Re: [Freeipa-users] ipa: ERROR: attribute 'idnsAllowTransfer' not allowed

2013-02-26 Thread Martin Kosek
On 02/25/2013 03:38 PM, Sigbjorn Lie wrote: > On Mon, February 25, 2013 12:59, Christian Horn wrote: >> Hi, >> >> >> On Mon, Feb 25, 2013 at 09:46:49AM +0100, Sigbjorn Lie wrote: >> >>> >>> $ ipa dnszone-add example.com --name-server=ns01.example.com >>> --admin-email=hostmaster.example.com >>> ipa

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
On 02/26/2013 09:01 AM, Umarzuki Mochlis wrote: > hi, > > on tried to create a free-ipa replica on fedora 18 with > freeipa-server-3.1.2-1.fc18.x86_64 > > below is last few lines of /var/log/ipareplica-install.log > > 2013-02-25T16:16:33Z DEBUG retrieving schema for SchemaCache > url=ldap://ipa.

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-02-26 Thread Martin Kosek
On 02/25/2013 04:38 PM, Brian Smith wrote: > It seems that regardless of the global password expiry setting, that setting a > password via the methods > > user-add > passwd > > i will always have a password that expires in 90 days. I followed the > instructions here http://freeipa.org/page/Passw

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Umarzuki Mochlis
2013/2/26 Martin Kosek : Hi Martin, I found below on errors file [26/Feb/2013:00:16:14 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up [26/Feb/2013:00:16:14 +0800] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
Hm, all these are usually benign, when we are just setting up a replication. Can you please send me the whole ipareplica-install.log and dirsrv's errors log so I can see these errors in a broader context? You can do it in private message if you want. Btw I assume that you are running on the curren

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-26 Thread Артур Файзуллин
And what? Is there any result? I try same thing with my AMM and IPA On Mon, 05/11/2012 at 09:32 +0100, Petr Spacek wrote: > On 11/03/2012 01:12 PM, Pavel Zhukov wrote: > >> Can you do NS lookup of the IPA server from the AMM box? > > yes > >> Can you do kinit from the AMM box against IPA? > >> Can y

Re: [Freeipa-users] nsslapd-changelogmaxage

2013-02-26 Thread Kriss Von Prosst
ok, but setting nsslapd-changelogmaxage parameter doesn't automatically shrink changelog. The file size doesn't change. Other idea how to trim changelog file? 2013/2/25 Rich Megginson > On 02/25/2013 11:33 AM, Kriss Von Prosst wrote: > > Hi, > > I have multimaster replication environment, IPA v

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-26 Thread Petr Spacek
On 26.2.2013 11:49, Артур Файзуллин wrote: And what? Is there any result? I try same thing with my AMM and IPA Unfortunately, we don't have sufficient information to give you any advice. Please, try to provide output from a sniffer as I asked in last reply. Then we will try to help you. (You

Re: [Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

2013-02-26 Thread Petr Spacek
On 23.2.2013 23:01, Dale Macartney wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/23/2013 09:47 PM, Dmitri Pal wrote: On 02/23/2013 12:48 PM, Dale Macartney wrote: > > >> Hi all >> >> I've just performed a clean IPA installation and noticed that if you're >> using integrate

Re: [Freeipa-users] nsslapd-changelogmaxage

2013-02-26 Thread Rich Megginson
On 02/26/2013 04:00 AM, Kriss Von Prosst wrote: ok, but setting nsslapd-changelogmaxage parameter doesn't automatically shrink changelog. The file size doesn't change. Other idea how to trim changelog file? I don't know. Looks like you have found a bug. 2013/2/25 Rich Megginson

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Dmitri Pal
On 02/21/2013 12:31 PM, Dmitri Pal wrote: > On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: >> On 02/21/2013 09:40 AM, Rob Crittenden wrote: >>> Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: > Erinn Looney-Triggs wrote: >> On 02/21/2013 09:07 AM, Rob Critt

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 04:29 PM, Dmitri Pal wrote: > On 02/21/2013 12:31 PM, Dmitri Pal wrote: >> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: >>> On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: > On 02/21/2013 09:34 AM, Rob Crittenden wrote: >> Erinn Looney-Trigg

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-26 Thread John Moyer
Sorry for the late response, so I tried this, and it changed the error to the following: Synchronizing time with KDC... Joining realm failed: HTTP response code is 401, not 200 Installation failed. Rolling back changes. Looking at debug this is what I see: < HTTP/1.1 401 Authorization Requ

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 10:29 AM, Dmitri Pal wrote: > On 02/21/2013 12:31 PM, Dmitri Pal wrote: >> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: >>> On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: > On 02/21/2013 09:34 AM, Rob Crittenden wrote: >> Erinn Looney-Trigg

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: > On 02/26/2013 10:29 AM, Dmitri Pal wrote: >> On 02/21/2013 12:31 PM, Dmitri Pal wrote: >>> On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: > Erinn Looney-Triggs wrote: >> On 02/21/2013

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 12:08 PM, Martin Kosek wrote: > On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: >> On 02/26/2013 10:29 AM, Dmitri Pal wrote: >>> On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: > On 02/21/2013 09:40 AM, Rob Crittenden wrote: >>>

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote: On 02/26/2013 12:08 PM, Martin Kosek wrote: On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/20

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 01:05 PM, Martin Kosek wrote: > On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote: >> On 02/26/2013 12:08 PM, Martin Kosek wrote: >>> On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: > On 02/21/2013 12:31 PM, Dmitri Pal wrote: >

[Freeipa-users] IPA,NFS4,krb5p Ticket expired error

2013-02-26 Thread Johan Petersson
Hi, I have an IPA server, NFS4 Server sharing home directories with autofs and krb5p as only valid authentication. Mail Postfix/Dovecot both with startTLS and GSSAPI. All servers and clients are Red Hat 6.3 and updated with latest kernel and everything else. If I start and log in locally as user

Re: [Freeipa-users] New User - Possible to point authentication to external KDC

2013-02-26 Thread Dmitri Pal
On 02/26/2013 01:31 AM, Trey Dockendorf wrote: > > > On Feb 25, 2013 1:23 AM, "Dmitri Pal" > wrote: > > > > On 02/23/2013 10:33 PM, Trey Dockendorf wrote: > > > I just begun evaluating FreeIPA, after having successfully used 389ds > > > for a few months. The move from 389

[Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread KodaK
I know that at some point the sssd package (or maybe the tools package) started including sss_cache for managing the sssd cache. I have some RHEL5 boxes that don't have this utility. I've been stopping the sssd service, deleting the contents of /var/lib/sss/db/ and then restarting and things seem

Re: [Freeipa-users] IPA,NFS4,krb5p Ticket expired error

2013-02-26 Thread Dmitri Pal
On 02/26/2013 02:03 PM, Johan Petersson wrote: > Hi, > > I have an IPA server, NFS4 Server sharing home directories with autofs > and krb5p as only valid authentication. > Mail Postfix/Dovecot both with startTLS and GSSAPI. > All servers and clients are Red Hat 6.3 and updated with latest kernel > a

Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

2013-02-26 Thread Dmitri Pal
On 02/25/2013 02:29 PM, Mercer, Rodney wrote: > I think that this is a good explanation or the solaris rbac model. > > http://www.softpanorama.org/Solaris/Security/solaris_rbac.shtml > > Regards, > Rodney. I will definitely read it. But assume I did. What are the next steps? The schema is the right

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Dmitri Pal
On 02/26/2013 02:29 PM, KodaK wrote: > I know that at some point the sssd package (or maybe the tools > package) started including sss_cache for managing the sssd cache. I > have some RHEL5 boxes that don't have this utility. > > I've been stopping the sssd service, deleting the contents of > /var

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Steven Jones
Hi, It's what I have to do on most client side issues and what RH support advise. I was told that the sssd daemon would be upgraded in 6.4, it certainly seems to be my main pain point right now. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064

Re: [Freeipa-users] Non-Prod instance

2013-02-26 Thread Dmitri Pal
On 02/25/2013 09:58 AM, Guy Matz wrote: > Hello! Does anyone out there run two instances of freeipa, prod & > non-prod instances? Are there any issues to be wary of in this > scenario? Any gotchas? Do you use the same realms & domain names > between instances? As long as you completely isolate

Re: [Freeipa-users] Non-Prod instance

2013-02-26 Thread Guy Matz
Thanks! Is it a matter of isolating the networks? Or just making sure clients are pointing to the correct server? Thanks again, Guy On 02/26/2013 02:45 PM, Dmitri Pal wrote: On 02/25/2013 09:58 AM, Guy Matz wrote: Hello! Does anyone out there run two instances of freeipa, prod & non-prod i

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Jakub Hrozek
On Tue, Feb 26, 2013 at 02:36:42PM -0500, Dmitri Pal wrote: > On 02/26/2013 02:29 PM, KodaK wrote: > > I know that at some point the sssd package (or maybe the tools > > package) started including sss_cache for managing the sssd cache. I > > have some RHEL5 boxes that don't have this utility. > >

Re: [Freeipa-users] ipa: ERROR: attribute 'idnsAllowTransfer' not allowed

2013-02-26 Thread Sigbjorn Lie
Hi. This is ipa 2.2 on rhel 6.3. Upgraded from rhel 6.2. Initial install on 6.2. Rgds Siggi Martin Kosek wrote: >On 02/25/2013 03:38 PM, Sigbjorn Lie wrote: >> On Mon, February 25, 2013 12:59, Christian Horn wrote: >>> Hi, >>> >>> >>> On Mon, Feb 25, 2013 at 09:46:49AM +0100, Sigbjorn Lie wr

[Freeipa-users] FQDN Hostname Requirement

2013-02-26 Thread freeipa
Hi All, Spec: Red Hat Enterprise Linux Server release 6.3 (Santiago) ipa-server-2.2.0-16.el6.x86_64 Issue: I made a post a while back regarding IPA and the forcing of the hostname to be a FQDN entry, rather than utilising `hostname --fqdn` ref: https://www.redhat.com/archives/freeipa-users/2012-

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-26 Thread Артур Файзуллин
Ok! I will try :) but would you give me some advice :) what configs to put. should I use: * "Use LDAP Servers for Authentication and Authorization" * "Use DNS to find LDAP Servers" and put here domain name if IPA-server? * should in "Active Directory Settings" Enhanced role-based security b

Re: [Freeipa-users] Transferring "mastership" to a new server

2013-02-26 Thread Rajnesh Kumar Siwal
Is it still required if the replica is created using the following command:- # ipa-replica-install --setup-ca --setup-dns -- Regards, Rajnesh Kumar Siwal

[Freeipa-users] meaning of several domains in sssd.conf

2013-02-26 Thread Jan-Frode Myklebust
What does it mean to have several domains listed in sssd.conf ? Will they all be queried on each login, or will only the first domain be queried if the user/groups is found there? Does having an IPA domain, and an LDAP domain pointing at the same servers give any protection against failures in the