Re: [Freeipa-users] RFE: default hbac is too open

2013-03-06 Thread Martin Kosek
On 03/05/2013 10:13 PM, Matthew Barr wrote: On Mar 5, 2013, at 9:15 AM, Rob Crittenden rcrit...@redhat.com wrote: Артур Файзуллин wrote: What rule must be present for replica to work? :) (in order to remove allow-all rule) I mean may be there is somewhere a guide to write rules for strict

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-06 Thread Martin Kosek
Ok. Can you try if this hostname is not returned in a SRV DNS record discovery run on the host where you execute the ipa commands? # dig -t srv _ldap._tcp.esci.millersville.edu Does it return the right results? Martin On 03/05/2013 07:26 PM, David Fitzgerald wrote: The host command returns

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-06 Thread Dmitri Pal
On 03/05/2013 10:28 PM, Brian Smith wrote: I set the policy to 1 year and recreated the account. $ ipa pwpolicy-show --user=it-rc-test-faculty Group: global_policy Max lifetime (days): 365 Min lifetime (hours): 1 History size: 0 Character classes: 0 Min length: 8 Max

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-06 Thread Dale Macartney
On 03/06/2013 02:46 PM, M.R Niranjan wrote: On 03/06/2013 08:03 PM, Johan Petersson wrote: Hi, I hope someone here can shed some light on what is wrong in my test environment. The error seems to be that Dovecot on mail server wants to access

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-06 Thread M.R Niranjan
On 03/06/2013 08:30 PM, Dale Macartney wrote: On 03/06/2013 02:46 PM, M.R Niranjan wrote: On 03/06/2013 08:03 PM, Johan Petersson wrote: Hi, I hope someone here can shed some light on what is wrong in my test environment. The error seems

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-06 Thread M.R Niranjan
On 03/06/2013 08:30 PM, Dale Macartney wrote: On 03/06/2013 02:46 PM, M.R Niranjan wrote: On 03/06/2013 08:03 PM, Johan Petersson wrote: Hi, I hope someone here can shed some light on what is wrong in my test environment. The error seems

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-03-06 Thread Brian Smith
I'm going to dig into it further, hopefully produce a patch in the next few days. My work-around for right now is ldapmodifying the krbPasswordExpiration attribute on the account after creation and subsequent password updates. On Wed, Mar 6, 2013 at 8:40 AM, Dmitri Pal d...@redhat.com wrote:

[Freeipa-users] Can I change an IPA client's IPA without re-enrolling it?

2013-03-06 Thread Kanwar Ranbir Sandhu
Hi Everyone, The subject says it all. I'm using IPA in CentOS 6. I know for a hostname change on a client, I'd have to uninstall the IPA client, change the hostname, and then reinstall it. But, I don't know if that holds true for IPs. Would a simple IP change require the

Re: [Freeipa-users] Can I change an IPA client's IPA without re-enrolling it?

2013-03-06 Thread Rob Crittenden
Kanwar Ranbir Sandhu wrote: Hi Everyone, The subject says it all. I'm using IPA in CentOS 6. I know for a hostname change on a client, I'd have to uninstall the IPA client, change the hostname, and then reinstall it. But, I don't know if that holds true for IPs. Would a simple IP change

Re: [Freeipa-users] Can I change an IPA client's IPA without re-enrolling it?

2013-03-06 Thread Kanwar Ranbir Sandhu
On Wed, 2013-03-06 at 16:50 -0500, Rob Crittenden wrote: A re-install should not be necessary. Just be sure that forward and reverse name resolution works after making the change (something we test for during install). Thanks. I'll give it a go. I just saw the typo in my subject. Fail. :P

Re: [Freeipa-users] Can I change an IPA client's IPA without re-enrolling it?

2013-03-06 Thread Martin Kosek
On 03/06/2013 11:08 PM, Kanwar Ranbir Sandhu wrote: On Wed, 2013-03-06 at 16:50 -0500, Rob Crittenden wrote: A re-install should not be necessary. Just be sure that forward and reverse name resolution works after making the change (something we test for during install). Thanks. I'll give