Re: [Freeipa-users] Issues creating trust with AD.

2014-02-19 Thread Sumit Bose
On Wed, Feb 19, 2014 at 12:17:59AM +0200, Genadi Postrilko wrote: After I restarted SSSD nothing changed - still cannot login via ssh/su. I have increased debug level to 6: https://gist.github.com/anonymous/9081367 (krb5_child was empty) The LDAP extended operation which should fetch the user

[Freeipa-users] Grey button in Reset password in the gui

2014-02-19 Thread barrykfl
Dear all: I created an account of operator and added roles of user admin with reset/modify password privileges, but when he logs in, the reset password button is grey? Any permission I should assign more... Now can only add this operator to admin group so all full access right. thks Barry

Re: [Freeipa-users] Grey button in Reset password in the gui

2014-02-19 Thread Petr Vobornik
On 19.2.2014 10:37, barry...@gmail.com wrote: Dear all: I created an account of operator and added roles of user admin with reset/modify password privileges, but when he logs in, the reset password button is grey? Any permission I should assign more... Now can only add this operator to admin

Re: [Freeipa-users] HBAC - expected behaviour?

2014-02-19 Thread Jan Pazdziora
On Tue, Feb 04, 2014 at 04:11:12AM +, Les Stott wrote: If I access the host host1 and remove allow_all from its defined HBAC rules in the web ui, jane can still access host1 via ssh (actually tested login). I can see you've found the solution already but I'd like to go back to this part.

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-19 Thread Steve Dainard
Hi Pavel, sdainard-admin is a Windows domain user, part of an external group 'ad_admins_external' which is a member of 'ad_admins', an ipa posix group. The 'admins' group is the built-in ipa admin group. ipa group-show admins Group name: admins Description: Account administrators group GID:

Re: [Freeipa-users] Export data

2014-02-19 Thread Choudhury, Suhail
Hi Martin, Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch? Regards, Suhail. DevOps BSkyB. From: Martin Kosek [mko...@redhat.com] Sent: 22 January 2014 13:30 To: Choudhury, Suhail; freeipa-users@redhat.com

Re: [Freeipa-users] Export data

2014-02-19 Thread Martin Kosek
Similarly to users, you just use the right container: $ kinit admin $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=dns,dc=example,dc=com' There are plenty of resources online on how to work with ldapsearch, ldapmodify and resulting LDIFs that could help get you started. Martin On 02/19/2014 04:33

[Freeipa-users] Windows client

2014-02-19 Thread Mauricio Tavares
When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer Name/Domain Changes-DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Shree
Guys, any word on this? New logs are attached to the email. I am still not able to add clients using the replica. Let me know if you need any other information and thanks for your help. Shreeraj Change

Re: [Freeipa-users] Windows client

2014-02-19 Thread Alexander Bokovoy
On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer Name/Domain Changes-DNS Suffix and netbios computer name) even though ipconfig would report it properly.

Re: [Freeipa-users] Windows client

2014-02-19 Thread Simo Sorce
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer Name/Domain Changes-DNS Suffix and

Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek
On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties-Computer

Re: [Freeipa-users] Windows client

2014-02-19 Thread Mauricio Tavares
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote: On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7 client (let's call it

Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek
On 19.2.2014 20:10, Mauricio Tavares wrote: On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote: On 19.2.2014 19:44, Simo Sorce wrote: On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote: On Wed, 19 Feb 2014, Mauricio Tavares wrote: When I added a windows 7

[Freeipa-users] Unexpected error at the end of ipa-replica-install

2014-02-19 Thread Shree
Everything seems to be going well for all the 17 of 17 steps and then this  [15/17]: configure clone certificate renewals   [16/17]: configure Server-Cert certificate renewal   [17/17]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Restarting the directory and

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Rob Crittenden
Shree wrote: 1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force Now the replica looks like this skarulkar@ldap2 tmp]$ sudo ipactl status

Re: [Freeipa-users] Export data

2014-02-19 Thread Rob Crittenden
Choudhury, Suhail wrote: Hi Martin, Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch? He included the basics in his previous answer: $ kinit admin $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' You can append

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Shree
Here are a couple of things [skarulkar@ldap2 ~]$ rpm -q ipa-client ipa-client-3.0.0-26.el6_4.4.x86_64 and my /etc/krb5.conf looks like .. === includedir /var/lib/sss/pubconf/krb5.include.d/ [logging]  default = FILE:/var/log/krb5libs.log  kdc =

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Shree
root@test500 ~]# rpm -q ipa-client ipa-client-2.2.0-16.el6.x86_64 [root@test500 ~]#   Shreeraj Change is the only Constant ! On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Rob Crittenden
Shree wrote: root@test500 ~]# rpm -q ipa-client ipa-client-2.2.0-16.el6.x86_64 [root@test500 ~]# You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484 Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.

[Freeipa-users] About Windows client

2014-02-19 Thread Dmitri Pal
Hello, I want to summarize our position regarding joining Windows systems into IPA. 1) If you already have AD we recommend using this system with AD and using trusts between AD and IPA. 2) If you do not have AD then use Samba 4 instead of it. It would be great when Samba 4 grows capability to

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-19 Thread Shree
Rob You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like = Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the