Re: [Freeipa-users] DNS and $GENERATE Directive

2014-11-10 Thread Martin Kosek
On 11/08/2014 12:16 AM, Andrew Powell wrote: Is there a way to add a Bind $GENERATE directive line to FreeIPA to automatically name DHCP-assigned ranges? In a file-based Bind installation, I can have the following line in the forward example.com zone file: $generate 80-250/1

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Martin Basti
On 10/11/14 02:05, Rolf Nufable wrote: Hello I have tons of questions on why free ipa won't work on my network, I've been using fedora 20 as the os for the server and client free ipa. I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the client side using 2 VM's at first

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Diaulas Castro
Hi Lukas, Already opened case within Red Hat. They told on case there is private bugzilla for this known problem, the case got closed. I'm on vacation and RH Customer Portal seems off right now, can't find if the case got updated or there is errata for this issue. 2014-11-08 14:44 GMT-02:00

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Jakub Hrozek
On Fri, Nov 07, 2014 at 04:00:19PM -0800, Michael Lasevich wrote: Exactly 16 hours after reboot the problem returned on both servers. What has a 16 hour timeout? I set log level to 10 and got some logs, but they are long and not sure what I am looking for. I am attaching some logs ( out of

Re: [Freeipa-users] missing package in 4.1.1 repo

2014-11-10 Thread Martin Kosek
This is a new dependency that PKI/dogtag grew with latest version bump. It is not available in the mkosek/freeipa repo, but we will give it a shot in providing it (and its dependencies) in the repo ourselves and also in parallel ask dogtag team to help. Obviously, this does scale well, Java

Re: [Freeipa-users] restored replica ssl issue

2014-11-10 Thread Martin Kosek
On 11/10/2014 08:34 AM, Les Stott wrote: Hi all, I have a standard freeipa environment under rhel6. One of my replica servers, lets call it serverB had issues and I eventually rebuilt it. I rebuilt and restored data, but something wasn't right. Replication wasn't working. I had tried

Re: [Freeipa-users] trouble with ldap authentication for a Cisco UCS 5108

2014-11-10 Thread Martin Kosek
On 11/10/2014 07:46 AM, Les Stott wrote: Hi all, I have a FreeIPA environment with standard rhel6 package sets. Everything is working well. I would like to get our Cisco UCS 5108 authenticating via ldap with TLS using ldap group based checks. The ucs manager runs the latest 2.2(3a)

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Martin Kosek
On 11/10/2014 02:05 AM, Rolf Nufable wrote: Hello I have tons of questions on why free ipa won't work on my network, I've been using fedora 20 as the os for the server and client free ipa. I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the client side using 2 VM's

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote: On 11/10/2014 02:05 AM, Rolf Nufable wrote: Hello I have tons of questions on why free ipa won't work on my network, I've been using fedora 20 as the os for the server and client free ipa. I deployed freeipa 4.0.3 at

Re: [Freeipa-users] Apache WebDav file sharing permission problem

2014-11-10 Thread Dmitri Pal
On 11/10/2014 12:14 AM, Thomas Lau wrote: Hi All, I am successfully letting Apache auth against FreeIPA, but whatever folder/files being created on WebDav server would be using Apache user and group instead of login user/group, does anyone know how to fix this? Kerberos + LDAP config:

Re: [Freeipa-users] trouble with ldap authentication for a Cisco UCS 5108

2014-11-10 Thread Dmitri Pal
On 11/10/2014 06:42 AM, Martin Kosek wrote: On 11/10/2014 07:46 AM, Les Stott wrote: Hi all, I have a FreeIPA environment with standard rhel6 package sets. Everything is working well. I would like to get our Cisco UCS 5108 authenticating via ldap with TLS using ldap group based checks. The

Re: [Freeipa-users] DNS and $GENERATE Directive

2014-11-10 Thread Dmitri Pal
On 11/10/2014 03:25 AM, Martin Kosek wrote: On 11/08/2014 12:16 AM, Andrew Powell wrote: Is there a way to add a Bind $GENERATE directive line to FreeIPA to automatically name DHCP-assigned ranges? In a file-based Bind installation, I can have the following line in the forward example.com zone

[Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
hi, is this the right list to post certmonger questions? Here I see only a developer's list without too much activity: https://fedorahosted.org/certmonger/ My question is simple. After upgrading a vm running centos 6.5 to 6.6 I am seeing this error on reboot in messages: Nov 10 15:51:31

Re: [Freeipa-users] Apache WebDav file sharing permission problem

2014-11-10 Thread Rob Crittenden
Thomas Lau wrote: Hi All, I am successfully letting Apache auth against FreeIPA, but whatever folder/files being created on WebDav server would be using Apache user and group instead of login user/group, does anyone know how to fix this? Kerberos + LDAP config:

Re: [Freeipa-users] Apache WebDav file sharing permission problem

2014-11-10 Thread tlau
Yeah, thanks for pointing it out, I am very upset now. Sent from my BlackBerry 10 smartphone.   Original Message   From: Rob Crittenden Sent: Monday, 10 November, 2014 11:30 PM To: Thomas Lau; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Apache WebDav file sharing permission problem

Re: [Freeipa-users] Apache WebDav file sharing permission problem

2014-11-10 Thread Simo Sorce
On Mon, 10 Nov 2014 13:14:38 +0800 Thomas Lau t...@tetrioncapital.com wrote: Hi All, I am successfully letting Apache auth against FreeIPA, but whatever folder/files being created on WebDav server would be using Apache user and group instead of login user/group, does anyone know how to fix

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Martin Kosek
On 11/10/2014 04:17 PM, Natxo Asenjo wrote: hi, is this the right list to post certmonger questions? It is. Certmonger is part of IPA solution so this list is a good start. CCing Nalin as he is still the SME for certmonger, he may have some idea. Here I see only a developer's list without

Re: [Freeipa-users] DNS and $GENERATE Directive

2014-11-10 Thread Martin Kosek
On 11/10/2014 02:48 PM, Dmitri Pal wrote: On 11/10/2014 03:25 AM, Martin Kosek wrote: On 11/08/2014 12:16 AM, Andrew Powell wrote: Is there a way to add a Bind $GENERATE directive line to FreeIPA to automatically name DHCP-assigned ranges? In a file-based Bind installation, I can have the

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Nalin Dahyabhai
On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: Nov 10 15:51:31 apachetest03 certmonger: Decoding error on

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Michael Lasevich
I can certainly try, it would need to be compatible with CentOS 6.6 though. -M So according to the logs, the create_ccache() function failed. Unfortunately, we don't do very good job at logging the failures there.. Michael, are you able to run a custom package with extra debugging? It would

[Freeipa-users] strange error deleting replica?

2014-11-10 Thread Janelle
Hi -- Has anyone seen this before? # ipa-replica-manage del kermit.xyzzy.com --force unexpected error: [Errno -2] Name or service not known ?? Very confused as to What service or name is not known? This is 4.0.5 running on CentOS 7. ~J

[Freeipa-users] getting rid of private groups

2014-11-10 Thread Craig White
Trying to learn to live without private groups. I imported a bunch of users from OpenLDAP and that was good. I created about 4 users and the private groups show up in odd places and I don't want them. The private groups offer little value since the bulk of the imported users don't have them

[Freeipa-users] Possible trust issues

2014-11-10 Thread William Muriithi
Evening, I have been trying to get IPA server working using AD users and I think I need some assistance as I have run into the wall. Below is some background information. The active directory domain is called example.local and the IPA domain is called example.loc. My plan is to map domain

Re: [Freeipa-users] getting rid of private groups

2014-11-10 Thread Rob Crittenden
Craig White wrote: Trying to learn to live without private groups. I imported a bunch of users from OpenLDAP and that was good. I created about 4 users and the private groups show up in odd places and I don’t want them. The private groups offer little value since the bulk of the

Re: [Freeipa-users] getting rid of private groups

2014-11-10 Thread Craig White
-Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Monday, November 10, 2014 3:14 PM To: Craig White; freeipa-users@redhat.com Subject: Re: [Freeipa-users] getting rid of private groups Craig White wrote: Trying to learn to live without private groups. I

[Freeipa-users] Possible trust issues

2014-11-10 Thread William Muriithi
Evening, Also, this shows up on /var/log/krb5kdc.log on ipa server Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example@example.loc for krbtgt/example@example.loc, Additional

Re: [Freeipa-users] Possible trust issues

2014-11-10 Thread Dmitri Pal
On 11/10/2014 07:01 PM, William Muriithi wrote: Evening, Also, this shows up on /var/log/krb5kdc.log on ipa server Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example@example.loc for

[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
Hi, I have a standard rhel6 deployment for FreeIPA in two environments. One environment is in our Production Data Center, The Other in our DR Data Center. Both environments are setup with the same domain (mydomain.com) for FreeIPA. This is to support dr/failover etc. In each environment,

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 01:40:50AM +, Les Stott wrote: Hi, I have a standard rhel6 deployment for FreeIPA in two environments. One environment is in our Production Data Center, The Other in our DR Data Center. Both environments are setup with the same domain (mydomain.com) for

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
-Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 12:51 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers? On Tue, Nov 11,

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 02:11:55AM +, Les Stott wrote: -Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 12:51 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same serial number

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
-Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 1:59 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers? On Tue, Nov 11, 2014

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 04:17:37AM +, Les Stott wrote: -Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 1:59 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same serial number in

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Rolf Nufable
well I'll try them now, my sssd config only consists of these lines added to the sudo area sudo_provider = ldap ldap_uri = ldap://myipaserver.example.com ldap_sudo_search_base = ou=sudoers,dc=example,dc=com ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/myipaserver.example.com ldap_sasl_realm

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Rolf Nufable
or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable rolf_16_nufa...@yahoo.com wrote: well I'll

Re: [Freeipa-users] Possible trust issues

2014-11-10 Thread Alexander Bokovoy
On Mon, 10 Nov 2014, William Muriithi wrote: less /var/log/sssd/sssd_example.loc.log (Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as 'working' (Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]]

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Martin Kosek
On 11/11/2014 06:37 AM, Rolf Nufable wrote: or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache Hm, that is worrying. FreeIPA 4.0+ should definitely not

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Rolf Nufable
well I don't know how or what command to use to display the logs, could you teach me how? , but yes the network.negotiate-auth.trusted-uris has the same domain name which is example.com this is on the server side only while on the client side, even though the network.negotiate-auth.trusted-uris

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Martin Kosek
On 11/11/2014 08:07 AM, Rolf Nufable wrote: well I don't know how or what command to use to display the logs, could you teach me how? There should be HOWTO articles on how to do that. Jakub may have better sources, but I see for example:

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Rolf Nufable
oh sorry I forgot that on the clients side network.negotiate-auth.trusted-uris they have the same domain as of the server side I've configured it as well as in the client side because recent guides for deploying IPA says that you must go to about:config either you are on the server or client

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
Hi Nalin, On Mon, Nov 10, 2014 at 5:19 PM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: How can I debug this? First thing would be to run the daemon with additional logging - I usually use '-d3' to watch what's going on while the