[Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-05 Thread Les Stott
Hi, I found a bug in the pki packages and CA replica installation. Environment: RHEL 6.6 IPA Server 3.0.0-42 Pki components: pki-symkey-9.0.3-38.el6_6.x86_64 pki-common-9.0.3-38.el6_6.noarch pki-setup-9.0.3-38.el6_6.noarch pki-selinux-9.0.3-38.el6_6.noarch pki-java-tools-9.0.3-38.el6_6.noarch

Re: [Freeipa-users] User certificates with FreeIPA and management

2015-02-05 Thread Fraser Tweedale
On Thu, Feb 05, 2015 at 03:12:17PM -0500, Christopher Young wrote: Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck... Basically, I would like to be able to issue user certificates (Subject:

Re: [Freeipa-users] AD/IPA login compatibility

2015-02-05 Thread Dmitri Pal
On 02/05/2015 04:44 AM, Alexander Bokovoy wrote: On Thu, 05 Feb 2015, Dmitri Pal wrote: On 02/04/2015 03:01 PM, Hugh wrote: On 1/29/2015 4:26 PM, Dmitri Pal wrote: How are the domains connected? Do you use trust or sync? Trust. We wanted to have just one account and not need to install

Re: [Freeipa-users] AD/IPA login compatibility

2015-02-05 Thread Alexander Bokovoy
On Thu, 05 Feb 2015, Dmitri Pal wrote: On 02/05/2015 04:44 AM, Alexander Bokovoy wrote: On Thu, 05 Feb 2015, Dmitri Pal wrote: On 02/04/2015 03:01 PM, Hugh wrote: On 1/29/2015 4:26 PM, Dmitri Pal wrote: How are the domains connected? Do you use trust or sync? Trust. We wanted to have just

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Dmitri Pal
On 02/05/2015 05:54 AM, Matt . wrote: In the past we have done some test setups with password expiring after we added a user, at the moment I have difficulties with this on 4.1.2 What I need is the following: - We add a user using json/kinit - The user is added in the right way - The user

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
Hi, I'm already doing so without any luck. If you remember something, would be nice to know! So it should be possible to do still ? 2015-02-05 14:26 GMT+01:00 Dmitri Pal d...@redhat.com: On 02/05/2015 07:59 AM, Matt . wrote: Hi, OK, but as far as I understand we made some change, using a

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Dmitri Pal
On 02/05/2015 07:59 AM, Matt . wrote: Hi, OK, but as far as I understand we made some change, using a commandline command which I cannot remember or find, which goes around the password policy, or the attribute you talk about, when you add a user. Can I change that globally? As we did it

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Dmitri Pal
On 02/05/2015 08:32 AM, Matt . wrote: Hi, I'm already doing so without any luck. If you remember something, would be nice to know! So it should be possible to do still ? Do the ipa user-show --raw, there will be a time stamp. It is krbPasswordExpiration attribute. It will be set to the user

Re: [Freeipa-users] ipa replica (centos 6.5) integrate with AD 2008

2015-02-05 Thread Rob Crittenden
alireza baghery wrote: Hi, I integrated ipa (centos 6.5) with AD windows server 2008 and everything does work. I install replica server as follows: #(ipaserve ipa): replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-info-

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
Hi, OK, but as far as I understand we made some change, using a commandline command which I cannot remember or find, which goes around the password policy, or the attribute you talk about, when you add a user. Can I change that globally? As we did it seems... but we were testing so much back

[Freeipa-users] Real-time replication status (RFE)?

2015-02-05 Thread Baird, Josh
Hi, I'm looking for an easy way to validate that all replication agreements are functioning correctly between all of my IPA masters and replicas. I am aware that I can run 'ipa-replica-manage list -v' from each IPA master, but I was looking for something more centralized that could give me a

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Rob Crittenden
Matt . wrote: Hi, I'm already doing so without any luck. If you remember something, would be nice to know! So it should be possible to do still ? If the DN of the entry adding the password is in passSyncManagersDNs in the entry dn: cn=ipa_pwd_extop,cn=plugins,cn=config then the password

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Martin Kosek
On 02/05/2015 01:21 PM, Dmitri Pal wrote: On 02/05/2015 05:54 AM, Matt . wrote: In the past we have done some test setups with password expiring after we added a user, at the moment I have difficulties with this on 4.1.2 What I need is the following: - We add a user using json/kinit - The

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
Hi, Thanks, this brought me further. I don't see that attribute while kinit as admin. When I use an ldap editor and login as DM on my full cn domain I can get into kerberos = My DN = cn=global policy. When I set the krbMaxPwdLife very high this doesn't matter, I need to higher up the first

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
OK this works out good, I can login without changing my password directly. But my expire is still on a day which should be set higher. min is on 0 everywhere, max is 90 days. How to accomplish that ? 2015-02-05 17:13 GMT+01:00 Matt . yamakasi@gmail.com: Yes, when receiving your email I

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Rob Crittenden
Matt . wrote: OK this works out good, I can login without changing my password directly. But my expire is still on a day which should be set higher. min is on 0 everywhere, max is 90 days. How to accomplish that ? I can't think of a way without modifying code. Changing the password

[Freeipa-users] User certificates with FreeIPA and management

2015-02-05 Thread Christopher Young
Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck... Basically, I would like to be able to issue user certificates (Subject: email=sblblabla@blabla.local) in order to use client SSL security on some things.

[Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

2015-02-05 Thread Auerbach, Steven
A user contacted me today for a password reset. I made the reset on the ipa-primary. The user opened a terminal session on an SSH Client to a server in the realm and logged in. They received the required immediate password change requirement and did so. They can log off and log back on that

Re: [Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

2015-02-05 Thread Rob Crittenden
Auerbach, Steven wrote: A user contacted me today for a password reset. I made the reset on the ipa-primary. The user opened a terminal session on an SSH Client to a server in the realm and logged in. They received the required immediate password change requirement and did so. They can log

Re: [Freeipa-users] AD/IPA login compatibility

2015-02-05 Thread Dmitri Pal
On 02/04/2015 03:01 PM, Hugh wrote: On 1/29/2015 4:26 PM, Dmitri Pal wrote: How are the domains connected? Do you use trust or sync? Trust. We wanted to have just one account and not need to install additional software on the AD servers if possible. 1) Is it possible to log into a

Re: [Freeipa-users] ipa replica (centos 6.5) integrate with AD 2008

2015-02-05 Thread Dmitri Pal
On 02/05/2015 12:23 AM, alireza baghery wrote: Hi, I integrated ipa (centos 6.5) with AD windows server 2008 and everything does work. I install replica server as follows: #(ipaserve ipa): replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-

Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-05 Thread Rob Crittenden
Baird, Josh wrote: Hi, I'm looking for an easy way to validate that all replication agreements are functioning correctly between all of my IPA masters and replicas. I am aware that I can run 'ipa-replica-manage list -v' from each IPA master, but I was looking for something more

Re: [Freeipa-users] User certificates with FreeIPA and another question.

2015-02-05 Thread Rob Crittenden
Christopher Young wrote: Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck... Basically, I would like to be able to issue user certificates (Subject: email=sblblabla@blabla.local) in order to use client

Re: [Freeipa-users] netgroups not working for exports in freeipa - SOLVED

2015-02-05 Thread Rob Crittenden
Roderick Johnstone wrote: On 29/01/15 21:43, Roderick Johnstone wrote: On 29/01/2015 17:32, Jakub Hrozek wrote: On Wed, Jan 28, 2015 at 01:57:28PM +, Roderick Johnstone wrote: On 28/01/15 10:57, Jakub Hrozek wrote: On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote: Hi

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
I'm quite sure you can without changing code, I need to find out where it's set again... it's doable. 2015-02-05 22:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: OK this works out good, I can login without changing my password directly. But my expire is still on a day which

[Freeipa-users] Trust with Active Directory fails

2015-02-05 Thread Guertin, David S.
I'm trying to set up a trust between IPA and Active Directory, and it keeps failing. The problem is the same as this one (https://www.redhat.com/archives/freeipa-users/2014-April/msg00039.html), but the solution is not. In that case, it was solved by enabling IPv6 in the kernel, and in this

Re: [Freeipa-users] Remove password expiration after useradd

2015-02-05 Thread Matt .
Yes, when receiving your email I found that indeed. My ldapEditor doesn't allow me to add that value, so this needs to be done using the commandline ? 2015-02-05 15:03 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi, I'm already doing so without any luck. If you remember

[Freeipa-users] one way AD trust relationship

2015-02-05 Thread Nicolas Zin
Hi, is it possible to create a one way AD trust relationship with FreeIPA/IDM 3.3? - From Windows I created an incoming one-way trust relationship, with a trust-secret - on Linux I use the trust-secret with ipa: ipa trust-add --type=ad ipawindows.mtl.sfl --trust-secret everything seems to be

Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-05 Thread Innes, Duncan
The screen mockup in that ticket is based on a Perl script that I stuck in cgi-bin to pull just those stats off each IPA server I have and display them. Can share the code if you're interested. D -Original Message- From: freeipa-users-boun...@redhat.com

Re: [Freeipa-users] User certificates with FreeIPA and another question.

2015-02-05 Thread Christopher Young
Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create another command-line based openssl CA that could issue these but using IPA as the root CA for those? I'm just trying to provide a

Re: [Freeipa-users] AD/IPA login compatibility

2015-02-05 Thread Alexander Bokovoy
On Thu, 05 Feb 2015, Dmitri Pal wrote: On 02/04/2015 03:01 PM, Hugh wrote: On 1/29/2015 4:26 PM, Dmitri Pal wrote: How are the domains connected? Do you use trust or sync? Trust. We wanted to have just one account and not need to install additional software on the AD servers if possible. 1)

Re: [Freeipa-users] Real-time replication status (RFE)?

2015-02-05 Thread Baird, Josh
That would be great, thanks! Josh -Original Message- From: Innes, Duncan [mailto:duncan.in...@virginmoney.com] Sent: Thursday, February 05, 2015 11:34 AM To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com Subject: RE: [Freeipa-users] Real-time replication status (RFE)? The

[Freeipa-users] User certificates with FreeIPA and another question.

2015-02-05 Thread Christopher Young
Some of this might be rudimentary, so I apologize if this is answered somewhere, though I've tried to search and have not had much luck... Basically, I would like to be able to issue user certificates (Subject: email=sblblabla@blabla.local) in order to use client SSL security on some things.

Re: [Freeipa-users] netgroups not working for exports in freeipa - SOLVED

2015-02-05 Thread Roderick Johnstone
On 29/01/15 21:43, Roderick Johnstone wrote: On 29/01/2015 17:32, Jakub Hrozek wrote: On Wed, Jan 28, 2015 at 01:57:28PM +, Roderick Johnstone wrote: On 28/01/15 10:57, Jakub Hrozek wrote: On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote: Hi I'm migrating from a legacy