Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Jan Cholasta
On 12.3.2015 at 08:25, Martin Kosek wrote: On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for ansible, you can take a look at it here:

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-12 Thread Ben .T.George
HI i tried both method and still it's not creating the home directories regards, Ben On Wed, Mar 11, 2015 at 11:35 PM, sipazzo sipa...@yahoo.com wrote: This is how use the automounter to automatically create home directories for ipa users under /export/home/ and mount them under /home/ on

Re: [Freeipa-users] Error in replication while inserting a RHEL7.1 server into a RHEL6.6 IPA setup.

2015-03-12 Thread Martin Kosek
I think you should now check dirsrv errors logs on both server and the replica. It should have more info what went wrong with starting the replication. Please also check # systemctl status dirsrv@YOUR-REALM.service to check there are no SASL buffer related error messages. On 03/10/2015 12:58

Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-12 Thread Martin Kosek
On 03/10/2015 03:06 PM, Alexander Bokovoy wrote: On Tue, 10 Mar 2015, Benjamin Reed wrote: On 3/10/15 9:31 AM, Alexander Bokovoy wrote: Are you following these instructions?

[Freeipa-users] Adding external CA

2015-03-12 Thread crony
Hi FreeIPA Users, I have a fresh new FreeIPA 4.1 on RHEL7.1 with self-sign CA and I would like to change the self-sign CA to the external CA Do you have any step by step document for do it correctly on 4.1 version? /lm -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Martin Basti
On 12/03/15 08:30, Martin Kosek wrote: On 03/12/2015 12:17 AM, Dmitri Pal wrote: On 03/11/2015 04:37 PM, Steven Jones wrote: == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread David Kupka
On 03/12/2015 10:37 AM, crony wrote: Hi FreeIPA Users, I have a fresh new FreeIPA 4.1 on RHEL7.1 with self-sign CA and I would like to change the self-sign CA to the external CA Do you have any step by step document for do it correctly on 4.1 version? /lm Hello! I'm not aware of this

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread crony
Thank you David, I'll check it out. 2015-03-12 12:36 GMT+01:00 David Kupka dku...@redhat.com: On 03/12/2015 10:37 AM, crony wrote: Hi FreeIPA Users, I have a fresh new FreeIPA 4.1 on RHEL7.1 with self-sign CA and I would like to change the self-sign CA to the external CA Do you have any

Re: [Freeipa-users] Backwards compatability

2015-03-12 Thread Martin Kosek
On 03/11/2015 06:46 PM, Dmitri Pal wrote: On 03/11/2015 01:13 PM, Andrew Holway wrote: Hi, We have a mix of Centos 6 and Centos 7 machines which we would like to manage with FreeIPA. I remember that setting up freeipa on Centos 6 can be a bit tricky although I found this method which

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi, Security wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect ? I was not sure if the SAN would connect as other host. 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi Guys, Is Rob able to look at

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread Martin Kosek
On 03/12/2015 12:48 PM, crony wrote: Thank you David, I'll check it out. 2015-03-12 12:36 GMT+01:00 David Kupka dku...@redhat.com: On 03/12/2015 10:37 AM, crony wrote: Hi FreeIPA Users, I have a fresh new FreeIPA 4.1 on RHEL7.1 with self-sign CA and I would like to change the self-sign

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote: Hi, Security wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect ? I was not sure if the SAN would connect as other host. Kerberos through a load balancer can be a problem. Is this what you're worried about? rob

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Rob Crittenden
Matt . wrote: Hi Guys, Is Rob able to look at this ? I hope he has some sparetime as I'm kinda stuck with this issue. Wildcard certs are not supported. You can request a SAN with certmonger using -D FQDN. That will work with IPA 4.x for sure, maybe 3.3.5. rob Thanks! 2015-03-08

[Freeipa-users] OTP and cached credentials

2015-03-12 Thread Rob Verduijn
Hello, I was looking into otp authentication and found some articles on how to enable this in freeipa. I can't seem to figure out how this is going to deal with cached credentials on a laptop that is not able to connect the ipa server. How is this going to work out when 'native OTP' is being

Re: [Freeipa-users] OTP and cached credentials

2015-03-12 Thread Jakub Hrozek
On 12 Mar 2015, at 21:32, Rob Verduijn rob.verdu...@gmail.com wrote: Hello, I was looking into otp authentication and found some articles on how to enable this in freeipa. I can't seem to figure out how this is going to deal with cached credentials on a laptop that is not able to

Re: [Freeipa-users] Windows AD -- LDAP (oneWay)

2015-03-12 Thread Rich Megginson
On 03/12/2015 03:07 PM, Gonzalo Fernandez Ordas wrote: Hi I have successfully setup an AD--- freeipa Model and joining bits and pieces from 389-ds I have setup a oneWaySinc fromWindows. The issue I got for the last week is the password sync which does not seem to work at all, it does not

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-12 Thread Rob Crittenden
sipazzo wrote: I do have other CAs (just not the master but it is available offline if needed) To be clear, all IPA servers are masters, some just run more services than others. It sounds like you have at least one CA available which should be sufficient. Directory server is running The

[Freeipa-users] Windows AD -- LDAP (oneWay)

2015-03-12 Thread Gonzalo Fernandez Ordas
Hi I have successfully setup an AD--- freeipa Model and joining bits and pieces from 389-ds I have setup a oneWaySinc fromWindows. The issue I got for the last week is the password sync which does not seem to work at all, it does not matter what I do in the AD server I never get the passwords

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Martin Kosek
On 03/12/2015 07:24 PM, Erinn Looney-Triggs wrote: On 03/12/2015 02:10 AM, Jan Cholasta wrote: On 12.3.2015 at 08:25, Martin Kosek wrote: On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Erinn Looney-Triggs
On 03/12/2015 01:46 PM, Martin Kosek wrote: On 03/12/2015 07:24 PM, Erinn Looney-Triggs wrote: On 03/12/2015 02:10 AM, Jan Cholasta wrote: On 12.3.2015 at 08:25, Martin Kosek wrote: On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third,

Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-12 Thread Steven Jones
Hi, Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1 replica to it. ie following the document linked to below. Should be a BZ case on it shortly via RH support (RH case number 01290601) for an updated 389 rpm for 6.6. I assume it will be the same for Centos 7.x

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Erinn Looney-Triggs
On 03/12/2015 02:10 AM, Jan Cholasta wrote: On 12.3.2015 at 08:25, Martin Kosek wrote: On 03/11/2015 09:05 PM, Dmitri Pal wrote: On 03/11/2015 03:15 PM, Erinn Looney-Triggs wrote: ... Third, there appears to be a behavior change from in ipalib. I cleaned up a little inventory script for

[Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-12 Thread sipazzo
I do have other CAs (just not the master but it is available offline if needed) Directory server is running The apache web server is running and I can get to the gui ipa cert-show 1 works Are the TLS errors due to the mismatch in certs between slapd-PKI-CA and slapd-NETWORKFLEET-COM?

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-12 Thread Ben .T.George
HI Siggi, thanks for the detailed information. how can i apply this DUA profile? can you please give me the steps to apply this. my current stage is, i can able to login to solaris 10 box with AD user. only thing from command like without - in su Regards, Ben On Thu, Mar 12, 2015 at 4:00 PM,

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-12 Thread Sigbjorn Lie
Hi, Yes the DUA profile needs manually editing and updating as IPA servers are added or removed. Ideally this would be managed by ipa-replica-manage, however as I was advised in the BZ, Red Hat does not have the knowledge or resources to focus on integration with Solaris, which is

Re: [Freeipa-users] Windows AD -- LDAP (oneWay)

2015-03-12 Thread Gonzalo Fernandez Ordas
Thanks very much for the quick reply. And that was exactly the bit I never fully understood, till now. is it known anyway of synchronising the passwords? Any recommendations on those regards? Thanks On 12/03/2015 22:13, Rich Megginson wrote: On 03/12/2015 03:07 PM, Gonzalo Fernandez

Re: [Freeipa-users] Windows AD -- LDAP (oneWay)

2015-03-12 Thread Dmitri Pal
On 03/12/2015 05:59 PM, Rich Megginson wrote: On 03/12/2015 03:44 PM, Gonzalo Fernandez Ordas wrote: Thanks very much for the quick reply. And that was exactly the bit I never fully understood, till now. is it known anyway of synchronising the passwords? No. Any recommendations on those

Re: [Freeipa-users] OTP and cached credentials

2015-03-12 Thread Dmitri Pal
On 03/12/2015 04:59 PM, Jakub Hrozek wrote: On 12 Mar 2015, at 21:32, Rob Verduijn rob.verdu...@gmail.com wrote: Hello, I was looking into otp authentication and found some articles on how to enable this in freeipa. I can't seem to figure out how this is going to deal with cached credentials

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi Guys, Is Rob able to look at this ? I hope he has some sparetime as I'm kinda stuck with this issue. Thanks! 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com: I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup I need to have the same

Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-12 Thread Jan Cholasta
On 11.3.2015 at 21:10, Martin Kosek wrote: On 03/11/2015 06:33 PM, Gould, Joshua wrote: We’re trying to setup RHEL7 with the latest updates. Our ipa-server shows ipa-server-4.1.0-18.el7.x86_64. On 3/11/15, 12:39 PM, Dmitri Pal d...@redhat.com wrote: On 03/11/2015 11:13 AM, Gould, Joshua

Re: [Freeipa-users] IPA 4.1.0 in RHEL 7.1

2015-03-12 Thread Martin Kosek
On 03/12/2015 12:17 AM, Dmitri Pal wrote: On 03/11/2015 04:37 PM, Steven Jones wrote: == [root@vuwunicoipam004 ipa-certs]# ipa-replica-install --setup-dns --forwarder=10.100.32.31 -U replica-info-vuwunicoipam004.ods.vuw.ac.nz.gpg --skip-conncheck Checking forwarders, please wait ...