On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote:
I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switch to:
sudo_provider=ipa
That does indeed seem to work. Thanks!
You're welcome, btw if you set up your
Hello,
I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.
Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:
Thanks,
Andrew
On Thu, Mar 19, 2015 at 05:50:50PM -0400, Prasun Gera wrote:
It's just that /var/lib/sss/db is not cleared between subsequent server
installs and uninstall, and that seems to be creating problems on the
server since the server is also a client. If you do
install-uninstall-install on the server
On 03/20/2015 09:16 AM, Andrew Holway wrote:
Hello,
I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.
Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:
Thanks,
Andrew
On Fri, 20 Mar 2015, David Kupka wrote:
On 03/20/2015 09:16 AM, Andrew Holway wrote:
Hello,
I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.
Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p
On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote:
On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote:
I'm wondering how we should be handling SSSD for redundant configurations
on our freeipa clients. We have three freeipa servers; how can we make
SSSD check another
Actually, I stumbled across this which explains everything you need to do
to get sudo working on Centos6 clients.
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
I have had to kind of scratch together bits of information from various
sources including this list (thanks!!)
On Fri, Mar 20, 2015 at 09:20:15AM +0100, Andrew Holway wrote:
Actually, I stumbled across this which explains everything you need to do
to get sudo working on Centos6 clients.
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
I have had to kind of scratch together bits
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
(described here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able
to authenticate AIX 7.1 clients against an AD
On Fri, 20 Mar 2015, Sumit Bose wrote:
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote:
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA
setup (described here:
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote:
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA
setup (described here:
On Fri, Mar 20, 2015 at 11:06:04AM +0100, Jan Pazdziora wrote:
On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote:
On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote:
I'm wondering how we should be handling SSSD for redundant configurations
on our freeipa clients.
On Fri, 20 Mar 2015, Sumit Bose wrote:
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote:
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
(described here:
It seems so:
$ firewall-cmd --list-all
FedoraServer (default, active)
interfaces: em2
sources:
services: cockpit dhcpv6-client ssh
ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd
nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they
are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on
Ah, I see, I had forgotten to enable debug in the nss section. Here is its log.
On 21 March 2015 at 00:40, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:
Two log files in attachment (the other files in /var/log/sssd are all
empty).
I'll also go through the troubleshooting page again,
Actually this was the problem :
I had added the following line to the [sssd] section of sssd.conf :
[sssd]
default_domain_suffix = addomain.net
The reason I had added this is because our business asked if our active
directory trusted users can be allowed to login without entering their
On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote:
Actually this was the problem :
I had added the following line to the [sssd] section of sssd.conf :
[sssd]
default_domain_suffix = addomain.net
The reason I had added this is because our business asked if our active
directory trusted users
On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:
Two log files in attachment (the other files in /var/log/sssd are all
empty).
I'll also go through the troubleshooting page again, thanks
Do the logs include an id call for admin?
I do not see any instance of the word admin in the log.
On
On 03/20/2015 07:41 PM, nat...@nathanpeters.com wrote:
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on
On 03/20/2015 07:56 PM, Roberto Cornacchia wrote:
From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that
invoking getent should correspond to seeing command 17 invoked in the
nss log:
Something like:
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with
input
From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that
invoking getent should correspond to seeing command 17 invoked in the nss
log:
Something like:
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input
[admin].
I don't see any command invocation in my sss_dnss
When I look at the password entries for my rfc2307 account in Active directory
I get three different answers.
The only correct one is on a server where I used sssd to join AD directly ( the
last one ). Do I need to configure
rfc2307? When I configured the server to join AD directly I use the
Matt . wrote:
The right way to request a SAN, this seems to need some extra config file?
Like I said before, use certmonger, it makes life easier.
I'll create a new host balancer.example.com with a HTTP service. I'll
generate a cert with a SAN for idp.example.com in that service. I'm
On Fri, Mar 20, 2015 at 09:41:08AM -0400, Gould, Joshua wrote:
Updated:
libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1
libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1
libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
libsss_nss_idmap-python.x86_64
Hi,
I am having one of those really annoying pesky troubles.
I add clients to freeipa but the first time I am logging in and trying to
sudo with my freeipa credentials the sudo is not working. If I restart the
SSSD process this usually fixes it but not always. I'm going to try and do
some
On Fri, Mar 20, 2015 at 04:05:56PM +0100, Andrew Holway wrote:
Hi,
I am having one of those really annoying pesky troubles.
I add clients to freeipa but the first time I am logging in and trying to
sudo with my freeipa credentials the sudo is not working. If I restart the
SSSD process
The zone settings:
$ ipa dnszone-show --all
Zone name: hq.example.com.
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com.
Active zone: TRUE
Authoritative nameserver: ipa.hq.example.com.
Administrator e-mail address: hostmaster.hq.example.com.
SOA
On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote:
Or even better, set the weight and priority fields on the server and
keep using SRV resolution :-)
How do you specify different priorities for different consumers if
the DNS is IPA-based (== the records are in LDAP and replicated)?
On Fri, 20 Mar 2015, Bobby Prins wrote:
On Fri, 20 Mar 2015, Sumit Bose wrote:
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote:
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients'
freeIPA setup
On Fri, Mar 20, 2015 at 01:02:58PM +0100, Jan Pazdziora wrote:
On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote:
Or even better, set the weight and priority fields on the server and
keep using SRV resolution :-)
How do you specify different priorities for different consumers
On 03/20/2015 08:05 AM, Alexander Bokovoy wrote:
On Fri, 20 Mar 2015, Bobby Prins wrote:
On Fri, 20 Mar 2015, Sumit Bose wrote:
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote:
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use
Updated:
libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1
libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1
libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1
libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1
python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5
Client 34 : FreeIPA
Hi FreeIPA Users:
I can only get my new Fedora 21 freeipa server to set up a trust with Active
Directory if I turn off the firewall on the ipa server. I have looked through
all the doc on which ports to open but have had no luck getting the join to
work with firewalld running... Can
On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
But the ipa server itself is also enrolled as a client, just after the
server installation, right? And that worked fine.
Are these VMs?
There has been a similar case when the network was not set properly for
the virtual test environment.
No, all real machines.
I'm really sorry it's taking so much of your time.
I had tried almost everything on a VM setting first, and everything was
fine.
Everything always works fine, until you actually need it.
On 20 March 2015 at 19:41, Dmitri Pal d...@redhat.com wrote:
On 03/20/2015 01:57
But the ipa server itself is also enrolled as a client, just after the
server installation, right? And that worked fine.
On 20 March 2015 at 18:55, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:
No, sorry about the confusion, I shouldn't have posted so quickly.
When I use the correct
On 03/20/2015 01:55 PM, Roberto Cornacchia wrote:
No, sorry about the confusion, I shouldn't have posted so quickly.
When I use the correct domain (hq.example.com), then I really get all
the same errors as
before, also in the new client.
Does it really hit the right
Oops. Not true, forget last email.
This second client installation went different just because it took the
wrong domain.
It used *example.com* (what was previously set)
instead of *hq.example.com*
Uninstalled, tried again with
On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
Oops. Not true, forget last email.
This second client installation went different just because it took the
wrong domain.
It used *example.com* (what was previously set)
instead of *hq.example.com*
Update:
I tried from another client. Also FC21, same network, same settings from
the same DHCP.
But obviously it must have something different because it partially
succeeded.
- I do not get errors about LDAP users.
- I do not get errors about DNS update
However:
- I still get the initial error
No, sorry about the confusion, I shouldn't have posted so quickly.
When I use the correct domain (hq.example.com), then I really get all the
same errors as before, also in the new client.
On 20 Mar 2015 18:39, Dmitri Pal d...@redhat.com wrote:
On 03/20/2015 01:25 PM, Roberto Cornacchia
ipv6 re-enabled. No luck yet :(
On 20 March 2015 at 17:06, Dmitri Pal d...@redhat.com wrote:
On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
The zone settings:
$ ipa dnszone-show --all
Zone name: hq.example.com.
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone
On 03/20/2015 10:56 AM, Roberto Cornacchia wrote:
The zone settings:
$ ipa dnszone-show --all
Zone name: hq.example.com.
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com.
Active zone:
On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:
No, all real machines.
I'm really sorry it's taking so much of your time.
I had tried almost everything on a VM setting first, and everything
was fine.
Everything always works fine, until you actually need it.
We try to help as much as we
nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd
nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but
the
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I
It certainly gets there, because the client gets in fact enrolled as a
domain host. I can see it from the UI in Identity / Hosts. But not in the
DNS zone.
*Before ipa-client-install, all these do work: *
$ ssh ipa.hq.example.com
$ ntpdate ipa.hq.example.com
$ ldapsearch -x -h ipa.hq.example.com
On 03/20/2015 05:23 PM, nat...@nathanpeters.com wrote:
nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but
the
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am
SSSD logs are empty so far.
Isn't sssd.conf written by ipa-client-install? If I raise the debug level
after client installation, what activities do you suggest to attempt from
the client?
On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote:
On 03/20/2015 05:28 PM, Roberto Cornacchia
I'll open a ticket. It should probably be cleared, unless handled in some
other way, before installs too. This looks like more of a client side issue
than a server one. The database should be cleared when a client is
explicitly uninstalled, and also if the client tries to register to a
different
On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
SSSD logs are empty so far.
This is wrong.
Isn't sssd.conf written by ipa-client-install?
Yes
If I raise the debug level after client installation,
(and restart)
what activities do you suggest to attempt from the client?
the ones
nat...@nathanpeters.com wrote:
I have FreeIPA installed on several types of Linux machines and they are
all experiencing strange issues with certificates and host keys.
Here is the setup:
Server : FreeIPA 4.1.2 on Centos 7
Client 12 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on