Re: [Freeipa-users] Chained IPA Servers

2015-03-24 Thread Jakub Hrozek
On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote: > On 03/23/2015 05:13 PM, Matt Wells wrote: > >We have two authentication domains; both on 4.X. > > > >Domain 1 - Internal and contains our employee accounts > >Domain 2 - External accounts that reside outside of our company. > >These acco

Re: [Freeipa-users] inserting users via java

2015-03-24 Thread Martin Kosek
On 03/24/2015 01:29 AM, Dmitri Pal wrote: > On 03/23/2015 05:56 PM, Timothy Worman wrote: >> I have an existing web app built with java/WebObjects that currently handles >> some user/groups tasks with our current directory server (Open Directory). We >> are investigating a move to FreeIPA for our d

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread Łukasz Jaworski
Message written by Martin Kosek on 23 Mar 2015, at 12:04: > On 03/23/2015 04:07 AM, Janelle wrote: >> attrlist_replace - attr_replace (nsslapd-referral, >> ldap://ipa1.example.com:389/o%3Dipaca) failed. > > Hm, I have not met this error yet. This looks like an error from 389-ds-base, i

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread thierry bordaz
On 03/24/2015 09:49 AM, Łukasz Jaworski wrote: Message written by Martin Kosek on 23 Mar 2015, at 12:04: On 03/23/2015 04:07 AM, Janelle wrote: attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. Hm, I have not met this error yet. Th

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread Łukasz Jaworski
Hi, Message written by thierry bordaz on 24 Mar 2015, at 10:01: > > It seems that this error is logged each time a replication session is > started. At the beginning of the session, the replica that receives the > replication request, tries to update the referral list of the rep

Re: [Freeipa-users] Chained IPA Servers

2015-03-24 Thread Dmitri Pal
On 03/24/2015 03:25 AM, Jakub Hrozek wrote: On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote: On 03/23/2015 05:13 PM, Matt Wells wrote: We have two authentication domains; both on 4.X. Domain 1 - Internal and contains our employee accounts Domain 2 - External accounts that reside out

[Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
HI i am using IPA 3.3 and my client is solaris 10. how can i give only some set of users to this client without creating user group in ad? thanks & Regards, Ben -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://fre

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
>- Original message - >From: "Alexander Bokovoy" >To: "Bobby Prins" >Cc: d...@redhat.com, freeipa-users@redhat.com >Sent: Monday 23 March 2015 16:44:47 >Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >... > >Can you show relevant par

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Dmitri Pal
On 03/24/2015 07:20 AM, Ben .T.George wrote: HI i am using IPA 3.3 and my client is solaris 10. how can i give only some set of users to this client without creating user group in ad? thanks & Regards, Ben You can create a group in IPA and make Solaris check that group at the access pha

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:01 AM, Bobby Prins wrote: - Original message - From: "Alexander Bokovoy" To: "Bobby Prins" Cc: d...@redhat.com, freeipa-users@redhat.com Sent: Monday 23 March 2015 16:44:47 Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mo

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
Hi there, All the issues I reported in this long thread are SOLVED. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd [...] Synchronizing time with KDC... Unable

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: Hi there, All the issues I reported in this long thread are SOLVED. Thanks for closing the loop. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $ ipa-client-install

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
On 24 March 2015 at 14:49, Dmitri Pal wrote: > On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: > > Hi there, > > All the issues I reported in this long thread are SOLVED. > > > Thanks for closing the loop. > > For completeness, I'm posting here the conclusions. > > ipa-client-install did en

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Alexander Bokovoy
On Tue, 24 Mar 2015, Bobby Prins wrote: - Original message - From: "Alexander Bokovoy" To: "Bobby Prins" Cc: d...@redhat.com, freeipa-users@redhat.com Sent: Monday 23 March 2015 16:44:47 Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
>- Original message - >From: "Dmitri Pal" >To: "Bobby Prins" , "Alexander Bokovoy" > >Cc: freeipa-users@redhat.com >Sent: Tuesday 24 March 2015 14:44:42 >Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >On 03/24/2015 09:01 AM, Bobby Pr

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread thierry bordaz
Hello, Sorry for the late answer. Those entries are named RUV. host25.x1.net RUV contains nscpentrywsi: nsds50ruv: {replicageneration} 550feb150060 nscpentrywsi: nsds50ruv: {replica 96 ldap://host25.x1.net:389} 550feb1d0060 551129d70060 nscpentrywsi: nsds50ruv:

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Dmitri Pal
On 03/24/2015 10:18 AM, Bobby Prins wrote: - Original message - From: "Dmitri Pal" To: "Bobby Prins" , "Alexander Bokovoy" Cc: freeipa-users@redhat.com Sent: Tuesday 24 March 2015 14:44:42 Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mod

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
>- Original message - >From: "Dmitri Pal" >To: "Bobby Prins" >Cc: "Alexander Bokovoy" , freeipa-users@redhat.com >Sent: Tuesday 24 March 2015 16:08:07 >Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >On 03/24/2015 10:18 AM, Bobby Prin

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
>- Original message - >From: "Alexander Bokovoy" >To: "Bobby Prins" >Cc: d...@redhat.com, freeipa-users@redhat.com >Sent: Tuesday 24 March 2015 15:13:38 >Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >On Tue, 24 Mar 2015, Bobby Prins

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread Martin Kosek
On 03/24/2015 03:18 PM, thierry bordaz wrote: > Hello, > > Sorry for the late answer. > > Those entries are named RUV. > > host25.x1.net RUV contains > nscpentrywsi: nsds50ruv: {replicageneration} 550feb150060 > nscpentrywsi: nsds50ruv: {replica 96 ldap://host25.x1.net:389} > 550

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Dmitri Pal
On 03/24/2015 11:45 AM, Bobby Prins wrote: - Original message - From: "Alexander Bokovoy" To: "Bobby Prins" Cc: d...@redhat.com, freeipa-users@redhat.com Sent: Tuesday 24 March 2015 15:13:38 Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mo

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Jakub Hrozek
On Tue, Mar 24, 2015 at 04:45:53PM +0100, Bobby Prins wrote: > >- Original message - > >From: "Alexander Bokovoy" > >To: "Bobby Prins" > >Cc: d...@redhat.com, freeipa-users@redhat.com > >Sent: Tuesday 24 March 2015 15:13:38 > >Subject: Re: [Freeipa-users] 'Preauthentication f

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Alexander Bokovoy
On Tue, 24 Mar 2015, Bobby Prins wrote: - Original message - From: "Alexander Bokovoy" To: "Bobby Prins" Cc: d...@redhat.com, freeipa-users@redhat.com Sent: Tuesday 24 March 2015 15:13:38 Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

[Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-24 Thread Jan Pazdziora
Hello, after enabling https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo I've installed freeipa-server bind bind-dyndb-ldap and run ipa-server-install --domain example.test The process failed at [3/7]: setting up kerb

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
>- Original message - >From: "Alexander Bokovoy" >To: "Bobby Prins" >Cc: d...@redhat.com, freeipa-users@redhat.com >Sent: Tuesday 24 March 2015 17:23:08 >Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in >ipa_server_mode > >On Tue, 24 Mar 2015, Bobby Prins

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
Hi current stage is AD users can able to login to solaris box. But i don't up to what level i can control the user. i don't think to there is much pan modules in solaris. still i cannot able to make home directory with pam. On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal wrote: > On 03/24/2015

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Alexander Bokovoy
On Tue, 24 Mar 2015, Bobby Prins wrote: The inability to login is reported in about the same time as the number of seconds you would find in the etime= field of the RESULT line. I checked the "Common AD provider issues" and "Troubleshooting authentication, password change and access control" s

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Dmitri Pal
On 03/24/2015 01:15 PM, Ben .T.George wrote: Hi current stage is AD users can able to login to solaris box. But i don't up to what level i can control the user. i don't think to there is much pan modules in solaris. still i cannot able to make home directory with pam. I think pam_groupdn (

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/24/2015 01:15 PM, Ben .T.George wrote: >> Hi >> >> current stage is AD users can able to login to solaris box. But i >> don't up to what level i can control the user. >> >> i don't think to there is much pan modules in solaris. still i cannot >> able to make home directory

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
please anyone share bit more information on this like real example On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden wrote: > Dmitri Pal wrote: > > On 03/24/2015 01:15 PM, Ben .T.George wrote: > >> Hi > >> > >> current stage is AD users can able to login to solaris box. But i > >> don't up to what

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Rob Crittenden
Ben .T.George wrote: > please anyone share bit more information on this like real example As we've said many times before, we have very little real experience on Solaris. We do the best we can and sometimes that is going to be in the form of bread crumbs that may be usable to finding your way to

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
> On Mar 24, 2015, at 18:42, Alexander Bokovoy wrote: > > On Tue, 24 Mar 2015, Bobby Prins wrote: The inability to login is reported in about the same time as the number of seconds you would find in the etime= field of the RESULT line. I checked the "Common AD provider issu

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
> On Mar 24, 2015, at 17:11, Dmitri Pal wrote: > > On 03/24/2015 11:45 AM, Bobby Prins wrote: >>> - Original message - >>> From: "Alexander Bokovoy" >>> To: "Bobby Prins" >>> Cc: d...@redhat.com, freeipa-users@redhat.com >>> Sent: Tuesday 24 March 2015 15:13:38 >>> Subject

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Bobby Prins
> On Mar 24, 2015, at 17:17, Jakub Hrozek wrote: > > On Tue, Mar 24, 2015 at 04:45:53PM +0100, Bobby Prins wrote: >>> - Original message - >>> From: "Alexander Bokovoy" >>> To: "Bobby Prins" >>> Cc: d...@redhat.com, freeipa-users@redhat.com >>> Sent: Tuesday 24 March 2015 15

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-24 Thread Jakub Hrozek
On Tue, Mar 24, 2015 at 08:10:43PM +0100, Bobby Prins wrote: > > I guess what Alexander meant (in a very simplified way) was that the 'id' > > command could take a long time. Sumit recently fixed two nasty issues that > > would make this operation take too long with POSIX attributes in effect > > a

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-24 Thread sipazzo
Ok I finally was able to get a sandbox environment up to test the cert replacement. When I ran this step got to the cert request steps: ipa-getcert request -d /etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p /etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C '/usr/lib64/ipa/certmonger/restart_dirsrv

[Freeipa-users] Clients are reading AD info inconsistently

2015-03-24 Thread Guertin, David S.
I have three IPA servers set up (master and two replicas) and they're all behaving normally. AD users can log in, AD group restrictions are honored, etc. Now I'm trying to set up clients, and running into problems. I have three clients set up, and all three behave differently. On one of the cli

[Freeipa-users] Debian 7.0.8 and REHL IPA

2015-03-24 Thread Steven Jones
Hi, Anyone have experience with running the sssd client (I assume its available) on Debian 7.0.8 against a RH IPA setup? Is it painless long term or best avoided? regards Steven

Re: [Freeipa-users] Debian 7.0.8 and REHL IPA

2015-03-24 Thread Will Sheldon
There is a ppa for ubuntu: https://code.launchpad.net/~freeipa/+archive/ubuntu/ppa and packages in the deb archives: https://packages.qa.debian.org/f/freeipa.html I’ve had mixed results using them, there seem to be frequent regressions so having a canary machine / cluster is essential.  The

[Freeipa-users] ID Range question

2015-03-24 Thread Janelle
Hello, I have seen this pop up a few times, but no real answers - at least none that I am finding.. I have not run into it and this was a brand new server farm with about 4000 migrated users from OpenLDAP? Is there something I might be missing when migrating? ipa: ERROR: Operations error:

Re: [Freeipa-users] ID Range question

2015-03-24 Thread Rob Crittenden
Janelle wrote: > Hello, > > I have seen this pop up a few times, but no real answers - at least none > that I am finding.. > > I have not run into it and this was a brand new server farm with about > 4000 migrated users from OpenLDAP? Is there something I might be missing > when migrating? > > i

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-24 Thread Dmitri Pal
On 03/24/2015 05:08 PM, Guertin, David S. wrote: I have three IPA servers set up (master and two replicas) and they're all behaving normally. AD users can log in, AD group restrictions are honored, etc. Now I'm trying to set up clients, and running into problems. I have three clients set up,

Re: [Freeipa-users] Debian 7.0.8 and REHL IPA

2015-03-24 Thread Prasun Gera
I tried setting up the client on an ubuntu 12.04 system, and had some initial hiccups. I used the ppa for ipa and sssd. This bug report lists some pitfalls: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215. I don't know why it is marked as won't fix, but it affects 12.04, which is LTS

Re: [Freeipa-users] ID Range question

2015-03-24 Thread Janelle
That makes perfect sense. I lost a connection to the master. I can fix that. Thank you! ~J On 3/24/15 3:26 PM, Rob Crittenden wrote: Janelle wrote: Hello, I have seen this pop up a few times, but no real answers - at least none that I am finding.. I have not run into it and this was a brand

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-24 Thread Michael Pawlak
Endi, Any word on the build? *Michael Pawlak* Web Systems Administrator | Colovore LLC E: m...@colovore.com C: 408.316.2154 On Mon, Mar 23, 2015 at 2:55 PM, Michael Pawlak wrote: > Endi, > > I could test that. > > *Michael Pawlak* > Web Systems Administrator | Colov

[Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Anthony Lanni
While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a pa

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:17 PM, Anthony Lanni wrote: While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N --idstart=10

[Freeipa-users] Is it possible to Disable "BAD Password" from IPA Configs

2015-03-24 Thread Yogesh Sharma
Hi, Is there any way that we can configure IPA server not to do Strict Checking for Password. For EG: *BAD PASSWORD: The password is too similar to the old one* *New password: * *BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word* We tried removing "use_aut

Re: [Freeipa-users] Is it possible to Disable "BAD Password" from IPA Configs

2015-03-24 Thread Alexander Bokovoy
On Wed, 25 Mar 2015, Yogesh Sharma wrote: Hi, Is there any way that we can configure IPA server not to do Strict Checking for Password. For EG: *BAD PASSWORD: The password is too similar to the old one* *New password: * *BAD PASSWORD: The password fails the dictionary check - it is based on a

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread Łukasz Jaworski
Hi, Message written by Martin Kosek on 24 Mar 2015, at 17:08: > Right. Maybe you reinstalled IPA replica (several times) without cleaning the > RUV? With > > # ipa-replica-manage list-ruv > # ipa-replica-manage clean-ruv > > you should be able to clean the old (lower) RUVs and

[Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-24 Thread Yogesh Sharma
Hi, We are getting below error while we are installing IPA Server (ipa-server-install --no-ntp). ** *Configuration of client side components failed!* *ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg