Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Markus Roth
Endi Sukma Dewata edew...@redhat.com wrote on 1 April 2015 at 23:56: On 4/1/2015 4:29 PM, Markus Roth wrote: On Wednesday, 1 April 2015, 16:04:54 you wrote: On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: On 03/31/2015 01:54 PM, Markus Roth wrote: Hi all, I want

Re: [Freeipa-users] upgrade 3.0 - 4.1

2015-04-08 Thread Martin Kosek
On 04/07/2015 11:29 PM, Dmitri Pal wrote: On 04/07/2015 03:04 PM, Natxo Asenjo wrote: hi, On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal d...@redhat.com wrote: On 04/03/2015 09:46 AM, Brian Topping wrote: On Apr 3, 2015, at 6:48 AM, Tamas Papp tom...@martos.bme.hu

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Martin (Lists)
On 08.04.2015 at 10:27, Jakub Hrozek wrote: Can you run: KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM So that we can compare with the krb5_child.log you sent earlier? I wonder if SSSD talks to a KDC that is slower or far away from your client.. This is my trace from kinit: [2422]

[Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
Hello! We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). Now it is broken globally, in logs I see these: [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:04 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 11:52 AM, Alexander

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 11:07:25AM +, Alexander Frolushkin wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:47 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz; Jakub Hrozek

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Martin Kosek
On 04/08/2015 01:40 PM, Alexander Frolushkin wrote: -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, April 08, 2015 5:12 PM To: Alexander Frolushkin (SIB) Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re:

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Ludwig Krispenz
On 04/08/2015 12:04 PM, Martin Kosek wrote: On 04/08/2015 11:52 AM, Alexander Frolushkin wrote: Hello! We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). Now it is broken globally, in logs I

Re: [Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Traiano Welcome
Hi Ben On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George bentech4...@gmail.com wrote: HI i am getting krb5kdc: Server error on logs: krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL and the ipactl status is taking long time. Web interface is not able to

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
-Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 08, 2015 4:18 PM To: Martin Kosek Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 12:04 PM, Martin

Re: [Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Ben .T.George
HI Traiano, thanks for the info i have checked the hosts and confirmed that entry was ip FQDN Alias format And the DNS everything is working [root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ;

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:47 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz; Jakub Hrozek Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 In any case, upgrade

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
Sudo seems to be configured correctly but somehow it's not working Even if I do a sudo -l under the admin user [admin@ironhide tmp]$ sudo -l [sudo] password for admin: Matching Defaults entries for admin on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
-Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, April 08, 2015 5:12 PM To: Alexander Frolushkin (SIB) Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On Wed, Apr 08,

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread thierry bordaz
On 04/08/2015 12:36 PM, Alexander Frolushkin wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 08, 2015 4:18 PM To: Martin Kosek Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz Subject: Re: [Freeipa-users]

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Martin Chamambo
From: Jakub Hrozek [jhro...@redhat.com] Sent: Wednesday, April 08, 2015 2:01 PM To: Martin Chamambo Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 11:40:08AM +, Alexander Frolushkin wrote: After that, clients are able to login via ssh on servers connected to 7.1 servers, but still no login on client servers connected to 7.0 IPA servers... There might be a problem with ACIs, can you check the logs on the

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Martin Kosek
On 04/08/2015 12:12 PM, Alexander Frolushkin wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:04 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users]

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote: Sudo seems to be configured correctly but somehow it's not working Even if I do a sudo -l under the admin user [admin@ironhide tmp]$ sudo -l [sudo] password for admin: Matching Defaults entries for admin on this host:

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Martin Kosek
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote: Hello! We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). Now it is broken globally, in logs I see these: [08/Apr/2015:13:06:47 +0600]

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
On one of accidentally upgraded server I have following error in dirsrv logs: [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Lukas Slebodnik
On (08/04/15 09:25), Chamambo Martin wrote: Good day I am running FreeIPA, version: 4.1.0 and everything is working well except SUDO configuration. ipa-client-install on CentOS 7.1 should configure sudo by default. I have 3 questions 1: I have configured the bare minimum sudo

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote: I have these logs and can't seem to make sense of them These are not the logs we asked for. What we need is debug_level=6 in the sudo section, then run sudo, then attach /var/log/sssd/sssd_sudo.log. It would also be nice if you

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
I have this log after doing a debug_level=6 in the sudo section and have attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb [root@ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for

[Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Ben .T.George
HI i am getting krb5kdc: Server error on logs: krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL and the ipactl status is taking long time. Web interface is not able to authenticate. If i issue ipactl restart, nothing is happening to solve this issue currently i am

[Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
Good day I am running FreeIPA, version: 4.1.0 and everything is working well except SUDO configuration. I have 3 questions 1: I have configured the bare minimum sudo configuration without hostgroups and netgroups , just sudo commands and sudo command groups that have been added as sudo

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Natxo Asenjo
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth mar...@die5roths.de wrote: Yesterday I did the installation of freeipa on my banana Pi with modifying the source file ipalib/constants.py:('startup_timeout', 300). I changed it to 900 s. And the setup process was successful! The start of the

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Markus Roth
Martin Kosek mko...@redhat.com wrote on 8 April 2015 at 10:59: On 04/08/2015 07:57 AM, Markus Roth wrote: Endi Sukma Dewata edew...@redhat.com wrote on 1 April 2015 at 23:56: On 4/1/2015 4:29 PM, Markus Roth wrote: On Wednesday, 1 April 2015, 16:04:54

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote: Good day I am running FreeIPA, version: 4.1.0 and everything is working well except SUDO configuration. I have 3 questions 1: I have configured the bare minimum sudo configuration without hostgroups and netgroups ,

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 10:11:01AM +0200, Martin (Lists) wrote: On 07.04.2015 at 18:27, Simo Sorce wrote: On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote: Hello, attached you can find the data from krb_child.log. As far as I can see it, the three seconds are due to the

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Martin (Lists)
On 08.04.2015 at 10:57, Jakub Hrozek wrote: Most of the host can only communicate in the local net, which has not that much hosts (10). The wired ones are connected via GBit Network, wireless it is up to 150MBit. Server is a Xeon E3-1225 with 8GB Mem. All Systems have Fedora 21

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
I have these logs and can't seem to make sense of them I have created the hostgroup mailservers and have added the sudo rule that allows the users to execute sudo vim anyfile (Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote: I have this log after doing a debug_level=6 in the sudo section and have attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Jakub Hrozek
On Wed, Apr 08, 2015 at 10:43:10AM +0200, Martin (Lists) wrote: On 08.04.2015 at 10:27, Jakub Hrozek wrote: Can you run: KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM So that we can compare with the krb5_child.log you sent earlier? I wonder if SSSD talks to a KDC that is slower

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Martin (Lists)
On 07.04.2015 at 18:27, Simo Sorce wrote: On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote: Hello, attached you can find the data from krb_child.log. As far as I can see it, the three seconds are due to the communication with the kerberos server. (1.2.3.4 is my server). Do you

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Chamambo Martin
I have done below and its giving me the correct results and at the moment LET ME enable debugging in sudo itself and see if that will get me somewhere [root@ironhide ~]# getent netgroup mailservers mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw)

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Martin Kosek
On 04/08/2015 07:57 AM, Markus Roth wrote: Endi Sukma Dewata edew...@redhat.com wrote on 1 April 2015 at 23:56: On 4/1/2015 4:29 PM, Markus Roth wrote: On Wednesday, 1 April 2015, 16:04:54 you wrote: On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: On 03/31/2015 01:54 PM,

Re: [Freeipa-users] FreeIPA server in Docker container improved

2015-04-08 Thread Mark Heslin
On 04/08/2015 08:42 AM, Jan Pazdziora wrote: Hello world! The ability to run FreeIPA server in a container was recently improved by adding support for storing the server configuration and data in a volume, making it easier to backup the server, upgrade it to newer versions, as well as adding

[Freeipa-users] Private key management

2015-04-08 Thread Andrey Ptashnik
Hello Team, I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. Is there any possible way to manage private keys as well including features like re-issuing the key pair if it gets compromised? Regards, Andrey

[Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-08 Thread Прохоров Сергей
Hello, I have self-signed freeipa replica. The problem is that I lose my freeipa primary server after hdd error. Now I need to create new replication server but I can't without primary server. I read this documentation and a lot of community correspondence but don't find my issue:

[Freeipa-users] ID Ranges in FreeIPA

2015-04-08 Thread Coy Hile
Hi all, When I installed FreeIPA, it created a default ID range (of which user admin is currently the only user existing). Through the UI, I've found that one can create additional ranges (and that the ipa tools will complain if a user has a uid assigned manually that falls outside the defined

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread thierry bordaz
On 04/08/2015 02:19 PM, Alexander Frolushkin wrote: On one of accidentally upgraded server I have following error in dirsrv logs: [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-08 Thread Simo Sorce
On Wed, 2015-04-08 at 10:11 +0200, Martin (Lists) wrote: On 07.04.2015 at 18:27, Simo Sorce wrote: On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote: Hello, attached you can find the data from krb_child.log. As far as I can see it, the three seconds are due to the communication

Re: [Freeipa-users] ID Ranges in FreeIPA

2015-04-08 Thread Rob Crittenden
Coy Hile wrote: Hi all, When I installed FreeIPA, it created a default ID range (of which user admin is currently the only user existing). Through the UI, I've found that one can create additional ranges (and that the ipa tools will complain if a user has a uid assigned manually that

[Freeipa-users] FreeIPA server in Docker container improved

2015-04-08 Thread Jan Pazdziora
Hello world! The ability to run FreeIPA server in a container was recently improved by adding support for storing the server configuration and data in a volume, making it easier to backup the server, upgrade it to newer versions, as well as adding the ability to start a container as a replica of

Re: [Freeipa-users] Private key management

2015-04-08 Thread Andrey Ptashnik
It looks like Vault is the functionality I was looking for. Thank you Rob and Dmitri for your responses. Regards, Andrey On 4/8/15, 5:59 PM, Rob Crittenden rcrit...@redhat.com wrote: Andrey Ptashnik wrote: Hello Team, I know that FreeIPA server supports management of public keys for

[Freeipa-users] Expired Certs on 3.0.0 IPA host

2015-04-08 Thread John Williams
I'm looking at the following link for recovering expired certificates on FreeIPA 3.0.0: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do not find one. I see the other three: auditSigningCert cert-pki-ca

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread James James
It's a little bit more clear. Thanks. I have created a new ipa 4.1 replica but when I want to run : # ipa-cacert-manage renew --self-signed I've got this message : [root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed CA is not configured on this system If I want to install the CA

[Freeipa-users] Freeipa 4 and AD

2015-04-08 Thread Aric Wilisch
I’m having issues with getting my RHEL 7 server running Freeipa 4 to join my Windows 2012R2 domain. DNS checks out fine. When I try to establish the join I get the below listed errors popping up. I’ve tried both creating the trust from Freeipa and just this morning I setup the trust on the AD

Re: [Freeipa-users] Freeipa 4 and AD

2015-04-08 Thread Alexander Bokovoy
On Wed, 08 Apr 2015, Aric Wilisch wrote: I’m having issues with getting my RHEL 7 server running Freeipa 4 to join my Windows 2012R2 domain. DNS checks out fine. When I try to establish the join I get the below listed errors popping up. I’ve tried both creating the trust from Freeipa and just

Re: [Freeipa-users] Private key management

2015-04-08 Thread Rob Crittenden
Andrey Ptashnik wrote: Hello Team, I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. Is there any possible way to manage private keys as well including features like re-issuing the key pair if it gets compromised? I assume you

Re: [Freeipa-users] Private key management

2015-04-08 Thread Dmitri Pal
On 04/08/2015 11:31 AM, Andrey Ptashnik wrote: Hello Team, I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. First of all IPA does not support user certs yet. It supports SSH public keys if this is what you are referring to.

Re: [Freeipa-users] Freeipa 4 and AD

2015-04-08 Thread Dmitri Pal
On 04/08/2015 12:42 PM, Aric Wilisch wrote: I'm having issues with getting my RHEL 7 server running Freeipa 4 to join my Windows 2012R2 domain. DNS checks out fine. When I try to establish the join I get the below listed errors popping up. I've tried both creating the trust from Freeipa and

Re: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-08 Thread Rob Crittenden
Прохоров Сергей wrote: Hello, I have self-signed freeipa replica. The problem is that I lose my freeipa primary server after hdd error. Now I need to create new replication server but I can't without primary server. I read this documentation and a lot of community correspondence but don't

Re: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-08 Thread Dmitri Pal
On 04/08/2015 07:12 AM, Прохоров Сергей wrote: Hello, I have self-signed freeipa replica. The problem is that I lose my freeipa primary server after hdd error. Now I need to create new replication server but I can't without primary server. I read this documentation and a lot of community

Re: [Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Dmitri Pal
On 04/08/2015 06:54 AM, Ben .T.George wrote: HI Traiano, thanks for the info i have checked the hosts and confirmed that entry was ip FQDN Alias format And the DNS everything is working [root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp

Re: [Freeipa-users] Expired Certs on 3.0.0 IPA host

2015-04-08 Thread Rob Crittenden
John Williams wrote: I'm looking at the following link for recovering expired certificates on FreeIPA 3.0.0: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do not find one. I see the other three:

[Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

2015-04-08 Thread Guertin, David S.
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA servers (one master and two duplicates). I'm trying to ensure that if one server goes down, the remaining server(s) will still allow logins. With the RHEL 6 clients this is easy -- the line ipa_server = _srv_,

Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

2015-04-08 Thread Rob Crittenden
Guertin, David S. wrote: I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA servers (one master and two duplicates). I'm trying to ensure that if one server goes down, the remaining server(s) will still allow logins. With the RHEL 6 clients this is easy -- the line

Re: [Freeipa-users] granular sudo commands

2015-04-08 Thread Martin Chamambo
For all my sudo commands i do sudo command_name_here From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Craig White [cwh...@skytouchtechnology.com] Sent: Thursday, April 09, 2015 1:52 AM To: freeipa-users@redhat.com Subject:

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Alexander Frolushkin
-Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 08, 2015 6:36 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 02:19 PM,

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread Martin Kosek
On 04/09/2015 05:59 AM, Alexander Frolushkin wrote: -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 08, 2015 6:36 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users]

Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

2015-04-08 Thread Martin Chamambo
Good day I managed to configure sudo and its working for all my centos 6.6 and RHEL 6.6 clients. somehow i managed to change the sudo rules, sudo commands and sudo groups to be less restrictive, that's when i managed to access root owned files using sudo thanx for your help My advice when

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread Jan Cholasta
On 8.4.2015 at 17:43, James James wrote: It's a little bit more clear. Thanks. I have created a new ipa 4.1 replica but when I want to run : # ipa-cacert-manage renew --self-signed I've got this message : [root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed CA is not configured

[Freeipa-users] granular sudo commands

2015-04-08 Thread Craig White
rpm -q sssd sssd-1.11.6-30.el6_6.4.x86_64 rpm -q ipa-client ipa-client-3.0.0-42.el6.x86_64 [test2.user@app001 ~]$ sudo su - weblogic [sudo] password for test2.user: Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local. [test2.user@app001 ~]$ sudo -l

Re: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

2015-04-08 Thread Dmitri Pal
On 04/08/2015 09:04 PM, Martin Chamambo wrote: I managed to install my ipa client on centos 5 using this command below ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw and it worked perfectly , i can getent passwd for users in the freeIPA server which is good. I am now

[Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

2015-04-08 Thread Martin Chamambo
I managed to install my ipa client on centos 5 using this command below ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw and it worked perfectly , i can getent passwd for users in the freeIPA server which is good. I am now trying to configure SUDO on centos and there seem

Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

2015-04-08 Thread Dmitri Pal
On 04/08/2015 04:04 PM, Guertin, David S. wrote: I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA servers (one master and two duplicates). I'm trying to ensure that if one server goes down, the remaining server(s) will still allow logins. With the RHEL 6 clients