Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Jakub Hrozek
On Mon, Apr 13, 2015 at 01:02:18PM -0400, David Guertin wrote: Said that, you can set default domain in SSSD configuration on the legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified name will be sent towards compat tree and non-qualified name can be asked on the client

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-13 Thread Prasun Gera
Just a follow-up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squash

Re: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info

2015-04-13 Thread Dmitri Pal
On 04/13/2015 08:23 AM, Thomas Lau wrote: Hi, These problems appear randomly; sometimes it still works even under heavy packet loss, sometimes it would be like this. So it's hard to catch. On Apr 13, 2015 3:22 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Apr

Re: [Freeipa-users] Checking 389 for ACI contamination

2015-04-13 Thread Brian Topping
On Apr 13, 2015, at 1:33 PM, Martin Kosek mko...@redhat.com wrote: On 04/12/2015 05:27 AM, Brian Topping wrote: Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time, is there

Re: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info

2015-04-13 Thread Thomas Lau
Hi, It's an in-house program which runs as one Kerberos user. On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal d...@redhat.com wrote: On 04/13/2015 08:23 AM, Thomas Lau wrote: Hi, These problems appear randomly; sometimes it still works even under heavy packet loss, sometimes it would be like this.

[Freeipa-users] Upgrading Freeipa 3 server.

2015-04-13 Thread Aric Wilisch
One of our environments has a FreeIPA 3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA 3 box. But now I’m stuck. I can’t find any good documentation on how to promote the new FreeIPA 4 server and take the old

Re: [Freeipa-users] Upgrading Freeipa 3 server.

2015-04-13 Thread Dmitri Pal
On 04/13/2015 07:26 PM, Aric Wilisch wrote: One of our environments has a FreeIPA 3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA 3 box. But now I'm stuck. I can't find any good documentation on how to

Re: [Freeipa-users] Upgrading Freeipa 3 server.

2015-04-13 Thread Aric Wilisch
I didn’t see this guide until now. The IPA3 server started off as a RHEL 6.6 server so no upgrade is necessary, but I simply generated the replica file and created the IPA 4 server as a replica. Aside from the CA not being there the server looks to be working fine and shows up as a master.

Re: [Freeipa-users] user account without password

2015-04-13 Thread Alexander Frolushkin
Hello, usually domain users are used to run services AND to do some administration work. Some users are only used to run services. Also, there are a number of domain users, for example oracle, which are very important for application life, so we duplicate such users locally to make sure it

Re: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info

2015-04-13 Thread Jakub Hrozek
On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: Hi all, We have a cron job which runs as a FreeIPA LDAP user; when the connection between the IPA server and the client has heavy packet loss, the following error would occur: CRON[20637]: Authentication service cannot retrieve authentication

Re: [Freeipa-users] DNS questions

2015-04-13 Thread Petr Spacek
Hello! On 11.4.2015 12:08, Christoph Kaminski wrote: have some questions about DNS in IPA... first some info on our DNS structure: we have 4 internal domains and a lot of subdomains, for example: domain: ourdom.int subdomains: - mgmt.ourdom.int - io.ourdom.int -

Re: [Freeipa-users] Replica status 'last update ended'

2015-04-13 Thread thierry bordaz
On 04/13/2015 08:31 AM, Martin Kosek wrote: On 04/11/2015 11:34 AM, Christoph Kaminski wrote: Hi All, with the cmd: ipa-replica-manage -v list myipaserver I can see the status of the replication... But I don't understand the field 'last update ended'. What does the field show? The last

Re: [Freeipa-users] Replica status 'last update ended'

2015-04-13 Thread Martin Kosek
On 04/11/2015 11:34 AM, Christoph Kaminski wrote: Hi All, with the cmd: ipa-replica-manage -v list myipaserver I can see the status of the replication... But I don't understand the field 'last update ended'. What does the field show? The last SUCCESSFUL update? The last TRY to update?

Re: [Freeipa-users] Checking 389 for ACI contamination

2015-04-13 Thread Martin Kosek
On 04/12/2015 05:27 AM, Brian Topping wrote: Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time, is there any possibility that the 3.x ACIs contaminated the 4.x DIT? What do you

Re: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-13 Thread Прохоров Сергей
Thank you, Rob, for your response. On 08.04.2015 21:07, Rob Crittenden wrote: I assume you can't do this because the original host is lost, right? Yeah, you're right. Every IPA master is an equal, some are just more equal than others. The key bit that distinguishes them is whether there is a CA

Re: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute objectclass

2015-04-13 Thread Martin Kosek
On 04/11/2015 09:51 PM, Traiano Welcome wrote: Hi, I got this error while installing an IPA replica of my primary master IDM server: .LDAPUpdate: ERROR Add failure missing required attribute objectclass Replica add command: ipa-replica-install --setup-ca --setup-dns

Re: [Freeipa-users] Multi-Master IPA deployment with AD Trusts: Stability and Consistency Expectations?

2015-04-13 Thread Alexander Bokovoy
On Mon, 13 Apr 2015, Traiano Welcome wrote: Hi List The deployment I'm contemplating is as follows: 1. FreeIPA master at a central site,with AD Trust established to the primary DC. 2. Replicas of the FreeIPA master at 4 other sites (with varying WAN latency between central and site),with

[Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread David Guertin
In our newly-setup IPA environment, users can log in to RHEL clients with the username username@addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no longer work. Many of the users have web pages served from the

Re: [Freeipa-users] multihome - single interface?

2015-04-13 Thread Janne Blomqvist
On 2015-04-10 12:05, Petr Spacek wrote: On 10.4.2015 10:52, Janne Blomqvist wrote: On 2015-04-07 14:29, Martin Kosek wrote: On 04/05/2015 08:03 PM, Dmitri Pal wrote: On 04/05/2015 12:51 PM, Janelle wrote: Hello, Trying to find a way on a multi-homed server to force IPA and its

Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Jakub Hrozek
On Mon, Apr 13, 2015 at 10:23:08AM -0400, David Guertin wrote: In our newly-setup IPA environment, users can log in to RHEL clients with the username username@addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread David Dejaeghere
Hi Rob, So you want the output of the command using a pk12 with the server cert and key? Or with the CA chain in there too? Regards, David 2015-04-13 16:28 GMT+02:00 Rob Crittenden rcrit...@redhat.com: David Dejaeghere wrote: Hi, I get the same error when I use a pk12 with only the server

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread Rob Crittenden
David Dejaeghere wrote: Hi, I get the same error when I use a pk12 with only the server certificate (and key) in it. Not sure what else I can try. I'd need to see the full output again. rob Regards, D 2015-04-11 0:23 GMT+02:00 Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Alexander Bokovoy
On Mon, 13 Apr 2015, David Guertin wrote: In our newly-setup IPA environment, users can log in to RHEL clients with the username username@addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no longer work. Many of

Re: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info

2015-04-13 Thread Thomas Lau
Hi, These problems appear randomly; sometimes it still works even under heavy packet loss, sometimes it would be like this. So it's hard to catch. On Apr 13, 2015 3:22 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: Hi all, We have a cron job

Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread David Guertin
Said that, you can set default domain in SSSD configuration on the legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified name will be sent towards compat tree and non-qualified name can be asked on the client (RHEL 5) side. I was able to do this on RHEL 6/sssd 1.11 with

Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Alexander Bokovoy
On Mon, 13 Apr 2015, Gould, Joshua wrote: On 4/13/15, 11:37 AM, Alexander Bokovoy aboko...@redhat.com wrote: Through the external users' groups mechanism we use for any other AD user mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but

Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Gould, Joshua
On 4/13/15, 11:37 AM, Alexander Bokovoy aboko...@redhat.com wrote: Through the external users' groups mechanism we use for any other AD user mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add

Re: [Freeipa-users] user account without password

2015-04-13 Thread Nordgren, Bryce L -FS
Hi Alex, Just because I gave up doesn't mean there isn't a way. Does your partitioning of local/domain users allow a domain user to run a service on a machine? I was trying to run an iPython notebook server as my regular user/domain account via systemd. Much of the data that the service

[Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Gould, Joshua
I’ve looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo The issue

Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Alexander Bokovoy
On Mon, 13 Apr 2015, Gould, Joshua wrote: I’ve looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA.