Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot

2015-05-18 Thread Martin Kosek
On 05/18/2015 02:17 PM, Sina Owolabi wrote: Hi Martin And thanks for getting back, greatly appreciated. I tore down the replica and reinstalled from scratch, using an old replica-info file I had on the primary. I'm not sure if this is a good thing to do, but I would appreciate if you could

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Brian Topping
On May 18, 2015, at 9:55 PM, Rich Megginson rmegg...@redhat.com wrote: Not necessarily. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html#requiring-secure-connections

Re: [Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Vangass
Yes, I saw that discussion but there is no solution. So how to create compat tree? In my ldap there is something like uid=bartosz,cn=users,cn=compat,dc=example,dc=com - but it is still with uid. PS. I have fresh installation CentOS 7.1 and IPA 4.1. 2015-05-18 16:03 GMT+02:00 Rob Crittenden

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy
On Mon, 18 May 2015, Nathaniel McCallum wrote: On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Janelle wrote: On 5/10/15 11:57 PM, Alexander Bokovoy wrote: On Sun, 10 May 2015, Janelle wrote: On 5/5/15 6:47 AM, Dmitri Pal wrote: On 05/04/2015 09:38 PM,

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle
Ok, let me ask this a different way, because maybe there is a way, and I am just not seeing it. I have 2 datacenters with typical bastions in each. I have enabled OTP and that works fine via ssh. But the user has to login to both and opening ssh tunnels is problematic at best. Using all the

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote: Ok, let me ask this a different way, because maybe there is a way, and I am just not seeing it. I have 2 datacenters with typical bastions in each. I have enabled OTP and that works fine via ssh. But the user has to login to both and

Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Martin Kosek
On 05/18/2015 04:50 PM, Andy Thompson wrote: -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Monday, May 18, 2015 10:33 AM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trusted user groups On (18/05/15 13:55), Andy Thompson

Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Janelle
On May 18, 2015, at 04:31, Martin Kosek mko...@redhat.com wrote: On 05/18/2015 01:49 AM, Janelle wrote: On 4/28/15 6:44 AM, Nathaniel McCallum wrote: On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: On 4/17/15 5:59 PM, Dmitri Pal wrote: On 04/17/2015 08:07 PM, Janelle wrote: On

Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 07:59 -0500, Janelle wrote: On May 18, 2015, at 04:31, Martin Kosek mko...@redhat.com wrote: On 05/18/2015 01:49 AM, Janelle wrote: On 4/28/15 6:44 AM, Nathaniel McCallum wrote: On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: On 4/17/15 5:59 PM,

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 17:18 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Nathaniel McCallum wrote: On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Janelle wrote: On 5/10/15 11:57 PM, Alexander Bokovoy wrote: On Sun, 10 May 2015, Janelle

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy
On Mon, 18 May 2015, Nathaniel McCallum wrote: On Mon, 2015-05-18 at 17:18 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Nathaniel McCallum wrote: On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Janelle wrote: On 5/10/15 11:57 PM, Alexander Bokovoy

Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Lukas Slebodnik
On (18/05/15 13:55), Andy Thompson wrote: -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Thursday, May 14, 2015 4:41 PM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trusted user groups On (14/05/15 15:53), Andy Thompson

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-18 Thread Rich Megginson
On 05/16/2015 04:06 PM, Nathan Peters wrote: I have updated the bug report you filed below. The issue was that the instructions would only work in Windows Server 2003 because My Network Places was removed in 2008 and above. Since the manual clearly states that the AD sync is to be performed

Re: [Freeipa-users] AD-trust and external DNS

2015-05-18 Thread Baird, Josh
You should add your IPA zone as a slave on your 'external' DNS servers so they are able to resolve the IPA zone. Josh From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden Sent: Monday, May 18, 2015 10:10 AM To: Freeipa-users Subject:

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Martin Kosek
Adding freeipa-users list back, to keep others in the loop. On 05/18/2015 12:32 PM, Brian Topping wrote: Thanks for taking the time to write that, Martin. It's good to have a reference to build from. Result of ida-client-install outside the firewall with port 636 accessible: Ah, I mostly

Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Andy Thompson
-Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Monday, May 18, 2015 10:33 AM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trusted user groups On (18/05/15 13:55), Andy Thompson wrote: -Original Message- From:

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Rich Megginson
On 05/18/2015 08:26 AM, Martin Kosek wrote: Adding freeipa-users list back, to keep others in the loop. On 05/18/2015 12:32 PM, Brian Topping wrote: Thanks for taking the time to write that, Martin. It's good to have a reference to build from. Result of ida-client-install outside the

Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot

2015-05-18 Thread Sina Owolabi
Hi Martin And thanks for getting back, greatly appreciated. I tore down the replica and reinstalled from scratch, using an old replica-info file I had on the primary. I'm not sure if this is a good thing to do, but I would appreciate if you could point me to the logs you'd be interested in seeing.

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy
On Mon, 18 May 2015, Janelle wrote: On 5/10/15 11:57 PM, Alexander Bokovoy wrote: On Sun, 10 May 2015, Janelle wrote: On 5/5/15 6:47 AM, Dmitri Pal wrote: On 05/04/2015 09:38 PM, Janelle wrote: On 5/4/15 6:06 PM, Nathaniel McCallum wrote: On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Re: [Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Rob Crittenden
Vangass wrote: Hi, I try to set FreeIPA as a LDAP server for HP iLO authentication. iLO client sends dn as cn=bartosz,cn=users,cn=accounts,dc=example,dc=com but in FreeIPA there is no cn=bartosz just uid=bartosz (as for any other user I create is uid). Is it possible to modify uid to cn or is

[Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Vangass
Hi, I try to set FreeIPA as a LDAP server for HP iLO authentication. iLO client sends dn as cn=bartosz,cn=users,cn=accounts,dc=example,dc=com but in FreeIPA there is no cn=bartosz just uid=bartosz (as for any other user I create is uid). Is it possible to modify uid to cn or is there any other

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Sina Owolabi
Yes CA is running, and it's on the same machine. [root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40 Directory Manager (existing master) password: Preparing replica for dc01.ourdom.com from dc.ourdom.com Creating SSL certificate for the Directory Server Certificate

Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Andy Thompson
-Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Thursday, May 14, 2015 4:41 PM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trusted user groups On (14/05/15 15:53), Andy Thompson wrote: -Original Message- From:

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote: On Mon, 18 May 2015, Janelle wrote: On 5/10/15 11:57 PM, Alexander Bokovoy wrote: On Sun, 10 May 2015, Janelle wrote: On 5/5/15 6:47 AM, Dmitri Pal wrote: On 05/04/2015 09:38 PM, Janelle wrote: On 5/4/15 6:06 PM,

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden
Sina Owolabi wrote: Yes CA is running, and it's on the same machine. [root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40 Directory Manager (existing master) password: Preparing replica for dc01.ourdom.com from

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-18 Thread thierry bordaz
On 05/15/2015 05:11 PM, James James wrote: ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7. Hi James, Unfortunately there is no workaround. This is a timing issue mostly seen when the master is more powerful than the consumer. If you are using VM you may try to get

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle
On 5/10/15 11:57 PM, Alexander Bokovoy wrote: On Sun, 10 May 2015, Janelle wrote: On 5/5/15 6:47 AM, Dmitri Pal wrote: On 05/04/2015 09:38 PM, Janelle wrote: On 5/4/15 6:06 PM, Nathaniel McCallum wrote: On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote: Happy Star Wars Day! May the Fourth be

Re: [Freeipa-users] host usercertificate attribute

2015-05-18 Thread Rob Crittenden
Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? maybe there

[Freeipa-users] AD-trust and external DNS

2015-05-18 Thread Winfried de Heiden
Hi all, Creating an AD-trust works nicely. However, for some customers both AD and IPA don't have DNS "for their own"; they use external DNS (Infoblox for example). Now, is it possible to create an AD trust without a built-in (bind)

Re: [Freeipa-users] username case sensitivity

2015-05-18 Thread Jakub Hrozek
On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Jakub Hrozek Sent: Sunday, May 17, 2015 5:23 PM To: freeipa-users@redhat.com Subject: Re:

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden
Sina Owolabi wrote: Hi Rob There are some logs in /var/log/pki-ca/catalina.out that appear to indicate a problem: [SNIP] These are mostly white noise from tomcat and can be ignored. Also running getcert list tells me there are two expired certs: Request ID '20130524104636':

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Rob Crittenden
Rich Megginson wrote: On 05/18/2015 08:26 AM, Martin Kosek wrote: Adding freeipa-users list back, to keep others in the loop. On 05/18/2015 12:32 PM, Brian Topping wrote: Thanks for taking the time to write that, Martin. It's good to have a reference to build from. Result of

Re: [Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Rob Crittenden
Vangass wrote: Yes, I saw that discussion but there is no solution. So how to create compat tree? In my ldap there is something like uid=bartosz,cn=users,cn=compat,dc=example,dc=com - but it is still with uid. PS. I have fresh installation CentOS 7.1 and IPA 4.1. Take a look at

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Sina Owolabi
Hi Rob There are some logs in /var/log/pki-ca/catalina.out that appear to indicate a problem: CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle
On May 18, 2015, at 09:47, Nathaniel McCallum npmccal...@redhat.com wrote: On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote: Ok, let me ask this a different way, because maybe there is a way, and I am just not seeing it. I have 2 datacenters with typical bastions in each. I have enabled

[Freeipa-users] Apache htaccess replacement

2015-05-18 Thread thewebbie
Hello I have been attempting to use my 4.1.4 FreeIPA server to authenticate folders on a web server as a replacement for the normal htaccess feature. I do require group authentication. I have tried just about every online example and have only been able to get basic ldap and basic Kerberos

Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle
On 5/18/15 7:47 AM, Nathaniel McCallum wrote: On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote: Ok, let me ask this a different way, because maybe there is a way, and I am just not seeing it. I have 2 datacenters with typical bastions in each. I have enabled OTP and that works fine via ssh.

[Freeipa-users] replication again :-(

2015-05-18 Thread Janelle
Once again, replication/sync has been lost. I really wish the product was more stable, it has so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users changing passwords) and again, 5 out of 16 servers are no longer in sync. I can test it

Re: [Freeipa-users] replication again :-(

2015-05-18 Thread Janelle
On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it has so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users changing passwords) and again, 5 out of 16 servers

[Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-18 Thread Dewangga Bachrul Alam
Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server is still in development and always reinstalled, I need to reproduce any possible problem/error on FreeIPA 4.x on CentOS 7. The error was :

Re: [Freeipa-users] replication again :-(

2015-05-18 Thread Martin Kosek
On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it has so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users changing passwords) and again, 5 out of 16 servers

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-18 Thread Martin Kosek
On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server is still in development and always reinstalled, I need to reproduce any possible

Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot

2015-05-18 Thread Martin Kosek
On 05/16/2015 12:19 PM, Sina Owolabi wrote: Please help me. I am in dire straits, this is the linchpin of our network and we are suffering. I am sorry for the delay in answering, but not many people here show up on the weekend. Comments below. On Sat, May 16, 2015 at 6:00 AM, Sina Owolabi

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Martin Kosek
On 05/16/2015 12:18 PM, Sina Owolabi wrote: Hi Group, I'm attempting again to rebuild and reinstall a troublesome replica. I have two freshly upgraded RHEL6.6 IdM servers. Problem is when I try to run createreplica I have this output: ipa-replica-prepare services01.ours.com

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Martin Kosek
On 05/15/2015 01:33 PM, Brian Topping wrote: In the (apparently) first message to the list in 2014, https://www.redhat.com/archives/freeipa-users/2014-January/msg0.html addressed questions about securing IPA and I

Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Martin Kosek
On 05/18/2015 01:49 AM, Janelle wrote: On 4/28/15 6:44 AM, Nathaniel McCallum wrote: On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: On 4/17/15 5:59 PM, Dmitri Pal wrote: On 04/17/2015 08:07 PM, Janelle wrote: On Apr 17, 2015, at 16:36, Dmitri Pal d...@redhat.com wrote: snip for

Re: [Freeipa-users] username case sensitivity

2015-05-18 Thread Andy Thompson
-Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Monday, May 18, 2015 4:07 AM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] username case sensitivity On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote: