Re: [Freeipa-users] compat settings

2015-05-21 Thread Alexander Bokovoy
On Thu, 21 May 2015, Rudolf Gabler wrote: Hi to whom it may concern, we have used for many years a 2-location policy to separate email users from unix users in order not to use the same passwords. So we had 2 trees in our LDAP with the same user but different passwords. In freeipa (where we want

Re: [Freeipa-users] ruv problem

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 09:50 AM, Alexander Frolushkin wrote: Thank you. Do I need to run this on each of my 17 IPA servers in the unix domain? no, the cleanallruv task should be propagated to all servers to which a repl agreement exists WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764

Re: [Freeipa-users] ruv problem

2015-05-21 Thread Ludwig Krispenz
could you try this: https://www.redhat.com/archives/freeipa-users/2015-May/msg00062.html it was successfully applied before On 05/21/2015 06:58 AM, Alexander Frolushkin wrote: Hello again. Is it now clear how to deal with problem ipa-replica-manage list-ruv showing unable to decode:

Re: [Freeipa-users] ruv problem

2015-05-21 Thread Alexander Frolushkin
Thank you. Do I need to run this on each of my 17 IPA servers in the unix domain? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Thursday, May 21, 2015 1:37 PM To:

[Freeipa-users] compat settings

2015-05-21 Thread Rudolf Gabler
Hi to whom it may concern, we have used for many years a 2-location policy to separate email users from unix users in order not to use the same passwords. So we had 2 trees in our LDAP with the same user but different passwords. In freeipa (where we want to migrate now) I can use the accounts

Re: [Freeipa-users] confused by ldapsearch results

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 07:50 AM, Martin Kosek wrote: On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote: This worked for me: $ ldapsearch -LLL -Y GSSAPI -b "cn=users,cn=accounts,dc=example,dc=cm" "(|(uid=admin)(name=admin))" dn SASL/GSSAPI authentication started SASL username:

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/20/15 7:53 AM, Mark Reynolds wrote: On 05/20/2015 10:17 AM, thierry bordaz wrote: On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote:

Re: [Freeipa-users] confused by ldapsearch results

2015-05-21 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
Knowing that the first issue is 'working as designed', I can now focus on exactly how to fix it. In my case, the issue is that a vendor's code is appending name=... to its search filter to find a user group. Thanks, I can troubleshoot the second issue, it isn't a roadblock to my task. On

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 5:20 AM, thierry bordaz wrote: Hello Janelle, Those 3 RIDs were already present in Node dc2-ipa1, correct? They reappeared on other nodes as well? Maybe ds2-ipa1 established a replication session with its peers and sent those RIDs. Could you track in all the access logs, when

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Rich Megginson
On 05/21/2015 06:25 AM, Janelle wrote: On 5/21/15 5:20 AM, thierry bordaz wrote: Hello Janelle, Those 3 RIDs were already present in Node dc2-ipa1, correct? They reappeared on other nodes as well? Maybe ds2-ipa1 established a replication session with its peers and sent those RIDs. Could

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 03:04 PM, Janelle wrote: On 5/21/15 5:49 AM, Rich Megginson wrote: On 05/21/2015 06:25 AM, Janelle wrote: On 5/21/15 5:20 AM, thierry bordaz wrote: Hello Janelle, Those 3 RIDs were already present in Node dc2-ipa1, correct? They reappeared on other nodes as well? Maybe

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 5:49 AM, Rich Megginson wrote: On 05/21/2015 06:25 AM, Janelle wrote: On 5/21/15 5:20 AM, thierry bordaz wrote: Hello Janelle, Those 3 RIDs were already present in Node dc2-ipa1, correct? They reappeared on other nodes as well? Maybe ds2-ipa1 established a replication session

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 01:36 PM, Janelle wrote: And just like that - for no reason, they all reappeared: unable to decode {replica 16} 5535647200030010 5535647200030010 unable to decode {replica 23} 5545d61f00020017 5552f71800030017 unable to decode {replica 24} 554d53d30018
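The "unable to decode {replica N}" lines above are the RIDs that `ipa-replica-manage clean-ruv` has to be pointed at, and as Ludwig notes earlier in the thread the CLEANALLRUV task only needs to be started once, on one server, because it propagates along the replication agreements. The following is an added example, not code from the thread or from FreeIPA: it parses `list-ruv` output into live and undecodable RIDs, also flags decodable RIDs whose host is no longer part of the topology (the "lone replica" case Janelle describes later), and emits the corresponding `clean-ruv` commands. The three undecodable lines are taken from Janelle's output; the host lines, their `host:port: rid` layout, and the host names are constructed for illustration and are assumptions.

```python
import re

# Constructed sample in the shape of `ipa-replica-manage list-ruv` output.
# The "unable to decode" lines are from the thread; the decodable
# "host:port: rid" lines and their exact layout are assumptions.
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tipa1.example.test:389: 4
\tipa2.example.test:389: 5
unable to decode {replica 16} 5535647200030010 5535647200030010
unable to decode {replica 23} 5545d61f00020017 5552f71800030017
unable to decode {replica 24} 554d53d30018
"""

HOST_RE = re.compile(r'^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s+(?P<rid>\d+)\s*$')
UNDECODABLE_RE = re.compile(r'unable to decode\s*\{replica\s+(?P<rid>\d+)\}')


def parse_list_ruv(text):
    """Split list-ruv output into (live, stale).

    live  maps RID -> host for entries the tool could decode.
    stale is the sorted list of RIDs whose RUV element could not be decoded;
          these belong to replicas whose data is gone but whose RUV entry
          still circulates between the remaining servers.
    """
    live, stale = {}, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            live[int(m.group('rid'))] = m.group('host')
            continue
        m = UNDECODABLE_RE.search(line)
        if m:
            stale.append(int(m.group('rid')))
    return live, sorted(set(stale))


def stale_rids(text, known_hosts):
    """RIDs that should be cleaned: the undecodable ones, plus decodable ones
    whose host is not in the current set of servers (a replica that was
    rebuilt or retired without ipa-replica-manage del, for example)."""
    live, stale = parse_list_ruv(text)
    orphaned = [rid for rid, host in live.items() if host not in known_hosts]
    return sorted(set(stale) | set(orphaned))


def clean_ruv_commands(text, known_hosts):
    """One `ipa-replica-manage clean-ruv RID` per stale RID. Run the list on
    a single server only; the CLEANALLRUV task it starts is propagated to
    every server reachable over a replication agreement."""
    return ["ipa-replica-manage clean-ruv %d" % rid
            for rid in stale_rids(text, known_hosts)]


if __name__ == "__main__":
    current = {"ipa1.example.test", "ipa2.example.test"}
    for cmd in clean_ruv_commands(SAMPLE_LIST_RUV, current):
        print(cmd)
```

Before running the emitted commands, check that none of the RIDs belongs to a server that is merely unreachable rather than gone: cleaning the RUV of a replica that later reconnects is exactly how the entries "reappear", as the rest of this thread shows.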

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 5:20 AM, thierry bordaz wrote: On 05/21/2015 01:36 PM, Janelle wrote: On 5/20/15 7:53 AM, Mark Reynolds wrote: On 05/20/2015 10:17 AM, thierry bordaz wrote: On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote:

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 5:16 AM, Ludwig Krispenz wrote: On 05/21/2015 01:36 PM, Janelle wrote: And just like that - for no reason, they all reappeared: unable to decode {replica 16} 5535647200030010 5535647200030010 unable to decode {replica 23} 5545d61f00020017 5552f71800030017 unable

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread thierry bordaz
On 05/21/2015 01:36 PM, Janelle wrote: On 5/20/15 7:53 AM, Mark Reynolds wrote: On 05/20/2015 10:17 AM, thierry bordaz wrote: On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote:

Re: [Freeipa-users] Updates refused when trying to do dynamic DNS updates with TSIG

2015-05-21 Thread Petr Spacek
On 20.5.2015 17:38, Brian Koontz wrote: Running FreeIPA 4.1.4, Fedora 21. Trying to get dynamic DNS updates on clients to work following these instructions: http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG (Using GSS-TSIG isn't an option because I have no way of

[Freeipa-users] Count of IPA Servers for SSSD

2015-05-21 Thread Christoph Kaminski
Hi All, what count of IPA servers makes sense for the sssd configuration? We have 5 IPA servers and each host can reach them. Can I put them all into the sssd configuration (redundancy) or does it not make sense (timeouts too big etc)? MfG Christoph Kaminski

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 03:59 PM, Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the

Re: [Freeipa-users] Count of IPA Servers for SSSD

2015-05-21 Thread Rob Crittenden
Christoph Kaminski wrote: Hi All, what count of IPA servers makes sense for the sssd configuration? We have 5 IPA servers and each host can reach them. Can I put them all into the sssd configuration (redundancy) or does it not make sense (timeouts too big etc)? The recommended procedure is to use

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Mark Reynolds
On 05/21/2015 09:15 AM, Ludwig Krispenz wrote: On 05/21/2015 03:04 PM, Janelle wrote: On 5/21/15 5:49 AM, Rich Megginson wrote: On 05/21/2015 06:25 AM, Janelle wrote: On 5/21/15 5:20 AM, thierry bordaz wrote: Hello Janelle, Those 3 RIDs were already present in Node dc2-ipa1, correct?

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-21 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
Rob, Try adding the inetUser objectclass to your system account. You're probably lacking memberOf. Thanks, that worked. My last issue is to add read/search permission on the name attribute as the vendor doesn't offer a way to not include it in a search filter to find user groups. I was in

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Ludwig Krispenz
On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers, one of them was this server. Then the other 4 servers

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-21 Thread Rob Crittenden
Sanju A wrote: Dear Rob, Please find the result of getcert list. Request ID '20140430124456': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers, one of them

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers, one of them

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers, one of them was this server. Then the other 4 servers were RE-BUILT from scratch, so all the

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Rob Crittenden
Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers,

[Freeipa-users] User Can't Authenticate

2015-05-21 Thread John Williams
I've got a freeIPA client where a user account cannot authenticate. The log entry for IPA looks like: audit/audit.log.4:type=USER_AUTH msg=audit(1425316592.375:38090): user pid=16485 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication

Re: [Freeipa-users] User Can't Authenticate

2015-05-21 Thread Dmitri Pal
On 05/21/2015 05:54 PM, John Williams wrote: I've got a freeIPA client where a user account cannot authenticate. The log entry for IPA looks like: audit/audit.log.4:type=USER_AUTH msg=audit(1425316592.375:38090): user pid=16485 uid=0 auid=4294967295 ses=4294967295

[Freeipa-users] disable unwanted kerberos encryption types

2015-05-21 Thread Andy Thompson
We have requirements to only allow AES encryption. I'm trying to understand what is the default and where everything comes in to play, the user tickets are AES when obtained using kinit, but the system keytab shows des3 and arcfour in addition to AES. So my questions are What is
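The question above is really two checks: which enctypes the KDC hands out for a principal, and which keys a keytab actually holds. `klist -ekt /etc/krb5.keytab` shows the latter, one line per key with the enctype in parentheses. Below is an added example, not code from the thread or from FreeIPA, that parses that output, reports every key outside the AES family, and lists the principals that need re-keying. The sample output is constructed: the principal names, timestamps and the exact column layout are assumptions, and the set of enctype names treated as AES is the one MIT klist prints.

```python
import re

# Constructed sample in the shape of `klist -ekt /etc/krb5.keytab` output.
# Principals, timestamps and column layout are assumptions; the mix of
# aes / des3 / arcfour keys mirrors what the question describes.
SAMPLE_KLIST_EKT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/21/2015 10:00:00 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 05/21/2015 10:00:00 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 05/21/2015 10:00:00 host/client.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 05/21/2015 10:00:00 host/client.example.test@EXAMPLE.TEST (arcfour-hmac)
   1 05/21/2015 10:00:00 nfs/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: kvno, two-token timestamp, principal, "(enctype)".
ENTRY_RE = re.compile(
    r'^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$')

# Enctype names as printed by MIT klist. Anything outside this set
# (des3-cbc-sha1, arcfour-hmac, single DES) is treated as non-compliant.
AES_ENCTYPES = frozenset({
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
})


def parse_klist_ekt(text):
    """Return a list of (kvno, principal, enctype) tuples, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group('kvno')), m.group('princ'), m.group('etype')))
    return entries


def weak_keys(entries, allowed=AES_ENCTYPES):
    """Keytab entries whose enctype is not in the allowed set."""
    return [e for e in entries if e[2] not in allowed]


def principals_needing_rekey(entries, allowed=AES_ENCTYPES):
    """Principals holding at least one non-allowed key.

    Deleting only the weak entries from the file (ktutil delent) is not enough:
    the KDC still has the matching keys. Re-fetching the keytab with
    `ipa-getkeytab -e <aes enctypes>` generates a new key set with only the
    requested enctypes and invalidates the old one on both sides.
    """
    return sorted({princ for _, princ, _ in weak_keys(entries, allowed)})


def is_aes_only(entries, allowed=AES_ENCTYPES):
    """True when every key in the parsed keytab uses an allowed enctype."""
    return not weak_keys(entries, allowed)


if __name__ == "__main__":
    parsed = parse_klist_ekt(SAMPLE_KLIST_EKT)
    for kvno, princ, etype in weak_keys(parsed):
        print("kvno %d %s: %s" % (kvno, princ, etype))
    print("re-key:", ", ".join(principals_needing_rekey(parsed)))
```

In a real audit the input is `subprocess.check_output(["klist", "-ekt", path])` rather than the embedded sample. Note that re-keying clients one by one only removes keys that already exist; which enctypes new principals get is decided on the server side, in the realm's `krbDefaultEncSaltTypes` and `krbSupportedEncSaltTypes` attributes under `cn=REALM,cn=kerberos,<suffix>`, so those have to be trimmed as well or the next `ipa-getkeytab` without `-e` brings des3 and arcfour back.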

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Janelle
On 5/21/15 8:12 AM, Ludwig Krispenz wrote: On 05/21/2015 03:59 PM, Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Mark Reynolds
On 05/21/2015 09:59 AM, Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the