Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Alexander Bokovoy
On Wed, 27 May 2015, Martin Kosek wrote: On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some Kolab LDAP-specific attributes to work properly. This is not a problem in

[Freeipa-users] free ipa cluster replication features

2015-05-27 Thread barrykfl
Hi all; I have 2 FreeIPA in same cluster. If a node1 fail stop... I found the connection of their replication stop after node1 fail. Now I directly input to the node 2 new accounts, will these new accounts sync back when node 1 start up again? My issue is that it seem no. Regards Barry --

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Martin Kosek
On 05/27/2015 10:08 AM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Martin Kosek wrote: On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some Kolab LDAP-specific

Re: [Freeipa-users] Installation on CentOS 6.6 with DNS

2015-05-27 Thread Ricardo Oliveira
Hi, Thanks for your reply. The host is indeed in the hosts file, and even in the DNS server's mydomain.com zone and reverse zone, which is a local Bind instance which is the one I expect IPA to manage once the setup is complete. In fact, if both DNS and reverse DNS resolution are not

Re: [Freeipa-users] FreeIPA 3.3.3 backup and restore

2015-05-27 Thread Thomas Lau
CentOS Linux release 7.0.1406 (Core) - this is the version we are using now. On Wed, May 27, 2015 at 5:54 PM, Martin Kosek mko...@redhat.com wrote: On 05/27/2015 04:14 AM, Thomas Lau wrote: Hi All, I was reading this page but seems very confusing:

Re: [Freeipa-users] free ipa cluster replication features

2015-05-27 Thread Martin Kosek
On 05/27/2015 10:30 AM, barry...@gmail.com wrote: Hi all; I have 2 FreeIPA in same cluster. If a node1 fail stop... I found the connection of their replication stop after node1 fail. Now I directly input to the node 2 new accounts, will these new accounts sync back when node 1 start up

Re: [Freeipa-users] FreeIPA 3.3.3 backup and restore

2015-05-27 Thread Martin Kosek
On 05/27/2015 04:14 AM, Thomas Lau wrote: Hi All, I was reading this page but seems very confusing: https://www.freeipa.org/page/V3/Backup_and_Restore#Data_Backup_.26_Restore_Process_.28online.29 We also have this: https://www.freeipa.org/page/Backup_and_Restore ipa-backup and ipa-restore

Re: [Freeipa-users] FreeIPA 3.3.3 backup and restore

2015-05-27 Thread Martin Kosek
Ok. If you upgrade to CentOS 7.1/FreeIPA 4.1+, you will have the command available. On 05/27/2015 12:16 PM, Thomas Lau wrote: CentOS Linux release 7.0.1406 (Core) - this is the version we are using now. On Wed, May 27, 2015 at 5:54 PM, Martin Kosek mko...@redhat.com wrote: On 05/27/2015

Re: [Freeipa-users] Haunted servers?

2015-05-27 Thread Alexander Frolushkin
For common information - we also have a ghost replica id: unable to decode: {replica 16} 548a81260010 548a81260010 and trying to get it away with help of Red Hat support, but at this point - no luck... WBR, Alexander Frolushkin -Original Message- From:

[Freeipa-users] replication on Debian and Ubuntu

2015-05-27 Thread Holger Levsen
Hi, first of all: thanks for FreeIPA, I think it's pretty useful, well done and was missing for a long time. IOW: I really like it, thank you for your work! That, I'm having a serious problem with it: replication on Debian doesn't work at all. Which is partly expected (as Debian uses openldap

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Alexander Bokovoy
On Wed, 27 May 2015, Martin Kosek wrote: On 05/27/2015 10:08 AM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Martin Kosek wrote: On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend

Re: [Freeipa-users] replication on Debian and Ubuntu

2015-05-27 Thread Rob Crittenden
Holger Levsen wrote: Hi, first of all: thanks for FreeIPA, I think it's pretty useful, well done and was missing for a long time. IOW: I really like it, thank you for your work! That, I'm having a serious problem with it: replication on Debian doesn't work at all. Which is partly expected (as

Re: [Freeipa-users] replication on Debian and Ubuntu

2015-05-27 Thread Holger Levsen
Hi Rob, On Wednesday, 27 May 2015, Rob Crittenden wrote: You need to resolve this error: TLS: could not initialize moznss PEM module - error -5977:Failure to load dynamic library. thanks! I suspected that but it's great to have that confirmed. Without this you have no SSL in openldap,

Re: [Freeipa-users] Web interface session timeout

2015-05-27 Thread Leszek Miś
Thank you! I didn't find it in documentation, could be useful information for someone. 2015-05-26 13:17 GMT+02:00 Petr Vobornik pvobo...@redhat.com: On 05/25/2015 09:54 AM, crony wrote: Hi All, Is there any way we can change web interface session timeout? I am using form based auth. /lm

[Freeipa-users] OTP vs VPN

2015-05-27 Thread Bendl, Kurt
Hi, I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app. My (not completely baked) thought is to provision the VPN

Re: [Freeipa-users] OTP vs VPN

2015-05-27 Thread Benjamen Keroack
We've found it easier to integrate a 2FA solution into OpenVPN and local login separately. If you go with a solution that works with PAM, setting it up with OpenVPN Access Server (the commercial product) and local login (FreeIPA-backed) is pretty straightforward. The only thing it won't protect is

Re: [Freeipa-users] OTP vs VPN

2015-05-27 Thread Alexander Bokovoy
On Wed, 27 May 2015, Bendl, Kurt wrote: Hi, I want to know if I can configure FreeIPA's native OTP solution to require an account to use OTP when authenticating from a specific app (OpenVPN or StrongSwan) but not require 2FA when logging into a system/server or the IPA app. My (not completely

[Freeipa-users] dereference processing failed : Invalid argument

2015-05-27 Thread nathan
I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when one of my FreeIPA users tries to sudo (he has permissions via group membership) I get the following error in /var/log/messages May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing failed : Invalid

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-27 Thread Lukas Slebodnik
On (25/05/15 10:00), Bob Hinton wrote: Hi Martin, Yes. This fixes the problem on a newly recreated ipamaster - it didn't work on the one I'd been playing around with. So the complete rebuild sequence was... 1) On old ipamaster VM ipa004 (did this on 22/05/2015) login as an admin user with

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Carlos Raúl Laguna
Hello Martin, Alexander. Seems that the time shift is large between us. If I understand correctly, compat tree will allow me to see all users, regardless of their location, Windows or FreeIPA; however the Kolab-specific attribute must come from FreeIPA and Windows AD where the users' entries lie. This

Re: [Freeipa-users] dereference processing failed : Invalid argument

2015-05-27 Thread nathan
I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when one of my FreeIPA users tries to sudo (he has permissions via group membership) I get the following error in /var/log/messages May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing failed : Invalid

[Freeipa-users] Reply: Re: Haunted servers?

2015-05-27 Thread Christoph Kaminski
After spending well over 2 days trying to clean things -- I am now here: CLEANALLRUV tasks RID 16 Not all replicas finished cleaning, retrying in 14400 seconds RID 19 None RID 22 None What is going on here? All the same data still exists as shown above in the original thread, but

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Alexander Bokovoy
On Wed, 27 May 2015, Carlos Raúl Laguna wrote: Hello Martin, Alexander. Seems that the time shift is large between us. If I understand correctly, compat tree will allow me to see all users, regardless of their location, Windows or FreeIPA; however the Kolab-specific attribute must come from FreeIPA

Re: [Freeipa-users] Haunted servers?

2015-05-27 Thread Janelle
On 5/26/15 7:04 AM, thierry bordaz wrote: On 05/26/2015 08:47 AM, Martin Kosek wrote: On 05/26/2015 12:20 AM, Janelle wrote: On 5/24/15 3:12 AM, Janelle wrote: And just like that, my haunted servers have all returned. I am going to just put a gun to my head and be done with it. :-( Why do

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-27 Thread Sanju A
Hi Rob, ipactl status is up and the flag is also in the correct state. However I have restarted pki-cad and the issue got fixed. Thanks for your help in fixing the issue. Regards Sanju Abraham From: Rob Crittenden rcrit...@redhat.com To: Sanju A sanj...@tcs.com Cc:

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-27 Thread Martin Kosek
On 05/27/2015 08:04 AM, Lukas Slebodnik wrote: On (25/05/15 10:00), Bob Hinton wrote: Hi Martin, Yes. This fixes the problem on a newly recreated ipamaster - it didn't work on the one I'd been playing around with. So the complete rebuild sequence was... 1) On old ipamaster VM ipa004 (did

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-27 Thread Martin Kosek
On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment is a groupware, in this scenario Kolab. Kolab uses 389 ad as main backend and it requires some Kolab LDAP-specific attributes to work properly. This is not a problem, in fact it is quite easy to use FreeIPA as