Re: [Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Rob Crittenden
Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin= --http_pkcs12=nwra.com.p12 --http_pin= --idstart=8000 But now when

[Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Orion Poplawski
We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin= --http_pkcs12=nwra.com.p12 --http_pin= --idstart=8000 But now when we try to setup a

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Timothy Worman
On May 28, 2015, at 12:26 PM, Martin Kosek mko...@redhat.com wrote: On 05/28/2015 07:10 PM, Timothy Worman wrote: On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote:

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, Martin Kosek wrote: On 05/28/2015 07:10 PM, Timothy Worman wrote: On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM,

Re: [Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Orion Poplawski
On 05/28/2015 03:09 PM, Rob Crittenden wrote: Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Timothy Worman
On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone for the input. I do agree that I don’t like the

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Martin Kosek
On 05/28/2015 07:10 PM, Timothy Worman wrote: On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone for the

Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.

2015-05-28 Thread Carlos Raúl Laguna
Thanks for the clarifications, one more question: does FreeIPA support partial or fractional replication? Regards 2015-05-28 0:25 GMT-04:00 Alexander Bokovoy aboko...@redhat.com: On Wed, 27 May 2015, Carlos Raúl Laguna wrote: Hello Martin, Alexander, it seems that the time shift is large

[Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-28 Thread David Lin
Hi, when I try to add multiple hosts on the web UI, when I go to the host tab I get "Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format." What does this mean? On one of the hosts, I do notice that when I do ipa host-show there

Re: [Freeipa-users] Installation on CentOS 6.6 with DNS

2015-05-28 Thread Petr Spacek
Hello, I think that this is more related to the LDAP server than to the DNS server. Could you check the system logs (journalctl or /var/log/messages) to see if the ns-slapd process crashed or something like that? Petr^2 Spacek On 27.5.2015 12:13, Ricardo Oliveira wrote: Hi, Thanks for your reply. The host is

Re: [Freeipa-users] dereference processing failed : Invalid argument

2015-05-28 Thread Lukas Slebodnik
On (27/05/15 14:22), nat...@nathanpeters.com wrote: I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when one of my FreeIPA users tries to sudo (he has permissions via group membership) I get the following error in /var/log/messages May 27 20:51:34 ipaclient

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
Hello Alexander, cleanallruv can hang doing the cleanup (depending on task options and on whether replicas are reachable). Did you try using CLEANRUV, which is a more basic tool but should not fail to do the cleanup? Before using cleanruv, you need to abort all pending cleanallruv tasks. Then for

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
On 05/28/2015 09:33 AM, Alexander Frolushkin wrote: Hello! Thank you for this info. Things seem to be complicated for now... We have this: unable to decode: {replica 16} 548a81260010 548a81260010 on all of our 17 servers. After launching cleanallruv it disappeared from

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread Alexander Frolushkin
Hello! Thank you for this info. Things seem to be complicated for now... We have this: unable to decode: {replica 16} 548a81260010 548a81260010 on all of our 17 servers. After launching cleanallruv it disappeared from 16 servers and one server hangs (any requests

Re: [Freeipa-users] dereference processing failed : Invalid argument

2015-05-28 Thread Jakub Hrozek
On Wed, May 27, 2015 at 04:27:45PM -0700, nat...@nathanpeters.com wrote: I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when one of my FreeIPA users tries to sudo (he has permissions via group membership) I get the following error in /var/log/messages May 27

[Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin
Hi, I am trying to migrate from OpenLDAP to FreeIPA. Everything seems to be working except the password. I understand that when migrating from OpenLDAP, the hashed form of the passwords is migrated, but a Kerberos hash is not generated until the user logs in using sssd or through the

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
On 05/28/2015 12:36 PM, Alexander Frolushkin wrote: Thank you again, Red Hat support directed me to do exactly the same. This removed my unable to decode: {replica 16} 548a81260010 548a81260010 from the rest of servers. I will check again tomorrow all our servers for this :)

Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin
Hum, it seems like the migrated users do not have the userPassword attribute. Is there any way to fix this? Thanks! David On 05/28/2015 03:13 AM, Martin Kosek wrote: On 05/28/2015 11:47 AM, David Lin wrote: Hi, I am trying to migrate from OpenLDAP to FreeIPA. Everything seems to be working except the

Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread Alexander Bokovoy
On Thu, 28 May 2015, David Lin wrote: Hum, it seems like the migrated users do not have the userPassword attribute. Is there any way to fix this? Did you actually have access to the userPassword attribute in OpenLDAP when the migrate-ds command was running? This is all described in the 'ipa migrate-ds

Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread David Lin
Thanks, that seemed to fix it. David On 05/28/2015 03:31 AM, Alexander Bokovoy wrote: On Thu, 28 May 2015, David Lin wrote: Hum, it seems like the migrated users do not have the userPassword attribute. Is there any way to fix this? Did you actually have access to the userPassword attribute in

Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:47 AM, David Lin wrote: Hi, I am trying to migrate from OpenLDAP to FreeIPA. Everything seems to be working except the password. I understand that when migrating from OpenLDAP, the hashed form of the passwords is migrated, but a Kerberos hash is not generated until the

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread Alexander Frolushkin
Thank you again, Red Hat support directed me to do exactly the same. This removed my unable to decode: {replica 16} 548a81260010 548a81260010 from the rest of the servers. I will check all our servers again tomorrow for this :) Well, I'm not the only person who has privileges on our

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread Alexander Frolushkin
Unfortunately, after a couple of minutes, on two of three servers the error comes back in a slightly changed form: # ipa-replica-manage list-ruv unable to decode: {replica 16} Before cleanruv it looked like: # ipa-replica-manage list-ruv unable to decode: {replica 16} 548a81260010

[Freeipa-users] Sensible defaults for a new major SSSD release

2015-05-28 Thread Pavel Reichl
Hello, as part of the solution for https://fedorahosted.org/sssd/ticket/2583 ([RFE] Homedir is always overwritten with subdomain_homedir value in server mode) we came to the conclusion that it would be a good thing for SSSD in IPA server mode to change the default value of subdomain_homedir from

[Freeipa-users] client fails to install from ipa-server-install or ipa-replica-install

2015-05-28 Thread Bob Hinton
Hello, I'm using Puppet to try to install ipa masters and replicas. I can generally get this to work on Vagrant VMs, but on the target VMs the server part succeeds until it attempts to install the ipa client and then this fails (please see extracts of logs below). The /etc/ipa/nssdb directory is

Re: [Freeipa-users] client fails to install from ipa-server-install or ipa-replica-install

2015-05-28 Thread Rob Crittenden
Bob Hinton wrote: Hello, I'm using Puppet to try to install ipa masters and replicas. I can generally get this to work on Vagrant VMs, but on the target VMs the server part succeeds until it attempts to install the ipa client and then this fails (please see extracts of logs below). The

Re: [Freeipa-users] Sensible defaults for a new major SSSD release

2015-05-28 Thread Jakub Hrozek
On Thu, May 28, 2015 at 01:52:30PM +0200, Pavel Reichl wrote: Hello, as part of the solution for https://fedorahosted.org/sssd/ticket/2583 ([RFE] Homedir is always overwritten with subdomain_homedir value in server mode) we came to the conclusion that it would be a good thing for SSSD in IPA

Re: [Freeipa-users] OTP vs VPN

2015-05-28 Thread Bendl, Kurt
There is no way to define per-service target 2FA yet in FreeIPA. Oh, man... there you go using the yet word! ;-) Thanks to you and Ben for the ideas. I'll hack around to see what makes sense. Thanks, Kurt On 5/27/15, 12:33 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 27 May