Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Now all is ok :) # ipa trust-add --type=ad mydomain.com --admin Administrator --password Active Directory domain administrator's password: --- Added Active Directory trust for realm "mydomain.com"

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Martin Basti
On 09/09/2015 06:32 PM, Thomas Suiter wrote: Is there an equivalent host/computer default objectclasses that there is for ipa config-mod –groupobjectclasses/--userobjectclasses ? We are wanting to add some additional attributes to all of the servers, I’m able to add the object class to

Re: [Freeipa-users] attempting to restore IPA

2015-09-10 Thread David Kupka
Hello Steven! I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following: 1.

[Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
OS: RHEL 7.1 w IDM I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
Thanks. I'm not virtualizing though. Should I still add it ? On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote: > Hi, > > I assume you are virtualising. > > Try adding "tinker panic 0" to /etc/ntp.conf. > > It should make it tolerant to heavily drifting virtual

[Freeipa-users] DNS Server

2015-09-10 Thread Günther J . Niederwimmer
Hello, what is the best way to include a external Nameserver for a IPA Host? My DNS (DNSSEC) server is running on a extra Instance (KVM) now I have setup a extra Instance for a IPA Master Server and I have now to include the CNAMe Server like "smtp.example.com CNAME imap.example.com" or cvan I

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
Hi, I assume you are virtualising. Try adding "tinker panic 0" to /etc/ntp.conf. It should make it tolerant to heavily drifting virtual clocks. Cheers, Andrew On 10 September 2015 at 13:46, Prasun Gera wrote: > OS: RHEL 7.1 w IDM > > I'm seeing these messages in my

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Rob Crittenden
Thomas Suiter wrote: > Is there an equivalent host/computer default objectclasses that there is > for ipa config-mod –groupobjectclasses/--userobjectclasses ? We are > wanting to add some additional attributes to all of the servers, I’m > able to add the object class to individual servers but not

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
Thats odd. You would normally not need it on bare metal. It could be broken hardware. On 10 September 2015 at 14:05, Prasun Gera wrote: > Thanks. I'm not virtualizing though. Should I still add it ? > > On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway

Re: [Freeipa-users] DNS Server

2015-09-10 Thread Petr Spacek
On 10.9.2015 15:38, Günther J. Niederwimmer wrote: > Hello, > > what is the best way to include a external Nameserver for a IPA Host? > > My DNS (DNSSEC) server is running on a extra Instance (KVM) now I have setup > a > extra Instance for a IPA Master Server and I have now to include the

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Alexander Bokovoy
On Thu, 10 Sep 2015, Martin Kosek wrote: On 09/08/2015 08:13 PM, Ian Pilcher wrote: Now that I'm actually using IPA authentication for a few services within my house, I'm going to set up a simple "start page" with a few links, including a link to IPA web UI for password changes. I'd like to

[Freeipa-users] PKI-CAD service fails, IPA won't start

2015-09-10 Thread Cassidy, James M.
Hello: So recently, we received some new workstations that I loaded with Ubuntu 12.04. The person who had this sysadmin position before me set up the IPA domain and had it running for quite some time. I went to add one of the systems to the domain through a script he created, something in the

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Martin Kosek
On 09/08/2015 08:13 PM, Ian Pilcher wrote: > Now that I'm actually using IPA authentication for a few services within > my house, I'm going to set up a simple "start page" with a few links, > including a link to IPA web UI for password changes. I'd like to use > the FreeIPA logo, but I've only

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
The hardware is not very old (ivybridge). The entries appear every few minutes in the log. The /etc/ntp.conf has not been modified manually. It lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are also a couple of additional local servers with the comment added by

Re: [Freeipa-users] certificate add subject alt Name

2015-09-10 Thread Youenn PIOLET
Hi, I'm not sure I understood all of your problem, but here are some information that may help: - First, you don't change a certificate, but you can revoke it a make a new one - If you need to add a SubjectAltName to a certificate, you may have realized that the -D parameter makes the request to

Re: [Freeipa-users] Logging?

2015-09-10 Thread Martin Kosek
On 09/09/2015 09:50 PM, Janelle wrote: > Hello, > > I was wondering if anyone has played with thee extended logging of IPA and > specifically SSSD and the kibana dashboards they put together. > https://www.freeipa.org/page/Centralized_Logging > > I can't seem to get "clients" to send the login

Re: [Freeipa-users] Logging?

2015-09-10 Thread Janelle
On 9/10/15 7:55 AM, Martin Kosek wrote: On 09/09/2015 09:50 PM, Janelle wrote: Hello, I was wondering if anyone has played with thee extended logging of IPA and specifically SSSD and the kibana dashboards they put together. https://www.freeipa.org/page/Centralized_Logging I can't seem to get

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Ian Pilcher
Thanks all! (And I should have known that it would be Mo's work.) -- Ian Pilcher arequip...@gmail.com "I grew up before Mark Zuckerberg invented friendship"

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Petr Spacek
On 10.9.2015 17:22, Alexander Bokovoy wrote: > On Thu, 10 Sep 2015, Martin Kosek wrote: >> On 09/08/2015 08:13 PM, Ian Pilcher wrote: >>> Now that I'm actually using IPA authentication for a few services within >>> my house, I'm going to set up a simple "start page" with a few links, >>> including

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue ? On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote: > Thats odd. You would normally not need it on bare metal. It could

[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-10 Thread Craig White
Following instructions from here... https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html RHEL6 server # rpm -qa ipa-server ipa-server-3.0.0-42.el6.x86_64 RHEL7 server # rpm -q ipa-server

[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Gustavo Mateus
Hi, I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users public ssh key. Do I have to setup a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it? Thanks, Gustavo -- Manage your subscription for the

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Prashant Bapat
One way to do it is write a small script which will fetch the keys from LDAP. As for authentication, I make the SSH public key anonymously readable for everyone. On 11 September 2015 at 05:00, Gustavo Mateus wrote: > Hi, > > I'm trying to setup my Amazon Linux

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Sorry, I've read ipv6.disable=1 in this article http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I understood wrong this prerequisite and went directly to the next chapter, in my mind I was conviced that IPv6 must be disabled :) I will try with IPv6 enabled, and then I will