Re: [Freeipa-users] separating authoritative servers from recursive servers

2015-10-06 Thread Petr Spacek
On 6.10.2015 14:13, Brendan Kearney wrote: > On 10/06/2015 07:42 AM, Petr Spacek wrote: >> On 6.10.2015 03:40, Brendan Kearney wrote: >>> i have two bind instances in somewhat of a multi-master server arrangement, >>> where they share the same ldap backend via bind-dyndb-ldap. currently, they >>>

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Andrew E. Bruno
On Tue, Oct 06, 2015 at 10:22:44AM -0400, Rob Crittenden wrote: > Andrew E. Bruno wrote: > > On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote: > >> Andrew E. Bruno wrote: > >>> The replica is not showing up when running ipa-replica-manage list. > >>> > >>> # ipa-replica-manage list

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Alexander Skwar
Hello Sumit ipa-client-install hasn't set krb5_realm. I did that. We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf in chef. So it overwrote, whatever ipa-client-install put there. And that's how the mistake happened. I think the ipa-client-install discovered everything

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote: >> Andrew E. Bruno wrote: >>> The replica is not showing up when running ipa-replica-manage list. >>> >>> # ipa-replica-manage list >>> srv-m14-32.cbls.ccr.buffalo.edu: master >>>

Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers

2015-10-06 Thread Petr Vobornik
On 09/22/2015 01:03 AM, Craig White wrote: -Original Message- From: Petr Vobornik [mailto:pvobo...@redhat.com] Sent: Friday, September 18, 2015 1:44 AM To: Craig White; Martin Kosek; freeipa-users@redhat.com; Jan Cholasta Subject: Re: [Freeipa-users] last step in retiring old RHEL 6 (IPA

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Mark Reynolds
On 10/06/2015 01:13 PM, Andrew E. Bruno wrote: On Tue, Oct 06, 2015 at 12:53:04PM -0400, Mark Reynolds wrote: On 10/06/2015 10:30 AM, Andrew E. Bruno wrote: On Tue, Oct 06, 2015 at 10:22:44AM -0400, Rob Crittenden wrote: Andrew E. Bruno wrote: On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Andrew E. Bruno
On Tue, Oct 06, 2015 at 02:29:49PM -0400, Mark Reynolds wrote: > > > On 10/06/2015 01:13 PM, Andrew E. Bruno wrote: > >On Tue, Oct 06, 2015 at 12:53:04PM -0400, Mark Reynolds wrote: > >> > >>On 10/06/2015 10:30 AM, Andrew E. Bruno wrote: > >>>On Tue, Oct 06, 2015 at 10:22:44AM -0400, Rob

Re: [Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

2015-10-06 Thread David Kupka
On 23/09/15 10:35, Michael Lasevich wrote: Ok, I just went through the process of migrating our IPA setup from 4.1.2 running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek Copr version) and ran into a nasty bug. The replica-install crashes during CA configuration with something

[Freeipa-users] RedHat IdM Active Directory Integration

2015-10-06 Thread Lesley Kimmel
Hi all; I'm working an initiative to centralize user accounts in Active Directory. We have a large RHEL (6+) footprint and want to manage these as well. I am a Red Hat Engineer on the project and, while it is possible to integrate all of the RHEL clients directly to AD, I have a nagging feeling

Re: [Freeipa-users] Groups

2015-10-06 Thread Simo Sorce
On 06/10/15 13:14, Rob Crittenden wrote: Sean Hogan wrote: Hello, I have been rolling out an IPA deployment for IBM Watson for the past 3 months. Initially I did not want to take on application ids (linux OS Ids owning apps). I now have to so I have created the accounts in IPA however new

[Freeipa-users] dogtag v CA less

2015-10-06 Thread Steven Jones
Hi, I am trying to determine what the difference is between the 2 options above in IPA4.1 and the implications and complications are of using one or other. Also which one would be the better choice and why? Can someone explain in simple terms please? regards Steven -- Manage your

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Alexander Skwar
Hi With further debugging, I discovered, that I messed up the /etc/sssd/sssd.conf file. There, I added: … [domain/customer.company.internal] krb5_realm = customer.company.internal … Exactly like that. With "krb5_realm = customer.company.internal"; ie. with the realm in lowercase letters.

Re: [Freeipa-users] DNS forwarding configuration randomly breaks and stops working

2015-10-06 Thread Petr Spacek
On 5.10.2015 21:57, nat...@nathanpeters.com wrote: Looking at the log entries, it appears that there may have been a network connectivity 'blip' (maybe a switch or router was restarted) at some point and even after connectivity was restored, the global forwarding was

Re: [Freeipa-users] separating authoritative servers from recursive servers

2015-10-06 Thread Brendan Kearney
On 10/06/2015 07:42 AM, Petr Spacek wrote: On 6.10.2015 03:40, Brendan Kearney wrote: i have two bind instances in somewhat of a multi-master server arrangement, where they share the same ldap backend via bind-dyndb-ldap. currently, they are authoritative and recursive servers, and i want to

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Andrew E. Bruno
On Mon, Oct 05, 2015 at 02:48:48PM -0400, Rob Crittenden wrote: > Andrew E. Bruno wrote: > > On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: > >> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: > >>> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote: > What's the

Re: [Freeipa-users] separating authoritative servers from recursive servers

2015-10-06 Thread Petr Spacek
On 6.10.2015 03:40, Brendan Kearney wrote: > i have two bind instances in somewhat of a multi-master server arrangement, > where they share the same ldap backend via bind-dyndb-ldap. currently, they > are authoritative and recursive servers, and i want to change things up a > bit. i want to move

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-06 Thread Dominik Korittki
Thanks for the info, Tomas. I will definitely try this one out! Couldn’t wait for it to be released for CentOS if it really does what the changes you mentioned describe :-) We would like to have hostgroup of 10.000 hostmembers or even more in one group. We currently split these group into

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Mon, Oct 05, 2015 at 02:48:48PM -0400, Rob Crittenden wrote: >> Andrew E. Bruno wrote: >>> On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: > On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Sumit Bose
On Tue, Oct 06, 2015 at 11:26:42AM +0200, Alexander Skwar wrote: > Hi > > With further debugging, I discovered, that I messed up the > /etc/sssd/sssd.conf file. There, I added: > > … > [domain/customer.company.internal] > > krb5_realm = customer.company.internal > … > > > > Exactly like

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-10-06 Thread Ryan Belgrave
Herwono W Wijaya writes: > > > Tomorrow I will try to capture Univention LDAP traffic with > wireshark, and if possible I will try also this FreeIPA with vCenter > 6. Since I became one of the private beta testers so I had vCenter Any updates on this? I am getting the

Re: [Freeipa-users] Groups

2015-10-06 Thread Rob Crittenden
Sean Hogan wrote: > Hello, > > I have been rolling out an IPA deployment for IBM Watson for the past 3 > months. Initially I did not want to take on application ids (linux OS > Ids owning apps). I now have to so I have created the accounts in IPA > however new files created by user wdadeploy are

[Freeipa-users] sudo rules do not seem to work

2015-10-06 Thread Karl Forner
Hello, I had assumed sudo rules worked because I have an "allow_all for admins" sudo rule that seemed to work, but I wonder if there is an implicit rule for the special group admins? Because I have tried to replicate this allow_all rule for other user groups, and it does not seem to work

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Mark Reynolds
On 10/06/2015 10:30 AM, Andrew E. Bruno wrote: On Tue, Oct 06, 2015 at 10:22:44AM -0400, Rob Crittenden wrote: Andrew E. Bruno wrote: On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote: Andrew E. Bruno wrote: The replica is not showing up when running ipa-replica-manage list.

Re: [Freeipa-users] DNS forwarding configuration randomly breaks and stops working

2015-10-06 Thread nathan
> Your expectation #1 is correct, but there can be multiple reasons why it > fails. > > Did you try to set forward policy = only as I advised you in the previous > e-mail? Forward policy 'first' does not make sense when split-DNS is > involved > because you can end up with mixture of records from

Re: [Freeipa-users] re-initialize replica

2015-10-06 Thread Andrew E. Bruno
On Tue, Oct 06, 2015 at 12:53:04PM -0400, Mark Reynolds wrote: > > > On 10/06/2015 10:30 AM, Andrew E. Bruno wrote: > >On Tue, Oct 06, 2015 at 10:22:44AM -0400, Rob Crittenden wrote: > >>Andrew E. Bruno wrote: > >>>On Tue, Oct 06, 2015 at 09:35:08AM -0400, Rob Crittenden wrote: > Andrew E.