Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Marc Boorshtein
> > Do you know if these options are generated by the installer or are those > the ones included with the sssd generated file ? > I do not. I didn't set up any kerberos configurations other than running the ipa client install to join the domain. > Would you mind filing a ticket? I think this

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Marc Boorshtein
> > Looking into krb5/src/util/profile/prof_get.c, the code that supports > 'yes'/'no' (y,yes,1,true,t,on and n,no,nil,off,false) was added in 2000 > with the commit 97971c69b9389be08b7e9ffb742ca35f3706b3af (it was CVS at > the time but the commit is traceable via git after import from SVN). > >

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Alexander Bokovoy
On Mon, 07 Dec 2015, Marc Boorshtein wrote: FreeIPA team, In doing some work with Java I came across an issue with the krb5.conf file generated by the IPA client install process. Options in the krb5.conf file that are boolean are being set as yes/no instead of true/false. MIT Kerberos

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Simo Sorce
On Mon, 2015-12-07 at 10:45 -0500, Marc Boorshtein wrote: > > > > Do you know if these options are generated by the installer or are those > > the ones included with the sssd generated file ? > > > > I do not. I didn't set up any kerberos configurations other than > running the ipa client install

[Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Marc Boorshtein
FreeIPA team, In doing some work with Java I came across an issue with the krb5.conf file generated by the IPA client install process. Options in the krb5.conf file that are boolean are being set as yes/no instead of true/false. MIT Kerberos accepts it but per the docs it should be

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Simo Sorce
On Mon, 2015-12-07 at 10:04 -0500, Marc Boorshtein wrote: > FreeIPA team, > > In doing some work with Java I came across an issue with the > krb5.conf file generated by the IPA client install process. Options > in the krb5.conf file that are boolean are being set as yes/no instead > of

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Stefano Cortese
> So the questions are: > - is there another cleaner way to exclude the localauth sssd plugin > (considering that the configuration snippet is recreated at every sssd > restart)? Can you test if this hack would help: # service sssd stop # rm

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Alexander Bokovoy
On Mon, 07 Dec 2015, Marc Boorshtein wrote: Looking into krb5/src/util/profile/prof_get.c, the code that supports 'yes'/'no' (y,yes,1,true,t,on and n,no,nil,off,false) was added in 2000 with the commit 97971c69b9389be08b7e9ffb742ca35f3706b3af (it was CVS at the time but the commit is traceable

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Sumit Bose
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > >> So the questions are: > >> - is there another cleaner way to exclude the localauth sssd plugin > >> (considering that the configuration snippet is recreated at every sssd > >> restart)? > > > >Can you test if this hack would

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Simo Sorce
On Mon, 2015-12-07 at 18:04 +0100, Stefano Cortese wrote: > > > So the questions are: > > > - is there another cleaner way to exclude the localauth sssd plugin > > > (considering that the configuration snippet is recreated at every sssd > > > restart)? > > > > Can you test if this hack would help:

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > >> So the questions are: > >> - is there another cleaner way to exclude the localauth sssd plugin > >> (considering that the configuration snippet is recreated at every sssd > >> restart)? > > > >Can you test if this hack would

Re: [Freeipa-users] FreeIPA Clients behind unreliable network links at remote sites

2015-12-07 Thread Traiano Welcome
Hi Jakub On Mon, Dec 7, 2015 at 12:00 PM, Jakub Hrozek wrote: > On Sun, Dec 06, 2015 at 09:58:58PM +0300, Traiano Welcome wrote: >> Hi List >> >> >> Current Scenario: >> = >> >> I have a number of stores on really unreliable network connections: >> It's quite

[Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Andrey Ptashnik
Dear Team, I’m trying to remove DNS records from IPA server and getting the following error: "ipa: ERROR: webapps001.mz984: DNS resource record not found" I suspect that there was such server "webapps001.mz984" in the past properly added to IPA server via the “ipa-client-install” utility, but it was

[Freeipa-users] IP error when creating a replica

2015-12-07 Thread Kanwar Ranbir Sandhu
Hello Everyone, I'm using IPA on a CentOS 7 box at home (because why not?). I'm running into a problem which so far has stumped me. The host running the IPA master is on the protected LAN subnet (let's call it 1.1.1.1). The replica I'm now trying to setup is running in the "dmz" subnet (this one

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Jakub Hrozek
On Sat, Dec 05, 2015 at 06:44:45PM +0100, Stefano Cortese wrote: > Hello, > we have a number of ipa 3.0 clients that have been upgraded from Scientific > Linux 6.6 to 6.7 and after the upgrade both the .k5login authorization and > auth_to_local_names mappings don't work anymore as before. > The

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > Hello, > > We are having a problem with HBAC that appears to be related to group > membership lookup. I am testing with a new install on RHEL 7.2 with a > cross-forest trust with AD. When an AD user attempts to log into a client >

Re: [Freeipa-users] FreeIPA Clients behind unreliable network links at remote sites

2015-12-07 Thread Jakub Hrozek
On Sun, Dec 06, 2015 at 09:58:58PM +0300, Traiano Welcome wrote: > Hi List > > > Current Scenario: > = > > I have a number of stores on really unreliable network connections: > It's quite possible for the links to have been down for 3 - 4 days at > a time. > > In a given store is a

Re: [Freeipa-users] Mixing client and server versions

2015-12-07 Thread Martin Kosek
On 12/04/2015 09:11 PM, Martin Štefany wrote: > Hi Daryl, > > IPA client <-> IPA server are both backward and forward compatible, see: > > http://www.freeipa.org/page/Client#Compatibility > > Note: except ipa-admintools, that one is a (thick) client and is > compatible only forward, see the

Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Pavel Picka
Hello, for me it is working: if the IPv6 address is e.g. 2002::101 the reverse zone will be 0.2.0.0.2.ip6.arpa. You can use more chars as you mentioned (0.0.0.0.0.2.0.0.2.ip6.arpa will still be the reverse for IP 2002::101), so if your IP starts with 2001:: it has the reverse 2.0.0.1.ip6.arpa. Hope it helps -

Re: [Freeipa-users] Issue with ipa 4.2.0 upgrade

2015-12-07 Thread Rob Crittenden
Orion Poplawski wrote: > I just upgraded my SL7 box to ipa-server-4.2.0, but this process appears to > have broken ipa. From the ipaupgrade.log: > > 2015-12-07T17:47:46Z DEBUG Starting external process > 2015-12-07T17:47:46Z DEBUG args='/bin/systemctl' 'is-active' > 'certmonger.service' >

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Andrey Ptashnik
Martin, Here is the output you requested: [root@ipa-idm]# ipa dnsrecord-find 123.xyz.com mz984 --all --raw dn: idnsName=webapps001.mz984+nsuniqueid=650db4bc-88c511e5-90e7864e-76f6b2c3,idnsname=123.xyz.com.,cn=dns,dc=123,dc=xyz,dc=com idnsname: webapps001.mz984 arecord: 10.16.9.232

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Andrey Ptashnik
Martin, For my education, how did you identify that from my output? Regards, Andrey Ptashnik

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Rob Crittenden
Andrey Ptashnik wrote: > Martin, > > For my education, how did you identify that from my output? The +nsuniqueid= in the dn. When managing entries in IPA it constructs the DN based on the values provided which is why you got a notfound for webapps001.mz984, because it literally doesn't exist.

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Martin Basti
Yes, it is replication conflict. Please follow: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html On 07.12.2015 20:19, Andrey Ptashnik wrote: Martin, Here is the output you

Re: [Freeipa-users] FreeIPA Clients behind unreliable network links at remote sites

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 10:00:02AM +0100, Jakub Hrozek wrote: > On Sun, Dec 06, 2015 at 09:58:58PM +0300, Traiano Welcome wrote: > > Hi List > > > > > > Current Scenario: > > = > > > > I have a number of stores on really unreliable network connections: > > It's quite possible for

Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Martin Basti
On 07.12.2015 20:12, Pavel Picka wrote: Hello, for me it is working: if the IPv6 address is e.g. 2002::101 the reverse zone will be 0.2.0.0.2.ip6.arpa. You can use more chars as you mentioned (0.0.0.0.0.2.0.0.2.ip6.arpa will still be the reverse for IP 2002::101), so if your IP starts with 2001:: it has

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Sauls, Jeff
> Jakub Hrozek wrote: > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > Hello, > > > > We are having a problem with HBAC that appears to be related to group > > membership lookup. I am testing with a new install on RHEL 7.2 with a > > cross-forest trust with AD. When an AD

Re: [Freeipa-users] IP error when creating a replica

2015-12-07 Thread Ranbir
On Mon, 2015-12-07 at 19:39 +0100, Martin Basti wrote: > IMO 2.2.2.2/32 is why installation is failing, it should be something > 2.2.2.2/24, please try to reconfigure your network interface. Wow - I can't believe I missed the /32. I don't know _why_ the netmask was set to /32, but after changing

Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Günther J. Niederwimmer
Am Monday 07 December 2015, 20:41:29 schrieb Martin Basti: > On 07.12.2015 20:12, Pavel Picka wrote: > > Hello, > > > > for me it is working: if the IPv6 address is e.g. 2002::101 the reverse zone will be: > > > > 0.2.0.0.2.ip6.arpa > > > > you can use more chars as you mentioned (

Re: [Freeipa-users] Issue with ipa 4.2.0 upgrade

2015-12-07 Thread Orion Poplawski
On 12/07/2015 12:17 PM, Rob Crittenden wrote: > Orion Poplawski wrote: >> I just upgraded my SL7 box to ipa-server-4.2.0, but this process appears to >> have broken ipa. From the ipaupgrade.log: >> >> 2015-12-07T17:47:46Z DEBUG Starting external process >> 2015-12-07T17:47:46Z DEBUG

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > Jakub Hrozek wrote: > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > Hello, > > > > > > We are having a problem with HBAC that appears to be related to group > > > membership lookup. I am testing with a

Re: [Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Martin Basti
On 07.12.2015 21:26, Günther J. Niederwimmer wrote: Am Monday 07 December 2015, 20:41:29 schrieb Martin Basti: On 07.12.2015 20:12, Pavel Picka wrote: Hello, for me it is working: if the IPv6 address is e.g. 2002::101 the reverse zone will be 0.2.0.0.2.ip6.arpa. You can use more chars as you mentioned

Re: [Freeipa-users] IP error when creating a replica [solved]

2015-12-07 Thread Martin Basti
On 07.12.2015 21:24, Ranbir wrote: On Mon, 2015-12-07 at 19:39 +0100, Martin Basti wrote: IMO 2.2.2.2/32 is why installation is failing, it should be something 2.2.2.2/24, please try to reconfigure your network interface. Wow - I can't believe I missed the /32. I don't know _why_ the netmask

[Freeipa-users] Ldap search for enrolled boxes

2015-12-07 Thread Sean Hogan
Hello, Does anyone have an ldapsearch syntax that will check the database for all enrolled hosts within IPA and ignore non-enrolled hosts? I am not familiar enough with the schema yet to know which containers contain what. I know there is a flag on the gui for enrolled or not so thinking it's

Re: [Freeipa-users] Ldap search for enrolled boxes

2015-12-07 Thread Rob Crittenden
Sean Hogan wrote: > Hello, > > Does anyone have an ldapsearch syntax that will check the database for > all enrolled hosts within IPA and ignore non-enrolled hosts? I am not > familiar enough with the schema yet to know which containers contain > what. I know there is a flag on the gui for

Re: [Freeipa-users] IP error when creating a replica

2015-12-07 Thread Martin Basti
On 07.12.2015 18:40, Kanwar Ranbir Sandhu wrote: Hello Everyone, I'm using IPA on a CentOS 7 box at home (because why not?). I'm running into a problem which so far has stumped me. The host running the IPA master is on the protected LAN subnet (let's call it 1.1.1.1). The replica I'm now

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Rob Crittenden
Andrey Ptashnik wrote: > Dear Team, > > I’m trying to remove DNS records from IPA server and getting following > error: "ipa: ERROR: webapps001.mz984: DNS resource record not found" > I suspect that there was such server "webapps001.mz984" in the past > properly added to IPA server via

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Martin Basti
On 07.12.2015 18:08, Andrey Ptashnik wrote: Dear Team, I’m trying to remove DNS records from IPA server and getting the following error: "ipa: ERROR: webapps001.mz984: DNS resource record not found" I suspect that there was such server "webapps001.mz984" in the past properly added to IPA server

[Freeipa-users] Reverse Zone IPv6 Syntax ?

2015-12-07 Thread Günther J. Niederwimmer
Hello, I'd like to create an ip6.arpa zone with freeIPA, but this is not possible? I can't find the correct syntax for an IPv6 reverse zone :-(. I tested 16 chars: x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2 x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa The last one is working with named (bind). Can anyone tell me, is this