Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-14 Thread Alexander Bokovoy
On Wed, 09 Dec 2015, Randy Morgan wrote: Hello, We are setting up our wireless to authenticate against FreeRadius and FreeIPA. I am looking for any instructions on how to integrate radius with IPA. We can get them talking via kerberos, but when we have a wireless client attempt to

Re: [Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

2015-12-14 Thread Jan Cholasta
Hi, On 14.12.2015 12:09, Martin Kosek wrote: ipa-cacert-manage only renews CA certificate. It does not fix expired CA subsystem certificates (#getcert list), IIRC. Correct. I think the process was: - move system time to about 1-2 weeks before the oldest expired certificate expiry time -

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Martin Kosek
On 12/12/2015 12:26 AM, Martin Štefany wrote: > Hello Ranbir, > > I'm working on this, even today I was putting more things together. > (That DRAFT is really uncommented version of what I currently have). And > I've opened also https://fedorahosted.org/freeipa/ticket/5521 to get a > bit more out

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Alexander Bokovoy
On Fri, 11 Dec 2015, Ranbir wrote: On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote: what exactly do you want to achieve? 'Integrate' could mean a couple of things, so please specify. Ya, that was lame. Let me elaborate. I have a postfix server and a dovecot server: both are running in

Re: [Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

2015-12-14 Thread Martin Kosek
ipa-cacert-manage only renews CA certificate. It does not fix expired CA subsystem certificates (#getcert list), IIRC. I think the process was: - move system time to about 1-2 weeks before the oldest expired certificate expiry time - restart certmonger - now certmonger itself should start

Re: [Freeipa-users] Clean up DNS Host Cert and other records from IPA

2015-12-14 Thread Martin Kosek
On 12/11/2015 11:55 PM, Andrey Ptashnik wrote: > Hello Team, > > We have many servers in our environment that are on a different stage of > their lifecycle. All of them are added to IPA domain. There are cases when > servers get moved, sometimes crash, sometimes are being rebuilt or >

Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-14 Thread Alexander Bokovoy
On Fri, 11 Dec 2015, Andrey Ptashnik wrote: Hello Team, We have many servers in our environment that are on a different stage of their lifecycle. All of them are added to IPA domain. There are cases when servers get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In

Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-14 Thread Randy Morgan
Thanks Alexander, that was an excellent explanation with some very helpful information. We will look over our configs and see if we can work this out. Randy Randy Morgan CSR Department of Chemistry and Biochemistry Brigham Young University 801-422-4100 On 12/14/2015 3:12 AM, Alexander

Re: [Freeipa-users] otpd heavy load?

2015-12-14 Thread Alexander Bokovoy
On Thu, 10 Dec 2015, Janelle wrote: libverto-tevent-0.2.5-4.el7.x86_64 libverto-0.2.5-4.el7.x86_64 Patching problem perhaps? Can you install debuginfo for krb5 and ipa? And then install ltrace? I would go with these tools: - once ipa-otpd recreates its high resource usage, run 'pstack '

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Ranbir
On Sun, 2015-12-13 at 21:56 +0100, Natxo Asenjo wrote: > so what have you tried? A number of things. However, I've been able to get past the SASL GSSAPI error I was seeing in Postfix. Now I've run into another issue though I don't think it's related to freeipa. I'm going to post what I did once

Re: [Freeipa-users] otpd heavy load?

2015-12-14 Thread Janelle
I'll gather up the info first chance I get. Thank you ~J On 12/14/15 7:35 AM, Alexander Bokovoy wrote: On Thu, 10 Dec 2015, Janelle wrote: libverto-tevent-0.2.5-4.el7.x86_64 libverto-0.2.5-4.el7.x86_64 Patching problem perhaps? Can you install debuginfo for krb5 and ipa? And then install

[Freeipa-users] AD group members

2015-12-14 Thread Winfried de Heiden
Using an EL7 client, lots of times the IPA (posix) groups are missing, or partly missing. Doing some debugging, sssd_pac.log shows: (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Ranbir
On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote: > How would one handle an email only user in freeipa? I have mail > accounts that aren't attached to a real person and yet I need the > "user" to exist in freeipa. Should I just create a normal user account, set the password and mail and disable

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Simo Sorce
On Mon, 2015-12-14 at 13:38 -0500, Ranbir wrote: > On Mon, 2015-12-14 at 11:30 -0500, Ranbir wrote: > > How would one handle an email only user in freeipa? I have mail > > accounts that aren't attached to a real person and yet I need the > > "user" to exist in freeipa. > > Should I just create a

Re: [Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-14 Thread Andrey Ptashnik
Alexander, Thank you for your feedback, this is what I expected to do - 'ipa-client-install --uninstall' and expected an easy quick fix for my request. It seems to work in environment where server portion is on CentOS/RHEL 7.1 and clients as well on 7.1 with IPA 4.1. However when clients are

[Freeipa-users] confused about replica role and use

2015-12-14 Thread Karl Forner
Hello, From what I understood, a freeipa replica server is a kind of backup of another freeipa server. Both are usable by clients, and they will dynamically update their information. But I do not understand how a client will make use of the replica if the master server is down. Naively I would

Re: [Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

2015-12-14 Thread Petr Spacek
On 10.12.2015 16:05, Günther J. Niederwimmer wrote: > Am Thursday 10 December 2015, 12:51:19 schrieb Petr Spacek: >> On 9.12.2015 14:40, Günther J. Niederwimmer wrote: >>> Hello, >>> >>> I like to create a NSEC3PARAM Record but my tests are not working :-(. >>> >>> Is there a documentation for