Re: [Freeipa-users] IPA, autofs, kerberos

2016-01-04 Thread Rob Crittenden
Cal Sawyer wrote: > Hi > > After getting autofs working using automountmaps in IPA, I've discovered > that upon rebooting a client I have no automounts. If I ssh into the > client and obtain a ticket as admin, after restarting autofs (as root), > I can once again see access automounted

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Rob Crittenden
Karl Forner wrote: > I am running a master freeIPA called "ipa" in an adelton/freeipa-server > (freeIPA 4.1.4). > I am able to create a replica server "ipa2", still in an > adelton/freeipa-server. > > If I stop my ipa2 replica, and try to delete the replication agreement: > >

Re: [Freeipa-users] Avoid auto-setting krbpasswordexpiration to pwdpolicy?

2016-01-04 Thread Rob Crittenden
Martin René Mortensen wrote: > Hi, > > I am setting up an LDAP connection from our Identity Management system > which provisions our IPA servers with fresh users and groups. > I set it up pretty nice so far, with some added privileges for change > admin passwords and avoiding password resets. >

Re: [Freeipa-users] Failed upgrade to 4.2 via RHEL 7.2

2016-01-04 Thread Martin Basti
On 23.12.2015 08:28, Brian Topping wrote: Greetings all! Thanks for all the continued work on FreeIPA! :) I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the system did not come up cleanly. It seems to be some problem with the DNS server: [root@ipa01 ~]# systemctl status

Re: [Freeipa-users] DNSSEC Question (KSK ZSK)

2016-01-04 Thread Petr Spacek
On 29.12.2015 17:39, Martin Basti wrote: > > > On 29.12.2015 14:30, Günther J. Niederwimmer wrote: >> Hello, >> >> Is it possible to install a DNSSEC Master with my before created KSK ZSK? >> >> Background: >> >> I have installed an IPA Master on my System now I have changed the Hardware and >>

Re: [Freeipa-users] Cockpit integration part I - Single Sign On

2016-01-04 Thread Alexander Bokovoy
On Mon, 04 Jan 2016, Alexander Bokovoy wrote: On Mon, 04 Jan 2016, Marius Vollmer wrote: Alexander Bokovoy writes: Thanks. I think we actually could do better by using gss-proxy -- if only cockpit-ws would cooperate[1]. I'll file a bug Thanks! -- when cockpit-ws

Re: [Freeipa-users] Want faster user-add

2016-01-04 Thread Martin Kosek
On 12/22/2015 03:25 PM, Daryl Fonseca-Holt wrote: > > > On 12/22/15 08:09, Petr Vobornik wrote: >> On 12/22/2015 10:24 AM, thierry bordaz wrote: >>> On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote: Hi all, Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core

Re: [Freeipa-users] Want faster user-add

2016-01-04 Thread Martin Kosek
On 12/22/2015 04:16 PM, Simo Sorce wrote: > On Tue, 2015-12-22 at 10:24 +0100, thierry bordaz wrote: >> On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote: >>> Hi all, >>> >>> Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core >>> 256-GB RAM Oracle x4470 M2. >>> >>> During our

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Martin Kosek
On 12/22/2015 12:10 PM, Roderick Johnstone wrote: > Hi > > I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7. > > I need to have the netgroups set up in freeipa before migrating systems to be > freeipa clients. > > At this point I'm trying to understand the relationship between

Re: [Freeipa-users] IPA DS migration

2016-01-04 Thread Martin Kosek
On 12/29/2015 08:36 PM, Sean Conley - US wrote: > Hello, > > I need to migrate the users from an existing IPA server to a new IPA server > on an isolated network. It appears that “ipa migrate-ds” works only when > direct connection to source LDAP server is possible. I have searched with no >

Re: [Freeipa-users] Cockpit integration part I - Single Sign On

2016-01-04 Thread Alexander Bokovoy
On Mon, 04 Jan 2016, Marius Vollmer wrote: Alexander Bokovoy writes: Thanks. I think we actually could do better by using gss-proxy -- if only cockpit-ws would cooperate[1]. I'll file a bug Thanks! -- when cockpit-ws launches cockpit-session it doesn't pass anything

Re: [Freeipa-users] deny read Access to passwd for external users

2016-01-04 Thread Jakub Hrozek
> On 17 Dec 2015, at 11:35, José Garcia wrote: > > Hi guys, merry Christmas and happy new year. > > I have a freeipa (4.1.0) server on a centos 7 machine and it's working fine > even with active directory integration. > > But I would like to know if it is possible to

[Freeipa-users] how to force switch to another kdc

2016-01-04 Thread Karl Forner
Hello, My freeipa master has crashed, and I have a replica running. The problem is that I can not use anymore the webapps on my main server which use a kerberos authentication since my server will not switch to the kdc on my replica. I remember that someone replied to me on this list about that

Re: [Freeipa-users] IPA, autofs, kerberos

2016-01-04 Thread Prasun Gera
I would like to understand this better too. I'm not using kerberized NFS. I'm using regular nfs for user home dirs as well as other mount points, which used to work quite well with autofs + NIS. For the most part it works fine with ipa too. However, I have occasionally faced problems with autofs

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Karl Forner
> > > It hangs forever. > > How long is forever? > officially it's about 15 mns. Do you mean that this delay could be expected ? > > > If I run it using the --cleanup option, it seems to work. > > That does other things. > and actually it did not really work. > > > > > But when I try to run

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Jan Cholasta
Hi Peter, On 21.12.2015 17:43, Peter Pakos wrote: Hi, I tried to install a wildcard SSL certificate for HTTP/LDAP in our FreeIPA 4.1 (Centos 7.1) installation by following instructions from wiki page at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP: Unfortunately

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-04 Thread Martin Kosek
On 01/03/2016 01:32 PM, Alexander Bokovoy wrote: > On Wed, 23 Dec 2015, fvende@orange.com wrote: >> Hi, >> >> Do you know the compatibility between the different "FreeIPA 4" >> versions and CentOS 6.4, please ? I have tried to get the information >> but I don't have a clear response to this

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Peter Pakos
Hi Jan, On 04/01/2016 12:44, Jan Cholasta wrote: 1. Install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install" 2. Run "ipa-certupdate" to update CA certificate related IPA configuration. 3. Manually import the server certificate

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-04 Thread Jan Cholasta
On 4.1.2016 14:10, Peter Pakos wrote: Hi Jan, On 04/01/2016 12:44, Jan Cholasta wrote: 1. Install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install" 2. Run "ipa-certupdate" to update CA certificate related IPA configuration. 3.

Re: [Freeipa-users] Cockpit integration part I - Single Sign On

2016-01-04 Thread Marius Vollmer
Alexander Bokovoy writes: > Thanks. I think we actually could do better by using gss-proxy -- if > only cockpit-ws would cooperate[1]. I'll file a bug Thanks! > -- when cockpit-ws launches cockpit-session it doesn't pass anything > from the environment cockpit-ws was

Re: [Freeipa-users] Failed upgrade to 4.2 via RHEL 7.2

2016-01-04 Thread Petr Spacek
On 4.1.2016 10:48, Martin Basti wrote: > >> [root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com >> >> [root@ipa01 ~]# klist >> Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV >> Default principal: DNS/ipa01.example@example.com >>

Re: [Freeipa-users] Want faster user-add

2016-01-04 Thread thierry bordaz
On 01/04/2016 01:03 PM, Martin Kosek wrote: On 12/22/2015 04:16 PM, Simo Sorce wrote: On Tue, 2015-12-22 at 10:24 +0100, thierry bordaz wrote: On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote: Hi all, Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core 256-GB RAM Oracle x4470

[Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec

2016-01-04 Thread Domineaux Philippe
Hello, Happy new year. So the content of my /etc/locale.conf : LANG="fr_FR.UTF-8" -- Forwarded message -- From: Fraser Tweedale Date: 2015-12-23 5:11 GMT+01:00 Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with utf8 codec To: Gmail

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Martin Kosek
On 01/04/2016 10:41 PM, Rob Crittenden wrote: > Martin Kosek wrote: ... >> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as >> DM >> and it worked: >> >> # ipa netgroup-show masters >> Netgroup name: masters >> Description: ipaNetgroup masters >> NIS domain name:

Re: [Freeipa-users] SSSD to IPA connection?

2016-01-04 Thread Jakub Hrozek
On Mon, Jan 04, 2016 at 09:17:39AM -0800, Janelle wrote: > When this happens - it stops accepting logins for any of my users. Can you please generate logs when this happens? I suspect sssd might go offline for one reason or another.. > I have to restart SSSD to get it to work again. ..and a

Re: [Freeipa-users] FreeIPA server in Docker containers -- upcoming changes

2016-01-04 Thread Jan Pazdziora
On Thu, Dec 17, 2015 at 11:30:53AM +0100, Jan Pazdziora wrote: > > if you are running FreeIPA servers in containers, you might want to > be aware of a change that is coming -- in branch master-systemd of > > https://github.com/adelton/docker-freeipa > > we run the FreeIPA services via

Re: [Freeipa-users] SSSD to IPA connection?

2016-01-04 Thread Jakub Hrozek
On Mon, Jan 04, 2016 at 08:30:08AM -0800, Janelle wrote: > Happy New Year everyone! > > I came across a couple of my servers having some strange connection problems > and was wondering if anyone else has seen this or knows what might cause it? > This is IPA 4.1.4 and client on RHEL 7.1. When you

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Rob Crittenden
Martin Kosek wrote: > On 12/22/2015 12:10 PM, Roderick Johnstone wrote: >> Hi >> >> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7. >> >> I need to have the netgroups set up in freeipa before migrating systems to be >> freeipa clients. >> >> At this point I'm trying to understand

[Freeipa-users] SSSD to IPA connection?

2016-01-04 Thread Janelle
Happy New Year everyone! I came across a couple of my servers having some strange connection problems and was wondering if anyone else has seen this or knows what might cause it? This is IPA 4.1.4 and client on RHEL 7.1. When you look at the status, for some reason, SSSD has lost contact with

Re: [Freeipa-users] SSSD to IPA connection?

2016-01-04 Thread Janelle
When this happens - it stops accepting logins for any of my users. I have to restart SSSD to get it to work again. And it is just kind of random when this happens. How can a STATUS command sent to SSSD show a wrong password? ~J On 1/4/16 9:11 AM, Jakub Hrozek wrote: On Mon, Jan 04, 2016 at