On Wed, 27 Jan 2016, Jon wrote:
Hi Alexander,
Huzzah!
Thanks for explaining how gethostname() works. At least armed with this
information I can make a case to the powers that be why we need to make a
change like this.
So does this mean that all servers should have a fqdn in /etc/hostname or
Hi,
We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
replicas in different regions. Earlier there was only 1 replica. Since I
added new replicas, on the master node, once in a while the kerberos
process dumps core and everything stops working - authentication,
replication
My two cents:
My "magic" string for NSS is like this (I had to move to Fedora 23
from CentOS in order to get more recent NSS version though):
NSSProtocol TLSv1.2
NSSCipherSuite
Marat Vyshegorodtsev wrote:
> Tried that.
>
> Originally I had just a normal user of a role "Build Administrator".
> It worked perfectly.
>
> Service account doesn't seem to recognize its privileges either way
> (explicit membership assignment or through roles).
>
> Originally it was like this
Wow, that worked! Thanks, you ended my week of torture :-)
For those who are interested, this is my final ldif for the host provisioning user:
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
Tried that.
Originally I had just a normal user of a role "Build Administrator".
It worked perfectly.
Service account doesn't seem to recognize its privileges either way
(explicit membership assignment or through roles).
Originally it was like this (working perfectly):
Marat Vyshegorodtsev wrote:
> Hi!
>
> My FreeIPA deployment is a part of PCI cardholder data environment.
>
> Hence, I have to comply with the requirements such as 8.1.1
> (assign unique ID to each user) and 8.5 (do not use generic or shared
> IDs).
>
> I would like to move this user under
Marat Vyshegorodtsev wrote:
> My two cents:
>
> My "magic" string for NSS is like this (I had to move to Fedora 23
> from CentOS in order to get more recent NSS version though):
>
> NSSProtocol TLSv1.2
> NSSCipherSuite
>
Hi!
My FreeIPA deployment is a part of PCI cardholder data environment.
Hence, I have to comply with the requirements such as 8.1.1
(assign unique ID to each user) and 8.5 (do not use generic or shared
IDs).
I would like to move this user under service accounts (it may still be
used by
On 27.1.2016 02:54, Nathan Peters wrote:
> I have my FreeIPA server setup with a forward only policy for DNS.
>
> If I perform an nslookup against either of the configured forward servers, I
> can do a reverse lookup properly.
>
> If I perform the same nslookup against my local server, it will
On Wed, 27 Jan 2016, Nathan Peters wrote:
I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1.
When I try though the cli I get this error :
ipa: ERROR: communication with CIFS server was unsuccessful
When I try through the web ui I get :
IPA Error 4016:
Marat Vyshegorodtsev wrote:
> Hi!
>
> I'm trying to build an auto-enrollment script that would leverage a
> service account to enroll hosts.
>
> Here is the LDIF for this service account:
> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>
> This service account is created successfully,
Hi Martin
I am happy to provide the necessary information. What packages should I
check for? As for IPA we are IPA CA being signed with other CA
Thank You
On Wed, Jan 27, 2016 at 2:24 AM, Martin Kosek wrote:
> On 01/26/2016 09:45 PM, Ash Alam wrote:
> > I didn't want to dig
Hi,
the sssd's code that fetches sudo rules from the IPA server got an
overhaul recently. The search would no longer be performed against the
compat tree, but against IPA's native LDAP tree. This would have the
advantage that environments that don't use the slapi-nis' compat tree
for another
Both the WebUI and the CLI on the RHEL server work fine. The issue is that I'm
trying to automate the cleanup of old PTR records for the IP address of a new
VM joining the domain (we're experimenting in an AWS Cloud environment and at
least in this phase we have RHEL6 machines joining the
On 27.01.2016 16:49, Izzo, Anthony wrote:
Both the WebUI and the CLI on the RHEL server work fine. The issue is that I'm
trying to automate the cleanup of old PTR records for the IP address of a new
VM joining the domain (we're experimenting in an AWS Cloud environment and at
least in this
On (27/01/16 16:21), Jakub Hrozek wrote:
>Hi,
>
>the sssd's code that fetches sudo rules from the IPA server got an
>overhaul recently. The search would no longer be performed against the
>compat tree, but against IPA's native LDAP tree. This would have the
>advantage that environments that don't
Hi All,
(Tue Jan 26 19:01:32 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [ssh]. Attempt [0]
(Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [sudo]. Attempt [0]
(Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING
timed
I started this post with a simple question: "is it possible to have HBAC
work with AD authenticated users". I was not able from the tips provided
to get any further with this.
What I have not been able to have addressed is, if there are no HBAC
rules, there should be no access, or if there is
On Wed, 27 Jan 2016, Birnbaum, Warren (ETW) wrote:
I started this post with a simple question: "is it possible to have HBAC
work with AD authenticated users". I was not able from the tips provided
to get any further with this.
Have you tried to read actual documentation? From your attempts it
Hi Alexander,
I've changed the names to anonymize the logs, but have maintained the
structure of the names.
This is how I've got the hostname configured:
>> [root@freeipaserver ~]# hostname
>> freeipaserver
>> [root@freeipaserver ~]# hostname -a
>> freeipaserver
>> [root@freeipaserver ~]#
Hello,
Thanks for your feedback.
So I reran `ipa-adtrust-install` and got a core dump from samba that there
was no space left on the device...?
A little digging showed that /var/log had filled up with files named
"core.X" in /var/log/samba/cores/winbindd. So I removed all of them
and reran
On Wed, 27 Jan 2016, Jon wrote:
Hello,
Thanks for your feedback.
So I reran `ipa-adtrust-install` and got a core dump from samba that there
was no space left on the device...?
A little digging showed that /var/log had filled up with files named
"core.X" in /var/log/samba/cores/winbindd.
Hi All,
I have an ipa-server-4.2.0-15.el7_2.3.x86_64 on which I installed
ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64 and ran "ipa-adtrust-install
--add-sids" command. After some initial issues it started working fine.
This has created ipaNTSecurityIdentifier to existing user accounts fine.
On Wed, 27 Jan 2016, Jon wrote:
Hi Alexander,
I've changed the names to anonymize the logs, but have maintained the
structure of the names.
This is how I've got the hostname configured:
[root@freeipaserver ~]# hostname
freeipaserver
[root@freeipaserver ~]# hostname -a
freeipaserver
Hi,
Not sure if this is a bug or if I'm ignorant of the RH world, but when I
try to do a fresh IPA install on Centos 7.2, I'm getting failures here:
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
Hi Alexander,
Huzzah!
Thanks for explaining how gethostname() works. At least armed with this
information I can make a case to the powers that be why we need to make a
change like this.
So does this mean that all servers should have a fqdn in /etc/hostname or
in the case of RHEL6 setting the
Hi,
> Hi,
On 12/22/2015 11:43 AM, David Goudet wrote:
>>Hi,
>>I have multimaster replication environment. On each replica, folder
>> /var/lib/dirsrv/slapd-/cldb/ has big size (3~GB) and old entries in
>> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 have three month year old:
>>
Hi again,
Thanks for all your help, I have another question.
In my openldap I use qmail for only these attributes : *mailQuotaSize*,
*mailAlternateAddress*, *mailForwardingAddress* and *accountStatus*
Searching in ipa's schema I found this schema *50ns-mail.ldif*, this schema
provides these
On 27.01.2016 08:30, Martin Kosek wrote:
Adding freeipa-users list back, so that others benefit from the discussion.
On 01/26/2016 07:47 PM, Izzo, Anthony wrote:
The error I'm getting is that the option "raw" is invalid. The dnsrecord-del command includes a
"--raw" switch on RHEL6, but not
30 matches