Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Jon wrote: Hi Alexander, Huzzah! Thanks for explaining how gethostname() works. At least armed with this information I can make a case to the powers that be why we need to make a change like this. So does this mean that all servers should have a fqdn in /etc/hostname or

[Freeipa-users] Kerberos process coredump | authentication fails

2016-01-27 Thread Prashant Bapat
Hi, We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7 replicas in different regions. Earlier there was only 1 replica. Since I added new replicas, on the master node, once in a while the kerberos process dumps core and everything stops working - authentication, replication

Re: [Freeipa-users] FREAK Vulnerability

2016-01-27 Thread Marat Vyshegorodtsev
My two cents: My "magic" string for NSS is like this (I had to move to Fedora 23 from CentOS in order to get more recent NSS version though): NSSProtocol TLSv1.2 NSSCipherSuite

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > Tried that. > > Originally I had just a normal user of a role "Build Administrator". > It worked perfectly. > > Service account doesn't seem to recognize its privileges either way > (explicit membership assignment or through roles). > > Originally it was like this

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Marat Vyshegorodtsev
Wow, that worked! Thanks, you ended my week of torture :-) For those who are interested, this is my final ldif for the host provisioning user: dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com changetype: add objectclass: account objectclass: simplesecurityobject objectclass: inetuser

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Marat Vyshegorodtsev
Tried that. Originally I had just a normal user of a role "Build Administrator". It worked perfectly. Service account doesn't seem to recognize its privileges either way (explicit membership assignment or through roles). Originally it was like this (working perfectly):

Re: [Freeipa-users] Moving default "admin" user to service accounts

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > Hi! > > My FreeIPA deployment is a part of PCI cardholder data environment. > > Hence, I have to comply with the requirements such as 8.1.1 > (assign unique ID to each user) and 8.5 (do not use generic or shared > IDs). > > I would like to move this user under

Re: [Freeipa-users] FREAK Vulnerability

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > My two cents: > > My "magic" string for NSS is like this (I had to move to Fedora 23 > from CentOS in order to get more recent NSS version though): > > NSSProtocol TLSv1.2 > NSSCipherSuite >

[Freeipa-users] Moving default "admin" user to service accounts

2016-01-27 Thread Marat Vyshegorodtsev
Hi! My FreeIPA deployment is a part of PCI cardholder data environment. Hence, I have to comply with the requirements such as 8.1.1 (assign unique ID to each user) and 8.5 (do not use generic or shared IDs). I would like to move this user under service accounts (it may still be used by

Re: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

2016-01-27 Thread Petr Spacek
On 27.1.2016 02:54, Nathan Peters wrote: > I have my FreeIPA server setup with a forward only policy for DNS. > > If I perform an nslookup against either of the configured forward servers, I > can do a reverse lookup properly. > > If I perform the same nslookup against my local server, it will

Re: [Freeipa-users] FreeIPA 4.3.0 Trust with AD Fails with RemoteRetrieveError

2016-01-27 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Nathan Peters wrote: I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1. When I try though the cli I get this error : ipa: ERROR: communication with CIFS server was unsuccessful When I try through the web ui I get : IPA Error 4016:

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > Hi! > > I'm trying to build an auto-enrollment script that would leverage a > service account to enroll hosts. > > Here is the LDIF for this service account: > https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a > > This service account is created successfully,

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-27 Thread Ash Alam
Hi Martin, I am happy to provide the necessary information. What packages should I check for? As for IPA we are IPA CA being signed with other CA Thank You On Wed, Jan 27, 2016 at 2:24 AM, Martin Kosek wrote: > On 01/26/2016 09:45 PM, Ash Alam wrote: > > I didn't want to dig

[Freeipa-users] heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

2016-01-27 Thread Jakub Hrozek
Hi, the sssd's code that fetches sudo rules from the IPA server got an overhaul recently. The search would no longer be performed against the compat tree, but against IPA's native LDAP tree. This would have the advantage that environments that don't use the slapi-nis' compat tree for another

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-27 Thread Izzo, Anthony
Both the WebUI and the CLI on the RHEL server work fine. The issue is that I'm trying to automate the cleanup of old PTR records for the IP address of a new VM joining the domain (we're experimenting in an AWS Cloud environment and at least in this phase we have RHEL6 machines joining the

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-27 Thread Martin Basti
On 27.01.2016 16:49, Izzo, Anthony wrote: Both the WebUI and the CLI on the RHEL server work fine. The issue is that I'm trying to automate the cleanup of old PTR records for the IP address of a new VM joining the domain (we're experimenting in an AWS Cloud environment and at least in this

Re: [Freeipa-users] heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

2016-01-27 Thread Lukas Slebodnik
On (27/01/16 16:21), Jakub Hrozek wrote: >Hi, > >the sssd's code that fetches sudo rules from the IPA server got an >overhaul recently. The search would no longer be performed against the >compat tree, but against IPA's native LDAP tree. This would have the >advantage that environments that don't

[Freeipa-users] SSSD and DNS

2016-01-27 Thread Sean Hogan
Hi All, Tue Jan 26 19:01:32 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [ssh]. Attempt [0] (Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING timed out on [sudo]. Attempt [0] (Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING timed

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-27 Thread Birnbaum, Warren (ETW)
I started this post with a simple question: "is it possible to have HBAC work with AD authenticated users". I was not able from the tips provided to get any further with this. What I have not been able to have addressed is, if there are no HBAC rules, there should be no access, or if there is

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-27 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Birnbaum, Warren (ETW) wrote: I started this post with a simple question: "is it possible to have HBAC work with AD authenticated users". I was not able from the tips provided to get any further with this. Have you tried to read actual documentation? From your attempts it

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hi Alexander, I've changed the names to anonymize the logs, but have maintained the structure of the names. This is how I've got the hostname configured: >> [root@freeipaserver ~]# hostname >> freeipaserver >> [root@freeipaserver ~]# hostname -a >> freeipaserver >> [root@freeipaserver ~]#

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hello, Thanks for your feedback. So I reran `ipa-adtrust-install` and got a core dump from samba that there was no space left on the device...? A little digging showed that /var/log had filled up with files named "core.X" in /var/log/samba/cores/winbindd. So I removed all of them and reran

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Jon wrote: Hello, Thanks for your feedback. So I reran `ipa-adtrust-install` and got a core dump from samba that there was no space left on the device...? A little digging showed that /var/log had filled up with files named "core.X" in /var/log/samba/cores/winbindd.

[Freeipa-users] ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTUserAttrs"

2016-01-27 Thread Anil Kommareddy
Hi All, I have an ipa-server-4.2.0-15.el7_2.3.x86_64 on which I installed ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64 and ran "ipa-adtrust-install --add-sids" command. After some initial issues it started working fine. This has created ipaNTSecurityIdentifier to existing user accounts fine.

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Jon wrote: Hi Alexander, I've changed the names to anonymize the logs, but have maintained the structure of the names. This is how I've got the hostname configured: [root@freeipaserver ~]# hostname freeipaserver [root@freeipaserver ~]# hostname -a freeipaserver

[Freeipa-users] Centos 7, CA log files, bug report?

2016-01-27 Thread Lachlan Musicman
Hi, Not sure if this is a bug or if I'm ignorant of the RH world, but when I try to do a fresh IPA install on Centos 7.2, I'm getting failures here: [1/27]: creating certificate server user [2/27]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-27 Thread Jon
Hi Alexander, Huzzah! Thanks for explaining how gethostname() works. At least armed with this information I can make a case to the powers that be why we need to make a change like this. So does this mean that all servers should have a fqdn in /etc/hostname or in the case of RHEL6 setting the

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-01-27 Thread David Goudet
Hi, > Hi, On 12/22/2015 11:43 AM, David Goudet wrote: >>Hi, >>I have multimaster replication environment. On each replica, folder >> /var/lib/dirsrv/slapd-/cldb/ has big size (3~GB) and old entries in >> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 have three month year old: >>

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-27 Thread wodel youchi
Hi again, Thanks for all your help, I have another question. In my openldap I use qmail for only these attributes : *mailQuotaSize*, *mailAlternateAddress*, *mailForwardingAddress* and *accountStatus* Searching in ipa's schema I found this schema *50ns-mail.ldif*, this schema provides these

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-27 Thread Martin Basti
On 27.01.2016 08:30, Martin Kosek wrote: Adding freeipa-users list back, so that others benefit from the discussion. On 01/26/2016 07:47 PM, Izzo, Anthony wrote: The error I'm getting is that the option "raw" is invalid. The dnsrecord-del command includes a "--raw" switch on RHEL6, but not