[Freeipa-users] Mostly working trust, SSH failure

2016-05-19 Thread Erik Mackdanz
Hello, I've set up a one-way trust to an Active Directory domain. Things seem to roughly work, but something's missing. Can any kind soul spot a problem with my configuration, or advise on how to further troubleshoot? Facts: - An AD user gets 'Access denied' when SSH'ing by password to the

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 5:12 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] File user and group ownership

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Thursday, 19 May 2016 5:22 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] File user and group ownership listings... > > On Thu,

Re: [Freeipa-users] Advice sought on monitoring freeipa status

2016-05-19 Thread Prashant Bapat
For the replication issues please see http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html This has a perl script that you can use. As for the authentication of the user monitoring replication, we thought about it and ended up allowing anonymous reads on the

[Freeipa-users] Renewal of new cert concept

2016-05-19 Thread barrykfl
Hi: As stated in the guideline online.../root/ipa.crt is the server cert generated by a 3rd party CA? Or the CA cert itself that needs to pair with the server cert later. thx Give the CSR to your external CA and have them issue you a new certificate. We assume that the resulting certificate is saved

[Freeipa-users] SSSD, sudo and FQDNs

2016-05-19 Thread Lachlan Musicman
Hola, We couldn't get sssd and sudo to work and discovered this on the SSSD troubleshooting page: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO#Knownissues Is this on the radar to be solved at all or is it unsolvable? Cheers L. -- The most dangerous phrase in the language is,

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-19 Thread Coy Hile
Right, you have some process that creates the shadow accounts with a random, unknown, unused pass. This assumes you have some workflow for provisioning rather than doing ad hoc ipa user add as a human. Sent from my iPad > On May 18, 2016, at 23:20, John Meyers

Re: [Freeipa-users] Changing spec.page_length?

2016-05-19 Thread Martin Kosek
On 05/17/2016 01:54 AM, Jeffery Harrell wrote: > Is there a “soft” way to change the number of rows in tables like the hosts > and > DNS records search facets? I think I’d happily trade a little interactivity > when > going from one facet to another for the ability to see four or five times as

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-19 Thread John Meyers
(apologize for possible double post) Can you share the details of how you managed to this with FreeIPA (even if it includes kadmin.local work)? Many thanks! On 5/18/16 6:03 PM, Coy Hile wrote: > When I've done this in the past, I used mit directly, not IPA. I set up a one > way trust, then

Re: [Freeipa-users] authconfig vs ipa-client-install

2016-05-19 Thread Martin Kosek
On 05/19/2016 04:12 PM, lejeczek wrote: > hi everybody > > I'd like to ask how what an ipa installation does to a box relates to > authconfig? > > I am specifically thinking of the fact that authconfig does not indicate that > IPAv2 is used, on a box which is an IPA member/client. > > Is it

[Freeipa-users] authconfig vs ipa-client-install

2016-05-19 Thread lejeczek
hi everybody I'd like to ask how what an ipa installation does to a box relates to authconfig? I am specifically thinking of the fact that authconfig does not indicate that IPAv2 is used, on a box which is an IPA member/client. Is it because it is for some older IPA, that "v2"? If yes,

[Freeipa-users] LDAP server failover via altServer attribute?

2016-05-19 Thread Guillermo Fuentes
Hello all, As OS X allows LDAP server failover via the altServer attribute (RFC4512) from RootDSE, it would be great to be able to configure our Macs to connect to a single FreeIPA server and add other FreeIPA servers as multiple altServer values. The current schema doesn't seem to support adding

[Freeipa-users] AD membership realmd way + samba?

2016-05-19 Thread lejeczek
hi users/devs I've poked around the samba list but it was suggested I ask the sssd people; I thought IPA's might know as well. Having joined AD with realm - can samba take advantage of this membership? And if so then to what extent? many thanks, L. -- Manage your subscription for the Freeipa-users

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-19 Thread Alexander Bokovoy
On Wed, 18 May 2016, John Meyers wrote: All, FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberotized applications, not

Re: [Freeipa-users] AD group membership

2016-05-19 Thread Alexander Bokovoy
On Thu, 19 May 2016, Lachlan Musicman wrote: Hi, We seem to have some progress, after reading this blog post about sssd performance tuning. https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ So now we see that on the FreeIPA server, everything

[Freeipa-users] Advise on the best way to configure the following

2016-05-19 Thread pgb205
We have: AD->winsync->FIPA1<->replica<->FIPA2 etc. to multiple other replicas from FIPA1. What we want is to establish a separate set of FIPA replicas which would still have information from AD and yet would not 'pollute' the FIPA1/FIPA2 replicas above. So far we have considered the following options: 1.

[Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Lachlan Musicman
Now that groups are working as expected, we have noticed that when listing a directory the user and group now have full domain qualifiers. This doesn't look great. We've also noticed that we now need to chown :group@subdomain filename (with default_domain_suffix set). Is there a reason why

Re: [Freeipa-users] AD group membership

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 4:07 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD group membership > > On

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-19 Thread Jakub Hrozek
On Wed, May 18, 2016 at 11:17:05PM +, Simpson Lachlan wrote: > > -Original Message- > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > > boun...@redhat.com] On Behalf Of Jakub Hrozek > > Sent: Wednesday, 18 May 2016 5:40 PM > > To: freeipa-users@redhat.com > > Subject:

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Alexander Bokovoy
On Thu, 19 May 2016, Lachlan Musicman wrote: Now that groups are working as expected, we have noticed that when listing a directory the user and group now have full domain qualifiers. This doesn't look great. We've also noticed that we now need to chown :group@subdomain filename (with

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Jakub Hrozek
On Thu, May 19, 2016 at 04:33:45PM +1000, Lachlan Musicman wrote: > Now that groups are working as expected, we have noticed that when listing > a directory the user and group now have full domain qualifiers. > > This doesn't look great. We've also noticed that we now need to > > chown