Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Dan.Finkelstein
If, after identifying the dangling RUVs and attempting to clean them, you see this:
[root@ipa-replica ~]# ipa-replica-manage clean-ruv 104
Clean the Replication Update Vector for ipa.example.com:389
Cleaning the wrong replica ID will cause that server to no longer replicate so it may miss

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
Well, here you are:
rpm -qa 'libverto*' 'krb5*'
krb5-pkinit-1.14.1-6.fc23.armv7hl
libverto-tevent-0.2.6-5.fc23.armv7hl
krb5-libs-1.14.1-6.fc23.armv7hl
krb5-workstation-1.14.1-6.fc23.armv7hl
libverto-0.2.6-5.fc23.armv7hl

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Nathaniel McCallum
Can you please try:
  # dnf install libverto-libev
  # dnf remove libverto-tevent
  # ipactl restart
On Wed, 2016-06-08 at 18:30 +0200, Winfried de Heiden wrote:
> Well, here you are:
> rpm -qa 'libverto*' 'krb5*'
> krb5-pkinit-1.14.1-6.fc23.armv7hl
> libverto-tevent-0.2.6-5.fc23.armv7hl
>

[Freeipa-users] IPA stack startup time - expected values?

2016-06-08 Thread lejeczek
hi users I wonder if on a very minimal installation, still fresh with only ~20 test users and no other app/services using IPA we have a time in mind that IPA stack should take no longer than, to start? I know it varies and may depend on quite a few variables. Reason I wonder is because I

[Freeipa-users] after a server reebot no more login for korora users

2016-06-08 Thread Przemysław Orzechowski
Hi, I enrolled Centos 7 box into IPA (also stock centos 7 server) for some time everything was working ok but now I can't ssh to the client after client reboot On every ssh login attempt I get such lines in sshd.log on the client (Wed Jun 8 14:05:03 2016) [sssd[be[korora.mydomain]]]

Re: [Freeipa-users] after a server reebot no more login for korora users

2016-06-08 Thread Sumit Bose
On Wed, Jun 08, 2016 at 04:54:44PM +0200, Przemysław Orzechowski wrote: > Hi, I enrolled > Centos 7 box into IPA (also stock centos 7 server) > for some time everything was working ok but now I can't ssh to the client > after client reboot > On every ssh login attempt I get such lines in sshd.log on

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-08 Thread Nathan Peters
I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason.

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Anthony Clark
I think I introduced a red herring by accident, I'm deeply embarrassed to say. Our new FreeIPA instance lives in ns01.dev.example.net. The alternative hostname is password.example.net I think that the different domain there was causing some of the problems. I removed mention of the different

[Freeipa-users] Yet another question about smartcard login... this time Ubuntu.

2016-06-08 Thread Michael Rainey (Contractor)
Hello, I have system running Ubuntu 16.04 running the ipa client 4.3. I am trying to enable smartcard logins through lightdm. I have implemented some of my previous configurations on my Centos 7.2 systems. Obviously, there are differences between the two distros, so the big question is

[Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-08 Thread Dan.Finkelstein
I have a promoted CA master/FreeIPA 4.2.0 instance on CentOS 7 that emits this error in the httpd logs whenever the WebUI tries to see the certificates page: [Wed Jun 08 16:56:27.052106 2016] [:error] [pid 2863] ipa: ERROR: ipaserver.plugins.dogtag.ra.find(): Unable to communicate with CMS

Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Detlev Habicht
Thank you, this is it. This entry was already in sssd.conf (with the wrong interface). But i was looking for an IP number … Ignoring interfaces. Stupid, my fault. Thank you again Detlev -- Detlev | Institut fuer Mikroelektronische Systeme Habicht | D-30167 Hannover +49 511 76219662

Re: [Freeipa-users] How to implement password expiration notifications?

2016-06-08 Thread Eivind Olsen
On 2016-06-08 14:00, Alexander Bokovoy wrote: Make a service (ipa service-add), download a keytab with the key for this service and use gss-proxy to provide refreshing credentials based on the keytab to a script that runs periodically. Hm. I like that idea, now I just need to actually make it

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Jan Pazdziora
On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote: > On 06/01/2016 07:48 PM, Anthony Clark wrote: > > > > I'm somewhat at a loss to debug this further. I was wondering if the > > session > > storage is somehow bound to the original host name. Is there a way to > > check > >

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote: > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to > do this: > > > > AuthType GSSAPI This feels strange. The %{HTTP_HOST} is the value of the Host: header of the HTTP request. And on my setup, with

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote: > On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote: > > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to > > do this: > > > > > > > > AuthType GSSAPI > > This feels strange. The

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/08/2016 09:42 AM, Jan Pazdziora wrote: > On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote: >> On 06/01/2016 07:48 PM, Anthony Clark wrote: >>> >>> I'm somewhat at a loss to debug this further. I was wondering if the >>> session >>> storage is somehow bound to the original host

Re: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query

2016-06-08 Thread Petr Vobornik
On 8.6.2016 10:45, Martin Kosek wrote: On 06/07/2016 09:08 PM, Nathan Peters wrote: I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0 servers. The rest work fine. This server also tends to crash quite a bit and the others do not. Any tips on what I should be

Re: [Freeipa-users] samba kerberized with autofs

2016-06-08 Thread Alexander Bokovoy
On Thu, 02 Jun 2016, Bello Florent wrote: Hi, I configured a samba with freeipa in kerberized mode. It work fine for normaly mounting but with autofs it work only if root has a kerberos ticket (example : kinit admin). When root haven't ticket, other users can't go in automount folder, but

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Martin Kosek
On 06/07/2016 04:10 PM, Cal Sawyer wrote: ... > I found that installing a replica with firewalld enabled would consistently > fail > during initial replication. Disabling firewalld always allowed replication > and > later stages to complete > >[24/38]: setting up initial replication

Re: [Freeipa-users] How to get FreeIPA feature requests ack'd?

2016-06-08 Thread Martin Kosek
On 06/07/2016 05:22 PM, Cal Sawyer wrote: > Hello > > The RH Bugzilla is pretty much unnavigable by anyone who doesn't know the > magic > words, so i'm asking here. Apologies in advance if misdirected. Hi Cal, I updated FreeIPA Trac front page, to help you (and others) more with filing bugs

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Cal Sawyer
On 08/06/16 09:23, Martin Kosek wrote: On 06/07/2016 04:10 PM, Cal Sawyer wrote: ... I found that installing a replica with firewalld enabled would consistently fail during initial replication. Disabling firewalld always allowed replication and later stages to complete [24/38]:

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Martin Kosek
On 06/08/2016 11:05 AM, Cal Sawyer wrote: > > On 08/06/16 09:23, Martin Kosek wrote: >> On 06/07/2016 04:10 PM, Cal Sawyer wrote: >> ... >>> I found that installing a replica with firewalld enabled would consistently >>> fail >>> during initial replication. Disabling firewalld always allowed

[Freeipa-users] FreeIPA 4.4

2016-06-08 Thread Winfried de Heiden
Hi all, Any news/progress about FreeIPA 4.4? On http://www.freeipa.org/page/Roadmap: FreeIPA 4.4: feature release. Release planned for end of May 2016. Any updated release date...? Winny

[Freeipa-users] how to integrate freeipa (LDAP) with sonatype nexus

2016-06-08 Thread krnrd b
Hi All, I am not able to login to sonatype nexus gui after configuring ldap details on nexus. can any one provide me nexus ldap configuration details. Please find the attached screen shot which i have configured. Thanks

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Petr Vobornik
On 06/08/2016 11:15 AM, Cal Sawyer wrote: > In /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors on all IPA > master/replicas:, there's a multitude of these messages. There are no > other error messages and replication, from viewing access log, appears > to be working > > [08/Jun/2016:10:06:08

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Cal Sawyer
In /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors on all IPA master/replicas:, there's a multitude of these messages. There are no other error messages and replication, from viewing access log, appears to be working [08/Jun/2016:10:06:08 +0100] attrlist_replace - attr_replace

Re: [Freeipa-users] How to implement password expiration notifications?

2016-06-08 Thread Alexander Bokovoy
On Wed, 08 Jun 2016, Eivind Olsen wrote: We have previously used a script to send "password expiration" reminders to our users. The script did this by doing LDAP search and checking krbLastPwdChange and krbPasswordExpiration. This seems to have stopped working, possibly a while ago. It now

Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Martin Basti
On 08.06.2016 13:00, Detlev Habicht wrote: Hi all, well, i am really a beginner with IPA and just trying to setup some test systems. In the moment one IPA server, one NFS/Samba server and a fedora CLient. I am running IPA 4.2, Scientific Linux 7.2 and Fedora 23. The most important things are

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Cal Sawyer
Thanks very much for this, Petr. [08/Jun/2016:12:28:42 +0100] NSMMReplicationPlugin - CleanAllRUV Task (rid 8): Successfully cleaned rid(8). on master and all replicas. Voila - all error logs are now quiet Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street | London W1W 8RW

[Freeipa-users] How to implement password expiration notifications?

2016-06-08 Thread Eivind Olsen
We have previously used a script to send "password expiration" reminders to our users. The script did this by doing LDAP search and checking krbLastPwdChange and krbPasswordExpiration. This seems to have stopped working, possibly a while ago. It now looks like the script is unable to match

Re: [Freeipa-users] Dynamic DNS Questions

2016-06-08 Thread Martin Štefany
Hello Detlev, FreeIPA/SSSD client use IP address of interface/vlan/subnet which is used to communicate (LDAP) with FreeIPA server. However, if you have dyndns_update set to True in sssd.conf, you can also set dyndns_iface to point to correct interface which IP addresses will be dynamically

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
Hi all, Well, the libverto is there some time already (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a
Name        : libverto
Version     : 0.2.6
Release     : 5.fc23
Architecture: armv7hl

Re: [Freeipa-users] replication - ruv errors

2016-06-08 Thread Ludwig Krispenz
On 06/07/2016 06:17 PM, Andy Brittingham wrote: Hello, I'm having issues with freeipa replication. Currently we have 4 Freeipa servers, in a master - master relationship with replication agreements between all servers. I noticed the replication failure messages in the logs late last week

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/01/2016 07:48 PM, Anthony Clark wrote: > Hello All, > > I've been asked to allow access to our FreeIPA web UI from a more user > friendly > url than I'm currently using. So I've set up a CNAME password.example.com > for ns01.example.com

[Freeipa-users] IPA to supply radius with a special user name - how?

2016-06-08 Thread lejeczek
hi users, some network devices need and look up a special type of a user, in my case it's dell powerconnect switch which - when uses radius - needs, eg: $enable5$. Is this something that IPA will be ok with? will have no problems if I create such a user? I don't suppose IPA have full

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
On Tue, Jun 07, 2016 at 09:50:07AM -0400, Anthony Clark wrote: > One thing I noticed was that once I had set up the proxy as per the > document from Jan, I was getting access denied to /ipa until I disabled the > Kerberos authentication stuff: > > # Protect /ipa and everything below it in

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Winfried de Heiden
The libverto used on RHEL 7.2 (it's working there) is v0.2.5-4 build date January 26 2014, so that's an older one. Is this more recent one causing the problems? How to test? Winny Op 08-06-16 om 08:34 schreef

Re: [Freeipa-users] how to integrate freeipa (LDAP) with sonatype nexus

2016-06-08 Thread Rob Crittenden
krnrd b wrote: Hi All, I am not able to login to sonatype nexus gui after configuring ldap details on nexus. can any one provide me nexus ldap configuration details. Please find the attached screen shot which i have configured. Thanks and

Re: [Freeipa-users] FreeOTP

2016-06-08 Thread Nathaniel McCallum
No, we need to know what libverto *backend* you are using. Please provide the output from this command:
rpm -qa 'libverto*' 'krb5*'
On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote:
> Hi all,
>
>
> Well, the libverto is there some time already (yep, it's running on
> a Bananapi!),