Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
on domain controller === [nathan.peters@dc2 ~]$ getent group deployment_engineer [nathan.peters@dc2 ~]$ getent group sysadmins [nathan.peters@dc2 ~]$ id nathan.peters uid=756600344(nathan.peters) gid=756600344(nathan.peters) groups=756600344(nathan.peters),75660(admins) [nathan.peters

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
There doesn't seem to be an option to add POSIX attributes to my sudo rules. Which attributes should I be adding and how? -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Monday, June 13, 2016 1:57 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re: [Fre

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Rob Crittenden
Nathan Peters wrote: There doesn't seem to be an option to add POSIX attributes to my sudo rules. Which attributes should I be adding and how? Not the sudo rule, the group. I'd create a new test group similar to one of your existing groups, add that to your sudo rule and try that. rob --

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules. If the group is a 'normal' group it will fail when used in sudo rules. This is really silly because in a previous version of CentOS (6.3) sudo rules would fail if the group w
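The check below is an added example, not something posted in this thread. It reproduces the diagnosis the thread arrives at with plain shell: for each group a sudo rule names, it asks NSS whether the group resolves at all (getent group prints nothing for an IPA group without POSIX attributes, which is what the empty getent output for deployment_engineer earlier in the thread shows) and whether the user's NSS group list (id -nG) contains it, roughly the inputs sudo's user_in_group() compares. The group names and the gid 75660 in the usage line are taken from the thread; GROUP_LOOKUP and USER_GROUPS are hypothetical override hooks added so the logic can be exercised against constructed output instead of a live client.

```shell
#!/bin/sh
# Added example, not from the thread. For each group named in a sudo rule,
# check (a) whether NSS can resolve it at all ("getent group NAME" prints a
# group(5) line only for groups that carry POSIX attributes) and (b) whether
# USER's own NSS group list ("id -nG USER") contains it. A group that fails
# (a) is the case from this thread: an IPA group without POSIX attributes,
# for which sudo's user_in_group() evaluates to false.
#
# GROUP_LOOKUP and USER_GROUPS are assumed override hooks (not real options of
# getent or id) so the functions can run against constructed output; the
# defaults are the real commands a CentOS client would use.
GROUP_LOOKUP="${GROUP_LOOKUP:-getent group}"
USER_GROUPS="${USER_GROUPS:-id -nG}"

# group_visible NAME: succeed if NSS returns a group(5) entry for NAME
group_visible() {
    [ -n "$($GROUP_LOOKUP "$1" 2>/dev/null)" ]
}

# user_in_group USER NAME: succeed if NAME appears in USER's group list
user_in_group() {
    $USER_GROUPS "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# check_rule_groups USER GROUP...: print one status line per group; exit
# non-zero if any named group would not let USER match a sudo rule using it
check_rule_groups() {
    user=$1
    shift
    rc=0
    for g in "$@"; do
        if ! group_visible "$g"; then
            echo "$g: not resolvable via NSS (no POSIX attributes?); sudo will not treat $user as a member"
            rc=1
        elif user_in_group "$user" "$g"; then
            echo "$g: ok, $user is a member"
        else
            echo "$g: resolvable, but $user is not a member"
            rc=1
        fi
    done
    return $rc
}

# Usage on a client, with the names from this thread:
#   sh check_rule_groups.sh nathan.peters admins deployment_engineer sysadmins
if [ "$#" -gt 0 ]; then
    check_rule_groups "$@"
fi
```

A group reported as "not resolvable via NSS" while `ipa group-show` lists it on the server is the symptom discussed here: the client-side lookup, not the rule, is what fails, and giving the group POSIX attributes (or using a POSIX test group, as suggested in the thread) is what to try first.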

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Rob Crittenden
Nathan Peters wrote: I have confirmed that on both CentOS 6.8 and CentOS 6.7 that if the group is a POSIX group, it can be used in sudo rules. If the group is a 'normal' group it will fail when used in sudo rules. This is really silly because in a previous version of CentOS (6.3) sudo rules wo

Re: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.

2016-06-13 Thread Rich Megginson
On 06/13/2016 01:13 PM, Guillermo Fuentes wrote: Hi Rich, After I started running the stack traces, the problem hasn't happened as frequently as it used to, but today I was able to get the stack traces. As they aren't similar I'll send them over to you in a separate email. This is what I did to sta

[Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

2016-06-13 Thread Ɓukasz Jaworski
Hi, freeipa-client-4.2.4-1.fc23.x86_64 freeipa-server-4.2.4-1.fc23.x86_64 I've tried add hostname with multiple hyphens. Sth like: example--name-of-host.example.com. Output is: ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start o

[Freeipa-users] How to renew kerberos tickets without user intervention?

2016-06-13 Thread Matrix
Hi all, IPA server was installed on ipaserver.dev.example.net. A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that the rsync cronjobs fail once the 'ads' kerberos ticket has expired. I would like to renew kerberos tickets before expiration wit

Re: [Freeipa-users] Password sync settings not working

2016-06-13 Thread Martin Kosek
On 06/10/2016 01:59 AM, Joshua J. Kugler wrote: > Howdy! > > We are trying to set up password sync. I have read this: > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync > > I have added that attribute: > ec

Re: [Freeipa-users] ldapsearch in cron job woes about no credentials

2016-06-13 Thread Harald Dunkel
On 06/09/16 15:16, Harald Dunkel wrote: > Hi folks, > > Platform: freeipa 4.2 (Centos7) > > Problem: My cron job needs a ticket to run ldapsearch. The > error message is: > > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Local error (-2) > additional

Re: [Freeipa-users] ldapsearch in cron job woes about no credentials

2016-06-13 Thread Alexander Bokovoy
On Mon, 13 Jun 2016, Harald Dunkel wrote: On 06/09/16 15:16, Harald Dunkel wrote: Hi folks, Platform: freeipa 4.2 (Centos7) Problem: My cron job needs a ticket to run ldapsearch. The error message is: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-13 Thread Petr Vobornik
On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com wrote: > The restore I was referring to was a red herring; we ended up wiping the > server > and saving ipa-backup files, which was the only way we could successfully > reconfigure/reinitialize IPA on the host. > As Rob wrote, please check

Re: [Freeipa-users] Error with DNS forwarding on replica.

2016-06-13 Thread Nuno Higgs
Hello again, [root@ipa01 ~]# kinit user Password for user@DOMAIN.LOCAL: [root@ipa01 ~]# ipa dnsforwardzone-show domain.eu Zone name: domain.eu. Active zone: TRUE Zone forwarders: 194.65.3.20 195.65.3.21 Forward policy: only [root@ipa01 ~]# [root@ipa02 ~]# ipa dnsforwardzone-show domain.e

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
All group lists return correctly when using the ipa group-show command. Like I said, there is definitely something wrong with CentOS 6.8 because all group lists are correct. This was done on one of the CentOS 6.8 servers so we know that the server can retrieve the group lists properly. [nathan

[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
(Note: versions below) All, I am getting password failures for accounts coming from a sub-ad domain. I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interfa

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread Alexander Bokovoy
On Mon, 13 Jun 2016, David Fischer wrote: (Note: versions below) All, I am getting password failures for accounts coming from a sub-ad domain. I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the

Re: [Freeipa-users] ns-slapd hangs for 2-3 minutes, then resumes.

2016-06-13 Thread Guillermo Fuentes
Hi Rich, After I started running the stack traces, the problem hasn't happened as frequently as it used to, but today I was able to get the stack traces. As they aren't similar I'll send them over to you in a separate email. This is what I did to start the stack traces (CentOS 7): # yum install -y --

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
-Original Message- From: Alexander Bokovoy <aboko...@redhat.com> To: David Fischer <dfisc...@petsmart.com> Cc: freeipa-users@redhat.com Subject: Re:

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
After more investigation I'm thinking this may be a bug in FreeIPA 4.3.1. I have for testing purposes, installed a CentOS 6.7 client and I'm getting the same issues. The only thing I can think of is that we updated our FreeIPA servers to 4.3.1 a few weeks ago and hadn't provisioned any new mach

[Freeipa-users] CA: IPA certificates not renewing

2016-06-13 Thread Marc Wiatrowski
Hello, I'm having issues with the 3 ipa certificates of type CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA master. The other 5 certificates from getcert list do renew and all certificates on the CA master do look to renew. Both servers running ipa-server-3.0.0-50

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
Taking a second look at the sudo debugging logs: it looks like it can't figure out that I'm in the right group? According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO those next 2 lines should be true? Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := fal

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Lukas Slebodnik
On (13/06/16 20:24), Nathan Peters wrote: >Taking a second look at the sudo debugging logs: it looks like it can't >figure out that I'm in the right group? > >According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO >those next 2 lines should be true? > That's exactly the reason

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Rob Crittenden
Nathan Peters wrote: Taking a second look at the sudo debugging logs: it looks like it can't figure out that I'm in the right group? According to https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO those next 2 lines should be true? Jun 13 20:12:10 sudo[16270] <- user_in_group

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Jakub Hrozek
On Mon, Jun 13, 2016 at 05:30:16PM +, Nathan Peters wrote: > All group lists return correctly when using the ipa group-show command. > > Like I said, there is definitely something wrong with CentOS 6.8 because all > group lists are correct. This was done on one of the CentOS 6.8 servers so