[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Sullivan, Daniel [AAA]
Hi, I am experiencing an HBAC issue that is proving to be very difficult to diagnose. It appears very closely related to the issue described in this thread (https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/DTX4LP5VI2AHANMT4QFXERCN7US2TCUB/), except that

[Freeipa-users] (DRAFT) HA mail services with FreeIPA, postfix, dovecot, amavisd-new, clamd and PLAIN/GSSAPI SSO

2016-07-12 Thread Günther J . Niederwimmer
Hello, some days ago I found this doc, now I like to setup a secure mail server but the article is now missing? Can this come back? Thanks, -- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Justin Stephenson
Hello, I am assuming this is the AD trust user that is having the problem with HBAC, in my testing I was only allowed access when the HBAC rule is linked to the IDM POSIX AD trust group and not the external group used to retrieve AD trust users. I noticed the following in the logs which is

[Freeipa-users] Could not delete change record

2016-07-12 Thread Christophe TREFOIS
Hi, I have 3 replicas running 4.1 and 3 replicas running 4.2. One of the 4.2 replicas is the new master (CRL) and is at the moment replicating against the old 4.1 cluster (we are in the process of migrating). Upon restart of the 4.2 master, I receive many messages in slapd error log about

Re: [Freeipa-users] HBAC and AD users

2016-07-12 Thread Sumit Bose
On Tue, Jul 12, 2016 at 09:08:01AM +1000, Lachlan Musicman wrote: > Alex, Sumit, > > Which log levels would you recommend for sssd to help debug this issue? > > We've been using 7, but I just realised that it's not an increasing scale > but bitmasked... It is both 0-9 is increasing scale while

Re: [Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved

2016-07-12 Thread Endi Sukma Dewata
On 7/12/2016 12:17 PM, bahan w wrote: Hello everyone. I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters). Today I tried to restart the IPA service with the command ### service ipa restart ### And I got the following warning concerning the pkica service : ### Since the file

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Lachlan Musicman
This is exactly the issue I'm seeing too, various differences, but the symptoms are the same. Main diff would be that sometimes stopping sssd, clearing cache and restarting sssd works, but only if individual AD domain members are added to the external group - not AD domain groups. Cheers L.

Re: [Freeipa-users] DNS service named in one of our IPA server cannot start

2016-07-12 Thread Petr Spacek
On 9.7.2016 02:47, lm gnid wrote: > Hello, > > In one of our IPA servers, named service suddenly cannot start, so I followed > the link below: > https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart > > Found some errors like below: > > ==> messages <== > > Jul 8 23:30:30

[Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-12 Thread Devin Acosta
I was trying to create another Replica but then noticed it was constantly having issues trying to finish the joining of the replication. I then ran the command: repl-monitor.pl. It appears I have several replicaid's and they seem to be having issues, wondering if this is adding to my issue.

Re: [Freeipa-users] Could not delete change record

2016-07-12 Thread Ludwig Krispenz
On 07/12/2016 11:25 AM, Christophe TREFOIS wrote: Hi, I have 3 replicas running 4.1 and 3 replicas running 4.2. One of the 4.2 replicas is the new master (CRL) and is at the moment replicating against the old 4.1 cluster (we are in the process of migrating). Upon restart of the 4.2

Re: [Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-12 Thread Petr Spacek
On 12.7.2016 17:13, Joanna Delaporte wrote: > Hi Rob, > > I'm sorry, I don't know how to list available pre-defined attributes, and I > wasn't able to find it just now looking through the help menu. Is the > attribute key grpassword, grouppassword, or something else? The attribute called

[Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved

2016-07-12 Thread bahan w
Hello everyone. I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters). Today I tried to restart the IPA service with the command ### service ipa restart ### And I got the following warning concerning the pkica service : ### Since the file '/var/lib/pki-ca/conf/CS.cfg.bak.saved' exists, a

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-12 Thread pgb205
+freeipa-users list From: pgb205 To: Sumit Bose Sent: Tuesday, July 12, 2016 2:12 PM Subject: Re: [Freeipa-users] Unable to ssh after establishing trust Sumit, thanks for replying So the first issue is my fault, probably from when I was

Re: [Freeipa-users] How does FreeIPA Fetch the Master DNS?

2016-07-12 Thread Rob Crittenden
Russ Kaehler wrote: Hello, I'd like to review the section of code specifically related to how FreeIPA fetches the master DNS. When I run this: ipa -vv user-show admin The following printout emerges: ipa: INFO: trying https://nqa-ipa-master-int.sprinklr.com/ipa/json ipa: INFO: Forwarding

[Freeipa-users] How does FreeIPA Fetch the Master DNS?

2016-07-12 Thread Russ Kaehler
Hello, I'd like to review the section of code specifically related to how FreeIPA fetches the master DNS. When I run this: ipa -vv user-show admin The following printout emerges: ipa: INFO: trying https://nqa-ipa-master-int.sprinklr.com/ipa/json ipa: INFO: Forwarding 'user_show' to json