[Freeipa-users] Why is user status different on each master replica?

2016-08-10 Thread Larry Rosen
This user was locked out due to Max Failure policy = 5 If they're supposed to be replicas, why the different status? [root@il10 ~]# ipa user-status lramey --- Account disabled: False --- Server: ipa-idm-01.ipajdr.local Failed logins: 0 Last

Re: [Freeipa-users] Why is user status different on each master replica?

2016-08-10 Thread Martin Basti
On 09.08.2016 23:04, Larry Rosen wrote: This user was locked out due to Max Failure policy = 5 If they’re supposed to be replicas, why the different status? [root@il10 ~]# ipa user-status lramey --- Account disabled: False --- Server:

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Joe Thielen
> Date: Wed, 10 Aug 2016 09:02:29 +0200 > From: Petr Spacek > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] FreeIPA Session Management (WebUI, > Kerberos, ...?) > Message-ID: > Content-Type: text/plain;

[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows members of the developer group sudo rights on virtual servers in the "development" group. This works great on the centos servers. However, I recently set up 3 ubuntu boxes, and added them to the IPA domain

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Sean Hogan
Not sure it is the same as 14.X but I had to add the sudo in the list of services to sssd.conf as it was not put in by default. I am by no means an expert on it but my own personal experience with 14.x Sean Hogan From: Jeff Goddard To:

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Rob Crittenden
Jeff Goddard wrote: Sean, Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below. I'd start here: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO rob

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
Sean, Thanks for the reply. I don't think that's my problem but I'm posting a redacted copy of the sssd.conf file for review below. [domain/domain.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = domain.com id_provider = ipa auth_provider = ipa access_provider =

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Petr Spacek
On 9.8.2016 21:37, Joe Thielen wrote: > First off, let me say THANK YOU to all of you who've helped make FreeIPA > what it is. I think it's a fantastic project and it's amazing what it has > achieved. > > Second off, I'm still quite new to FreeIPA, especially the internals. This > includes

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Guy Knights
Ok, I increased the debug level as you recommended and it's given me a lot of useful info. Before I go any further trying to troubleshoot that mass of info on this mailing list though, I would like to double check something I came across. In the debug output I noticed this line: "No ccache file

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Justin Stephenson
On 08/10/2016 05:19 PM, Guy Knights wrote: Ok, I increased the debug level as you recommended and it's given me a lot of useful info. Before I go any further trying to troubleshoot that mass of info on this mailing list though, I would like to double check something I came across. In the debug

[Freeipa-users] FreeIPA vs DogTag CA

2016-08-10 Thread Kamal Perera
Dear all, Seeking your kind advice. If the requirement is for having a scalable corporate CA only, is it possible to get this requirement fulfilled with DogTag only, or install FreeIPA and use the CA functionality only. What are the functional differences and support limitations? Thanks

[Freeipa-users] ipa-replica-install fails with python import error for module ssl_match_hostname

2016-08-10 Thread White Hat
When attempting to run ipa-replica-install I get a python error, No module named ssl_match_hostname This is on a CentOS 7.2 x86_64 testing box. All available updates including kernel installed, and system rebooted same day. Same error before and after patching and reboot. Let me know if you

Re: [Freeipa-users] Declarative configuration options?

2016-08-10 Thread Mike LoSapio
Something declarative which can be version controlled and considered a "source of truth" and driven from configuration management (chef, puppet, ansible - whatever your flavor) A scheme to reconcile account properties, group memberships, permissions, etc... I could see how this would be a

Re: [Freeipa-users] ipa-client login as AD user in trusted domain

2016-08-10 Thread Guy Knights
Hmm, ok. In that case, I guess I need to rethink my setup. Thanks again for all your help! Kind regards, Guy On 10 August 2016 at 14:46, Justin Stephenson wrote: > On 08/10/2016 05:19 PM, Guy Knights wrote: > > Ok, I increased the debug level as you recommended and it's

Re: [Freeipa-users] updating certificates

2016-08-10 Thread Florence Blanc-Renaud
Hi Josh, depending on your IPA version, you may consider using ipa-server-certinstall and ipa-certupdate. ipa-server-certinstall can be used to install a new certificate for Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the CA certificates found in the LDAP server.

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Jan Pazdziora
On Tue, Aug 09, 2016 at 03:37:35PM -0400, Joe Thielen wrote: > > For example, let's say "joe" logs in to the WebUI (OR another web app tied > to FreeIPA). Now, on another computer, "admin" logs into the WebUI. Can > admin have a way to see that "joe" logged in, and, if need be, kill Joe's >

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Joe Thielen
On Wed, Aug 10, 2016 at 5:27 AM, Jan Pazdziora wrote: > On Tue, Aug 09, 2016 at 03:37:35PM -0400, Joe Thielen wrote: > > > > For example, let's say "joe" logs in to the WebUI (OR another web app > tied > > to FreeIPA). Now, on another computer, "admin" logs into the