[Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi, I followed the instructions here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html and now after some issues I have a replica with both pki and dns data running centos 7. So now I have 3

Re: [Freeipa-users] SSH public user's key stored in AD POSIX attribute

2016-09-21 Thread Sumit Bose
On Wed, Sep 21, 2016 at 09:47:12AM +0200, Jan Karásek wrote: > Hi, > > I have a question about the IPA-AD trust scenario where POSIX attributes are > stored in AD. Although I describe some possible solution below I wonder if using IPA overrides which allow to add public ssh keys for AD user

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Thanks Timo, The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y" command works on the terminal but within ansible playbook I am getting [Errno 2] No such file or directory", "rc": 2} when adding command: DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y any

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 11:34, Deepak Dimri wrote: > Thanks Timo, > > The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y" > command works on the terminal but within ansible playbook I am getting > > [Errno 2] No such file or directory", "rc": 2} when adding > command:

Re: [Freeipa-users] AD users can't login to IPA client

2016-09-21 Thread Jakub Hrozek
On Wed, Sep 21, 2016 at 05:43:29PM +0500, Alexander K wrote: > Hello, > > I'm having troubles with AD users authentication on IPA client. > I have 3 VMs in my test environment: > win-dc.windc.local 10.1.97.122 - AD DC server 2012R2 > fedora-dc.demo.loc 10.1.97.120 - fedora 24 + FreeIPA >

[Freeipa-users] Central logging docker image

2016-09-21 Thread Johan Petersson
Hi, When I was evaluating the configuration of the central logging proof of concept docker image described here: https://www.freeipa.org/page/Centralized_Logging I noticed that the rsyslog mmnormalization rules did not work properly and failed to parse keywords. Elasticsearch indexes does not

[Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
Hello list, I'm currently attempting to add a second CA server to our IPA cluster (all servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I try to setup the CA (ipa-replica-install with --setup-ca or ipa-replica-install followed by ipa-ca-install). The only useful thing in

Re: [Freeipa-users] 2FA using FreeIPA

2016-09-21 Thread Deepak Dimri
hi LS, I am using IPA Server - VERSION: 4.2.0, API_VERSION: 2.156 sssd version on my IPA server: 1.13.0 sssd version on my IPA client (ubuntu): 1.11.8 I have new "testhip2user" created in IPA Server with 2FA enabled. My /etc/ssh/sshd_config has this entry AuthorizedKeysFile

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
I got it fixed by adding these in my playbook - command: sudo env DEBIAN_FRONTEND=noninteractive - shell: "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y" Thanks, Deepak > Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04 > To:

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Korey Chapman
On Wed, Sep 21, 2016 at 6:47 AM, Tomas Krizek wrote: > On 09/21/2016 02:13 AM, Korey Chapman wrote: > > Hello list, > > I'm currently attempting to add a second CA server to our IPA cluster (all > servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I > try

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Natxo Asenjo
hi Petr, On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik wrote: > On 09/21/2016 10:50 AM, Natxo Asenjo wrote: > > > When I try to resubmit certificates from certmonger they still hit the > kdc01 web > > server, so the requests hang on an status: CA_UNREACHABLE > >

Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Alexander Bokovoy
On Wed, 21 Sep 2016, Brook, Andy [CRI] wrote: On 9/16/16, 12:02 PM, "Alexander Bokovoy" wrote: On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote: >You can replace actual hostnames/realm names/IP addresses by something more generic >in the output when sending

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Tomas Krizek
On 09/21/2016 02:13 AM, Korey Chapman wrote: Hello list, I'm currently attempting to add a second CA server to our IPA cluster (all servers Centos 7.2 with IPA 4.2.0). However, it is failing no matter how I try to setup the CA (ipa-replica-install with --setup-ca or ipa-replica-install

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Petr Vobornik
On 09/21/2016 10:50 AM, Natxo Asenjo wrote: > hi, > > I followed the instructions here: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html > > and now after some issues I have a replica with both

Re: [Freeipa-users] Samba Server setup

2016-09-21 Thread Brook, Andy [CRI]
On 9/16/16, 12:02 PM, "Alexander Bokovoy" wrote: On Fri, 16 Sep 2016, Brook, Andy [CRI] wrote: >You can replace actual hostnames/realm names/IP addresses by something more generic >in the output when sending to the list, but please do it consistently.

Re: [Freeipa-users] FreeIPA client installation on ubuntu, 14.04

2016-09-21 Thread Sebastien Julliot
Hello Deepak, If you know in advance what infos you want to enter input, you can try putting them in a file "inputs" and execute apt-get install freeipa-client -y < inputs > I am trying to install freeipa client on my ubuntu client via ansible > script. I have "apt-get update" and "apt-get

Re: [Freeipa-users] Replication issues (was Me Again)

2016-09-21 Thread Rob Crittenden
Ian Harding wrote: I used to have a lot of replicas, but like a house of cards, it all came crashing down. I was down to two, that seemed to be replicating, but last few days I've noticed that they haven't always been. freeipa-sea.bpt.rocks is where we do all our admin. seattlenfs.bpt.rocks is

Re: [Freeipa-users] Replication issues (was Me Again)

2016-09-21 Thread Ian Harding
On 09/21/2016 11:43 AM, Rob Crittenden wrote: > Ian Harding wrote: >> I used to have a lot of replicas, but like a house of cards, it all came >> crashing down. >> >> I was down to two, that seemed to be replicating, but last few days I've >> noticed that they haven't always been. >> >>

Re: [Freeipa-users] sssd.conf - the server and host-client relationship

2016-09-21 Thread Lachlan Musicman
My translations of your comments are in line, if you could correct, I'd appreciate that. On 20 September 2016 at 17:11, Lukas Slebodnik wrote: > >-- > >[domain/unixdev.etc] > >ignore_group_members = True > It was probably set as a result of performance

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 09:41, Deepak Dimri wrote: > Hi All, > > I am trying to install freeipa client on my ubuntu client via ansible > script. I have "apt-get update" and "apt-get install freeipa-client -y" > these basic commands added in my playbook but the problem is when I run > "apt-get install

[Freeipa-users] SSH public user's key stored in AD POSIX attribute

2016-09-21 Thread Jan Karásek
Hi, I have a question about the IPA-AD trust scenario where POSIX attributes are stored in AD. I would like to know if it's possible to store public SSH user key in Active Directory in some user's object attribute - the same way as uidNumber or loginShell. I can't find any suitable attribute

Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-21 Thread Florence Blanc-Renaud
On 09/20/2016 02:15 PM, Günther J. Niederwimmer wrote: Hello. Thanks for the first help, On Monday, 19 September 2016, 12:02:19, Florence Blanc-Renaud wrote: On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote: Hello, Freeipa 4.3.1 I have now installed a 3rd Party Certificate from Startcom

[Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Hi All, I am trying to install freeipa client on my ubuntu client via ansible script. I have "apt-get update" and "apt-get install freeipa-client -y" these basic commands added in my playbook but the problem is when I run "apt-get install freeipa-client" with or without -y option it opens up

[Freeipa-users] down master still in ldap, prevents re-enrolement

2016-09-21 Thread pgb205
topology prior to deletion master1<->master2 master2 deleted with ipa-server --uninstall command During re-installation I get error that the replication agreement still exists on master1. I do see this using ipa-replica-manage list. Tried deleting replication agreement with ipa-replica-manage