Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread John Popowitch
Thanks so much for your help, Martin, and Alexander for keeping me honest. I think I have enough to start working on resolving the replication conflicts. I'm sure I'll have more questions, but this is definitely the right place to get them answered. -Original Message- From: Martin Basti

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread Martin Basti
On 13.10.2016 15:50, John Popowitch wrote: Yeah, so very lucky. I have no idea how this happened. As I said before I inherited these servers so I don't really know what was done to get them to this state. I'm guessing most if not all of the conflicts are naming conflicts for standard entries

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-13 Thread Rob Crittenden
Ernedin Zajko wrote: Hi Anton, maybe you can "talk" directly to ds: http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html regards, That won't work. IPA re-implements password policy because it is baked into 389-ds and not pluggable or extensible. There are some open tickets

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread Martin Basti
On 13.10.2016 15:54, John Popowitch wrote: Also, it seems like most of these conflicts are nearly identical. Which leads me to believe I should delete the duplicates. The URL you shared seems to talk about renaming and keeping the conflicting records. Should I rename them or remove them?

[Freeipa-users] diskless workstations in an IPA domain

2016-10-13 Thread Jacquelin Charbonnel
Hi everybody, What is the best practice to enroll diskless Fedora24 workstations (under stateless Linux) into an IPA domain? Each diskless workstation mounts its filesystem in RO mode from a single NFS share, with some specific directories (like /var/lib/sss) mapped RW in RAM. Thank you

[Freeipa-users] Naming conventions/practices for HBAC/sudo/etc

2016-10-13 Thread Baird, Josh
Hi all, I realize that this will vary from instance to instance, but I'm curious on how others are handling naming conventions for things like HBAC rules, sudo rules, etc. Here is how I am handling things today: * External groups have an 'external' prefix (eg, external_groupname) * Hostgroups

[Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-13 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA 4.4.2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository. This announcement is also

Re: [Freeipa-users] diskless workstations in an IPA domain

2016-10-13 Thread Jakub Hrozek
On Thu, Oct 13, 2016 at 05:45:32PM +0200, Jacquelin Charbonnel wrote: > Hi everybody, > > What is the best practice to enroll diskless Fedora24 workstations > (under > stateless Linux) into an IPA domain? > Each diskless workstation mounts its filesystem in RO mode from a single >

Re: [Freeipa-users] diskless workstations in an IPA domain

2016-10-13 Thread Jacquelin Charbonnel
Thank you for this information. Yes, /tmp is writable. My problem is: access is sometimes definitively refused for a random user who wants to log in to diskless workstations. But if this banned user tries to connect to the single machine which mounts the fs in rw mode, it works, and

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread John Popowitch
Ok, so I'm looking at fixing the conflicts for ' System: Modify Certificate Profile'. I ran this on each server: ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict And now to make things interesting, this query has different results on each

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread Martin Basti
On 13.10.2016 22:23, John Popowitch wrote: Ok, so I'm looking at fixing the conflicts for ' System: Modify Certificate Profile'. I ran this on each server: ldapsearch -Y GSSAPI -b 'dc=aws,dc=cappex,dc=com' "cn=*Modify Certificate Profile*" \* nsds5ReplConflict And now to make things

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-13 Thread Petr Spacek
On 13.10.2016 01:42, Brendan Kearney wrote: > On 10/12/2016 02:35 AM, Petr Spacek wrote: >> Hello, >> >> these are debug messages and are harmless. Apparently you have verbose/debug >> messages enabled in named.conf: >> >> arg "verbose_checks yes"; >> >> If you want to get rid of

Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-13 Thread Deepak Dimri
Hi Alexander, I have tried it on ubuntu 16.04 as well but no luck either. Getting the same error: sudo apt-get install freeipa-server Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate package freeipa-server any other ideas? I

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread Martin Basti
Oh you are lucky to have ~150 replication conflicts :) How did you get those? Did you run upgrade in parallel or did you have some network issues? You have to manually fix all replication conflicts and then re-run ipa-server-upgrade. Please follow the guide I posted previously, sorry :(

Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-13 Thread Alexander Bokovoy
On Thu, 13 Oct 2016, Deepak Dimri wrote: Hi Alexander, I have tried it on ubuntu 16.04 as well but no luck either. Getting the same error: sudo apt-get install freeipa-server Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread John Popowitch
Yeah, so very lucky. I have no idea how this happened. As I said before I inherited these servers so I don't really know what was done to get them to this state. I'm guessing most if not all of the conflicts are naming conflicts for standard entries which were set up on all three servers. Please

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-13 Thread John Popowitch
Also, it seems like most of these conflicts are nearly identical. Which leads me to believe I should delete the duplicates. The URL you shared seems to talk about renaming and keeping the conflicting records. Should I rename them or remove them? -Original Message- From: John Popowitch