Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy
On Wed, 19 Oct 2016, Chris Dagdigian wrote: Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Baird, Josh
Hi, If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users. There are examples of this in the IdM documentation, but the gist is: * Create an 'external' group in IPA (eg, ipa-group-add

[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian
Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers. Sanitized view of our AWS footprint:

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian
Perfect thank you. I tend to get too wordy in my emails. You've described exactly what I'm going for. Follow up question - Will a similar approach work for users (not groups) as well if there is a small collection of AD-defined people I want to hold and distribute SSH public keys for?

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy
On Wed, 19 Oct 2016, Baird, Josh wrote: Hi, If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users. There are examples of this in the IdM documentation, but the gist is: * Create an 'external'

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Martin Babinsky
On 10/18/2016 11:22 PM, Bertrand Rétif wrote: Hello, I had an issue with pki-tomcat. I had several certificates that were expired and pki-tomcat did not start anymore. I set the date on the server before certificate expiration and then pki-tomcat starts properly. Then I try to resubmit the

Re: [Freeipa-users] DNS question on named.ca

2016-10-19 Thread Petr Spacek
On 19.10.2016 00:55, Sean Hogan wrote: > > Hi all, > > I have a DNS question on how/why my IPA DNS servers are trying to hit > the root DNS internet servers. My IPA servers are in private networks only > serving DNS for the private domains they manage but recently the network > team >

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Some more info. This is happening on one of the hosts for which replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again and this time installation went through fine. Should this cause logs like this? These

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 09:39 AM, Prashant Bapat wrote: Some more info. This is happening on one of the hosts for which replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again and this time installation went

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Sumit Bose
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote: > Hi, > > thank you for help. > > This is my sssd.conf from server : > > [domain/vs.example.cz] > debug_level = 7 > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = vs.example.cz > id_provider =

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Thanks. This error did not include ipaca, which is discussed a lot on this list. So I was not sure. There was indeed a dangling reference to an old replica. Removed now. ipa-replica-manage clean-ruv did the trick. On 19 October 2016 at 14:14, Petr Spacek wrote: > On

[Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. I have some questions: 1. Does DNS replicate among other replicas if we change/add DNS records? If not can this behaviour be changed? 2. How do we promote a replica to become a master? We have not configured our servers to become

[Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

2016-10-19 Thread David Dejaeghere
Hello, When installing FreeIPA we used the CA from our Windows servers. This one recently expired and we created a new one. It seems that the new root CA has another subject name and this seems to be an issue when we want to install new certs on our FreeIPA hosts. ipa-cacert-manage install

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
> From: "Martin Babinsky" > To: freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 08:45:49 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > > Hello, > > > > I had an issue with pki-tomcat.

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Martin Babinsky
On 10/19/2016 11:35 AM, James Harrison wrote: Hi James, Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. I have some questions: 1. Does DNS replicate among other replicas if we change/add DNS records? If not can this behaviour be changed? IPA-integrated DNS stores records in

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Hi, thank you for help. This is my sssd.conf from server: [domain/vs.example.cz] debug_level = 7 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = vs.example.cz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname =

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Petr Spacek
On 19.10.2016 10:14, Ludwig Krispenz wrote: > > On 10/19/2016 09:39 AM, Prashant Bapat wrote: >> Some more info. >> >> This is happening on one of the hosts for which replica-info file was >> generated but for some reason the replica installation failed. So I went >> ahead and deleted and created

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi, Martin thanks for your quick response. Based on your comments. I have further questions. >> equal peers and can be considered masters 1. Is there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas" to this new "master"? >>

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
First of all, thanks for the quick response Florence! I have a question about your suggested steps [1] and [2]: For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert (root cert + intermediate cert)? For [2], "ipa-server-certinstall -d

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-19 Thread Robert Sturrock
Hello, We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains: EXAMPLE.AU (staff users) STUDENT.EXAMPLE.AU (student users) The IPA domain that trusts these is called: IPA.EXAMPLE.AU The basic

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Rob Crittenden
James Harrison wrote: Hi, Martin thanks for your quick response. Based on your comments. I have further questions. >> equal peers and can be considered masters 1. Is there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas"

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: > > We had one of our replicas fail today with the following errors: > > > > > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" > > (srv-m14-32:389) -

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite ok with that. Jan -- Message: 1 Date: Wed, 19 Oct 2016 12:28:31 +0200 From: Sumit Bose To: freeipa-users@redhat.com

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
- Original Message - > From: "Rob Crittenden" > To: "Bertrand Rétif" , freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 15:30:14 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > Bertrand Rétif wrote: > >> From:

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud
On 10/19/2016 05:23 PM, beeth beeth wrote: I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400]

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors:

[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html). Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the solution at https://access.redhat.com/

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 07:05:14PM +0200, thierry bordaz wrote: > > > On 10/19/2016 06:54 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: > > > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200,

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:59:57PM +0200, thierry bordaz wrote: > > > On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: > > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: >

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400]

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 06:54 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: > > > > We had one of our replicas fail today with the

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
From: "Bertrand Rétif" > To: freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 15:42:07 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > - Original Message - > > From: "Rob Crittenden" > > > To: "Bertrand

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Rob Crittenden
Bertrand Rétif wrote: From: "Martin Babinsky" To: freeipa-users@redhat.com Sent: Wednesday 19 October 2016 08:45:49 Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue On 10/18/2016 11:22 PM, Bertrand Rétif wrote: Hello, I had an issue with