Re: [Freeipa-users] 3 way IPA setup

2016-10-31 Thread Rob Crittenden
Steven Jones wrote: > Hi, > > I have a 3 way IPA 4.2 setup running on Centos7.2 > > > So ipa2 and ipa3 are replicas from ipa1. > > > Is a replication agreement setup between 2 and 3 automatically by > default? (I suspect not) how do I see this is or is not the case? > > > This is what I

[Freeipa-users] SSH as Root on CentOS 7 fails

2016-10-31 Thread Geordie Grindle
Hello, I’m unable to ssh as ‘root’ onto any of my new CentOS 7 hosts. I’ve always been able to do so on CentOS6.x We normally have the file ‘/root/.k5login’ listing the designated system admins’ principals. Once on a CentOS 7, an admin can ‘ksu’ and become root as we expected. We are using

[Freeipa-users] 3 way IPA setup

2016-10-31 Thread Steven Jones
Hi, I have a 3 way IPA 4.2 setup running on Centos7.2 So ipa2 and ipa3 are replicas from ipa1. Is a replication agreement setup between 2 and 3 automatically by default? (I suspect not) how do I see this is or is not the case? This is what I have so far, == [root@glusterp2 ~]#

Re: [Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Troels Hansen
- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote: > You make it sound as if it is a done deal. It is not, there is a number > of changes that yet not figured out how to do in an efficient way. > > It is in our pipeline for 4.5. It is understandable that people ask

[Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Troels Hansen
Hi there After trying to add external usergroups from AD to allow (admin) users to log in to IPA webUI, by tdding the groups to toe local admin group and discovering that it didn't work, I found that as far as I can see, its currently not possibly, and fount this rather old ticket on the

Re: [Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Alexander Bokovoy
On ma, 31 loka 2016, Troels Hansen wrote: - On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote: You make it sound as if it is a done deal. It is not, there is a number of changes that yet not figured out how to do in an efficient way. It is in our pipeline for 4.5.

[Freeipa-users] freeipa 4.2.0 ipa-cacert-manage not generating CSR with CA:True for chaining

2016-10-31 Thread Frank Li
we currently have a IPA 4.2 servers working with a self-signed CA certificate with the REALM of xyz.local I’m trying chain our xyz.local CA cert with IT’s abc.local CA cert so that users on corp laptop(with the abc.local cert already in CA chain) would trust the xyz.local CA cert and not get

Re: [Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Alexander Bokovoy
On ma, 31 loka 2016, Troels Hansen wrote: Hi there After trying to add external usergroups from AD to allow (admin) users to log in to IPA webUI, by tdding the groups to toe local admin group and discovering that it didn't work, I found that as far as I can see, its currently not possibly, and

[Freeipa-users] How to fix a broken PKI state?

2016-10-31 Thread Vladyslav Frolov
Hello dear FreeIPA people, After weeks of unsuccessful attempts, I seems to run out of sane ideas of how to proceed. I have been using FreeIPA in Docker container https://github.com/ adelton/docker-freeipa for over half a year now, and everything was fine up until this August when after a

[Freeipa-users] freeipa 4.2.0 ipa-cacert-manage not generating CSR with CA:True for chaining

2016-10-31 Thread Frank Li
we currently have a IPA 4.2 servers working with a self-signed CA certificate with the REALM of xyz.local I’m trying chain our xyz.local CA cert with IT’s abc.local CA cert so that users on corp laptop(with the abc.local cert already in CA chain) would trust the xyz.local CA cert and not get

Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-31 Thread Pavel Vomacka
Hello Sebastien, I tried your plugin and it works correctly. Default value is Preserve with your plugin. Did you copy your plugin into /var/share/ipa/ui/js/plugins/plugin_name/plugin_name.js ? That should be enough. On 10/28/2016 12:14 AM, Sebastien Julliot wrote: Hello guys, Thank you