[Freeipa-users] Change of list behavior

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Dear freeipa-users, due to persisting spam and other issues with DMARC protection, I changed the list behavior to anonymize the user's address. We'll experiment with this mode for a little while and see if it works for the group. If you have major issues with this mode please write to the list owne

Re: [Freeipa-users] Importing Host Entries from /etc/hosts using sample nis-hosts.sh: Zone name error

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On 05.12.2016 17:42, Robert Kudyba wrote: ./nis-hosts.sh nisnamesubdomain.ourdomain.edu

Re: [Freeipa-users] New IPA Servers

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On 02.12.2016 17:11, Outback Dingo wrote: Ok so trying to setup a replica to deploy 2 new freeipa servers on AWS... migrating from old servers going away, It was suggested to create a replica then promote it. this issue is the public ip for the new server is not the same as the servers IP o

[Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
VERSION: 4.4.0, API_VERSION: 2.213 on rhel7. ipa server was recently upgraded to version 4.4 from version 4.2 and it seems that we are having problems with users created after the upgrade. Of course, it could be something I forgot. Our environment consist of an hds nfs server, a couple of ipa

[Freeipa-users] Problem with autofs

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Hello, I have set up an IPA environment using Fedora 24 for the clients and Scientific Linux 7.2 for the servers. All clients are mounting NFS4 shares on a central server. The setup is based on the Red Hat Documentation (Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_

[Freeipa-users] IPA versions for small scale hope-to-be-production use on CentOS 7?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Still trying to figure out why my AD users in various trusted forests can be resolved and "su - " but password checks via SSH logins fail. In the mean time I'm wondering if I should consider upgrading before I go much further into the troubleshooting tunnel. It really does seem like there h

Re: [Freeipa-users] IPA versions for small scale hope-to-be-production use on CentOS 7?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On Tue, Dec 06, 2016 at 10:55:12AM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > Still trying to figure out why my AD users in various trusted forests can be > resolved and "su - " but password checks via SSH logins fail. Do you call '

[Freeipa-users] ns-slapd often hangs on CentOS 7

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Hello all, we recently updated our two freeipa clusters to CentOS 7 and both of them now suffer from frequent ns-slapd hangs. We use stock CentOS 7.2 packages with one exception - 389-ds-base-1.3.5.10-11 which comes from RHEL 7.3 together with backported fix https://fedorahosted.org/389/changeset/e2

Re: [Freeipa-users] IPA versions for small scale hope-to-be-production use on CentOS 7?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
It's certainly some sort of TGT ticket issue; I just need to find the proper bits of log to sanitize and post back to this list. I'll do that under another thread though to keep this one clean. Trying to figure out if upgrading to 4.3 or even 4.4 would be "wise" on a CentOS-7 system we hope t

Re: [Freeipa-users] IPA versions for small scale hope-to-be-production use on CentOS 7?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On Tue, Dec 06, 2016 at 11:45:18AM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > It's certainly some sort of TGT ticket issue; I just need to find the proper > bits of log to sanitize and post back to this list. I'll do that under > ano

[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
This is a new thread related to one I started today about upgrading FreeIPA software before continuing troubleshooting work ... New post here so I don't pollute the other thread. Looking for additional eyeballs or tips on this ongoing problem. The short summary is we can't check p

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On Tue, Dec 06, 2016 at 12:45:18PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > This is a new thread related to one I started today about upgrading FreeIPA > software before continuing troubleshooting work ... > > New post here so

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Appreciate the assistance! Is there a better debug level balance than 10 for this sort of situation? The domain logs were several hundred MBs by the time I started looking for useful info. If there is a different level I can use that would be better at producing actionable error/log messages I'll

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On ti, 06 joulu 2016, TomK wrote: On 12/5/2016 2:02 AM, Alexander Bokovoy wrote: On su, 04 joulu 2016, TomK wrote: Could not get much from logs and decided to start fresh. When I run this: ipa trust-add --type=ad mds.xyz --admin Administrator --password Trust works fine and id t...@mds.xyz r

[Freeipa-users] lowest-privilege method of checking for out of sync FreeIPA masters?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Hello, There's a method to check the replication status of FreeIPA masters by looking at objectClass=nsDS5ReplicationAgreement in the "cn=mapping tree,cn=config" part of LDAP. Unfortunately that requires Directory Admin level privileges. Is there a method to check those replication agreement det

[Freeipa-users] Made a bit of install progress, next error

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Volunteers, I moved over to a Fedora VM which was way more difficult than it should be. All kinds of problems with Guest Additions and I ended up having to run server mode with no GUI. Now I run an Ubuntu VM from which I ssh into my Fedora VM. Anyway... The install made it a further step than

Re: [Freeipa-users] lowest-privilege method of checking for out of sync FreeIPA masters?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > Hello, > > There's a method to check the replication status of FreeIPA masters by > looking at objectClass=nsDS5ReplicationAgreement in the "cn=mapping > tree,cn=config" part of LDAP. > > Unfortunate

[Freeipa-users] can manage user access from Serial Console & only use local users in case cannot reach IPA server ?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Hi, I'm just testing IPA on CentOS 6, login via ssh is working fine. I would like to try two steps but did not find any documents- 1). can we manage user that access from serial interface. 2). in case IPA was failed, can we configure it to use local user Best Regards, sjw -- Manage

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On 12/6/2016 3:37 PM, Alexander Bokovoy wrote: On ti, 06 joulu 2016, TomK wrote: On 12/5/2016 2:02 AM, Alexander Bokovoy wrote: On su, 04 joulu 2016, TomK wrote: Could not get much from logs and decided to start fresh. When I run this: ipa trust-add --type=ad mds.xyz --admin Administrator --

Re: [Freeipa-users] can manage user access from Serial Console & only use local users in case cannot reach IPA server ?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On Wed, Dec 07, 2016 at 09:57:22AM +0700, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > Hi, > I'm just testing IPA on CentOS 6, login via ssh is working fine. > > I would like to try two steps but did not find any documents- > 1). can

[Freeipa-users] What should the --hostname option do?

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Hello, the --hostname option to the installer currently modifies the hostname of the machine. In some environments, namely in unprivileged containers, that operation is not denied. In some cases, it is possible to change the FQDN of the container from outside, for example with docker run's -h opt