[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm trying to figure out if a company like us, lautus.net should use a DNS subdomain like ipa.lautus.net for the IPA domain, or not. On the one hand 2.3.1 of the Linux Domain Ide

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread freeIPA users list
On ke, 07 joulu 2016, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm trying to figure out if a company like us, lautus.net

[Freeipa-users] Reverting anonymous posting

2016-12-07 Thread Simo Sorce
Enough people complained they cannot cope with the change I made recently. So I am reverting this change and will try to find a better solution for the spam issue the list users are subject to. Thanks for your understanding, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscri

Re: [Freeipa-users] What should the --hostname option do?

2016-12-07 Thread Martin Basti
On 07.12.2016 08:48, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: Hello, the --hostname option to the installer currently modifies the hostname of the machine. In some environments, namely in unprivileged containers, that operation is not den

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Sumit Bose
On Tue, Dec 06, 2016 at 03:17:33PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > Appreciate the assistance! > > Is there a better debug level balance than 10 for this sort of situation? > The domain logs were several hundred MBs by the

[Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
I have a strange issue in IPA 4.4.0-12 (RHEL 7.3) Navigating to Identity -> Services reveals 5 services. 2 cifs, 2 dogtag and one empty line... cifs/host1.domain@REALM cifs/host2.domain@REALM dogtag/ipa01.domain@REALM dogtag/ipa02.domain@REALM However, from CLI everything looks

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Fujisan
I have the same issue with version 4.4.2 $ rpm -qa|grep freeipa freeipa-server-4.4.2-1.fc25.x86_64 freeipa-python-compat-4.4.2-1.fc25.noarch freeipa-server-common-4.4.2-1.fc25.noarch freeipa-common-4.4.2-1.fc25.noarch freeipa-server-trust-ad-4.4.2-1.fc25.x86_64 freeipa-client-4.4.2-1.fc25.x86_64 f

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Fujisan
And with Firefox 50.0.2. F. On Wed, Dec 7, 2016 at 11:46 AM, Fujisan wrote: > I have the same issue with version 4.4.2 > > $ rpm -qa|grep freeipa > freeipa-server-4.4.2-1.fc25.x86_64 > freeipa-python-compat-4.4.2-1.fc25.noarch > freeipa-server-common-4.4.2-1.fc25.noarch > freeipa-common-4.4.2-1

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Pavel Vomacka
Hello, it is caused by missing canonical name on services which were created in older versions of FreeIPA. Fixed ticket here: https://fedorahosted.org/freeipa/ticket/6397 . On 12/07/2016 11:48 AM, Fujisan wrote: And with Firefox 50.0.2. F. On Wed, Dec 7, 2016 at 11:46 AM, Fujisan

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
Looks great.. Pavel, as a RedHat internal, should I create a ticket to have this fixed in the RedHat version, or does it already have an internal Red Hat bugzilla case? - On Dec 7, 2016, at 11:58 AM, Pavel Vomacka wrote: > Hello, > it is caused by missing canonical name on services w

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
Sorry. Didn't see this. https://bugzilla.redhat.com/show_bug.cgi?id=1387782 - On Dec 7, 2016, at 12:43 PM, Troels Hansen wrote: > Looks great.. Pavel, as a RedHat internal, should I create a ticket to > have > this fixed in the RedHat version, or does it already have a internal

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Pavel Vomacka
I'm glad that you found it, and I'm sorry, I should have attached the BZ in the first mail. On 12/07/2016 01:26 PM, Troels Hansen wrote: Sorry. Didn't see this. https://bugzilla.redhat.com/show_bug.cgi?id=1387782 - On Dec 7, 2016, at 12:43 PM, Troels Hansen wrote: Looks great

Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-07 Thread Neal Harrington | i-Neda Ltd
> From: Rob Crittenden > Martin Babinsky wrote: > > On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote: > >> Hi IPA Gurus, > >> > >> > >> I had a 3 site multi master IPA replication setup (1 office and 2 > >> datacentres) with 2 IPA servers at each site. Each server was > >> replicating su

Re: [Freeipa-users] Mapping users from AD to IPA KDC

2016-12-07 Thread TomK
On 12/6/2016 11:32 PM, TomK wrote: On 12/6/2016 3:37 PM, Alexander Bokovoy wrote: On ti, 06 joulu 2016, TomK wrote: On 12/5/2016 2:02 AM, Alexander Bokovoy wrote: On su, 04 joulu 2016, TomK wrote: Could not get much from logs and decided to start fresh. When I run this: ipa trust-add --type

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Pieter Nagel
Thanks, that helps a lot. Yes and no. What you see with "@ NS ..." is a glue record -- you are > supposed to have a glue record for IPA domain in the upstream domain, > this is how domain delegation works in DNS world. Except what I saw was the other way around. The FreeIPA server has an NSrecor

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Sumit, Thank you so much for your assistance and eyeballs on the massive logset. I've repeatedly found the level of support on this list to be fantastic. Some day I'll have enough hands-on experience to repay in kind ... We do actually use a different domain for the clients: Our clients ar

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Brian Candler
On 07/12/2016 08:58, freeIPA users list wrote: On ke, 07 joulu 2016, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm trying

Re: [Freeipa-users] What should the --hostname option do?

2016-12-07 Thread Rob Crittenden
Martin Basti wrote: > > > On 07.12.2016 08:48, List dedicated to discussions about use, > configuration and deployment of the IPA server. wrote: >> Hello, >> >> the --hostname option to the installer currently modifies the hostname >> of the machine. In some environments, namely in unprivileged >

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Confirmed that adding the following to /etc/sssd/ssd.conf on the SERVER fixed SSH password checks on the server itself! ldap_user_principal = nosuchattr subdomain_inherit = ldap_user_principal The core problem does appear to be the "... UPN is quite different" error when we try to login as u

Re: [Freeipa-users] What should the --hostname option do?

2016-12-07 Thread Martin Basti
On 07.12.2016 15:21, Rob Crittenden wrote: Martin Basti wrote: On 07.12.2016 08:48, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: Hello, the --hostname option to the installer currently modifies the hostname of the machine. In some environme

Re: [Freeipa-users] What should the --hostname option do?

2016-12-07 Thread Rob Crittenden
Martin Basti wrote: > > > On 07.12.2016 15:21, Rob Crittenden wrote: >> Martin Basti wrote: >>> >>> On 07.12.2016 08:48, List dedicated to discussions about use, >>> configuration and deployment of the IPA server. wrote: Hello, the --hostname option to the installer currently modif

[Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

2016-12-07 Thread Joseph Flynn
Sorry, I wasn't clear in my earlier subject line. This is related to the Lets Encrypt installation. I tried to pull some more relevant items from the log below. I don't actually see all of the elements of my FQDN (ipa-a.kkgpitt.org) only references to the host (ipa-a) in the log, but am not sure

Re: [Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

2016-12-07 Thread Martin Basti
What does `hostname` command return? On 07.12.2016 16:37, Joseph Flynn wrote: Sorry, I wasn't clear in my earlier subject line. This is related to the Lets Encrypt installation. I tried to pull some more relevant items from the log below. I don't actually see all of the elements of my FQDN

Re: [Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

2016-12-07 Thread Joseph Flynn
Damn, I thought I already fixed that but didn't. Hold while I rerun... I bet that was it. On Wed, Dec 7, 2016 at 10:50 AM, Martin Basti wrote: > What does `hostname` command return? > > On 07.12.2016 16:37, Joseph Flynn wrote: > > Sorry, I wasn't clear in my earlier subject line. This is rel

Re: [Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

2016-12-07 Thread Martin Basti
Please make sure you use `hostnamectl set-hostname FQDN` to set all hostnames on system (static, tentative, current) Martin On 07.12.2016 16:52, Joseph Flynn wrote: Damn, I thought I already fixed that but didn't. Hold while I rerun... I bet that was it. On Wed, Dec 7, 2016 at 10:50 AM

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Petr Spacek
On 7.12.2016 14:57, Brian Candler wrote: > On 07/12/2016 08:58, freeIPA users list wrote: >> On ke, 07 joulu 2016, List dedicated to discussions about use, configuration >> and deployment of the IPA server. wrote: >>> I know the Quick Start Guide and Deployment Recommendations cover this in >>> dep

Re: [Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

2016-12-07 Thread Joseph Flynn
Man, I feel silly. I thought I had that set earlier by using the network setup during the install. Maybe different distributions handle that differently. I have it corrected via your suggestion Martin Thank you!! To the next stage... Seems like partial success. Is there another step needed to

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Our problem is largely solved but we are using some "do not use in production!" settings so I wanted to both recap our solution and ask some follow up questions. Our setup: - - FreeIPA 4.2 running on CentOS-7 in AWS VPC - Edge-case split DNS setup. Our cloud clients are "company

[Freeipa-users] Certificates missing (was: Re: Services missing in web-ui)

2016-12-07 Thread Jochen Hein
I'm unsure if it is related to ticket 6397... Pavel Vomacka writes: > it is caused by missing canonical name on services which were created > in older versions of FreeIPA. Fixed ticket here: > https://fedorahosted.org/freeipa/ticket/6397 . Symptom: In the web UI on 4.3 on Fedora 24 I have 43 c

Re: [Freeipa-users] Certificates missing

2016-12-07 Thread Jochen Hein
Jochen Hein writes: > I'm unsure if it is related to ticket 6397... It seems it was. CentOS 7.3/CR had new packages today and both problems are fixed for me. Thanks! Jochen -- The only problem with troubleshooting is that the trouble shoots back. -- Manage your subscription for the Freeipa-

[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread James Harrison
Hi all, I am trying to authenticate an Ubuntu Precise (12.06) fully patched system. It's enrolled into a FreeIPA server. The following trace is the output of syslog auth sssd/*.log and full debug (-ddd) from the sshd service. I am getting a PAM error at the end of the procedure. Also I can't seem

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread Jakub Hrozek
On Wed, Dec 07, 2016 at 06:19:06PM +, James Harrison wrote: > Hi all, > > I am trying to authenticate an ubuntu Precise (12.06) fully patched system. > Its enrolled into a FreeIPA server. The following trace is the output of > syslog auth sssd/*.log and full debug (-ddd) from the sshd servic