Re: [Freeipa-users] FreeIPA Help

2017-02-22 Thread Florence Blanc-Renaud
On 02/22/2017 04:41 AM, Daniel Schimpfoessl wrote: Is there a way for me to export my data (users, groups, ...), rebuild the server and import the data again? Daniel Hi Daniel, please keep the mailing list in CC as the content may also benefit other users with similar issues. Does anyone

[Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Ente Trompete
Hi, I currently have one IdM server running (package version 4.4.0-14) on CentOS 7.3 (x86_64). The first thing I must ask is: which FreeIPA version is the basis of this version, because on https://www.freeipa.org/page/Main_Page under News only v4.4.1 – v4.4.3 are listed. The next question which

Re: [Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Ente Trompete wrote: Hi, I currently have one IdM server running (package version 4.4.0-14) on CentOS 7.3 (x86_64). The first thing I must ask is: which FreeIPA version is the basis of this version, because on https://www.freeipa.org/page/Main_Page under News only v4.4.1 –

Re: [Freeipa-users] How to check if ldap was updated?

2017-02-22 Thread Martin Basti
On 22.02.2017 13:13, Sandor Juhasz wrote: Hi, I would like to know if there is any endpoint, command, plugin, API or other way to check if LDAP was modified. I would like to trigger jobs if user/group attributes are updated, and polling LDAP continuously is not the best way, I guess.

[Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread wouter.hummelink
Hello all, I'm trying to get IPA auth on Katello to work properly, however the infopipe is unable to access the right information without additional configuration. With these changes I got the infopipe to work, but then user logins started to fail due to invalid user errors. I've added the

[Freeipa-users] How to check if ldap was updated?

2017-02-22 Thread Sandor Juhasz
Hi, I would like to know if there is any endpoint, command, plugin, API or other way to check if LDAP was modified. I would like to trigger jobs if user/group attributes are updated, and polling LDAP continuously is not the best way, I guess. Sándor Juhász System Administrator ChemAxon Ltd

Re: [Freeipa-users] Katello IPA auth and Cross realm trust.

2017-02-22 Thread Sumit Bose
On Wed, Feb 22, 2017 at 12:03:58PM +, wouter.hummel...@kpn.com wrote: > Hello all, > > I'm trying to get IPA auth on Katello to work properly, however the infopipe > is unable to access the right information without additional configuration. > With these changes I got the infopipe to work,

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Brendan Kearney
On 02/22/2017 05:23 AM, Kees Bakker wrote: On 21-02-17 19:49, Brendan Kearney wrote: On 02/21/2017 10:57 AM, Kees Bakker wrote: Hey, Maybe one of the NFS users on this list could give me a hint what could be wrong. I'm not sure if it has any relation with FreeIPA/Kerberos. I've set up an NFS

Re: [Freeipa-users] Client for CoreOS

2017-02-22 Thread Igor Leão
Thanks, Lukas. Hope it works. 2017-02-20 13:22 GMT-03:00 Lukas Slebodnik : > On (20/02/17 12:44), Igor Leão wrote: > >Is it possible to run a FreeIPA client on CoreOS? > >The OS is missing some libraries and I didn't succeed in installing them. > > > >Has anyone faced this

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks Alex, Does it also mean that I'll have to install the FreeIPA server with --enable-compat? I didn't do that. Regards, Hanoz Hanoz Elavia | IT Manager | O: 604-734-2866 | www.atomiccartoons.com | 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6 On

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Brendan Kearney
On 02/22/2017 10:26 AM, Kees Bakker wrote: On 22-02-17 14:05, Brendan Kearney wrote: On 02/22/2017 05:23 AM, Kees Bakker wrote: On 21-02-17 19:49, Brendan Kearney wrote: On 02/21/2017 10:57 AM, Kees Bakker wrote: Hey, Maybe one of the NFS users on this list could give me a hint what could

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Hanoz Elavia wrote: Thanks Alex, Does it also mean that I'll have to install the FreeIPA server with --enable-compat? I didn't do that. check ipa-compat-manage tool. Regards, Hanoz Hanoz Elavia | IT Manager | O: 604-734-2866 | www.atomiccartoons.com

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Hanoz Elavia wrote: Hey Alex, Thanks for the link, isn't RFC 2307 implemented as Services for Unix in Windows 2008 R2? Apologies for not mentioning this earlier but I haven't enabled that mainly because SSSD now maps the IDs. Also, in the newer version of the Windows

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-22 Thread Kees Bakker
On 22-02-17 14:05, Brendan Kearney wrote: > On 02/22/2017 05:23 AM, Kees Bakker wrote: >> On 21-02-17 19:49, Brendan Kearney wrote: >>> On 02/21/2017 10:57 AM, Kees Bakker wrote: Hey, Maybe one of the NFS users on this list could give me a hint what could be wrong. I'm not sure

Re: [Freeipa-users] Debian client installation

2017-02-22 Thread Per Qvindesland
Hi Thanks for the answer. Is there any workaround for this that anyone can suggest? Regards Per Sent from my Commodore 64 > On 18 Feb 2017, at 05:34, Timo Aaltonen wrote: > >> On 17.02.2017 17:37, Per Qvindesland wrote: >> Hi All >> >> I have installed free ipa

Re: [Freeipa-users] Debian client installation

2017-02-22 Thread Lukas Slebodnik
On (22/02/17 17:35), Per Qvindesland wrote: >Hi > >Thanks for the answer. > >Is there any workaround for this that anyone can suggest? > There are two versions of sudo packages in Debian, sudo and sudo-ldap. IIRC the 1st one is compiled with sssd support and the 2nd one just with ldap support. Which

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alexander, So based on the RFC 2307 documentation, I built a test server and ran the following command: ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' -s sub 'uid= ad_u...@server.com' It worked

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote: > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder > wrote: > > Iulian Roman wrote: > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden > >

Re: [Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-22 Thread Lukas Slebodnik
On (22/02/17 12:59), Alexander Bokovoy wrote: >On ke, 22 helmi 2017, Ente Trompete wrote: >> The next question which I have is: can I install a Fedora 25 and use >> the included FreeIPA v4.4.1-3 to create a replica of the existing >> 4.4.0-14? My problem is that I will use an ARM32 computer as

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, I realized I had made one more change. I setup the FreeIPA server again and this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install command. Yes, I cannot use GSSAPI as well. I use simple bind to run a LDAP query. On IPA clients I don't need to authenticate as IPA

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, I am not sure about that. I just rebuilt my IPA server since its only purpose is to authenticate users with the AD. As for the clients, I removed them from the FreeIPA server using ipa-client-install --uninstall and rebooted. Once they rebooted my saltstack state added them back to

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> For example, for user that would be (&(objectClass=posixAccount)(uid=%s)) > where %s is ad_u...@server.com according to your example. > > This is what would be intercepted and queried through SSSD. > > For example: > > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool >

[Freeipa-users] authenticating with dns

2017-02-22 Thread Aaron Young
Hello Everyone I recently lost the master master IPA server setup by the previous administrator. As it stands now, if I try to add a new client, in order to standup a new replica, I get errors while trying to setup DNS. This led me to look at how authentication worked (I'm new to IPA) and I

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason, Also, my bind DN is a native FreeIPA user and doesn't exist on the Active Directory. Regards, Hanoz Hanoz Elavia | IT Manager | O: 604-734-2866 | www.atomiccartoons.com | 112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6 On Wed, Feb 22, 2017 at

Re: [Freeipa-users] lost master master and soa

2017-02-22 Thread Aaron Young
sorry for the late response, yes, this was helpful I ended up realizing that each IPA server is a kind of SOA and that I needed to get rid of the old master and much of it resolved itself...until the next problem surfaced that is keeping me from creating a new master (at least, with my limited

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> I realized I had made one more change. I setup the FreeIPA server again and > this > time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install > command. Is it safe to re-run ipa-adtrust-install? I have existing trusts in place. Thanks, j

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Iulian Roman
On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote: > Iulian Roman wrote: > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden > > wrote: > > > > Iulian Roman wrote: > > > Hello, > > > > > > Does anybody

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-22 Thread Rob Crittenden
Peter Fern wrote: > Okay, with much debugging and hoop-jumping, I can say that certmonger on > Debian/Ubuntu is currently in a rather broken state, at least in a > server role. > > It links against libcurl3-nss, however on Debian/-derivs there is no > build of nss-pem, so anything built against

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Hanoz Elavia wrote: Hey Alexander, So based on the RFC 2307 documentation, I built a test server and ran the following command: ldapsearch -x -W -H 'ldap://ipa.server.com' -b 'cn=compat,dc=ipa,dc=server,dc=com' -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com'

[Freeipa-users] Recommended approach to VM snapshot prior to upgrade

2017-02-22 Thread Brian Mathis
I have a 3-node cluster running FreeIPA 4.2 on RHEL 7.2. I would like to upgrade to RHEL 7.3 / IPA 4.4, and I want to make VM snapshots that I can rollback to in case there are issues. What is the recommended approach to this? Should services already be started when running the yum update? Can

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-22 Thread Peter Fern
On 23/02/17 05:26, Rob Crittenden wrote: > It's been many moons since I worked on nss-pem but from what I can tell > it should be buildable outside of NSS so can ship as a separate package. > You might try building it locally to see if it resolves the issues for > you. It resides at

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> There is none. Compat tree is built with RFC2307 queries in mind. > RFC2307 clients issue a request with a specific user or group name and > that triggers lookup of AD user/group through SSSD and insertion into > the compat tree. A part of the trigger is how LDAP filter is built (see > RFC for

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Jason B. Nance wrote: There is none. Compat tree is built with RFC2307 queries in mind. RFC2307 clients issue a request with a specific user or group name and that triggers lookup of AD user/group through SSSD and insertion into the compat tree. A part of the trigger is how

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks guys, I think there might be a way to modify the LDAP query. I'm speaking to the EMC / Dell support personnel today to see what can be done. Regards, Hanoz Hanoz Elavia | IT Manager | O: 604-734-2866 | www.atomiccartoons.com | 112 West 6th Ave,

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex, Thanks for the link, isn't RFC 2307 implemented as Services for Unix in Windows 2008 R2? Apologies for not mentioning this earlier but I haven't enabled that mainly because SSSD now maps the IDs. Also, in the newer version of the Windows Server, SFU seems to have been discontinued.

Re: [Freeipa-users] FreeIPA 4.3.1 ipa-replica-install wrong exit code?

2017-02-22 Thread Martin Basti
On 23.02.2017 00:17, Diogenes S. Jesus wrote: We are ansible-playbooking FreeIPA and we don't want to care about whether FreeIPA is installed, we just want to ignore errors if it already is - but for that the exit code is relevant. Either the return code is wrong in the code or in the manual -

[Freeipa-users] FreeIPA 4.3.1 ipa-replica-install wrong exit code?

2017-02-22 Thread Diogenes S. Jesus
We are ansible-playbooking FreeIPA and we don't want to care about whether FreeIPA is installed, we just want to ignore errors if it already is - but for that the exit code is relevant. Either the return code is wrong in the code or in the manual - according to the manual, it should be 3, but it's

[Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Auerbach, Steven
We have a script stored on a particular server in our realm that executes a number of non-privileged commands, and we want to add the /sbin/vgs command. The script uses SSH to then execute the same set of commands on all the servers in the realm. The owner of the script is in the administrator

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex, Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll have a look at the link and see if we can change the query to obtain the info required. Regards, Hanoz Hanoz Elavia | IT Manager | O: 604-734-2866 | www.atomiccartoons.com

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Jason B. Nance
> We have a script stored on a particular server in our realm that executes a > number of non-privileged commands, and we want to add the /sbin/vgs command. > The > script uses SSH to then execute the same set of commands on all the servers in > the realm. > The owner of the script is in the
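The sudo-rule side of the question above (one command, NOPASSWD, for one set of users on one set of hosts), as an added example by the editor; it is not from the thread and not FreeIPA's own tooling. The rule name, the user group lvm-reporters and the host group lvm-servers are assumed names; the ipa CLI subcommands are the standard ones (sudocmd-add, sudorule-add, sudorule-add-allow-command, sudorule-add-user, sudorule-add-host, sudorule-add-runasuser, sudorule-add-option). The script only acts when invoked with "apply" and an admin Kerberos ticket already obtained.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA's own tooling): a FreeIPA sudo
# rule that lets one user group run exactly one command, /sbin/vgs, without a
# password, scoped to one host group instead of every host in the realm.
# RULE, USER_GROUP and HOST_GROUP are assumed names; adjust for your realm.
set -eu

RULE="vgs_nopasswd"
CMD="/sbin/vgs"
USER_GROUP="lvm-reporters"   # assumed: group containing the script owner
HOST_GROUP="lvm-servers"     # assumed: hosts the script reaches over SSH

# Accept only a single absolute path with no wildcard, arguments or trailing
# slash: sudo compares the invoked path against this string literally, and a
# directory, glob or ALL would grant much more than vgs.
sudo_cmd_is_safe() {
    case "$1" in
        "" | ALL | */ | *'*'* | *' '*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

create_vgs_rule() {
    sudo_cmd_is_safe "$CMD" || { echo "refusing unsafe sudo command: $CMD" >&2; return 1; }
    ipa sudocmd-add "$CMD" --desc="LVM volume group report"
    ipa sudorule-add "$RULE" --desc="vgs without a password for the LVM report script"
    ipa sudorule-add-allow-command "$RULE" --sudocmds="$CMD"
    ipa sudorule-add-user "$RULE" --groups="$USER_GROUP"
    ipa sudorule-add-host "$RULE" --hostgroups="$HOST_GROUP"
    ipa sudorule-add-runasuser "$RULE" --users=root
    # The NOPASSWD part; it applies only to the commands allowed by this rule.
    ipa sudorule-add-option "$RULE" --sudooption='!authenticate'
}

# Defining the functions has no effect; pass "apply" (with an admin Kerberos
# ticket already obtained via kinit) to create the rule.
if [ "${1:-}" = "apply" ]; then
    create_vgs_rule
    ipa sudorule-show "$RULE"
fi
```

Two things to check on the clients afterwards: the sudocmd string must be exactly the path the script invokes (sudo matches the literal path, so /sbin/vgs and /usr/sbin/vgs are different entries), and SSSD caches sudo rules and only picks up new ones on its periodic refresh (smart refresh every 15 minutes by default), so verify with `sudo -l` as the script owner and restart sssd if the rule has not arrived yet.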

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote: > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden > wrote: > > Iulian Roman wrote: > > Hello, > > > > Does anybody know if the rfc2307aix schema is supported in IPA server (i > > use red hat IDM version) ?

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Alexander Bokovoy
On ke, 22 helmi 2017, Jason B. Nance wrote: For example, for user that would be (&(objectClass=posixAccount)(uid=%s)) where %s is ad_u...@server.com according to your example. This is what would be intercepted and queried through SSSD. For example: $ ldapsearch -Y GSSAPI -b
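The point made several times in this thread is that the compat tree only resolves an AD user when the client's filter has the RFC 2307 shape, an equality match on uid (or cn for groups), which is what triggers the SSSD lookup; a listing query such as (uid=*) returns nothing for users not yet looked up. The following Python is an added example by the editor, not code from the thread or from FreeIPA: it builds that filter with RFC 4515 escaping so a caller-supplied name cannot inject into it, checks whether an arbitrary filter has the triggering shape, assembles the ldapsearch command from the thread as an argv list, and reads one entry of the result. The host ipa.example.com, the base DN, the bind DN uid=svc-ldap (a dedicated read-only account rather than admin), the user jdoe@ad.example.com and the LDIF sample are assumptions/constructed data.

```python
"""Query AD users through the FreeIPA compat tree (cn=compat) the way an
RFC 2307 client does.

Example code added by the editor; it is not from the thread and not part of
FreeIPA. The host, base DN, bind DN, user name and the LDIF sample below are
assumptions/constructed data.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it cannot alter the filter structure
    (LDAP filter injection); the escaped form still matches the literal name."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def rfc2307_user_filter(name: str) -> str:
    """The lookup an RFC 2307 client sends for one user: this equality match on
    uid is what makes the compat plugin ask SSSD to resolve a trusted-domain
    user and insert it into the compat tree."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(name)


def rfc2307_group_filter(name: str) -> str:
    """Same shape for a group: equality match on cn under posixGroup."""
    return "(&(objectClass=posixGroup)(cn=%s))" % escape_filter_value(name)


# An equality assertion on uid or cn whose value contains no wildcard.
_EQUALITY = re.compile(r"\((?:uid|cn)=[^()*]+\)", re.IGNORECASE)


def names_compat_trigger(ldap_filter: str) -> bool:
    """True when the filter names a concrete user or group, the shape the compat
    tree resolves through SSSD.  Presence/substring filters such as (uid=*) or
    (uid=jd*) only list entries already in the tree and return nothing for AD
    users that have not been looked up yet."""
    return _EQUALITY.search(ldap_filter) is not None


def ldapsearch_argv(host, base_dn, bind_dn, ldap_filter,
                    attrs=("uid", "uidNumber", "gidNumber", "homeDirectory")):
    """argv for the simple-bind ldapsearch used in the thread, built as a list so
    the filter is never interpolated into a shell command line.  -ZZ requires
    STARTTLS so the simple-bind password is not sent in clear text."""
    return ["ldapsearch", "-x", "-W", "-ZZ", "-H", "ldap://%s" % host,
            "-D", bind_dn, "-b", "cn=compat,%s" % base_dn, "-s", "sub",
            ldap_filter, *attrs]


# Constructed sample of a resolved AD user in the compat tree (not real output).
SAMPLE_LDIF = """\
dn: uid=jdoe@ad.example.com,cn=users,cn=compat,dc=ipa,dc=example,dc=com
objectClass: posixAccount
uid: jdoe@ad.example.com
uidNumber: 1234567890
gidNumber: 1234567890
homeDirectory: /home/ad.example.com/jdoe
"""


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for one entry: attribute -> list of values.
    Enough for ldapsearch -LLL output without base64 or folded lines."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            entry.setdefault(attr, []).append(value)
    return entry


if __name__ == "__main__":
    name = "jdoe@ad.example.com"   # assumed AD user
    flt = rfc2307_user_filter(name)
    print(" ".join(ldapsearch_argv(
        "ipa.example.com", "dc=ipa,dc=example,dc=com",
        "uid=svc-ldap,cn=users,cn=accounts,dc=ipa,dc=example,dc=com", flt)))
    print(names_compat_trigger(flt), names_compat_trigger("(uid=*)"))
    print(parse_ldif_entry(SAMPLE_LDIF)["uidNumber"])
```

The escaping matters because an appliance or script that pastes a user name straight into (uid=%s) lets a name like `x*)(uid=*` rewrite the filter; after escaping it is just a literal (and non-existent) name. The -ZZ flag is the practical caveat for the simple-bind command quoted in the thread: without STARTTLS or ldaps:// the bind password crosses the network in clear text.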