[Freeipa-users] Default domain for AD groups

2017-02-23 Thread Hanoz Elavia
Hello, My FreeIPA clients and server are setup to use the AD domain as the default. This is done using the default_domain_suffix parameter in the sssd section of the sssd.conf file. This works fine for users when we use ldapsearch but not so much for groups. For e.g.: ldapsearch -x -W -s sub -H

Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Matrix
No, integrated DNS is an optional component of IPA, even for AD integration. But without integrated DNS, you have to correctly configure all SRV records manually. Matrix -- Original -- From: Iulian Roman Date: Thu,Feb 23,2017

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Rob Crittenden
Steve Huston wrote: > Next stage of my testing was to make a replica of the FreeIPA server, > and I started by doing a 'yum install ipa-server' and then moved on to > adding the host to the ipaservers group. This fails every time > however, with the error: > > ipa: ERROR: cannot connect to >

[Freeipa-users] WARNING: Existing users or groups do not have a SID identifier assigned

2017-02-23 Thread Gady Notrica
Hello, When setting up a trust between IPA and AD I am having the Warning below. Question: Is this going to affect the users in Active Directory if IPA sync back with AD? Any help? # ipa-adtrust-install WARNING: 200 existing users or groups do not have a SID identifier assigned. Installer

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Steve Huston
I already had to do that previously to get other things to work; I had solved it by changing line 582 of /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py from "::1" to "localhost" before installing the server. I did do this on the to-be-promoted client as well, to no avail. On

[Freeipa-users] WARNING: Existing users or groups do not have a SID identifier assigned

2017-02-23 Thread Gady Notrica
Hello, When setting up a trust between IPA and AD I am having the Warning below. Question: Is this going to affect the users in Active Directory if IPA sync back with AD? # ipa-adtrust-install WARNING: 200 existing users or groups do not have a SID identifier assigned. Installer can run a

[Freeipa-users] New install, unsupported format?

2017-02-23 Thread Steve Huston
Next stage of my testing was to make a replica of the FreeIPA server, and I started by doing a 'yum install ipa-server' and then moved on to adding the host to the ipaservers group. This fails every time however, with the error: ipa: ERROR: cannot connect to

Re: [Freeipa-users] Default domain for AD groups

2017-02-23 Thread Alexander Bokovoy
On to, 23 helmi 2017, Hanoz Elavia wrote: Hello, My FreeIPA clients and server are setup to use the AD domain as the default. This is done using the default_domain_suffix parameter in the sssd section of the sssd.conf file. This works fine for users when we use ldapsearch but not so much for

Re: [Freeipa-users] WARNING: Existing users or groups do not have a SID identifier assigned

2017-02-23 Thread Alexander Bokovoy
On to, 23 helmi 2017, Gady Notrica wrote: Hello, When setting up a trust between IPA and AD I am having the Warning below. Question: Is this going to affect the users in Active Directory if IPA sync back with AD? winsync and trust are incompatible options. You are supposed to disable winsync

Re: [Freeipa-users] New install, unsupported format?

2017-02-23 Thread Standa Laznicka
Hello, I don't quite understand your situation - did the error happen during the addition of the host to the "ipaservers" group or during replica installation? Certutil is a wonderful piece of software that returns "(SEC_ERROR_LEGACY_DATABASE)" in about 90% of most common cases but I have

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-23 Thread Martin Basti
On 23.02.2017 10:21, Timo Aaltonen wrote: On 23.02.2017 02:04, Peter Fern wrote: On 23/02/17 05:26, Rob Crittenden wrote: It's been many moons since I worked on nss-pem but from what I can tell it should be buildable outside of NSS so can ship as a separate package. You might try building it

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-23 Thread Peter Fern
On 23/02/17 20:27, Martin Basti wrote: > On 23.02.2017 10:21, Timo Aaltonen wrote: >> And as you noticed, packaging nss-pem is not a trivial task because of >> the way it uses private NSS APIs that the libnss maintainer refuses to >> make public.. OpenSSL, anyone? :P >> > We are working on it :)

[Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Iulian Roman
Despite reading the FreeIPA and Red Hat IdM documentation regarding DNS, it is still unclear to me if and when integrated DNS is mandatory. We do have an environment with a pretty complex DNS setup, which has been in place for years, and there are no plans to change it. If I understood correctly

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-23 Thread Kees Bakker
On 23-02-17 13:51, Brendan Kearney wrote: > On 02/23/2017 07:32 AM, Kees Bakker wrote: >> On 22-02-17 17:33, Brendan Kearney wrote: >>> On 02/22/2017 10:26 AM, Kees Bakker wrote: On 22-02-17 14:05, Brendan Kearney wrote: > On 02/22/2017 05:23 AM, Kees Bakker wrote: >> On 21-02-17

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-23 Thread Martin Basti
On 23.02.2017 12:40, Peter Fern wrote: On 23/02/17 20:27, Martin Basti wrote: On 23.02.2017 10:21, Timo Aaltonen wrote: And as you noticed, packaging nss-pem is not a trivial task because of the way it uses private NSS APIs that the libnss maintainer refuses to make public.. OpenSSL,

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-23 Thread Iulian Roman
On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder wrote: > Iulian Roman wrote: > > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder > > wrote: > > > > Iulian Roman wrote: > > > On Tue, Feb 21, 2017 at 4:31 PM, Rob

Re: [Freeipa-users] FreeIPA Fedora 25 and IPA CentOS 7.3

2017-02-23 Thread Ente Trompete
Hi, THX for your answer, but as you can see in your test, you get freeipa-server 4.4.3 installed, and if you follow the link offered by Alexander, Red Hat/CentOS uses different versioning than the FreeIPA project contained in Fedora. So to create a replica with freeipa-server 4.4.3 from a CentOS

Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-23 Thread Timo Aaltonen
On 23.02.2017 02:04, Peter Fern wrote: > On 23/02/17 05:26, Rob Crittenden wrote: >> It's been many moons since I worked on nss-pem but from what I can tell >> it should be buildable outside of NSS so can ship as a separate package. >> You might try building it locally to see if it resolves the

Re: [Freeipa-users] ldapsearch for AD users

2017-02-23 Thread Hanoz Elavia
Thanks Alexander, I have rebuilt the server with compatibility and I can now query AD users. I'll just have to confirm with Dell / EMC whether the Isilon can now handle this. Regards, Hanoz On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy wrote: > On ke, 22 helmi

[Freeipa-users] UPDATE: Resolved sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as: Sudo Command: NOPASSWD: /sbin/vgs The script (executed by a non-root, administrative group user on an enrolled host) specifies: …. hostname >> statresults.txt cat /etc/redhat-release >> statresults.txt uname -r >>

[Freeipa-users] Recall: sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Auerbach, Steven would like to recall the message, "[Freeipa-users] sudo NOPASSWD for a single command". -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-23 Thread Brendan Kearney
On 02/23/2017 07:32 AM, Kees Bakker wrote: On 22-02-17 17:33, Brendan Kearney wrote: On 02/22/2017 10:26 AM, Kees Bakker wrote: On 22-02-17 14:05, Brendan Kearney wrote: On 02/22/2017 05:23 AM, Kees Bakker wrote: On 21-02-17 19:49, Brendan Kearney wrote: On 02/21/2017 10:57 AM, Kees Bakker

Re: [Freeipa-users] Recommended approach to VM snapshot prior to upgrade

2017-02-23 Thread Rob Crittenden
Martin Basti wrote: > > > On 23.02.2017 00:47, Brian Mathis wrote: >> I have a 3-node cluster running FreeIPA 4.2 on RHEL 7.2. I would like >> to upgrade to RHEL 7.3 / IPA 4.4, and I want to make VM snapshots that >> I can rollback to in case there are issues. What is the recommended >>

Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Martin Basti
Hello, comments inline. On 23.02.2017 15:07, Iulian Roman wrote: Despite reading the FreeIPA and Red Hat IdM documentation regarding DNS, it is still unclear to me if and when integrated DNS is mandatory. We do have an environment with a pretty complex DNS setup, which has been in place for

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-23 Thread Brendan Kearney
On 02/23/2017 09:43 AM, Auerbach, Steven wrote: sudo vgs >> statresults.txt should be sudo /sbin/vgs >> statresults.txt since that is what sudo allows. It's almost like an exact match for strings.

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-02-23 Thread Brendan Kearney
On 02/23/2017 09:11 AM, Kees Bakker wrote: On 23-02-17 13:51, Brendan Kearney wrote: On 02/23/2017 07:32 AM, Kees Bakker wrote: On 22-02-17 17:33, Brendan Kearney wrote: On 02/22/2017 10:26 AM, Kees Bakker wrote: On 22-02-17 14:05, Brendan Kearney wrote: On 02/22/2017 05:23 AM, Kees Bakker

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as: Sudo Command: NOPASSWD: /sbin/vgs The script (executed by a non-root, administrative group user on an enrolled host) specifies: …. hostname >> statresults.txt cat /etc/redhat-release >> statresults.txt uname -r >>

[Freeipa-users] FreeIPA 4.4 / Winsync issues.

2017-02-23 Thread Devin Acosta
I have installed a new replica in our IPA domain and configured it to do a winsync with Windows 2012R2. It creates the agreement but then after a while it dies. It appears something isn't configured just right. The Windows client is using the passync user on my side, and I'm creating the sync

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Aaron Young
On ld4ipa01, I removed it with ipa-server-install --uninstall. This was an attempt to recreate the replica from nyc02ipa02. On Thu, Feb 23, 2017 at 3:17 AM, Martin Basti wrote: > > > On 22.02.2017 23:26, Aaron Young wrote: > > Hello Everyone > > I recently lost the master

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Aaron Young
And yes, I learned to stop using kadmin after I made that note On Thu, Feb 23, 2017 at 11:56 AM, Aaron Young wrote: > on ld4ipa01, I removed it with ipa-server-install --uninstall > > this was an attempt to recreate the replica from nyc02ipa02 > > On Thu, Feb 23, 2017

[Freeipa-users] UPDATE: NOT Resolved After All -- sudo NOPASSWD for a single command

2017-02-23 Thread Auerbach, Steven
Yes, I implemented in Policy -> Sudo -> Sudo Commands as: Sudo Command: NOPASSWD: /sbin/vgs The script (executed by a non-root, administrative group user on an enrolled host) specifies: …. hostname >> statresults.txt cat /etc/redhat-release >> statresults.txt uname -r >>

Re: [Freeipa-users] pki-tomcat will not start after certificate renewal

2017-02-23 Thread Joseph Vandermas
I got really busy sorry about the delay. It was a coworker who renewed our CA cert during an upgrade from Centos 6 to Centos 7. I remember him saying during the upgrade the CA broke and he had to mess around with it. According to him "Pretty sure I did the walk the clock back thing, but it's

Re: [Freeipa-users] authenticating with dns

2017-02-23 Thread Martin Basti
On 22.02.2017 23:26, Aaron Young wrote: Hello Everyone I recently lost the master master IPA server setup by the previous administrator. As it stands now, if I try to add a new client, in order to standup a new replica, I get errors while trying to setup DNS. This led me to look at how

Re: [Freeipa-users] FreeIPA 4.3.1 ipa-replica-install wrong exit code?

2017-02-23 Thread Standa Laznicka
On 02/23/2017 08:30 AM, Martin Basti wrote: On 23.02.2017 00:17, Diogenes S. Jesus wrote: We are ansible-playbooking FreeIPA and we don't want to care about if freeipa is installed, we just want to ignore errors if it already is - but for that the exit code is relevant. Either the return code

Re: [Freeipa-users] Recommended approach to VM snapshot prior to upgrade

2017-02-23 Thread Martin Basti
On 23.02.2017 00:47, Brian Mathis wrote: I have a 3-node cluster running FreeIPA 4.2 on RHEL 7.2. I would like to upgrade to RHEL 7.3 / IPA 4.4, and I want to make VM snapshots that I can rollback to in case there are issues. What is the recommended approach to this? Should services