Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-04-30 Thread Adam Young
On 04/30/2011 12:10 PM, JR Aquino wrote: On Apr 29, 2011, at 11:45 PM, nasir nasir kollath...@yahoo.com wrote: Hi All, First of all, many thanks indeed to the developers and community for making some great strides in the open source IPA world! I am planning for a

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-02 Thread Adam Young
On 05/01/2011 08:49 AM, nasir nasir wrote: Thanks for all the replies and great suggestions! I do appreciate it a lot. Apologies for being a bit confusing about the centralized /home folder in my previous mail. What I want is that all the users should have their /home folder stored in the

Re: [Freeipa-users] extending FreeIPA

2011-05-06 Thread Adam Young
On 05/06/2011 08:49 AM, Simo Sorce wrote: On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote: I currently maintain a directory with MTA configuration data in it (among other items). I'm wondering what is the best way to add to the FreeIPA schema without stepping on current and future

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-08 Thread Adam Young
. Is this possible? if so could anyone suggest me some guide lines or docs for the same ? Did you try installing the ipa-client rpms with Alien? Thanks and Regards, Nidal --- On *Mon, 5/2/11, Adam Young /ayo...@redhat.com/* wrote: From: Adam Young ayo...@redhat.com Subject: Re: [Freeipa

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young
that the entire problem is just in the NFS configuration. Thanks indeed in advance and regards, Nidal --- On *Mon, 5/9/11, Adam Young /ayo...@redhat.com/* wrote: From: Adam Young ayo...@redhat.com Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: nasir

Re: [Freeipa-users] failure to un-install FreeIPA

2011-05-10 Thread Adam Young
On 05/10/2011 04:32 AM, Martin Kosek wrote: On Tue, 2011-05-10 at 03:58 +, Steven Jones wrote: I am trying to un-install freeipa with ipa-server-install --uninstall and its saying not installed, but when I try to install its saying already installed! oops. Is there a way to force the

Re: [Freeipa-users] failure to un-install FreeIPA

2011-05-10 Thread Adam Young
On 05/10/2011 05:02 PM, Steven Jones wrote: VMware local console I can't cut and paste outputs or scroll back when it's a KDE rdp to a windows 7 vmware guest and then into the vmware thick client and then to a local console simply doesn't work... Bit messy but I get a Linux desktop

Re: [Freeipa-users] fatal error for ipa with dns.

2011-05-10 Thread Adam Young
Can you attach the file /var/log/ipa-server-install.log? On 05/10/2011 10:14 PM, Steven Jones wrote: I have installed ipa but Im getting this error, named wont run as wont kinit admin. = May 11 14:11:40 vuwunicoipamt01 named[3132]: starting BIND 9.7.3-RedHat-9.7.3-1.el6 -u

Re: [Freeipa-users] fatal error for ipa with dns.

2011-05-10 Thread Adam Young
Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working. On 05/10/2011 11:02 PM, Steven Jones wrote: Hi, Fixed I think,

Re: [Freeipa-users] fatal error for ipa with dns.

2011-05-10 Thread Adam Young
-users-boun...@redhat.com] on behalf of Adam Young [ayo...@redhat.com] Sent: Wednesday, 11 May 2011 3:16 p.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] fatal error for ipa with dns. Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual

Re: [Freeipa-users] fatal error for ipa with dns.

2011-05-11 Thread Adam Young
On 05/11/2011 11:00 AM, Rob Crittenden wrote: Steven Jones wrote: Hi, Nope looks like DNS is barfed big time... == [root@vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236 [root@vuwunicoipamt01 ~]# ipa dns-resolve

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young
On 05/12/2011 03:30 PM, nasir nasir wrote: Adam, I tried to follow your recommendations with RHEL 6.1 beta on server and client machine. Centralized login and such things work. I have NFS service too working. But automount is not working. For the time being I configured my server as NFS

Re: [Freeipa-users] /var/log/dirsrv/slapd-* permissions

2011-05-13 Thread Adam Young
On 05/13/2011 06:11 AM, Charlie Derwent wrote: Hi First time posting on the mailing list so go easy on me :-) I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young
On 05/13/2011 12:13 PM, nasir nasir wrote: Adam, Thanks indeed! I tried your suggestions. -- I can mkdir -- When I try to chown, I get the following error *chown: changing ownership of `nasir': Operation not permitted* Could you please explain me what do you mean by 'You probably need

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Adam Young
. You can probably just chkconfig off autofs on the nfs server. I'm not sure if there is a cleaner solution. Thanks and regards, Nidal --- On *Fri, 5/13/11, Adam Young /ayo...@redhat.com/* wrote: From: Adam Young ayo...@redhat.com Subject: Re: [Freeipa-users] FreeIPA for Linux

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Adam Young
I'm guessing that the user you are trying to create is test1? And the directory /xtra/home/test1 does not yet exist? Does a precreated directory automount? On 05/16/2011 08:08 AM, nasir nasir wrote: Thanks indeed for the reply! I updated the autofs package with version

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-17 Thread Adam Young
On 05/17/2011 02:03 AM, nasir nasir wrote: Further to my previous mail, let us try to isolate it even more by comparing the login attempts to the NFS server(hugayat.cohort.org) and another IPA client(rhel.cohort.org) This is the relevant /var/log/message in the two cases *1. ssh -l nasir

Re: [Freeipa-users] 4202 error no modifications can be performed

2011-05-24 Thread Adam Young
On 05/23/2011 10:59 PM, Steven Jones wrote: It needs to be disabled then as it locks up the gui and its then stuffed regards From: Rob Crittenden [rcrit...@redhat.com] Sent: Tuesday, 24 May 2011 2:27 p.m. To: Steven Jones Cc: d...@redhat.com; Adam

Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread Adam Young
On 06/09/2011 03:37 PM, John S. Skogtvedt wrote: On 9 June 2011 14:31, Simo Sorce wrote: You probably want to use the DNA plugin to generate the sambaSid for you once you have a domain SID, it's not too difficult and will be much less error prone. Simo. Thanks. The solution outlined at

Re: [Freeipa-users] Multiple host records in the GUI

2011-06-13 Thread Adam Young
On 06/13/2011 12:20 PM, Sigbjorn Lie wrote: Hi, How come I cannot see multiple records for the same host in the WEB GUI? I can see the records when I'm using the CLI. This goes for multiple A records for the same hostname, but also if a hostname has an A record and a record. Only the A

Re: [Freeipa-users] extracting info and injecting info

2011-06-17 Thread Adam Young
On 06/14/2011 04:33 PM, Steven Jones wrote: Hi, That's excellent... it won't be me but our IdM developers... who will want to look, since it's Oracle IdM I suspect Java type stuff but I'm clueless on programming... I can hand this to them when they ask. JSON is much friendlier, and it is what

Re: [Freeipa-users] Custom Fields on UI

2011-06-23 Thread Adam Young
On 06/23/2011 08:35 AM, Attila Bogár wrote: Hi, When I apply the following ldif, the custom fields are not appearing on the web interface (ipa restart doesn't help). -- 8 -- dn: cn=ipaConfig,cn=etc,dc=linguamatics,dc=com changetype: modify replace: ipaCustomFields ipaCustomFields: Employee

Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Adam Young
On 06/26/2011 08:35 AM, Charlie Derwent wrote: On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit...@redhat.com wrote: Charlie Derwent wrote: On Wed, Jun 22, 2011 at 10:49 PM, Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] ipa-client-install errors via kickstart

2011-06-27 Thread Adam Young
On 06/27/2011 11:01 AM, Rob Crittenden wrote: Charlie Derwent wrote: On Mon, Jun 27, 2011 at 2:07 PM, Adam Young ayo...@redhat.com wrote: On 06/26/2011 08:35 AM, Charlie Derwent wrote: On Thu, Jun 23, 2011 at 6:54 PM, Rob Crittenden rcrit

Re: [Freeipa-users] Automounter maps

2011-06-30 Thread Adam Young
Good point. Take a look at the test day instructions, I found them very useful for setting up both SUDO and automount. https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount On 06/30/2011 11:08 AM, Ondrej Valousek wrote: On 30.06.2011 16:55, Rob Crittenden wrote: Look at the

Re: [Freeipa-users] Automounter maps

2011-07-01 Thread Adam Young
On 07/01/2011 03:48 AM, Ondrej Valousek wrote: Hi, On 30.06.2011 17:29, Dmitri Pal wrote: Can you please rephrase? Do you mean that instead of documenting what we already have or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the

Re: [Freeipa-users] Is it possible FreeIPA for Web Apps SingleSignOn like CAS?

2011-07-29 Thread Adam Young
In order to authenticate through the firewall you have to allow kinit and kerberos web traffic through, which means opening port 88. If you are unwilling to do that, you need to come up with an authentication solution that will pass through firewalls, which means either basic auth, digest,

Re: [Freeipa-users] Unable to start IPA server after server reboot

2011-08-02 Thread Adam Young
On 08/02/2011 09:42 AM, Ondrej Valousek wrote: Hi Rob, It was just polaris - so I tried: [root@polaris etc]# hostname polaris.example.com and it started working - Magic! That means that we rely on the fact that hostname is set to FQDN, right? Isn't it too strong requirement? Maybe we should

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Adam Young
On 08/03/2011 12:21 PM, Ian Stokes-Rees wrote: On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote: As a general rule, I would think that having your private key stored somewhere that an admin other than yourself can reset the password and have access to would be really dangerous. Most

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-03 Thread Adam Young
On 08/03/2011 01:16 PM, Ian Stokes-Rees wrote: On 8/3/11 12:38 PM, Adam Young wrote: I think what you are interested in is the Data Recovery Manager (DRM...hey, we had the acronym first, but we also call it Key Recovery) aspect of Certificate Server. That is awesome. That is exactly

Re: [Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys

2011-08-04 Thread Adam Young
DRM is the way to go. However it does not support symmetric keys now. This is the part that we need for volume keys. Maybe it is the vault to store all sorts of keys. This is something that needs to be designed and looked at as a broader perspective. Adam likes to repeat a phrase about

Re: [Freeipa-users] extending FreeIPA

2011-08-07 Thread Adam Young
On 08/06/2011 03:18 PM, Stephen Ingram wrote: On Fri, May 6, 2011 at 1:11 PM, Adam Young ayo...@redhat.com wrote: On 05/06/2011 08:49 AM, Simo Sorce wrote: On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote: I currently maintain a directory with MTA configuration data in it (among other

Re: [Freeipa-users] extending FreeIPA

2011-08-07 Thread Adam Young
On 08/06/2011 04:29 PM, Stephen Ingram wrote: On Sat, Aug 6, 2011 at 12:18 PM, Stephen Ingram sbing...@gmail.com wrote: On Fri, May 6, 2011 at 1:11 PM, Adam Young ayo...@redhat.com wrote: On 05/06/2011 08:49 AM, Simo Sorce wrote: On Wed, 2011-05-04 at 17:41 -0700, Stephen Ingram wrote: I

Re: [Freeipa-users] Using FreeIPA web interface from a windows client(IE)

2011-09-23 Thread Adam Young
On 09/23/2011 03:31 PM, Rob Crittenden wrote: Jimmy wrote: I have been using the interface from a Linux client on Firefox just fine, but now I need to configure a windows client to access the web interface. I have the win7 client logged in using a FreeIPA user, authenticated against the realm,

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young
On 09/27/2011 04:22 PM, Sigbjorn Lie wrote: On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: On 09/27/2011 12:34 AM, Dmitri Pal wrote: On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young
Siggi, This is my comment in the ticket: https://fedorahosted.org/freeipa/ticket/1889 We are working on a tool in the PKI project that will perform these steps in an automated fashion. There are three files that need to be addressed. On the tomcat side, the files are in the Tomcat

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Adam Young
After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg http.port=8080 https.port=8443 On 09/27/2011 07:55 PM, Adam Young wrote: Siggi, This is my comment in the ticket: https://fedorahosted.org

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Adam Young
On 09/28/2011 05:03 PM, Sigbjorn Lie wrote: On 09/28/2011 03:33 AM, Adam Young wrote: After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg http.port=8080 https.port=8443 On 09/27/2011 07:55 PM, Adam

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Adam Young
On 09/28/2011 05:59 PM, Sigbjorn Lie wrote: On 09/28/2011 11:35 PM, Adam Young wrote: On 09/28/2011 05:03 PM, Sigbjorn Lie wrote: On 09/28/2011 03:33 AM, Adam Young wrote: After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var

Re: [Freeipa-users] user login exposes all users in UI

2011-09-28 Thread Adam Young
On 09/28/2011 01:13 PM, Stephen Ingram wrote: When logging into the FreeIPA UI as a user, most everything is removed with the exception of the Identity tab and the Users list. Although I'm guessing that LDAP needs to expose the users list to all users just as anyone can view the passwd file on

Re: [Freeipa-users] Install problem with --setup-dns

2011-09-30 Thread Adam Young
On 09/30/2011 01:10 PM, Mark A Cinense wrote: Hi, new to the list. I have been pounding away at this for the past month or so, and I am stumped as to why when installing IPA, it keeps wanting to setup DNS with a domain name of ipaserver.test.mark.cinense.org

Re: [Freeipa-users] Complaint web browsers

2011-10-18 Thread Adam Young
On 10/17/2011 10:36 PM, Steven Jones wrote: Hi, I have only used Firefox 3.x as shipped with RHEL to admin IPA, what are others using? ie what are compliant/suitable? We are only claiming to support Firefox, 3 on forward should all work, but we only test the versions with Fedora and RHEL.

Re: [Freeipa-users] Complaint web browsers

2011-10-18 Thread Adam Young
Let's distinguish between Supported browsers for the kerberos case and the Supported browser for the Basic auth enabled case: For Kerberos, it is as I said previously: it will work on the others, but you have to know how to configure. You are not going to get IE Kerberos support without a

Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Adam Young
On 10/21/2011 02:04 PM, Sigbjorn Lie wrote: Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There is no hosts showing as enrolled in the webui. In the CLI hosts are reported to have a keytab. Is this a known issue? Rgds, Siggi PS. KUDOS on the speed of lookups! MASSIVE

Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Adam Young
On 10/21/2011 02:29 PM, Sigbjorn Lie wrote: On 10/21/2011 08:15 PM, Adam Young wrote: On 10/21/2011 02:04 PM, Sigbjorn Lie wrote: Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There is no hosts showing as enrolled in the webui. In the CLI hosts are reported to have a keytab

Re: [Freeipa-users] No hosts showing as enrolled

2011-10-24 Thread Adam Young
On 10/21/2011 07:05 PM, Sigbjorn Lie wrote: On 10/21/2011 10:02 PM, Adam Young wrote: On 10/21/2011 02:29 PM, Sigbjorn Lie wrote: On 10/21/2011 08:15 PM, Adam Young wrote: On 10/21/2011 02:04 PM, Sigbjorn Lie wrote: Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There is no hosts

Re: [Freeipa-users] Unique world wide UIDS

2011-10-26 Thread Adam Young
On 10/26/2011 08:49 PM, Steven Jones wrote: Hi, Reading the docs on the 32bit UIDs it says it makes an attempt to give out a unique range... would it be possible / practical if RH (would want to) ran some sort of database or registration function to try and ensure that? regards Steven Jones

Re: [Freeipa-users] Freeipa-users] Overall Design of Policy Related Components

2011-11-01 Thread Adam Young
On 11/01/2011 01:04 PM, Rodney Mercer wrote: On Tue, 2011-11-01 at 12:00 -0400, freeipa-users-requ...@redhat.com wrote: On 10/31/2011 05:20 PM, Rodney Mercer wrote: We have previously developed Solaris RBAC authorization within our application to validate users and roles to our application's

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young
CentOS is far behind RHEL. Many of the issues you will find have been fixed in released versions of IPA. This one is due, I think, to an earlier issue with directory server that has since been upgraded. You might want to see if the versions shipped with Scientific Linux work better for you,

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young
On 11/04/2011 07:07 PM, Dmitri Pal wrote: On 11/04/2011 04:23 PM, Jimmy wrote: I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess the proper fix is to use the SL packages Adam referenced? Correct. It looks like Scientific Linux is behind as well: The packages on

Re: [Freeipa-users] FreeIPA on CentOS 5.6

2011-11-09 Thread Adam Young
On 11/09/2011 02:27 PM, Stephen Gallagher wrote: On Wed, 2011-11-09 at 14:23 -0500, Boris Epstein wrote: So what OS would not be too old to run FreeIPA on? Would we be talking CentOS 6? Boris. Well, RHEL 6.2 (due out before the end of the year) will include a fully-supported version of

Re: [Freeipa-users] Kerberos authentication setup

2011-11-11 Thread Adam Young
On 11/11/2011 03:52 PM, Boris Epstein wrote: Hello all, I've got my FreeIPA seemingly running on a Fedora 16 machine but I can not log into it from a browser as I get the Your kerberos ticket is no longer valid. message. So the question is: is there a good guide on how to set up the Kerberos

Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

2011-11-17 Thread Adam Young
On 11/17/2011 10:58 AM, Dan Scott wrote: On Wed, Nov 16, 2011 at 14:01, Rob Crittenden rcrit...@redhat.com wrote: Dan Scott wrote: On Wed, Nov 16, 2011 at 10:39, Rob Crittenden rcrit...@redhat.com wrote: Dan Scott wrote: On Wed, Nov 16, 2011 at 09:23, Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] Some feature requests

2011-11-28 Thread Adam Young
On 11/28/2011 04:16 PM, Steven Jones wrote: Hi, a) Auto setup in RH satellite to allow auto joining to freeIPA from a baremetal kickstart. That is a Satellite, not FreeIPA, request. b) Setup/config (info etc) to allow a gluster system to join to IPA. What would a gluster system

Re: [Freeipa-users] User Administrator role member doesn't see User Groups under identity tab

2011-12-15 Thread Adam Young
On 12/13/2011 02:09 PM, Rob Crittenden wrote: Ian Levesque wrote: Hello, I'm running version 2.0.0-23 under Scientific 6.1. I've noticed that users in the User Administrator role, don't have access via the web UI to actually manage groups. The only link under Identity is Users. CLI

Re: [Freeipa-users] Multi-tennancy and Freeipa

2011-12-16 Thread Adam Young
I opened a ticket for multitenancy https://fedorahosted.org/freeipa/ticket/2201 Here is a detailed write up of the issues. http://freeipa.org/page/Multitenancy Please provide any feedback that you have and I will update. ___ Freeipa-users mailing

Re: [Freeipa-users] Multi-tennancy and Freeipa

2011-12-19 Thread Adam Young
On 12/16/2011 03:41 PM, Dmitri Pal wrote: On 12/16/2011 02:37 PM, Alan Evans wrote: Adam, This is great news. The feedback I have after a quick read through (I will try to put a bit more time on it later) would be to make the 'tennant' separation more flexible and why not use existing ldap

Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-30 Thread Adam Young
On 01/28/2012 01:53 PM, Erinn Looney-Triggs wrote: On 1/27/2012 4:53 PM, JR Aquino wrote: On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote: Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how to's, but I can't get firefox to take/pass my tgt.

Re: [Freeipa-users] Roles and permissions

2012-02-10 Thread Adam Young
On 02/07/2012 03:54 PM, Steven Jones wrote: Hi, Users in group A can manage the membership of group B Users in group A can manage this small set of attributes of members of group B Yes, I can see that delegating is going to be very hard to do securely / properly... at least with [my] limited

Re: [Freeipa-users] fine-grained permissions for DNS tasks

2013-12-12 Thread Adam Young
On 12/12/2013 04:26 PM, Stephen Ingram wrote: Is it possible to restrict user to say a DNS Administrator role for only one domain in the system? Steve