Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Alexander Bokovoy
: ipa_user_script=/path/to/script then during add/delete/modify of a user, it will be called with add/del/mod as first parameter and user's dn as second. Result of the call is ignored but return from IPA server is blocked by the execution so be quick in ipa_user_script! -- / Alexander Bokovoy diff --git

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Alexander Bokovoy
sophisticated mechanism in many ways, maybe we should discuss on freeipa-devel Sure. I only wanted to show how large is amount of work to hook something in. You can treat my POC as means to provoke discussion. :) -- / Alexander Bokovoy

Re: [Freeipa-users] Debian clients?

2011-09-16 Thread Alexander Bokovoy
, late friday and I have a horrible headache, so if it doesn't I apologize in advance. :) Friday night is a nice time to talk about serious stuff :) -- / Alexander Bokovoy

Re: [Freeipa-users] Fedora 16 installer

2011-11-10 Thread Alexander Bokovoy
be nice, indeed. Could you please raise a bug for Fedora installer to improve 'FreeIPA authentication' settings page? And add me to the CC: list. -- / Alexander Bokovoy

Re: [Freeipa-users] Fedora 16 installer

2011-11-11 Thread Alexander Bokovoy
of things to discover. Though I would get discovery part of the ipa-client-install reused here -- like finding out kerberos setup via DNS and if that fails, show UI to enter all additional details, then schedule actual enrollment. -- / Alexander Bokovoy

Re: [Freeipa-users] Fedora 16 failing to start dirsrv process

2011-11-14 Thread Alexander Bokovoy
. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Fedora 16 failing to start dirsrv process

2011-11-14 Thread Alexander Bokovoy
it. I'm not sure it will be possible to use it in %post for upgrades but at least running it after yum upgrade would be possible. -- / Alexander Bokovoy

Re: [Freeipa-users] installing freeipa v2 server fails at configuring certificate server instance

2011-11-16 Thread Alexander Bokovoy
to set up and start CA. -- / Alexander Bokovoy

Re: [Freeipa-users] Delete host: Unable to communicate with CMS (Not Found)

2011-11-17 Thread Alexander Bokovoy
it into Fedora? I'll add symlinks update into freeipa F15-F16 upgrade script. At worst, if 728598 will be fixed in Fedora as well, that part of the code will do nothing. Tickets 2103 and 2117 in upstream FreeIPA are for tracking that. -- / Alexander Bokovoy

Re: [Freeipa-users] Joining realm failed because of failing XML-RPC request

2011-11-24 Thread Alexander Bokovoy
/client major versions. Check /var/log/ipaclient-install.log for details. -- / Alexander Bokovoy

Re: [Freeipa-users] Joining realm failed because of failing XML-RPC request

2011-11-24 Thread Alexander Bokovoy
On Fri, 25 Nov 2011, Craig T wrote: Hi Alexander, I took Steven Jones's advice and updated the IPA client to ipa-client-2.1.1-4.el6.x86_64 and the client started working perfectly! Ok, great! -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA_demonstration_tools CA creation error.

2011-12-18 Thread Alexander Bokovoy
of logging before initialization by one of components. That was fixed a while ago but if you are saying we missed it in 2.1.4 build for F15/F16, please file a bug and we'll work on backporting that change. -- / Alexander Bokovoy

Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)

2011-12-19 Thread Alexander Bokovoy
hope that our effort preventing possible remote attacks on core piece of enterprise infrastructure will be helpful when you'll go live with your installation. -- / Alexander Bokovoy

Re: [Freeipa-users] ns-slapd hang/segfault

2011-12-22 Thread Alexander Bokovoy
fileserver1 to freeipa-server-2.1.4-2.fc16.x86_64. I'm a little concerned about the slapd-PKI-IPA replication now, since I haven't been able to replicate that properly. Did you install Fedora 16 from scratch or was it upgrade from Fedora 15? The latter might explain some of these issues. -- / Alexander

Re: [Freeipa-users] FreeIPA 2.1.4 replication

2012-01-04 Thread Alexander Bokovoy
, workarounds are kludgy and require modification deep in Dogtag templates. Backstory for nss part is here https://bugzilla.redhat.com/show_bug.cgi?id=737506 -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA 2.1.4 replication

2012-01-05 Thread Alexander Bokovoy
On Thu, 05 Jan 2012, Alexander Bokovoy wrote: On Wed, 04 Jan 2012, Alexander Bokovoy wrote: On Wed, 04 Jan 2012, Rich Megginson wrote: Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. [root@fileserver4 ~]# I'm running 389-ds-base

Re: [Freeipa-users] SELinux error during ipa-server-install

2012-02-10 Thread Alexander Bokovoy
complete my setup. Is this an error in the policy? https://bugzilla.redhat.com/show_bug.cgi?id=739708 Allowing connecting to ephemeral port is something that Ade still not decided on yet. -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause

2012-02-12 Thread Alexander Bokovoy
? -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause

2012-02-12 Thread Alexander Bokovoy
On Sun, 12 Feb 2012, Marco Pizzoli wrote: On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Sun, 12 Feb 2012, Marco Pizzoli wrote: I'm having the same issue with another freeipa setup which was installed directly from the updates-testing repository. He

Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause

2012-02-12 Thread Alexander Bokovoy
/ would contain 389-ds instances' data stores. Thanks in advance. -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause

2012-02-12 Thread Alexander Bokovoy
this time out configurable in /etc/ipa/default.conf? This is something that we can't predict in all cases so this would be per-system setting. -- / Alexander Bokovoy

Re: [Freeipa-users] samba IPA

2012-02-23 Thread Alexander Bokovoy
number of shares. Something better needs to be created. -- / Alexander Bokovoy

Re: [Freeipa-users] samba IPA

2012-02-23 Thread Alexander Bokovoy
information leak in certain circumstances. -- / Alexander Bokovoy

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-10 Thread Alexander Bokovoy
. Any suggestions? Please try with permissive mode and clear VM. -- / Alexander Bokovoy

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-11 Thread Alexander Bokovoy
On Sat, 10 Mar 2012, Stephen Ingram wrote: On Sat, Mar 10, 2012 at 10:49 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Sat, 10 Mar 2012, Stephen Ingram wrote: I'm testing the new FreeIPA 2.1.90 rc1 on a fresh Fedora 17 alpha this weekend. I started by installing the freeipa-server

Re: [Freeipa-users] Integrate with Samba

2012-05-04 Thread Alexander Bokovoy
will have a bit different schema (supported by native IPA passdb module for Samba) but the state as it is at least should work as a stop gap for file server cases. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA Service accounts (Bind accounts)

2012-06-02 Thread Alexander Bokovoy
(by making a container in sysaccounts to include all 'AD agents' from IPA servers exposed via CIFS and limiting what they can do). A downside is that you don't see these system accounts through IPA UI/CLI, they are only managed manually. -- / Alexander Bokovoy

Re: [Freeipa-users] Provision user accounts groups from external IM

2012-06-05 Thread Alexander Bokovoy
looks promising, I will certainly try the example provided. Would user_add be the suitable command to use? It's the obvious candidate, but I just want to make sure... Yes, user_add is the command. -- / Alexander Bokovoy

Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 104

2012-06-05 Thread Alexander Bokovoy
, this is the version from December. Is there any newer version? There is no newer version. I was planning to go over and add more content in the schema extension area once we get 3.0beta1 out. -- / Alexander Bokovoy

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy
at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it is fixed already. -- / Alexander Bokovoy

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy
On Fri, 29 Jun 2012, Joe Linoff wrote: Hi Alexander: Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution. I haven't used CentOS 6.2 so I cannot suggest anything on this front. -- / Alexander Bokovoy

Re: [Freeipa-users] UID 999, not possible?

2012-06-29 Thread Alexander Bokovoy
-- / Alexander Bokovoy

Re: [Freeipa-users] UID 999, not possible?

2012-06-29 Thread Alexander Bokovoy
On Fri, 29 Jun 2012, Petr Viktorin wrote: On 06/29/2012 03:04 PM, Alexander Bokovoy wrote: On Thu, 28 Jun 2012, sysad...@noboost.org wrote: Hi All, Is there a weird restriction to UID 999 in ipa, as IPA keeps changing the UID when I add a user with that number? (I've already checked the UID

Re: [Freeipa-users] 2.20 dirsrv memory usage

2012-07-19 Thread Alexander Bokovoy
to remove the file and its reference from /etc/sysconfig/httpd and restart the service. -- / Alexander Bokovoy

Re: [Freeipa-users] One-way replication

2012-08-16 Thread Alexander Bokovoy
creating a non-updating stand-alone copy of my production servers. Is there a way to force a one-way replication? (I'd also be grateful for any mentions of less painful ways of connecting samba to freeipa :)) For IPA v2.x the link above explains fairly easy setup. -- / Alexander Bokovoy

Re: [Freeipa-users] One-way replication

2012-08-16 Thread Alexander Bokovoy
On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote: On 16/08/2012 14:34, Alexander Bokovoy wrote: On Thu, 16 Aug 2012, Dimitris Tsompanidis wrote: Hi all, I'm looking into setting up a Samba file server with FreeIPA as the password backend. I don't need fancy stuff, just plain LDAP password

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread Alexander Bokovoy
is the same). -- / Alexander Bokovoy - Original Message - From: george he george_...@yahoo.com To: John Dennis jden...@redhat.com, a...@redhat.com Cc: freeipa-users@redhat.com Sent: Wednesday, September 5, 2012 9:40:10 PM Subject: Re: [Freeipa-users] ipa host-del Thanks a lot. It's

Re: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version

2012-09-24 Thread Alexander Bokovoy
-- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA 3 rc1 sslget error

2012-09-27 Thread Alexander Bokovoy
/agent/ca/profileReview?requestId=7 ipa.nix.be:9443' returned non-zero exit status 6 https://bugzilla.redhat.com/show_bug.cgi?id=859043 -- / Alexander Bokovoy

Re: [Freeipa-users] Query IPA for group membership

2012-10-06 Thread Alexander Bokovoy
-- / Alexander Bokovoy

Re: [Freeipa-users] mod_nss issue.

2012-10-08 Thread Alexander Bokovoy
need to apply greater security protection to the KDC which runs on the same FreeIPA host. http://freeipa.org/page/Apache_SNI_With_Kerberos -- / Alexander Bokovoy

Re: [Freeipa-users] cross realm trust - SID doesn't resolve

2012-12-10 Thread Alexander Bokovoy
the name instead? Should I open an RFE? Since resolving SID means contacting AD's global catalog, there might be delays and even failure. I'll see how we can do it in a safe way. Please add an RFE. -- / Alexander Bokovoy

Re: [Freeipa-users] how to allow a remote realm user to be an IPA admin?

2012-12-10 Thread Alexander Bokovoy
to be able to map these ephemeral users to some existing objects first to allow them to bind to LDAP. We haven't done that yet but may at some point in future consider adding sort of ephemeral bind support. It is unclear how to do it properly, considering all security implications. -- / Alexander Bokovoy

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Alexander Bokovoy
... It is moved to HOWTOs: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain -- / Alexander Bokovoy

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Alexander Bokovoy
On Fri, 11 Jan 2013, Petr Spacek wrote: On 11.1.2013 10:19, Alexander Bokovoy wrote: On Fri, 11 Jan 2013, David Juran wrote: On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote: On 01/03/2013 12:28 PM, Petr Spacek wrote: On 12/21/2012 01:19 PM, Sumit Bose wrote: On Fri, Dec 21, 2012

Re: [Freeipa-users] Some interrogations about the freeipa deployment

2013-01-23 Thread Alexander Bokovoy
as required by Windows. You could get around of the issue by manually mapping appropriate Kerberos identities to local Windows users on each machine. -- / Alexander Bokovoy

Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread Alexander Bokovoy
-forest trusts yet. -- / Alexander Bokovoy

Re: [Freeipa-users] Re : RE: Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread Alexander Bokovoy
reboot now but this one is not authorized by the IPA server for this user on this server. = Is this possible ? 'sudo reboot now', that's possible. -- / Alexander Bokovoy

Re: [Freeipa-users] Granting rights temporarily

2013-02-14 Thread Alexander Bokovoy
of thinking out and writing down feature proposal, based on a template at http://www.freeipa.org/page/Feature_template -- / Alexander Bokovoy

Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Alexander Bokovoy
attributeLevelRights: *:21 -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA 3.0 transitive trust, multiple domains

2013-03-13 Thread Alexander Bokovoy
get there we need to finish a foundational work, including some changes in Samba I'm currently working on and changes for SSSD. You can see progress with the ticket above and others mentioned in it. -- / Alexander Bokovoy

Re: [Freeipa-users] mutiple domain, single realm

2013-03-26 Thread Alexander Bokovoy
in KDC. SSSD is also going to fetch the list like it fetches now list of trusted domains and configures them for clients. -- / Alexander Bokovoy

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Alexander Bokovoy
. If LDAP_OPT_X_SASL_NOCANON is not set explicitly, it is never set by libldap itself. -- / Alexander Bokovoy

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Alexander Bokovoy
was not inhibited. -- / Alexander Bokovoy

Re: [Freeipa-users] User Roles and access in GUI

2013-04-15 Thread Alexander Bokovoy
service accounts (include host/fqdn@REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read only access... -- / Alexander Bokovoy

Re: [Freeipa-users] setting up a trust problem

2013-04-18 Thread Alexander Bokovoy
-utils might have been installed for mounting CIFS shares. -- / Alexander Bokovoy

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Alexander Bokovoy
. -- / Alexander Bokovoy

Re: [Freeipa-users] Freeipa -ssh keys

2013-04-25 Thread Alexander Bokovoy
with ipa-client-install since that would have turned GSSAPIAuthentication to 'yes'. Or you did change sshd_config by yourself to non-working state. -- / Alexander Bokovoy

Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread Alexander Bokovoy
-- / Alexander Bokovoy

Re: [Freeipa-users] Freeipa -ssh keys

2013-04-26 Thread Alexander Bokovoy
different types of OpenSSH versions and a bit of configuration mess. -- / Alexander Bokovoy

Re: [Freeipa-users] question about bind 10 plans

2013-04-28 Thread Alexander Bokovoy
and Peter Spacek can tell more but in short, Bind 10 module is on our radar. -- / Alexander Bokovoy

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Alexander Bokovoy
. (2) is not possible right now due to the fact that Samba AD DC does not support cross-forest trusts right now. There is certain amount of work to be done to implement needed logic in Samba. -- / Alexander Bokovoy

Re: [Freeipa-users] Upgrade Test Case

2013-04-30 Thread Alexander Bokovoy
which brings change in KDC driver ABI. As result, you will need to restart KDC after upgrade. -- / Alexander Bokovoy

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Alexander Bokovoy
how to work with 'net conf setparm'. For 'valid users' I guess you can use simply user names since these would be our local ones. Again, this is completely untested right now. -- / Alexander Bokovoy

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Alexander Bokovoy
On Tue, 30 Apr 2013, Alexander Bokovoy wrote: On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote: That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you’ve said correctly

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Alexander Bokovoy
On Tue, 30 Apr 2013, Alexander Bokovoy wrote: On Tue, 30 Apr 2013, Alexander Bokovoy wrote: On Tue, 30 Apr 2013, simon.willi...@thehelpfulcat.com wrote: That is actually pretty good news. The real requirement is network storage for the Windows workstations secured by FreeIPA authentication

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Alexander Bokovoy
On Tue, 30 Apr 2013, Simo Sorce wrote: On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote: We need to add some smart logic to ipasam module to handle it. The logic for trusted users needs to go into winbindd or sssd, ipasam is only about our own domain. In SSSD 1.10 there is new SID

Re: [Freeipa-users] Two kerberos realms for same domainname?

2013-05-09 Thread Alexander Bokovoy
Directory. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Connect to FreeIPA's LDAP Directory

2013-05-28 Thread Alexander Bokovoy
connection = ldap.initialize('ldap://{host}'.format(host='foo.fandingo.org')) auth = ldap.sasl.gssapi() connection.sasl_interactive_bind_s('', auth) ldif = . dn = . connection.add_s(dn, ldif) == -- / Alexander Bokovoy

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Alexander Bokovoy
-master setup with two servers. I tried to add both servers to the ldap uri and to the krb5 section but the service refused to start. See man sssd-ldap(5). ldap_uri accepts comma-separated list of servers. Same for krb5_server, see sssd-krb5(5). -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy
lacks AES encryption and making it working with weaker encryption for TGT was to force downgrading encryption on IPA side, aside from unclear issues with RPC calls. -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy
On Wed, 19 Jun 2013, Dmitri Pal wrote: On 06/19/2013 12:35 PM, Alexander Bokovoy wrote: On Wed, 19 Jun 2013, Aly Khimji wrote: So as others have mentioned windows obviously isn't my area of focus here either, however we have this working with 2003r2, but I do notice odd behaviour with id

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-24 Thread Alexander Bokovoy
/Freeipa30_SSSD_SUDO_Integration.pdf -- / Alexander Bokovoy

Re: [Freeipa-users] Configure IPA 3.1.5 client for sudo?

2013-06-24 Thread Alexander Bokovoy
On Mon, 24 Jun 2013, Dean Hunter wrote: On Mon, 2013-06-24 at 09:07 +0300, Alexander Bokovoy wrote: On Sun, 23 Jun 2013, Dean Hunter wrote: Section 14.4. Applying the Configured sudo Policies to Hosts of the FreeIPA Guide, Edition 3.1.5 in the Fedora 18 documentation contains only an example

Re: [Freeipa-users] IPA, Samba and AD

2013-07-03 Thread Alexander Bokovoy
not allow to redefine krb5.conf. -- / Alexander Bokovoy

Re: [Freeipa-users] FreeIPA as Samba 4 Backend

2013-07-03 Thread Alexander Bokovoy
DC right now. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA, Samba and AD

2013-07-03 Thread Alexander Bokovoy
is not enrolled to IPA realm, you can easily make it working against AD domain. If you enrolled the host to IPA realm which is exactly same as AD domain, both DNS and krb5.conf collisions will be creating quite serious issues. Basically, it is 'either - either' case. -- / Alexander Bokovoy

Re: [Freeipa-users] freeipa-client on Debian Wheezy

2013-07-12 Thread Alexander Bokovoy
: debian/rules binary a produit une erreur de sortie de type 2 Any idea or me advice about how to backport freeipa-client to wheezy ? Perhaps, you can fix it in a manner similar to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628827 -- / Alexander Bokovoy

Re: [Freeipa-users] Problems creating trust between FreeIPA and AD

2013-07-17 Thread Alexander Bokovoy
users but on the AD I can't use IPA users. Any idea why this is happening? Because we haven't yet implemented the other direction. We are planning to work on it for Fedora 20 time frame. -- / Alexander Bokovoy

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-29 Thread Alexander Bokovoy
into the user_show part and that works, now we still need the user_add (and so on). Has anyone some sort of sample/howto for this ? As I said on IRC, I'm working on the article which explains all that. Stay tuned. -- / Alexander Bokovoy

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-29 Thread Alexander Bokovoy
Hope it helps. I've tested the scenario on Fedora 19. Thanks! Cheers, Matt 2013/7/29 Alexander Bokovoy aboko...@redhat.com Hi Matt, On Mon, 29 Jul 2013, Matt . wrote: Hi all, Referring to this topic: https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Alexander Bokovoy
Kerberos to the server when talking. When all four are in place, it should work with whatever language you have used to write your web application. -- / Alexander Bokovoy

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Alexander Bokovoy
/29/2013 03:02 PM, Alexander Bokovoy wrote: Hi! On Mon, 29 Jul 2013, Matt . wrote: Hi Alexander, That is great! I hope that someone can find this topic and use it as reference as it took us some time to find the other one :) You can find my

Re: [Freeipa-users] IPA Server UI Behind Proxy

2013-08-14 Thread Alexander Bokovoy
/conf/ipa.keytab: (echo rkt /tmp/external.keytab; echo wkt /etc/httpd/conf/ipa.keytab) |ktutil Then restart httpd -- I'm not sure mod_auth_kerb re-reads the keytab on its change. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA Load Problems?

2013-09-04 Thread Alexander Bokovoy
is the OTP one. I wonder if we do too much during bind when OTP is not enabled (by default). This should be unrelated to OTP work as John is using CentOS with older FreeIPA build, equivalent to what is in RHEL 6.4. -- / Alexander Bokovoy

Re: [Freeipa-users] slapi-nis user password error

2013-09-05 Thread Alexander Bokovoy
0.48 is in Fedora 19 at this point) but filing a bug against RHEL 6.3 would help in promoting the fix to stable packages. -- / Alexander Bokovoy

Re: [Freeipa-users] slapi-nis user password error

2013-09-05 Thread Alexander Bokovoy
in combination with slapi-nis identity source, for example. -- / Alexander Bokovoy

Re: [Freeipa-users] Permission Denied

2013-09-10 Thread Alexander Bokovoy
directory. Is there any SELinux AVC in the logs? Is /home/net an NFS mount? Does use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home) -- / Alexander Bokovoy

Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread Alexander Bokovoy
on IPA side. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread Alexander Bokovoy
to IPA, not the other way around. A change in IPA for the account which was synchronized from AD will be propagated back to AD but IPA users will not be copied to AD. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA vs 3.0 and Windows Group Policy

2013-09-12 Thread Alexander Bokovoy
? No, it is not possible. -- / Alexander Bokovoy

Re: [Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)

2013-09-20 Thread Alexander Bokovoy
the currently logged in user, but I suspect that is simply because Windows takes the logged in user SID from the PAC and it doesn't really talk to samba4. Yep, only that it doesn't know where to talk as there is no proper service available. -- / Alexander Bokovoy

Re: [Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)

2013-09-20 Thread Alexander Bokovoy
On Fri, 20 Sep 2013, Dmitri Pal wrote: On 09/20/2013 11:01 AM, Alexander Bokovoy wrote: On Fri, 20 Sep 2013, Loris Santamaria wrote: Hi all, yesterday I was going to try puppet on windows, so I fired up a Windows 7 VM, and just for curiosity, instead of joining it to the AD realm, I decided

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Alexander Bokovoy
-forest trusts and therefore will work with FreeIPA out of the box. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Alexander Bokovoy
to play firewall and other games with convincing them being off path. -- / Alexander Bokovoy

Re: [Freeipa-users] IPA, Samba and AD

2013-09-22 Thread Alexander Bokovoy
domain is actually NT4 style too, that might work. The latter is a bit handwavy due to the way discovery is done in winbindd which might decide Kerberos is preferred by the trusting party... -- / Alexander Bokovoy

Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-24 Thread Alexander Bokovoy
user ? Under winsync AD users would become 'normal' LDAP objects in IPA, therefore you can assign additional values/attributes to them. -- / Alexander Bokovoy

Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Alexander Bokovoy
service is available, it is published (via avahi, for example). If service is not running, it is not published. -- / Alexander Bokovoy

Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy
On Wed, 25 Sep 2013, Martin Kosek wrote: On 09/24/2013 04:40 PM, Alexander Bokovoy wrote: On Tue, 24 Sep 2013, Alexandre Ellert wrote: Hi, I've successfully setup a testing environment with an IPA server (RHEL 6.4) and a cross realm trust with my Active Directory (Win2008 R2). Authentication

Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Alexander Bokovoy
On Wed, 25 Sep 2013, Sumit Bose wrote: On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote: On 09/24/2013 04:40 PM, Alexander Bokovoy wrote: On Tue, 24 Sep 2013, Alexandre Ellert wrote: Hi, I've successfully setup a testing environment with an IPA server (RHEL 6.4) and a cross
