[Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
Hello, If I uninstall the ipa client with ipa-client-install --uninstall then reinstall it to the same ipa master then most functions work fine. However, if I attempt to ssh from the client to the master then I get. @@@ @WARNING: REMOTE

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
/USER/.ssh/known_hosts delete the IP line. On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton b...@jackland.demon.co.uk wrote: Hello, If I uninstall the ipa client with ipa-client-install --uninstall then reinstall it to the same ipa master

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
On 10/06/2015 14:37, Lukas Slebodnik wrote: On (10/06/15 11:33), Bob Hinton wrote: Hello, If I uninstall the ipa client with ipa-client-install --uninstall then reinstall it to the same ipa master then most functions work fine. However, if I attempt to ssh from the client to the master

Re: [Freeipa-users] ssh known hosts gets recreated on client

2015-06-10 Thread Bob Hinton
/ssh_host_ecdsa_key.pub keyfix.sh echo -n ',' keyfix.sh sudo cat /etc/ssh/ssh_host_ed25519_key.pub keyfix.sh echo ' keyfix.sh vi keyfix.sh (keep pressing J to join everything into one long line) sh keyfix.sh On 10/06/2015 17:09, Bob Hinton wrote: On 10/06/2015 14:37, Lukas Slebodnik wrote

Re: [Freeipa-users] problem with keytab for ipa user-add

2015-06-01 Thread Bob Hinton
On 01/06/2015 11:01, Petr Vobornik wrote: On 06/01/2015 11:36 AM, Bob Hinton wrote: On 01/06/2015 09:55, Petr Vobornik wrote: On 05/31/2015 12:21 PM, Bob Hinton wrote: Hello, I've written a Ruby script to add IPA users from CSV files. This works fine when specifying a username and password

Re: [Freeipa-users] problem with keytab for ipa user-add

2015-06-01 Thread Bob Hinton
On 01/06/2015 09:55, Petr Vobornik wrote: On 05/31/2015 12:21 PM, Bob Hinton wrote: Hello, I've written a Ruby script to add IPA users from CSV files. This works fine when specifying a username and password. However, using a keytab produces an error (see below). This seems to happen whatever

[Freeipa-users] problem with keytab for ipa user-add

2015-05-31 Thread Bob Hinton
Hello, I've written a Ruby script to add IPA users from CSV files. This works fine when specifying a username and password. However, using a keytab produces an error (see below). This seems to happen whatever I put in the keytab file. Any suggestions ? The VM in question has had its database

[Freeipa-users] client fails to install from ipa-server-install or ipa-replica-install

2015-05-28 Thread Bob Hinton
is enabled on the target VMs, but presumably this isn't an issue. Many thanks Bob Hinton trying https://ipa001.jackland.co.uk/ipa/json Forwarding 'ping' to json server 'https://ipa001.jackland.co.uk/ipa/json' Cannot connect to the server due to generic error: cannot connect to 'https://ipa001

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-25 Thread Bob Hinton
/2015 07:10, Martin Kosek wrote: On 05/23/2015 01:51 PM, Bob Hinton wrote: Hello, I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM then using ipa-restore on the rebuilt master. Most functions of the newly built master work. Logging-in via

[Freeipa-users] ipa-backup and ipa-restore

2015-05-23 Thread Bob Hinton
Hello, I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM then using ipa-restore on the rebuilt master. Most functions of the newly built master work. Logging-in via ssh with keys works but using passwords produces Permission denied, please

[Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication

2016-05-25 Thread Bob Hinton
wo replicas running IPA v4.2.0 on RHEL 7.2. Do I need to make the same change to all three servers ? Can I leave the replicas connected or do I need to break the replication and re-establish it? Do I need the "ipa permission-mod" if so then how do I avoid it freezing ? Many thanks Bo

Re: [Freeipa-users] Adding groupOfUniqueNames to all freeipa replicas for Zenoss LDAP authentication

2016-05-27 Thread Bob Hinton
Hi Martin, On 27/05/2016 14:01, Martin Kosek wrote: > On 05/25/2016 09:51 PM, Bob Hinton wrote: >> Hello, >> >> We are trying to get Zenoss login authentication to use freeipa over >> LDAP. Group mappings don't currently work and we think this is because >> Zenos

Re: [Freeipa-users] Cannot add password policy SOLVED

2016-03-10 Thread Bob Hinton
On 09/03/2016 22:14, Rob Crittenden wrote: > Bob Hinton wrote: >> Hi, >> >> I've been trying to add a password policy for an existing user group >> called "services" in IPA version 4.2.0. >> >> ipa pwpolicy-add services >> ipa: ERROR: entry

[Freeipa-users] Cannot add password policy

2016-03-08 Thread Bob Hinton
et the same symptoms, so it's possible that this is what happened with the services pwpolicy. How do I correct this situation? Many thanks Bob Hinton -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freei

[Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Bob Hinton
he named issue or is it much simpler to disconnect the replica, uninstall it and start again ? Thanks Bob Hinton

Re: [Freeipa-users] How to delete a managed group

2016-08-03 Thread Bob Hinton
On 03/08/2016 07:15, Petr Spacek wrote: > On 3.8.2016 00:58, Bob Hinton wrote: >> Hi, >> >> Something went wrong when trying to restore some preserved users so I >> deleted them and then tried to recreate them. This failed with - >> >> ipa: ERROR: Unable

[Freeipa-users] How to delete a managed group

2016-08-02 Thread Bob Hinton
Hi, Something went wrong when trying to restore some preserved users so I deleted them and then tried to recreate them. This failed with - ipa: ERROR: Unable to create private group. A group 'X' already exists. Trying to delete this group produces - ipa: ERROR: Unable to create private

[Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-13 Thread Bob Hinton
he named issue or is it much simpler to disconnect the replica, uninstall it and start again ? Thanks Bob Hinton

Re: [Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]

2016-07-14 Thread Bob Hinton
On 14/07/2016 08:39, Martin Babinsky wrote: > On 07/13/2016 09:56 PM, Bob Hinton wrote: >> Hi, >> >> We are trying to create a new replica on RHEL 7.2 >> >> This completes but named-pkcs11 fails to start - >> >> systemctl status named-pkcs11.service

[Freeipa-users] Struggling to remove redundant RUV records

2016-07-19 Thread Bob Hinton
dapsearch (see below), but this seems to give numbers that don't match the replica IDs. Do I need to translate the search results in some fashion or use a different search ? Many Thanks Bob Hinton -sh-4.2$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) -sh-4.2$ ipa --ve

Re: [Freeipa-users] How to delete a managed group [SOLVED]

2016-08-04 Thread Bob Hinton
On 03/08/2016 14:13, Rob Crittenden wrote: > Bob Hinton wrote: >> On 03/08/2016 07:15, Petr Spacek wrote: >>> On 3.8.2016 00:58, Bob Hinton wrote: >>>> Hi, >>>> >>>> Something went wrong when trying to restore some preserved users so I >>

[Freeipa-users] How do I create a certificate to support LDAPS for an IPA cluster

2016-08-30 Thread Bob Hinton
so that Rundeck sees a valid SSL certificate. This means that the authentication fails if that particular IPA master is down. Is it possible to create a single SSL certificate that would support a LDAPS connection to any of the IPA masters and, if so then how is this done ? Many thanks Bob Hinton

[Freeipa-users] pki-tomcat failure

2017-01-10 Thread Bob Hinton
Hi, The pki-tomcatd services on our IPA servers seem to have stopped working. This seems to be related to the expiry of several certificates - [root@ipa001 ~]# getcert list | more Number of certificates and requests being tracked: 8. Request ID '20161230150048': status: MONITORING

Re: [Freeipa-users] pki-tomcat failed. [SOLVED]

2017-01-10 Thread Bob Hinton
true > > 5. systemctl start pki-tomcatd@pki-tomcat.service > > Now tomcat should run correctly and you should be able to resubmit expired > certs and you can start to experiment with switch dogtag back to TLS auth. > Hope this helps you. > > Regards, Adam > >

[Freeipa-users] pki-tomcat failed.

2017-01-10 Thread Bob Hinton
Hi, The pki-tomcatd services on our IPA servers seem to have stopped working. This seems to be related to the expiry of several certificates - [root@ipa001 ~]# getcert list | more Number of certificates and requests being tracked: 8. Request ID '20161230150048': status: MONITORING

Re: [Freeipa-users] pki-tomcat failure

2017-01-11 Thread Bob Hinton
On 11/01/2017 13:55, Petr Vobornik wrote: > On 01/10/2017 09:31 PM, Bob Hinton wrote: >> Hi, >> >> The pki-tomcatd services on our IPA servers seem to have stopped working. >> >> This seems to be related to the expiry of several certificates - >> >> [

[Freeipa-users] default nisdomain appears to be derived from hostname of first master rather than set to domain or realm. Bug ?

2017-03-18 Thread Bob Hinton
? Is there a way to change the default nisdomain ? Rebuilding all the new IPA masters and migrating all the data again would be a lot of work. Many thanks Bob Hinton

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-17 Thread Bob Hinton
On 17/03/2017 14:01, Lukas Slebodnik wrote: > On (17/03/17 13:52), Bob Hinton wrote: >> On 17/03/2017 12:48, Lukas Slebodnik wrote: >>> On (17/03/17 10:40), Bob Hinton wrote: >>>> On 17/03/2017 08:41, Jakub Hrozek wrote: >>>>> On Fri, Mar 1

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-18 Thread Bob Hinton
On 17/03/2017 14:01, Lukas Slebodnik wrote: > On (17/03/17 13:52), Bob Hinton wrote: >> On 17/03/2017 12:48, Lukas Slebodnik wrote: >>> On (17/03/17 10:40), Bob Hinton wrote: >>>> On 17/03/2017 08:41, Jakub Hrozek wrote: >>>>> On Fri, Mar 1

Re: [Freeipa-users] default nisdomain appears to be derived from hostname of first master rather than set to domain or realm. Bug ?

2017-03-18 Thread Bob Hinton
On 18/03/2017 17:03, Alexander Bokovoy wrote: > On la, 18 maalis 2017, Bob Hinton wrote: >> Hi, >> >> The first IPA master we built was ipa001.local.lan. We have since >> created a number of subdomains of local.lan and have created a number of >> replicas.

Re: [Freeipa-users] default nisdomain appears to be derived from hostname of first master rather than set to domain or realm [SOLVED]

2017-03-18 Thread Bob Hinton
On 18/03/2017 19:09, Alexander Bokovoy wrote: > On la, 18 maalis 2017, Bob Hinton wrote: >> On 18/03/2017 17:03, Alexander Bokovoy wrote: >>> On la, 18 maalis 2017, Bob Hinton wrote: >>>> Hi, >>>> >>>> The first IPA master we built was

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem [SOLVED]

2017-03-20 Thread Bob Hinton
On 20/03/2017 08:29, Jakub Hrozek wrote: > On Fri, Mar 17, 2017 at 01:52:17PM +0000, Bob Hinton wrote: >> On 17/03/2017 12:48, Lukas Slebodnik wrote: >>> On (17/03/17 10:40), Bob Hinton wrote: >>>> On 17/03/2017 08:41, Jakub Hrozek wrote: >>>>> On Fri,

[Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-17 Thread Bob Hinton
Morning, We have a collection of hosts within prod1.local.lan. However, the domain section of the shadow netgroups for the hosts is mgmt.prod.local.lan. This seems to prevent sudo rules working on these hosts unless they specify all hosts - -sh-4.2$ getent netgroup oepp_hosts oepp_hosts

Re: [Freeipa-users] Adjusting nsslapd-cachememsize

2017-03-17 Thread Bob Hinton
Hi Lachlan, This is probably a complete hack, but the way I've changed nsslapd-cachememsize in the past is - On each ipa replica in turn - 1. ipactl stop 2. vim /etc/dirsrv/slapd-DOMAIN/dse.ldif- (where DOMAIN is your server's domain/realm - not sure which) find and change the value

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-17 Thread Bob Hinton
On 17/03/2017 08:41, Jakub Hrozek wrote: > On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote: >> Morning, >> >> We have a collection of hosts within prod1.local.lan. However, the >> domain section of the shadow netgroups for the hosts is >> mgmt.prod.loca

Re: [Freeipa-users] shadow netgroups with wrong domains - sudo problem

2017-03-17 Thread Bob Hinton
On 17/03/2017 12:48, Lukas Slebodnik wrote: > On (17/03/17 10:40), Bob Hinton wrote: >> On 17/03/2017 08:41, Jakub Hrozek wrote: >>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote: >>>> Morning, >>>> >>>> We have a collection of