Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA v2 Server Alpha 2 Release

2010-03-12 Thread Christian Horn
On Thu, Feb 18, 2010 at 02:07:54PM -0500, Rob Crittenden wrote: Please take a moment to play with these pages. Please do not pay attention to style, rather focus attention to the work flow, layout and data being added, displayed or modified. We need to understand if the direction that

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Christian Horn
On Thu, Jul 22, 2010 at 03:30:23PM -0400, Scott Duckworth wrote: There are almost 120,000 users in our directory, and we currently have ~200 Linux systems that might use SSSD, soon scaling to 500 systems. I imagine that even 500 systems is only a medium-scale installation compared to some

Re: [Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

2011-01-03 Thread Christian Horn
On Mon, Jan 03, 2011 at 07:37:51PM +0100, Roland Kaeser wrote: It's sad, but in most cases, sysadmins have to deal with windows machines in their network. True, but IMHO the strategy FreeIPA is currently following in doing interop with crossrealm-trusts is the only long-term way to go.

Re: [Freeipa-users] Standalone or VM instance of FreeIPA

2011-03-21 Thread Christian Horn
Hi, On Mon, Mar 21, 2011 at 11:43:39AM -0500, Steven Bernstein wrote: My point is: When I go to run the installation script on my Fedora box, it tells me the script cannot be run unless the IP resolves in both directions. Is there a 'decent' way to go 'round this? Looking for help, if you

Re: [Freeipa-users] Standalone or VM instance of FreeIPA

2011-03-22 Thread Christian Horn
Hi, On Tue, Mar 22, 2011 at 10:49:07AM -0500, Steven Bernstein wrote: Would you be able to point me towards an instructable / how-to on that, please? These were my notes for setting it up on rhel5 some time ago: http://fluxcoil.net/doku.php/kerberos/3_setup_bind Yet one has to know some

Re: [Freeipa-users] IPA Startup issues

2011-05-23 Thread Christian Horn
On Mon, May 23, 2011 at 08:58:53PM +, Steven Jones wrote: I just built a brand new RHEL6.1 64bit server and installed ipa-server and despite setting up the chkconfig's it won't start on boot...it will start manually later by hand... Works out of the box for my virt-installed virtual

Re: [Freeipa-users] IPA Startup issues

2011-05-23 Thread Christian Horn
Hi, On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote: My issue is startup of IPA only occurs when the host is extremely busy, such as after a reboot of the host machine when the disk is grinding and the cpu is almost going up in flames of all the virtual machines starting at

Re: [Freeipa-users] IPA Startup issues

2011-05-24 Thread Christian Horn
On Tue, May 24, 2011 at 11:13:06AM +0200, Sigbjorn Lie wrote: Do you have any examples for how to do cgroup configuration for a KVM machine? I've had a quick browse through the cgrules.conf file, and I don't see an option for specifying KVM machines... Look at it as a usual process. Linda

Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

2011-05-25 Thread Christian Horn
On Wed, May 25, 2011 at 01:29:41PM -0800, Erinn Looney-Triggs wrote: On 05/25/2011 01:21 PM, Steven Jones wrote: As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need

Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

2011-05-25 Thread Christian Horn
On Thu, May 26, 2011 at 05:51:59AM +, Steven Jones wrote: Quickly as I'm late. We are setting up cross realm from AD to a school who runs MIT Kerberos with openldap underneath. A windows client in our domain can then connect to a school resource where it's connected to the school's

Re: [Freeipa-users] bug in ipa user-add

2011-05-30 Thread Christian Horn
On Tue, May 31, 2011 at 02:17:44AM +, Steven Jones wrote: So the docs should cover this at the least It's actually not a problem of ipa but a feature of your shell. I bet there is documentation for your shell explaining the usage of . In case you use a shell which does not use to

Re: [Freeipa-users] issues + docs

2011-06-26 Thread Christian Horn
On Thu, Jun 23, 2011 at 02:33:43PM -0400, Deon Lackey wrote: I'm culling through some of the recent issues on this list to make sure they end up on the FreeIPA wiki or in the FreeIPA guide (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html). Really nice to see the

Re: [Freeipa-users] How to configuring MIT Kerberos in microsoft windows xp

2011-06-30 Thread Christian Horn
On Thu, Jun 30, 2011 at 01:58:32PM +0700, Muhammad Naufal wrote: Now it can authenticate against IPA server but no ticket generated when i type klist in XP cmd prompt. As a result i can not access IPA web ui. IIRC there can multiple ticket caches be used there. Maybe the MIT windows kerberos

Re: [Freeipa-users] Question on AD to freeipa sync

2011-10-03 Thread Christian Horn
On Mon, Oct 03, 2011 at 10:03:12AM +0200, Ondrej Valousek wrote: Just wondering why would anyone want to sync freeIPA and AD - both can serve Linux systems fine, so if I already have AD, I no longer require IPA. - the error messages of an AD might be strange to deal with for unix/linux admins

Re: [Freeipa-users] ipa-getkeytab during %post

2012-02-08 Thread Christian Horn
On Wed, Feb 08, 2012 at 11:13:36AM +, Dale Macartney wrote: i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart... i've run ipa-client-install -U -p admin -w redhat123

Re: [Freeipa-users] IPA, samba, and secondary groups

2012-03-03 Thread Christian Horn
Hi, On Wed, Feb 29, 2012 at 11:24:25AM -0500, Kelvin Edmison wrote: I am running into an issue where users cannot access a samba volume if their only access is via a secondary group. For example, if testuser's primary group is ipausers, and secondary groups include testgroup, and the

Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Christian Horn
On Mon, Aug 27, 2012 at 08:57:20AM +0200, David Sastre wrote: On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote: Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines

Re: [Freeipa-users] Easy deployment

2012-09-25 Thread Christian Horn
Hi, On Tue, Sep 25, 2012 at 12:17:47AM +0200, James James wrote: we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) nfsv4 client. I can add host with # ipa host-add --password=secret But to get the keytab (host and

Re: [Freeipa-users] Improving user manual.

2012-10-25 Thread Christian Horn
Hi, On Thu, Oct 25, 2012 at 07:55:31PM +, Steven Jones wrote: One thing that has plagued me for the last 9 months is trying to fault find why something doesn't work when setting up or in operation. Looking at each section, say the passsync I think it would be useful to have a

Re: [Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Christian Horn
On Fri, Dec 07, 2012 at 01:02:01PM +0100, Petr Spacek wrote: I accidentally found following how-to: http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA Did somebody try it? Did it work? Looks good, although I like the 'nfsroot' style of nfsv4. My notes are at

Re: [Freeipa-users] Windows XP Client problem

2013-01-23 Thread Christian Horn
Hi, On Wed, Jan 23, 2013 at 02:50:06PM -0800, Eric Chennells wrote: I have followed the instructions of these two guides: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html http://freeipa.org/page/Windows_authentication_against_FreeIPA Kerberos

Re: [Freeipa-users] Windows XP Client problem

2013-01-25 Thread Christian Horn
Hi, On Thu, Jan 24, 2013 at 01:36:04PM -0800, Eric Chennells wrote: [windows kerberos client] Is anyone aware of if there is an LDAP related configuration needed? It seems like only setting up the kerberos authentication is not enough. The only working way with unmodified [1] Windows as

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Christian Horn
On Mon, Feb 11, 2013 at 12:00:22PM -0500, rashard.ke...@sita.aero wrote: I was wondering if I need to be concerned about IPA 2 being updated automatically to IPA 3? We have a working IPA 2 environment in place now and wanted to know if IPA needed to be added to an exclude list. We are

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Christian Horn
On Mon, Feb 11, 2013 at 01:25:56PM -0500, Rob Crittenden wrote: Christian Horn wrote: If you have the old system only receiving z-stream updates, so i.e. 6.3.z for a RHEL6.3 then you will stay on ipa2. I just tested the upgrade of a populated ipa2/rhel6.3 to rhel6.4 . Without a 'exclude

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Christian Horn
On Mon, Feb 11, 2013 at 02:26:06PM -0500, Rob Crittenden wrote: Christian Horn wrote: On Mon, Feb 11, 2013 at 01:25:56PM -0500, Rob Crittenden wrote: Christian Horn wrote: If you have the old system only receiving z-stream updates, so i.e. 6.3.z for a RHEL6.3 then you will stay on ipa2

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Christian Horn
On Mon, Feb 11, 2013 at 09:05:40PM +, Steven Jones wrote: Personally I'm very worried, 6.2 to 6.3 went badly and this looks like a bigger upgrade I might miss something.. but can't one create a throw away replica of the old environment, use that then separately and try out the upgrade with

Re: [Freeipa-users] ipa: ERROR: attribute idnsAllowTransfer not allowed

2013-02-25 Thread Christian Horn
Hi, On Mon, Feb 25, 2013 at 09:46:49AM +0100, Sigbjorn Lie wrote: $ ipa dnszone-add example.com --name-server=ns01.example.com --admin-email=hostmaster.example.com ipa: ERROR: attribute idnsAllowTransfer not allowed [..] Is this a known error? Yes, the idnsZone objectClass entry was

Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn
Hoi, Dale Macartney wrote: I'm open to hear some opinions and thoughts on what the best way to auto-provision service principles in an environment with a 100% autonomous build process.. Lets say for example, I wanted to provision a mail server and configure dovecot SSO in the same

Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn
Dale Macartney wrote: On 03/11/2013 11:04 AM, Christian Horn wrote: How about having service-add/ipa-getkeytab done on the server, and having the keytab deployed onto the clientsystem using scp from the server, or via configmanagement? That definitely gets around security concerns

Re: [Freeipa-users] Recent/Decent Install Config Guide?

2013-03-19 Thread Christian Horn
Hi, On Tue, Mar 19, 2013 at 10:48:31AM -0400, Guy Matz wrote: Hi! Does anyone know of a recent detailed installation/configuration guide for IPA? Is the InstallAndDeploy wiki (http://freeipa.org/page/InstallAndDeploy) still appropriate? It mentions Fedora 7, so I'm thinking it might be a

Re: [Freeipa-users] Heads-up: Removing self-sign CA

2013-03-28 Thread Christian Horn
Hi, On Tue, Mar 26, 2013 at 05:02:34PM +0100, Petr Viktorin wrote: We will soon be introducing a way to install IPA with custom certificates without a CA at all. When that is merged, it will no longer be possible to install a self-sign server. I see that the change in functionality is in

Re: [Freeipa-users] Heads-up: Removing self-sign CA

2013-03-28 Thread Christian Horn
On Thu, Mar 28, 2013 at 09:32:36AM +0100, Petr Viktorin wrote: To clarify: this is about removing the --selfsign option to ipa-server-install, which installs a limited CA (for example, it doesn't support CA replication or cert-find). The default Dogtag CA also uses a self-signed

Re: [Freeipa-users] freeipa and sudo

2013-09-07 Thread Christian Horn
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote: Are [1] and [2] still the current and best sources of information for configuring sudo for use with the current release of FreeIPA on Fedora 19? 1. http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html 2.

Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication

2013-09-16 Thread Christian Horn
Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup +

Re: [Freeipa-users] TLSA records in FreeIPA

2013-09-25 Thread Christian Horn
On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote: I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is

Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Christian Horn
On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote: On 25.9.2013 08:20, Christian Horn wrote: Hm.. another nice idea would be to announce services via zeroconf/bonjour. I guess effectively it's the same as having clients search in DNS who offers service XYZ which we already do

Re: [Freeipa-users] zeroconf/bonjour FreeIPA

2013-09-25 Thread Christian Horn
On Wed, Sep 25, 2013 at 10:43:16AM +0300, Alexander Bokovoy wrote: Before adding a support for this in FreeIPA it is worth to see if any of supposed clients would already have it supported. I was more having in mind to announce services that IPA learns about automatically, but the server

Re: [Freeipa-users] DNS views: request for comments

2013-10-01 Thread Christian Horn
Hi, On Tue, Oct 01, 2013 at 05:11:16PM +0200, Petr Spacek wrote: Questions are: - For what purpose do you use views? I see only use for 2 views: a) Internal clients, domain members. They - see everything (internet DNS records plus IPA domain data) - can request

Re: [Freeipa-users] Install FreeIPA on CentOS 6.4

2013-12-04 Thread Christian Horn
Hi, On Wed, Dec 04, 2013 at 10:52:58AM -0500, Dimitar Georgievski wrote: I plan to install FreeIPA on CentOS 6.4. Initially FreeIPA should provide secure authentication and authorization for system (shell) accounts (users and groups) by integration with SSSD. There is already a DNS server

Re: [Freeipa-users] sssd off after authconfig update

2013-12-25 Thread Christian Horn
Hi, On Thu, Dec 26, 2013 at 11:59:28AM +0600, Arthur Faizullin wrote: As I mentioned earlier in my previous topic, when I do: # authconfig --enablemkhomedir --update that somehow makes sssd off (disables autostart), so I should do: # chkconfig sssd on os: EL6 (CentOS) ipa version: 3.0

Re: [Freeipa-users] Specifying gid/uid range

2014-02-06 Thread Christian Horn
On Thu, Feb 06, 2014 at 09:33:08AM -0500, Mauricio Tavares wrote: Where can I configure the range, or at least starting value, for the uid and gid that will be used when creating user accounts? I think this helps: