Hi,
this looks similar to:
https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html
and https://fedorahosted.org/freeipa/ticket/4807
Did you try to raise the nsslapd-sasl-max-buffer-size?
--
David Kupka
--
Hello Bryan,
I'm currently working on this. This feature should be available in
freeipa-4.2.
--
David Kupka
On 02/13/2015 01:25 PM, Bryan Pearson wrote:
One of our IPA servers is in a virtualized environment and is continuously
losing time, resulting in invalid credentials and breaking
domain.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
/to/external_ca_certificate
--
David Kupka
them off and on
normally (with system or using ipactl stop/start) and after they start
again the replication process should continue.
--
David Kupka
to solve similar issue:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html
--
David Kupka
you need to decide whether your FreeIPA domain is internal or
external.
If it's internal it is inaccessible from outside and you need to first
connect to the internal network (e.g. use VPN) and then connect to
FreeIPA server.
If it's external then everything works as expected.
--
David Kupka
/archives/freeipa-users/2015-April/msg00016.html)
there is no special procedure. You just turn the servers off before the
power outage and then turn them back on.
--
David Kupka
. This is
currently WIP, you can find more on freeipa-devel list.
--
David Kupka
Hello,
I think that it should be possible with ID View
(http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views)
but I'm not familiar with it.
--
David Kupka
.
On the other hand it would be useful to show these implicit members in
group-show output.
Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
-tomcatd fails and
therefore ipactl start fails.
Could you run # ipactl start -d and post its output?
Also starting individual services is not a good idea as you can forget
to start some (you actually did :-)
--
David Kupka
not sure if it is available in
CentOS, yet.
--
David Kupka
variable where
Directory Manager password is required but I know it's just name of the
variable.
--
David Kupka
on all ipa servers and clients
to distribute the new certificate.
--
David Kupka
On 16/10/15 15:26, Fujisan wrote:
Hello,
When I enter the email address, the phone number or the mailing address of
ipa user 'smith' in the web ui "Identity/Users/smith", it does not appear
in the output of ldapsearch.
Sendmail can look into the ldap database and get the email address of a
repository
(https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer
version of PKI packages and I tested replication between Fedora 21 and
CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected.
Could you please try it again?
--
David Kupka
Hello Steven!
I would like to help you but unfortunately I have no chance to guess
what went wrong.
To help us help you please report any issue in a way described on
FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting).
Most importantly we need the following:
1.
that came to my mind would be having records in DNS and
not having corresponding IPv6 on that host but that is general
misconfiguration.
--
David Kupka
on client?
--
David Kupka
u,u,u
EXAMPLE.TEST IPA CA CT,C,C
Signing-Cert u,u,u
If this is not what you were asking please try to explain what you want
to achieve in more detail.
--
David Kupka
.)
David
On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com> wrote:
On 21/08/15 15:21, bahan w wrote:
Hello !
I contact you because I notice something strange with IPA
environment.
I cre
understand Kerberos better will advise.
--
David Kupka
Thanks
Hello!
I don't know why it does not work with ktutil but I've found another way
to get a keytab for a user:
$ kinit ttester
$ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96
$ kdestroy
$ kinit ttes...@example.test -kt ttester.keytab
HTH,
On 26/02/16 08:56, David Kupka wrote:
On 26/02/16 02:22, Teik Hooi Beh wrote:
Hi,
I have managed to deploy 1 ipa master and 1 ipa client with success on
centos 7.2 with freeipa v4.2. I also managed to create a user and set
sshd rules for the ttester user and also successfully got a krb ticket
s used. When IP address is needed it
can be resolved from the name included in SRV response.
HTH,
--
David Kupka
stopped it before. It can result in inconsistent data in backup archive.
[0]
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293
[1]
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316
--
David Kupka
log on server:
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND:
nonexist...@example.test for krbtgt/example.t...@example.test, Client
not found in Kerberos database
--
David Kupka
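The CLIENT_NOT_FOUND entry quoted above is one of the status lines MIT krb5kdc writes for every AS_REQ and TGS_REQ, and the same line carries the source address and the encryption types the client offered, so a little parsing turns the KDC log into a detection source. The Python below is an added example, not code from FreeIPA or from the reply above. It runs over constructed sample lines in that format (the first mirrors the quoted entry with a made-up principal; the other lines, the 192.0.2.x addresses and the threshold are invented), lists the principals the KDC did not know, flags a source that probes several unknown principals (the CLIENT_NOT_FOUND versus NEEDED_PREAUTH difference is exactly what Kerberos user-enumeration tools rely on), and reports clients still advertising DES, 3DES or RC4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample in MIT krb5kdc's log format (not captured from a real host). The
# first line mirrors the CLIENT_NOT_FOUND entry quoted in the thread; the rest are made up.
SAMPLE_KDC_LOG = """\
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexistent@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:10:36 vm-248.example.test krb5kdc[11350](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.50: NEEDED_PREAUTH: ttester@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Feb 17 10:10:36 vm-248.example.test krb5kdc[11350](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.50: ISSUE: authtime 1455703836, etypes {rep=18 tkt=18 ses=18}, ttester@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 17 10:11:01 vm-248.example.test krb5kdc[11350](info): AS_REQ (1 etypes {23}) 192.0.2.77: CLIENT_NOT_FOUND: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:11:01 vm-248.example.test krb5kdc[11350](info): AS_REQ (1 etypes {23}) 192.0.2.77: CLIENT_NOT_FOUND: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:11:02 vm-248.example.test krb5kdc[11350](info): AS_REQ (1 etypes {23}) 192.0.2.77: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
"""

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
# "<client> for <server>" follows the status directly, except on ISSUE lines where the
# authtime and negotiated etypes come first; searching for the first " for " handles both.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")

# Encryption types deprecated by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}


@dataclass
class KdcEvent:
    req: str
    ip: str
    status: str
    client: str
    server: str
    etypes: List[int]


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse AS_REQ/TGS_REQ status lines; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = PRINCIPALS_RE.search(m.group("rest"))
        client, server = (p.group("client"), p.group("server")) if p else ("?", "?")
        etypes = [int(e) for e in m.group("etypes").split()]
        events.append(KdcEvent(m.group("req"), m.group("ip"), m.group("status"),
                               client, server, etypes))
    return events


def unknown_clients(events: List[KdcEvent]) -> List[tuple]:
    """(source ip, principal) for every request rejected with CLIENT_NOT_FOUND."""
    return [(e.ip, e.client) for e in events if e.status == "CLIENT_NOT_FOUND"]


def enumeration_suspects(events: List[KdcEvent], threshold: int = 2) -> Dict[str, int]:
    """Sources that hit CLIENT_NOT_FOUND for at least `threshold` distinct principals.
    A single typo gives one unknown name; a wordlist gives many from one address."""
    per_ip: Dict[str, Set[str]] = {}
    for ip, client in unknown_clients(events):
        per_ip.setdefault(ip, set()).add(client)
    return {ip: len(names) for ip, names in per_ip.items() if len(names) >= threshold}


def weak_etype_offers(events: List[KdcEvent]) -> Dict[str, Set[str]]:
    """Per source ip, the deprecated etypes the client advertised in its requests."""
    out: Dict[str, Set[str]] = {}
    for e in events:
        weak = {WEAK_ETYPES[t] for t in e.etypes if t in WEAK_ETYPES}
        if weak:
            out.setdefault(e.ip, set()).update(weak)
    return out


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_KDC_LOG)
    print("unknown clients:", unknown_clients(evs))
    print("possible enumeration:", enumeration_suspects(evs))
    print("weak etypes offered:", weak_etype_offers(evs))
```

On an IPA server the real input is /var/log/krb5kdc.log (MIT's default path). The weak-etype report is the useful one when tightening the realm's permitted_enctypes: it shows which hosts still offer RC4 before the KDC stops accepting it.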
on't see the need for stopping the server manually.
ipa-backup calls "ipactl start" [0]. If you remove the else branch it
will not start the server.
[0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316
HTH,
David
2016-02-17 8:00 GMT+01:0
rvices in FreeIPA depend on host names and resolve
IP addresses from DNS when needed.
But if the DNS server is part of the FreeIPA server you're trying to restore, it
is holding old records with old IP addresses. Maybe this is the cause
but it's just a wild guess.
--
David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote:
Do you mean using ldapmodify?
I tried updating the dse.ldif but it falls back after a while.
On 27 April 2016 at 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
On 27/04/16 12:48, barry...@gmail.com <
g
nsslapd-requiresrestart
I don't see nsslapd-security listed so it should be possible to change
it in runtime.
--
David Kupka
illa.redhat.com/show_bug.cgi?id=1271551
HTH,
--
David Kupka
db
Please check the permission on your system. If it's different and you
(or system admin) haven't changed it please file a ticket
(https://fedorahosted.org/freeipa/newticket).
--
David Kupka
reproducer?
--
David Kupka
hint is highly welcome
Harri
Hello Harri,
the attribute you're looking for is 'nsaccountlock'. This command should
give you uids of all disabled users:
$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test
"(nsaccountlock=TRUE)" uid
--
David Kupka
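Two of the replies above come down to reading LDIF: the nsslapd-requiresrestart values in cn=config say whether an attribute such as nsslapd-security can be changed live with ldapmodify (editing dse.ldif under a running ns-slapd is what makes a change "fall back", because the server rewrites that file from its in-memory configuration), and the (nsaccountlock=TRUE) search returns the disabled users as LDIF. The Python below is an added example, not FreeIPA or 389-ds code: a small LDIF reader (folded lines and base64 "::" values are handled, "<" URL references are not) plus the two checks, run over constructed sample LDIF whose nsslapd-requiresrestart values are illustrative rather than copied from a real server.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed LDIF, not captured from a real server. The nsslapd-requiresrestart
# values are illustrative; list yours with an ldapsearch against cn=config.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
cn: config
nsslapd-security: off
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-listenhost
nsslapd-requiresrestart: cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-
 cachememsize
"""

# Constructed output of: ldapsearch -LLL ... "(objectclass=person)" uid nsaccountlock
SAMPLE_USERS_LDIF = """\
dn: uid=ttester,cn=users,cn=accounts,dc=example,dc=test
uid: ttester
nsaccountlock: FALSE

dn: uid=former,cn=users,cn=accounts,dc=example,dc=test
uid: former
nsaccountlock: TRUE

dn: uid=contractor,cn=users,cn=accounts,dc=example,dc=test
uid: contractor
nsaccountlock:: VFJVRQ==
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by blank lines, a leading space folds
    a line onto the previous one, 'attr:: v' is base64. Attribute names are lower-cased
    because LDAP compares them case-insensitively. 'attr:< url' is not supported."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def requires_restart(config: Entry, attr: str, dn: str = "cn=config") -> bool:
    """True if cn=config lists dn:attr in nsslapd-requiresrestart, i.e. a change is only
    picked up after restarting dirsrv; False means ldapmodify applies it at runtime."""
    wanted = f"{dn}:{attr}".lower()
    return any(v.lower() == wanted for v in config.get("nsslapd-requiresrestart", []))


def disabled_uids(entries: List[Entry]) -> List[str]:
    """uids whose nsaccountlock is TRUE, i.e. what the (nsaccountlock=TRUE) filter returns."""
    return [uid for e in entries
            if any(v.upper() == "TRUE" for v in e.get("nsaccountlock", []))
            for uid in e.get("uid", [])]


if __name__ == "__main__":
    config = parse_ldif(SAMPLE_CONFIG_LDIF)[0]
    for attr in ("nsslapd-security", "nsslapd-port"):
        print(attr, "needs restart" if requires_restart(config, attr)
              else "changeable at runtime")
    print("disabled users:", disabled_uids(parse_ldif(SAMPLE_USERS_LDIF)))
```

Pipe real ldapsearch -LLL output into parse_ldif and the same two functions apply unchanged; the base64 case matters because ldapsearch encodes any value with leading spaces or non-ASCII that way.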
auto-renew: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or another time synchronizing service) and setting
the time manually the server really doesn't have a way to determine that its time
differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the content
of
the opposite (installing CS on CA-less freeipa
server). Feel free to file an RFE https://fedorahosted.org/freeipa/newticket
--
David Kupka
RFE (https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
domains),
c) will likely result in weird behavior,
d) is definitely not supported nor encouraged.
--
David Kupka
ORG
Principal "krbtgt/example@example.org" modified.
: exit
To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
and restart krb5kdc service.
But generally I don't think it's a good idea to have such long tickets. Would
it make sense in your use case to deploy
d in [2]? Why is separate deployment of FreeIPA for the project
required?
[1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx
[2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html
--
David Kupka
Hello!
From man 8 useradd:
Usernames may only be up to 32 characters long.
--
David Kupka
te accounts for all the users involved in Project in Enterprise
IPA and assign them to Project group. You can also enroll all Project hosts
to Enterprise IPA and add them to Project hostgroup. Then you can use HBAC
rules [1] to:
* disable the default allow_all rule
* allow everyone in Proje
renew the ticket for the user until the ticket renew
life time expires.
Given this you can keep ticket life time reasonably short (~1 day), set ticket
renewable life time to a longer period (~2 weeks) and maintain a reasonable
security level without negative impact on users' daily work.
Look for krb5_renew_interv
he
logs out at the end of the workday (after 8~10 hours). So there's no need to
refresh it.
But feel free to open a ticket for SSSD [1] and describe your use case. I don't
know SSSD that well and maybe there's no reason against setting it by default.
[1] https://fedorahosted.org/sssd/newticket
-
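The replies above about max_life in kdc.conf and about pairing a short ticket life with a longer renewable life both rest on how a KDC bounds a ticket: the lifetime is capped by policy (kdc.conf max_life, and the krbtgt and user principals' own maxlife), renew_till is capped by max_renewable_life, and a renewal issues a new ticket ending at now plus the lifetime but never past renew_till, refused once the old ticket has expired. The Python below is an added example, not MIT Kerberos or SSSD code: it models those RFC 4120 rules (per-principal maxlife is folded into one policy for simplicity; the dates are made up) and simulates a client renewing on a fixed interval, as SSSD does with krb5_renew_interval, to show how many renewals a 1-day/2-week policy allows before the user must kinit again.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class KdcPolicy:
    max_life: timedelta            # kdc.conf max_life (per-principal maxlife folded in here)
    max_renewable_life: timedelta  # kdc.conf max_renewable_life


@dataclass(frozen=True)
class Ticket:
    authtime: datetime              # when the user last proved a password; renewal keeps it
    starttime: datetime
    endtime: datetime
    lifetime: timedelta             # endtime - starttime as originally granted
    renew_till: Optional[datetime]  # None for a non-renewable ticket


def issue(policy: KdcPolicy, now: datetime,
          requested_life: Optional[timedelta] = None,
          requested_renew: Optional[timedelta] = None) -> Ticket:
    """AS exchange: the KDC clamps what the client asked for to policy (RFC 4120 3.1.3)."""
    life = min(requested_life or policy.max_life, policy.max_life)
    renew_till = None
    if requested_renew is not None:
        renew_till = now + min(requested_renew, policy.max_renewable_life)
    return Ticket(now, now, now + life, life, renew_till)


def renew(policy: KdcPolicy, ticket: Ticket, now: datetime) -> Ticket:
    """TGS renewal (RFC 4120 3.3.3): only an unexpired, renewable ticket can be renewed;
    the new endtime is now + lifetime, capped by policy and by renew_till."""
    if ticket.renew_till is None:
        raise ValueError("ticket is not renewable")
    if now >= ticket.endtime:
        raise ValueError("ticket already expired; user must kinit again")
    if now >= ticket.renew_till:
        raise ValueError("renewable lifetime exhausted; user must kinit again")
    new_end = min(now + ticket.lifetime, now + policy.max_life, ticket.renew_till)
    return Ticket(ticket.authtime, now, new_end, ticket.lifetime, ticket.renew_till)


def renewals_until_reauth(policy: KdcPolicy, first: Ticket, interval: timedelta) -> int:
    """Simulate a client renewing every `interval` (roughly SSSD's krb5_renew_interval);
    returns how many renewals succeed before a fresh kinit is unavoidable."""
    ticket, now, count = first, first.starttime, 0
    while True:
        now += interval
        try:
            ticket = renew(policy, ticket, now)
        except ValueError:
            return count
        count += 1


if __name__ == "__main__":
    policy = KdcPolicy(max_life=timedelta(days=1), max_renewable_life=timedelta(days=14))
    t0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)   # made-up issue time
    # The client asks for 10 days / 30 days; the KDC grants 1 day / 14 days.
    tgt = issue(policy, t0, timedelta(days=10), timedelta(days=30))
    print("valid until", tgt.endtime, "renewable until", tgt.renew_till)
    print("renewals every 8h:", renewals_until_reauth(policy, tgt, timedelta(hours=8)))
    print("renewals every 2d:", renewals_until_reauth(policy, tgt, timedelta(days=2)))
```

The two simulations are the security argument in numbers: a stolen ticket is usable for at most one lifetime unless the holder also keeps renewing through the KDC, which sees every renewal and can apply policy again, while a client that stops renewing (a laptop closed for two days) simply has to authenticate afresh.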
le Based Access Control->Permissions (eg. System: Read User
Addressbook Attributes) and change "Bind rule type" from all to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hos
ora instead.
[1] https://fedorahosted.org/freeipa/ticket/5814
--
David Kupka
ine interactive_prompt_callback (like
dns plugin) or forward (like vault plugin) you will need to split the
client and server part of the plugin.
--
David Kupka
On 17/01/17 11:30, Peter Fern wrote:
On 17/01/17 20:39, David Kupka wrote:
in 4.4 we split the plugins to server and client plugins. Simple
plugins (like server plugin) need to exist only on the server and all
that is needed is to move it from ipalib/plugins to ipaserver/plugins
On 17/01/17 12:16, Peter Fern wrote:
On 17/01/17 21:48, David Kupka wrote:
Ok, your plugin is not really a plugin but that should not be a problem.
To make it work:
1) replace "from ipalib.plugins.user import user" with "from
ipaserver.plugins.user import use
wnstream git clone [1] add the desired
patches and build your own package.
[1] https://git.centos.org/commit/rpms!ipa.git
--
David Kupka
.
--
David Kupka
led
on first master that is installed with CA. Here you can find more
information and how to:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
HTH,
--
David Kupka
-configuration-of-dns/
The article is about CentOS 6 and more than 3 years old but still might
be helpful because it's mainly about Bind 9 configuration.
--
David Kupka
On 24/10/16 19:26, Gilbert Wilson wrote:
On Oct 24, 2016, at 5:51 AM, David Kupka <dku...@redhat.com> wrote:
On 22/10/16 00:15, Gilbert Wilson wrote:
We have a lot of FreeBSD systems that I would like to streamline certificate
issuance and renewal. Ideally, we could leverage our F
or the account's expiration. My
/var/log/secure has messages like "pam_sss(sshd:auth): received for user
uname: 13 (User account has expired)". Is there a setting for default
expiration of user accounts ? I don't remember setting it anywhere.
On Mon, Oct 24, 2016 at 8:13 AM, David
no way to say the password
is expired.
When the user tries to obtain a Kerberos ticket he will be forced to
change the password and the NTLM hash will also be regenerated.
--
David Kupka
certmonger using FreeBSD's Linux
Binary Compatibility [1]? Though I don't know what the limitations
or possible issues are, it could be a way.
[1] http://www.freebsd.cz/doc/handbook/linuxemu.html
--
David Kupka
? Create pull request on GitHub
(https://github.com/freeipa/freeipa ).
Do you want to contribute the translations? Submit it via zanata
(https://fedora.zanata.org/project/view/freeipa ).
HTH,
--
David Kupka
/dirsrv/slapd-$REALM/ -L
# ausearch -m avc -i
--
David Kupka
at's wrong. SSSD is taking care of
resolving users and groups on enrolled systems. "id mgm" should output
something like "uid=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works
properly.
[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
--
David Kupka
the realm different from the
domain?
--
David Kupka
))"
+'%Y%m%d%H%M%S'Z)
END_LDIF
It works but I would not recommend using it in production environment.
--
David Kupka
On 13/12/16 07:52, Stephen Ingram wrote:
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:
yes you can do it. DNS domain and Kerberos realm are two different things.
It's common and AFAIK recommended to capitalize DNS domain to get the realm
but it's not re
ca-install
[client] # ipa-client-install -p admin -w Secret123 --domain
example.test --server replica.example.test -U
[client] # id admin
Is there anything you've done differently?
--
David Kupka
tate dbus.String(u'CA_UNREACHABLE',
variant_level=1)
in replica install log.
2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>:
On 29/11/16 11:51, David Dejaeghere wrote:
Hi,
I have a setup where i want to add a replica. The first master
setup has
an externally signed cer
On 30/11/16 10:13, David Kupka wrote:
On 29/11/16 12:57, Callum Guy wrote:
Hi Alexander,
I can confirm that I am using version 4.2.0.
The bug link provided mentions that it caused GA to fail to scan the
codes.
In my situation it is FreeIPA (or related service) which appears to
fail
Hello Ranbir,
are other records (A, , PTR, ...) created for the client in random.ipa and
just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd
installed and keys generated on client in random.ipa?
and update user entries
there and once the entry is complete you can call stageuser-activate to create
the user entry using values from the stageuser entry.
You can find description of the feature and examples on design page [1].
[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management
--
David
red during ipa-server-install to track and renew
certificates.
[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger
--
David Kupka
.
Generally I would not recommend touching this on production system. Why do you
want to change the database format?
(1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir
HTTPD_ALIAS_DIR --upgrade-id 1
--
David Kupka
need to be brought back. I can provide further
> log excerpts if needed.
>
> Thank you in advance,
> Paul Brennan
>
've posted ipa-replica-prepare is no
longer used when domain level is above 0. Since domain level 1 new replica is
first joined to FreeIPA domain as client using ipa-client-install and then
promoted to replica using ipa-replica-install.
You can find out more about Replica Promotion on design page [1].
[1
tion:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
--
David Kupka
Lock the user account after period of time or at
specified time. You need to call "ipa user-disable LOGIN" manually.
You can file ticket and describe your use-case here:
https://pagure.io/freeipa/new_issue
--
David Kupka