Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

2015-01-29 Thread David Kupka
www.flbog.edu [BOG-wordmark-wideFOR EMAIL-color] Hi, this looks similar to: https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html and https://fedorahosted.org/freeipa/ticket/4807 Did you try to raise the nsslapd-sasl-max-buffer-size? -- David Kupka -- Manage your subscription

Re: [Freeipa-users] chrony support

2015-02-13 Thread David Kupka
Hello Bryan, I'm currently working on this. This feature should be available in freeipa-4.2. -- David Kupka On 02/13/2015 01:25 PM, Bryan Pearson wrote: One of our IPA servers, is in a virtualized environment and is continuously losing time, resulting in invalid credentials and breaking

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread David Kupka
domain. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread David Kupka
/to/external_ca_certificate -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Power down all FreeIPA servers

2015-04-01 Thread David Kupka
them off and on normaly (with system or using ipactl stop/start) and after they start again the replication process should continue. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

2015-04-20 Thread David Kupka
to solve similar issue: https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Access to IPA Web-UI with different domain names

2015-04-27 Thread David Kupka
you need to decide whether your FreeIPA domain is internal or external. If it's internal it is inaccessible from outside and you need to first connect to the internal network (e.g. use VPN) and then connect to FreeIPA server. If it's external then everything works as expected. -- David Kupka

Re: [Freeipa-users] FreeIPA cluster shutdown sequence

2015-05-04 Thread David Kupka
/archives/freeipa-users/2015-April/msg00016.html) there is no special procedure. You just turn the servers off before the power outage and then turn them back on. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread David Kupka
. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] time restricted access

2015-08-13 Thread David Kupka
. This is currently WIP, you can find more on freeipa-devel list. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Different shell for different systems

2015-08-18 Thread David Kupka
Hello, I think that it should be possible with ID View (http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views) but I'm not familiar with it. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo

Re: [Freeipa-users] GID, groups and ipa group-show

2015-08-24 Thread David Kupka
. On the other hand it would be useful to show these implicit members in group-show output. Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] freeipa sudden stop

2015-06-29 Thread David Kupka
-tomcatd fails and therefore ipactl start fails. Could you run # ipactl start -d and post its output? Also starting individual services is not a good idea as you can forget to start some (you actually did :-) -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] Another Migration from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-07-29 Thread David Kupka
not sure if it is available in CentOS, yet. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IdM Password Expiration

2015-08-05 Thread David Kupka
variable where Directory Manager password is required but I know it's just name of the variable. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Primary certificates

2015-07-14 Thread David Kupka
on all ipa servers and clients to distribute the new certificate. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread David Kupka
On 16/10/15 15:26, Fujisan wrote: Hello, When I enter the email address, the phone number or the mailing address of ipa user 'smith' in the web ui "Identity/Users/smith", it does not appears in the output of ldapsearch. Sendmail can look into the ldap database and get the email address of a

Re: [Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

2015-10-06 Thread David Kupka
repository (https://copr.fedoraproject.org/coprs/mkosek/freeipa/) with newer version of PKI packages and I tested replication between Fedora 21 and CentOS 7.1 (both FreeIPA 4.1.4) and it works for me as expected. Could you please try it again? -- David Kupka -- Manage your subscription for the

Re: [Freeipa-users] attempting to restore IPA

2015-09-10 Thread David Kupka
Hello Steven! I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following: 1.

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread David Kupka
that came to my mind would be having records in DNS and not having corresponding IPv6 on that host but that is general misconfiguration. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

Re: [Freeipa-users] SSH login to client

2016-06-09 Thread David Kupka
on client? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] mod_nss FreeIPA

2016-05-26 Thread David Kupka
u,u,u EXAMPLE.TEST IPA CA CT,C,C Signing-Cert u,u,u If this is not what you was asking please try to explain what you want to achieve with more details. -- David Kupka -- Manage your

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-14 Thread David Kupka
.) David On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com <mailto:dku...@redhat.com>> wrote: On 21/08/15 15:21, bahan w wrote: Hello ! I contact you because I notice something strange with IPA environment. I cre

Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-24 Thread David Kupka
understand kerberos better will advice. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
Thanks Hello! I don't know why it does not work with ktutil but I've find other way how to get keytab for a user: $ kinit ttester $ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96 $ kdestroy ttester $ kinit ttes...@example.test -kt ttester.keytab HTH,

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
On 26/02/16 08:56, David Kupka wrote: On 26/02/16 02:22, Teik Hooi Beh wrote: Hi, I have manged to deployed 1 ipa master and 1 ipa client with success on centos 7.2 with freeipa v4.2. I also managed to create user and set sshd-rules to for ttester user and also successfully get krb ticket

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka
s used. When IP address is needed it can be resolved from the name included in SRV response. HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-16 Thread David Kupka
stopped it before. It can result in inconsistent data in backup archive. [0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293 [1] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 -- David Kupka -- Manage your subscription

Re: [Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread David Kupka
log on server: Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexist...@example.test for krbtgt/example.t...@example.test, Client not found in Kerberos database -- David Kupka -- Manage your subscription

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-18 Thread David Kupka
on't see the need for stopping the server manually. ipa-backup calls "ipactl start" [0]. If you remove the else branch it will not start the server. [0 ]https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 HTH, David 2016-02-17 8:00 GMT+01:0

Re: [Freeipa-users] freeipa restore backup on a new server

2016-04-12 Thread David Kupka
rvices in FreeIPA depends on host names and resolve IP address from DNS when needed. But if DNS server is part of FreeIPA server you're trying to restore it is holding old records with old IP addresses. Maybe this is the cause but it's just wild guess. -- David Kupka -- Manage your subscr

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote: Do u meant use ldapmodify? I tried update the dse.ldif but it will fall back after a while. 2016年4月27日 下午7:10 於 "David Kupka" <dku...@redhat.com <mailto:dku...@redhat.com>> 寫道: On 27/04/16 12:48, barry...@gmail.com <

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
g nsslapd-requiresrestart I don't see nsslapd-security listed so it should be possible to change it in runtime. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

2016-04-25 Thread David Kupka
illa.redhat.com/show_bug.cgi?id=1271551 HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread David Kupka
db Please check the permission on your system. If it's different and you (or system admin) haven't changed it please file a ticket (https://fedorahosted.org/freeipa/newticket). -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/fre

Re: [Freeipa-users] Object class violation

2016-04-17 Thread David Kupka
reproducer? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread David Kupka
hint is highly welcome Harri Hello Harri, the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid -- David Kupka -- M

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread David Kupka
auto-renew: yes -- Thanks, Anthony Hello Anthony! After stopping NTP (or other time synchronizing service) and setting time manually server really don't have a way to determine that its time differs from the real one. I think this might be issue with Kerberos ticket. You can show content of

Re: [Freeipa-users] Moving from ca to ca-less without pki

2016-08-01 Thread David Kupka
the opposite (installing CS on CA-less freeipa server). Feel free to file an RFE https://fedorahosted.org/freeipa/newticket -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka
RFE (https://fedorahosted.org/freeipa/newticket)? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] client in many IPA domains

2017-02-06 Thread David Kupka
domains), c) will likely result in weird behavior, d) is definitelly not supported nor encouraged. -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-15 Thread David Kupka
ORG Principal "krbtgt/example@example.org" modified. : exit To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf and restart krb5kdc service. But generally I don't think it's a good idea to have such long tickets. Would it make sense in your use case to deploy

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

2017-02-21 Thread David Kupka
d in [2]? Why is separate deployment of FreeIPA for the project required? [1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx [2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html -- David Kupka signature.asc Description: PGP signature -- Man

Re: [Freeipa-users] sysaccounts max length

2017-02-20 Thread David Kupka
ilman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello! From man 8 useradd: Usernames may only be up to 32 characters long. -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: htt

Re: [Freeipa-users] Looking for instructions on one way subtree sync IPA->IPA

2017-02-10 Thread David Kupka
te accounts for all the users involved in Project in Enterprise IPA and assign them to Project group. You can also enroll all Project hosts to Enterprise IPA and add them to Project hostgroup. Then you can use HBAC rules [1] to: * disable the default allow_all rule * allow everyone in Proje

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
renew the ticket for the user until the ticket renew life time expires. Given this you can keep ticket life time reasonable short (~1 day) set ticket renewable life time to longer period (~2 weeks) and maintain reasonable security level without negative impact on user's daily work. Look for krb5_renew_interv

Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-16 Thread David Kupka
he logs-out in the end of the workday (after 8~10 hours). So there's no need to refresh it. But feel free to open a ticket for SSSD [1] and describe you use case. I don't know SSSD that well and maybe there's no reason against setting it by default. [1] https://fedorahosted.org/sssd/newticket -

Re: [Freeipa-users] Limit regular user access only to self service portal

2017-01-18 Thread David Kupka
le Based Access Control->Permissions (eg. System: Read User Addressbook Attributes) and change "Bind rule type" from all to "permission". But be aware that modifying the permissions may result in SSSD being unable to resolve users unless you add those permissions to hos

Re: [Freeipa-users] 32 bit netmask detection and error during install

2017-01-16 Thread David Kupka
ora instead. [1] https://fedorahosted.org/freeipa/ticket/5814 -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
ine interactive_prompt_callback (like dns plugin) or forward (like vault plugin) you will need to split the client and server part of the plugin. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more i

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
On 17/01/17 11:30, Peter Fern wrote: On 17/01/17 20:39, David Kupka wrote: in 4.4 we split the plugins to the server and client plugins. Simple plugins (like server plugin) needs to exist only on server and all what is needed is to move it from ipalib/plugins to ipaserver/plugins

Re: [Freeipa-users] FreeIPA 4.4 plugin migration path

2017-01-17 Thread David Kupka
On 17/01/17 12:16, Peter Fern wrote: On 17/01/17 21:48, David Kupka wrote: Ok, your plugin is not really a plugin but that should not be a problem. To make it work: 1) replace "from ipalib.plugins.user import user" with "from ipaserver.plugins.user import use

Re: [Freeipa-users] manually apply patches from upstream

2017-01-19 Thread David Kupka
wnstream git clone [1] add the desired patches and build your own package. [1] https://git.centos.org/commit/rpms!ipa.git -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] (no subject)

2016-08-24 Thread David Kupka
. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to make a FreeIPA node replica become Master?

2016-09-15 Thread David Kupka
led on first master that is installed with CA. Here you can find more information and how to: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/free

Re: [Freeipa-users] rpm dependencies

2016-10-27 Thread David Kupka
-common contains files for samba client and server so removing it may remove applications that can behave as samba client. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread David Kupka
-configuration-of-dns/ The article is about CentOS 6 and more than 3 years old but still might be helpful because it's mainly about Bind 9 configuration. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-24 Thread David Kupka
On 24/10/16 19:26, Gilbert Wilson wrote: On Oct 24, 2016, at 5:51 AM, David Kupka <dku...@redhat.com> wrote: On 22/10/16 00:15, Gilbert Wilson wrote: We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could leverage our F

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread David Kupka
or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts ? I don't remember setting it anywhere. On Mon, Oct 24, 2016 at 8:13 AM, David

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread David Kupka
no way to say the password is expired. When the user tries to obtain Kerberos ticket he will be forced to change the password and NTLM hash will be also regenerated. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-24 Thread David Kupka
certmonger using FreeBSD's Linux Binary Compatibility [1]? Though I don't know what are the limitations or possible issues it could be a way. [1] http://www.freebsd.cz/doc/handbook/linuxemu.html -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] help

2016-10-16 Thread David Kupka
? Create pull request on GitHub (https://github.com/freeipa/freeipa ). Do you want to contribute the translations? Submit it via zanata (https://fedora.zanata.org/project/view/freeipa ). HTH, -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
/dirsrv/slapd-$REALM/ -L # ausearch -m avc -i -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
the Server-Cert but I don't understand why there's "bad database" error in the errors log. I'll try to reproduce it. What version of FreeIPA are you using? On what system? 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>: On 29/11/16 11:51, David Dejaeghere wrot

Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

2016-12-08 Thread David Kupka
at's wrong. SSSD is taking care of resolving users and groups on enrolled systems. "id mgm" should output something like "id=1414(mgm) gid=1414(mgm) groups=1414(mgm)" if it works properly. [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases -- David Kupka -- Manage yo

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread David Kupka
the realm different from the domain? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to disable First time password change on IPA user

2016-12-13 Thread David Kupka
))" +'%Y%m%d%H%M%S'Z) END_LDIF It works but I would not recommend using it in production environment. -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-13 Thread David Kupka
On 13/12/16 07:52, Stephen Ingram wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not re

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-13 Thread David Kupka
ca-install [client] # ipa-client-install -p admin -w Secret123 --domain example.test --server replica.example.test -U [client] # id admin Is there anything you've done differently? -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listin

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread David Kupka
tate dbus.String(u'CA_UNREACHABLE', variant_level=1) in replica install log. 2016-11-29 12:09 GMT+01:00 David Kupka <dku...@redhat.com>: On 29/11/16 11:51, David Dejaeghere wrote: Hi, I have a setup where i want to add a replica. The first master setup has an externally signed cer

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka
. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- / Alexander Boko

Re: [Freeipa-users] OTP Algorithm

2016-11-30 Thread David Kupka
On 30/11/16 10:13, David Kupka wrote: On 29/11/16 12:57, Callum Guy wrote: Hi Alexander, I can confirm that I am using version 4.2.0. The bug link provided mentions that it caused GA to fail to scan the codes. In my situation it is FreeIPA (or related service) which appears to fail

Re: [Freeipa-users] One kerberos realm, two dns zones and SSHFP records

2017-03-23 Thread David Kupka
istinfo/freeipa-users > Go to http://freeipa.org for more info on the project Hello Ranbir, are other records (A, , PTR, ...) created for the client in random.ipa and just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd installed and keys generated on client in random.ipa?

Re: [Freeipa-users] ldap connector from IIQ to ipa

2017-03-21 Thread David Kupka
and update user entries there and once the entry is complete you can call stageuser-activate to create user entry with using values from stageuser entry. You can find description of the feature and examples on design page [1]. [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management -- David

Re: [Freeipa-users] Options for existing CA/DNS infrastructure

2017-03-20 Thread David Kupka
red during ipa-server-install to track and renew certificates. [1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer [2] https://pagure.io/certmonger -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list

Re: [Freeipa-users] Use SQLite format NSS database?

2017-03-20 Thread David Kupka
. Generally I would not recommend touching this on production system. Why do you want to change the database format? (1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir HTTPD_ALIAS_DIR --upgrade-id 1 -- David Kupka signature.asc Description: PGP signature -- Manage your subsc

Re: [Freeipa-users] Original master lost, cannot create additional CA clones

2017-03-22 Thread David Kupka
need to be brought back. I can provide further > log excerpts if needed. > > Thank you in advance, > Paul Brennan > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.or

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

2017-03-22 Thread David Kupka
've posted ipa-replica-prepare is no longer used when domain level is above 0. Since domain level 1 new replica is first joined to FreeIPA domain as client using ipa-client-install and then promoted to replica using ipa-replica-install. You can find out more about Replica Promotion on design page [1]. [1

Re: [Freeipa-users] IPA domain level is 1, so replica prepare fails (new installation)

2017-03-22 Thread David Kupka
tion: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html -- David Kupka signature.asc Description: PGP signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa 4.4 creating users with expiration

2017-03-05 Thread David Kupka
Lock the user account after period of time or at specified time. You need to call "ipa user-disable LOGIN" manually. You can file ticket and describe your use-case here: https://pagure.io/freeipa/new_issue -- David Kupka signature.asc Description: PGP signature -- Manage your su