[Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-18 Thread Dewangga Bachrul Alam
Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server still on development and always reinstalled, I need to reproduce any possible problem/error on FreeIPA 4.x on CentOS 7. The error was :

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
Hello! On 05/19/2015 12:53 PM, Martin Kosek wrote: On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server still on development

Re: [Freeipa-users] Problem installing external SSL Certificate

2015-05-19 Thread Dewangga Bachrul Alam
This is the verbose log, tried to convert them to p12 format (dont know it's right or not), still no luck. http://fpaste.org/223608/88775143/raw/ Ref: http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html Any additional hints? On 05/19/2015 08:30 PM, Dewangga Bachrul Alam

[Freeipa-users] Problem installing external SSL Certificate

2015-05-19 Thread Dewangga Bachrul Alam
Hello! I was build FreeIPA 4.1.4 on CentOS 7.1, the deployment was done, but could I changes the HTTP and dirsv certificate? I have wildcard certificate (thawte SSL CA - G2). It is compatible for FreeIPA (http and dirsv)? I've tried to follow the instruction

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
Well, thanks Martin for the info :) On 05/19/2015 08:23 PM, Martin Kosek wrote: On 05/19/2015 03:21 PM, Dewangga Bachrul Alam wrote: Thank you Martin, Yes, the IPA Server was built on CentOS 7.1. But, some client still using CentOS 6.x, but I have plan upgrade them to 7.x. Is it gave

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Dewangga Bachrul Alam
/2015 10:53 AM, Dewangga Bachrul Alam wrote: Hello! On 05/19/2015 12:53 PM, Martin Kosek wrote: On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall ipa client, but have a problem with old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello! On 05/20/2015 05:30 PM, Martin Kosek wrote: On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using mydomain.co.id then I have another 10 instance/servers using

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Yes, of course. I will add NS record to parent zone if my IPA server are ready for production. :D Thanks for any comments and help. Cheers! :) On 05/20/2015 06:02 PM, Petr Spacek wrote: On 20.5.2015 12:56, Dewangga Bachrul Alam wrote: Thanks Martin, Better I leave the configuration as is :D

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
:38 PM, Dewangga Bachrul Alam wrote: Hello! On 05/20/2015 05:30 PM, Martin Kosek wrote: On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using mydomain.co.id then I have

[Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using mydomain.co.id then I have another 10 instance/servers using mydomain.com, I want to manage both of them on same IPA server. On instance with mydomain.com, I've setup and

Re: [Freeipa-users] Sudo command not working

2015-08-13 Thread Dewangga Bachrul Alam
Hello! Should I reboot the machine after changing sudo.conf file? On 08/12/2015 09:26 PM, Jakub Hrozek wrote: On Wed, Aug 12, 2015 at 07:44:15PM +0700, Dewangga Bachrul Alam wrote: Hello! On 08/12/2015 07:36 PM, Jakub Hrozek wrote: On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul

[Freeipa-users] Having problem with pwd_expiration

2015-08-13 Thread Dewangga Bachrul Alam
Hello! I've been discovered something about pwd_expiration on freeipa 4.1.4, I got a line from sssd_DOMAIN.log : ... snip ... (Thu Aug 13 12:25:39 2015) [sssd[be[mydomain.co.id]]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1 ... snip ... $ ipa pwpolicy-find Group:

Re: [Freeipa-users] Sudo command not working

2015-08-13 Thread Dewangga Bachrul Alam
Hello! On 08/13/2015 03:09 PM, Jakub Hrozek wrote: On Thu, Aug 13, 2015 at 03:01:40PM +0700, Dewangga Bachrul Alam wrote: Hello! Should I reboot the machine after changing sudo.conf file? No, it's read by sudo on every invocation. There is no sudo deamon or such. Yes, I found

Re: [Freeipa-users] FreeIPA state - performace, commercial usage

2015-08-20 Thread Dewangga Bachrul Alam
On 08/21/2015 09:44 AM, Vaclav Adamec wrote: Hi, Don't want to start flame, but my question is quite simple, is there anybody who use it in real production/commercial setup without any major issues ? don't you lack commercial support ? no issues with auditors ? FreeIPA is upstream for

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
Hello Jakub! Sorry for delayed email, My bad, I disabled cache_credentials, not sssd_cache. I tried modified my user `dewangga` to remove sudo rules, the cache still active even I restart the sssd service and delete all ccache* files. There's no information on sssd log folder. -rw---. 1

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
related information about the 4 step above. On 07/30/2015 08:54 PM, Jakub Hrozek wrote: On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote: Hello Jakub! Sorry for delayed email, My bad, I disabled cache_credentials, not sssd_cache. Then I think it's completely unrelated

[Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Dewangga Bachrul Alam
Hello! I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after applied some rules to specified user? [root@ipa ~]# ipa sudorule-show Rule name: wheel Rule name: Wheel Enabled: TRUE Host category: all Command category: all RunAs User category: all RunAs Group category: all

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Dewangga Bachrul Alam
still didn't use correct configuration. It's still using min 0, max 0 configuration (I set this policy yesterday, and was revert it back to min 1 max 90 on yesterday too) Any hints? On 07/31/2015 01:47 AM, Jakub Hrozek wrote: On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote

Re: [Freeipa-users] Different domain enrollment

2015-08-11 Thread Dewangga Bachrul Alam
Hello! On 08/11/2015 01:43 PM, Alexander Bokovoy wrote: On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote: Hello! I'm having problem with different hostname with primary domain on ipa server. For example, my primary domain is mydomain.co.id, and then if the server hostname using

[Freeipa-users] Different domain enrollment

2015-08-10 Thread Dewangga Bachrul Alam
Hello! I'm having problem with different hostname with primary domain on ipa server. For example, my primary domain is mydomain.co.id, and then if the server hostname using mydomain.co.id, the dns discover was sucessfully. The problem come if the client hostname using different domain, for

[Freeipa-users] Sudo command not working

2015-08-12 Thread Dewangga Bachrul Alam
Hello! I'm having problem with sudo command, the sudo command was sucessfully initiated. But user still requested for password. For example : ipa-client $ sudo -l Matching Defaults entries for subhan on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS DISPLAY

Re: [Freeipa-users] Sudo command not working

2015-08-12 Thread Dewangga Bachrul Alam
Hello! On 08/12/2015 07:36 PM, Jakub Hrozek wrote: On Wed, Aug 12, 2015 at 07:30:52PM +0700, Dewangga Bachrul Alam wrote: Hello! I'm having problem with sudo command, the sudo command was sucessfully initiated. But user still requested for password. For example : ipa-client $ sudo -l

Re: [Freeipa-users] Different domain enrollment

2015-08-12 Thread Dewangga Bachrul Alam
Hello! On 08/11/2015 06:25 PM, Alexander Bokovoy wrote: On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote: Hello! On 08/11/2015 01:43 PM, Alexander Bokovoy wrote: On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote: Hello! I'm having problem with different hostname with primary domain on ipa

Re: [Freeipa-users] List SPAM

2017-04-23 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark as spam, and they gone from my inbox. :) On 04/23/2017 05:10 PM, Prasun Gera wrote: > This still continues to be a problem. Was any solution identified > for this ? Why are the emails not obfuscated on the public archives > ? > > On Tue, Dec

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-23 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! Just update, manually add external CA(s) and signed certificated was successful, but why it's didn't automatically transferred to replica(s) from master. On 04/22/2017 03:00 PM, Dewangga Bachrul Alam wrote: > Hello! > > I've suc

[Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-23 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! I've successfully create replica, everything works fine but why my signed CA certificate didn't automatically transfer to another replica(s)? Is it normal? Trying to add manually, but the certificate in replica(s) still using self-signed.

[Freeipa-users] Creating another sudo rules full

2017-04-27 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! Is it possible to create another sudo rules that same with sudo_rule_full or admin privileges, it means that the user can run `sudo su -` without password. I've create the similar rules, but no luck. [root@idm ~]# ipa sudorule-show

Re: [Freeipa-users] Creating another sudo rules full

2017-04-28 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! On 04/28/2017 07:26 PM, Jason B. Nance wrote: > Hi Dewangga, > >> [root@idm ~]# ipa sudorule-show sudo_rules_rekanalar Rule name: >> sudo_rules_rekanalar Enabled: TRUE Command category: all RunAs >> User category: all RunAs Group category:

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-27 Thread Dewangga Bachrul Alam
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello! On 04/26/2017 08:08 PM, Florence Blanc-Renaud wrote: > On 04/25/2017 10:56 AM, Dewangga Bachrul Alam wrote: Hello! > > Master IPA Server: - I install 1 (one) server as master > (self-signed) and add/modify using external CA.

Re: [Freeipa-users] CA Certificate didn't automatically transfer to replica(s)

2017-04-25 Thread Dewangga Bachrul Alam
, the command ipa-server-certinstall must also be run on the > replica with the appropriate certificate. > > HTH, Flo. > > On 04/22/2017 10:41 AM, Dewangga Bachrul Alam wrote: Hello! > > Just update, manually add external CA(s) and signed certificated > was successful, but wh