Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

2011-05-25 Thread Erinn Looney-Triggs
On 05/25/2011 01:21 PM, Steven Jones wrote: Hi, As far as I am aware Windows clients can only authenticate against ADs. So if you need to authenticate Windows you need a password trust/sync setup with AD and yes you need an AD as well as FreeIPA. No Windows clients can auth against

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Erinn Looney-Triggs
On 12/20/2011 10:27 PM, Jan Zelený wrote: I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following: ldap_netgroup_search_base =

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Erinn Looney-Triggs
On 12/21/2011 12:22 AM, Jan Zelený wrote: On 12/20/2011 10:27 PM, Jan Zelený wrote: I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Erinn Looney-Triggs
On 12/21/2011 04:37 AM, Stephen Gallagher wrote: On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote: I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Erinn Looney-Triggs
On 12/21/2011 09:14 AM, Stephen Gallagher wrote: On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote: On 12/21/2011 04:37 AM, Stephen Gallagher wrote: On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote: I have been working

Re: [Freeipa-users] Hot Backup Solution for IPA 2.x?

2011-12-28 Thread Erinn Looney-Triggs
On 12/27/2011 04:01 PM, Craig T wrote: Hi, Is there a hot backup technique for IPA? From my reading the best solution is to setup a replication server then shut the replication server down and do a backup? cya Craig

[Freeipa-users] Large slow down when using IPA

2011-12-30 Thread Erinn Looney-Triggs
I have been slowly rolling out FreeIPA to my systems, trying to track differences/changes. One of the most noticeable has been a large slow down in file access times. Let me explain as best as I can. I use AIDE to track the file system (think tripwire) and it runs checks once a day. During these

Re: [Freeipa-users] Large slow down when using IPA

2011-12-31 Thread Erinn Looney-Triggs
On 12/30/2011 07:19 PM, JR Aquino wrote: On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote: I have been slowly rolling out FreeIPA to my systems, trying to track differences/changes. One of the most noticeable has been a large slow down in file access times. Let me explain as best

[Freeipa-users] Large lastlog from large UIDs

2012-01-02 Thread Erinn Looney-Triggs
While digging through and trying to investigate a file system slowdown that may or may not be IPA related, I noticed an odd thing on my RHEL 5 and 6 based systems, the lastlog file was bloody huge: -rw-r--r-- 1 root root 469419202628 Jan 3 00:20 /var/log/lastlog Or for those of us who don't

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Erinn Looney-Triggs
On 01/02/2012 01:47 PM, Simo Sorce wrote: On Mon, 2012-01-02 at 11:54 -0900, Erinn Looney-Triggs wrote: On 01/02/2012 11:40 AM, Jakub Hrozek wrote: On Mon, Jan 02, 2012 at 12:53:29PM -0500, Simo Sorce wrote: On Mon, 2012-01-02 at 17:29 +0100, Jakub Hrozek wrote: On Mon, Jan 02, 2012 at 10:00

Re: [Freeipa-users] Large lastlog from large UIDs

2012-01-02 Thread Erinn Looney-Triggs
On 01/02/2012 07:59 PM, Simo Sorce wrote: On Mon, 2012-01-02 at 15:47 -0900, Erinn Looney-Triggs wrote: While digging through and trying to investigate a file system slowdown that may or may not be IPA related, I noticed an odd thing on my RHEL 5 and 6 based systems, the lastlog file

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Erinn Looney-Triggs
On 01/02/2012 07:43 PM, Simo Sorce wrote: On Mon, 2012-01-02 at 15:52 -0900, Erinn Looney-Triggs wrote: On 01/02/2012 01:47 PM, Simo Sorce wrote: Hi Erinn, can you please tell what's the baseline you are comparing against ? Is it nss_ldap ? With or without nscd ? Simo. Here is what

Re: [Freeipa-users] Hot Backup Solution for IPA 2.x?

2012-01-04 Thread Erinn Looney-Triggs
On 01/04/2012 09:24 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/27/2011 04:01 PM, Craig T wrote: Hi, Is there a hot backup technique for IPA? From my reading the best solution is to setup a replication server then shut the replication server down and do a backup? cya

[Freeipa-users] HBAC issues

2012-01-05 Thread Erinn Looney-Triggs
I am trying to solve an issue that seems like it should be obvious but is not, to me at least. I am trying to allow a user to log into a single host, via GDM. I have configured a HBAC rule that allows access to the host from the host (actually to the group with the host in it from the same

Re: [Freeipa-users] HBAC issues

2012-01-05 Thread Erinn Looney-Triggs
On 01/05/2012 11:54 AM, Stephen Gallagher wrote: On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote: Yes that look about right, not able to confirm 100%, but that is probably the issue. We're looking into it. However, I should point out that using srchost is a very unreliable

[Freeipa-users] Initial login on RHEL 6 fails

2012-01-09 Thread Erinn Looney-Triggs
For a user's very first (as in never logged in before and will have to set new password) login attempt via GDM, the password change will fail and the user will be unable to log in. Now if the user has already set a password the login works fine. I haven't tested after the password expires but I

Re: [Freeipa-users] Initial login on RHEL 6 fails

2012-01-09 Thread Erinn Looney-Triggs
On 01/09/2012 11:33 AM, Dmitri Pal wrote: On 01/09/2012 02:16 PM, Erinn Looney-Triggs wrote: For a user's very first (as in never logged in before and will have to set new password) login attempt via GDM, the password change will fail and the user will be unable to log in. Now if the user

Re: [Freeipa-users] Initial login on RHEL 6 fails

2012-01-09 Thread Erinn Looney-Triggs
On 01/09/2012 01:31 PM, Simo Sorce wrote: On Mon, 2012-01-09 at 12:28 -0900, Erinn Looney-Triggs wrote: [snip] Looks like the expiration is not updated, I suspect the password change actually failed. A couple of additional notes that may be important. The system to which I am

[Freeipa-users] Allowing nisdomainname to survive reboots

2012-01-11 Thread Erinn Looney-Triggs
Apologies in advance for my lack of understanding of NIS, I think I started my career a bit late for that particular product. Anyway, the sudo rules require the nisdomainname to be set on the server. The documentation states using nisdomainname CL tool, however, this does not appear to survive

[Freeipa-users] Sudo options

2012-01-18 Thread Erinn Looney-Triggs
I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show: Sudo Option: env_keep = LESSSECURE, env_reset, mail_badpass, mail_no_host, mail_no_perms, syslog =

Re: [Freeipa-users] Sudo options

2012-01-18 Thread Erinn Looney-Triggs
On 01/18/2012 11:50 AM, JR Aquino wrote: On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote: I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show

Re: [Freeipa-users] Sudo options

2012-01-18 Thread Erinn Looney-Triggs
On 01/18/2012 11:50 AM, JR Aquino wrote: On Jan 18, 2012, at 11:47 AM, Erinn Looney-Triggs wrote: I can't really figure out what the proper syntax is for the sudo rules in IPA. I have a number of options that I would like included by default, I have put them in place, from ipa sudorule-show

Re: [Freeipa-users] WebUI With Windows, Firefox, and MIT Kerberos

2012-01-28 Thread Erinn Looney-Triggs
On 1/27/2012 4:53 PM, JR Aquino wrote: On Jan 27, 2012, at 5:31 PM, Jr Aquino wrote: Has anyone successfully gotten firefox in windows with firefox and mit kerberos? I've followed several how-tos, but I can't get firefox to take/pass my tgt. The Key to success:

Re: [Freeipa-users] Dovecot imap authentication with IPA/Kerberos

2012-01-30 Thread Erinn Looney-Triggs
On 01/30/2012 10:20 AM, Dale Macartney wrote: Hi Erinn I originally asked the question as I was thinking my auth attempts were failing when using ipa, however this was not the case. On closer inspection, I found that the authentication was successful yet dovecot was failing to read a

Re: [Freeipa-users] IPA Sudo - RHEL5

2012-02-01 Thread Erinn Looney-Triggs
On 02/01/2012 03:43 AM, Westerlund Johnny wrote: You pointed me in the correct direction. I only needed to setup ldap.conf in a correct way and it worked perfectly. The documentation for setting up sudo on rhel6 describes how to setup the nslcd.conf, I just did ldap.conf a symlink of that

Re: [Freeipa-users] Jabber services for IPA

2012-02-09 Thread Erinn Looney-Triggs
On 02/09/2012 06:48 AM, Dale Macartney wrote: Morning all I have a working setup of ejabberd authenticated to pam on an IPA client which works great.. However, unlike my other projects to provide details of integration with IPA, I am struggling with the SSO aspect of it, simply because

Re: [Freeipa-users] Jabber services for IPA

2012-02-09 Thread Erinn Looney-Triggs
, Erinn Looney-Triggs wrote: On 02/09/2012 06:48 AM, Dale Macartney wrote: Morning all I have a working setup of ejabberd authenticated to pam on an IPA client which works great.. However, unlike my other projects to provide details of integration with IPA, I am struggling with the SSO aspect

[Freeipa-users] Searching for subjectKeyIdentifier in SSL certs

2012-02-22 Thread Erinn Looney-Triggs
It looks like, as far as I can tell, the IPA pki setup does not by default include subjectKeyIdentifier in the SSL certificates issued. I am using ipa-getcert -f foo -k bar, to generate and submit the request. I am a little hazy about how all of this fits together at this point, so please forgive

Re: [Freeipa-users] IPA dogtag as CA for puppet ?

2012-05-21 Thread Erinn Looney-Triggs
On 05/21/2012 01:00 PM, Jan-Frode Myklebust wrote: If joining a machine to IPA automatically gives it a SSL keyset, it seems silly to also join the puppetca for config management. Has anybody looked into using IPA-dogtag as CA for puppet and func? -jf

Re: [Freeipa-users] stopping su -

2012-07-16 Thread Erinn Looney-Triggs
On 07/16/2012 01:32 PM, Steven Jones wrote: I have created a sshd rule only for the HBAC, but I find a std user can su - to root, is this correct behavior? How do I? or can I? stop this unless explicitly allowed? regards Steven Jones Technical Specialist - Linux RHCE Victoria

Re: [Freeipa-users] stopping su -

2012-07-16 Thread Erinn Looney-Triggs
University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytri...@gmail.com] Sent: Tuesday, 17 July 2012 9:38 a.m. To: freeipa-users@redhat.com

[Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups they are a member of id returns nothing but the numbers, and a getent passwd username returns nothing, when running as the user.

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups

Re: [Freeipa-users] cannot find name for user ID

2012-08-09 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups

Re: [Freeipa-users] cannot find name for user ID

2012-08-09 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups

[Freeipa-users] Lost dse.ldif

2012-08-15 Thread Erinn Looney-Triggs
After a restart of the system I received the following errors: Starting dirsrv: FOO-COM...[15/Aug/2012:21:48:26 +] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-FOO-COM/dse.ldif. It is mandatory.

Re: [Freeipa-users] Lost dse.ldif

2012-08-16 Thread Erinn Looney-Triggs
On 08/16/2012 11:18 AM, Sigbjorn Lie wrote: On 08/16/2012 09:08 PM, Rich Megginson wrote: On 08/16/2012 11:46 AM, Erinn Looney-Triggs wrote: On 08/15/2012 05:13 PM, Rich Megginson wrote: On 08/15/2012 03:58 PM, Erinn Looney-Triggs wrote: After a restart of the system I received the following

[Freeipa-users] SELinux user mapping

2012-08-28 Thread Erinn Looney-Triggs
I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I have: Rule name: Developers staff_U SELinux User: staff_u:s0-s0:c0.c1023 Description: Confines developers on

Re: [Freeipa-users] SELinux user mapping

2012-08-29 Thread Erinn Looney-Triggs
On 08/28/2012 11:23 PM, Jakub Hrozek wrote: On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I

[Freeipa-users] Process open FD table is full.

2012-11-01 Thread Erinn Looney-Triggs
Have any folks run into this: PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.) From the dirsrv logs. It appears that this may have been what killed IPA in total on one server for me last night. I can't turn up anything via Google. After a restart of all

Re: [Freeipa-users] Process open FD table is full.

2012-11-01 Thread Erinn Looney-Triggs
On 11/01/12 16:47, Rich Megginson wrote: On 11/01/2012 04:15 PM, Erinn Looney-Triggs wrote: Have any folks run into this: PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD table is full.) From the dirsrv logs. It appears that this may have been what killed IPA

Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
by the way, though the problem appeared in 6.2 for me. Regards Johan -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Erinn Looney-Triggs Sent: den 1 november 2012 23:15 To: FreeIPAUsers Subject: [Freeipa-users] Process

Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
On 11/02/12 07:28, Rich Megginson wrote: On 11/02/2012 09:06 AM, Simo Sorce wrote: On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote: Looks a lot like a problem I have as well. Check out the /proc/xxx/fd directory of the dirsrv process for your IPA realm, in my case it's full of dead

[Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. -Erinn

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. Kudos for planning

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:42, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather

Re: [Freeipa-users] Disadantages of using external DNS

2012-12-12 Thread Erinn Looney-Triggs
On 12/12/12 09:09, rashard.ke...@sita.aero wrote: What are the disadvantages of using an external DNS source? My three options are install DNS services on the IPA server, use the local Active Directory DNS, or connect to a linux based DNS appliance. Is it common not to use DNS at all if so

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Erinn Looney-Triggs
On 01/04/13 06:56, Han Boetes wrote: Your information about the quest putty version seems to be outdated. ;-) Quest Software no longer maintains recent releases of PuTTY. To obtain the latest stable release of PuTTY please go to PuTTY Download Page * The functionality that was provided by

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straightforward is the upgrade from one IPA version to another please? regards Should just require an rpm upgrade and a restart

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 11:55, Jakub Hrozek wrote: On Tue, Jan 08, 2013 at 11:49:11AM -0900, Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straightforward

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Erinn Looney-Triggs
On 01/08/13 12:45, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straightforward is the upgrade from one IPA version to another

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-09 Thread Erinn Looney-Triggs
On 01/09/13 00:02, Martin Kosek wrote: On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote: On 01/08/13 12:45, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL

Re: [Freeipa-users] Postponing IPA 3 upgrade

2013-02-11 Thread Erinn Looney-Triggs
On 02/11/2013 10:00 AM, rashard.ke...@sita.aero wrote: I was wondering if I need to be concerned about IPA 2 being updated automatically to IPA 3? We have a working IPA 2 environment in place now and wanted to know if IPA needed to be added to an exclude list. We are afraid of breaking our

[Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
For the foolhardy amongst us, as in me, I upgraded to RHEL 6.4 today. So far the Web UI portion of IPA is broken. I receive the following error via the UI: IPA Error 903 an internal error has occurred. Other things appear to be working fine, though my testing hasn't been all that thorough at

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) add:objectClasses:

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group

Re: [Freeipa-users] Upgrading to 6.4

2013-02-21 Thread Erinn Looney-Triggs
On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:07 AM, Rob Crittenden wrote: add:attributeTypes: (2.16.840.1.113730.3.8.11.1 NAME 'ipaExternalMember' DESC 'External Group Member Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Erinn Looney-Triggs
On 02/26/2013 12:08 PM, Martin Kosek wrote: On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney

Re: [Freeipa-users] FreeIPA dual stacked

2013-04-15 Thread Erinn Looney-Triggs
On 04/15/2013 09:45 AM, Adam Bishop wrote: Hi, I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump. The server hostname resolves to more than one address: :::::4 xxx.xxx.xxx.180 Please provide the IP address to be used for this host

[Freeipa-users] Replacing CA Certificate

2013-06-14 Thread Erinn Looney-Triggs
So my CA certificate in IPA is a subordinate certificate of an AD CS instance. These certificates by default are only valid for two years, and mine will be up come this December. So, I am looking for a way to replace this certificate in IPA. Any thoughts? -Erinn

[Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread Erinn Looney-Triggs
Folks, I swear I am not trying to drive up traffic to my very small blog, but I wrote up some instructions for how to configure the postfix mail client to use Kerberos to relay through a Postfix gateway. Instructions are here for folks that are interested:

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread Erinn Looney-Triggs
On 7/10/2013 5:59 PM, James Hogarth wrote: Thanks for the blog! There's dovecot in the howto section of the wiki but no postfix ... worth one of us adding the link? OP would you be okay with the link?

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread Erinn Looney-Triggs
On 07/10/2013 05:00 PM, Dmitri Pal wrote: On 07/10/2013 12:12 PM, Simo Sorce wrote: On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote: Folks, I swear I am not trying to drive up traffic to my very small blog, but I wrote up some instructions for how to configure the postfix mail

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 11:04 AM, Anthony Messina wrote: On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote: On 07/10/2013 12:12 PM, Simo Sorce wrote: On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote: Folks, I swear I am not trying to drive up traffic to my very small blog, but I

[Freeipa-users] IPA CA install in ca-bundle.crt

2013-07-12 Thread Erinn Looney-Triggs
Is there a reason that ipa-client-install does not add the CA of the IPA server to the ca-bundle.crt file in /etc/pki/certs/? Seems like it would be a reasonable move to do that. I know it imports the CA into /etc/pki/nssdb. Hopefully I didn't miss something that allows it to. But I wanted to

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 11:36 AM, Simo Sorce wrote: On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote: On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote: On 07/10/2013 12:12 PM, Simo Sorce wrote: On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote: Folks, I swear I am not trying

Re: [Freeipa-users] IPA CA install in ca-bundle.crt

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 01:25 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/12/2013 01:19 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Is there a reason that ipa-client-install does not add the CA of the IPA server to the ca-bundle.crt file in /etc/pki/certs/? Seems like

Re: [Freeipa-users] Is GSSAPI secure without TLS?

2013-07-12 Thread Erinn Looney-Triggs
On 07/12/2013 05:03 PM, Dmitri Pal wrote: On 07/12/2013 11:33 AM, Erinn Looney-Triggs wrote: GSSAPI inside of a TLS channel apparently isn't secure unless the channel is secure and verified. The irony being that GSSAPI auth outside of a TLS connection is just fine for postfix

[Freeipa-users] TLSA records in FreeIPA

2013-09-24 Thread Erinn Looney-Triggs
I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA. Has this been

Re: [Freeipa-users] TLSA records in FreeIPA

2013-09-26 Thread Erinn Looney-Triggs
On 09/24/2013 12:06 PM, Petr Spacek wrote: On 24.9.2013 19:23, Erinn Looney-Triggs wrote: I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using

Re: [Freeipa-users] DNS views: request for comments

2013-10-01 Thread Erinn Looney-Triggs
On 10/01/2013 09:11 AM, Petr Spacek wrote: Hello list, we would like to get more details about DNS views and how you use them in real life. Also, any idea how user a interface should work is more than welcome! (If you don't know views, read it as differentiate answer to a DNS query on client's

[Freeipa-users] Renewing CA certificate

2013-10-14 Thread Erinn Looney-Triggs
Folks, I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two years. Somehow, some way, without rebuilding I would like to be able to replace

Re: [Freeipa-users] Renewing CA certificate

2013-10-14 Thread Erinn Looney-Triggs
On 10/14/2013 10:26 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks, I wanted to touch base with y'all about how/if work is progressing on the ability to replace the CA certificate. My certificate is a subordinate of an AD CS instance and will be expiring in December, after two

[Freeipa-users] CA expiration and renewal

2013-11-13 Thread Erinn Looney-Triggs
Folks just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS will be expiring on December 9th, I submitted a bug, y'all drew up docs etc for a plan (thanks). Now I just wanted to see how it was going and if need be what manual steps I will

Re: [Freeipa-users] CA expiration and renewal

2013-11-27 Thread Erinn Looney-Triggs
On 11/25/2013 11:09 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS will be expiring on December 9th, I submitted a bug

[Freeipa-users] Dogtag not working?

2013-11-28 Thread Erinn Looney-Triggs
In the process of prepping a replication host for changing over the CA I had to use certmonger to generate another certificate on my secondary IPA server. Unfortunately it seems to fail every single time. Here is what I am running and here is what I

Re: [Freeipa-users] Dogtag not working?

2013-11-29 Thread Erinn Looney-Triggs
On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote: In the process of prepping a replication host for changing over the CA I had to use certmonger to generate another certificate on my secondary IPA server. Unfortunately it seems to fail every

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 07:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/28/2013 03:50 PM, Erinn Looney-Triggs wrote: In the process of prepping a replication host for changing over the CA I

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 07:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] Dogtag not working?

2013-12-02 Thread Erinn Looney-Triggs
On 12/02/2013 10:18 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] Dogtag not working?

2013-12-03 Thread Erinn Looney-Triggs
On 12/03/2013 05:45 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Rob, Thanks so much for the help. It was the first certificate but other than that you were spot on, we can't all be perfect ;). That fixed the issue and I am now able

Re: [Freeipa-users] CA expiration and renewal

2013-12-03 Thread Erinn Looney-Triggs
On 11/27/2013 11:11 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/25/2013 11:09 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: Folks just wanted to touch base again before

Re: [Freeipa-users] Dogtag not working?

2013-12-03 Thread Erinn Looney-Triggs
On 12/3/2013 9:45 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 10:18 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 12/02/2013 08:03 AM, Rob Crittenden wrote: Erinn

Re: [Freeipa-users] CA expiration and renewal

2013-12-04 Thread Erinn Looney-Triggs
On 12/04/2013 07:15 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/27/2013 11:11 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote:

Re: [Freeipa-users] CA expiration and renewal

2013-12-05 Thread Erinn Looney-Triggs
On 12/05/2013 01:35 AM, Martin Kosek wrote: On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote: On 12/04/2013 07:15 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/27/2013 11:11 AM, Rob

Re: [Freeipa-users] CA expiration and renewal

2013-12-05 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/05/2013 12:18 PM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/05/2013 01:35 AM, Martin Kosek wrote: On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote: On 12/04/2013 07:15 AM, Rob

Re: [Freeipa-users] JSON interface (Was: IPA DNS command line tools and ~)

2014-03-07 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/07/2014 08:57 AM, Petr Viktorin wrote: On 03/07/2014 04:34 PM, Rich Megginson wrote: [...] The ipa command line tools use RPC, but they use XML. If you run ipa -vv dnsrecord-add ... you can see the XML sent and received. There is a bit of

[Freeipa-users] OTP in RHEL 7

2014-03-21 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hopefully I am not overlooking something. However, it appears that with RHEL 7 IPA includes the OTP auth piece. However, I can't seem to find any documentation on how to use it. I can deconstruct from the Fedora test day, but before I head down that

Re: [Freeipa-users] OTP in RHEL 7

2014-03-21 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/21/2014 02:54 PM, Alexander Bokovoy wrote: On Fri, 21 Mar 2014, Erinn Looney-Triggs wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hopefully I am not overlooking something. However, it appears that with RHEL 7 IPA includes the OTP

[Freeipa-users] IPA commands failing

2014-07-07 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On a RHEL 6.5 environment the IPA command line tools are failing me with the following: ipa ping ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://ipa.foo.com/ipa/xml,

[Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given that I don't have a great deal of spare capacity the plan was to remove ipa2 from the replication

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given that I don't have a great deal of spare capacity

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote: On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two servers providing my ipa instances ipa and ipa2. Given

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-27 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/27/2014 12:02 AM, Erinn Looney-Triggs wrote: On 07/26/2014 07:12 PM, Erinn Looney-Triggs wrote: On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote: Well it hasn't been all that pretty trying to move from RHEL 6.5 to RHEL 7. I have two

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden wrote: Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 07/27/2014 12:02 AM, Erinn Looney-Triggs

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/28/2014 11:07 AM, Ade Lee wrote: On Mon, 2014-07-28 at 08:26 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/28/2014 11:07 AM, Ade Lee wrote: On Mon, 2014-07-28 at 08:26 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 08:04 AM, Ade Lee wrote: On Mon, 2014-07-28 at 07:41 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 07:17 AM, Rob Crittenden

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown in the journal. When investigating the cacert.p12 file that is bundled up for the replicas I see two caSigningCert's. One is the older one, before I renewed and one is the new,

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-28 Thread Erinn Looney-Triggs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/28/2014 12:20 PM, Ade Lee wrote: On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: On 07/28/2014 11:07 AM, Ade Lee wrote: No exceptions thrown in the journal. When investigating the cacert.p12 file that is bundled up
