[Freeipa-users] PKI Subsystem Type: CA Clone convert to Root

2012-05-23 Thread James Hogarth
in the process) in IPA 2.1/2.2? Kind regards, James Hogarth

Re: [Freeipa-users] How to promote 2.2.0 replica(installed with --setup-ca) to primary master?

2012-06-13 Thread James Hogarth
But in short the only thing to do is change the CRL generator per those instructions. It is otherwise already a full CA. If none or all of them are generating a CRL it isn't the end of the world either way, you could just end up with slightly different CRLs on different masters which can be

[Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread James Hogarth
Hi all, As mentioned on IRC today I've finished my write up of using Apache with SNI and kerberos authentication with an IPA backend. I'd be interested in any feedback: http://freeipa.org/page/Apache_SNI_With_Kerberos Kind regards, James

Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-19 Thread James Hogarth
Well, at the moment we only set up a two way trust but the windows admins would certainly be able to delete the outgoing trust right after it is created, it should cause trouble for win users that want to access ipa hosts. We may take an RFE about creating only a one way trust, but it won't

Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-20 Thread James Hogarth
I'll try and replicate the blog findings in the course of the next couple of days if it works I'll add it to the wiki ... Set up a test this morning using Centos 6: nss-3.13.1-7.el6_2.x86_64 mod_nss-1.0.8-14.el6_2.x86_64 The behaviour was... odd SNI itself must have been working as

Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-20 Thread James Hogarth
Only one nss database may be opened at a time. mod_nss should probably error out if multiple are defined to prevent confusion. I'd think a nickname should be unique to a given VirtualServer. If not then it's a bug. That makes sense - and yeah it should probably error out rather than just

Re: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?

2012-06-21 Thread James Hogarth
but I'm getting hammered by my management for instant answers... they asked last night and expect an answer this morning, and I'm expected to catch up and deploy several important solutions/projects all hinging on IPA ASAP... 2.2 isn't in RHEL6.3 though? Are you using fedora, centos

[Freeipa-users] Request for comments - Libvirt (KVM) with VNC via IPA with kerberos authentication

2012-06-25 Thread James Hogarth
Hi all, As mentioned on IRC today I've finished my write up of using libvirt (kvm virtualization) with VNC consoles and kerberos authentication with an IPA backend. I'd be interested in any feedback: http://freeipa.org/page/Libvirt_with_VNC_Consoles Kind regards, James

Re: [Freeipa-users] Roadmap

2012-06-28 Thread James Hogarth
Is there any information on what the roadmap might be now that 2.2 is out the door? The current roadmap still references the 2.1 release around a year ago. Check out the info here: https://fedorahosted.org/freeipa/roadmap So far as I'm aware the bulk of the 3.0 work is for cross realm

Re: [Freeipa-users] hostgroups not working for Sudo commands

2012-08-07 Thread James Hogarth
Yes I'd missed this, echo nisdomainname ods.vuw.ac.nz /etc/rc.d/rc.local Is it not possible to automate this (sudo setup) more in the ipa-client-install? control whether you want it via a sudo_enable=yes or no somewhere? I've added it to my kickstart for now so my sudo setup is

[Freeipa-users] Heads up on dynamic DNS TTL weird behaviour...

2012-08-13 Thread James Hogarth
Hey all, Just a quick heads up for the mailing list archive in case someone bumps into this after drilling through it a bit in IRC on Friday... If you are making use of --enable-dns-updates in ipa-client-install and for whatever reason your client may change its address more often than once

[Freeipa-users] IPA Error 401 certificate not found

2012-08-14 Thread James Hogarth
Hi all, I was adding and removing the same hosts at a fairly high rate from IPA and I've managed to get myself into an odd situation... On trying to delete or unprovision one of the hosts I'm getting IPA error 401: Certificate operation cannot be completed: EXCEPTION (Certificate serial number

Re: [Freeipa-users] IPA Error 401 certificate not found

2012-08-14 Thread James Hogarth
I suspect I've hit a replication conflict... Just to close this off ... it was a replication issue - the certificates hadn't yet replicated... deleting from the server originally enrolled against it was fine. James

Re: [Freeipa-users] ttl settings for host records

2012-11-29 Thread James Hogarth
I'm not entirely sure where that 86400 came from. When we do a dynamic update the TTL is hardcoded to 1200. There is a ticket to make this configurable, https://fedorahosted.org/freeipa/ticket/3031 The patch I submitted on the SSSD side has

[Freeipa-users] Certificate serial number not found error

2012-12-07 Thread James Hogarth
Hi, When trying to view a particular service (or the related host) I'm getting the following error in the UI: IPA Error 4301 Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0xffe000c not found) Now I've seen a similar issue in the past when replication has played

Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-12-11 Thread James Hogarth
Hi, caching capabilities were not optimal in the tech preview, but it was fully functional (or at least should be, I don't think anyone really tried it in production), unless sssd is configured with multiple domains. I looked at the 6.3 technical notes for sudo, sssd and ipa but couldn't

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-14 Thread James Hogarth
I believe that at one point we included a configuration very similar to the snippet above in man sssd-sudo. It should be there in 6.4, not 100% sure now. Just checked the man page and indeed that minimal snippet is there ... I really need to spend more time going through new man pages etc at

Re: [Freeipa-users] named seg faulting

2013-07-01 Thread James Hogarth
Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem. Thanks Petr ... looks like that's not in the CentOS repositories ... I'll give those guys a heads up ... A quick look and it appears that the SRPM isn't in the public FTP server ... opened bug

Re: [Freeipa-users] named seg faulting

2013-07-02 Thread James Hogarth
Meanwhile I recommend you to build version 2.6: https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2 It includes some fixes not-yet accepted for RHEL. Interesting... I might build and test but generally I prefer to keep to packages accepted to rhel... As an FYI

Re: [Freeipa-users] named (DNS) dumping core

2013-07-09 Thread James Hogarth
Yes, it looks like we ran into the same bug. We will schedule an update for our IPA servers soon to address this issue. As a heads up you can do these one at a time and for this particular issue it doesn't require a full IPA restart... Just named. When we updated ours after the srpm got

[Freeipa-users] heads up on dirsrv failure to start on fedora19

2013-07-10 Thread James Hogarth
Hi all, A heads up in case someone else bumps into this when doing any 389-ds/freeipa work on F19. The /etc/tmpfiles.d/dirsrv-EXAMPLE-COM.conf file is configured to create the lockfiles in /var/lock/dirsrv/slapd-EXAMPLE-COM but on F19 /var/lock is a symlink to /var/run/lock... As a result after

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread James Hogarth
Thanks for the blog! There's dovecot in the howto section of the wiki but no postfix ... worth one of us adding the link? OP would you be okay with the link?

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-11 Thread James Hogarth
Sure no problem, the more useful to people the better. Great stuff - just added the link... On a side note I'm just loving the growing collection of integration documentation - really makes 'selling' IPA internally easier all the time!

[Freeipa-users] Question about design of ldap dns

2013-07-15 Thread James Hogarth
Hi guys, I'm just picking up the nice to have ticket of configure the default TTL as part of my general TTL refactor work seeing as the exposing and modification of TTL in the UI is unlikely to be complete before 3.3 freeze (mostly working but a few bugs remaining) :

Re: [Freeipa-users] [freeipa-users] errors when trying to add public SSH key to user

2013-07-15 Thread James Hogarth
ipa-server-2.2.0-17.el6_3.1.x86_64 Think I see the problem here. From the 3.0 release notes: - SSH public key format has been changed to OpenSSH-style public keys. http://www.freeipa.org/page/IPAv3_300_ga You really ought to get those servers updated to RHEL 6.4 with IPA 3.0 (which

Re: [Freeipa-users] sudo rules user and host group bugs?

2013-07-15 Thread James Hogarth
Did anyone find a solution for this? I am having the same experience. Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.

Re: [Freeipa-users] Question about design of ldap dns

2013-07-17 Thread James Hogarth
Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail. We need to coordinate, because bind-dyndb-ldap is undergoing heavy refactoring right now. Also, remember that modification in bind-dyndb-ldap will require modification on FreeIPA side (CLI/WebUI/API). Sure - I'm

[Freeipa-users] Providing minimal permissions to read replication status

2013-07-31 Thread James Hogarth
Hi, We're looking to add monitoring to our IPA replicas and want to provide a user with the minimum possible permissions to do so. Allowing the user to have the Replication Administrators role works but for monitoring the ability to add/modify/remove is overkill by a long shot. There's no

Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote: The patch for this would do basically this: - remove the following aci: (targetattr != aci)(version 3.0; aci replica admins read access; allow (read, search, compare) groupdn = ldap:///cn=Modify Replication

Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
On 1 August 2013 15:55, Rob Crittenden rcrit...@redhat.com wrote: James Hogarth wrote: On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote: The patch for this would do basically this: - remove the following aci: (targetattr != aci)(version