Re: [Freeipa-users] [freeipa-users] errors when trying to add public SSH key to user

2013-07-15 Thread Jan Pazdziora
server. Any thoughts? Does it fail even if you do not copy-n-paste the key but let shell expand it as ipa user-mod demo --sshpubkey $( cat /tmp/demo.pub ) ? -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Incorrect user information

2013-09-23 Thread Jan Pazdziora
be updated automatically to reflect those changes. Bug perhaps? The ticket https://fedorahosted.org/freeipa/ticket/3569 tracks addition of the WebUI GECOS field. It's been added in upstream FreeIPA and it should find its way to the next RHEL releases as well. -- Jan Pazdziora | adelton

[Freeipa-users] Starting with host based access control and your existing users and hosts

2013-11-11 Thread Jan Pazdziora
to be disabled or it would still allow all accesses. That might break existing users. Check http://www.freeipa.org/page/Howto/HBAC_and_allow_all about possible solution to that problem. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] freeipa client won't install on host where an ipa server guest is already installed.

2013-12-17 Thread Jan Pazdziora
that I must first uninstall the ipa server. What is the OS version and the exact message that you get? Has anyone experienced this and how might I get around this problem? Are you sure you don't have the IPA server installed on both the KVM guest *and* on the host? -- Jan Pazdziora Principal

[Freeipa-users] Enrolling client to second IPA server

2014-01-06 Thread Jan Pazdziora
not move me forward enrolling the system to another IPA server. Does anyone have example steps that need to be done to have my system enrolled to two IPA servers? Thank you, -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] HBAC - expected behaviour?

2014-02-19 Thread Jan Pazdziora
of its Any Host (aka Host category: all) manually and then removed it? -- Jan Pazdziora | adelton at #ipa*, #brno Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-users mailing list Freeipa-users@redhat.com https

Re: [Freeipa-users] Free-IPA in an AWS Base Image

2014-02-20 Thread Jan Pazdziora
to change the hostname of the instance to be in the domain managed by the FreeIPA server? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Allow freeipa send password to user

2014-02-20 Thread Jan Pazdziora
for no password change forced on user upon their first login from multiple sides, I wonder if the current behaviour stems from some technical reason or if it's just a security approach which the FreeIPA admins should be able to override. -- Jan Pazdziora Principal Software Engineer, Identity

[Freeipa-users] HBAC for mod_auth_kerb (and give karma to Fedora 20 package)

2014-03-25 Thread Jan Pazdziora
as the guidelines but you can also try to set things up completely without the guides, just using mod_authnz_pam's documentation at http://www.adelton.com/apache/mod_authnz_pam/ And comments and help with the karma would be appreciated. -- Jan Pazdziora Principal Software Engineer, Identity

Re: [Freeipa-users] Enrolling client to second IPA server

2014-04-07 Thread Jan Pazdziora
? When I put IPA2's data to /etc/openldap/ldap.conf.IPA2 and run LDAPCONF=/etc/openldap/ldap.conf.IPA2 getent passwd user...@realm2.net I still don't get anything. I assume that it's because it's actually sssd which does the calls ... but how would I set LDAPCONF for sssd? -- Jan Pazdziora

Re: [Freeipa-users] IPA-server and containers

2014-06-10 Thread Jan Pazdziora
not announcing it yet as we try to find ways to make the image smaller and thus more easily consumable. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] IPA-server and containers

2014-06-11 Thread Jan Pazdziora
on different hosts (be it containers or true hosts). That's why the initial effort goes into moving what we have with ipa-server-install to container as one block. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Announcing FreeIPA 4.0.0

2014-07-14 Thread Jan Pazdziora
https://admin.fedoraproject.org/pkgdb/package/python-qrcode/ python-yubico is already in epel6 but *NOT IN* epel7 https://admin.fedoraproject.org/pkgdb/package/python-yubico/ https://fedoraproject.org/wiki/EPEL/epel7/Requests should help us get the process started. -- Jan Pazdziora

Re: [Freeipa-users] PatternFly questions

2014-07-18 Thread Jan Pazdziora
to the next page. Thus, on each screen the number of rows of the default ideal view can be different, if the content above and below the table is of different height, or if the height of the rows is different among pages/tables. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering

[Freeipa-users] FreeIPA server in Docker container

2014-07-21 Thread Jan Pazdziora
/page/Docker Any comments or improvements are welcome, -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info

Re: [Freeipa-users] IRC channel dead?

2014-09-02 Thread Jan Pazdziora
? There are currently 115 users there. Maybe some sort of network slip and you are connected to the wrong part of the network? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Fedora 21 and 4.0.3

2014-09-30 Thread Jan Pazdziora
of IPA? I strongly suspect you are hitting https://bugzilla.redhat.com/show_bug.cgi?id=1117673 Is there a particular reason why you want to go with unreleased Fedora? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] named and IpA

2014-10-03 Thread Jan Pazdziora
? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-10 Thread Jan Pazdziora
nothing if LDAP is not accessible. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Jan Pazdziora
was implemented: https://bugzilla.redhat.com/show_bug.cgi?id=662930 Feel free to open RFE. Done: https://fedorahosted.org/bind-dyndb-ldap/ticket/140 Thank you, -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

2014-12-31 Thread Jan Pazdziora
it be to Kerberize it? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

2014-12-31 Thread Jan Pazdziora
-microsoft-dns/ shows how ISC DHCP's execute can be used to send the changes to an external command, and that command can include the kinit -kt + nsupdate -g combo. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] bind-dyndb-ldap and ddns updates from dhcp

2014-12-31 Thread Jan Pazdziora
On Wed, Dec 31, 2014 at 10:34:37PM +0100, Jan Pazdziora wrote: endpoints, or their users, should not be trusted to make updates to DNS zones. TSIG signed updates from servers are still preferred over authenticated updates from endpoints or users. Server has identity just like service

Re: [Freeipa-users] Client configuration to point to Replica server once master service failed

2015-01-01 Thread Jan Pazdziora
. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
is not container and ntpd not running on the server, I was not able to reproduce the issue. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
and proceeding. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Problems with ntpd when running FreeIPA in a Docker container

2015-01-15 Thread Jan Pazdziora
false assumptions. I'll update the git repo README / image documentation once we know what exactly the plan with SELinux and situation with Fedora 21 client blocking are. It is something I work on right now. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] FreeIPA and Application Specific Passwords

2015-02-19 Thread Jan Pazdziora
, instead of using SSO, be it Kerberos or SAML? Is that purely the application not supporting it or are there some other reasons (you say we don't want single sign on which sounds like a political or compliance issue, not technical one). -- Jan Pazdziora Principal Software Engineer, Identity

Re: [Freeipa-users] FreeIpa and Dovecot

2015-02-20 Thread Jan Pazdziora
On Fri, Feb 20, 2015 at 09:36:17AM +0100, Günther J. Niederwimmer wrote: have any a functional Link for this Problem. Can you elaborate what the problem actually is? Specifically, what setup you try to achieve, how you do it, where it starts to fail. -- Jan Pazdziora Principal Software

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
, it does not set priority for the preferred IPA server which can be useful if they are in different geos and by default you want the traffic to go to the local server. In that case ipa_server = test-freeipa-2.cloud.domain.de, _srv_ might actually be preferred. -- Jan Pazdziora Principal

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
)? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Freeipa and dns

2015-03-06 Thread Jan Pazdziora
might be a work around for now. That's actually not too much trouble with our configuration management system. Then ipa_server = local-geo-replica.example.com, _srv_ in sssd.conf is probably the best approach. -- Jan Pazdziora Principal Software Engineer, Identity Management

[Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-24 Thread Jan Pazdziora
: Could not load the library. I see the same bug both on host and in container. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread Jan Pazdziora
for the prompt fix! -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Jan Pazdziora
On Thu, Mar 26, 2015 at 10:49:22AM +0100, Andrew Holway wrote: From an SELinux standpoint systemd is far superior to initd as it allows far more graceful domain transitions. Have you got a link which would demonstrate how systemd helps with domain transitions? -- Jan Pazdziora Principal

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
was the machine enrolled -- ipa-client-install, realm join, or some other way? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
/pubconf/krb5.include.d/localauth_plugin exists and configures module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so ? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Jan Pazdziora
machine ... So that test.osuwmc realm -- is that your IPA server's realm, or AD realm? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread Jan Pazdziora
with simple sssd/ldap only auth. You might want to check Foreman and its realm feature: http://theforeman.org/manuals/1.7/index.html#4.3.9Realm That way OTP authentication will be used. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat

[Freeipa-users] user-mod --rename and password

2015-05-07 Thread Jan Pazdziora
...@example.test: # Is this expected? It's with 4.1.0. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Jan Pazdziora
If hbactest passes, then we need to see the logs, /var/log/secure and SSSD logs. Also the sssd.conf, please. Also, how did you configure that tac_plus PAM service should be used? How do you try to access the machine / service? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management

Re: [Freeipa-users] multi homed environment

2015-05-11 Thread Jan Pazdziora
resolution. Is there anything we can add to the tool on our side to catch the errors earlier and/or make the error messages less scary and more descriptive? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-12 Thread Jan Pazdziora
in theory force it to work by writing a wrapper PAM module which would call both pam_sss's pam_sm_authenticate *and* pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be a hack, possibly with unexpected side effects. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management

Re: [Freeipa-users] FreeIPA server in Docker container improved

2015-05-14 Thread Jan Pazdziora
On Wed, Apr 08, 2015 at 02:42:38PM +0200, Jan Pazdziora wrote: The ability to run FreeIPA server in a container was recently improved by adding support for storing the server configuration and data in a volume, making it easier to backup the server, upgrade it to newer versions, as well

Re: [Freeipa-users] Apache htaccess replacement

2015-05-19 Thread Jan Pazdziora
mod_authnz_pam: http://www.adelton.com/apache/mod_authnz_pam/ http://www.freeipa.org/page/Web_App_Authentication The module is packaged in Fedoras, RHEL, and CentOS. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Critique

2015-04-17 Thread Jan Pazdziora
Nice. One detail -- Red Hat prefers its name to be spelled Red Hat. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

[Freeipa-users] FreeIPA server in Docker container improved

2015-04-08 Thread Jan Pazdziora
at https://registry.hub.docker.com/u/adelton/freeipa-server/ README was amended to describe the new usage options. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

2015-06-01 Thread Jan Pazdziora
-tomcat/conf/ca/CS.cfg had the wrong owner (root). I saw this issue in containers as well, when upgrading from Fedora 21 to 22. Do we have a bugzilla / ticket filed? Do we need one? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Jan Pazdziora
, by giving you time-constrained service ticket? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

[Freeipa-users] Running pki commands on fresh IPA server -- authentication

2015-05-20 Thread Jan Pazdziora
]: ClientResponseFailure: Error status 401 Unauthorized returned What am I doing wrong? This is with ipa-server-4.1.0-18.el7.x86_64 and pki-server-10.1.2-7.el7.noarch. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] freeipa on http?

2015-08-20 Thread Jan Pazdziora
will not work -- the session cookie is marked as Secure so the browser will not store it when it comes via http, plus the UI checks referer to start with https://. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] freeipa on http?

2015-08-24 Thread Jan Pazdziora
On Thu, Aug 20, 2015 at 02:26:43PM +0200, Jan Pazdziora wrote: On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote: Tried that -- but it gives a blank screen. I will try playing with it some more. At least I know we are thinking in the same ballpark I was able to set this up just fine

Re: [Freeipa-users] Unable to install ipa-server-trust-ad

2015-08-04 Thread Jan Pazdziora
the installation today but that should be fairly easy to workaround by not having krb5-devel installed from updates when you start the installation, and it does not seem related to the samba-python issue you see. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering

Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
membership. Would it make sense to have a way of running the SSSD evaluation from the WebUI and showing the results there? Clearly distinguished from the LDAP data, yet exposed in the WebUI ... -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

2015-07-14 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 11:06:20AM +0300, Alexander Bokovoy wrote: On Tue, 14 Jul 2015, Jan Pazdziora wrote: Would it make sense to have a way of running the SSSD evaluation from the WebUI and showing the results there? Clearly distinguished from the LDAP data, yet exposed in the WebUI

Re: [Freeipa-users] Rename or not to rename (packages only)? freeipa-server - ipa-server?

2015-07-17 Thread Jan Pazdziora
On Fri, Jul 17, 2015 at 10:47:37AM +0200, Petr Spacek wrote: This rename would remove the inconsistency which drives me crazy when I need to script something universally for RHEL and Fedora. Wouldn't rpm Provides solve this particular issue? -- Jan Pazdziora Senior Principal Software

Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

2015-10-13 Thread Jan Pazdziora
ogy, CNAMEs pointing to that IPA-managed domain can be used to present flat structure to users: server.example.com -> server.ipa.example.com -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Jan Pazdziora
? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/. Are copr builds for RHEL 7 / CentOS 7 planned? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
packages. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote: On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora

Re: [Freeipa-users] Using NTP SRV records

2015-07-07 Thread Jan Pazdziora
. Am I missing something? I believe you might be hitting bug https://fedorahosted.org/freeipa/ticket/4981 The fix will go out with 4.2 release. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Jan Pazdziora
) way to let users authenticate via Kerberos and create users authenticated by PAM upon first login? Create user where -- in the Web application or in FreeIPA? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Apache htaccess replacement

2015-07-09 Thread Jan Pazdziora
-- with SSSD configured on the machine -- doesn't require group the-group-name actually work? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
confirm things work now, I'm able to install and setup FreeIPA 4.2 server on Fedora 22 with the copr repo. Thank you! Any plans for the RHEL/CentOS 7 copr repo? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Using IPA CA to sign SSL client certificates

2015-08-28 Thread Jan Pazdziora
-certificates.html I guess I should have been more clear. I need to create certificates for users, not services. That's new feature in FreeIPA 4.2: http://www.freeipa.org/page/V4/User_Certificates -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-15 Thread Jan Pazdziora
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote: > On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo <natxo.ase...@gmail.com> > > wrote: > > > > > on a centos 7.1 host when enroll

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
ntos 6.7 realm either, same error. Also reproduced on RHEL 7.1 and RHEL 7.2 (to be). I've filed https://bugzilla.redhat.com/show_bug.cgi?id=1262718 now. Thank you for bringing this to our attention. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Jan Pazdziora
kdc/DEFAULT.socket, for debugging purposes? I haven't even been able to sync the token properly, which Duncan says in https://github.com/adelton/docker-freeipa/issues/34#issuecomment-123877080 was working for him. -- Jan Pazdziora Senior Principal Software Engineer, Identity Manageme

Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Jan Pazdziora
and communication with the ipa-otpd daemon? Also, does the Sync OTP Token operation invoke the ipa-otpd daemon path (so if Duncan managed to sync the token, it worked for him at least once) in any way or does it bypass it? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Eng

[Freeipa-users] FreeIPA server in Docker containers -- upcoming changes

2015-12-17 Thread Jan Pazdziora
(data volumes) are supported but you certainly want to keep backup around in case you need to revert to the old image. You can also create new replica. The master-systemd branch is based on Fedora 23. Thank you, -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering

Re: [Freeipa-users] FreeIPA server in Docker containers -- upcoming changes

2016-01-04 Thread Jan Pazdziora
On Thu, Dec 17, 2015 at 11:30:53AM +0100, Jan Pazdziora wrote: > > if you are running FreeIPA servers in containers, you might want to > be aware of a change that is coming -- in branch master-systemd of > > https://github.com/adelton/docker-freeipa > > we run the

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-03 Thread Jan Pazdziora
you try to run FreeIPA 4 on CentOS 6.4 or do you want to IPA-enroll that CentOS 6 machine to FreeIPA server? What services / areas are you concerned about from the compatibility POV? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] unable to effectively delete a replica agreement

2015-12-18 Thread Jan Pazdziora
n that I failed to see the cause of the issues when we discussed it with Karl in https://github.com/adelton/docker-freeipa/issues/40 and at the same time I don't see anything container-specific in what he attempts to do -- therefore I've asked him to bring the issue to this forum. -- Jan Paz

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Jan Pazdziora
rules. For example, see http://www.freeipa.org/page/Howto/HBAC_and_allow_all -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-23 Thread Jan Pazdziora
ssh remotely. I am now able to connect to the server. > It seems that all works fine again once I restart sssd on the server. Do you restart the sshd service, sssd service, or both? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] FreeIPA and project Atomic

2016-01-11 Thread Jan Pazdziora
containers are like virtual machines (and people treat them like those especially from security point of view) when they are not. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Upgrade to FreeIPA 4.2.0 broke Katello/Foreman realm proxy

2016-01-11 Thread Jan Pazdziora
.google.com/forum/#!topic/foreman-users/GlGSM6EAyUs In that thread you note that the issue was in fact a replication problem. Did you manage to resolve it? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-03 Thread Jan Pazdziora
om/ Note that you will not be able to use SSO (Kerberos) authentication for the accesses via the ipa.public.company.com proxy but I assume that's not needed. Hope this helps. I will likely do another writeup about this setup. -- Jan Pazdziora Senior Principal Software Engineer, Identity Manage

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Jan Pazdziora
Anthony as mentioned in the other thread but we will debug it from here. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
t:9443/ https://ns01.dev.example.net/ -- with the nonstandard port specified. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote: > On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote: > > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to > > do this: > > > > > > > >

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-08 Thread Jan Pazdziora
he access denied, perhaps also increase the LogLevel to debug in the FreeIPA's Apache configuration and check the error_log and ssl_error_log. I did not observe the access denied before or after logging in and I'd like to get to the root of this. Thank you, -- Jan Pazdziora Senior Principal Software Engine

[Freeipa-users] The -e skip_version_check=1 with 4.2 client against 6.4-based server

2016-01-11 Thread Jan Pazdziora
value (2.51) rather than ignoring the difference altogether? I have verified that the option works on Fedora client against older Fedora server (but I did not try ipa-server-3.0.0 there). -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] The -e skip_version_check=1 with 4.2 client against 6.4-based server

2016-01-11 Thread Jan Pazdziora
On Mon, Jan 11, 2016 at 07:05:16PM +0100, Martin Basti wrote: > On 11.01.2016 16:57, Jan Pazdziora wrote: > > > >We try to call the ipa commands against old FreeIPA server version, > >taking advantage of the > > > > -e skip_version_check=1 > &g

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-04 Thread Jan Pazdziora
likely do not want to give every user a way to run any command, why not just use sudo, and docker run -u $SUDO_UID container bash in the script invoked with the sudo (untested)? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-15 Thread Jan Pazdziora
On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote: > On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com> > wrote: > > > > The goal is to run the > > > docker container such that when the user calls docker run, > > > > Is a

Re: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install

2016-03-14 Thread Jan Pazdziora
, the resulting sssd.conf had the [domain/default] section removed. So something in the process seems to care about that section -- maybe not the installer, maybe authconfig or something else. On the other hand, I was not able to reproduce the change to the content of the domain/default section that lej

Re: [Freeipa-users] start and stop of ipa commands in systemd

2016-04-04 Thread Jan Pazdziora
rent machines (or in different containers). If you are interested in exploring those areas and helping us develop them, we'll be happy to hear about your findings. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
appen) > — > Attached > > My main suspect is dbus service unable to start in this container where it > launches on a plain machine. Certainly. What steps did you take to make dbus startable in the container? Do you have the dbus package installed? -- Jan Pazdziora Senior Princi

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
http://www.freeipa.org/page/Docker and https://github.com/adelton/docker-freeipa. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-11 Thread Jan Pazdziora
least one replica -- just create the FreeIPA server in the container as another replica in your environment. That way you can test it gradually -- point clients to it, add it to DNS. I would not recommend attempting to convert existing installation in one swoop, by replacing it in place. -- Jan Paz

Re: [Freeipa-users] [Freeipa-devel] CentOS 7 COPR repository with ipa 4.3.1 available for testing

2016-04-21 Thread Jan Pazdziora
ike to try FreeIPA 4.3.1 on CentOS 7 in container, use branch centos-7-upstream of https://github.com/adelton/docker-freeipa to build locally, or pull image adelton/freeipa-server:centos-7-upstream from Docker hub registry. -- Jan Pazdziora Senior Principal Software Engineer, I

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-29 Thread Jan Pazdziora
PAM service that pam_sss.so / SSSD will handle. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] label for public keys

2016-08-04 Thread Jan Pazdziora
or do you need something else? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] A question related to ipa webui

2016-08-11 Thread Jan Pazdziora
root4u IPv4 xx 0t0 TCP *:https (LISTEN) > ### > > Is there something I am missing in the IPA configuration for the WebUI > please ? Perhaps https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name could give some hints. It was tested on FreeIPA 4.* --

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Jan Pazdziora
role in application-level session where the cookie is held by the browser and evaluated by the application directly. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-13 Thread Jan Pazdziora
rong? There are some more config tweaks likely needed. Writeup https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name should help you resolve the issue. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Jan Pazdziora
actly is the issue. > If anyone have some information or done similar integration, i'd appreciate > if you can share it. What Spacewalk version and what OS and version is this? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] webmaster permission

2016-07-01 Thread Jan Pazdziora
e our Websystem on this Server This server meaning yet another VM, or directly on the host? > What is the best way to allow a external Webmaster to create or modify the > websites with joomla, and have the secure from IPA. Could you be more specific about the have the secure from IPA
