Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

2016-03-19 Thread Jeff Goddard
asses: sambaGroupMapping > EOF > > Note, also there is a notorious spelling mistake under Point 5 of the > Fedora instructions you are following > > cosAttribute: sambaGrouptType > > should be: > > cosAttribute: sambaGroupType > > i.e. sambaGroupType has only one "T

Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

2016-03-19 Thread Jeff Goddard
sAttribute: sambaGroupType > > i.e. sambaGroupType has only one "T". > > Chris

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
centos? Jeff On Wed, Aug 10, 2016 at 2:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Jeff Goddard wrote: > >> Sean, >> >> Thanks for the reply. I don't think that's my problem but I'm posting a >> redacted copy of the sssd.conf file for review

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-11 Thread Jeff Goddard
om] On Thu, Aug 11, 2016 at 2:15 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Jeff Goddard wrote: > >> I've looked through these but not found anything helpful. It appears as >> though my previous statement about the 1 group being found was >> misleading

[Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
I've got a freeipa domain and many centos 7.2 clients. I also have a sudo rule that allows members of the developer group sudo rights on virtual servers in the "development" group. This works great on the centos servers. However, I recently set up 3 ubuntu boxes, and added them to the IPA domain

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-10 Thread Jeff Goddard
onal experience with 14.x > > > > Sean Hogan

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-14 Thread Jeff Goddard
/Giving_users_a_home_directory_automatically I greatly appreciate your time and efforts on this problem. Jeff On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > Hi Pavel, can you help us with this thread? > > > On 12 Aug 2016, at 21:57, Jeff Goddard <jgodd.

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
r=jgoddard Aug 12 08:16:38 docker-dev-01 sudo: jgoddard : command not allowed ; TTY=tty1 ; PWD=/home/jgoddard ; USER=root ; COMMAND=list On Fri, Aug 12, 2016 at 3:52 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Thu, Aug 11, 2016 at 05:02:49PM -0400, Jeff Goddard wrote:

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
The rule is defined that all members of the developer group have sudo access to all commands available on the machines in the office group. Jeff On Fri, Aug 12, 2016 at 9:58 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Fri, Aug 12, 2016 at 08:53:53AM -0400, Jeff Goddard wrote:

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
I made the edit as suggested - removing nis and just leaving sss - restarted sssd and then re-tried. I also tried with files sss. Still getting the same result. Thanks, Jeff On Fri, Aug 12, 2016 at 2:27 PM, Justin Stephenson wrote: > This looks suspicious > > *Aug 12

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-12 Thread Jeff Goddard
ing. > > What version of sssd are you running? > > Kind regards, > > Justin Stephenson > On 08/12/2016 02:35 PM, Jeff Goddard wrote: > > I made the edit as suggested - removing nis and just leaving sss - > restarted sssd and then re-tried. I also tried with files sss. S

Re: [Freeipa-users] Cannot create replica

2017-01-31 Thread Jeff Goddard
as it also have the solution to your > problem: https://fedorahosted.org/freeipa/ticket/6613 > > On Tue, Jan 31, 2017 at 9:21 AM, Rob Crittenden <rcrit...@redhat.com> > wrote: > >> Jeff Goddard wrote: >> >>> My previous install of freeipa became corrupted so I'm

Re: [Freeipa-users] Where is SID stored after ipa-adtrust-install?

2017-02-08 Thread Jeff Goddard
I had this same issue and the value was only added after a password change. Jeff On Wed, Feb 8, 2017 at 11:10 AM, Alexander Bokovoy wrote: > On ke, 08 helmi 2017, Armaan Esfahani wrote: > >> I’ve been having issues with some of my IPA seemingly not getting SID’s >> after

[Freeipa-users] Samba integration documentation question

2017-01-31 Thread Jeff Goddard
I'm taking the next step in getting our freeipa environment set back up. This is a centos 7.2 freeipa 4.4 environment. I'm using this guide as a reference for setting up samba: http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA/NTMLSSP. Our environment does not include

[Freeipa-users] pki status discrepancies

2017-01-26 Thread Jeff Goddard
Is there a reason the ipactl status command shows pki stopped even though the systemctl shows it as running? Here is the example output: [root@id-management-1 log]# systemctl status pki-tomcatd@pki-tomcat ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat Loaded: loaded

[Freeipa-users] Error: CA certificate is not tracked by certmonger

2017-01-25 Thread Jeff Goddard
I've accidentally removed tracking of my CA certificate and don't know how to re-add it. Can someone assist? Using the command: pki ca-cert-find results in the error: PKIException: Not Found Thanks, Jeff

Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-16 Thread Jeff Goddard
Might be another instance of this: https://fedorahosted.org/freeipa/ticket/6613 Jeff On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten wrote: > Hello, > > I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but > I'm getting this error: > >

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-30 Thread Jeff Goddard
Cory, Thanks for the update and link. And a big thanks to everyone else for their time looking at this. I also was able to install the referenced .deb and now sudo works as expected. Jeff On Tue, Aug 30, 2016 at 12:46 PM, Cory Francis Myers < c...@trinitymobilenetworks.com> wrote: > Pavel

Re: [Freeipa-users] Sudo Rule not working

2016-09-29 Thread Jeff Goddard
I had a similar issue. To see the details and solution search the list for: Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1 Jeff On Thu, Sep 29, 2016 at 4:22 AM, Deepak Dimri wrote: > Hi All, > > I have added sudo rule having allowed command for sudo su for

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-26 Thread Jeff Goddard
RunAs User category: all RunAs Group category: all User Groups: developers Host Groups: office [root@id-management-1 ~]# On Fri, Aug 26, 2016 at 5:34 AM, Pavel Březina <pbrez...@redhat.com> wrote: > On 08/25/2016 08:01 PM, Jeff Goddard wrote: > >> I'm still hoping

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jeff Goddard
Not sure if it's related or not but I also reported an instance of similar behavior of this on Ubuntu 16.0.1 On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers wrote: > Hi guys, > > I've been trying to get sudo to work for our day-to-day admin who have > their own

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-25 Thread Jeff Goddard
... Processing triggers for dbus (1.10.6-1ubuntu3) ... Log ended: 2016-08-25 13:49:53 On Sun, Aug 14, 2016 at 2:16 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > Hi Pavel, can you help us with this thread? > > > On 12 Aug 2016, at 21:57, Jeff Goddard <jgodd...@emerlyn.com> wro

[Freeipa-users] Switch certificates from external CA to internal

2017-01-12 Thread Jeff Goddard
I've had issues with expired certificates. In the course of troubleshooting I've somehow set the cas to external. Is there a way I can switch back? [root@id-management-1 conf]# getcert list-cas CA 'SelfSign': is-default: no ca-type: INTERNAL:SELF next-serial-number: 01 CA

Re: [Freeipa-users] Switch certificates from external CA to internal

2017-01-12 Thread Jeff Goddard
it back. Jeff On Thu, Jan 12, 2017 at 10:46 AM, Florence Blanc-Renaud <f...@redhat.com> wrote: > On 01/12/2017 02:57 PM, Jeff Goddard wrote: > >> I've had issues with expired certificates. In the course of >> troubleshooting I've somehow set the cas to external.

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
at 16:21 -0500, Jeff Goddard wrote: > > I don't want to hijack someone else's thread but I'm having what > > appears to > > be the same problem and have not seen a solution presented yet. > > The problem and solution were presented. These two messages basically >

Re: [Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
Invalidcredentials: > bindtoLDAPserverfailed > > kinit prints nothing when it works, so it works in your case, can you > after kinit as DNS service try to use ldapsearch -Y GSSAPI ? > > > Martin > > > > On 05.01.2017 14:58, Jeff Goddard wrote: > > > ---

[Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
I'm starting a new thread rather than continuing to submit under: https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html. My problem is that I cannot get the DNS service to start on one of my replica masters. From the previous message thread: Hello, could you check this link

Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
com> wrote: > On 01/05/2017 04:11 PM, Jeff Goddard wrote: > > I'm starting a new thread rather than continuing to submit under: > https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html. > > My problem is that I cannot get the DNS service to start on one of my

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
at 3:23 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Jeff Goddard wrote: > > Flo, > > > > I'm not able to access the link you posted. I did find this thread > > though > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
wrote: > Jeff Goddard wrote: > > I've done this. > > [root@id-management-1 ipa]# date > > Sun Jan 1 01:12:27 EST 2017 > > > > getcert list gives me this as the first entry: > > > > Request ID '20150116162120': > > status: CA_UNREACHABLE

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
<f...@redhat.com> wrote: > On 01/06/2017 05:36 PM, Jeff Goddard wrote: > >> Thanks Flo, >> >> I was able to add the host to the keytab once I found the correct >> command and then was able to issue >> >> [root@id-management-1 pki-tomcat]# ipa-cacert

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Then replace with the PIN in the command above. > > # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert > cert-pki-ca' -P -c dogtag-ipa-ca-renew-agent > > On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgodd...@emerlyn.com> wrote: > >> I think my

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I have to confess I'm in over my head already. Another shot in the foot isn't going to help. Is there good documentation for solving the problem on the version I'm using? Jeff On Fri, Jan 6, 2017 at 5:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Jeff Goddard wrote: > > R

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've followed the instructions related to my error here: http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't found a solution. Jeff On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgodd...@emerlyn.com> wrote: > Alan, > > Thank you so VERY much. That res

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
den <rcrit...@redhat.com> wrote: > Jeff Goddard wrote: > > I've followed the instructions related to my error here: > > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still > > haven't found a solution. > > Look at these instructions > http://www.freeipa.org

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
wrote: > Jeff Goddard wrote: > > I've followed the instructions related to my error here: > > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still > > haven't found a solution. > > Look at these instructions > http://www.freeipa.org/page/IPA_2x_Certificate_

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
iled because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details. It looks to me like the change in resolve.conf is causing all subsequent lookups to fail. Jeff On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti

[Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
-- Forwarded message -- From: Jeff Goddard <jgodd...@emerlyn.com> Date: Thu, Jan 5, 2017 at 8:57 AM Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} To: Martin Basti <mba...@redhat.com> On Thu,

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-04 Thread Jeff Goddard
I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet. Here is the output of journalctl -xe after having tried to start named: Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading

[Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
My environment is freeipa 4.4; centos 7.3. This system was upgraded as of yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows this entry: Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
incipal admin/ad...@internal.emerlyn.com with password. kadmin: Client 'admin/ad...@internal.emerlyn.com' not found in Kerberos database while initializing kadmin interface Yet if I issue kinit admin I get a password prompt and appear to get a ticket. What am I missing? On Fri, Jan 6, 2017 at 10:19 AM, Rob C

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
<f...@redhat.com> wrote: > On 01/06/2017 04:47 PM, Jeff Goddard wrote: > >> Sorry for the typo. here is the correct output: >> ldapsearch -h id-management-1.internal.emerlyn.com >> <http://id-management-1.internal.emerlyn.com> >> SASL/EXTERNAL authentication starte