Re: [Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-13 Thread Karl Forner
), Karl Forner wrote: Hello, I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to work. I then realized that I used ipa-client-install version 3.3.4. Is this a plausible cause ? And if so, where can I get a more recent version for ubuntu/debian ? Newer version of ipa

[Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
denied) in freeIPA I setup an hbac rule for this user and host that allows the services: ftp login sshd gdm-password crond gdm What did I miss ? Thanks. Karl Forner -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
oup. > > Best regards, > Fabian > > -Original Message- > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On behalf of Karl Forner > Sent: Thursday, 15 October 2015 15:53 > To: freeipa-users@redhat.com > Subject: [Freei

Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
lar are using cron > > ____ > From: Karl Forner [karl.for...@gmail.com] > Sent: Thursday, October 15, 2015 16:24 > To: Zoske, Fabian > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] freeIPA user can not use cron > > Yes it works !!! Maybe this should b

Re: [Freeipa-users] freeIPA user can not use cron

2015-10-15 Thread Karl Forner
%ipa hbactest User name: qbuser Target host: asgard Service: crond Access granted: True On Thu, Oct 15, 2015 at 3:53 PM, Karl Forner <karl.for...@gmail.com> wrote: > Hi, > > cron jobs do no work using a freeIPA user account. > > the cron job: >

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Karl Forner
Sorry I had disabled the emailing, I just saw your answers in the archives. >> How can I debug this ? >Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining debugging information" from

[Freeipa-users] (no subject)

2015-10-08 Thread Karl Forner
Hi, > you are prompted for password because (ALL) ALL rule is applied because of > last-match rule. > > > See: > http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the /usr/bin/less sudo rule. Now, if I type in a

Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
, Pavel Březina <pbrez...@redhat.com> wrote: > On 10/08/2015 04:26 PM, Karl Forner wrote: >> >> Hi, >> >> >>> you are prompted for password because (ALL) ALL rule is applied because >>> of last-match rule. > > > See: >>> http://w

Re: [Freeipa-users] (no subject)

2015-10-09 Thread Karl Forner
y to upgrade sssd right now with ubuntu 14.04. Is it possible to set sudo_inverse_order = true with my current version, i.e. even if it is not yet recognized ? > > >> >> >> On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrez...@redhat.com> wrote: >>

[Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Hello, When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder for instance). For example, I'd like foo.example.test not to be resolved, but forwarded. How could I implement this ? Thanks. Karl Forner

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote: When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti mba...@redhat.com wrote: On 08/07/15 14:26, Karl Forner wrote: Hello, When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder for instance

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
Spacek pspa...@redhat.com wrote: On 8.7.2015 15:07, Karl Forner wrote: On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote: When using my freeIPA DNS name server for my domain example.test, I need

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
, Martin Basti mba...@redhat.com wrote: On 08/07/15 14:26, Karl Forner wrote: Hello, When using my freeIPA DNS name server for my domain example.test, I need to exclude some names from the server (to be forwarded to the DNS forwarder for instance. For example, I'd like foo.example.test

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Karl Forner
/etc/hosts on all internal computers, but I had hoped to benefit from the freeIPA DNS for a more elegant solution. On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek pspa...@redhat.com wrote: On 8.7.2015 16:32, Karl Forner wrote: Thanks Petr. My use case is: we have scripts that connect to some

[Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-10 Thread Karl Forner
Hello, I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to work. I then realized that I used ipa-client-install version 3.3.4. Is this a plausible cause ? And if so, where can I get a more recent version for ubuntu/debian ? Thanks, Karl

[Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale()

2015-09-11 Thread Karl Forner
So I just edited my /etc/default/locale to permanently fix my problem. Nonetheless, I'd be curious to understand why the setlocale() call fails when sss_ssh_knownhostsproxy is called via git via sparkleshare (via mono). Regards, Karl Forner

Re: [Freeipa-users] [work-around] sss_ssh_knownhostsproxy problem with sparkleshare due to setlocale()

2015-09-11 Thread Karl Forner
done: Ticket #2785 <https://fedorahosted.org/sssd/ticket/2785> On Fri, Sep 11, 2015 at 10:17 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Fri, 11 Sep 2015, Karl Forner wrote: > >> Hi, >> >> I kind of fixed my problem, but I share it there in cas

Re: [Freeipa-users] ipaSshPubKey and ldapsearch

2015-09-18 Thread Karl Forner
Sorry, my mistake. The following works fine: % ldapsearch -x -D 'uid=ldap_gitlab,cn=users,cn=accounts,dc=quartzbio,dc=com' -W uid=karl cn ipaSshPubKey Karl On Fri, Sep 18, 2015 at 3:13 PM, Karl Forner <karl.for...@gmail.com> wrote: > Hello, > > I'm trying to integrate the fre

[Freeipa-users] ipaSshPubKey and ldapsearch

2015-09-18 Thread Karl Forner
Hello, I'm trying to integrate the freeIPA SSH public key with gitlab Enterprise Edition. They have a configuration setting **ldap_sync_ssh_keys** that I tried to set to 'ipaSshPubKey' but it does not work. While trying to understand the problem, I realized that I don't even know how to

[Freeipa-users] sudo rules do not seem to work

2015-10-06 Thread Karl Forner
Hello, I had assumed sudo rules worked because I have an "allow_all for admins" sudo rule that seemed to work, but I wonder if there is an implicit rule for the special group admins ? Because I have tried to replicate this allow_all rule for other user groups, and it does not seem to work

Re: [Freeipa-users] confused about replica role and use

2015-12-16 Thread Karl Forner
> > If you do a local login instead of a kinit, you will see that SSSD will > switch to the new server and subsequent kinit will start using it. > Ok, I checked and it works just fine for me, thanks. This dynamic discovery of freeipa servers by sssd is very elegant and smart; but I still do not

Re: [Freeipa-users] confused about replica role and use

2015-12-16 Thread Karl Forner
> SSSD mostly manages discovery of servers, it is normally configured with > the name _srv_ + an actual name as fallback. > SSSD also feeds the information to kerberos libraries via a plugin. ok, I have this line in my /etc/sssd/sssd.conf: ipa_server = _srv_, ipa.example.com How do I check the

[Freeipa-users] bash completion freeze possibly related to freeipa/sssd

2015-12-17 Thread Karl Forner
Hello, Since we use freeIPA, every ubuntu client experiences some sporadic freezes with bash completion. It seems far-fetched but the other ubuntu clients not using sssd/freeipa do not experience these problems. Could it be related ? How to troubleshoot ? Regards, Karl

Re: [Freeipa-users] confused about replica role and use

2015-12-17 Thread Karl Forner
> > Unfortunately it is, it is a bug in the way we update the krb5 libraries > to point to a KDC. > > SSSD updates this information in a file under /var/lib/sss/pubconf and > krb5 libraries read from it, however kinit cannot force sssd to > re-evaluate if the file needs updating. > Is there a

Re: [Freeipa-users] confused about replica role and use

2015-12-15 Thread Karl Forner
>All replicas should be listed in SRV records in DNS so clients will find them >automatically. But then I must add the freeIPA DNS of the master AND the replica in resolv.conf ? Thanks, Karl

[Freeipa-users] confused about replica role and use

2015-12-14 Thread Karl Forner
Hello, From what I understood, a freeipa replica server is a kind of backup of another freeipa server. Both are usable by clients, and they will dynamically update their information. But I do not understand how a client will make use of the replica if the master server is down. Naively I would

[Freeipa-users] how to force switch to another kdc

2016-01-04 Thread Karl Forner
Hello, My freeipa master has crashed, and I have a replica running. The problem is that I can no longer use the webapps on my main server which use a kerberos authentication since my server will not switch to the kdc on my replica. I remember that someone replied to me on this list about that

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Karl Forner
> > > It hangs forever. > > How long is forever? > officially it's about 15 mins. Do you mean that this delay could be expected ? > > > If I run it using the --cleanup option, it seems to work. > > That does other things. > and actually it did not really work. > > > > > But when I try to run

[Freeipa-users] faking DNS autodiscovery of servers

2016-01-06 Thread Karl Forner
Hello, I have some web applications that use LDAP for authentication/authorization, and which do not support LDAP auto-discovery. I'm wondering if it's possible to fake the auto-discovery of server. For instance, I could imagine using a DNS CNAME ldap_current.example.com which should point to a

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
uld still happen. Is that so ? Thanks. On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner <karl.for...@gmail.com> wrote: > Hello, > > My freeipa master has crashed, and I have a replica running. > The problem is that I can not use anymore the webapps on my main server &

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
. Did I miss any critical option ? What should the /etc/krb5.conf be like ? Thanks. On Tue, Jan 5, 2016 at 7:06 PM, Karl Forner <karl.for...@gmail.com> wrote: > Another piece of information: > > the linux boxes are running ubuntu too, with the same configuration. > I hav

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
Thanks a lot, that works if I comment out the explicit reference to a server name, and switch dns_lookup_kdc to true. I think I understand why it was not working from the install: I used the ipa-client-install with the option --server. According to the man page, in the "Failover" section,

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Karl Forner
On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote: > > Hello, > > > > My freeipa master has crashed, and I have a replica running. > > The problem is that I can not use anym

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> > I purposely used rather weak wording in my blog to ensure that one > thinks carefully about making this kind of change. If your original > master can be brought back up that is definitely the best way to resolve > it. > ok, I'll try this first. > > If it was nuked from orbit then yeah the

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> > > > I am not sure to follow. The default used by my master is > > 13400-13420 right ? > > So I could set 13500-13520 for instance. Or did I miss something > ? > > > > > > My example was based on the ldif you proposed. > > What the DNA plugin would have done is split the original

[Freeipa-users] unable to effectively delete a replica agreement

2015-12-18 Thread Karl Forner
I am running a master freeIPA called "ipa" in an adelton/freeipa-server (freeIPA 4.1.4). I am able to create a replica server "ipa2", still in an adelton/freeipa-server. If I stop my ipa2 replica, and try to delete the replication agreement: %ipa-replica-manage del ipa2.example.com --force -v

Re: [Freeipa-users] ipa-replica-install --setup-ca: do or don't?

2015-12-28 Thread Karl Forner
> There is no need to have a CA on every ipa server, so a CA is not > installed by default. What is the downside of having every replica as a CA ? Because in case of big trouble with your master, if your replica is not a CA you can not replace your master from this replica right ? In particular

Re: [Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found

2015-12-22 Thread Karl Forner
image on my computers. Thanks, Karl On Tue, Dec 22, 2015 at 2:46 AM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote: > > Hello, > > > > Running: > > ipa-replica-prepare ipa-h3s1.example.com --ip-ad

[Freeipa-users] ipa-replica-prepare error: Profile caIPAserviceCert Not Found

2015-12-21 Thread Karl Forner
Hello, Running: ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v fails with ipa: DEBUG: Protocol: TLS1.2 ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA ipa: DEBUG: request status 200 ipa: DEBUG: request reason_phrase u'OK' ipa: DEBUG: request headers {'date': 'Mon, 21 Dec

Re: [Freeipa-users] unable to effectively delete a replica agreement

2015-12-21 Thread Karl Forner
It's quite a problem for me. Would upgrading to a more recent version solve the problem ? How does freeIPA know that a host is a freeIPA host ? From the LDAP ? Thanks On Fri, Dec 18, 2015 at 3:45 PM, Karl Forner <karl.for...@gmail.com> wrote: > I am running a master freeIPA ca

[Freeipa-users] freeipa hardware appliance

2015-11-20 Thread Karl Forner
Hello, Could you recommend a mini appliance/server to use as a freeIPA server ? I guess the main points are an ethernet port, minimal consumption, robustness. Thanks, Karl Forner

[Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-20 Thread Karl Forner
? Thanks, Karl Forner

Re: [Freeipa-users] freeipa hardware appliance

2015-11-20 Thread Karl Forner
cation on its own dedicated appliance. On Fri, Nov 20, 2015 at 6:29 PM, Martin Basti <mba...@redhat.com> wrote: > > > On 20.11.2015 16:47, Karl Forner wrote: > > Hello, > > Could you recommend me a mini appliance/server to use as a freeIPA server > ? > I guess the ma

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-06 Thread Karl Forner
Thanks a lot Jan. It works perfectly, and it is crystal-clear. Best, Karl On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote: > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote: >> >> Hope this helps. I will likely do another writeup about this setup. > >

[Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-02 Thread Karl Forner
Hi, My problem is: I have an ipa.example.com server on the internal network, with self-signed certificates. I'd like to be able to connect to the UI from the internet, using https with other certificates (e.g. let's encrypt certificates). So I tried to setup an SNI apache reverse proxy, but I

[Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Hello, If I go to active users, click Add, fill in login, first and last name, then click "Add", I get the error message: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. I also tried to add

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> If you never added users through this IPA server, it has no subset of ID > range > allocated to IDs issued on this server. To obtain this subset, it needs > to talk back to the master on first allocation. Master is missing, thus > it couldn't talk to it. > thanks. But if I understand, I just

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
as a work-around, or should it be avoided at all means ? On Fri, Jan 8, 2016 at 5:17 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Fri, 08 Jan 2016, Karl Forner wrote: > >> If you never added users through this IPA server, it has no subset of ID >>&

Re: [Freeipa-users] UnicodeEncodeError using ipa user-find

2016-01-14 Thread Karl Forner
IDENTIFICATION="C" LC_ALL= I confirm it works using LC_ALL=en_US.utf8 ipa user-find --login=$login I'm using the adelton docker. Maybe the default locale should be set to en_US.utf8 ? Are there any expected downsides ? Thanks. On Thu, Jan 14, 2016 at 3:43 PM, Martin Basti <mba...@redhat.c

[Freeipa-users] UnicodeEncodeError using ipa user-find

2016-01-14 Thread Karl Forner
Hello, When I do: ipa user-find --login=$login I get: ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character u'\xf1' in position 25: ordinal not in range(128) Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run

Re: [Freeipa-users] how to list only enabled users using ipa user-find

2016-01-14 Thread Karl Forner
On Thu, Jan 14, 2016 at 3:12 PM, Rob Crittenden wrote: > '(nsAccountLock=TRUE)' dn thanks

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
> > The docs you are referring to are quite old: 5 full Fedora releases, > several IPA releases. > You're right, sorry. I found this documentation

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
I forgot to say that I did a "kinit admin" before the ipa user-mod. On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner <karl.for...@gmail.com> wrote: > Hello, > > I tried to postpone a password expiration date, as indicated here: > > https://docs.fedoraproject.org/en-

[Freeipa-users] cups problem that may be related to freeIPA

2016-03-08 Thread Karl Forner
r 8 15:14:58 pyro cupsd: pam_sss(cups:auth): Request to sssd failed. Permission denied M I added many local groups to my freeIPA user: (sys),4(adm),7(lp),27(sudo),109(lpadmin), If I enter the credentials of a local account (not managed by freeIPA), it works. What's wrong ? Thanks, Karl Forner

Re: [Freeipa-users] cups problem that may be related to freeIPA

2016-03-08 Thread Karl Forner
Very good idea indeed. Disabling the apparmor profile for cups solved the problem. Thanks a lot ! Just an idea: > You probably have AppArmor running and its default policy might prevent > cupsd to talk to sssd socket. > > -- > / Alexander Bokovoy >

[Freeipa-users] login/su problem on ubuntu

2017-02-28 Thread Karl Forner
:account): Access denied for user joe: 6 (Permission denied) Feb 28 16:48:32 nyx su[26394]: pam_acct_mgmt: Permission denied Feb 28 16:48:32 nyx su[26394]: FAILED su for joe by karl This computer is setup exactly like a dozen of others that work fine. What could be the problem ? Thanks, Karl Forner

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Mon, 17 Oct 2016, Karl Forner wrote: > >> Thanks Alexander, unfortunately I could only find outdated documentation. >> I just realized that my question is not precise enough. >>

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
;aboko...@redhat.com> wrote: > On Wed, 12 Oct 2016, Karl Forner wrote: > >> Hello, >> >> A very simple question, but I could not find the answer. I'd like to setup >> a replica on another network than my master. Is it possible to setup the >> replication using

[Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Karl Forner
Hello, A very simple question, but I could not find the answer. I'd like to setup a replica on another network than my master. Is it possible to setup the replication using only https, or must other ports be available ? Thanks, Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thank you ! This is at last crystal clear for me ! Thank you also for the VPN/tunneling suggestion, I'll look into it. On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Mon, 17 Oct 2016, Karl Forner wrote: > >> On Mon, Oct 17, 2016 at 1