Hello,
I'm attempting to configure an AIX 5.3 client, I've followed the instructions
(and then some) that are found here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_AIX.html
I keep overcoming hurdles (like the
I have two IPA servers. The primary/master is SLPIDML01 and the
replica is SLPIDML01. I have followed the instructions for creating a
replica and the install on SLPIDML02 completed successfully. However,
the instructions tell me to add some entries to the DNS zone file, and
I'm stumped.
The
On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:53 PM, Dmitri Pal wrote:
On 04/09/2012 02:50 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:41 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal d
On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:50 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:41 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:34 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:07
On Mon, Apr 9, 2012 at 2:04 PM, KodaK sako...@gmail.com wrote:
On Mon, Apr 9, 2012 at 1:56 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:53 PM, Dmitri Pal wrote:
On 04/09/2012 02:50 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:41
On Mon, Apr 9, 2012 at 3:01 PM, Rob Crittenden rcrit...@redhat.com wrote:
Dmitri Pal wrote:
On 04/09/2012 03:02 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:53 PM, Dmitri Pal d...@redhat.com wrote:
On 04/09/2012 02:50 PM, KodaK wrote:
On Mon, Apr 9, 2012 at 1:46 PM, Dmitri Pal d...@redhat.com
Hi,
I have googled around a bit, but I still have a couple of questions:
1) is it possible to get getent shadow to return shadow entries from
the ipa server? This is so we can do a DR test on some server or set
of servers without also having to restore the IPA server first. I can
do a getent
Further information:
I do have:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com
In /etc/sssd/sssd.conf
Is cn=ng,cn=compat correct?
--Jason
On Tue, Jul 10, 2012 at 2:15 PM, KodaK sako...@gmail.com wrote:
I'm running IPA 2.2.0 on RHEL6
Server:
[root@validserver ~]# rpm
On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal d...@redhat.com wrote:
On 07/17/2012 11:50 AM, KodaK wrote:
I've been banging my head on this for a couple of days, and I can't
find anything in the docs or by searching.
I'm trying to do what I think should be pretty simple: I have a group
On Tue, Jul 17, 2012 at 1:40 PM, KodaK sako...@gmail.com wrote:
On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal d...@redhat.com wrote:
On 07/17/2012 11:50 AM, KodaK wrote:
I've been banging my head on this for a couple of days, and I can't
find anything in the docs or by searching.
I'm trying
On Mon, Jul 23, 2012 at 9:42 AM, KodaK sako...@gmail.com wrote:
Alright, this is pretty bad.
My servers keep going out of sync. I have four replicas, slpidml01
through 04. I only figure it out when weird things start happening.
Is there a log somewhere that I can parse that says
I have an unusual situation. Our DBAs want different passwords for
the oracle account
on production and development machines. I'm using local
authentication for oracle
on all the boxes, but they're also not allowed to log in directly as
oracle, only su, but
su always wants to go to ldap first.
, Aug 7, 2012 at 10:02 AM, KodaK sako...@gmail.com wrote:
I have an unusual situation. Our DBAs want different passwords for
the oracle account
on production and development machines. I'm using local
authentication for oracle
on all the boxes, but they're also not allowed to log in directly
I suspect I'm SOL on this one, but I'd like confirmation.
We have two servers in an HA cluster:
source:
sla710ph1.unix.magellanhealth.com
target:
slahat01.unix.magellanhealth.com
and a service name of:
sla710ph.unix.magellanhealth.com
The service name will float between the HA source and
On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie r...@axpr.net wrote:
I just found this additional log file entries on my IPA server. The
vm-mapsdc2 is one of the domain controllers/DNS servers not associated
with IPA other than being one of our authoritative DNS servers. Is
something
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek pspa...@redhat.com wrote:
Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
SRV records (or let IPA manage it).
Absolutely, this is the best way.
You can configure each all servers and client statically with
Rob, you may want to read through this whole FAQ, but this one covers
what I'm talking about:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms
--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie r...@axpr.net wrote:
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
-I'm going to set up the IPA server with a new realm;
UNIX.MYCOMPANY.COM (do I need to have our DNS folks
I've kerberized a bunch of AIX machines, and I noticed when I was
starting out that AIX allows people to connect that have expired
passwords, and does not prompt for changes.
1) does anyone know what I need to do on AIX to make this happen (I
don't hold out much hope for this.)
2) alternately,
I apologize in advance for not having very much information to go on.
We have exactly 100 hosts in IPA right now. On occasion, maybe once
or twice a day, all authentication just pauses for some amount of
time. It can range from just a few seconds to about 30 seconds. I
can see this happen, I
OK, so it works if you allow all hosts, but fails if you specify a
host. This leads me to believe that the host may not know who it
is.
Run the gamut on local hostname configuration:
Check /etc/hosts, is the host listed with the FQDN first?
Check hostname -- it should report the FQDN.
Check
463 6272
From: KodaK [sako...@gmail.com]
Sent: Wednesday, 15 August 2012 9:41 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to get sudo commend to work...
OK, so it works if you allow all hosts, but fails
On Tue, Aug 21, 2012 at 2:50 AM, Innes, Duncan
duncan.in...@virginmoney.com wrote:
I can't be alone in deploying IPA in a network already dominated by AD.
You're certainly not. In my case it appears the Windows people have
done everything they can to sabotage my efforts to implement SSO in
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:
we cannot use anything other than MS AD for authentication
I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines. To
paraphrase
Thanks, everyone, for your input. It has helped tremendously.
--Jason
Thank you everyone. We finally had our meeting today (it was delayed
from Tuesday.) It went much better than I was expecting. Regardless
of the email that said we can't authenticate to anything but MS AD,
apparently his *actual* concern was having a third party tie-in to
Active Directory that
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Hi,
Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
It looks like ssh is querying IPA for authentication mechanisms?...if so can
I simply turn this off? and if so how?
Slow SSH is (in
I've been having users use the newgrp command to change their
primary group on different machines.
I've poked around in the docs a bit and I don't see this addressed. I
know, I know: if it works, use it -- but I'm wondering if I'm just
missing a way to do it with IPA, or if there's another way
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
On 10/25/2012 11:49 AM, KodaK wrote:
I've been having users use the newgrp command to change their
primary group on different machines.
I've poked around in the docs a bit and I don't see this addressed. I
know, I know
On Thu, Oct 25, 2012 at 2:30 PM, Dmitri Pal d...@redhat.com wrote:
On 10/25/2012 03:11 PM, KodaK wrote:
On Thu, Oct 25, 2012 at 12:35 PM, Dmitri Pal d...@redhat.com wrote:
On 10/25/2012 11:49 AM, KodaK wrote:
I've been having users use the newgrp command to change their
primary group
I'm attempting to install Satellite in my IPA domain. There is a
ridiculous requirement that the group dba must not already exist
prior to installing. Red Hat support wanted me to *remove* the DBA
group and then install.
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain
On Mon, Dec 17, 2012 at 3:03 PM, Dmitri Pal d...@redhat.com wrote:
On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain. There is a
ridiculous requirement that the group dba must not already exist
prior to installing. Red Hat support wanted me to *remove
On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
On Mon, Dec 17, 2012 at 04:03
On Tue, Dec 18, 2012 at 10:38 AM, KodaK sako...@gmail.com wrote:
On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Tue, Dec 18, 2012 at 10:39
This is a surprisingly difficult thing to google for. I'd really like
to roll out an AD trust, but I want to stay within RHEL support.
Approximate is fine, I just want to know if I can plan for it sometime
this year or not.
I have a need to have certain mission critical application accounts
non-expiring (people don't log in directly, but if the accounts expire
it could stop production jobs.)
I've set Max lifetime (days) to 9 in the web interface, but
here's what I see when I do ipa pwpolicy show:
Group:
On Thu, Jan 24, 2013 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote:
It is a 32-bit time problem.
I'd set the maxlife no higher than 5000 for now.
Thanks. Is there a way to apply this policy retroactively without
requiring my users to reset passwords?
--Jason
On Thu, Jan 24, 2013 at 5:05 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
A calendar will be shown to choose a date and time for simplicity if you
download and use the Apache Directory Studio
(http://directory.apache.org/studio/) to edit the krbPasswordExpiration
attribute for a user account.
On Fri, Jan 25, 2013 at 10:43 AM, Dmitri Pal d...@redhat.com wrote:
AFAIK there is also some kind of no shell capability in SSH which might be
useful in this case but I am not a specialist in this area.
You can do this a few ways, but the easiest (IMO) is something like
this in sshd_config:
I use the following to dump my LDAP databases:
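#!/bin/sh
# Export the ipaca backend to a timestamped LDIF file.
# The bind DN contains a space, so it must be quoted.
/usr/lib64/dirsrv/slapd-PKI-IPA/db2ldif.pl -D "cn=directory manager" \
  -j /var/lib/dirsrv/scripts-YOUR-KERB-REALM/dmanager.credentials -n ipaca \
  -a /var/lib/dirsrv/slapd-PKI-IPA/bak/ipaca.`/bin/date +%Y%m%d%H%M%S`.ldif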
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Hi,
I have had little to do with permissions until now so bear with me if the Qs
are obviously stupid, probably not really IPA but a linux blind spot I
have... anyway,
So I have a service account with its group
On Fri, Feb 15, 2013 at 11:25 AM, Lynn Root lr...@redhat.com wrote:
Hi all -
I'm curious if anyone has written Puppet manifests for managing an IPA
domain. If so, I'd like to pester you to take a peek at those manifests.
More curious on the overall automated management process than anything
I suspect the answer to this is no, but I'm asking anyway:
Let's say I have an IPA user named bob. When bob was created, IPA
created a matching GID for him. Is it possible, through IPA, to add
another user to that GID?
If not, and I add another user to that GID by directly manipulating
LDAP,
On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman
bret.wort...@damascusgrp.com wrote:
Eureka!
Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I
replaced it from a saved copy and now everything's working as expected.
Thanks everyone for your contributions, patience, and
Just curious if anyone has configured HP ILO to authenticate against
IPA. I'm just starting out and the fact that the ILO configuration
screen has a section for a SID has me a bit concerned.
On Fri, Feb 22, 2013 at 10:05 AM, Han Boetes hboe...@gmail.com wrote:
Hi Kodak,
The question is: Which authentication mechanisms does HP ILO support?
Their documentation kind of blurs the lines. It appears that the only
directory that exists (according to HP) is AD, so they freely mix
LDAP
I know that at some point the sssd package (or maybe the tools
package) started including sss_cache for managing the sssd cache. I
have some RHEL5 boxes that don't have this utility.
I've been stopping the sssd service, deleting the contents of
/var/lib/sss/db/ and then restarting and things
When performing an operation with the IPA tools, I get a message every
time similar to this:
ipa: INFO: Forwarding 'hbactest' to server u'https://ipaserver/ipa/xml'
What does it mean? I've never seen it say anything other than u
(that I've noticed.) A pointer to documentation is preferred, but
On Thu, Feb 28, 2013 at 3:27 PM, John Dennis jden...@redhat.com wrote:
On 02/28/2013 04:18 PM, KodaK wrote:
When performing an operation with the IPA tools, I get a message every
time similar to this:
ipa: INFO: Forwarding 'hbactest' to server u'https://ipaserver/ipa/xml'
What does it mean
On Thu, Feb 28, 2013 at 5:01 PM, John Dennis jden...@redhat.com wrote:
On 02/28/2013 05:34 PM, KodaK wrote:
BTW, why are you parsing diagnostic output?
I haven't actually started yet, I was just getting my bearings.
I was going to wrap the commands in some scripts so I can do things
like
Hi all.
I know that the A part of IPA has been delayed, but that doesn't mean
that the auditing requirement has gone away.
Before I write a bunch of stuff for this, I wanted to see if anyone
had any thoughts (or code!) regarding how to accomplish some of this
stuff that auditors want to see.
On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney l...@kearney.jp wrote:
Hello,
I have recently been working on integrating our solaris 10 fleet with
FreeIPA. The first 'test' host went relatively smoothly and we recently
created a new test host. Only this time it was more challenging to get
On Fri, Mar 15, 2013 at 8:54 PM, Dmitri Pal d...@redhat.com wrote:
This is what HBAC test is about
The HBAC test will allow me to see if a single user can access a given
server. It doesn't give me a list of all the users that are allowed
to access a given host. I can dump a list of users and
On Tue, Mar 19, 2013 at 3:36 PM, Rob Crittenden rcrit...@redhat.com wrote:
John Moyer wrote:
Is there a mail challenge 3rd party tool that allows for users to change
their own passwords if they don't know their password? Something like
PWM for LDAP?
https://code.google.com/p/pwm/
I've
On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke
mrorou...@earthlink.net wrote:
We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working very well and we plan to move it into production soon.
I haven't written a how-to, but I have several notes on setting this up.
What
On Wed, Mar 20, 2013 at 7:54 PM, Simo Sorce s...@redhat.com wrote:
You should have given the pwm user 'password sync' privileges.
See this: http://www.freeipa.org/page/PasswordSynchronization
I remember what my problem with PWM was now: it wants to go out and
retrieve something from the cloud
I've been asked to look into the possibility of branding IPA.
I'm running ipa 3.0.0-26 on RHEL 6.
Is it safe to just modify the css files in /usr/share/ipa/ui, or is
there (or will there be, since I've seen references to a branding
patch) a preferred way to do this? They want the logo swapped
Run an hbactest:
ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd
Make sure that works, if it does, then you can move on to troubleshooting
the host itself.
On Thu, Apr 4, 2013 at 2:27 PM, Shawn taaj.sh...@gmail.com wrote:
Hi,
I have configured a ipa-server, replica and
Sorry, for some reason gmail makes me forget about reply all.
On Wed, Jun 5, 2013 at 2:45 PM, Dmitri Pal d...@redhat.com wrote:
On 06/05/2013 11:20 AM, KodaK wrote:
I know this has been discussed before, but I didn't see anything with a
cursory search.
There are bugs when using user
On Thu, Jun 6, 2013 at 9:30 AM, Rob Crittenden rcrit...@redhat.com wrote:
Lowest-common denominator. One can configure all sorts of *nix-like
systems to use IPA for authentication so we needed a default shell that is
available on all systems and that is the bourne shell.
I have a bunch of
We've just discovered that AIX does not honor HBAC rules with telnet. ssh
is fine.
[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
-
Access granted: False
-
There was no telnet service by
On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden rcrit...@redhat.com wrote:
HBAC is enforced by sssd, so no sssd, no HBAC.
I think you need to use pam_access to limit users in AIX.
I have some work-arounds now, but I'd like to find a way to automate them.
What
I need is a way to ask IPA who
On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal d...@redhat.com wrote:
I am not good with ldap syntax but SQL natural for me so conceptually the
search would look like this:
I don't think it's humanly possible to be good at ldap syntax.
I hope it conveys what I have in mind. The result of
On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo natxo.ase...@gmail.com wrote:
tcp wrappers support netgroups (iirc), you could use that too (you
cannot mix hosts and users though, so you should create netgroups of
users.
I haven't used tcp wrappers in years, and I never knew it supported
On Mon, Jul 15, 2013 at 7:04 PM, Dmitri Pal d...@redhat.com wrote:
You probably want to remove krbPwdHistory attribute and set
krbPwdHistoryLength to 0.
Just so I'm clear: I only want to do a one-time erase for one user so he
can use a password he was using
earlier. We changed it for
Another off the wall one from me, but I just want to know if this is worth
pursuing.
I have a series of internal web applications that authenticate variously to
AD or IPA via prompted credentials.
I'd like to use Kerberos tickets (and fall back to LDAP) instead.
I have an IPA connected apache
I've been searching and I know it's been answered before but I can't find it.
I have UNIX.DOMAIN.COM as my IPA realm.
I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)
I'm unable to currently change the domain names on these boxes.
In krb5.conf
On Tue, Jul 30, 2013 at 2:41 PM, KodaK sako...@gmail.com wrote:
I've been searching and I know it's been answered before but I can't find it.
I have UNIX.DOMAIN.COM as my IPA realm.
I have some hosts that sit on (in dns) domain.com (they are not part
of any other Kerberos realms.)
I'm
Ok, so, yeah -- my first question stands. This works when it falls
back to LDAP, but it does not honor a kerberos ticket. Is there a way
to do that in the same circumstances?
Thanks again,
--Jason
On Tue, Jul 30, 2013 at 2:58 PM, KodaK sako...@gmail.com wrote:
Nevermind, AIX problem
On Tue, Jul 30, 2013 at 6:16 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Has anybody tried this?
http://code.google.com/p/pwm/
Would it work or is it advised not to use it, if so reasons please?
It's been talked about a bit in this mailing list. I had issues, and I know of
another
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
I think that's the issue. You have to make sure that host.domain.com has
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
setup must be correct so the IPA DNS can forward the request to the
right
On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
I think that's the issue. You have to make sure that host.domain.com has
a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
setup
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote:
I think that's
On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote:
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote:
On Wed, Jul 31, 2013 at 6:56
First, before we go any further: is it supported to use
sssd when the client machines domain differs from
the realm name? If not, then the rest of this is moot.
Client box is a RHEL 5.something. I didn't do ipa-client-install
because I wanted to configure by hand as a test. The client
box has
On Mon, Aug 5, 2013 at 4:23 AM, Sumit Bose sb...@redhat.com wrote:
Which version of FreeIPA are you using on the server? Maybe the sssd
logs at a high debug level will give more details why the access is
denied when you try to log in with ssh as testuser on
stlmoracsbx01.domain.com.
Something
On Tue, Aug 6, 2013 at 4:31 PM, Davis Goodman
davis.good...@digital-district.ca wrote:
Hi,
I have a FreeIPA server configured, managed to configure a Mountain Lion
Client for automounts and user logins.
My issue is that whenever I first login with a user the New Password box
shows up and
Yet another AIX related problem:
The AIX LDAP client is called secldapclntd (sure, they could make it more
awkward, but the budget ran out.) I'm running into the issue detailed here:
http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344
If an LDAP server fails to answer an LDAP query,
a RH ticket.
Thanks,
--Jason
On Thu, Sep 19, 2013 at 1:57 PM, KodaK sako...@gmail.com wrote:
Well, this is awkward:
[root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
5453936
[root@slpidml01 slapd-UNIX-xxx-COM]#
On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com
Well, this is awkward:
[root@slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
5453936
[root@slpidml01 slapd-UNIX-xxx-COM]#
On Thu, Sep 19, 2013 at 1:48 PM, KodaK sako...@gmail.com wrote:
Thanks. I've been running that against my logs, and this has to be
abnormal:
err=32
Terry, did you ever get to the bottom of this? I appear to be having a
similar issue with the same version of IPA.
On Wed, Sep 4, 2013 at 1:18 PM, Terry Soucy tso...@salesforce.com wrote:
I am experiencing some long execution times, and I'm wondering if anyone
can give me some insight.
We
I didn't realize that DNS created one connection. I thought it was one
connection spanning several days.
On Thu, Sep 19, 2013 at 2:51 PM, Rich Megginson rmegg...@redhat.com wrote:
On 09/19/2013 12:57 PM, KodaK wrote:
Well, this is awkward:
[root@slpidml01 slapd-UNIX-xxx-COM]# grep conn
=9 op=169772 RESULT err=32 tag=101
nentries=0 etime=0
So far today there are over half a million of these. That can't be right.
On Thu, Sep 19, 2013 at 3:05 PM, KodaK sako...@gmail.com wrote:
I didn't realize that DNS created one connection. I thought it was one
connection spanning several
/2013 07:57 PM, Dmitri Pal wrote:
On 09/16/2013 12:02 PM, KodaK wrote:
Yet another AIX related problem:
The AIX LDAP client is called secldapclntd (sure, they could make it
more awkward, but the budget ran out.) I'm running into the issue detailed
here:
http://www-01.ibm.com/support
pspa...@redhat.com wrote:
On 20.9.2013 01:24, KodaK wrote:
This is ridiculous, right?
IPA server 1:
# for i in $(ls access*); do echo -n $i:\ ;grep err=32 $i | wc -l; done
access: 248478
access.20130916-043207: 302774
access.20130916-123642: 272572
access.20130916-201516: 294308
access
Here's what I had to do:
http://www.freeipa.org/page/PasswordSynchronization
On Thu, Sep 26, 2013 at 10:35 AM, KodaK sako...@gmail.com wrote:
As far as I can tell, password policy is enforced on the client side, not
the directory side.
I set up a self-service password reset utility which
I'm attempting to get HP ILO authenticating against IPA again.
I've configured the user context in ILO as:
cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
When ILO tries to connect, it sends the string:
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
Which, of course,
If I use the whole connection string:
uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
I can authenticate.
On Tue, Nov 5, 2013 at 1:40 PM, KodaK sako...@gmail.com wrote:
I'm attempting to get HP ILO authenticating against IPA again.
I've configured the user context
Just wanted to pass along an issue I just had.
We have some legacy local users on some boxes, and we need to have a mix of
those local users and IPA users in the same groups.
In order for that to happen (at least on AIX) I need to create a group in
IPA with the GID of the local group. This can
I am an unfortunate AIX sufferer as well. I've gotten through setting this
up.
First, what version of sudo are you running on the AIX box?
On Mon, Dec 16, 2013 at 8:46 AM, y...@degauquier.net wrote:
Hi,
I'm trying to integrate on AIX environment (as clients) a centralized
authentication
For the record, I spent quite a long time on this and finally gave up. I
never found a work-around other than providing the entire DN, which I
wasn't about to do.
On Tue, Jan 14, 2014 at 11:53 PM, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 15 Jan 2014, Les Stott wrote:
I can
Hey everyone,
A couple of days ago I started getting the following message:
[jebalicki@slpidml01 ~]$ ipa cert-show 1
ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
ipa: INFO: Forwarding 'cert_show' to server u'https://slpidml01.unix.xxx.com/ipa/xml'
ipa: ERROR: Certificate operation
On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden rcrit...@redhat.com wrote:
KodaK wrote:
Hey everyone,
A couple of days ago I started getting the following message:
[jebalicki@slpidml01 ~]$ ipa cert-show 1
ipa: INFO: trying https://slpidml01.unix.xxx.com/ipa/xml
ipa: INFO: Forwarding
On Fri, Feb 28, 2014 at 1:05 PM, Rob Crittenden rcrit...@redhat.com wrote:
KodaK wrote:
On Fri, Feb 28, 2014 at 11:14 AM, Rob Crittenden rcrit...@redhat.com wrote:
KodaK wrote:
Hey everyone,
A couple of days ago I started getting
Once again, I'm probably missing something that's well documented. I
promise I searched.
We have a daily termination list that needs to be enforced at 5:00 PM every
day. I can script it up just fine, but sometimes I like to sneak out early.
I tried to use at, but since I'm logged out when the
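###
# Auto Kinit
# klist -s is silent and exits non-zero when there is no valid ticket cache.
/usr/kerberos/bin/klist -s
EXITCODE=$?
if [ $EXITCODE != 0 ] ; then
# Clear any stale cache, then get a new ticket from the keytab.
/usr/kerberos/bin/kdestroy > /dev/null 2>&1
/usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
fi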
On Mar 6, 2014, at 8:48 AM, KodaK sako
I had this issue, but I gave up. I have my users either log into a Linux
box to change passwords or use a web based password reset I set up for them.
When your users log in successfully do they have tickets? That's my
situation: they can get tickets once they're logged in, but can't change
when
Andrew's suggestion works fine, but you can also set up a simple krb5.conf
on the source hosts and then issue a kinit. It doesn't have to be a full
IPA client for that to work.
You can also do this from a Windows box by using the MIT Kerberos for
Windows package: