Re: [Freeipa-users] DNS forwarders

2015-03-17 Thread Martin Basti
-forwarder=8.8.4.4 --forwarder=8.8.8.8 ... or using webUI This setting will override configuration of forwarders in named.conf. I don't know if there are some historical reasons to configure forwarders only in named.conf during installation, do you know Petr? -- Martin Basti

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Martin Basti
ed Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfo

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Martin Basti
-- Martin Basti

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Martin Basti
-- Martin Basti

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-02 Thread Martin Basti
ion what is causing this problem? (no, I am not upgrading from an older version, this is a fresh install) Kind regards, Winfried Hello, you can try: https://www.redhat.com/archives/freeipa-users/2015-April/msg00076.html -- Martin Basti

Re: [Freeipa-users] pks error??

2015-04-02 Thread Martin Basti
this message? Which log? Can you send the log? Martin -- Martin Basti

Re: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)

2015-04-02 Thread Martin Basti
f you think it is 1180325 issue you can check if nsSchemaPolicy is in 01core389.ldif: grep -i nsSchemaPolicy /etc/dirsrv/slapd-INSTANCE/schema/01core389.ldif grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif Martin -- Martin Basti

Re: [Freeipa-users] Antwort: Re: Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)

2015-04-07 Thread Martin Basti
etscape Directory Server' ) grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ s

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-07 Thread Martin Basti
sing" the script the same error occurs: "CA did not start in 300.0s" I might try to hack the services.py script but anyone got another suggestion? Kind regards, Winfried On 02-04-15 at 13:38, Martin Basti wrote: On 02/04/15 12:53, Winfried de Heiden wrote: Hi all, "B

Re: [Freeipa-users] Replication failed

2015-04-07 Thread Martin Basti
telephone and immediately and permanently delete the message and any attachments. Thank you Hello, do you have synchronized time on both servers? Martin -- Martin Basti

Re: [Freeipa-users] Replication failed

2015-04-07 Thread Martin Basti
). Current seqnum=1 From which log is this? Regards Sanju Abraham Linux Admin From: Martin Basti To: Sanju A , freeipa-users@redhat.com Date: 07-04-2015 16:53 Subject: Re: [Freeipa-users] Replication failed On 07/0

Re: [Freeipa-users] DNS lookups after replica(master) added

2015-04-22 Thread Martin Basti
o', 'nsaccountlock': u'rscwo'} cn: dns objectclass: idnsConfigObject objectclass: nsContainer objectclass: top Hello, Can you share more details please? What is your IPA version? What is your zone, how do you test it (dig/host command?), output from these comm

Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-27 Thread Martin Basti
-- Martin Basti

Re: [Freeipa-users] FreeIPA SAML and Google Apps

2015-04-28 Thread Martin Basti
On 28/04/15 08:53, Andrew Holway wrote: Hi, Is it yet possible to use FreeIPA as an identity provider to Google Apps via SAML. I understand there was some project afoot Thanks, Andrew Maybe this would help. https://fedorahosted.org/ipsilon/ -- Martin Basti

Re: [Freeipa-users] Using CNAME to point to different domain name

2015-05-07 Thread Martin Basti
PA, the CNAME should be set on that external server, IPA cannot help in this case. Martin -- Martin Basti

Re: [Freeipa-users] Using CNAME to point to different domain name [SOLVED]

2015-05-07 Thread Martin Basti
On 07/05/15 18:30, Andrey Ptashnik wrote: Hi Martin, Thank you for a catch! I just noticed that I was missing the dot you mentioned! Regards, Andrey From: Martin Basti mailto:mba...@redhat.com>> Date: Thursday, May 7, 2015 at 2:37 AM To: Andrey Ptashnik <mailto:aptash...@

Re: [Freeipa-users] Problems with failed upgrade: groups are not created

2015-05-14 Thread Martin Basti
=0 csn=5553e3f800010004 ===< Which is consistent with the slapd log during the upgrade: [21/Apr/2015:19:18:43 +] NSACLPlugin - The ACL target cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist -- Kind regards, Will Sheldon Hello, can you find in

Re: [Freeipa-users] Configuration of CA failed

2015-05-14 Thread Martin Basti
, Remigio Hello, can you please check error logs of DS? /var/log/dirsrv/slapd-*/errors And please post here an error why DS restart failed. Martin -- Martin Basti

Re: [Freeipa-users] Configuration of CA failed

2015-05-14 Thread Martin Basti
On 14/05/15 13:54, Remigio Moncayo Serrano wrote: I fail to see the problem in the logs so I’m attaching the file here *From:* Martin Basti [mailto:mba...@redhat.com] *Sent:* Thursday, 14 May 2015 13:05 *To:* Remigio Moncayo Serrano; freeipa-users@redhat.com *Subject:* Re: [Freeipa

Re: [Freeipa-users] ubuntu dns discovery

2015-05-22 Thread Martin Basti
llation failed. Rolling back changes. IPA client is not configured on this system. ``` Yet on the same client: ``` root@testing-ubuntu001:~# dig srv _ldap._tcp.pp +short 0 100 389 production-ipa003.pp. 0 100 389 production-ipa001.pp. 0 100 389 production-ipa002.pp. ``` Why can't ipa-

Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

2015-06-01 Thread Martin Basti
odlist) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, in error_handler raise errors.ObjectclassViolation(info=info) 2015-05-28T17:11:53Z DEBUG T

Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

2015-06-02 Thread Martin Basti
onfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg had the wrong owner (root). I saw this issue in containers as well, when upgrading from Fedora 21 to 22. Do we have a bugzilla / ticket filed? Do we need one? I don't think so, please file a ticket. -- Martin Basti

Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

2015-06-09 Thread Martin Basti
entries or actually be allotted all permissions on the system? Hello, which version of IPA do you use? I was able to find all zones with new user on IPA 4.1. I just add the 'DNS administrators' privilege for the new user. Martin -- Martin Basti

Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

2015-06-09 Thread Martin Basti
On 09/06/15 12:58, Martin Basti wrote: On 08/06/15 20:59, nat...@nathanpeters.com wrote: I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries. The builtin admin user can search and get results for DNS entries just fi

Re: [Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

2015-06-09 Thread Martin Basti
On 09/06/15 13:05, Martin Basti wrote: On 09/06/15 12:58, Martin Basti wrote: On 08/06/15 20:59, nat...@nathanpeters.com wrote: I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries. The builtin admin user can sear

Re: [Freeipa-users] Host don't update DNS

2015-06-16 Thread Martin Basti
"dynamic updates" for the particular zone? What is your IPA version? Martin -- Martin Basti

Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party Tools against FreeIPA Server

2015-07-07 Thread Martin Basti
everything I want to see). Cheers Chris Hello, all LDAP queries are logged in this log /var/log/dirsrv/slapd-*/access -- Martin Basti

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Martin Basti
therwise dnszone-add with --forwarder option Do not forget to add proper NS delegation for all sub zones from parent zone. For example: ipa dnsrecord-add example.test. test --ns-rec=ipa.example.test. -- Martin Basti

Re: [Freeipa-users] DNS configuration for not resolving some addresses

2015-07-08 Thread Martin Basti
ample.test. zone managed by IPA, and add delegation to this zone into example.test. Martin On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti <mailto:mba...@redhat.com>> wrote: On 08/07/15 14:26, Karl Forner wrote: Hello, When using my freeIPA DNS name server for my domain

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-13 Thread Martin Basti
in zones where the particular A/ records are? SSSD is able to update records. Please check if "dyndns_update" is set to true in sssd.conf. (man sssd-ipa) -- Martin Basti

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti
istrator e-mail address: hostmaster.mydom.com. SOA serial: 1436799166 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; You must use option --all ipa dnszone-show mydom.com --all Martin On Mon, Jul 13, 2015 at 11:20 A

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti
istrator e-mail address: hostmaster.mydom.com. SOA serial: 1436799166 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti wrote: On 12/07/15 10:05, Sina Owolabi wrote: Hi I h

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

2015-07-14 Thread Martin Basti
2:20 PM, Martin Basti wrote: On 13/07/15 19:58, Sina Owolabi wrote: Hi Martin Yes all my sssd configs are set ipa_dyndns_update = True I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) b

Re: [Freeipa-users] Reverse DNS and Forwarding

2015-07-15 Thread Martin Basti
PA DNS? (with suffix 10.in-addr.arpa)? -- Martin Basti

Re: [Freeipa-users] Reverse DNS and Forwarding

2015-07-15 Thread Martin Basti
On 15/07/15 15:07, Nevada Sanchez wrote: On Wednesday, July 15, 2015, Martin Basti <mailto:mba...@redhat.com>> wrote: On 14/07/15 19:12, Nevada Sanchez wrote: I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global forwarding ('Forward First') so t

Re: [Freeipa-users] ipa-dnskeysyncd exited on failure state

2015-07-30 Thread Martin Basti
-dnskeysyncd are stored in journalctl -u ipa-dnskeysyncd This error, or LDAP error may appear during restart, but it should not be often. Is your KDC working well? If you do not use DNSSEC you may safely ignore this error. -- Martin Basti

Re: [Freeipa-users] reverse DNS lookup does not work

2015-08-14 Thread Martin Basti
On 08/11/2015 04:47 PM, Nikola Kržalić wrote: reverse DNS lookup stopped working after I broke some replication agreements (perhaps unrelated, but worth mentioning). Regular A records resolve fine. The records can be seen in LDAP (using ldapsearch with GSSAPI after kinit -t /etc/named.keytab):

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti
On 08/14/2015 10:12 AM, Yogesh Sharma wrote: Hi, We use Chef to perform the basic system setup once we launch new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended ipa-client installation, we are passing below p

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti
On 08/14/2015 10:54 AM, Martin Basti wrote: On 08/14/2015 10:12 AM, Yogesh Sharma wrote: Hi, We use Chef to perform the basic system setup once we launch new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended

Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti
On 08/14/2015 12:07 PM, Yogesh Sharma wrote: Hi, Upon client registration , PTR records are not getting added to reverse Zone in IPA DNS. /Best Regards,/ /__ / /Yogesh Sharma / /Email: yks0...@gmail.com | Web: www.initd.in

Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti
om/+YogeshSharmaOnGooglePlus> On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti <mailto:mba...@redhat.com>> wrote: On 08/14/2015 12:07 PM, Yogesh Sharma wrote: Hi, Upon client registration , PTR records are not getting added to reverse Zone in IPA DNS. /Best Regards

Re: [Freeipa-users] PTR record not adding to IPA DNS

2015-08-14 Thread Martin Basti
m/in/yks> <https://twitter.com/checkwithyogesh> <http://google.com/+YogeshSharmaOnGooglePlus> On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti <mailto:mba...@redhat.com>> wrote: On 08/14/2015 12:57 PM, Yogesh Sharma wrote: Forward zone: initd.int <http

Re: [Freeipa-users] IPA Client Unattended Registration Issue

2015-08-14 Thread Martin Basti
Please provide feedback if this (and which) solution works for you, this may help for other users too. Martin On 08/14/2015 11:02 AM, Martin Basti wrote: On 08/14/2015 10:54 AM, Martin Basti wrote: On 08/14/2015 10:12 AM, Yogesh Sharma wrote: Hi, We use Chef to perform the basic system

Re: [Freeipa-users] IPA Client Unattended Registration Issue [SOLVED]

2015-08-14 Thread Martin Basti
itd.in <http://www.initd.in/> / / / /RHCE, VCE-CIA, RACKSPACE CLOUD U Certified/ <https://www.fb.com/yks> <http://in.linkedin.com/in/yks> <https://twitter.com/checkwithyogesh> <http://google.com/+YogeshSharmaOnGooglePlus> On Fri, Aug 14, 2015 at 5:20 PM, Ma

Re: [Freeipa-users] PTR record not adding to IPA DNS [SOLVED]

2015-08-14 Thread Martin Basti
HCE, VCE-CIA, RACKSPACE CLOUD U Certified/ <https://www.fb.com/yks> <http://in.linkedin.com/in/yks> <https://twitter.com/checkwithyogesh> <http://google.com/+YogeshSharmaOnGooglePlus> On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti <mailto:mba...@redhat.com&

Re: [Freeipa-users] FreeIPA certificate for Outlook

2015-08-18 Thread Martin Basti
On 08/18/2015 01:02 PM, Günther J. Niederwimmer wrote: Hello, is it possible to export a CA / certificate for a windows client "outlook" when yes, can any tell me the correct file? Thanks for a answer -- mit freundlichen Grüssen / best regards, Günther J. Niederwimmer Hi, IPA CA cer

Re: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data

2015-08-20 Thread Martin Basti
On 08/20/2015 01:48 PM, David Dejaeghere wrote: Hi, I noticed that changing the authoritative nameserver in FreeIPA reflects correctly to its directory data but bind will not resolve the soa record with the updated mname details. For example I add a zone test.be and change

Re: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data

2015-08-20 Thread Martin Basti
On 08/20/2015 02:22 PM, Martin Basti wrote: On 08/20/2015 01:48 PM, David Dejaeghere wrote: Hi, I noticed that changing the authoritative nameserver in FreeIPA reflects correctly to its directory data but bind will not resolve the soa record with the updated mname details. For example I

Re: [Freeipa-users] Dns SOA MNAME not resolving from LDAP data

2015-08-20 Thread Martin Basti
://fedorahosted.org/freeipa/ticket/5241 2015-08-20 15:09 GMT+02:00 Martin Basti <mailto:mba...@redhat.com>>: On 08/20/2015 02:46 PM, David Dejaeghere wrote: confirmed working. Does this default value make any sense if this value is changeable in the UI and using the I

Re: [Freeipa-users] SOA Serial changes overnight and is inconsistent with replica

2015-09-08 Thread Martin Basti
On 09/07/2015 03:00 PM, David Dejaeghere wrote: Hello, I noticed on the couple of installs that I am running that my zones have different soa serial values on both master and replica. I also noticed that this value is changing without adding or removing a record some time during the night.

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Martin Basti
On 09/09/2015 06:32 PM, Thomas Suiter wrote: Is there an equivalent host/computer default objectclasses that there is for ipa config-mod –groupobjectclasses/--userobjectclasses ? We are wanting to add some additional attributes to all of the servers, I’m able to add the object class to ind

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti
Hi, can you check the journalctl -u named(-pkcs11) on server, they might be errors why PTR record has not been added. Do you have enabled dynamic updates for the reverse zone? Martin On 09/12/2015 10:42 PM, Youenn PIOLET wrote: Hi, I've seen the same issue recently on various clients using

Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4

2015-09-17 Thread Martin Basti
On 09/16/2015 06:30 PM, Andrey Ptashnik wrote: Alexander, Thank you for your feedback! In my environment I noticed that client machines that are on Red Hat 6 have version 3.0.0 of IPA client installed. [root@ptr-test-6 ~]# yum list installed | grep ipa ipa-client.x86_64 3.0

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Martin Basti
On 09/23/2015 07:15 PM, Janelle wrote: I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched -- User login: jtest First name: jan

Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Martin Basti
On 09/24/2015 04:43 PM, Rich Megginson wrote: On 09/24/2015 08:32 AM, Aric Wilisch wrote: I need a way to validate that both the primary and the redundant FreeIPA server’s DNS zones are in sync. What’s the simplest way for me to do this? Do a DNS query to confirm that the SOA record for the

Re: [Freeipa-users] DNS Replication Validation

2015-09-24 Thread Martin Basti
On 09/24/2015 05:02 PM, Rich Megginson wrote: On 09/24/2015 08:53 AM, Martin Basti wrote: On 09/24/2015 04:43 PM, Rich Megginson wrote: On 09/24/2015 08:32 AM, Aric Wilisch wrote: I need a way to validate that both the primary and the redundant FreeIPA server’s DNS zones are in sync

Re: [Freeipa-users] ipa upgrade failed

2015-10-01 Thread Martin Basti
On 10/01/2015 05:03 PM, Andrew E. Bruno wrote: Running CentOS 7.1.1503. Upgrading via yum update from: ipa-server.x86_64 0:4.1.0-18.el7.centos.3 --to-- ipa-server.x86_64 0:4.1.0-18.el7.centos.4 We have 3 replicates. Upgrading the first replicate (first-master) went fine. Upgr

Re: [Freeipa-users] ipa upgrade failed

2015-10-01 Thread Martin Basti
On 10/01/2015 05:28 PM, Andrew E. Bruno wrote: On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote: On 10/01/2015 05:03 PM, Andrew E. Bruno wrote: Running CentOS 7.1.1503. Upgrading via yum update from: ipa-server.x86_64 0:4.1.0-18.el7.centos.3 --to-- ipa-server.x86_64

Re: [Freeipa-users] ipa upgrade failed

2015-10-02 Thread Martin Basti
On 10/01/2015 07:50 PM, Andrew E. Bruno wrote: On Thu, Oct 01, 2015 at 05:40:34PM +0200, Martin Basti wrote: On 10/01/2015 05:28 PM, Andrew E. Bruno wrote: On Thu, Oct 01, 2015 at 05:09:23PM +0200, Martin Basti wrote: On 10/01/2015 05:03 PM, Andrew E. Bruno wrote: Running CentOS 7.1.1503

Re: [Freeipa-users] FreeIPA install

2015-10-02 Thread Martin Basti
On 10/02/2015 03:41 PM, Andrew Meyer wrote: works in chrome and not firefox, creating new FF profile. Hi, try to remove IPA certificates from firefox in ff settings Martin On Friday, October 2, 2015 3:09 AM, Martin Kosek wrote: On 10/02/2015 04:15 AM, Andrew Meyer wrote: >

Re: [Freeipa-users] CentOS 7.2 Certificate Issue with chrome

2016-06-16 Thread Martin Basti
On 16.06.2016 06:40, Outback Dingo wrote: Freshly installed IPA went to the web ui and got this in google chrome This site can’t provide a secure connection ipa3.optimcloud.com doesn't adhere to security standards. ERR_SSL_SERVER_CERT_BAD_FORMAT Hello, I was

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-17 Thread Martin Basti
On 17.06.2016 12:54, Günther J. Niederwimmer wrote: Hello List, On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote: On 16.6.2016 21:51, Lukas Slebodnik wrote: On (16/06/16 11:54), Günther J. Niederwimmer wrote: Hello on my system the ods-exporter i mean have a problem. I have th

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-06-17 Thread Martin Basti
On 17.06.2016 18:29, Günther J. Niederwimmer wrote: Hello, On Friday, 17 June 2016, 14:13:55 CEST, Martin Basti wrote: On 17.06.2016 12:54, Günther J. Niederwimmer wrote: Hello List, On Friday, 17 June 2016, 07:51:45 CEST, Petr Spacek wrote: On 16.6.2016 21:51, Lukas Slebodnik wrote

Re: [Freeipa-users] ldap entry from an plugin

2016-06-20 Thread Martin Basti
On 20.06.2016 18:12, gheorghita.butn...@tuiasi.ro wrote: Hello, I have an small plugin that adds two new fields in user details. Based on those, i need to make an new entry in directory, like i will do with ldapmodify for example ( http://pastebin.com/ZSEA64k8 ) basically every time when an u

Re: [Freeipa-users] disaster recovery

2016-06-26 Thread Martin Basti
On 26.06.2016 08:17, Robert Story wrote: Hello, I was running a single ipa instance on Centos 7 for a small lab (ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64), and the disk was corrupted. I have a (mostly) full backup (/var/log/ and /var/run/ excluded), which I restored. ipa server didn't star

Re: [Freeipa-users] CentOS 7 and FreeIPA

2016-06-29 Thread Martin Basti
On 29.06.2016 08:32, Christophe TREFOIS wrote: Hi all, I see that the package in CentOS 7 official repo is only 4.2.0. Is this the recommended version or do people generally use the COPR repository or EPEL? I am talking here about stable production release. Hello, For stable productio

Re: [Freeipa-users] CentOS 7 and FreeIPA

2016-06-29 Thread Martin Basti
ipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 29 Jun 2016, at 09:51, Martin Basti <mailto:mba...@redhat.com>> wrote: On 29.06.2016 08:32, Christophe TREFOIS wrote: Hi all, I see that the package in C

[Freeipa-users] [howto] IPA (DNS) Locations

2016-07-21 Thread Martin Basti
Hello all, I prepared howto for the new feature in IPA 4.4: https://www.freeipa.org/page/Howto/IPA_locations Feel free to report/fix any errors :-) With regards, Martin

Re: [Freeipa-users] Unable to add CA on an already configured replica

2016-07-25 Thread Martin Basti
On 22.07.2016 20:17, pgb205 wrote: Current topology: ipa-srv1<->ipa-srv2 ipa-srv1 already has CA installed but *NOT *ipa-srv2. The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3 however I am unable to create gpg rep

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti
On 24.07.2016 16:33, Anthony Clark wrote: Hello All, I have a crazy notion of storing a host's SSH private keys in a ipa vault, so that a rebuilt host can use the same keys. I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to ver

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti
certificate. Martin On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <mailto:mba...@redhat.com>> wrote: On 24.07.2016 16:33, Anthony Clark wrote: Hello All, I have a crazy notion of storing a host's SSH private keys in a ipa vault, so that a rebuilt host can use t

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
On 03.08.2016 18:38, Brad Cesarone wrote: Hello All I'm trying to figure out how the webUI populates the user page. I have a mix of posix users and non-posix users. The non-posix users were added using an LDIF and imported fine. I am able to view them using ipa user-show, ldapsearch, and if I

Re: [Freeipa-users] Declarative configuration options?

2016-08-03 Thread Martin Basti
On 01.08.2016 22:50, Mike LoSapio wrote: Hi there, Is there anyone out there with a good system for storing users, groups, hosts, etc.. in some sort of version controlled repo w/ flat files that could plug into "two-man" workflows for user-account creation and privilege/group membership change

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
, no_members=False, pkey_only=False}: SUCCESS The command outputted -- 0 users matched - Number of Entries Returned 0 -------- Thanks -Brad -Martin Basti wrote: - To: Brad Cesarone , freeipa-users@redhat.com From

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
'Standard LDAP objectclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN 'RFC 2307' ) Martin -Martin Basti wrote: - To: Brad Cesarone From: Martin Basti Date: 08/03/

Re: [Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-05 Thread Martin Basti
On 05.08.2016 05:24, pgb205 wrote: my previous setup was srv2->replica srv1->srv2 I have removed replica and set it up with the one with identical hostname. Now I have replication from srv1->replica and am trying to create another agreement from srv2=>replica but i am getting the error messag

Re: [Freeipa-users] Querying the dir srv

2016-08-05 Thread Martin Basti
On 04.08.2016 18:43, Sean Hogan wrote: Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any specific ldap viewer to view the internals? I was looking at apache dir studio I think it was... but needs java and I don't want to add java to a server that does not have it incre

Re: [Freeipa-users] freeipa 4.4 online repo is down

2016-08-08 Thread Martin Basti
On 08.08.2016 09:14, Lukas Slebodnik wrote: On (08/08/16 09:06), Ben .T.George wrote: Hi List, always https://copr.fedorainfracloud.org/ is down, is there any alternative repo where i can get IPA 4.4? Your link does not point to any specific repo? Which copr repository did you mean? LS IIR

Re: [Freeipa-users] core dump within ipa-backup

2016-08-08 Thread Martin Basti
On 07.08.2016 16:00, Harald Dunkel wrote: Hi folks, ipa-backup gives me 2 segmentation faults in the logfile (see attachment). Platform is Centos 7.2. Is this something to worry about? Every helpful comment is highly appreciated Harri Hello, this is probably issue https://fedorahosted.or

Re: [Freeipa-users] Delegated Administration in IPA

2016-08-08 Thread Martin Basti
On 08.08.2016 10:03, Deepak Dimri wrote: Hi List, I want some help here! i have 100 of linux servers and ec2 instances used by various teams/departments. I want to have group wise clubbing of these servers so that i can delegate administration access to manager of that particular group

Re: [Freeipa-users] Delegated Administration in IPA

2016-08-08 Thread Martin Basti
Please keep freeipa-users in CC On 08.08.2016 11:22, Deepak Dimri wrote: Thanks Martin, Don't i need to create subdomain for each team and then register the hosts under that domain and finally assign HBAC? HBAC rule is per host/hostgroup and it is unrelated to domain. Read doc there shoul

Re: [Freeipa-users] core dump within ipa-backup

2016-08-08 Thread Martin Basti
On 08.08.2016 13:28, Harald Dunkel wrote: Hi Martin, On 08/08/2016 09:41 AM, Martin Basti wrote: Hello, this is probably issue https://fedorahosted.org/389/ticket/48388 It was fixed, but IMO not backported to centos7.2 Martin Does it put my ipa installation at risk? Are the backups

Re: [Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Martin Basti
On 09.08.2016 10:08, Deepak Dimri wrote: Hi All, I want to extend my FreeIPA Directory Scheme - want to add a new ObjectClass and add few attributes to existing person ObjectClass. I see lot of places it is mentioned i can do it through 389-console command but i dont find it in my freeIPA s

Re: [Freeipa-users] Why is user status different on each master replica?

2016-08-10 Thread Martin Basti
On 09.08.2016 23:04, Larry Rosen wrote: This user was locked out due to Max Failure policy = 5 If they’re supposed to be replicas, why the different status? [root@il10 ~]# ipa user-status lramey --- Account disabled: False --- Server: ipa-idm-01

Re: [Freeipa-users] Declarative configuration options?

2016-08-11 Thread Martin Basti
ybe is what you need https://fedorahosted.org/freeipa/ticket/5821, but it didn't get priority. Martin On Wed, Aug 3, 2016 at 1:56 PM, Martin Basti wrote: On 01.08.2016 22:50, Mike LoSapio wrote: Hi there, Is there anyone out there with a good system for storing users, groups, hosts, e

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Martin Basti
On 23.08.2016 02:08, Matt . wrote: Hi Guys, What is the way to notify or update a Bind slave which is not an IPA server ? Do I need to manually add an also-notify to the /etc/bind.conf on the IPA master or is there a different way how to accomplish this ? I hope this is possible and anyone c

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Martin Basti
On 31.08.2016 11:49, Deepak Dimri wrote: Hi All, I am getting *ACL Syntax Error(-5) *when trying to add ACI to my freeIPA server. Any idea why i am getting this error? Maybe your ACI is incorrect? This is the error i am getting: ldap_modify: Invalid syntax (21) *additional info: A

[Freeipa-users] Announcing FreeIPA 4.4.1

2016-09-01 Thread Martin Basti
The FreeIPA team would like to announce FreeIPA v4.4.1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository. == Highlights in 4.4.1 == =

Re: [Freeipa-users] General query regarding nameserver enrtry

2016-09-05 Thread Martin Basti
On 02.09.2016 20:06, Deepak Dimri wrote: Hi All, My ipa-client-install fails until etc/resolve.conf gets updated with IPA nameserver entry. I want to avoid a task of updating resolve.conf in my automation script. Is there a way i can get my IPA client installation successful without upd

Re: [Freeipa-users] Error by creating a services

2016-09-05 Thread Martin Basti
On 05.09.2016 16:53, Günther J. Niederwimmer wrote: Hello, CentOs 7.2 FreeIPA: 4.2.0-15 Why is this Error only on one Server ? Hello, probably you have something DNS related misconfigured on that particular server. Can you resolve hostname manually from server? (host, dig A commands) Ma

Re: [Freeipa-users] General query regarding nameserver enrtry

2016-09-12 Thread Martin Basti
On 08.09.2016 06:49, Deepak Dimri wrote: Thanks Martin for your reply. It would be cool if i can have IPA client to resolve IPA server without specifying nameserver in resolv.conf How do i configure zone delegation? is there any document i can refer? http://www.zytrax.com/books/dns/ch9/de

Re: [Freeipa-users] Disable DNS checks using ipa-server-intall with FreeIPA 4.3.2 on Fedora 24?

2016-09-12 Thread Martin Basti
On 11.09.2016 20:15, Richard Harmonson wrote: Is there an option to disable the various DNS checks using ipa-server-install with FreeIPA 4.3.2? Are there plans to provide the option in future releases? Reviewing the ipa-server-install man page, I am not seeing it. I want to compliment the

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
On 14.09.2016 17:59, bahan w wrote: Hello ! I send you this mail because I cannot restart my test IPA server. When I try to start it with service ipa start, I got the following error message : ### # service ipa start Starting Directory Service Starting dirsrv: ...[14/Sep/2016:17:57:23 +

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
el6.x86_64 ### When I try the command you gave me I got the following error : ### # ipactl start --force Usage: ipactl start|stop|restart|status ipactl: error: no such option: --force ### Best regards. Bahan On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mailto:mba...@redhat.com>>

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Please keep freeipa-users in CC, there is no sensitive information in getcert list output (you sanitized it) Following certificates are expired, please try to resubmit them. I'm also worried about this error message: ca-error: Error setting up ccache for local "host" service using default

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O= subject: CN=,O= expires: 2016-05-28 06:39:52 UTC eku: id-kp-serverAuth,id-kp-clientAuth

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Ce

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Martin Basti
On 15.09.2016 11:29, Natxo Asenjo wrote: hi, one of our master servers has a problem with its certificates: # getcert list Number of certificates and requests being tracked: 8. Request ID '20121107212513': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 90

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Martin Basti
On 15.09.2016 12:44, Natxo Asenjo wrote: hi, On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti <mailto:mba...@redhat.com>> wrote: Hello, usually the most information can be found here /var/log/pki/pki-tomcat/ca/debug mmm, in this centos 6.8 system that does not exist:

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Martin Basti
On 16.09.2016 09:38, Natxo Asenjo wrote: hi, On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo <mailto:natxo.ase...@gmail.com> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti mailto:mba...@redhat.com>> wrote: On 15.09.2016 12:44, Natxo Asenjo wrote: hi,
