Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Martin Kosek
On Fri, 2011-03-25 at 20:13 +0100, Sigbjorn Lie wrote: Hi, Using --gidnumber when adding a new user with ipa user-add does not seem to have any effect. A gid number with the same value as what I specify with the --uid parameter is chosen. I presume this is not the way user-add is

Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Martin Kosek
On Mon, 2011-03-28 at 23:45 +, Steven Jones wrote: Just tried to make a replica and the install failed with, [4/11]: configuring certificate server instance root: CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Martin Kosek
On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote: Trying to set up a fed14 client and since DNS is on the AD server (dc0002) there is no dns_discovery so as per doc I ran the install and it should ask me for the info but it fails with, Complete! [root@fed14-64-cli01

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Martin Kosek
On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote: On 2011-03-29, at 10:20, Martin Kosek wrote: On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote: What is a content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record

Re: [Freeipa-users] failure to un-install FreeIPA

2011-05-10 Thread Martin Kosek
On Tue, 2011-05-10 at 03:58 +, Steven Jones wrote: I am trying to un-install freeipa with ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed! oops. Is there a way to force the script to check and remove everything?

Re: [Freeipa-users] disable account behavior

2011-06-09 Thread Martin Kosek
On Wed, 2011-06-08 at 17:55 -0700, Stephen Ingram wrote: I've disabled an account in FreeIPA using the UI and I don't see any changes in the directory. Are there supposed to be changes there or is this something that is accomplished in Kerberos? I was hoping to be able to search the directory

Re: [Freeipa-users] kinit working, but ipa-client-install not (client not found)

2011-06-24 Thread Martin Kosek
On Fri, 2011-06-24 at 10:28 +0200, Pieter Baele wrote: On Thu, Jun 23, 2011 at 19:59, Rob Crittenden rcrit...@redhat.com wrote: Pieter Baele wrote: My new freeipa installation is working (server + kinit on a host where I configured krb5.conf manually) but ipa-client-install gives the

Re: [Freeipa-users] setting user logins by hand

2011-10-12 Thread Martin Kosek
On Tue, 2011-10-11 at 22:10 +, Steven Jones wrote: Hi, Looks like the IPA server on RHEL6.2beta is setting user logins, I need this to be a manually editable field so I can follow company policy So at the moment adding steven jones works out as sjones when I need jonesst1 set by

Re: [Freeipa-users] ipa: ERROR: Auto Membership is not configured

2011-10-17 Thread Martin Kosek
On Sun, 2011-10-16 at 22:55 +0200, Sigbjorn Lie wrote: Hi, When I attempt to create an automember rule, I get an error message ipa: ERROR: Auto Membership is not configured. [root@ipa01 ~]# ipa automember-add --type=group s_serviceaccounts ipa: ERROR: Auto Membership is not configured

Re: [Freeipa-users] FreeIPA's 'DNS'

2011-11-23 Thread Martin Kosek
On Mon, 2011-11-21 at 11:50 -0500, Dmitri Pal wrote: On 11/21/2011 05:29 AM, Sigbjorn Lie wrote: Hi, Why not use a forwarders statement in the named.conf? Works for me. zone 11.168.192.in-addr.arpa. in { type forward; forwarders { 192.168.1.1; 192.168.1.2; }; };

[Freeipa-users] Optionistic approach for new DNS API

2011-12-14 Thread Martin Kosek
Hello all, we just had a good discussion with Rob and Endi about a different approach to the new DNS API. Current DNS API proposal (patches 174-176) introduced new API based on different commands, e.g. for MX RR type: ipa dnsrecord-mx-add ZONE NAME --preference=0 --exchanger=server1.example.com.

Re: [Freeipa-users] automatic dns update failing

2012-02-20 Thread Martin Kosek
On Mon, 2012-02-20 at 17:08 +0100, Marco Pizzoli wrote: On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek mko...@redhat.com wrote: On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote: Hi, During my setup today I'm always failing in enrolling

Re: [Freeipa-users] Bug in documentation or in CLI tools?

2012-02-23 Thread Martin Kosek
On Wed, 2012-02-22 at 22:07 +0100, Marco Pizzoli wrote: Hi guys, in a previous question about FreeIPA 2.1.90 I submitted to you, I received from Martin the answer to use the command: ipa dnszone-mod my_zone --dynamic-update=TRUE other_parameters I used it and I successfully achieved my

Re: [Freeipa-users] 2.1.90 rc1 testing on F17 alpha

2012-03-13 Thread Martin Kosek
, Mar 12, 2012 at 7:19 AM, Rich Megginsonrmegg...@redhat.com wrote: On 03/12/2012 01:34 AM, Martin Kosek wrote: On Sun, 2012-03-11 at 17:55 -0400, Dmitri Pal wrote: On 03/11/2012 04:22 PM, Stephen Ingram wrote: Now I've made it to the WebUI. Login works great (also via the new form auth

Re: [Freeipa-users] Role Required for Web Portal Access

2012-03-15 Thread Martin Kosek
On Thu, 2012-03-15 at 03:57 -0400, Tim Hildred wrote: Hey all; I am preparing to use IPA as the Directory Server for my RHEV installation. Formerly in RHEV, you could change users passwords using the RHEV User Portal itself. With RHEV 3.0, this is no longer possible. Instead, users need to be

Re: [Freeipa-users] [Freeipa-devel] FreeIPA beta1: SELinux prohibits memcached

2012-03-20 Thread Martin Kosek
On Tue, 2012-03-20 at 12:44 +0100, Marco Pizzoli wrote: Hi guys, I don't know if you already know this, but in my logs I can find this: Mar 20 12:14:47 freeipa01 setroubleshoot: SELinux is preventing /usr/bin/memcached from create access on the sock_file ipa_memcached. For complete

Re: [Freeipa-users] [Freeipa-devel] FreeIPA beta1: SELinux prohibits memcached

2012-03-20 Thread Martin Kosek
On Tue, 2012-03-20 at 13:14 +0100, Marco Pizzoli wrote: Hi Martin, On Tue, Mar 20, 2012 at 1:02 PM, Martin Kosek mko...@redhat.com wrote: On Tue, 2012-03-20 at 12:44 +0100, Marco Pizzoli wrote: Hi guys, I don't know if you already know this, but in my logs I can

Re: [Freeipa-users] Error during ipa-replica-install

2012-03-22 Thread Martin Kosek
Hello Marco, judging from the output you sent, it looks like you had an installed replica on freeipa03, then stopped it with ipactl stop and after that tried to run ipa-replica-install again - krb5.conf and /var/log/messages you sent would support this theory. IPA replica agreement should be

Re: [Freeipa-users] Error during ipa-replica-install

2012-03-26 Thread Martin Kosek
On Sun, 2012-03-25 at 15:55 +0200, Marco Pizzoli wrote: Hi Martin, On Thu, Mar 22, 2012 at 11:50 AM, Martin Kosek mko...@redhat.com wrote: Hello Marco, judging from the output you sent, it looks like you had an installed replica on freeipa03

Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working

2012-03-27 Thread Martin Kosek
On Tue, 2012-03-27 at 01:15 +, Steven Jones wrote: Hi, I just started adding hosts/clients but DNS isn't being updated for the client(s). Screenshot of error is attached Hello Steven, there is something wrong with your host keytab. As written in the output, ipa-client-install

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote: On 05/01/2012 06:15 PM, Steven Jones wrote: So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the

Re: [Freeipa-users] RHEL6.3 documentation error...

2012-05-24 Thread Martin Kosek
Hi Steven, thanks for reporting this, I created a Bugzilla for the doc: https://bugzilla.redhat.com/show_bug.cgi?id=824768 Martin On Thu, 2012-05-24 at 04:26 +, Steven Jones wrote: Hi, Page 381 section 18.7.2 says, ipa replica-manage connect srv2.example.com srv4.example.com when

Re: [Freeipa-users] two way changes

2012-05-24 Thread Martin Kosek
On Thu, 2012-05-24 at 05:50 +, Steven Jones wrote: Hi, Just wondering but I thought that whether I did changes on the original master, or on the replica that changes would flow to the other both ways? or do changes only flow original master to replica? Since we use multi-master

Re: [Freeipa-users] ipa ports

2012-05-24 Thread Martin Kosek
On Wed, 2012-05-23 at 19:27 -0400, Dmitri Pal wrote: On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote: We have quite strict firewalls, so I need to specify the IPA network ports accurately. So, we have now opening for: 80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp 88/udp,

Re: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab

2012-05-29 Thread Martin Kosek
On Mon, 2012-05-28 at 10:21 +0400, free...@noboost.org wrote: Hi All, This one has me stumped! For some reason my Centos 5.8 x64 Linux server hangs during ipa-client-install Server: * ipa-admintools-2.1.3-9.el6.x86_64 * ipa-client-2.1.3-9.el6.x86_64 *

Re: [Freeipa-users] ipa-client-install hangs on ipa-getkeytab - Fixed!!

2012-05-29 Thread Martin Kosek
On Wed, 2012-05-30 at 08:02 +0400, free...@noboost.org wrote: On Tue, May 29, 2012 at 09:00:43AM +0200, Martin Kosek wrote: On Mon, 2012-05-28 at 10:21 +0400, free...@noboost.org wrote: Hi All, This one has me stumped! For some reason my Centos 5.8 x64 Linux server hangs during

Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

2012-06-04 Thread Martin Kosek
On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote: Hi: I am a newbie that is trying out FreeIPA for the first time. So far I am extremely impressed with this system but I ran into a problem that I need some help with. I am trying to figure out how to HBAC to restrict a set of users

Re: [Freeipa-users] Converting a user group to a non-posix group

2012-06-11 Thread Martin Kosek
On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote: Hi, Is there a supported method for converting a posix user group to a non-posix user group? Regards, Siggi I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you

Re: [Freeipa-users] Converting a user group to a non-posix group

2012-06-11 Thread Martin Kosek
On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote: On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote: On Mon, June 11, 2012 12:21, Martin Kosek wrote: On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote: Hi, Is there a supported method for converting a posix user group

Re: [Freeipa-users] IPA replica install A CA is already configured on this system.

2012-06-26 Thread Martin Kosek
On 06/25/2012 11:37 PM, Dan Scott wrote: Hi, I'm trying to install a new Fedora 17 replica of my existing Fedora 16 FreeIPA servers as part of my migration process. I first attempted the installation using an old replica file, but ran into some issues so I uninstalled and generated a new

Re: [Freeipa-users] What is the best way to make batch changes to the LDAP?

2012-06-27 Thread Martin Kosek
On 06/27/2012 01:56 AM, Joe Linoff wrote: Hi Everybody: Here is a python approach that I am experimenting with based on reading the source code. It seems to work but it is re-entrant? Does this make sense? Is there a better way (like ldapmodify)? #!/usr/bin/env python # #

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-28 Thread Martin Kosek
On 06/28/2012 03:34 AM, Joe Linoff wrote: Hi Everybody: I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests have been doing something like this: #!/bin/bash # Script to create a new user. ipa user-add bigbob

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: Hi Petr: I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with. ISSUE #1 The first issue (and the most important) is that the password is only temporary. I

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
-Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Friday, June 29, 2012 12:31 AM To: Martin Kosek Cc: Joe Linoff; freeipa-users@redhat.com Subject: Re: [Freeipa-users] How can I change my password from a python script? On Fri, 29 Jun 2012, Martin Kosek wrote

Re: [Freeipa-users] Sudo documentation correction (sudo 1.7.4p-5 update breaks working configuration)

2012-07-11 Thread Martin Kosek
On 07/11/2012 12:02 PM, James Hogarth wrote: Hi all, Having just spent an hour debugging this during my centos6.2 to centos6.3 updates here's a heads up for others and a correction to the documentation at docs.redhat.com The update to sudo mentioned changed sudo to use

Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed

2012-07-30 Thread Martin Kosek
On 07/30/2012 02:57 PM, Simo Sorce wrote: On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote: Hi Simo, Thanks for your reply. Yes the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues. I have also noticed that the command

Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed

2012-07-30 Thread Martin Kosek
On 07/30/2012 03:21 PM, John Blaut wrote: Hi I am following the same issue with Robert. In /etc/dirsrv/slapd-DOMAIN/schema/99user.ldif we can see that these new attributes have been added. Hello John, I assume that the new attributes were not added to the MAY list in idnsZone

Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-31 Thread Martin Kosek
On 07/30/2012 05:00 PM, george he wrote: Hello all, I'm trying to change the krb ticket life time for myself, so I used ipa krbtpolicy-mod MYUSERNAME --maxlife 36 but then after I do kinit, my new ticket is still going to expire after 24 hours, which is the default ticket life, even

Re: [Freeipa-users] resetting an admin account.

2012-07-31 Thread Martin Kosek
On 07/27/2012 12:48 AM, Steven Jones wrote: I have tried to reset my admin password (admjonesst1) using the admin account to a temp password, So I run a kinit admjonesst1 to reset it to a perm one and I get, [jonesst1@8kxl72s ~]$ kinit admjonesst1 Password for

Re: [Freeipa-users] ip changed

2012-08-30 Thread Martin Kosek
On 08/30/2012 05:38 AM, george he wrote: Hello all, I have free-ipa set up on my lab machines all running Fedora 17. Today the lab was moved to another building on campus and the IPs have to be changed. Now that the IPs are changed, I cannot even run kinit on the ipa-server. The error

Re: [Freeipa-users] Migrate from SunONE DS5.2 - UnicodeDecodeError

2012-09-20 Thread Martin Kosek
On 09/20/2012 02:55 PM, Rob Crittenden wrote: Pieter Baele wrote: Hi, I have a known problem when using the migration tool. Is there already a solution for this? As in: https://www.redhat.com/archives/freeipa-users/2012-January/msg00200.html ipa migrate-ds ldap://x.x.x.x:389

Re: [Freeipa-users] ipa host-add having both an IPv4 and an IPv6 address

2012-09-21 Thread Martin Kosek
On 09/20/2012 10:35 PM, Sigbjorn Lie wrote: Hi, I see that I can add hosts with either an IPv4 or an IPv6 address when using ipa host-add --ip-address=. Is there a way to add a host specifying both an IPv4 and an IPv6 address at the same time? Adding the --ip-address option twice

Re: [Freeipa-users] Do we need ipa-client-update script?

2012-09-24 Thread Martin Kosek
On 09/22/2012 01:22 AM, Sigbjorn Lie wrote: On 09/21/2012 10:45 AM, Petr Spacek wrote: Hello users, we have a question for client machine administrators: On 09/21/2012 10:12 AM, Martin Kosek wrote: snip ..., that it may be useful to implement a script like ipa-client-update which would

Re: [Freeipa-users] sudden ipa errors.

2012-09-24 Thread Martin Kosek
Hello Nathan, you can file the bug on Red Hat Bugzilla (bugzilla.redhat.com), you can use this link: https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206 Thanks in advance! Martin On 09/21/2012 05:53 PM, Nathan Lager wrote: Sure thing, can you point me to where

Re: [Freeipa-users] confusing users

2012-10-09 Thread Martin Kosek
On 10/09/2012 12:59 AM, Steven Jones wrote: Hi, When a user logs in for the first time and they have to set a new password, if it doesn't meet the password standard/policy it fails with an authentication token manipulation error is it possible to get that changed so it says password does not

Re: [Freeipa-users] confusing users

2012-10-10 Thread Martin Kosek
From: Martin Kosek [mko...@redhat.com] Sent: Tuesday, 9 October 2012 7:54 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] confusing users On 10/09/2012 12:59 AM, Steven Jones wrote: Hi, When a user logs in for the first time and they have to set a new

Re: [Freeipa-users] Announcing FreeIPA v3.0.0 Release

2012-10-15 Thread Martin Kosek
On 10/12/2012 08:06 PM, Rob Crittenden wrote: The FreeIPA team is proud to announce version FreeIPA v3.0.0. It can be downloaded from http://www.freeipa.org/Downloads. Correction: FreeIPA 3.0.0 can be downloaded from http://www.freeipa.org/page/Downloads Martin

Re: [Freeipa-users] Failed installation

2012-10-18 Thread Martin Kosek
Hello Bret, This may be a long shot, but when I sometimes hit this kind of errors when CA installation crashed and there is still some remaining CA configuration (in /var/lib/pki-ca). I usually fix this with standard ipa-server-install --uninstall -U and then running this command:

Re: [Freeipa-users] Failed installation

2012-10-18 Thread Martin Kosek
On 10/18/2012 01:23 PM, Bret Wortman wrote: Tomcat is definitely not running and there's no log in /var/log/pki-ca. SELinux is disabled and not running. The same RPMs are installed on both my functioning and nonfunctioning system, at least as far as # rpm -qa | grep tomcat | sort revealed.

Re: [Freeipa-users] DNS forwarding problem

2012-10-23 Thread Martin Kosek
On 10/22/2012 08:28 PM, Fred van Zwieten wrote: Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com You

[Freeipa-users] Announcing FreeIPA v2.2.1 Release

2012-10-23 Thread Martin Kosek
permission. Jan Cholasta (1): * SSH configuration fixes. Martin Kosek (1): * Become IPA 2.2.1 Petr Viktorin (2): * replica-install: Don't copy Firefox config extension files if they're not in the replica file * Create Firefox extension on upgrade and replica-install Petr Vobornik (8

Re: [Freeipa-users] DNS / Allow PTR sync

2012-11-06 Thread Martin Kosek
On 11/06/2012 10:38 AM, Petr Spacek wrote: Hello Mike, are you talking about IPA WebUI or CLI or DNS dynamic update mechanism? On which distribution and IPA version? On 11/05/2012 10:35 PM, Michael Mercier wrote: Hello, A couple of questions regarding DNS / Allow PTR sync. 1. If you

Re: [Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

2012-11-13 Thread Martin Kosek
On 11/12/2012 05:44 PM, Anthony Messina wrote: On Monday, November 12, 2012 09:51:14 AM Anthony Messina wrote: On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote: I also find that when I do a manual ldapsearch for the non-upgraded clients as follows: ldapsearch -x -D

Re: [Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

2012-11-14 Thread Martin Kosek
On 11/13/2012 02:01 PM, Martin Kosek wrote: On 11/12/2012 05:44 PM, Anthony Messina wrote: On Monday, November 12, 2012 09:51:14 AM Anthony Messina wrote: On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote: I also find that when I do a manual ldapsearch for the non-upgraded

Re: [Freeipa-users] adding group fails with Type or value exists

2012-11-16 Thread Martin Kosek
On 11/16/2012 12:48 AM, Qing Chang wrote: On 15/11/2012 6:10 PM, John Dennis wrote: On 11/15/2012 04:21 PM, Qing Chang wrote: Adding group produces error message Type or value exists and fails. As shown below, I tried a few different group name to ensure that there is no duplicates:

Re: [Freeipa-users] Problem adding DNS Zones

2012-11-16 Thread Martin Kosek
On 11/16/2012 04:11 PM, Bret Wortman wrote: Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here? # ipa dnszone-add 0.pool.ntp.org

Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Martin Kosek
On 12/11/2012 05:25 PM, Dmitri Pal wrote: On 12/11/2012 10:53 AM, Bret Wortman wrote: My replica install fails to create a DS instance: : [2/30]: creating directory server instance ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent

Re: [Freeipa-users] sudo made a bit easier to configure

2012-12-21 Thread Martin Kosek
On 12/20/2012 04:43 PM, Han Boetes wrote: Hi, I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds is disabled. TLS_CACERT /etc/ipa/ca.crt TLS_REQCERT demand SASL_MECH GSSAPI BASE dc=domain,dc=com URI ldap://auth-ipa.domain.com

Re: [Freeipa-users] backup create restore

2012-12-21 Thread Martin Kosek
On 12/21/2012 01:07 PM, Артур Файзуллин wrote: HI! What about adding this functionality to IPA-server: create backup # ipa backup-create --create --output-file=pathtofile restore from backup # ipa-server-install --restore-from-backup=pathtofile I think this feature will be very useful :)

Re: [Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?

2012-12-21 Thread Martin Kosek
Hello David, FreeIPA 3.1 requires several major dependencies that are not available in RHEL 6.x versions - the most notable ones are PKI-CA of version 10.0 and 389-ds-base of version 1.3.0 which introduced transaction support. I think the easiest way to get version 3.1 would be to wait for

Re: [Freeipa-users] two questions on IPA usage

2012-12-21 Thread Martin Kosek
On 12/20/2012 12:34 AM, David Copperfield wrote: Hi Howdy, Two questions on IPA usage are listed below. Please help. 1, How to reset a normal IPA user's password through web interface when the password is expired? when the normal user's password is close to expiration but still not

Re: [Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV

2012-12-21 Thread Martin Kosek
On 12/19/2012 11:24 PM, David Copperfield wrote: Hi howdy, This is trying to confirm whether we still need to perform the steps of cleaning RUV records, when a freeIPA master, or a replica is removed. Months back it was rumored that some work was being done on underlying 389 LDAP and the RNV

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-09 Thread Martin Kosek
On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote: On 01/08/13 12:45, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straigh

Re: [Freeipa-users] how do i apply patch?

2013-01-09 Thread Martin Kosek
On 01/09/2013 04:39 PM, Petr Vobornik wrote: On 01/09/2013 03:27 PM, Umarzuki Mochlis wrote: i'm interested on patch https://fedorahosted.org/freeipa/changeset/1eab43d29244f6e0b8d6f3146317624715d84af7/ so i can have user to be able to reset own password do i manually edit each listed files or

Re: [Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-14 Thread Martin Kosek
On 01/14/2013 09:09 AM, Petr Viktorin wrote: On 01/11/2013 09:57 PM, John Dennis wrote: On 01/11/2013 03:52 PM, Dmitri Pal wrote: On 01/11/2013 03:27 PM, John Dennis wrote: On 01/11/2013 03:10 PM, Dmitri Pal wrote: On 01/10/2013 11:00 AM, John Dennis wrote: On 01/10/2013 08:15 AM, Petr

Re: [Freeipa-users] DNS chages made from the WebUI take a long time to be recognized.

2013-01-15 Thread Martin Kosek
On 01/15/2013 05:29 AM, Tim Hildred wrote: Should it take several hours for me to be able to ping a host at its new IP address when I update the DNS record in the WebUI? I deleted the old records (A and PTR), and added new records for the same FQDN, with a different IP address. But I can't

Re: [Freeipa-users] Account Expiration

2013-01-28 Thread Martin Kosek
On 01/28/2013 12:14 PM, James James wrote: Hi, in 389-ds there is a nice plugin I love, it's account policy. You can set account expiration date and the account will be inactive at this day. http://directory.fedoraproject.org/wiki/Account_Policy_Design#Detailed_Design_of_Account_Expiration

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Martin Kosek
On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote: On 01/29/2013 07:49 PM, Dmitri Pal wrote: On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote: Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone), and after using the `ipa-replica-install` script to configure the replica server, the

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Martin Kosek
On 01/30/2013 03:16 PM, Patrick Hemmer wrote: On 2013/30/01 03:33, Martin Kosek wrote: On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote: On 01/29/2013 07:49 PM, Dmitri Pal wrote: On 01/29/2013 07:26 PM, free...@stormcloud9.net wrote: Using ipa-server 2.2.0-17 on Amazon linux (RHEL6 clone

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Martin Kosek
On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote: On 2013/30/01 09:19, Martin Kosek wrote: On 01/30/2013 03:16 PM, Patrick Hemmer wrote: On 2013/30/01 03:33, Martin Kosek wrote: On 01/30/2013 02:05 AM, free...@stormcloud9.net wrote: On 01/29/2013 07:49 PM, Dmitri Pal wrote: On 01/29

Re: [Freeipa-users] CRITICAL Failed to load upload-cacert.ldif

2013-02-04 Thread Martin Kosek
On 02/04/2013 11:31 AM, Jorick Astrego wrote: Hi, Running the installer of the latest stable on a fresh Fedora 18, I get the following error during install: [30/36]: Upload CA cert to the directory ipa : CRITICAL Failed to load upload-cacert.ldif: Command '/usr/bin/ldapmodify

Re: [Freeipa-users] Account Expiration

2013-02-06 Thread Martin Kosek
On 02/07/2013 08:31 AM, James James wrote: Thanks Rob. I have one more question. Is it possible to add a field in the ui, and get the field's value in a custom add user hook script ? James I know that Petr Vobornik is already working in better extensibility of the UI, but that would be

Re: [Freeipa-users] User Migrated from LDAP not able to change the password

2013-02-07 Thread Martin Kosek
On 02/08/2013 07:43 AM, Rajnesh Kumar Siwal wrote: We migrated the users from openldap to IPA. We are getting the following error after the User has been migrated (after he changes the password through https://ipa1/ipa/migration/) and he tries to change passwd :- Account is not locked and

Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Martin Kosek
On 02/07/2013 08:46 PM, Steven Jones wrote: Hi, I have had little to do with permissions until now so bear with me if the Qs are obviously stupid, probably not really IPA but a linux blind spot I have, anyway, So I have a service account with its group this runs a database. So

Re: [Freeipa-users] Fedora 17 ipa.service fails to load with ipa.service failed to load. No such file or directory.

2013-02-11 Thread Martin Kosek
On 02/10/2013 08:15 AM, bin.e...@gmail.com wrote: Here is what I did: Install Fedora 17 XFCE spin. yum upgrade yum install freeipa-client enroll machine (it enrolls just fine) However, when I reboot the machine, I find the ipa.service isn't running. So I manually try to start it:

[Freeipa-users] Announcing FreeIPA 2.2.2

2013-02-13 Thread Martin Kosek
certificate to LDAP Jan Cholasta (1): * Pylint cleanup John Dennis (1): * Use secure method to acquire IPA CA certificate Martin Kosek (3): * Run index task for new indexes * Filter suffix in replication management tools * Become IPA 2.2.2 Rob Crittenden (1): * Do SSL CA verification and hostname

Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Martin Kosek
On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote: IPA is going to be very critical Server for any environment. Do we have proper logging of who as locked whom, Who has created a sudo policy, who has allowed access to whom etc ? Hello Rajnesh, the audit component of IPA collecting and

Re: [Freeipa-users] Use of LOCAL clock in ntpd configuration

2013-02-18 Thread Martin Kosek
On 02/15/2013 07:23 PM, Chuck Lever wrote: ... (I also note that ipa-client-install does not disable chronyd, but I've only tried the client install script on Fedora 16). Hello Chuck, I would just like to comment that we address chronyd/ntpd in FreeIPA in Fedora 18. We do check if chronyd

Re: [Freeipa-users] ipa: ERROR: attribute 'idnsAllowTransfer' not allowed

2013-02-26 Thread Martin Kosek
On 02/25/2013 03:38 PM, Sigbjorn Lie wrote: On Mon, February 25, 2013 12:59, Christian Horn wrote: Hi, On Mon, Feb 25, 2013 at 09:46:49AM +0100, Sigbjorn Lie wrote: $ ipa dnszone-add example.com --name-server=ns01.example.com --admin-email=hostmaster.example.com ipa: ERROR: attribute

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
On 02/26/2013 09:01 AM, Umarzuki Mochlis wrote: hi, on tried to create a free-ipa replica on fedora 18 with freeipa-server-3.1.2-1.fc18.x86_64 below is last few lines of /var/log/ipareplica-install.log 2013-02-25T16:16:33Z DEBUG retrieving schema for SchemaCache

Re: [Freeipa-users] Password expiry when account provisioned/updated via JSON RPC

2013-02-26 Thread Martin Kosek
On 02/25/2013 04:38 PM, Brian Smith wrote: It seems that regardless of the global password expiry setting, that setting a password via the methods user-add passwd i will always have a password that expires in 90 days. I followed the instructions here

Re: [Freeipa-users] ipa-replica-install command failed

2013-02-26 Thread Martin Kosek
on the current Fedora 18 389-ds-base version (389-ds-base-0:1.3.0.2-1.fc18) Thanks, Martin On 02/26/2013 09:36 AM, Umarzuki Mochlis wrote: 2013/2/26 Martin Kosek mko...@redhat.com: Hi Martin, I found below on errors file [26/Feb/2013:00:16:14 +0800] - 389-Directory/1.3.0.3 B2013.045.10 starting up

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 04:29 PM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21/2013 09:40 AM, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 02/21/2013 09:34 AM, Rob

Re: [Freeipa-users] Upgrading to 6.4 - additional information

2013-02-26 Thread Martin Kosek
On 02/26/2013 06:10 PM, Erinn Looney-Triggs wrote: On 02/26/2013 12:08 PM, Martin Kosek wrote: On 02/26/2013 06:05 PM, Erinn Looney-Triggs wrote: On 02/26/2013 10:29 AM, Dmitri Pal wrote: On 02/21/2013 12:31 PM, Dmitri Pal wrote: On 02/21/2013 11:44 AM, Erinn Looney-Triggs wrote: On 02/21

Re: [Freeipa-users] Non-Prod instance

2013-02-27 Thread Martin Kosek
The main purpose of this isolation is that your production clients for example do not autodiscover testing IPA instance via DNS SRV records and do not use it instead of the production instance. Martin On 02/26/2013 09:43 PM, Guy Matz wrote: Thanks! Is it a matter of isolating the networks? Or

Re: [Freeipa-users] What does the u mean in IPA messages?

2013-02-28 Thread Martin Kosek
On 02/28/2013 11:34 PM, KodaK wrote: On Thu, Feb 28, 2013 at 3:27 PM, John Dennis jden...@redhat.com wrote: On 02/28/2013 04:18 PM, KodaK wrote: When performing an operation with the IPA tools, I get a message every time similar to this: ipa: INFO: Forwarding 'hbactest' to server

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread Martin Kosek
On 03/05/2013 04:21 PM, David Fitzgerald wrote: Hello everyone, I have been running a freeIPA server on Scientific Linux 6.2 for about a year. Yesterday I started not being able to run any ipa- commands. Running kinit admin gives me the proper tickets, but when I run any ipa-

Re: [Freeipa-users] RFE: default hbac is too open

2013-03-06 Thread Martin Kosek
On 03/05/2013 10:13 PM, Matthew Barr wrote: On Mar 5, 2013, at 9:15 AM, Rob Crittenden rcrit...@redhat.com wrote: Артур Файзуллин wrote: What rule must be present for replica to work? :) (in order to remove allow-all rule) I mean may be there is somewhere a guide to write rules for strict

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-06 Thread Martin Kosek
the correct name: #host 166.66.65.39 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu. -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, March 05, 2013 10:26 AM To: David Fitzgerald Cc: freeipa-users@redhat.com Subject: Re

Re: [Freeipa-users] Can I change an IPA client's IPA without re-enrolling it?

2013-03-06 Thread Martin Kosek
On 03/06/2013 11:08 PM, Kanwar Ranbir Sandhu wrote: On Wed, 2013-03-06 at 16:50 -0500, Rob Crittenden wrote: A re-install should not be necessary. Just be sure that forward and reverse name resolution works after making the change (something we test for during install). Thanks. I'll give

Re: [Freeipa-users] Preparing for domain trust breaks IPA services, RHEL 6.4 IPA 3.0

2013-03-07 Thread Martin Kosek
On 03/07/2013 10:26 AM, Dale Macartney wrote: Hi all I've been trying to document the domain trust process for the past two days and I am seeing the same results no matter the configuration. Basically I have nuked and rebuilt my environment several times and all yields the same

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread Martin Kosek
log gives this: Fri Mar 08 11:52:48 2013] [error] ipa: ERROR: 500 Internal Server Error: xmlserver.__call__: KRB5CCNAME not defined in HTTP request environment. I have no idea what that means. Can you help? -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent

Re: [Freeipa-users] check host password age

2013-03-13 Thread Martin Kosek
On 03/13/2013 09:55 AM, Petr Spacek wrote: On 12.3.2013 14:41, Stijn De Weirdt wrote: ... i guess the timestamps are somewhere in the ldap schema, i would like to know where or how i can find them. and if possible, how to do that using the ipalib python api. btw, is it correct for me to

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Martin Kosek
On 03/13/2013 11:02 PM, Natxo Asenjo wrote: On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney d...@themacartneyclan.com wrote: I've just deployed a RHEL 6.4 proxy and the guide is still accurate and works.. however I agree a config file would be a better place for the options. Both work at the

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Martin Kosek
On 03/14/2013 09:41 AM, Dale Macartney wrote: On 03/14/2013 08:11 AM, Dale Macartney wrote: On 03/14/2013 08:07 AM, Martin Kosek wrote: On 03/13/2013 11:02 PM, Natxo Asenjo wrote: ... Dale, do you plan to update the howto on FreeIPA wiki to fix the configuration section? If not, I can try

Re: [Freeipa-users] Replica installation failing

2013-03-19 Thread Martin Kosek
On 03/19/2013 01:12 PM, Bret Wortman wrote: Preparation of the replica data file went without a hitch, but on installation: # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com --skip-conncheck Directory Manager

Re: [Freeipa-users] Replica installation failing

2013-03-19 Thread Martin Kosek
On Tue, Mar 19, 2013 at 8:48 AM, Martin Kosek mko...@redhat.com wrote: Ok. This looks like dirsrv errors from the master machine. Are there also any interesting errors on the replica machine? Martin On 03/19

Re: [Freeipa-users] getattr cli option?

2013-03-21 Thread Martin Kosek
On 03/21/2013 06:59 AM, Brian Cook wrote: Is there something equivalent to 'getattr' for ipa host-mod? I see setattr, addattr and delattr but to get attributes you have to do host-show --all. There is no way to ask for one specific attribute? Thanks, Brian No, I am afraid there is

Re: [Freeipa-users] sudo / sssd integration problems

2013-03-22 Thread Martin Kosek
We already have a bug filed: https://bugzilla.redhat.com/show_bug.cgi?id=924395 This should be fixed along with ticket adding sudo configuration support to ipa-client-install: https://fedorahosted.org/freeipa/ticket/3358 Martin On 03/22/2013 07:13 AM, Brian Cook wrote: no problem, thanks for
