[Freeipa-users] FreeIPA Windows AD Replication

2012-05-22 Thread Matt
] There are no messages that relate to the connection in event viewer and nothing other then [-11 - System error] in any of the freeIPA log files. Thanks Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa

Re: [Freeipa-users] FreeIPA Windows AD Replication

2012-05-28 Thread Matt
Hi, Any ideas on where to look for more information? I have been unable to make any progress on this. Thanks On 22/05/2012 10:18, Matt wrote: Hi, I am attempting to run replication between Windows AD (2008R2) and a FreeIPA (2.2.0) server (fc-17) in a test setup. I have bound FreeIPA

Re: [Freeipa-users] FreeIPA Windows AD Replication

2012-05-30 Thread Matt
On 29/05/2012 23:15, Rob Crittenden wrote: Rob Crittenden wrote: Matt wrote: Hi, Any ideas on where to look for more information? I have been unable to make any progress on this. Thanks On 22/05/2012 10:18, Matt wrote: Hi, I am attempting to run replication between Windows AD (2008R2

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Matt .
required pam_unix.so session optional pam_sss.so This is not what we want with a centralized auth and policy system so I hope we can fix this bug soon. Ideas are welcome! Cheers, Matt ___ Freeipa-users mailing list Freeipa-users

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-14 Thread Matt .
James, Is this in RHEL based systems only ? On Ubuntu there seems to be still issues. A full printout of the config file(s) would be nice to see as most people write other things down they have working, but the working ones don't write their full config down. Thanks. Cheers, Matt 2013/6/14

[Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-29 Thread Matt .
westill need the user_add (and so on). Has anyone some sort of sample/howto for this ? Thanks in advance. Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-29 Thread Matt .
Hi Alexander, That is great! I hope that someone can find this topic and use it as reference as it tool us some time to find the other one :) Thanks! Cheers, Matt 2013/7/29 Alexander Bokovoy aboko...@redhat.com Hi Matt, On Mon, 29 Jul 2013, Matt . wrote: Hi all, Refering

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Matt .
. Something simple must be wrong I guess. Thanks so far for the effort! Cheers, Matt 2013/7/29 Alexander Bokovoy aboko...@redhat.com Hi! On Mon, 29 Jul 2013, Matt . wrote: Hi Alexander, That is great! I hope that someone can find this topic and use it as reference as it tool us some

Re: [Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

2013-07-30 Thread Matt .
exectured from a php script to add a user with user_add. More details about that are welcome. Thanks! Cheers, Matt 2013/7/30 Dmitri Pal d...@redhat.com On 07/29/2013 03:02 PM, Alexander Bokovoy wrote: Hi! On Mon, 29 Jul 2013, Matt . wrote: Hi Alexander, That is great! I hope

Re: [Freeipa-users] How to communicate IPA with PHP

2013-07-30 Thread Matt .
. After this you can run a curl script from the commandline with a add_user and actually add that user to IPA. So that works. That is what we actually want to do from PHP but testing this with a HTTP/HTTPD user in IPA doesn't work. Shouldn't that be possible ? I hope so! Cheers, Matt 2013/7/26

[Freeipa-users] Dovecot/Postfix Auth, howto not working ?

2014-05-04 Thread Matt .
the feeling I'm missing something here. I hope someone can help me out! Thanks! Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Hi All, Is a wildcard DNS record supported at the moment ? If so, how to accomplish this ? Thanks! Matt ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Hi Martin, I have seen it indeed and discusses on #freeipa Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ? Cheers, Mattt 2014-05-23 13:57 GMT+02:00 Martin Kosek mko...@redhat.com: On 05/23/2014 12:15 PM, Matt . wrote: Hi All, Is a wildcard DNS record

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
OK, but I wonder where I can remove that * check in IPA... it must be somewhere in a template I think. 2014-05-23 15:50 GMT+02:00 Petr Spacek pspa...@redhat.com: On 23.5.2014 15:46, Martin Kosek wrote: On 05/23/2014 03:44 PM, Petr Spacek wrote: On 23.5.2014 13:59, Matt . wrote: Hi Martin

Re: [Freeipa-users] Wildcard DNS record supported ?

2014-05-23 Thread Matt .
Indeed! 2014-05-23 20:33 GMT+02:00 Dmitri Pal d...@redhat.com: On 05/23/2014 09:52 AM, Matt . wrote: OK, but I wonder where I can remove that * check in IPA... it must be somewhere in a template I think. You mean you want to contribute to the IPA code to change the validator to allow

[Freeipa-users] Automount WebDav share

2014-06-09 Thread Matt .
Hi All, Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logings in on the commandline ? I'm only able to use WebDav on these machines. I hope this is solvable. Cheers, Matt ___ Freeipa-users mailing list

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Matt .
Hi, Thanks for that quick search, I wasn't searching on autofs. I will let you know! Cheers, Matt 2014-06-09 12:24 GMT+02:00 Natxo Asenjo natxo.ase...@gmail.com: On Mon, Jun 9, 2014 at 12:16 PM, Matt . yamakasi@gmail.com wrote: Hi All, Is it possible in some way to automount

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Matt .
Hi, I'm only concerned about how to pass the password in this one... it seesm to be hardcoded and I would like to have it used by ldap/freeipa. Cheers, Matt 2014-06-09 12:35 GMT+02:00 Matt . yamakasi@gmail.com: Hi, Thanks for that quick search, I wasn't searching on autofs. I will let

Re: [Freeipa-users] Automount WebDav share

2014-06-10 Thread Matt .
Hi, Yes this is happening, or should with: share -fstype=davfs,user,rw,dir_mode=0777,file_mode=0666 http://webdavserver//webdav But it doesn't connect, or I don't see any logs about it. Ab on IRC tested this and it should work, but I'm missing something I think. Cheers, Matt 2014-06-09 13

Re: [Freeipa-users] Automount WebDav share

2014-06-10 Thread Matt .
OK, it seems that GSSAPI is key here, now I need to find out if I need something extra for GSSAPI on the WebDav Server. 2014-06-10 11:10 GMT+02:00 Matt . yamakasi@gmail.com: Hi, Yes this is happening, or should with: share -fstype=davfs,user,rw,dir_mode=0777,file_mode=0666 http

Re: [Freeipa-users] Automount WebDav share

2014-06-24 Thread Matt .
Anyone some news on this ? I'm kinda stuck with the normal webdav mount howto's I find. 2014-06-10 22:03 GMT+02:00 Matt . yamakasi@gmail.com: OK, it seems that GSSAPI is key here, now I need to find out if I need something extra for GSSAPI on the WebDav Server. 2014-06-10 11:10 GMT+02:00

[Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-03 Thread Matt .
] Restarting HTTP Service Stopping httpd:[ OK ] Starting httpd:[ OK ] I hope someone can help me out! Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com

Re: [Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-05 Thread Matt .
Hi, I got this solved but the replica doesn't do it's forwards on the zone's it need to foreward for, the master with the same settings does. I have done a new install but the same happens. WHat could be wrong here ? Cheers, Matt 2014-08-04 10:13 GMT+02:00 Martin Kosek mko...@redhat.com

Re: [Freeipa-users] IPA Replica does not start Bind but runs Manually

2014-08-08 Thread Matt .
Hi, Sorry, my fault, there was a FW fule in between. Thanks for the heads up. Matt 2014-08-07 14:53 GMT+02:00 Petr Spacek pspa...@redhat.com: On 5.8.2014 11:24, Matt . wrote: Hi, I got this solved but the replica doesn't do it's forwards on the zone's it need to foreward for, the master

Re: [Freeipa-users] Sudo on Ubuntu Client works, on CentOS it doesn't

2014-10-12 Thread Matt .
OK, found it... I needed to comment out my other ldap lines, but I wonder why this is needed on CentOS and Ubuntu works without them. 2014-10-12 21:14 GMT+02:00 Matt . yamakasi@gmail.com: Hi All. I'm using sudo rules on Ubuntu machines perfectly, but on CentOS I get: User username

[Freeipa-users] Primary mail address possible ?

2014-11-20 Thread Matt .
I remove it it can login again. Removing uid@sub.domain.local and only having n...@domain.tld doesn't work either. Anyone an idea how I can set uid@sub.domain.local bind a primary ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
Hi Dimitri, What do you mean by how ? Can you be more specific what you want to know ? 2014-11-21 23:42 GMT+01:00 Dmitri Pal d...@redhat.com: On 11/20/2014 09:15 PM, Matt . wrote: Hi Guys, For authenticating a user in Kolab I need uid@sub.domain.local as emailaddress, but as my user

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
(__FILE__)); } ? Does this help you some ? 2014-11-22 0:31 GMT+01:00 Dmitri Pal d...@redhat.com: On 11/21/2014 06:04 PM, Matt . wrote: Hi Dimitri, What do you mean by how ? Can you be more specific what you want to know ? How Kolab is connecting to IPA? LDAP ? Kerberos? Direcly

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
HI, Yes and that doesn't let me login... that's the issue. 2014-11-22 1:45 GMT+01:00 Dmitri Pal d...@redhat.com: On 11/21/2014 07:12 PM, Matt . wrote: HI Dimitri, Thanks, but it seems following the kolab devs that if kolab cannot determine the base dn, the other two do not matter. So

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
I need to say, saslauth caches it, didn't restart that one actually as it's kinda late! 2014-11-22 1:55 GMT+01:00 Matt . yamakasi@gmail.com: HI, Yes and that doesn't let me login... that's the issue. 2014-11-22 1:45 GMT+01:00 Dmitri Pal d...@redhat.com: On 11/21/2014 07:12 PM, Matt

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
/ldap/mydestination.cf But when I do a postmap check on this cf with domain.tld that gives a match, as it should... So that might need some modification ? 2014-11-22 2:14 GMT+01:00 Dmitri Pal d...@redhat.com: On 11/21/2014 07:57 PM, Matt . wrote: I need to say, saslauth caches it, didn't

Re: [Freeipa-users] Primary mail address possible ?

2014-11-21 Thread Matt .
Hi, OK got it working by changing the mailadres to u...@domain.tld Actually no IPA question, but you might know, my email is not delivered in one file /var/mail/uid instead of the maildir format it should do. At least it arrives well! Thanks 2014-11-22 2:23 GMT+01:00 Matt . yamakasi

[Freeipa-users] Add extra infofield to user

2014-11-24 Thread Matt .
Hi All, I see it's possible to add an extra field to a user by creating a new userobjectclass. The issue is that this field is not yet @ the user, but can we create it here ? /usr/lib/python2.6/site-packages/ipalib/plugins/user.py Any direction would be great! Thanks, Matt -- Manage your

Re: [Freeipa-users] Add extra infofield to user

2014-11-24 Thread Matt .
Hi Dimitri, I need to use multiple email adresses, but not under mail, mail needs to be primary. I have seen I can add mailAttribute ? I need to have them as field, and the best would be something like alias1, alias2, aliasX Would be doable ? Cheers, Matt 2014-11-24 17:51 GMT+01:00 Dmitri

Re: [Freeipa-users] Add extra infofield to user

2014-11-24 Thread Matt .
Hi, I need to make sure I have a primary one which is mail, the other ones should not matter, but I think it's wiser to have it like I know what is where. The reason why I need to is because I'm using Kolab which needs at least a primary mail attribute. Cheers, Matt 2014-11-24 19:22 GMT+01:00

[Freeipa-users] KDC has no support for encryption type

2014-12-29 Thread Matt .
bug in 4.x ? And can I fix it ? Thanks! Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
HI, I'm already doing so without any luck. If you remember something, would be nice to know! So it should be possible to do still ? 2015-02-05 14:26 GMT+01:00 Dmitri Pal d...@redhat.com: On 02/05/2015 07:59 AM, Matt . wrote: Hi, OK, but as far as I understand we made some change, using

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
those days that it seems to be lost or so. Thanks, Matt 2015-02-05 13:21 GMT+01:00 Dmitri Pal d...@redhat.com: On 02/05/2015 05:54 AM, Matt . wrote: In the past we have done some testsetups with password expiring after we added a user, at the moment I have difficulties with this on 4.1.2 What

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
calcuation... I need the global kerberos calculation time for that, but where is it located ? That would solve my issue for sure! On 02/05/2015 08:32 AM, Matt . wrote: HI, I'm already doing so without any luck. If you remember something, would be nice to know! So it should be possible

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
OK this works out good, I can login without changing my password directly. But my expire is still on a day which should be set higer. min is on 0 everywhere, max is 90 days. How to accomplish that ? 2015-02-05 17:13 GMT+01:00 Matt . yamakasi@gmail.com: Yes, when receiving your email I

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
I'm quite sure you can without changing code, I need to find out where it's set again... it's doable. 2015-02-05 22:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: OK this works out good, I can login without changing my password directly. But my expire is still on a day which

Re: [Freeipa-users] Remove password exiration after useradd

2015-02-05 Thread Matt .
Yes, when receiving your email I found that indeed. My ldapEditor doesn't allow me to add that value, so this need to be done using the commandline ? 2015-02-05 15:03 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: HI, I'm already doing so without any luck. If you remember

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
Isn't this documented well (yet) ? The RH docs are always very detailed about it, but I'm not sure here... I see solutions but not 100% from A to Z to make sure we do it the proper way. 2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com: Not worried, I need to try. I think it's

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-19 Thread Matt .
The right way to sequest a SAN, this seems to need some extra config file ? 2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Isn't this documented well (yet) ? Is what documented yet? rob The RH docs are always very detailed about it, but I'm not sure here

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, But as the user is the same, I could use the same keytab for each ipa server ? I need to use the API indeed, so need to issue the http service. Any other options ? 2015-03-06 14:24 GMT+01:00 Petr Spacek pspa...@redhat.com: On 6.3.2015 14:08, Martin Kosek wrote: I'm figuring out how to

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
it more clear ? 2015-03-06 15:31 GMT+01:00 Petr Spacek pspa...@redhat.com: On 6.3.2015 15:13, Matt . wrote: Hi, But as the user is the same, I could use the same keytab for each ipa server ? I need to use the API indeed, so need to issue the http service. Any other options ? I do not really

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
! Cheers, Matthijs 2015-03-06 16:16 GMT+01:00 Petr Spacek pspa...@redhat.com: On 6.3.2015 15:39, Matt . wrote: I have 2 IPA servers where I kinit to and post to the api using curl/json. If we are talking purely about scripting, you can use IPA Python API. It will handle fail over for you even

[Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
Hi, I'm figuring out how to regenerate the webserver certificates so I can use a loadbalancer in front of my ipa servers. I see in the docs there is information about this, but not for the webservice. Does anyone have some directions ? Thanks. Matt -- Manage your subscription for the Freeipa

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
proceed ? I added the host like ldap.domain... where my ldap servers are ldap-01 and ldap-02 Thanks! Matt 2015-03-06 14:08 GMT+01:00 Martin Kosek mko...@redhat.com: On 03/06/2015 01:30 PM, Matt . wrote: Hi, I'm figuring out how to regenerate the webserver certificates so I can use

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-06 Thread Matt .
doing these command from PHP for an example. Building in extra checks in front could be done but it not ideal as a loadbalancer can handle such things much better. Thanks! Cheers, Matt 2015-03-06 16:41 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/06/2015 10:24 AM, Matt . wrote: Hi, I'm

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-07 Thread Matt .
Hi, I will balance with IP persistance so I think there won't be any mixing as long as that used server is online. 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/06/2015 11:05 AM, Matt . wrote: OK, understood. But when a webservice does execute a command (from scripting

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-08 Thread Matt .
? 2015-03-07 10:37 GMT+01:00 Matt . yamakasi@gmail.com: Hi, I will balance with IP persistance so I think there won't be any mixing as long as that used server is online. 2015-03-06 19:16 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/06/2015 11:05 AM, Matt . wrote: OK, understood

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi, Security wise I can understand that. Yes I have read about that... but that would let me use the loadbalancer to connect ? I was not sure if the SAN would connect as other host. 2015-03-12 15:07 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi Guys, Is Rob able to look

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-12 Thread Matt .
Hi Guys, Is Rob able to look at this ? I hope he has some sparetime as I'm kinda stuck with this issue. Thanks! 2015-03-08 12:30 GMT+01:00 Matt . yamakasi@gmail.com: I'm reviewing some things. When I'm using a loadbalancer, which I prefer in this setup I need to have the same

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
When digging around I see this documentation: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html I would except that server.example.com is not going to be accepted by IPA when you visit the webgui like that ? 2015-03-26 1:57 GMT+01:00 Matt . yamakasi

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-29 Thread Matt .
and curl against ldap-01.domain and I'm accepted and can execute stuff. My ssl is OK, ticket also it seems. Thanks M. Op 30 mrt. 2015 03:50 schreef Dmitri Pal d...@redhat.com: On 03/29/2015 04:47 AM, Matt . wrote: Hi Guys, Now my Certification issues are solved for using a loadbalancer in front

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Matt .
...@redhat.com: On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote: Hi, I just tot home and typing from my cell so i'm suite short in words Create keytab for ldap-01.domain Kinit with that to ldap.domain Curl against ldap.domain Get a 301 which I manage from curl (goes well) Get kerberos

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Matt .
GMT+02:00 Matt . yamakasi@gmail.com: Hi, I tried to trace some stuff but this doesn't give me much more info. What I see at the moment in the /var/log/httpd/acces_log is exactly what happens but without the info I need to get a better view: 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Matt .
GMT+02:00 Sumit Bose sb...@redhat.com: On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote: On my client I still see: 03/31/2015 11:00:08 04/01/2015 11:00:07 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL 03/31/2015 11:00:09 04/01/2015 11:00:07 HTTP/ldap-01.domain.local@DOMAIN.LOCAL Should ldap-01

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Matt .
}) 10.10.0.121: ISSUE: authtime 1427794491, etypes {rep=18 tkt=18 ses=18}, kinituser@DOMAIN.LOCAL for HTTP/ldap-01.domain.local@DOMAIN.LOCAL I don't get the preauth needed, does it have anything todo with the 301 redirect which I follow with CURL ? 2015-03-31 11:15 GMT+02:00 Matt . yamakasi

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Matt .
OK, also understood. Next item why I don't get any logging or it's not working as espected. I'm actually out of options to be honest. 2015-03-31 11:54 GMT+02:00 Sumit Bose sb...@redhat.com: On Tue, Mar 31, 2015 at 11:38:30AM +0200, Matt . wrote: Here some extra logging from the kerberos log

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
HI Phasant, Check my mailings about it, it's not easy at least the kerberos part not, SRV records are used for that normally. Are you talking about the webgui or the ldap part ? Cheers, Matt 2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com: Hi, I'm trying to get 2 FreeIPA

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
script to ldap-01.domain.tld after it failed my ticket is OK for ldap-01.domain.tld and works. Is this enough information for you ? Cheers, Matt 2015-03-31 14:21 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 14:02, Matt . wrote: HI Phasant, Check my mailings about it, it's not easy

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
fixing this saves me really much more time than doing the another way. Thanks! Matt 2015-03-31 16:24 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 16:10, Matt . wrote: HI Petr, We had a several of reasons why we did that. We wanted to use one language for that, and also have formatted

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
it seems... it cannot be hard to make that accepted I would say. I'm still looking for solutions :) Cheers, Matt 2015-03-31 15:58 GMT+02:00 Petr Spacek pspa...@redhat.com: On 31.3.2015 15:23, Matt . wrote: Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
we can get this fixed :) Thanks! Matt 2015-03-31 17:41 GMT+02:00 Brendan Kearney bpk...@gmail.com: On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote: On 03/31/2015 10:38 AM, Matt . wrote: True, but we have some extra later between which does the cli command not usable (at least

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
to investigate as that server is running fine). Get the idea ? Thanks again! Matt 2015-03-31 17:58 GMT+02:00 Brendan Kearney bpk...@gmail.com: On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote: Hi Brendan, Yes thanks for your great explanation, I have done that indeed. But in some strange way

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
OK, but we need to do this using IPA or (as IPA does some things different it seems). Anyone testing this perhaps ? (/me is multitasking atm) 2015-03-31 20:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com: Brendan Kearney wrote: On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote: On Tue,

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
something more clear. 2015-03-31 19:29 GMT+02:00 Brendan Kearney bpk...@gmail.com: On Tue, 2015-03-31 at 18:18 +0200, Matt . wrote: OK, that makes it even more clear. an ldapwhoami might be an issue. As this client is known on a different ldap server and I kinit to another ldap server

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Simo, Yes that was where I was thinking of also, so you say faking by DNS ? @Brendan, cnames are not that nice in networks indeed. 2015-03-31 20:10 GMT+02:00 Brendan Kearney bpk...@gmail.com: On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote: On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Matt .
Hi Petr, We discussed that before indeed, but SRV is not usable in this case. My clients are just webservers (apache) doing some executes of CURL commands to ipa/json, actually the same commands as the webgui does using json, but we curl it. Do you have a better view now ? Cheers, Matt 2015

[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-29 Thread Matt .
fit my situation. Why wants it the preauth when I already have a valid ticket and my redirect is followed by CURL and posted the right way ? I hope someone has an idea. Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
under the altnames for HTTP/ldap-01 but there is indeed no ldap-01 as altname but only on the certificate itself. 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: HI Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what you're trying to do

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
Hi Rob, Thanks for the explanation. I understand your solution, I just thought that was the dirty way :) Thanks for your effort! Cheers, Matt 2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: I'm almost there but what happens when I regenerate a certificate

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
HI Rob, Yes something is wrong there I guess. But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least. So the question there is... how ? Cheers, Matt 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob, Thank you very much! I think this will work out as it's only https traffic. I will report back! Thanks a lot! Matt 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: HI Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what

[Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Matt .
day, servers that chedck if they are registered for SSSD so that it logs it is normal, but I want to get rid of it I guess. I'm throwing out I think about 6GB per day of logs, all loglevels are low. Any idea ? It's 3.x on CentOS 6.6 Any idea ? Thanks Matt -- Manage your subscription

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
|:443... connected. ERROR: no certificate subject alternative name matches requested host name 'ldap-01.domain.tld'. To connect to ldap-01.domain.tld insecurely, use `--no-check-certificate'. 2015-03-26 20:43 GMT+01:00 Matt . yamakasi@gmail.com: Hi Rob, Thank you very much! I think

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
OK some new update: When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a 301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my browser it just works fine. 2015-03-26 22:11 GMT+01:00 Matt

Re: [Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Matt .
no clue. Thanks, Matt 2015-03-26 23:01 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/26/2015 05:37 PM, Matt . wrote: Hi Guys, I'm facing every day a fast filling log of: /var/log/krb5kdc.log /var/log/dirsrv/slapd-DOMAIN/access* I need to remove the files and restart ipa. The kerberos log

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-25 Thread Matt .
the ca.crt from /etc/ipa/ca.crt and the one I generated in the same file. I need to have them both in my curl certificate. I might be wrong here, but this is where I'm at. Thanks again for your patience. Matt 2015-03-20 15:39 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
Rob, I just saw your message on IRC from a couple of hours ago... timedifference ;) Thanks, Matt 2015-03-28 10:17 GMT+01:00 Matt . yamakasi@gmail.com: Rob, As I was responding a little bit late last night, the following come to mind. As you say I need to request my cert with two names

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-28 Thread Matt .
access ldap-01 directly it complains @ the services tab on some servicehosts that are in there, and some not. I think this is not a simple PTR or A record fix, I'm curious how to do. Cheers, Matt 2015-03-27 18:57 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: I'm almost there but what

Re: [Freeipa-users] freeipa behind a load balancer

2015-04-02 Thread Matt .
script you also see a ticket coming back from the ipa server itself. I have seen some mailings from last year too with no solution... it seems to be a showstopper on that part :( 2015-04-01 20:41 GMT+02:00 Matt . yamakasi@gmail.com: Hi, I'm not gicing up on this, so I'm testing. I'm

Re: [Freeipa-users] freeipa behind a load balancer

2015-04-01 Thread Matt .
to get some advice here. Thanks! Matt 2015-03-31 21:23 GMT+02:00 Matt . yamakasi@gmail.com: OK, but we need to do this using IPA or (as IPA does some things different it seems). Anyone testing this perhaps ? (/me is multitasking atm) 2015-03-31 20:22 GMT+02:00 Rob Crittenden rcrit

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Matt .
[caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc] [ OK ] So the error on the replica is not that strange, but how to fix this on the master ? Matt 2015-06-22 15:59 GMT+02:00 Hendrik Frenzel

[Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Matt .
and finally go from there. But what is the best way to set my hostnames back to ipa-01 from ipa-01-1 (and maybe ipa-02-1) ? I hope for some good suggestions. Thanks! Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-27 Thread Matt .
Hi, Not yet, I'm busy with it right now. I created a bugreport where I'm checking the reference bugs now, but I didn't saw a solution that fast. https://bugzilla.redhat.com/show_bug.cgi?id=1235766 I did do point 3 4. Matt 2015-06-27 15:27 GMT+02:00 Dmitri Pal d...@redhat.com: On 06/23/2015

[Freeipa-users] DNS forwarder first does not fallback to local

2015-06-27 Thread Matt .
doing somethin wrong ? Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-23 Thread Matt .
Anyone some suggestions about this ? I'm thinking about adding from my second 3.x master where I first need to split that cluster to make that happen. 2015-06-22 22:57 GMT+02:00 Matt . yamakasi@gmail.com: OK, I'm on the go here but I have some issue. When I install the replica server

Re: [Freeipa-users] DNS forwarder first does not fallback to local

2015-06-29 Thread Matt .
might be something if I want to go this way. Thanks! Matt 2015-06-29 15:37 GMT+02:00 Petr Spacek pspa...@redhat.com: On 29.6.2015 14:07, Matt . wrote: Hi Petr, Bot servers have zone: domain.tld Server1 (192.168.1.1) has: domain.tld foo A 192.168.1.10 bar A 192.168.1.20 Server2

Re: [Freeipa-users] DNS forwarder first does not fallback to local

2015-06-29 Thread Matt .
an answer. I thought this was working but isn't and following your table it should. What are my options ? Thanks, Matt 2015-06-29 11:20 GMT+02:00 Petr Spacek pspa...@redhat.com: On 27.6.2015 19:06, Matt . wrote: Hi All, When I add a forwarder with policy to forward first, there is only

Re: [Freeipa-users] DNS forwarder first does not fallback to local

2015-06-29 Thread Matt .
.centos.x86_64 It would also be great if this is possible between IPA 3 and 4. Thanks for your help so far! Cheers, Matt 2015-06-29 13:44 GMT+02:00 Petr Spacek pspa...@redhat.com: On 29.6.2015 13:16, Matt . wrote: Hi, The zones are on both servers, just not all records are, this has a reason. One

Re: [Freeipa-users] DNS forwarder first does not fallback to local

2015-06-29 Thread Matt .
need to be added manually to the non-managed server. 2015-06-29 17:11 GMT+02:00 Petr Spacek pspa...@redhat.com: On 29.6.2015 16:10, Matt . wrote: Hi Petr, Yes I understand why this is not possible. The idea was to have a managed DNS server from scripting and one for other usage by clients

Re: [Freeipa-users] DNS forwarder first does not fallback to local

2015-06-29 Thread Matt .
at the moment. Thanks again for the heads up! Matt 2015-06-29 18:26 GMT+02:00 Petr Spacek pspa...@redhat.com: On 29.6.2015 18:22, Matt . wrote: Hi, Because it can happen that hostnames are used twice, but one for each network. This sounds a little bit odd, but it has something todo

[Freeipa-users] Userpassword randomly not working anymore.

2015-07-04 Thread Matt .
as this user the password is expired or damaged but still says in the GUI it expires in 2035 Actual results: The password expires it get's currupted or so ? Expected results: It should not expire until 2035! I hope someone has a clue here as I can't get anything logged about it. Thanks, Matt

Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
Rob, Isn't it impossible to install a CA on a replica when it's master died ? I know there is normally one CA, but this is kinda confusing me so I'm testing out scenarios. Thanks, Matt 2015-07-06 18:10 GMT+02:00 Matt . yamakasi@gmail.com: Hi Rob, OK, I had difficulties

Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
installation between 2 servers which only has one CA. Discussing this with Simo on IRC it seems to be some nice writing to have in the docs and now I found out... I'm trying to create this using my tests. But some unclear things have to be made clear first. Cheers, Matt 2015-07-06 19:01 GMT+02

[Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Matt .
of that I can setup a replica again. What is my best approach to test this ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-12 Thread Matt .
DOMAIN\username as username So, the IPA way should work. Any comments here ? Cheers, Matt 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com: HI GUys, I'm testing this out and I think I almost setup, this on a CentOS samba server. I'm using the ipa-adtrust way of Youeen but it seems we

  1   2   3   >