) , tested solution and
not a resource pig. It integrates great with netgroups, by the way.
There are packages for every distribution. I run it in a esx cluster
(both the esx servers and the linux vm's and it works great).
--
natxo asenjo
___
Freeipa-users
On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees
ijsto...@hkl.hms.harvard.edu wrote:
How did you expect anyone to seriously try to use FreeIPA if they
couldn't migrate between versions? Surely installation and extended use
(weeks/months) by non-developers is part of any beta-testing plan.
If
On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie sigbj...@nixtra.com wrote:
Ok, I do like the wider options for channels in Red Hat, but this bring me to
my next question:
Will there be an extra charge for this add on channel, or will this be
included in the base
subscription?
If $answer =
On Mon, Dec 5, 2011 at 10:05 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Hi
8
What you need is some knowledge of LDAP, and to work with your vendors
to figure out how they should be configured to work with IPA.
8---
Funny but I thought a goal of IPA was to make this
On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
d...@themacartneyclan.com wrote:
I have been experimenting with how best to address this, however I am
constantly being pushed back to the only way of having a userdir
hi,
First question: according to the docs in
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-automount.html#Configuring_Automount-Configuring_autofs_on_Linuxwhen
configuring autofs you can choose to enter LDAP_URI in two ways, the
lazy on
hi,
enable a kerberized site with the fqdn is very easy with freeipa but we
would like to use virtual hosting and kerberized sites.
I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
configured the apache
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce s...@redhat.com wrote:
CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
In fact I just tested a virtual host on my ipa server using a cname and
it worked.
great!
Can you post your (sanitized) mod_auth_kerb configuration ?
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce s...@redhat.com wrote:
Your configuration looks right, but I went back and looked at your logs
and I saw a permission denied error.
I would check that the apache user can access the keytab
file: /etc/httpd/conf/webserver01_http.keytab
If you are
On Mon, May 21, 2012 at 3:21 PM, Rich Megginson rmegg...@redhat.com wrote:
On 05/21/2012 07:13 AM, Dan Scott wrote:
https://fedorahosted.org/**freeipa/ticket/2770https://fedorahosted.org/freeipa/ticket/2770
I've modified the nagios perl script that I got from:
On Fri, Jun 8, 2012 at 12:37 PM, Ondrej Hamada oham...@redhat.com wrote:
On 06/08/2012 10:16 AM, Natxo Asenjo wrote:
hi,
This is work in progress but maybe useful for someone.
http://test.asenjo.nl/index.php/Mediawiki_ipa
(feel free to use it for the freeipa.org wiki, I consider
On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney
d...@themacartneyclan.comwrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I've just placed another wiki article for adding Jabber services to IPA.
This is a work in progress as I'm aiming for SSO ability, but thought
someone might find
hi,
After some initial troubles (thanks rcrit on irc) I got this to work
nicely. I have used the openfire
http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
server.
Instructions here:
http://test.asenjo.nl/index.php/Openfire_ipa
--
Groeten,
natxo
On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce s...@redhat.com wrote:
On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
hi,
After some initial troubles (thanks rcrit on irc) I got this to work
nicely. I have used the openfire
http://www.igniterealtime.org/projects/openfire/index.jsp
On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce s...@redhat.com wrote:
Yes with IPA you can use service principals to initiate context w/o
problems. That's why I suggested you use a service principal.
AD has a limitation that you must use an actual user to initiate a
context, that may be where
On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth james.hoga...@gmail.comwrote:
Hi all,
As mentioned on IRC today I've finished my write up of using Apache
with SNI and kerberos authentication with an IPA backend
I'd be interested in any feedback:
hi,
recently it was brought to my attendtion that isp-dhcpd version 4.2
supports getting its database information from ldap. Earlier versions
support it as well with a patch.
It would be awesome if this could be integrated in IPA.
I am aware you guys have your hands full with plenty of stuff,
On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher sgall...@redhat.comwrote:
On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote:
hi,
recently it was brought to my attendtion that isp-dhcpd version 4.2
supports getting its database information from ldap. Earlier versions
support
hi,
Is it 'safe' to use ipa on the internet?
My feeling is its, I mean, kerberos is meant for untrusted networks.
What are your thoughts about this?
What ports should of the kdc *not* be accessible?
--
Groeten,
natxo
___
Freeipa-users mailing list
hi,
I followed the instructions here
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.htmland
they worked flawlessly.
Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is not
possible, is it possible to use a netapp file as
On Sun, Jul 1, 2012 at 10:39 PM, ondr...@s3group.com wrote:
In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world
that can provide you with a true NFSv4 ACLs (remember to turn them on
using options nfs.v4.acl = on).
The nasty hack Rob mentioned will only provide you with
hi,
I just wanted to say: awesome!
Without using the NIS compatibility layer, I just create a hostgroup, fill
it in with hosts. Then I add that hostgroup to a netgroup. That's all I
need to automagically create classes our cfengine setup can use to
distribute policies accross the hosts.
You
On Sun, Aug 26, 2012 at 6:05 AM, KodaK sako...@gmail.com wrote:
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:
we cannot use anything other than MS AD for authentication
I've spent months of time and much effort rolling out IPA,
consolidating
On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
One thing I have not yet gotten to work is that these changes are not
persistent accross reboots. The ldapclient config stays, but the service
ldap/client does not start
On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
Thank for your tips. I think there might just be something broken with
the ldap/client service in openindiana. This DUAProfile thing is really
nice to use
Agreed, it sounds like a bug in OpenIndiana.
That's odd. A
On Tue, Sep 4, 2012 at 11:18 PM, Steven Jones steven.jo...@vuw.ac.nzwrote:
Is it possible to limit when users can login?
of course, pam + time (see https://www.google.com/search?q=pam%20time,
the first result looked good on first sight if I recall it correctly).
It would be nice to have this
hi,
the subject says it all, I guess.
I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if somene (Siggi :-) ? ) has (had) this
setup working.
--
Groeten,
natxo
___
Freeipa-users mailing list
On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
Thank for your tips. I think there might just be something broken with
the ldap/client service in openindiana. This DUAProfile thing is really
On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:
On 09/05/2012 08:12 PM, Natxo Asenjo wrote:
hi,
the subject says it all, I guess.
I know from another thread that with nexanta it is possible using
nsswitch.conf, but I was wondering if somene (Siggi :-) ? ) has
On Fri, Sep 7, 2012 at 1:33 PM, Ondrej Valousek ondr...@s3group.cz wrote:
That is actually the main benefit of the 'ldap.ADdomain' parameter. It
will allow you to simplify configuration and allows easy load
balancing/failover functionality.
We are paying for NetApp support, too so if anyone
On Wed, Sep 12, 2012 at 8:26 PM, george he george_...@yahoo.com wrote:
Hello,
My ipa server and my nfs server are the same machine running centos 6.3.
try to separate those roles if you can. You can use vm's, it'll work great.
The server was accidentally down and rebooted.
But then I got
On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden rcrit...@redhat.com wrote:
Steven Jones wrote:
Hi,
I dont have a ldapmodify command for changing something in AD.
I have increased the only scope I/we know about which is the return of
objects from a search inside the AD gui but that might
On Fri, Oct 12, 2012 at 8:06 PM, Rob Crittenden rcrit...@redhat.com wrote:
The FreeIPA team is proud to announce version FreeIPA v3.0.0.
It can be downloaded from http://www.freeipa.org/Downloads.
A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works
well in Fedora 17
hi,
how can I unlock the admin password using ldap commands? I misstyped
the password using kinit a couple of times and now the account is
locked.
I have already changed the passwd using the command in
https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html,
but I still cannot login
On Thu, Oct 25, 2012 at 11:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
how can I unlock the admin password using ldap commands? I misstyped
the password using kinit a couple of times and now the account is
locked.
I have already changed the passwd using the command in
https
On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote:
We have many different development groups, but people can be members
of multiple groups. For collaboration, they'd like it when creating a
file to have that file have a group ownership of foo on machine-A,
but bar on machine-B.
requirement as nobody would ever
think of it in Windows. Not happy w/ a traditional Unix permissions? Go for
ACLs.
The only pity is that the current Posix-draft hack widely used on all
Linuxes is a mess and Rich-acl support is still nowhere in sight :-(
Ondrej
On 10/26/2012 09:07 AM, Natxo
hi,
this is a part of ipaclient-install.log
2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt
:
zone ipa.domain.tld.
update delete host.ipa.domain.tld. IN SSHFP
send
update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E6876
89307F4ADCF3
update
hi,
when running getent negroup netgroupname I get old entries.
Apparently sssd is being helpful :-) and caching info, but it should
not do it when I am connected to the domain (IMHO).
According to
hi, Qing
On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang qch...@sri.utoronto.ca wrote:
2, Dovecot + IPA: it is not an IPA issue but sss cache timeout issue, I read
it's 90 min?
When a user changes his/her password, the cache usually is not updated,
hence
problem checking IMAP email with
On Tue, Nov 20, 2012 at 9:28 AM, Petr Spacek pspa...@redhat.com wrote:
Hello,
On 11/19/2012 05:28 PM, Natxo Asenjo wrote:
On Mon, Nov 19, 2012 at 10:03 AM, Petr Spacek pspa...@redhat.com wrote:
Hello,
hi,
The log showed the root cause:
Dynamic Update is not allowed in zone
idnsname
hi,
On Wed, Nov 28, 2012 at 12:02 AM, Tim Wissman tim.wiss...@gmail.com wrote:
Folks - I have started using FreeIPA and have tried to download the Solaris
10 nss-ldap for the intel platform, but when i tried to save the file i
received an error saying the server had issues. I was able to
hi,
I'm following the howto on
http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
users voor virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not
respecting the sasl_allowed_username_list parameter.
If I do not set it, and I have a realm ticket,
Sorce wrote:
Hi Natxo,
On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
hi,
I'm following the howto on
http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
users voor virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not
respecting
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = [ad...@ipa.example.com ]
if I leave this field commented out (default setting), everybody can
manage the kvm host
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce s...@redhat.com wrote:
Natxo it sounds odd that you are getting back a non fully qualified
principal name, are you sure your configuration is using SASL/GSSAPI ?
What other directives have you configured ?
I have followed the howto in the
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange berra...@redhat.com wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
Thanks. If I may just hijack this thread: is it possible to whitelist
groups instead of individual users to use virsh/virtual manager?
I know sasl only
hi,
the default hbac rule 'allow_all' is nice for testing, but for a
production environment I am not so sure ;-)
We do not want our users getting a shell in our kdc servers or in the
database servers for instance. We want them to use the postgresql
service, but not login the database server with
hi,
I have a 6.3 centos server that has been upgraded since 6.1. According
to the ipaserver-install.log, I installed it on feb 3 2012 so it has
been upgraded at least once.
Now that I have more hardware to run a few more vm's I can test
replicas. But apparently I am running into this problem:
On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek jhro...@redhat.com wrote:
On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote:
hi,
why would I want sssd to cache group/hostgroup/netgroup membership?
Is the performance hit so huge on the ldap servers?
I ask this because Windows admins
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce s...@redhat.com wrote:
As a test to show why the cache is important do this:
1. Create a directory
2. create 100 files in this dirctory
3. chown each file to a different user and a different group each
4. stop sssd, wipe cache file and restart
5.
hi,
On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker patr...@vanbelle.com wrote:
I just joined this list because I was curious about the recent discussion
that Rashard Kelly had started about whether to use FreeIPA's integrated DNS
or whether to disable DNS. I'm wondering about a very similar
hi,
On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden rcrit...@redhat.com wrote:
a bit late, but here is the output of /var/log/ipareplica-install.log
en /var/log/pki-ca/debug ; I did not find a
/var/log/ipaserver-install.log in the replica server.
The dogtag installer is failing with the
hi,
On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal d...@redhat.com wrote:
The holidays are coming. It is unlikely that we would be able to look
into it till Jan.
that is no problem at all, we have the same issues ;-)
Do you want me to keep the vm's around for troubleshooting the issue
when
hi,
on a workstation *not* joined to the IPA domain but with the the ipa
admin tools installed I get this error when trying to modify dns
settings and I have a kerberos ticket of an admin user:
$ kinit user.ad...@unix.domain.tld
Password for user.ad...@unix.domain.tld
$ klist
Ticket cache:
On Mon, Jan 7, 2013 at 12:18 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
How could I troubleshoot this?
i have upped the debugging on sssd.conf
debug_level = 9
en reloaded sssd.
When I run
# getent netgroup nagios
nagios
[root@ipaclient01 ~]# grep -i nagios /var/log/sssd/*.log
/var/log
On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote:
On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote:
hi,
in sssd.conf I have this regarding netgroup caching info:
entry_cache_netgroup_timeout = 300
After the file was modified, the sssd daemon was reloaded
On Mon, Jan 7, 2013 at 8:20 PM, Jakub Hrozek jhro...@redhat.com wrote:
On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote:
hi,
On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote:
On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote:
On Mon, Jan 7, 2013
On Tue, Jan 8, 2013 at 2:48 PM, Ondrej Kos o...@redhat.com wrote:
could you please provide more logs? I tried to set up same environment, with
sssd-1.8.0-32.el6.x86_64, and everything works fine, so you might be hitting
some race condition.
sure, I will send you debug 9 logs to your corporate
On Thu, Jan 24, 2013 at 10:51 PM, KodaK sako...@gmail.com wrote:
I have a need to have certain mission critical application accounts
non-expiring (people don't log in directly, but if the accounts expire
it could stop production jobs.)
Without knowing anything about this particular case, could
On Mon, Feb 4, 2013 at 9:33 AM, Rajnesh Kumar Siwal
rajnesh.si...@gmail.com wrote:
IPA client on CentOS 5.6 was not able to take care of it.)
that's why you should be using a config management tool like cfengine,
puppet, chef, ansible, ., (choose your poison).
Organizations usually have
On Fri, Jan 11, 2013 at 4:19 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Fri, Jan 11, 2013 at 3:51 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
I just tried again to create a replica and had exactly the same error
as on the thread's first post.
in ipareplica
On Thu, Feb 14, 2013 at 10:02 AM, Dag Wieers d...@wieers.com wrote:
Hi,
Another interesting recommendation from security is that all granted access
(that is exceptional, rather than permanent) should be limited in time from
the onset.
If this is not possible all granted access needs to be
On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman
bret.wort...@damascusgrp.comwrote:
Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out:
:
Could not connect to LDAP server host oldmaster.my.com port 7389 Error
netscape.ldap.LDAPException: failed to connect to server ldap://
On Fri, Feb 22, 2013 at 4:52 PM, KodaK sako...@gmail.com wrote:
Just curious if anyone has configured HP ILO to authenticate against
IPA. I'm just starting out and the fact that the ILO configuration
screen has a section for a SID has me a bit concerned.
i have not touched new HP gear for a
On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney
d...@themacartneyclan.com wrote:
I've just deployed a RHEL 6.4 proxy and the guide is still accurate and
works.. however I agree a config file would be a better place for the
options. Both work at the end of the day.
yes, the guide is accurate,
On Thu, Mar 14, 2013 at 9:41 AM, Dale Macartney
d...@themacartneyclan.com wrote:
Article updated
http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On
awesome! Thanks,
natxo
___
Freeipa-users mailing list
hi,
apparently what I am trying to do is not very usual because I do not get
any answer on the omnios (opensolaris derivative) mailing list.
I have successfully joined a host to the ipa domain, I can log in the
omnios host as an ipa user, getent works, kerberos works (thanks to Johan
Petersson
hi,
thanks, still not working though:
# share -F nfs -o sec=krb5 -d homedirs /export/home
Could not share: /export/home: invalid security type
# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
invalid options
# zfs set
:
zfs set sharenfs='sec=krb5' pool/dataset
Natxo Asenjo natxo.ase...@gmail.com wrote:
hi,
thanks, still not working though:
# share -F nfs -o sec=krb5 -d homedirs /export/home
Could not share: /export/home: invalid security type
# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set
hi,
On a centos 6.4 testlab I am testing a trust with a windows 2008r2 domain
(separate dns domains).
Following the docs
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
I install the cifs-utils package but
Is the cifs-utils package really necessary?
cifs-utils is not needed for trusts to function. I guess documentation
was implying that cifs-utils might have been installed for mounting CIFS
shares.
ok, thanks for clarifying this. In the link I posted you can read this:
The cifs-utils package
hi,
while following the instructions in
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
I run step 9:
smbclient -L kdc.ipa.asenjo.nx -k
lp_load_ex: changing to config backend registry
Connection to
On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose sb...@redhat.com wrote:
On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
hi,
while following the instructions in
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust
I saw there is a log in /var/log/samba/log.wb-IPA
The log complains about missing keys for the spn for the hostname (not the
fqdn, just the hostname):
Connection to LDAP server failed for the 15 try!
[2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
kerberos error:
domain
Trust status: Established and verified
And it is working :-)
Awesome.
Thanks!
--
groet,
natxo
--
Groeten,
natxo
On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose sb...@redhat.com wrote:
On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
I saw there is a log in /var/log/samba
hi,
just a little 'but'.
when verifying the trust (point 12
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html)
# kinit user
Password for nase...@ipa.asenjo.nx:
[root@kdc ~]# kvno
On Fri, Apr 19, 2013 at 1:08 PM, Sumit Bose sb...@redhat.com wrote:
On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
hi,
just a little 'but'.
when verifying the trust (point 12
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html
hi,
after succesfully configuring the trust between 2 different domains
(IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the windows
host to the linux host using the trusted kerberos tickets.
This is my krb.conf in the linux host:
includedir /var/lib/sss/pubconf/krb5.include.d/
hi,
some progress. I disabled the firewall of the linux host (also the kdc,
incidentally). From the Windows host using the AD Domain and Trusts tool I
can verify the trust and using putty I can login and get the linux kerberos
tickets as a windows realm user.
If i enable the firewall and I do
hi,
a bit puzzled now. I have joined another 2k8r2 host to the AD domain that
is trusted by the ipa domain.
As AD\administrator I can ssh to the linux host.
I create a bunch of AD users, standard members of 'Domain Users'. But I
cannot login to the linux host.
When I run wbinfo --online-status
On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose sb...@redhat.com wrote:
On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
# wbinfo --online-status
BUILTIN : online
IPA : online
AD : offline
# wbinfo --domain-info ad.asenjo.nx
Name : AD
Alt_Name
On Fri, May 24, 2013 at 4:18 PM, Martin Kosek mko...@redhat.com wrote:
Simo, on a side note - I am thinking, would it make sense to create a new
command ipa migrate-ipa which would migrate data from other IPA
installation?
I.e. it would migrate users, groups, hosts, sudo, hbac, automount,
On Wed, May 29, 2013 at 10:55 PM, William Muriithi
william.murii...@gmail.com wrote:
Hello
I have set up gitolite3 and its working fine when I connect to it
through ssh. I am using LDAP (FreeIPA) for authorization.
When I connect through http/https, I am authenticated, but I believe
On Sun, Jun 2, 2013 at 9:49 PM, Ryan Cunningham
ryan.cunningham.xy...@gmail.com wrote:
Hello,
I've been evaluating FreeIPA in a lab environment prior to possibly rolling
it out in our enterprise but have been having issues with a few hosts
rejecting SSH logins for users authenticated against
On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham
ryan.cunningham.xy...@gmail.com wrote:
What I see is:
fatal: Access denied for user admin by PAM account configuration
What about disabling selinux?
Whoops, I probably should have caught these myself.
Disabling SELinux fixed one of the
hi,
just interested. We have noticed that ldap users have this PS1 envvar:
PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$
This is a confusing moment. Changing the shell to /bin/bash solves this,
but maybe this is not optimal for other systems or users.
--
Groeten,
natxo
On Thu, Jun 6, 2013 at 4:30 PM, Rob Crittenden rcrit...@redhat.com wrote:
Natxo Asenjo wrote:
hi,
just interested. We have noticed that ldap users have this PS1 envvar:
PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$
This is a confusing moment. Changing the shell to /bin/bash solves
On Fri, Jun 7, 2013 at 11:37 AM, Endre Karlson endre.karl...@gmail.com wrote:
Hi, I am seeing some trouble with replication between two of my master
servers. Here's the logs:
[05/Jun/2013:12:59:57 +0200] slapd_ldap_sasl_interactive_bind - Error: could
not perform interactive bind for id []
On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi shinacaly...@gmail.com wrote:
Hi
Please help me understand what I am doing wrong:
Im using two RHEL6.4 ipa servers in a multi-master configuration
Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset
what I could see in
On 07/08/2013 03:49 PM, Schmitt, Christian wrote:
Hello, is there currently a good way to install FreeIPA or IdM in
virtual machines?
Currently we having some Windows Hyper-V Hypervisors since we are
planning to buy some Dell Hardware that can't run Linux yet, the Dell VRTX.
Also we want to
On 07/12/2013 10:55 AM, Christian Schmitt wrote:
I can't start the IPA Service with service ipa start after an reboot.
It fails on the pki-cad service, that only outputs
'grep --help' gives you more information.
I'm really not sure whats the correct error and how to restart ipa now.
logs?
On 07/11/2013 11:39 PM, KodaK wrote:
This only works for sshd, obviously. We do currently have ftp and
telnet open (yeah, I know) but I'm trying
to get those turned off. In the meantime I can use tcp-wrappers to only
allow those machines that need
to connect. This is sub-optimal, since
hi,
probably a stupid question but why do we need to have a host spn in the
kerberos domain for the nfsv4 client to work?
I do not need a host spn principal to access a cifs share on a Windows
AD environment, I can just kinit user@AD.domain from my laptop that is
not joined to the AD domain
On 08/28/2013 12:00 PM, Ondrej Valousek wrote:
Because with NFS (v3 or v4) it is a bit more complicated.
With smbclient, you are actually not mounting the filesystem so that the
smbclient is happy with just your TGT.
With NFS, you typically need two tickets:
1. one host (or nfs) so that root
hi,
just came accross Erinn Looney-Triggs's excellent writeup on using
kerberos voor relaying e-mail
(https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
and have a question.
Would it not be possibly easier to just use the host's keytab
On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
is...@fintech.ru wrote:
Dear Freeipa users and developers,
We need to alter the default behavior of the IdM server in the situation
when user exceeds the limit of incorrect password login attempts.
By default the user is getting
On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
is...@fintech.ru wrote:
Dear Freeipa users and developers,
We need to alter the default behavior of the IdM server in the situation
when user exceeds
On Wed, Dec 4, 2013 at 12:05 PM, Martin Kosek mko...@redhat.com wrote:
On 12/04/2013 11:53 AM, Natxo Asenjo wrote:
On Wed, Dec 4, 2013 at 11:44 AM, Natxo Asenjo natxo.ase...@gmail.com wrote:
On Wed, Dec 4, 2013 at 10:59 AM, Исаев Виталий Анатольевич
is...@fintech.ru wrote:
To change a value
hi,
after using sudo from ipa extensively I needed to configure a local
user to also use sudo.
This is for monitoring, we use nagios.
It works but now I have lots of error messages in /var/log/messages
like this one:
sudo: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more
1 - 100 of 232 matches
Mail list logo
