Re: [Freeipa-users] Policy functionality of 2.0 requirements dropped?

2010-05-04 Thread Natxo Asenjo
) , tested solution and not a resource pig. It integrates great with netgroups, by the way. There are packages for every distribution. I run it in an esx cluster (both the esx servers and the linux vm's) and it works great. -- natxo asenjo ___ Freeipa-users

Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-02 Thread Natxo Asenjo
On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote: How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan. If

Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Natxo Asenjo
On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie sigbj...@nixtra.com wrote: Ok, I do like the wider options for channels in Red Hat, but this bring me to my next question: Will there be an extra charge for this add on channel, or will this be included in the base subscription? If $answer =

Re: [Freeipa-users] Solaris 10 as IPA Client?

2011-12-05 Thread Natxo Asenjo
On Mon, Dec 5, 2011 at 10:05 PM, Steven Jones steven.jo...@vuw.ac.nz wrote: Hi 8 What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA. 8--- Funny but I thought a goal of IPA was to make this

Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Natxo Asenjo
On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney d...@themacartneyclan.com wrote: I have been experimenting with how best to address this, however I am constantly being pushed back to the only way of having a userdir

[Freeipa-users] automount questions

2012-03-11 Thread Natxo Asenjo
hi, First question: according to the docs in http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-automount.html#Configuring_Automount-Configuring_autofs_on_Linux when configuring autofs you can choose to enter LDAP_URI in two ways, the lazy on

[Freeipa-users] http service keytab for cname virtual host

2012-03-28 Thread Natxo Asenjo
hi, enable a kerberized site with the fqdn is very easy with freeipa but we would like to use virtual hosting and kerberized sites. I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab, configured the apache

Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-29 Thread Natxo Asenjo
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce s...@redhat.com wrote: CNAMEs should work just fine with the host's HTTP/A-name@REALM key. In fact I just tested a virtual host on my ipa server using a cname and it worked. great! Can you post your (sanitized) mod_auth_kerb configuration ?

Re: [Freeipa-users] http service keytab for cname virtual host

2012-03-29 Thread Natxo Asenjo
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce s...@redhat.com wrote: Your configuration looks right, but I went back and looked at your logs and I saw a permission denied error. I would check that the apache user can access the keytab file: /etc/httpd/conf/webserver01_http.keytab If you are

Re: [Freeipa-users] Replication status

2012-05-21 Thread Natxo Asenjo
On Mon, May 21, 2012 at 3:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 05/21/2012 07:13 AM, Dan Scott wrote: https://fedorahosted.org/freeipa/ticket/2770 I've modified the nagios perl script that I got from:

Re: [Freeipa-users] howto: mediawiki + IPA

2012-06-08 Thread Natxo Asenjo
On Fri, Jun 8, 2012 at 12:37 PM, Ondrej Hamada oham...@redhat.com wrote: On 06/08/2012 10:16 AM, Natxo Asenjo wrote: hi, This is work in progress but maybe useful for someone. http://test.asenjo.nl/index.php/Mediawiki_ipa (feel free to use it for the freeipa.org wiki, I consider

Re: [Freeipa-users] eJabberd authentication with FreeIPA via LDAP with Group member validation

2012-06-14 Thread Natxo Asenjo
On Thu, Jun 14, 2012 at 12:54 PM, Dale Macartney d...@themacartneyclan.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I've just placed another wiki article for adding Jabber services to IPA. This is a work in progress as I'm aiming for SSO ability, but thought someone might find

[Freeipa-users] xmpp/jabber SSO with freeipa

2012-06-16 Thread Natxo Asenjo
hi, After some initial troubles (thanks rcrit on irc) I got this to work nicely. I have used the openfire http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber server. Instructions here: http://test.asenjo.nl/index.php/Openfire_ipa -- Groeten, natxo

Re: [Freeipa-users] xmpp/jabber SSO with freeipa

2012-06-17 Thread Natxo Asenjo
On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce s...@redhat.com wrote: On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote: hi, After some initial troubles (thanks rcrit on irc) I got this to work nicely. I have used the openfire http://www.igniterealtime.org/projects/openfire/index.jsp

Re: [Freeipa-users] kerberos principals for service accounts (cn=etc, cn=sysaccounts)

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 6:54 PM, Simo Sorce s...@redhat.com wrote: Yes with IPA you can use service principals to initiate context w/o problems. That's why I suggested you use a service principal. AD has a limitation that you must use an actual user to initiate a context, that may be where

Re: [Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

2012-06-19 Thread Natxo Asenjo
On Tue, Jun 19, 2012 at 2:04 PM, James Hogarth james.hoga...@gmail.com wrote: Hi all, As mentioned on IRC today I've finished my write up of using Apache with SNI and kerberos authentication with an IPA backend I'd be interested in any feedback:

[Freeipa-users] rfe: ldap for dhcp

2012-06-26 Thread Natxo Asenjo
hi, recently it was brought to my attention that isp-dhcpd version 4.2 supports getting its database information from ldap. Earlier versions support it as well with a patch. It would be awesome if this could be integrated in IPA. I am aware you guys have your hands full with plenty of stuff,

Re: [Freeipa-users] rfe: ldap for dhcp

2012-06-26 Thread Natxo Asenjo
On Tue, Jun 26, 2012 at 3:13 PM, Stephen Gallagher sgall...@redhat.com wrote: On Tue, 2012-06-26 at 15:02 +0200, Natxo Asenjo wrote: hi, recently it was brought to my attention that isp-dhcpd version 4.2 supports getting its database information from ldap. Earlier versions support

[Freeipa-users] kdc on the internet

2012-06-29 Thread Natxo Asenjo
hi, Is it 'safe' to use ipa on the internet? My feeling is it is, I mean, kerberos is meant for untrusted networks. What are your thoughts about this? What ports of the kdc should *not* be accessible? -- Groeten, natxo

[Freeipa-users] nfs4 acl

2012-06-29 Thread Natxo Asenjo
hi, I followed the instructions here http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html and they worked flawlessly. Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is not possible, is it possible to use a netapp file as

Re: [Freeipa-users] nfs4 acl

2012-07-01 Thread Natxo Asenjo
On Sun, Jul 1, 2012 at 10:39 PM, ondr...@s3group.com wrote: In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world that can provide you with a true NFSv4 ACLs (remember to turn them on using options nfs.v4.acl = on). The nasty hack Rob mentioned will only provide you with

[Freeipa-users] hostgroups/netgroups

2012-07-04 Thread Natxo Asenjo
hi, I just wanted to say: awesome! Without using the NIS compatibility layer, I just create a hostgroup, fill it in with hosts. Then I add that hostgroup to a netgroup. That's all I need to automagically create classes our cfengine setup can use to distribute policies across the hosts. You

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Natxo Asenjo
On Tue, Jul 10, 2012 at 10:16 PM, KodaK sako...@gmail.com wrote: On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal d...@redhat.com wrote: Do you see host netgroup coming over to the system when you enumerate netgroups? I don't know how to do this at the command line. I'm googling for it.

Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Natxo Asenjo
On Sun, Aug 26, 2012 at 6:05 AM, KodaK sako...@gmail.com wrote: I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email: we cannot use anything other than MS AD for authentication I've spent months of time and much effort rolling out IPA, consolidating

Re: [Freeipa-users] openindiana ldap client

2012-09-02 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: One thing I have not yet gotten to work is that these changes are not persistent across reboots. The ldapclient config stays, but the service ldap/client does not start

Re: [Freeipa-users] openindiana ldap client

2012-09-02 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use Agreed, it sounds like a bug in OpenIndiana. That's odd. A

Re: [Freeipa-users] time limiting users

2012-09-04 Thread Natxo Asenjo
On Tue, Sep 4, 2012 at 11:18 PM, Steven Jones steven.jo...@vuw.ac.nz wrote: Is it possible to limit when users can login? of course, pam + time (see https://www.google.com/search?q=pam%20time, the first result looked good on first sight if I recall it correctly). It would be nice to have this

[Freeipa-users] netapp filer AD + ipa: possible?

2012-09-05 Thread Natxo Asenjo
hi, the subject says it all, I guess. I know from another thread that with nexanta it is possible using nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has (had) this setup working. -- Groeten, natxo

Re: [Freeipa-users] openindiana ldap client

2012-09-05 Thread Natxo Asenjo
On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-06 Thread Natxo Asenjo
On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: On 09/05/2012 08:12 PM, Natxo Asenjo wrote: hi, the subject says it all, I guess. I know from another thread that with nexanta it is possible using nsswitch.conf, but I was wondering if someone (Siggi :-) ? ) has

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Natxo Asenjo
On Fri, Sep 7, 2012 at 1:33 PM, Ondrej Valousek ondr...@s3group.cz wrote: That is actually the main benefit of the 'ldap.ADdomain' parameter. It will allow you to simplify configuration and allows easy load balancing/failover functionality. We are paying for NetApp support, too so if anyone

Re: [Freeipa-users] Stale NFS file handle

2012-09-12 Thread Natxo Asenjo
On Wed, Sep 12, 2012 at 8:26 PM, george he george_...@yahoo.com wrote: Hello, My ipa server and my nfs server are the same machine running centos 6.3. try to separate those roles if you can. You can use vm's, it'll work great. The server was accidentally down and rebooted. But then I got

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-26 Thread Natxo Asenjo
On Wed, Sep 26, 2012 at 5:46 AM, Rob Crittenden rcrit...@redhat.com wrote: Steven Jones wrote: Hi, I dont have a ldapmodify command for changing something in AD. I have increased the only scope I/we know about which is the return of objects from a search inside the AD gui but that might

Re: [Freeipa-users] Announcing FreeIPA v3.0.0 Release

2012-10-14 Thread Natxo Asenjo
On Fri, Oct 12, 2012 at 8:06 PM, Rob Crittenden rcrit...@redhat.com wrote: The FreeIPA team is proud to announce version FreeIPA v3.0.0. It can be downloaded from http://www.freeipa.org/Downloads. A build is on the way to updates-testing for Fedora 18. FreeIPA 3.0.0 works well in Fedora 17

[Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
hi, how can I unlock the admin password using ldap commands? I mistyped the password using kinit a couple of times and now the account is locked. I have already changed the passwd using the command in https://www.redhat.com/archives/freeipa-users/2011-May/msg00144.html, but I still cannot login

Re: [Freeipa-users] how to unlock an account from ldap

2012-10-25 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 11:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, how can I unlock the admin password using ldap commands? I mistyped the password using kinit a couple of times and now the account is locked. I have already changed the passwd using the command in https

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
On Thu, Oct 25, 2012 at 9:11 PM, KodaK sako...@gmail.com wrote: We have many different development groups, but people can be members of multiple groups. For collaboration, they'd like it when creating a file to have that file have a group ownership of foo on machine-A, but bar on machine-B.

Re: [Freeipa-users] Different primary group on different machines.

2012-10-26 Thread Natxo Asenjo
requirement as nobody would ever think of it in Windows. Not happy w/ a traditional Unix permissions? Go for ACLs. The only pity is that the current Posix-draft hack widely used on all Linuxes is a mess and Rich-acl support is still nowhere in sight :-( Ondrej On 10/26/2012 09:07 AM, Natxo

[Freeipa-users] failure to register dns on joining IPA domain

2012-11-16 Thread Natxo Asenjo
hi, this is a part of ipaclient-install.log 2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt : zone ipa.domain.tld. update delete host.ipa.domain.tld. IN SSHFP send update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E6876 89307F4ADCF3 update

[Freeipa-users] sssd cache

2012-11-16 Thread Natxo Asenjo
hi, when running getent netgroup netgroupname I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO). According to

Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Natxo Asenjo
hi, Qing On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang qch...@sri.utoronto.ca wrote: 2, Dovecot + IPA: it is not an IPA issue but sss cache timeout issue, I read it's 90 min? When a user changes his/her password, the cache usually is not updated, hence problem checking IMAP email with

Re: [Freeipa-users] failure to register dns on joining IPA domain

2012-11-20 Thread Natxo Asenjo
On Tue, Nov 20, 2012 at 9:28 AM, Petr Spacek pspa...@redhat.com wrote: Hello, On 11/19/2012 05:28 PM, Natxo Asenjo wrote: On Mon, Nov 19, 2012 at 10:03 AM, Petr Spacek pspa...@redhat.com wrote: Hello, hi, The log showed the root cause: Dynamic Update is not allowed in zone idnsname

Re: [Freeipa-users] Solaris 10 and Solaris 11 clients

2012-11-28 Thread Natxo Asenjo
hi, On Wed, Nov 28, 2012 at 12:02 AM, Tim Wissman tim.wiss...@gmail.com wrote: Folks - I have started using FreeIPA and have tried to download the Solaris 10 nss-ldap for the intel platform, but when i tried to save the file i received an error saying the server had issues. I was able to

[Freeipa-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter. If I do not set it, and I have a realm ticket,

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
Sorce wrote: Hi Natxo, On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote: hi, I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa. I have it mostly working :-) except for the fact that libvirtd is not respecting

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: hi, sasl_allowed_username_list = [ad...@ipa.example.com ] if I leave this field commented out (default setting), everybody can manage the kvm host

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce s...@redhat.com wrote: Natxo it sounds odd that you are getting back a non fully qualified principal name, are you sure your configuration is using SASL/GSSAPI ? What other directives have you configured ? I have followed the howto in the

Re: [Freeipa-users] [libvirt-users] libvirt with vnc freeipa

2012-11-30 Thread Natxo Asenjo
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange berra...@redhat.com wrote: On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager? I know sasl only

[Freeipa-users] RFE: default hbac is too open

2012-11-30 Thread Natxo Asenjo
hi, the default hbac rule 'allow_all' is nice for testing, but for a production environment I am not so sure ;-) We do not want our users getting a shell in our kdc servers or in the database servers for instance. We want them to use the postgresql service, but not login the database server with

[Freeipa-users] error adding replica

2012-12-02 Thread Natxo Asenjo
hi, I have a 6.3 centos server that has been upgraded since 6.1. According to the ipaserver-install.log, I installed it on feb 3 2012 so it has been upgraded at least once. Now that I have more hardware to run a few more vm's I can test replicas. But apparently I am running into this problem:

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance hit so huge on the ldap servers? I ask this because Windows admins

Re: [Freeipa-users] sssd cache

2012-12-07 Thread Natxo Asenjo
On Wed, Dec 5, 2012 at 3:29 PM, Simo Sorce s...@redhat.com wrote: As a test to show why the cache is important do this: 1. Create a directory 2. create 100 files in this directory 3. chown each file to a different user and a different group each 4. stop sssd, wipe cache file and restart 5.

Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-12 Thread Natxo Asenjo
hi, On Wed, Dec 12, 2012 at 7:45 PM, Patrick Bakker patr...@vanbelle.com wrote: I just joined this list because I was curious about the recent discussion that Rashard Kelly had started about whether to use FreeIPA's integrated DNS or whether to disable DNS. I'm wondering about a very similar

Re: [Freeipa-users] error adding replica

2012-12-12 Thread Natxo Asenjo
hi, On Fri, Dec 7, 2012 at 4:28 PM, Rob Crittenden rcrit...@redhat.com wrote: a bit late, but here is the output of /var/log/ipareplica-install.log and /var/log/pki-ca/debug ; I did not find a /var/log/ipaserver-install.log in the replica server. The dogtag installer is failing with the

Re: [Freeipa-users] error adding replica

2012-12-13 Thread Natxo Asenjo
hi, On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal d...@redhat.com wrote: The holidays are coming. It is unlikely that we would be able to look into it till Jan. that is no problem at all, we have the same issues ;-) Do you want me to keep the vm's around for troubleshooting the issue when

Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-17 Thread Natxo Asenjo
On Mon, Dec 17, 2012 at 8:58 PM, Steven Santos ste...@simplycircus.com wrote: I know this may be a loaded question, but I am asking it anyways. Can anyone tell me what the current status and future plan for IPA / Samba 4 is? probably the same as with AD: cross realm trusts. -- groet, natxo

Re: [Freeipa-users] sudo made a bit easier to configure

2012-12-21 Thread Natxo Asenjo
On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes hboe...@gmail.com wrote: Hi, I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds is disabled. Thanks! I have not yet used sudo with IPA, but it sure is in the pipeline and this comes in handy ;-)

[Freeipa-users] ipa admin tool error ipa: ERROR: Client is not configured. Run ipa-client-install.

2013-01-07 Thread Natxo Asenjo
hi, on a workstation *not* joined to the IPA domain but with the the ipa admin tools installed I get this error when trying to modify dns settings and I have a kerberos ticket of an admin user: $ kinit user.ad...@unix.domain.tld Password for user.ad...@unix.domain.tld $ klist Ticket cache:

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 12:18 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: How could I troubleshoot this? i have upped the debugging on sssd.conf debug_level = 9 and reloaded sssd. When I run # getent netgroup nagios nagios [root@ipaclient01 ~]# grep -i nagios /var/log/sssd/*.log /var/log

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout = 300 After the file was modified, the sssd daemon was reloaded

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
hi, On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: Which sssd version

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Natxo Asenjo
On Mon, Jan 7, 2013 at 8:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote: hi, On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013

Re: [Freeipa-users] problems with netgroups cached values

2013-01-08 Thread Natxo Asenjo
On Tue, Jan 8, 2013 at 2:48 PM, Ondrej Kos o...@redhat.com wrote: could you please provide more logs? I tried to set up same environment, with sssd-1.8.0-32.el6.x86_64, and everything works fine, so you might be hitting some race condition. sure, I will send you debug 9 logs to your corporate

Re: [Freeipa-users] error adding replica

2013-01-11 Thread Natxo Asenjo
On Fri, Dec 14, 2012 at 1:36 AM, Dmitri Pal d...@redhat.com wrote: On 12/13/2012 03:48 AM, Natxo Asenjo wrote: hi, On Thu, Dec 13, 2012 at 1:46 AM, Dmitri Pal d...@redhat.com wrote: The holidays are coming. It is unlikely that we would be able to look into it till Jan. that is no problem

Re: [Freeipa-users] non-expiring password policy (or as close as I can come)

2013-01-24 Thread Natxo Asenjo
On Thu, Jan 24, 2013 at 10:51 PM, KodaK sako...@gmail.com wrote: I have a need to have certain mission critical application accounts non-expiring (people don't log in directly, but if the accounts expire it could stop production jobs.) Without knowing anything about this particular case, could

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2013-02-04 Thread Natxo Asenjo
On Mon, Feb 4, 2013 at 9:33 AM, Rajnesh Kumar Siwal rajnesh.si...@gmail.com wrote: IPA client on CentOS 5.6 was not able to take care of it.) that's why you should be using a config management tool like cfengine, puppet, chef, ansible, ... (choose your poison). Organizations usually have

Re: [Freeipa-users] error adding replica

2013-02-09 Thread Natxo Asenjo
On Fri, Jan 11, 2013 at 4:19 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Fri, Jan 11, 2013 at 3:51 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: I just tried again to create a replica and had exactly the same error as on the thread's first post. in ipareplica

Re: [Freeipa-users] Granting rights temporarily

2013-02-14 Thread Natxo Asenjo
On Thu, Feb 14, 2013 at 10:02 AM, Dag Wieers d...@wieers.com wrote: Hi, Another interesting recommendation from security is that all granted access (that is exceptional, rather than permanent) should be limited in time from the onset. If this is not possible all granted access needs to be

Re: [Freeipa-users] Trouble creating replica

2013-02-19 Thread Natxo Asenjo
On Tue, Feb 19, 2013 at 5:58 PM, Bret Wortman bret.wort...@damascusgrp.com wrote: Digging a bit deeper, I found this in /var/log/pki-ca/catalina.out: : Could not connect to LDAP server host oldmaster.my.com port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://

Re: [Freeipa-users] IPA with ILO

2013-02-22 Thread Natxo Asenjo
On Fri, Feb 22, 2013 at 4:52 PM, KodaK sako...@gmail.com wrote: Just curious if anyone has configured HP ILO to authenticate against IPA. I'm just starting out and the fact that the ILO configuration screen has a section for a SID has me a bit concerned. i have not touched new HP gear for a

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-13 Thread Natxo Asenjo
On Wed, Mar 13, 2013 at 10:45 PM, Dale Macartney d...@themacartneyclan.com wrote: I've just deployed a RHEL 6.4 proxy and the guide is still accurate and works.. however I agree a config file would be a better place for the options. Both work at the end of the day. yes, the guide is accurate,

Re: [Freeipa-users] squid problems when upgrading to 6.4

2013-03-14 Thread Natxo Asenjo
On Thu, Mar 14, 2013 at 9:41 AM, Dale Macartney d...@themacartneyclan.com wrote: Article updated http://www.freeipa.org/page/Squid_Integration_with_FreeIPA_using_Single_Sign_On awesome! Thanks, natxo

[Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Natxo Asenjo
hi, apparently what I am trying to do is not very usual because I do not get any answer on the omnios (opensolaris derivative) mailing list. I have successfully joined a host to the ipa domain, I can log in the omnios host as an ipa user, getent works, kerberos works (thanks to Johan Petersson

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-12 Thread Natxo Asenjo
hi, thanks, still not working though: # share -F nfs -o sec=krb5 -d homedirs /export/home Could not share: /export/home: invalid security type # zfs set sharenfs=sec=krb5 rpool/export/home cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options # zfs set

Re: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

2013-04-13 Thread Natxo Asenjo
: zfs set sharenfs='sec=krb5' pool/dataset Natxo Asenjo natxo.ase...@gmail.com wrote: hi, thanks, still not working though: # share -F nfs -o sec=krb5 -d homedirs /export/home Could not share: /export/home: invalid security type # zfs set sharenfs=sec=krb5 rpool/export/home cannot set

[Freeipa-users] setting up a trust problem

2013-04-18 Thread Natxo Asenjo
hi, On a centos 6.4 testlab I am testing a trust with a windows 2008r2 domain (separate dns domains). Following the docs https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html I install the cifs-utils package but

Re: [Freeipa-users] setting up a trust problem

2013-04-18 Thread Natxo Asenjo
Is the cifs-utils package really necessary? cifs-utils is not needed for trusts to function. I guess documentation was implying that cifs-utils might have been installed for mounting CIFS shares. ok, thanks for clarifying this. In the link I posted you can read this: The cifs-utils package

[Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
hi, while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html I run step 9: smbclient -L kdc.ipa.asenjo.nx -k lp_load_ex: changing to config backend registry Connection to

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote: hi, while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
I saw there is a log in /var/log/samba/log.wb-IPA The log complains about missing keys for the spn for the hostname (not the fqdn, just the hostname): Connection to LDAP server failed for the 15 try! [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup) kerberos error:

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
domain Trust status: Established and verified And it is working :-) Awesome. Thanks! -- groet, natxo -- Groeten, natxo On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote: I saw there is a log in /var/log/samba

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
hi, just a little 'but'. when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html) # kinit user Password for nase...@ipa.asenjo.nx: [root@kdc ~]# kvno

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Natxo Asenjo
On Fri, Apr 19, 2013 at 1:08 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote: hi, just a little 'but'. when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html

[Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, after successfully configuring the trust between 2 different domains (IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the windows host to the linux host using the trusted kerberos tickets. This is my krb.conf in the linux host: includedir /var/lib/sss/pubconf/krb5.include.d/

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, some progress. I disabled the firewall of the linux host (also the kdc, incidentally). From the Windows host using the AD Domain and Trusts tool I can verify the trust and using putty I can login and get the linux kerberos tickets as a windows realm user. If I enable the firewall and I do

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-19 Thread Natxo Asenjo
hi, a bit puzzled now. I have joined another 2k8r2 host to the AD domain that is trusted by the ipa domain. As AD\administrator I can ssh to the linux host. I create a bunch of AD users, standard members of 'Domain Users'. But I cannot login to the linux host. When I run wbinfo --online-status

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-20 Thread Natxo Asenjo
On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote: # wbinfo --online-status BUILTIN : online IPA : online AD : offline # wbinfo --domain-info ad.asenjo.nx Name : AD Alt_Name

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Natxo Asenjo
On Fri, May 24, 2013 at 4:18 PM, Martin Kosek mko...@redhat.com wrote: Simo, on a side note - I am thinking, would it make sense to create a new command ipa migrate-ipa which would migrate data from other IPA installation? I.e. it would migrate users, groups, hosts, sudo, hbac, automount,

Re: [Freeipa-users] Suppressing the domain section after authentication

2013-05-29 Thread Natxo Asenjo
On Wed, May 29, 2013 at 10:55 PM, William Muriithi william.murii...@gmail.com wrote: Hello I have set up gitolite3 and it's working fine when I connect to it through ssh. I am using LDAP (FreeIPA) for authorization. When I connect through http/https, I am authenticated, but I believe

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Sun, Jun 2, 2013 at 9:49 PM, Ryan Cunningham ryan.cunningham.xy...@gmail.com wrote: Hello, I've been evaluating FreeIPA in a lab environment prior to possibly rolling it out in our enterprise but have been having issues with a few hosts rejecting SSH logins for users authenticated against

Re: [Freeipa-users] SSSD/SSH authentication issues on some hosts

2013-06-02 Thread Natxo Asenjo
On Mon, Jun 3, 2013 at 12:38 AM, Ryan Cunningham ryan.cunningham.xy...@gmail.com wrote: What I see is: fatal: Access denied for user admin by PAM account configuration What about disabling selinux? Whoops, I probably should have caught these myself. Disabling SELinux fixed one of the

[Freeipa-users] why default shell /bin/sh

2013-06-06 Thread Natxo Asenjo
hi, just interested. We have noticed that ldap users have this PS1 envvar: PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$ This is a confusing moment. Changing the shell to /bin/bash solves this, but maybe this is not optimal for other systems or users. -- Groeten, natxo

Re: [Freeipa-users] why default shell /bin/sh

2013-06-06 Thread Natxo Asenjo
On Thu, Jun 6, 2013 at 4:30 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, just interested. We have noticed that ldap users have this PS1 envvar: PS1='\s-\v\$ ' instead of the usual [\u@\h \W]\$ This is a confusing moment. Changing the shell to /bin/bash solves

Re: [Freeipa-users] Error replicating between two masters over VPN

2013-06-07 Thread Natxo Asenjo
On Fri, Jun 7, 2013 at 11:37 AM, Endre Karlson endre.karl...@gmail.com wrote: Hi, I am seeing some trouble with replication between two of my master servers. Here's the logs: [05/Jun/2013:12:59:57 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id []
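Logs like the one quoted are easier to triage when parsed rather than eyeballed. The following is an added example, not code from the thread: it splits 389-ds errors-log lines into timestamped records, picks out replication bind failures, and counts them per peer. It runs offline over constructed sample lines modelled on the quoted one; the peer host ipa2.example.com and the agreement name are assumptions, and /etc/dirsrv/ds.keytab is the keytab FreeIPA gives its directory server.

```python
"""Triage replication bind errors from a 389-ds / FreeIPA errors log.

Added example, not code from the thread: it runs offline over constructed
log lines modelled on the one quoted above. The peer host ipa2.example.com
and the agreement name are assumptions; /etc/dirsrv/ds.keytab is the keytab
FreeIPA gives its directory server.
"""
import re
from collections import Counter
from datetime import datetime

# 389-ds errors log line: "[05/Jun/2013:12:59:57 +0200] <source> - <message>"
LOG_LINE = re.compile(
    r"^\[(?P<ts>\d\d/[A-Z][a-z]{2}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]\s+"
    r"(?P<source>\S+)\s+-\s+(?P<message>.*)$")
# Replication plugin messages name the agreement and the peer it talks to.
AGREEMENT = re.compile(
    r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\):\s*(?P<rest>.*)$')
BIND_ID = re.compile(r"for id \[(?P<id>[^\]]*)\]")

# Constructed sample: the quoted line plus lines that typically accompany it.
SAMPLE_ERRORS_LOG = """\
[05/Jun/2013:12:59:57 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id []
[05/Jun/2013:12:59:57 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2.example.com:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure (Clock skew too great))
[05/Jun/2013:13:04:41 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2.example.com:389): Replication bind with GSSAPI auth resumed
[05/Jun/2013:13:05:02 +0200] NSMMReplicationPlugin - agmt="cn=meToipa2.example.com" (ipa2.example.com:389): Incremental update started
"""


def parse_errors_log(text):
    """Split the log into records with a timezone-aware timestamp."""
    records = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            records.append({
                "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                "source": m.group("source"),
                "message": m.group("message")})
    return records


def replication_bind_failures(records):
    """Pick out bind problems and say what each one points at."""
    findings = []
    for r in records:
        msg = r["message"]
        if (r["source"] == "slapd_ldap_sasl_interactive_bind"
                and "could not perform interactive bind" in msg):
            ident = BIND_ID.search(msg)
            who = ident.group("id") if ident else ""
            if who == "":
                # An empty id means the server never presented an identity:
                # it had no usable Kerberos credential for its own ldap/
                # principal, which is typically a keytab, KDC or clock problem.
                reason = ("no identity in SASL bind: no credential for the ldap/ "
                          "principal (check /etc/dirsrv/ds.keytab, KDC reachability, clock skew)")
            else:
                reason = f"SASL bind as {who} refused"
            findings.append({"ts": r["ts"], "peer": None, "reason": reason})
        elif r["source"] == "NSMMReplicationPlugin":
            a = AGREEMENT.search(msg)
            if a and "bind" in a.group("rest").lower() and "failed" in a.group("rest").lower():
                findings.append({"ts": r["ts"], "peer": a.group("peer"),
                                 "reason": a.group("rest")})
    return findings


def failures_per_peer(findings):
    """Count failures per replication peer; the local-credential case is
    reported separately because it breaks every agreement at once."""
    return Counter(f["peer"] or "(local credential)" for f in findings)


if __name__ == "__main__":
    found = replication_bind_failures(parse_errors_log(SAMPLE_ERRORS_LOG))
    for f in found:
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S%z} {f['peer'] or '-'}: {f['reason']}")
    print(dict(failures_per_peer(found)))
```

Feed it the real file with `parse_errors_log(open("/var/log/dirsrv/slapd-<INSTANCE>/errors").read())`. When the local-credential finding shows up alongside failures for every peer, the VPN link is not the first suspect: the server could not get a ticket for itself, so check its keytab, its clock and its path to the KDC before the replication agreements.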

Re: [Freeipa-users] Sudo Commands and groups confusion

2013-06-12 Thread Natxo Asenjo
On Wed, Jun 12, 2013 at 1:56 AM, Sina Owolabi shinacaly...@gmail.com wrote: Hi Please help me understand what I am doing wrong: I'm using two RHEL6.4 ipa servers in a multi-master configuration Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset what I could see in

Re: [Freeipa-users] Virtual Machines??

2013-07-09 Thread natxo asenjo
On 07/08/2013 03:49 PM, Schmitt, Christian wrote: Hello, is there currently a good way to install FreeIPA or IdM in virtual machines? Currently we are having some Windows Hyper-V Hypervisors since we are planning to buy some Dell Hardware that can't run Linux yet, the Dell VRTX. Also we want to

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread natxo asenjo
On 07/08/2013 07:44 PM, KodaK wrote: We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine. no AIX experience, but I once overheard someone that did something like this using pam and apparently you could use the pam_permission module:

Re: [Freeipa-users] PKI-CAD couldn't start

2013-07-12 Thread natxo asenjo
On 07/12/2013 10:55 AM, Christian Schmitt wrote: I can't start the IPA Service with service ipa start after a reboot. It fails on the pki-cad service, that only outputs 'grep --help' gives you more information. I'm really not sure what's the correct error and how to restart ipa now. logs?

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread natxo asenjo
On 07/11/2013 11:39 PM, KodaK wrote: This only works for sshd, obviously. We do currently have ftp and telnet open (yeah, I know) but I'm trying to get those turned off. In the meantime I can use tcp-wrappers to only allow those machines that need to connect. This is sub-optimal, since

[Freeipa-users] kerberized nfsv4 client

2013-08-28 Thread natxo asenjo
hi, probably a stupid question but why do we need to have a host spn in the kerberos domain for the nfsv4 client to work? I do not need a host spn principal to access a cifs share on a Windows AD environment, I can just kinit user@AD.domain from my laptop that is not joined to the AD domain
