[Freeipa-users] Setting up single domain but with dns subdomains

2013-01-08 Thread Orion Poplawski
: _kerberos.cora.nwra.com. TXT NWRA.COM it will then automatically look for: _kerberos._udp.nwra.com. SRV Which will hold the servers for the other office. Any suggestions? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415

[Freeipa-users] db2bak.pl and db2ldif utils

2013-01-10 Thread Orion Poplawski
this is already addressed in 3.1 since it only creates a single instance. Are there any IPA backup utilities on the horizon? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane

Re: [Freeipa-users] db2bak.pl and db2ldif utils

2013-01-10 Thread Orion Poplawski
On 01/10/2013 03:22 PM, Rich Megginson wrote: On 01/10/2013 02:59 PM, Orion Poplawski wrote: With our current 389ds installs we are making use of the db2bak.pl and db2ldif utilities to back up the ds database. Looking at my ipa 2.2.0 install these scripts were created for the PKI-IPA ds server

Re: [Freeipa-users] db2bak.pl and db2ldif utils

2013-01-10 Thread Orion Poplawski
On 01/10/2013 03:29 PM, Orion Poplawski wrote: On 01/10/2013 03:22 PM, Rich Megginson wrote: On 01/10/2013 02:59 PM, Orion Poplawski wrote: With our current 389ds installs we are making use of the db2bak.pl and db2ldif utilities to back up the ds database. Looking at my ipa 2.2.0 install

Re: [Freeipa-users] db2bak.pl and db2ldif utils

2013-01-10 Thread Orion Poplawski
On 01/10/2013 03:50 PM, Rich Megginson wrote: On 01/10/2013 03:45 PM, Orion Poplawski wrote: FWIW - Here's my current backup script (in /etc/cron.daily/dirsrv-backup). Did this: mv /usr/lib64/dirsrv/slapd-PKI-IPA /var/lib/dirsrv/scripts-PKI-IPA ln -s /var/lib/dirsrv/scripts-PKI-IPA /usr

[Freeipa-users] compat and ou=People

2013-01-14 Thread Orion Poplawski
=nwra,dc=com in clients. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com

Re: [Freeipa-users] compat and ou=People

2013-01-14 Thread Orion Poplawski
On 01/14/2013 01:40 PM, Nalin Dahyabhai wrote: On Mon, Jan 14, 2013 at 12:06:35PM -0700, Orion Poplawski wrote: We're looking at migrating from 389ds to ipa. Currently our users are in ou=People with rfc2307 attributes. Is there any way to provide an ou=people,dc=nwra,dc=com compatibility

[Freeipa-users] CA cert issues

2013-01-16 Thread Orion Poplawski
, dogtagcert, replica_fqdn, subject_base) File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb raise e Any suggestions? I don't really understand how the dogtag ca fits in with this scenario. Should I just get rid of it? Can I? -- Orion Poplawski Technical Manager

Re: [Freeipa-users] CA cert issues

2013-01-16 Thread Orion Poplawski
On 01/16/2013 04:28 PM, Orion Poplawski wrote: I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued by Comodo. This has led to a lot of grief and needing to install the Comodo CA

Re: [Freeipa-users] CA cert issues

2013-01-16 Thread Orion Poplawski
On 01/16/2013 06:50 PM, Rob Crittenden wrote: Orion Poplawski wrote: On 01/16/2013 04:28 PM, Orion Poplawski wrote: I've installed ipa 2.2 on EL6. I initially simply did an ipa-server-install. Then I changed the cert used via ipa-server-certinstall to use a wildcard SSL cert issued

Re: [Freeipa-users] CA cert issues

2013-01-17 Thread Orion Poplawski
-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could not find a CA cert in /tmp/tmpPAtailipa/realm_info/dscert.p12 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office

Re: [Freeipa-users] CA cert issues

2013-01-17 Thread Orion Poplawski
On 01/17/2013 09:27 AM, Rob Crittenden wrote: Orion Poplawski wrote: But then on ipa-replica-install, problems as predicted: ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg ... [16/30]: configuring ssl for ds instance creation of replica failed: Could

Re: [Freeipa-users] CA cert issues

2013-01-17 Thread Orion Poplawski
On 01/17/2013 09:49 AM, Orion Poplawski wrote: Anyway, tried again and now: Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9

Re: [Freeipa-users] CA cert issues

2013-01-17 Thread Orion Poplawski
On 01/17/2013 12:54 PM, Rob Crittenden wrote: Orion Poplawski wrote: It seems like most of the problems would be alleviated if instead of wiping out the old NSS dbs, it simply added the new certs. I don't know if there are any other security implications of this or not. Yes

Re: [Freeipa-users] using wildcard or other external CA certs

2013-01-23 Thread Orion Poplawski
and Firefox. Thoughts, comments, suggestions? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com

Re: [Freeipa-users] using wildcard or other external CA certs

2013-01-23 Thread Orion Poplawski
On 01/23/2013 02:30 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 01/23/2013 03:45 PM, Orion Poplawski wrote: On 01/23/2013 01:43 PM, Dmitri Pal wrote: Yes please. Let us do it on the user list. Ticket URL:https://fedorahosted.org/freeipa/ticket/3360#comment:14 So, my goal in using

Re: [Freeipa-users] ipa-replica-prepare failed

2013-02-08 Thread Orion Poplawski
certificate provider? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com

[Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 09:45 AM, Petr Viktorin wrote: On 02/15/2013 05:36 PM, Orion Poplawski wrote: Is there a recommended way to distinguish between real human user accounts in IPA and non-human system accounts in IPA? What kind of system accounts do you have in IPA? Consider not storing them

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
in as. Also some accounts that own files and some services run as that are needed on multiple machines. I suppose we could use puppet to manage those, but ldap seems more convenient. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
unless you are extraordinarily careful to remove privileges normally granted by IPA, it could lead to the complete compromise of your network. Understood. This is actually all before we have moved to IPA, but are exploring things. -- Orion Poplawski Technical Manager 303-415

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
so I'll need to retest this. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups and that not working unless the system user was in LDAP. This may have been before I started using

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
it. The LDAP address book searches look for attributes that the *person objectclasses provide. Without them, they are excluded. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 01:42 PM, John Dennis wrote: On 02/15/2013 02:23 PM, Orion Poplawski wrote: On 02/15/2013 12:01 PM, Orion Poplawski wrote: I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 02:02 PM, John Dennis wrote: On 02/15/2013 03:57 PM, Orion Poplawski wrote: On 02/15/2013 01:56 PM, John Dennis wrote: On 02/15/2013 03:46 PM, Simo Sorce wrote: This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 01:46 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote: What brought this up was the need to sync users from LDAP into another authentication system, and for that system we only wanted real human people to be listed. Also, we don't want

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH base=ou=people,dc=nwra,dc=com scope=2 filter=(|(mail=*apache*)(cn=*apache*)(givenName=*apache*)(sn

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 03:12 PM, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: What happens if you set the TB filter to (objectclass=person)? Yup, then it adds it: filter=((objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 04:03 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: On 02/15/2013 02:34 PM, John Dennis wrote: On 02/15/2013 04:16 PM, Orion Poplawski wrote: Hmm, that is the filter in TB for me too, but: [15

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Orion Poplawski
On 02/15/2013 04:06 PM, Orion Poplawski wrote: On 02/15/2013 04:03 PM, Simo Sorce wrote: On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: On 02/15/2013 04:54 PM, Orion Poplawski wrote: Yup, then it adds it: filter=((objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn

[Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski
. This is *way* out of our (and I suspect many other small businesses) price range. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski
On 02/19/2013 03:10 PM, Simo Sorce wrote: On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote: This is a followup to some previous discussions. I have been lobbying to keep (and fix) the ability to install your own certificates when configuring IPA in order to make use of wildcard SSL

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Orion Poplawski
to easily distribute and apply the ones you need. Solves the problem but from a different side. Orion, if implemented would it work for you? My biggest concerns are Windows and OS X clients. Probably need to look at the various mozilla deployment tools. -- Orion Poplawski Technical Manager

[Freeipa-users] Updated doc, synchronization question

2014-01-08 Thread Orion Poplawski
Two questions: - Any ETA on an updated 3.3.3 Users Guide? - Is AD/IPA synchronization still supported in 3.3.3? Will it always? Thanks! -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane

Re: [Freeipa-users] Updated doc, synchronization question

2014-01-09 Thread Orion Poplawski
On 01/09/2014 06:07 AM, Martin Kosek wrote: On 01/08/2014 07:16 PM, Orion Poplawski wrote: Two questions: - Any ETA on an updated 3.3.3 Users Guide? Our current plan is to release next documentation release along with FreeIPA 3.4, when more documentation fixes are factored in. Just

Re: [Freeipa-users] Announcing FreeIPA 4.0.0

2014-07-11 Thread Orion Poplawski
that yourself with a COPR repository: https://copr.fedoraproject.org/coprs/pviktori/freeipa/. Any reason not to have EL6/7 branches in the COPR repo? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell

[Freeipa-users] Broken krb5.conf after ipa-server-install

2015-01-14 Thread Orion Poplawski
= server.nwra.com:88 admin_server = server.nwra.com:749 } [domain_realm] .nwra.com = NWRA.COM nwra.com = NWRA.COM # = # .# = # Any idea where the #'s are coming from? ipa-server-3.3.3-28.el7_0.3.x86_64 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder

[Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Orion Poplawski
/tls/certs/nwra.com.crt -inkey /etc/pki/tls/private/nwra.com.key -certfile /etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12 ipa-server-4.1.0-18.sl7_1.3.x86_64 Any thoughts? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX

Re: [Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Orion Poplawski
On 05/28/2015 03:09 PM, Rob Crittenden wrote: Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin= --http_pkcs12

Re: [Freeipa-users] ipa-replica-prepare failing

2015-08-17 Thread Orion Poplawski
it with: ipa-certupdate Which wrote out a correct /etc/ipa/ca.crt. See https://fedorahosted.org/freeipa/ticket/5117#comment:16 -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-30 Thread Orion Poplawski
On 07/28/2015 11:09 PM, Jan Cholasta wrote: On 20.7.2015 at 19:52, Orion Poplawski wrote: On 07/20/2015 12:57 AM, Jan Cholasta wrote: On 15.7.2015 at 20:57, Orion Poplawski wrote: On 07/14/2015 11:53 PM, Jan Cholasta wrote: # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-15 Thread Orion Poplawski
On 07/14/2015 11:53 PM, Jan Cholasta wrote: Hi, On 10.7.2015 at 22:33, Orion Poplawski wrote: On 07/08/2015 11:31 AM, Orion Poplawski wrote: But then when I go to make a replica: # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX --http_pkcs12

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-20 Thread Orion Poplawski
On 07/20/2015 12:57 AM, Jan Cholasta wrote: On 15.7.2015 at 20:57, Orion Poplawski wrote: On 07/14/2015 11:53 PM, Jan Cholasta wrote: # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX Directory

[Freeipa-users] Default shell for AD trust users

2015-11-10 Thread Orion Poplawski
/server? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com -- Manage your subscription for the Freeipa

Re: [Freeipa-users] Default shell for AD trust users

2015-11-11 Thread Orion Poplawski
On 11/11/2015 12:57 AM, Jakub Hrozek wrote: > On Tue, Nov 10, 2015 at 11:44:12AM -0700, Orion Poplawski wrote: >> I see that AD trust users don't get their posix shell set: >> >> # getent passwd user >> u...@ad.nwra.com:*:2260345:2260345:A User:/export

Re: [Freeipa-users] Default shell for AD trust users

2015-11-11 Thread Orion Poplawski
On 11/11/2015 12:57 AM, Jakub Hrozek wrote: > On Tue, Nov 10, 2015 at 11:44:12AM -0700, Orion Poplawski wrote: >> I see that AD trust users don't get their posix shell set: >> >> # getent passwd user >> u...@ad.nwra.com:*:2260345:2260345:A User:/export

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-08 Thread Orion Poplawski
On 06/01/2015 08:54 AM, Rob Crittenden wrote: Orion Poplawski wrote: On 05/28/2015 03:09 PM, Rob Crittenden wrote: Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-10 Thread Orion Poplawski
On 07/08/2015 11:31 AM, Orion Poplawski wrote: But then when I go to make a replica: # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX Directory Manager (existing master) password: (SEC_ERROR_LIBRARY_FAILURE

Re: [Freeipa-users] Issue with ipa 4.2.0 upgrade

2015-12-07 Thread Orion Poplawski
On 12/07/2015 12:17 PM, Rob Crittenden wrote: > Orion Poplawski wrote: >> I just upgraded my SL7 box to ipa-server-4.2.0, but this process appears to >> have broken ipa. From the ipaupgrade.log: >> >> 2015-12-07T17:47:46Z DEBUG Starting external process >> 2015

[Freeipa-users] Issue with ipa 4.2.0 upgrade

2015-12-07 Thread Orion Poplawski
complete the upgrade manually, but this looks like a bug in the upgrade script. Sound correct? -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.c

Re: [Freeipa-users] RHEL 7.2 update - ns-slapd replication keep alive entry

2015-12-13 Thread Orion Poplawski
On 12/02/2015 01:42 PM, Andy Thompson wrote: > Since updating to RHEL 7.2 I've got issues with ns-slapd hanging the system > up after a period of time. The directory becomes unresponsive to searches or > any connections. After a restart I see > > [02/Dec/2015:15:27:41 -0500] - slapd started.

[Freeipa-users] web ui runtime error

2015-11-22 Thread Orion Poplawski
s/dojo/dojo.js?v=40203:1:9085 tn@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:8961 nn@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:9025 ln/i@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:10123 p.injectUrl/i@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?

Re: [Freeipa-users] web ui runtime error

2015-11-23 Thread Orion Poplawski
On 11/23/2015 04:50 AM, Petr Vobornik wrote: On 11/23/2015 04:44 AM, Orion Poplawski wrote: Trying to install freeipa-server on Fedora 23. When I try to connect to the web UI from a non-domain EL7 client with firefox I get: Runtime error Web UI got in unrecoverable state during "init&q

[Freeipa-users] sudo sometimes doesn't work

2017-01-27 Thread Orion Poplawski
ke -i eth0 00:25:64:e0:05:fa seem to appear in the failed attempt but not a successful one. -- Orion Poplawski Technical Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder

Re: [Freeipa-users] documentation or example of using S42U for NFS

2017-01-17 Thread Orion Poplawski
messages even with logging turned all the way > up. > > I'm interested in this as well. All I've been able to find so far is: https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/ haven't tried anything. -- Orion Poplawski Technical Manager 72

Re: [Freeipa-users] documentation or example of using S42U for NFS

2017-03-01 Thread Orion Poplawski
eeipa to authorize it. I tried following instructions >>> for LDAP access, but it doesn’t work. NFS seems to use a different, >>> two-stage method for getting credentials, so that’s not a surprise. There >>> are, not surprisingly, no useful error messages even with logging turned >>> a

Re: [Freeipa-users] Default gid for AD trust users

2016-09-02 Thread Orion Poplawski
FWIW - I've filed https://fedorahosted.org/freeipa/ticket/6293 to request the ability to set the primary group for AD trust users. On 08/24/2016 11:42 AM, Orion Poplawski wrote: > While that is definitely *a* convention, it's not the one we've used which > puts users by default in shared

Re: [Freeipa-users] Default gid for AD trust users

2016-09-05 Thread Orion Poplawski
On 09/02/2016 03:15 PM, Lukas Slebodnik wrote: On (24/08/16 11:42), Orion Poplawski wrote: While that is definitely *a* convention, it's not the one we've used which puts users by default in shared groups (nwra, visitors, etc). For example: uid=2941(user) gid=1991(nwra) The user "

[Freeipa-users] Default gid for AD trust users

2016-08-23 Thread Orion Poplawski
Is there any way to control the default gid for AD trust users? At the moment each user has its own default group, e.g.: uid=22603(user@ad.domain) gid=22603(user@ad.domain) It would be nice to be able to set this to an actual group. Thanks. -- Orion Poplawski Technical Manager

Re: [Freeipa-users] Default gid for AD trust users

2016-08-24 Thread Orion Poplawski
trust users. > > Kind regards, > > Justin Stephenson > > > On 08/23/2016 06:27 PM, Orion Poplawski wrote: >> Is there any way to control the default gid for AD trust users? At the >> moment >> each user has its own default group, e.g.: >> >> uid

[Freeipa-users] HBAC rules stop working

2016-09-29 Thread Orion Poplawski
. -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA/CoRA Division FAX: 303-415-9702 3380 Mitchell Lane or...@cora.nwra.com Boulder, CO 80301 http://www.cora.nwra.com -- Manage your subscription for the Freeipa-users mailing list

Re: [Freeipa-users] sudo sometimes doesn't work

2017-03-14 Thread Orion Poplawski
On 01/30/2017 01:38 AM, Jakub Hrozek wrote: > On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote: >> EL7.3 >> Users are in active directory via AD trust with IPA server >> >> sudo is configured via files - users in our default "nwra" group

Re: [Freeipa-users] ipa_add_ad_memberships_get_next errors

2017-04-03 Thread Orion Poplawski
On 04/03/2017 02:10 AM, Alexander Bokovoy wrote: > On Mon, 03 Apr 2017, Jakub Hrozek wrote: >> On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote: >>> I'm seeing messages like this: >>> >>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] >>&

Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Orion Poplawski
On 04/03/2017 02:08 AM, Jakub Hrozek wrote: > On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: >> I seem to be having some issues with users/groups that may be leading to >> errors in the subdomain status. Can anyone parse this for me? >> >> (Fri

Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Orion Poplawski
On 04/03/2017 09:03 AM, Orion Poplawski wrote: > On 04/03/2017 02:08 AM, Jakub Hrozek wrote: >> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: >>> I seem to be having some issues with users/groups that may be leading to >>> errors in the subdomai

[Freeipa-users] subdomain errors

2017-03-31 Thread Orion Poplawski
is OK on failed request? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request -- Orion Poplawski Technical Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane

[Freeipa-users] ipa_add_ad_memberships_get_next errors

2017-03-31 Thread Orion Poplawski
13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): No such entry (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server. -- Orion

[Freeipa-users] Add host to hostgroup in ipa-client-add

2017-03-10 Thread Orion Poplawski
- Orion -- Orion Poplawski Technical Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com -- Manage your subscription for the Freeipa

Re: [Freeipa-users] Add host to hostgroup in ipa-client-add

2017-03-13 Thread Orion Poplawski
On 03/10/2017 10:52 PM, Alexander Bokovoy wrote: > On Fri, 10 Mar 2017, Orion Poplawski wrote: >> I'm using ipa-client-add with --unattended and an OTP to enroll machines at >> install time. I'd like to be able to add them to a particular hostgroup at >> the same time

[Freeipa-users] Thank You!

2017-05-08 Thread Orion Poplawski
abhai, Rob Crittenden. My apologies if I left anyone out. I have two machines left to convert to IPA and can hardly believe sometimes that I've finally arrived at this point. So, thanks again to everyone for their work on this incredibly complex and critical set of software. - Orion -- Orion