Re: [Freeipa-users] automatic dns update failing

2012-02-20 Thread Petr Spacek
', changes in LDAP are reflected immediately. If problem persists, try to set zone's idnsUpdatePolicy to 'grant * wildcard *;' (relaxes/disables various access policy checks) Best regards, -- Petr Spacek ___ Freeipa-users mailing list Freeipa-users

Re: [Freeipa-users] named exits

2012-02-21 Thread Petr Spacek
at reload/crash time? -- Best regards, Petr Spacek

Re: [Freeipa-users] Replica creation problem - IPv6?

2012-03-15 Thread Petr Spacek
On 03/15/2012 03:54 PM, Simo Sorce wrote: On Thu, 2012-03-15 at 15:47 +0100, Dimitris Tsompanidis wrote: Firewalls on both machines are disabled and the firewall in between is wide open, especially in the master-slave direction where I allow everything. There is no master - slave concept in

Re: [Freeipa-users] Replica creation problem - IPv6?

2012-03-15 Thread Petr Spacek
On 03/15/2012 04:17 PM, Petr Spacek wrote: On 03/15/2012 03:54 PM, Simo Sorce wrote: On Thu, 2012-03-15 at 15:47 +0100, Dimitris Tsompanidis wrote: Firewalls on both machines are disabled and the firewall in between is wide open, especially in the master-slave direction where I allow

Re: [Freeipa-users] groups migration problem

2012-03-21 Thread Petr Spacek
On 03/20/2012 07:22 PM, Rob Crittenden wrote: Maciej Sawicki wrote: Hi, I haven't managed to migrate ldap groups (in free ipa panel I see that users are migrated) #ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups,dc=polidea,dc=pl' #ipa:

Re: [Freeipa-users] hosts/clients joining IPA but dns updating not working

2012-03-29 Thread Petr Spacek
Hello, please post output from: # klist -kt /etc/krb5.keytab We still need this to better understand logs. I'm not sure if keytab contains right keys. -- Petr Spacek On 03/27/2012 09:47 PM, Steven Jones wrote: Hi It's possible the uninstall from one IPA realm didn't work properly before I

Re: [Freeipa-users] firefox on windows how to get a kerberos ticket?

2012-04-03 Thread Petr Spacek
Hello, AFAIK best way to control Kerberos environment/behaviour in MS Windows is to install Kerberos for Windows from MIT: See http://web.mit.edu/kerberos/www/dist/index.html#kfw-3.2 There is GUI and also command line utilities to configure Kerberos client, obtain tickets etc. Petr^2

Re: [Freeipa-users] While trying to connect to IPA I am getting this,

2012-04-03 Thread Petr Spacek
Hello, On 04/03/2012 02:58 AM, Steven Jones wrote: XML Parsing Error: undefined entity Location: jar:file:///usr/lib64/firefox-3.6/chrome/browser.jar!/content/browser/certerror/aboutCertError.xhtml Line Number 59, Column 12: <title>&certerror.pagetitle;</title> ---^

Re: [Freeipa-users] Problem with DNS

2012-04-11 Thread Petr Spacek
Hello, On 04/11/2012 08:21 PM, Christoph Kaminski wrote: Hi All I have a problem with cnames in ipa dns settings. If I set a cname, it doesn't work. I have configured a cname 'icinga' to A record 'azazel'. If I do 'host azazel' then I get: azazel.chao5.int has address 192.168.50.20 Host

Re: [Freeipa-users] Antwort: Re: Problem with DNS

2012-04-11 Thread Petr Spacek
On 04/11/2012 10:10 PM, Christoph Kaminski wrote: [root@cerber ~]# rpm -q bind-dyndb-ldap bind-dyndb-ldap-0.2.0-7.el6.x86_64 yep found the solution to (with help from ipa irc channel)... The GUI and the ipa tools created the cNAMERecord inside the A Object. This doesn't work. It needs to be a

Re: [Freeipa-users] routing requests to local servers - DNS SRV + view?

2012-04-13 Thread Petr Spacek
On 04/13/2012 10:28 PM, Jakub Hrozek wrote: On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote: Ideally I would rely on a -group- of servers, and then rely on DNS if it is down. I don't want to hammer one server. We're talking about 500-1000 servers running virtual

Re: [Freeipa-users] DNS zone delegation

2012-04-17 Thread Petr Spacek
On 02/02/2012 10:23 AM, Adam Tkac wrote: On 02/01/2012 07:21 PM, Loris Santamaria wrote: Hi, I have a dns zone managed by IPA and I'm trying to delegate a zone managed by Active Directory. The IPA managed zone is called corpfbk, and the AD one is ad.corpfbk. I started by adding the proper

Re: [Freeipa-users] named-dyndb-ldap looses connection when the LDAP server is under high load

2012-04-24 Thread Petr Spacek
On 04/24/2012 10:03 AM, Sigbjorn Lie wrote: Hi I have an issue that occurred before, but I did not figure out what it was. It happened again today, and the issue is related to high load on the LDAP servers. I ran a batch job that added a lot of users to different groups, using the ipa

Re: [Freeipa-users] IPv6

2012-04-27 Thread Petr Spacek
On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we don't do IPv6 and found that IPA wouldn't work... slight oops there... Hi Steve, can you be more explicit on how you 'shutdown' IPv6 ? And can you please tell

Re: [Freeipa-users] IPv6

2012-04-30 Thread Petr Spacek
On 04/27/2012 02:43 PM, John Dennis wrote: On 04/27/2012 04:45 AM, Petr Spacek wrote: On 04/26/2012 11:42 PM, Simo Sorce wrote: On Thu, 2012-04-26 at 21:18 +, Steven Jones wrote: Hi, FYI, I shutdown IPv6 as we don't do IPv6 and found that IPA wouldn't work... slight oops there... Hi

Re: [Freeipa-users] Please help: Any way to turn off IPA creation of private user group?

2012-05-09 Thread Petr Spacek
On 05/08/2012 03:29 PM, Rob Crittenden wrote: David Copperfield wrote: Hi folks, Are there any way to turn off IPA automatic creation of private user group? We use a common user group like ‘nis-wheel’, and completely disabled private groups in openldap before migration. If you disable

Re: [Freeipa-users] krbPasswordExpiration field not updating?

2012-05-09 Thread Petr Spacek
On 05/09/2012 03:31 AM, Dan Scott wrote: On Tue, May 8, 2012 at 8:45 PM,free...@noboost.org wrote: On Tue, May 08, 2012 at 09:43:13AM -0400, Rob Crittenden wrote: Dan Scott wrote: On Tue, May 8, 2012 at 1:55 AM,free...@noboost.orgwrote: Hi, Spec: Red Hat Enterprise Linux Server release

Re: [Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else?

2012-05-09 Thread Petr Spacek
On 05/08/2012 03:05 PM, Simo Sorce wrote: On Mon, 2012-05-07 at 18:01 -0700, David Copperfield wrote: Hi, Can I change the default user group for new users to something else? and disable automatically creation of private groups? Yes, and yes, although I wouldn't recommend so if you have

Re: [Freeipa-users] How to rebuild IPA master?

2012-05-10 Thread Petr Spacek
On 05/10/2012 02:24 AM, Steven Jones wrote: Hi, In case everyone else is asleep now.. Do you have access to RH documentation? the 6.3beta admin guide section 18.8 talks about why and how to make a replicate a master. Just for completeness: Documentation is publicly available:

Re: [Freeipa-users] krbPasswordExpiration field not updating?

2012-05-10 Thread Petr Spacek
On 05/10/2012 03:11 PM, Simo Sorce wrote: On Thu, 2012-05-10 at 03:58 +0400, free...@noboost.org wrote: On Wed, May 09, 2012 at 01:21:39PM +0200, Petr Spacek wrote: On 05/09/2012 03:31 AM, Dan Scott wrote: On Tue, May 8, 2012 at 8:45 PM,free...@noboost.org wrote: On Tue, May 08, 2012 at 09

Re: [Freeipa-users] admin account deleted from webui

2012-05-10 Thread Petr Spacek
On 05/09/2012 10:24 PM, Rob Crittenden wrote: Sylvain Angers wrote: Hello Someone did delete the admin account by mistake, how can we recover from this? Fortunately there is nothing really special about the admin account except that they are a member of the admins group, that is the important

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-15 Thread Petr Spacek
Hello, IMHO it *must* be documented very well. Thanks for the scenario proposal! There is a new documentation ticket: https://fedorahosted.org/freeipa/ticket/2758 Another ticket exists for CA master recovery procedure: https://fedorahosted.org/freeipa/ticket/2749 Petr^2 Spacek On 05/15/2012

Re: [Freeipa-users] DNS portion of IPA Server randomly crashing

2012-05-21 Thread Petr Spacek
Hello, please provide your version of bind-dyndb-ldap package. It is the interface between BIND and LDAP database. Latest version is 0.2.0-7.el6. # rpm -q bind-dyndb-ldap If you reload BIND manually, does it crash also? Every time? # rndc reload How long is log rotation period? What is Kerberos

Re: [Freeipa-users] DNS portion of IPA Server randomly crashing

2012-05-21 Thread Petr Spacek
into it ... Good night from Europe. Petr^2 Spacek Regards Charlie On Mon, May 21, 2012 at 9:44 AM, Petr Spacek pspa...@redhat.com mailto:pspa...@redhat.com wrote: Hello, please provide your version of bind-dyndb-ldap package. It is the interface between BIND and LDAP database. Latest

Re: [Freeipa-users] IPA 2.2 on Fedora 17

2012-06-01 Thread Petr Spacek
On 05/31/2012 03:33 PM, Chris Evich wrote: On 05/30/2012 03:14 PM, Rob Crittenden wrote: The current 389-ds-base package in Fedora 17 is known to not work with IPA. This is any of the 1.2.11.x builds through 1.2.11.4. The only solution we have right now is to downgrade to 1.2.10.4. This is

Re: [Freeipa-users] DNS logs - named.run

2012-06-01 Thread Petr Spacek
On 05/31/2012 07:24 PM, Jimmy wrote: This message repeats numerous times per minute: zone myzone.info/IN: zone serial (2012150501) unchanged. zone may fail to transfer to slaves. I even went into the admin page and changed the serial manually to see if I could get past the message but it just

Re: [Freeipa-users] DNS logs - named.run

2012-06-07 Thread Petr Spacek
the bug. Petr^2 Spacek On Fri, Jun 1, 2012 at 11:45 AM, Petr Spacek pspa...@redhat.com mailto:pspa...@redhat.com wrote: On 05/31/2012 07:24 PM, Jimmy wrote: This message repeats numerous times per minute: zone myzone.info/IN http://myzone.info/IN: zone serial (2012150501

Re: [Freeipa-users] Non IPA Connected Slave DNS Server ?

2012-06-25 Thread Petr Spacek
Hello, sorry for a big delay. On 06/20/2012 02:25 PM, Gavin Spurgeon wrote: Hi All, Just have a quick question re: $subject I have seen some BZ's about this, but just wanted to check with the list to see what people have to say about this. I have an IPA Domain (example.com) and it is

Re: [Freeipa-users] Replication problems with having more than one replica?

2012-06-25 Thread Petr Spacek
On 06/15/2012 12:12 AM, Steven Jones wrote: I have the forward zone (ods.vuw.ac.nz) setup in IPA but the reverse zone(s) is meant to be slaved back to the MS AD masters (vuw.ac.nz) and 10/8 and (130.195./16). What should the reverse/ PTR zone setup look like? ie if I had a flat file aka

Re: [Freeipa-users] ipa installation problem

2012-06-25 Thread Petr Spacek
On 06/19/2012 05:01 PM, george he wrote: Hello Rob, netstat |grep 443 returned nothing, but lsof -i :80 (or :443) returned things like this: httpd 4206 apache 5u IPv6 846355 TCP *:http (LISTEN) is the IPv6 here a problem? Thanks, George No route to host can mean No route to host (= no record

Re: [Freeipa-users] Non IPA Connected Slave DNS Server ?

2012-06-26 Thread Petr Spacek
On 06/25/2012 11:00 AM, Petr Spacek wrote: Hello, sorry for a big delay. On 06/20/2012 02:25 PM, Gavin Spurgeon wrote: Hi All, Just have a quick question re: $subject I have seen some BZ's about this, but just wanted to check with the list to see what people have to say about this. I have

Re: [Freeipa-users] rfe: ldap for dhcp

2012-06-28 Thread Petr Spacek
Hello, On 06/27/2012 01:50 AM, William Brown wrote: Take a look at https://bitbucket.org/Firstyear/freeipa-dhcp/src/f63a7e505705/TODO.DHCP for my todo list, and at http://www.freeipa.org/page/DHCP_Integration_Design for some of my planning about this integration. Both are subject to change in

Re: [Freeipa-users] FreeIPA DNS manager

2012-07-04 Thread Petr Spacek
On 07/04/2012 04:03 AM, Josh Becigneul wrote: Hi All, I'd like to get some opinions on using the DNS component of freeIPA to manage dns zones not necessarily associated with the freeIPA realm. My thinking is to use it as a hidden master to a pre-existing group of authoritative systems, so one

Re: [Freeipa-users] BIND named.conf

2012-07-16 Thread Petr Spacek
Hello, AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should work with Dynamic update and IXFR well. Combination of IXFR and manual change to zone text file needs special attention (for dynamic zones): You need to run rndc freeze -> modify zone -> rndc thaw. If you have

Re: [Freeipa-users] servers going out of sync

2012-07-23 Thread Petr Spacek
On 07/23/2012 04:49 PM, KodaK wrote: On Mon, Jul 23, 2012 at 9:42 AM, KodaK sako...@gmail.com wrote: Alright, this is pretty bad. My servers keep going out of sync. I have four replicas, slpidml01 through 04. I only figure it out when weird things start happening. Is there a log somewhere

Re: [Freeipa-users] unable to logout of IPA

2012-07-27 Thread Petr Spacek
On 07/27/2012 03:28 PM, John Dennis wrote: On 07/27/2012 02:06 AM, Dan Scott wrote: Hi, I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently: http://www.grc.com/sn/sn-360.htm Search for

Re: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2

2012-07-31 Thread Petr Spacek
On 07/30/2012 10:37 PM, Sigbjorn Lie wrote: Hi, I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2. I still have a LDAP server having unusual high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as

Re: [Freeipa-users] IPA Server

2012-08-01 Thread Petr Spacek
On 08/01/2012 06:13 AM, free...@noboost.org wrote: Hi All, NOTE: I posted this on the 389 forum, they rightly suggested this is most likely an IPA issue. Spec: Redhat Enterprise Linux 6.3 x64 - ipa-server-2.2.0-16.el6.x86_64 - 389-ds-base-1.2.10.2-18.el6_3.x86_64 -

[Freeipa-users] Announcing bind-dyndb-ldap bugfix release: CVE-2012-3429 was fixed

2012-08-03 Thread Petr Spacek
Hello list, package bind-dyndb-ldap (BIND-LDAP interface for FreeIPA) was updated today. This release includes fix for the security issue CVE-2012-3429. CVE link: https://www.redhat.com/security/data/cve/CVE-2012-3429.html Information for Fedora users: Please update to

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Petr Spacek
On 08/08/2012 05:42 PM, Rob Ogilvie wrote: On Tue, Aug 7, 2012 at 7:03 PM, KodaK sako...@gmail.com wrote: It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2? Indeed, it is You can only have one Kerberos realm named

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Petr Spacek
On 08/08/2012 07:27 PM, Rob Ogilvie wrote: On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote: Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it). Ugh, I hope this doesn't end up pushing us back to NIS. If I can

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-13 Thread Petr Spacek
On 08/12/2012 12:05 PM, Simo Sorce wrote: - Original Message - On 08/08/2012 08:07 PM, Simo Sorce wrote: On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote: On 08/08/2012 07:27 PM, Rob Ogilvie wrote: On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek pspa...@redhat.com wrote: Best way

Re: [Freeipa-users] Question about migration and scripts variables

2012-08-27 Thread Petr Spacek
On 08/17/2012 10:55 PM, James James wrote: my second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff

Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)

2012-08-27 Thread Petr Spacek
Hello, On 08/23/2012 07:00 AM, Franklin Catoni wrote: Hi, Hello, Is the zone not transferring at all, or is it just the updates that's not transferred to the AD slave server? It's not transferring at all. If the zone is not transferring at all: Did you modify the Allow transfer property of

Re: [Freeipa-users] netapp filer AD + ipa: possible?

2012-09-07 Thread Petr Spacek
On 09/07/2012 12:10 AM, Natxo Asenjo wrote: On Thu, Sep 6, 2012 at 10:31 PM, Sigbjorn Lie sigbj...@nixtra.com mailto:sigbj...@nixtra.com wrote: On 09/05/2012 08:12 PM, Natxo Asenjo wrote: hi, the subject says it all, I guess. I know from another thread that with nexanta it is

Re: [Freeipa-users] unable to logout of IPA

2012-09-10 Thread Petr Spacek
On 09/08/2012 02:05 AM, Dmitri Pal wrote: On 07/27/2012 10:30 AM, Petr Spacek wrote: On 07/27/2012 03:28 PM, John Dennis wrote: On 07/27/2012 02:06 AM, Dan Scott wrote: Hi, I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Petr Spacek
On 09/08/2012 05:03 PM, Dmitri Pal wrote: On 09/07/2012 04:50 PM, Rob Crittenden wrote: Michael Mercier wrote: On 2012-09-07, at 2:47 PM, Dmitri Pal wrote: On 09/07/2012 12:42 PM, Michael Mercier wrote: On 2012-09-07, at 12:14 PM, Dmitri Pal wrote: On 09/06/2012 10:40 AM, Michael Mercier

Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Petr Spacek
On 09/17/2012 10:32 PM, Steven Jones wrote: If anyone has Mac instructions I'd love a copy pls. As usual, we can create an account on freeipa.org wiki if anybody is interested in creating a how-to. That is the best place to share. Let us know! Petr^2 Spacek

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Petr Spacek
On 09/19/2012 01:32 PM, Dmitri Pal wrote: On 09/19/2012 02:56 AM, Jakub Hrozek wrote: On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: So, commenting out: passwordrequisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

[Freeipa-users] Do we need ipa-client-update script?

2012-09-21 Thread Petr Spacek
Hello users, we have a question for client machine administrators: On 09/21/2012 10:12 AM, Martin Kosek wrote: snip ..., that it may be useful to implement a script like ipa-client-update which would be capable of updating client information (and could be entered in a cron for example)

Re: [Freeipa-users] mod_nss issue.

2012-10-08 Thread Petr Spacek
Hello, Did you consider virtualization for host accessible from public networks? Performance degradation is usually small nowadays and you can save some headaches (and create different ones :-)). Petr^2 Spacek On 10/08/2012 04:19 PM, Simon Williams wrote: I understand exactly where you are

Re: [Freeipa-users] dyndb-ldap in standart ldap

2012-10-12 Thread Petr Spacek
-dyndb-ldap.git/tree/README Let me know if you want further assistance. -- Petr Spacek version: 1 dn: cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com objectClass: top objectClass: nsContainer objectClass: idnsConfigObject cn: dns idnsZoneRefresh: 30 dn: idnsname=idm.lab.bos.redhat.com,cn=dns,dc=idm

Re: [Freeipa-users] DNS forward to sub domain not working

2012-10-23 Thread Petr Spacek
On 10/23/2012 09:51 AM, Sumit Bose wrote: On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote: Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr off

Re: [Freeipa-users] DNS forward to sub domain not working

2012-10-23 Thread Petr Spacek
you! Petr^2 Spacek On Tue, Oct 23, 2012 at 10:00 AM, Petr Spacek pspa...@redhat.com mailto:pspa...@redhat.com wrote: On 10/23/2012 09:51 AM, Sumit Bose wrote: On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote: Hello, I have a problem. My setup

Re: [Freeipa-users] ipa user-find

2012-10-25 Thread Petr Spacek
On 10/25/2012 03:23 PM, Rob Crittenden wrote: Rich Megginson wrote: On 10/24/2012 09:16 PM, Rob Crittenden wrote: Steven Jones wrote: Hi, How do I bind as the directory manager? I've tried and I can't figure out how. Assuming you're running on the same host as IPA: $ ldapmodify -x -D

Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-05 Thread Petr Spacek
On 11/03/2012 01:12 PM, Pavel Zhukov wrote: Can you do NS lookup of the IPA server from the AMM box? yes Can you do kinit from the AMM box against IPA? Can you do ldapsearch from the AMM box against IPA? no, AMM has restricted shell and web GUI. Hmm, that is unfortunate. Can you run tcpdump

Re: [Freeipa-users] DNS / Allow PTR sync

2012-11-06 Thread Petr Spacek
Hello Mike, are you talking about IPA WebUI or CLI or DNS dynamic update mechanism? On which distribution and IPA version? On 11/05/2012 10:35 PM, Michael Mercier wrote: Hello, A couple of questions regarding DNS / Allow PTR sync. 1. If you have a zone 'example.com' and you enable Allow

Re: [Freeipa-users] ipa and cronjob

2012-11-14 Thread Petr Spacek
On 11/14/2012 07:22 AM, Anthony Messina wrote: On Wednesday, November 14, 2012 05:00:29 AM Simo Sorce wrote: On Tue, 2012-11-13 at 21:53 -0600, Anthony Messina wrote: 1. Using automatic login with the lightdm display manager, I have it run the following script to remove any old Kerberos

Re: [Freeipa-users] failure to register dns on joining IPA domain

2012-11-16 Thread Petr Spacek
On 11/16/2012 01:29 PM, Natxo Asenjo wrote: hi, this is a part of ipaclient-install.log 2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt : zone ipa.domain.tld. update delete host.ipa.domain.tld. IN SSHFP send update add host.ipa.domain.tld. 1200 IN SSHFP 1 1

Re: [Freeipa-users] Problem adding DNS Zones

2012-11-16 Thread Petr Spacek
Hello, you didn't specify IPA version, OS version etc., so my reply will be valid for the latest IPA master but not necessarily for your version: You are trying to use a name server from another zone so you have to enter an absolute DNS name. Value dns.project.net is missing the trailing dot, so DNS

[Freeipa-users] DNSSEC DNS zone spoofing (was: Problem adding DNS Zones)

2012-11-19 Thread Petr Spacek
Hello, On 11/16/2012 04:11 PM, Bret Wortman wrote: Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here? # ipa dnszone-add 0.pool.ntp.org http://0.pool.ntp.org

Re: [Freeipa-users] replica installation with external DNS

2012-11-21 Thread Petr Spacek
Hello, I added freeipa-users to Cc to reach a bigger audience and the mailing list archive. Please post your questions primarily to freeipa-users@redhat.com. On 11/21/2012 04:28 PM, Bilal Bas wrote: I have a small question about freeIPA DNS configuration. I have server #1 have FreeIPA installed

Re: [Freeipa-users] IPA DNS forward only is not working

2012-11-26 Thread Petr Spacek
Hello, I will try to summarize your question, please correct me if I'm wrong. - existing Windows domain: example.com - installed IPA domain: example.com (I guess from named.conf) - you want to query Windows DNS first and then try to query IPA DNS when Windows DNS does not have a specific record

Re: [Freeipa-users] IPA DNS forward only is not working

2012-11-27 Thread Petr Spacek
Hello once again, some DNS scenarios are described in https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v1 It is preliminary version of new text for IPA manual. Please report any errors and ambiguities. Petr^2 Spacek On 11/27/2012 08:47 AM, Petr Spacek wrote: Hello, I will try

Re: [Freeipa-users] ttl settings for host records

2012-11-27 Thread Petr Spacek
Hello, On 11/27/2012 04:52 PM, Rob Crittenden wrote: Natxo Asenjo wrote: hi, this is puzzling me. I have an AD environment (which is leading) with integrated dns servers. In the AD dns I have a zone domain.tld. I have created a delegation unix.domain.tld in it with a glue record pointing to

Re: [Freeipa-users] ttl settings for host records

2012-11-29 Thread Petr Spacek
On 11/29/2012 01:16 PM, James Hogarth wrote: I'm not entirely sure where that 86400 came from. When we do a dynamic update the TTL is hardcoded to 1200. There is a ticket to make this configurable, https://fedorahosted.org/freeipa/ticket/3031

[Freeipa-users] NFS v4 integration how to

2012-12-07 Thread Petr Spacek
Hello list, I accidentally found the following how-to: http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA Did somebody try it? Did it work? -- Petr^2 Spacek

Re: [Freeipa-users] Disadvantages of using external DNS

2012-12-12 Thread Petr Spacek
On 12/12/2012 06:09 PM, rashard.ke...@sita.aero wrote: What are the disadvantages of using an external DNS source? You have to create and update all records by hand. Generally, it will work if you are careful. Also, you will get quest after adding a new IPA replica, potentially after adding a

Re: [Freeipa-users] DNS: sub-domain or new domain

2012-12-13 Thread Petr Spacek
about a very similar thing. I have a bunch of Linux servers that I'd like to start managing more centrally but we have Active Directory running the network right now. I looked at the bug attachment Petr Spacek recommended (https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2) but one thing I

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-19 Thread Petr Spacek
On 12/18/2012 09:56 PM, John Dennis wrote: ipa: ERROR: unable to parse cookie header 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN; Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly': unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33' John, could

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-03 Thread Petr Spacek
On 12/21/2012 01:19 PM, Sumit Bose wrote: On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote: Hi What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed? The account used here must be a

Re: [Freeipa-users] Fwd: user sync works, passsync eludes me

2013-01-03 Thread Petr Spacek
Hello, can you please open a bug against passsync and describe what exactly you did? Log message should clearly mention problem with certificate when it happens. Thank you. Petr^2 Spacek On 12/21/2012 03:41 PM, Nate Marks wrote: Nevermind. I was mucking up the certificate. got it fixed.

Re: [Freeipa-users] Kerberos and Cisco

2013-01-03 Thread Petr Spacek
On 12/23/2012 07:31 PM, Simo Sorce wrote: On Fri, 2012-12-21 at 18:23 -0500, Dmitri Pal wrote: On 12/21/2012 05:40 PM, Mike Mercier wrote: Hi Bret, I tried this once in the past with no success. If I recall correctly (I can't find the reference anymore), Cisco (at least in IOS 12.4 that I

Re: [Freeipa-users] Setting up single domain but with dns subdomains

2013-01-09 Thread Petr Spacek
On 8.1.2013 20:06, Rob Crittenden wrote: Orion Poplawski wrote: I'm looking into migrating our 389ds ldap + kerberos to FreeIPA and I'm wondering how to setup DNS autodiscovery (if possible) in a way to point to different servers in different locations. We have two major offices, one that uses

[Freeipa-users] CSV support in IPA administration tools - to be, or not to be?

2013-01-10 Thread Petr Spacek
Hello, is there any user of CSV support built-in to IPA administration tools (ipa command)? Do you consider it sane or even useful? Please reply. I wanted to add a single TXT record with double quotation marks ("") inside the TXT data. I spent some time figuring out how it is supposed to work

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread Petr Spacek
On 11.1.2013 10:19, Alexander Bokovoy wrote: On Fri, 11 Jan 2013, David Juran wrote: On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote: On 01/03/2013 12:28 PM, Petr Spacek wrote: On 12/21/2012 01:19 PM, Sumit Bose wrote: On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote

Re: [Freeipa-users] error: Realm not local to KDC

2013-01-16 Thread Petr Spacek
Hello, as Dmitri said, this problem is probably related to DNS. I would recommend to run tcpdump/wireshark on the client, capture all network traffic during client enrolment and check IP addresses. You will probably see IP address of AD server more often than you should ... Petr^2 Spacek

Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu

2013-01-22 Thread Petr Spacek
On 22.1.2013 17:04, Rob Crittenden wrote: Vijay Thakur wrote: On Monday 21 January 2013 10:30 PM, freeipa-users-requ...@redhat.com wrote: Vijay Thakur Here is the logs of server side: an 22 16:21:02 ds.example.com krb5kdc[1376](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.51.16:

Re: [Freeipa-users] Failed to obtain host TGT bug

2013-02-01 Thread Petr Spacek
On 1.2.2013 15:42, William Muriithi wrote: Hello pal, I have a centos 6.3 that fails to enroll to the IPA server however much I try. I believe it's because of the bug below. I have updated the IPA client but it seems it is only fixed on ipa-3.0 which ships on RHEL 6.4 How many replicas do you

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 15:15, Rajnesh Kumar Siwal wrote: Is there any other log file that may suggest something. It would be great if we could figure out what's the cause of the error. I would recommend to run tcpdump on one of the servers and look at what is sent over the wire. It is the most effective way.

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote: Finally , I installed it with --skip-conncheck:- Now DNS fails to start. I tried ipa-dns-install too:- [root@ipa2 log]# ipa-dns-install The log file for this installation can be found in /var/log/ipaserver-install.log

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Petr Spacek
On 5.2.2013 17:15, Rajnesh Kumar Siwal wrote: Last time the installation of replica failed. So this is second time I did it (The logs in the mail are from the second time after I uninstalled the ipa2). After installing the replica, I restarted IPA and failed to start the KDC too. So, kinit

Re: [Freeipa-users] ipa replica install fails

2013-02-06 Thread Petr Spacek
On 6.2.2013 07:17, Rajnesh Kumar Siwal wrote: I am missing these two entries in ipa1 (The Master that was installed first):- HTTP/ipa2.xyz@xyz.dmz DNS/ipa2.xyz@xyz.dmz The above entries are present only in ipa2. It seems like replication problems to me. Did you already solve problems

Re: [Freeipa-users] Account Expiration

2013-02-13 Thread Petr Spacek
On 12.2.2013 20:21, John Dennis wrote: On 02/12/2013 01:40 PM, Rob Crittenden wrote: Is it possible for ipa to send an email to a user when his account is about to expire (the current date is near krbprincipalexpiration date) ? Not currently. In 3.0+ we will provide a notice when one logs into

Re: [Freeipa-users] Restricting other User's Details to be visible to a user

2013-02-13 Thread Petr Spacek
On 13.2.2013 11:38, Rajnesh Kumar Siwal wrote: It has been found that any user can see the details of other users through the IPA Web Interface (even ldapsearch with anonymous user). It would be great if we could hide the details of the other users from the current user (including email, phone

Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Petr Spacek
On 14.2.2013 09:49, Martin Kosek wrote: On 02/14/2013 08:20 AM, Rajnesh Kumar Siwal wrote: IPA is going to be a very critical Server for any environment. Do we have proper logging of who has locked whom, who has created a sudo policy, who has allowed access to whom etc ? Hello Rajnesh, the

Re: [Freeipa-users] permissions of the user uid=sudo, cn=sysaccounts, cn=etc, dc=example, dc=com

2013-02-18 Thread Petr Spacek
On 17.2.2013 20:05, Rajnesh Kumar Siwal wrote: Please guide us about the LDAP user uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com. Does it have read only access or read-write access to the uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com ? Because the file /etc/ldap.conf is readable by all

Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread Petr Spacek
On 19.2.2013 23:29, ninib...@worldd.org wrote: On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote: I used IPA from the CentOS 6 repositories and I am having an issue I can't seem to solve. I installed a server and a client with no issues, but upon

Re: [Freeipa-users] Windows authentication against FreeIPA documentation question.

2013-02-22 Thread Petr Spacek
On 22.2.2013 09:49, Han Boetes wrote: Regarding: http://freeipa.org/page/Windows_authentication_against_FreeIPA I noticed that I have to create a matching user on the windows machine before the user can log in. I don't have to set the password, but I do have to add a user as the local admin on

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-26 Thread Petr Spacek
can send the data to me privately, if you want.) Petr^2 Spacek On Mon., 05/11/2012 at 09:32 +0100, Petr Spacek wrote: On 11/03/2012 01:12 PM, Pavel Zhukov wrote: Can you do NS lookup of the IPA server from the AMM box? yes Can you do kinit from the AMM box against IPA? Can you do ldapsearch

Re: [Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

2013-02-26 Thread Petr Spacek
On 23.2.2013 23:01, Dale Macartney wrote: On 02/23/2013 09:47 PM, Dmitri Pal wrote: On 02/23/2013 12:48 PM, Dale Macartney wrote: Hi all I've just performed a clean IPA installation and noticed that if you're using integrated DNS,

Re: [Freeipa-users] FreeIPA for AMM users management

2013-02-27 Thread Petr Spacek
find and try various settings. We can provide general advice and publish your findings on freeipa.org. Any contributions welcome! Petr^2 Spacek On Tue., 26/02/2013 at 12:41 +0100, Petr Spacek wrote: On 26.2.2013 11:49, Артур Файзуллин wrote: And what? Is there any result? I try the same thing

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek
On 26.2.2013 17:55, John Moyer wrote: Sorry for the late response, so I tried this, and it changed the error to the following: Synchronizing time with KDC... Joining realm failed: HTTP response code is 401, not 200 Installation failed. Rolling back changes. Looking at debug this is what I

Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-27 Thread Petr Spacek
On 27.2.2013 11:34, Jan-Frode Myklebust wrote: On Wed, Feb 27, 2013 at 10:42:49AM +0100, Petr Spacek wrote: HTTP/1.1 401 Authorization Required Date: Tue, 26 Feb 2013 16:54:21 GMT Server: Apache/2.2.15 (CentOS) * gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found

Re: [Freeipa-users] Errors when trying IPA,Dovecot GSSAPI.

2013-03-08 Thread Petr Spacek
On 7.3.2013 18:06, Dale Macartney wrote: I have just updated the article to have dovecot automatically creating a maildir in a custom location. http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On It's not NFS based in the homedir, but technically if you're

Re: [Freeipa-users] check host password age

2013-03-13 Thread Petr Spacek
On 12.3.2013 14:41, Stijn De Weirdt wrote: hi all, (i'm new to freeipa, so it's possible i missed some docs here and there ;) i'm looking to add hosts with some secret password to ipa, then during kickstart install they use this password to run ipa-client-install. You need to add host

Re: [Freeipa-users] Realm distributed across data centers

2013-03-13 Thread Petr Spacek
On 13.3.2013 14:28, Rob Crittenden wrote: Michael ORourke wrote: I think SRV records are only part of the problem. We are using integrated BIND/DNS with our IPA servers and I'm not sure it supports views. But thanks for the suggestion. I guess we could create custom krb5.conf files in each DC

Re: [Freeipa-users] Realm distributed across data centers

2013-03-14 Thread Petr Spacek
On 13.3.2013 16:17, de Jong, Mark-Jan wrote: On Wed, 2013-03-13 at 09:28 -0400, Rob Crittenden wrote: Michael ORourke wrote: I think SRV records are only part of the problem. We are using integrated BIND/DNS with our IPA servers and I'm not sure it supports views. But thanks for the

Re: [Freeipa-users] getattr cli option?

2013-03-21 Thread Petr Spacek
On 21.3.2013 10:15, Martin Kosek wrote: On 03/21/2013 06:59 AM, Brian Cook wrote: Is there something equivalent to 'getattr' for ipa host-mod? I see setattr, addattr and delattr but to get attributes you have to do host-show --all. There is no way to ask for one specific attribute? I would

Re: [Freeipa-users] bind-dyndb-ldap howto use wildcard

2013-03-25 Thread Petr Spacek
On 23.3.2013 18:17, Marc Roos wrote: I don't seem to get the wildcard working. Is this a correct way of creating a dns record DN: idnsName=*.241.36.65,idnsName=rbl.test.com,dc=office,dc=local objectClass: idnsRecord aRecord: 127.0.0.1 idnsName: *.241.36.65 If I do a dig on the nameserver on
