Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Sigbjorn Lie
Hi, I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers. Rgds, Siggi On Tue, March 1, 2011 01:32, Steven Jones wrote: I have tried to download the

[Freeipa-users] IPA v2 in Red Hat

2011-03-01 Thread Sigbjorn Lie
Hi, Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA v2 in Red Hat

2011-03-01 Thread Sigbjorn Lie
On Tue, March 1, 2011 15:06, Dmitri Pal wrote: On 03/01/2011 06:11 AM, Sigbjorn Lie wrote: Hi, Is there a roadmap for when version 2 of IPA is expected to be seen in RHEL? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users

Re: [Freeipa-users] RC3 Install fails with Unable to connect to LDAP server

2011-03-13 Thread Sigbjorn Lie
On 03/12/2011 09:58 PM, tomasz.napier...@allegro.pl wrote: On 2011-03-12, at 20:06, tomasz.napier...@allegro.pl wrote: Hi, I'm trying to install FreeIPA 2.0. RC3 on fresh, minimal F14 box, but it fails for some reason: Looks like the problem is that my realm is different than domain name

Re: [Freeipa-users] Sync with AD error

2011-03-13 Thread Sigbjorn Lie
On 03/13/2011 08:35 PM, Simo Sorce wrote: On Fri, 11 Mar 2011 21:31:50 +0100 Sigbjørn Liesigbj...@nixtra.com wrote: On 03/11/2011 09:15 PM, Dmitri Pal wrote: On 03/11/2011 03:00 PM, Sigbjørn Lie wrote: Hi, I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a sync

[Freeipa-users] Delete AD replica failure

2011-03-20 Thread Sigbjorn Lie
Hi, I just did a fresh installation of FreeIPA 2 on a host called ipa1, created a replica on a second server called ipa2. I then created a winsync replica to an AD domain on the ipa1 host. I noticed that I forgot the --win-subtree option and decided to delete the replication agreement: #

Re: [Freeipa-users] Delete AD replica failure

2011-03-21 Thread Sigbjorn Lie
On 03/21/2011 02:31 PM, Simo Sorce wrote: On Sun, 20 Mar 2011 18:28:12 +0100 Sigbjorn Liesigbj...@nixtra.com wrote: Hi, I just did a fresh installation of FreeIPA 2 on a host called ipa1, created a replica on a second server called ipa2. I then created a winsync replica to an AD domain on

[Freeipa-users] Adding user accounts

2011-03-25 Thread Sigbjorn Lie
Hi, Using --gidnumber when adding a new user with ipa user-add does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter is chosen. I presume this is not the way user-add is intended to work? # ipa user-add mysql14 --first=MySQL

[Freeipa-users] NIS/local files to IPA migration

2011-03-27 Thread Sigbjorn Lie
Hi, I have written some scripts for migration from NIS/local files to IPA. They will import the passwd, group, netgroup, and hosts maps. This is the first version, be aware of bugs. :) Please read the README file before using. You can download them from here if you are interested:

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Sigbjorn Lie
On Mon, March 28, 2011 11:10, Martin Kosek wrote: On Fri, 2011-03-25 at 20:13 +0100, Sigbjorn Lie wrote: Hi, Using --gidnumber when adding a new user with ipa user-add does not seem to have any effect. A gid number with the same value as what I specify in with the --uid parameter

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Sigbjorn Lie
of the account, the private (invisible) group still exists. I'm missing an option to choose if I want to create or not create a private group for the user. Rgds, Siggi On Sat, March 26, 2011 18:21, Dmitri Pal wrote: On 03/25/2011 03:13 PM, Sigbjorn Lie wrote: Hi, Using --gidnumber

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Sigbjorn Lie
Fantastic! Thanks. I will update my scripts. Is there any downside to doing this? Rgds, Siggi On Mon, March 28, 2011 16:02, Rob Crittenden wrote: Sigbjorn Lie wrote: Thanks. I also noticed that a group with the same GID number as the users UID number is automatically created when

Re: [Freeipa-users] Ethers table?

2011-03-28 Thread Sigbjorn Lie
Done, thanks. Rgds, Siggi On Mon, March 28, 2011 15:49, Dmitri Pal wrote: On 03/28/2011 09:26 AM, Sigbjorn Lie wrote: Hi, We're using the ethers table in NIS today to generate DHCP config files for clients to we can send different TFTP,DNS,etc options to different clients depening

Re: [Freeipa-users] Adding user accounts

2011-03-28 Thread Sigbjorn Lie
I open a request in bugzilla? Rgds, Siggi On 03/28/2011 04:56 PM, Dmitri Pal wrote: On 03/28/2011 10:50 AM, Rob Crittenden wrote: Sigbjorn Lie wrote: Fantastic! Thanks. I will update my scripts. Is there any downside to doing this? One thing I should warn you of though that we've run

Re: [Freeipa-users] IPA Client join

2011-03-31 Thread Sigbjorn Lie
In rc2 we had to make a change to the OID used for some operations because they were duplicated. The OID for the ipa-getkeytab operation was one of them, so older clients don't work with newer servers. IIRC the EL6 ipa-client was based on the alpha 3 release. I attached a patch that

Re: [Freeipa-users] 6.1 beta

2011-04-03 Thread Sigbjorn Lie
According to Red Hat Network it does: ipa-server-2.0.0-16.el6.x86_64 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64) ipa-server-2.0.0-16.el6.i686

Re: [Freeipa-users] NIS/local files to IPA migration

2011-04-04 Thread Sigbjorn Lie
On Mon, April 4, 2011 04:58, Simo Sorce wrote: On Mon, 28 Mar 2011 15:43:18 +0200 (CEST) Sigbjorn Lie sigbj...@nixtra.com wrote: On Mon, March 28, 2011 15:24, Dmitri Pal wrote: On 03/28/2011 09:01 AM, Sigbjorn Lie wrote: On Mon, March 28, 2011 14:31, Dmitri Pal wrote: On 03/27/2011 06

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 03:43 PM, Dmitri Pal wrote: On 04/03/2011 05:41 PM, Sigbjorn Lie wrote: According to Red Hat Network it does: ipa-server-2.0.0-16.el6.x86_64 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 06:22 PM, Sigbjorn Lie wrote: On 04/04/2011 03:43 PM, Dmitri Pal wrote: On 04/03/2011 05:41 PM, Sigbjorn Lie wrote: According to Red Hat Network it does: ipa-server-2.0.0-16.el6.x86_64 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 Red Hat

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 08:32 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 04/04/2011 06:22 PM, Sigbjorn Lie wrote: On 04/04/2011 03:43 PM, Dmitri Pal wrote: On 04/03/2011 05:41 PM, Sigbjorn Lie wrote: According to Red Hat Network it does: ipa-server-2.0.0-16.el6.x86_64 https://rhn.redhat.com

Re: [Freeipa-users] NIS/local files to IPA migration

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 09:00 PM, Dmitri Pal wrote: On 04/04/2011 10:34 AM, Sigbjorn Lie wrote: On Mon, April 4, 2011 04:58, Simo Sorce wrote: On Mon, 28 Mar 2011 15:43:18 +0200 (CEST) Sigbjorn Liesigbj...@nixtra.com wrote: On Mon, March 28, 2011 15:24, Dmitri Pal wrote: On 03/28/2011 09:01 AM

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 09:36 PM, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/04/2011 03:06 PM, Dmitri Pal wrote: On 04/04/2011 03:01 PM, Sigbjorn Lie wrote: I also noticed that in /etc/sssd/sssd.conf the ipa server is specified with: ipa_server = _srv_, ipa01

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/04/2011 10:12 PM, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/04/2011 03:52 PM, Sigbjorn Lie wrote: On 04/04/2011 09:36 PM, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/04/2011 03:06 PM, Dmitri Pal wrote: On 04/04/2011

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie
On 04/05/2011 01:25 AM, Kevin Unthank wrote: On 04/04/2011 12:06 PM, Dmitri Pal wrote: On 04/04/2011 03:01 PM, Sigbjorn Lie wrote: On 04/04/2011 08:32 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 04/04/2011 06:22 PM, Sigbjorn Lie wrote: On 04/04/2011 03:43 PM, Dmitri Pal wrote

Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Sigbjorn Lie
On 04/05/2011 01:25 AM, Kevin Unthank wrote: On 04/04/2011 12:06 PM, Dmitri Pal wrote: On 04/04/2011 03:01 PM, Sigbjorn Lie wrote: On 04/04/2011 08:32 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 04/04/2011 06:22 PM, Sigbjorn Lie wrote: On 04/04/2011 03:43 PM, Dmitri Pal wrote

Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
Just to elaborate on Dmitri's comments. In addition to the IPA client and server packages that are included in the RHEL6.1 beta channel, there will be a separate RHEL add-on channel, Enterprise Identity Replication. That add-on channel will contain ds-replication and the Windows sync

Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
mvh, Sigbjorn Lie 's/windows/unix/g' - Ubuntu - an African word, meaning Slackware is too hard for me On Fri, April 8, 2011 01:03, Kevin Unthank wrote: snip Just to elaborate on Dmitri's comments. In addition to the IPA client and server packages that are included in the RHEL6.1 beta

Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
Right, forgot to remove autosignature. :) See my post at the bottom of my last email. Rgds, Siggi On Fri, April 8, 2011 08:38, Sigbjorn Lie wrote: mvh, Sigbjorn Lie 's/windows/unix/g' - Ubuntu - an African word, meaning Slackware is too hard for me On Fri, April 8, 2011 01:03

Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
On Fri, April 8, 2011 09:48, Natxo Asenjo wrote: On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie sigbj...@nixtra.com wrote: Ok, I do like the wider options for channels in Red Hat, but this bring me to my next question: Will there be an extra charge for this add on channel

[Freeipa-users] IPA replication in RHEL

2011-04-28 Thread Sigbjorn Lie
Hi Kevin, I requested the add-on replication channel from our RH account rep, however I was advised they we're unable to find any IPA Replication channel. Is this channel ready in RHN yet? If so, what is the name of this channel? Rgds, Siggi On Thu, April 28, 2011 00:31, Kevin Unthank

Re: [Freeipa-users] Disk layout - requirements

2011-05-06 Thread Sigbjorn Lie
On 05/06/2011 04:12 PM, Rob Crittenden wrote: Steven Jones wrote: Hi, Digging through docs / googling I cant see any disk partition suggestions and size thereof requirements... Suggestions please? sizing for 500 servers, 2000 desktops, 5000+ users... Especially around having different

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-10 Thread Sigbjorn Lie
Hi, I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would make my job a lot easier as we have a lot of customers running Solaris. :) For the server part I agree with you, keep it at RHEL. SSSD @ Solaris / HP-UX / AIX ... well there

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Sigbjorn Lie
On Wed, May 11, 2011 14:42, Stephen Gallagher wrote: On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote: Hi, I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would make my job a lot easier as we have a lot of customers running

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-11 Thread Sigbjorn Lie
nfs4+krb clients? If so, that should be added to the script as well. Rgds, Siggi On Wed, May 11, 2011 00:24, Dmitri Pal wrote: On 05/10/2011 05:42 PM, Sigbjorn Lie wrote: Hi, I would like to see the ipa client scripts and possibly the admin tools in a nice Solaris package. This would

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Sigbjorn Lie
That said we have configuration instructions for other platforms, I am sure the community can hack-up scripts to use them if instructions are not enough. We can also host them if someone wants to contribute. Ok. Let's say I've pre-created the host on the IPA server. I'm logged on to the

Re: [Freeipa-users] IPA Startup issues

2011-05-16 Thread Sigbjorn Lie
On 05/16/2011 04:25 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 05/16/2011 03:41 PM, Dmitri Pal wrote: On 05/14/2011 10:46 AM, Sigbjorn Lie wrote: I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started. I

Re: [Freeipa-users] IPA Startup issues

2011-05-17 Thread Sigbjorn Lie
On 05/16/2011 04:56 PM, Rich Megginson wrote: On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: On 05/16/2011 03:52 PM, Simo Sorce wrote: On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online

Re: [Freeipa-users] IPA Startup issues

2011-05-22 Thread Sigbjorn Lie
On 05/17/2011 07:24 PM, Rich Megginson wrote: On 05/17/2011 06:40 AM, Sigbjorn Lie wrote: On 05/16/2011 04:56 PM, Rich Megginson wrote: On 05/16/2011 08:43 AM, Sigbjorn Lie wrote: On 05/16/2011 03:52 PM, Simo Sorce wrote: On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote: I've noticed

Re: [Freeipa-users] IPA Startup issues

2011-05-23 Thread Sigbjorn Lie
On 05/23/2011 09:11 PM, Christian Horn wrote: On Mon, May 23, 2011 at 08:58:53PM +, Steven Jones wrote: I just built a brand new RHEL6.1 64bit server and installed ipa-server and despite setting up the chkconfig's it wont start on boot...it will start manually later by hand... Works out of

Re: [Freeipa-users] Why not unix UIDs (numbers and range)

2011-05-23 Thread Sigbjorn Lie
That used to be true, but it's been a lot higher for some time now. Linux has had 32-bit integers for UID/GID since Linux kernel 2.4, and Solaris has had the same since Solaris 2.5.1. I can't speak for other *nix flavours. Rgds, Siggi. On 05/23/2011 11:09 PM, Steven Jones wrote: um so I

Re: [Freeipa-users] IPA Startup issues

2011-05-24 Thread Sigbjorn Lie
:15, Christian Horn wrote: Hi, On Mon, May 23, 2011 at 11:20:27PM +0200, Sigbjorn Lie wrote: My issue is startup of IPA only occurs when the host is extremely busy, such as after a reboot of the host machine when the disk is grinding and the cpu is almost going up in flames of all

[Freeipa-users] Connecting Ubuntu to IPA

2011-06-09 Thread Sigbjorn Lie
Hi, I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04. Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap liberary which can use groups within groups for user accounts. ldapld

Re: [Freeipa-users] Connecting Ubuntu to IPA - one last important step!

2011-06-09 Thread Sigbjorn Lie
If you prefer you can use something like CFengine to automate the whole process. Rgds, Siggi. On 06/09/2011 07:21 PM, Sigbjorn Lie wrote: Hi, I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04. Install the packages below

[Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie
Hi, I have successfully configured one IPA replica, now I'm trying to configure a second replica, but I'm not having much success. I've attached the output of ipa-replica-install -d. I get as far as [4/11]: configuring certificate server instance. The machine is configured in the same way as

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie
On 06/13/2011 04:12 PM, Simo Sorce wrote: On Mon, 2011-06-13 at 15:23 +0200, Sigbjorn Lie wrote: Hi, I have successfully configured one IPA replica, now I'm trying to configure a second replica, but I'm not having much success. I've attached the output of ipa-replica-install -d. I get as far

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie
On 06/13/2011 04:41 PM, Ade Lee wrote: Hi, The replica installation is failing when the replica attempts to contact the CA on the master to log into the security domain. According to your log, this is https://ipa01.ix.test.com:9445 Can the master be resolved and reached from the replica? Can

[Freeipa-users] Multiple host records in the GUI

2011-06-13 Thread Sigbjorn Lie
Hi, How come I cannot see multiple records for the same host in the WEB GUI? I can see the records when I'm using the CLI. This goes for multiple A records for the same hostname, but also if a hostname has an A record and a record. Only the A record will show up in the WEB GUI. All

Re: [Freeipa-users] Multiple host records in the GUI

2011-06-13 Thread Sigbjorn Lie
On 06/13/2011 07:06 PM, Adam Young wrote: On 06/13/2011 12:20 PM, Sigbjorn Lie wrote: Hi, How come I cannot see multiple records for the same host in the WEB GUI? I can see the records when I'm using the CLI. This goes for multiple A records for the same hostname, but also if a hostname

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie
On 06/13/2011 07:24 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 06/13/2011 04:41 PM, Ade Lee wrote: Hi, The replica installation is failing when the replica attempts to contact the CA on the master to log into the security domain. According to your log, this is https://ipa01

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Sigbjorn Lie
On 06/13/2011 06:55 PM, Stephen Gallagher wrote: On Mon, 2011-06-13 at 17:29 +0200, Sigbjorn Lie wrote: On 06/13/2011 04:41 PM, Ade Lee wrote: Hi, The replica installation is failing when the replica attempts to contact the CA on the master to log into the security domain. According to your

[Freeipa-users] Thunderbird Address Book

2011-06-13 Thread Sigbjorn Lie
Hi, Has anyone had success using IPA's LDAP as address book for Thunderbird? I've tried configring IPA's LDAP as Abook for Thunderbird. As far as I can see all the required attributes are there and mapped correctly out of the box with Thunderbird 3.1, but I cannot get any names looked up.

[Freeipa-users] Using NexentaStor with FreeIPA

2011-07-11 Thread Sigbjorn Lie
On Tue, June 28, 2011 20:14, Natxo Asenjo wrote: On Tue, Jun 28, 2011 at 6:35 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: In my NexentaStor configuration, the NFS service is using FreeIPA (nss_ldap+krb5), and the CIFS service is using Active Directory (nss_ad) for user authentication

Re: [Freeipa-users] doc tickets

2011-07-14 Thread Sigbjorn Lie
Hi, From: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html Compatibility Translation for Native Sudo The native |sudo| binary does not yet support SSSD or the IPA Sudo Schema. As an interim solution, IPA has implemented a compatibility plug-in which

Re: [Freeipa-users] Dead Freeipa

2011-07-28 Thread Sigbjorn Lie
Hi, I had a similar problem. For me the /etc/dirsrv/slapd-IX-TEST-COM/dse.ldif file was suddenly 0 bytes long. I recovered by restoring a copy of the dse.ldif.bak file in the same folder. I was under the impression that this was my own fault due to continuous power cuts to my test bench,

[Freeipa-users] FreeIPA 2.1.0 - SELinux

2011-08-19 Thread Sigbjorn Lie
Hi, I've just updated to FreeIPA 2.1.0. I disabled SELinux on this machine (Fedora 15) when I installed IPA, as there was a bug with IPA's SELinux ruleset, which made the ipa-server-install script fail. That decision seem to be biting my ass now, I get the following error message:

Re: [Freeipa-users] FreeIPA 2.1.0 - SELinux

2011-08-22 Thread Sigbjorn Lie
Ah, excellent. Thanks. :) Rgds, Siggi On 08/19/2011 07:17 PM, Ade Lee wrote: Siggi, The fix for this has already been checked into the dogtag code. We'll have a new build out (for pki-ca) probably sometime next week. Ade On Fri, 2011-08-19 at 12:57 -0400, Rob Crittenden wrote: Sigbjorn

[Freeipa-users] IPA Automount cross-location support

2011-08-22 Thread Sigbjorn Lie
Hi, IPA Automount configuration: Is it possible to reference an automount map from another location? E.g. under Policy - Automount - Add map - Parent Map: reference to other location.auto.data Example: Let's say you have the following automount locations defined in IPA: NewYork, Washington,

[Freeipa-users] Updating automount location name

2011-08-22 Thread Sigbjorn Lie
Hi, I receive an error when I attempt to go to Policy - Automount - custom_location - Settings - Update: IPA Error 905 unknown command u'automountlocation_mod' Indeed the command is not available using the CLI either. A known issue? Also, when choosing Add to add a map, the Indirect map

Re: [Freeipa-users] Updating automount location name

2011-08-22 Thread Sigbjorn Lie
On 08/22/2011 10:02 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I receive an error when I attempt to go to Policy - Automount - custom_location - Settings - Update: IPA Error 905 unknown command u'automountlocation_mod' Indeed the command is not available using the CLI either

Re: [Freeipa-users] Updating automount location name

2011-08-23 Thread Sigbjorn Lie
On 08/23/2011 12:04 AM, Dmitri Pal wrote: On 08/22/2011 04:48 PM, Sigbjorn Lie wrote: On 08/22/2011 10:02 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I receive an error when I attempt to go to Policy - Automount - custom_location - Settings - Update: IPA Error 905 unknown

Re: [Freeipa-users] IPA Automount cross-location support

2011-08-23 Thread Sigbjorn Lie
On 08/23/2011 12:06 AM, Dmitri Pal wrote: On 08/22/2011 03:44 PM, Sigbjorn Lie wrote: Hi, IPA Automount configuration: Is it possible to reference an automount map from another location? E.g. under Policy - Automount - Add map - Parent Map:reference to other location.auto.data Example

Re: [Freeipa-users] Test scenario

2011-09-05 Thread Sigbjorn Lie
On Mon, September 5, 2011 00:08, Steven Jones wrote: Hi, From evaluation purposes I am looking to write test cases to evaluate authentication products so here is one I am thinking of. From what I can see of IPA it would be fairly easy to implement centrally? Lets say I have four

[Freeipa-users] Error message when denied by HBAC

2011-09-06 Thread Sigbjorn Lie
Hi, I attempt a login with a user account that's being denied access to the host via HBAC, I receive the following generic error message. Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied for user username: 4 (System error) Would it be an idea to change this to

Re: [Freeipa-users] Error message when denied by HBAC

2011-09-06 Thread Sigbjorn Lie
On 09/06/2011 08:37 PM, Stephen Gallagher wrote: On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: Hi, I attempt a login with a user account that's being denied access to the host via HBAC, I receive the following generic error message. Sep 6 20:02:03 ipa01 sshd[11592]: pam_sss

Re: [Freeipa-users] Error message when denied by HBAC

2011-09-06 Thread Sigbjorn Lie
On 09/06/2011 09:08 PM, Stephen Gallagher wrote: On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote: On 09/06/2011 08:37 PM, Stephen Gallagher wrote: On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: Hi, I attempt a login with a user account that's being denied access to the host via

[Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]

2011-09-15 Thread Sigbjorn Lie
I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well? Rgds, Siggi -Original Message- From: Red Hat Network Alert [mailto:dev-n...@rhn.redhat.com] Sent: 15. september 2011 09:58 To: Sigbjørn Lie Subject: RHN Errata Alert: ipa-client bug

[Freeipa-users] Add user - custom script

2011-09-15 Thread Sigbjorn Lie
Hi, Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run automatically by IPA would make my life a lot easier. Regards, Siggi

Re: [Freeipa-users] Add user - custom script

2011-09-15 Thread Sigbjorn Lie
On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: Hi, Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module? I have a custom script I run when creating a user account, and having this run

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 07:35 AM, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: Hi, Is there a custom script hook for when a user account is added using either the cli, webui, or the winsync module

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 01:53 PM, Simo Sorce wrote: On Fri, 2011-09-16 at 11:29 +0300, Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: Hi

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 02:45 PM, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Simo Sorce wrote: As a proof of concept sounds nice, but as is this would be bad, as changes to /etc/ipa/server.conf are not replicated through all masters. So a change on one server would require

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 05:43 PM, Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Sigbjorn Lie wrote: We can't do it now. AFAIR there was a ticket about something like this in the deferred bucket... Could not find it... But I remember a discussion. We might need to file a ticket to track this but sound

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 05:59 PM, Dmitri Pal wrote: On 09/16/2011 11:34 AM, Sigbjorn Lie wrote: On 09/16/2011 07:35 AM, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: Hi, Is there a custom script

Re: [Freeipa-users] Debian clients?

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 05:19 PM, Johan Sunnerstig wrote: Hello. I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what client software you opted to use? Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb software that's included in

Re: [Freeipa-users] Add user - custom script

2011-09-16 Thread Sigbjorn Lie
On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011 03:45 PM, Sigbjorn Lie wrote: Hi, Is there a custom script hook for when a user account is added using

Re: [Freeipa-users] Add user - custom script

2011-09-21 Thread Sigbjorn Lie
On 09/19/2011 03:42 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On Fri, September 16, 2011 23:18, Rob Crittenden wrote: Sigbjorn Lie wrote: On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15

[Freeipa-users] Client re-installation

2011-09-25 Thread Sigbjorn Lie
Hi, When a client is re-installed and the ipa-client-install script is run, the kerberos host keytab /etc/krb5.keytab is not retreived and placed on the client. Why? If I unprovision the host before reinstalling the client and running ipa-client-install, a new keytab is placed on the

[Freeipa-users] Certificate error when modifying/deleting a host

2011-09-25 Thread Sigbjorn Lie
Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa servers. All services seem to be running and

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-25 Thread Sigbjorn Lie
On 09/25/2011 11:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error in any log. I have tried to reboot my ipa

Re: [Freeipa-users] libcurl fix

2011-09-26 Thread Sigbjorn Lie
My systems are updated (RHEL5/6 and Fedora 15) to latest available version from the respective repositories. And I have no issues with libcurl. I noticed updates from RHN a few weeks back. My current RHEL6 pkg: libcurl-7.19.7-26.el6_1.2.x86_64. Rgds, Siggi On Mon, September 26, 2011

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-26 Thread Sigbjorn Lie
On 09/26/2011 12:01 AM, Sigbjorn Lie wrote: On 09/25/2011 11:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie
On 09/27/2011 12:34 AM, Dmitri Pal wrote: On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from the updates repository. I cannot find any error

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie
On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: On 09/27/2011 12:34 AM, Dmitri Pal wrote: On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get the same error from the webui and the cli. I am using F15, FreeIPA 2.1.1 + all updates from

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-27 Thread Sigbjorn Lie
On 09/27/2011 10:46 PM, Simo Sorce wrote: On Tue, 2011-09-27 at 22:22 +0200, Sigbjorn Lie wrote: On 09/27/2011 09:54 PM, Sigbjorn Lie wrote: On 09/27/2011 12:34 AM, Dmitri Pal wrote: On 09/25/2011 05:49 PM, Sigbjorn Lie wrote: Hi, I have a host that refuses to be modified or deleted. I get

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Sigbjorn Lie
On 09/28/2011 03:33 AM, Adam Young wrote: After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg http.port=8080 https.port=8443 On 09/27/2011 07:55 PM, Adam Young wrote: Siggi, This is my comment in

Re: [Freeipa-users] Certificate error when modifying/deleting a host

2011-09-28 Thread Sigbjorn Lie
On 09/28/2011 11:35 PM, Adam Young wrote: On 09/28/2011 05:03 PM, Sigbjorn Lie wrote: On 09/28/2011 03:33 AM, Adam Young wrote: After talking with the PKI developer that is fixing this, I found out that one other file needs to be modified: /var/lib/pki-ca/conf/CS.cfg http.port=8080

Re: [Freeipa-users] [Fwd: [Freeipa-devel] script to proxy-ize a dogtag instance]

2011-09-29 Thread Sigbjorn Lie
On 09/28/2011 11:36 PM, Ade Lee wrote: Cross-posting to freeipa-users. In addition, Adam determined that the following dirctives need to be enabled in /etc/httpd/conf.d/nss.conf : NSSRenegotiation on NSSRequireSafeNegotiation on Ade I have manually verified the files from reading your

[Freeipa-users] Configure browser

2011-10-12 Thread Sigbjorn Lie
Hi, I have just installed RHEL 6.2 beta, with ipa-server-2.1.1-4.el6.x86_64. I have installed firefox locally on the ipa server, for testings sake. I ran kinit, got a kerberos ticket. Started firefox, and followed the first time user instructions. Installing the cert worked fine. However when

[Freeipa-users] Default shell in Configuration in the WEBUI

2011-10-12 Thread Sigbjorn Lie
Hi, What's happened with the option for default shell under ipa server - configuration in the webui? This seem to be missing? I can still see and change the value for default shell using the CLI. Regards, Siggi ___ Freeipa-users mailing list

[Freeipa-users] Extending schema

2011-10-13 Thread Sigbjorn Lie
Hi, What is your recommendations for avoiding incompatability with future upgrades of IPA if extending the dirsrv schema and adding custom objects to the LDAP server is required? What considerations and precautions should be taken? Such as adding RBAC support for Solaris clients...

[Freeipa-users] ipa: ERROR: Auto Membership is not configured

2011-10-16 Thread Sigbjorn Lie
Hi, When I attempt to create a automember rule, I get an error message ipa: ERROR: Auto Membership is not configured. [root@ipa01 ~]# ipa automember-add --type=group s_serviceaccounts ipa: ERROR: Auto Membership is not configured [root@lieipa01 ~]# ipa group-add --desc=Developers devel

Re: [Freeipa-users] ipa: ERROR: Auto Membership is not configured

2011-10-17 Thread Sigbjorn Lie
On Mon, October 17, 2011 09:42, Martin Kosek wrote: On Sun, 2011-10-16 at 22:55 +0200, Sigbjorn Lie wrote: Hi, When I attempt to create a automember rule, I get an error message ipa: ERROR: Auto Membership is not configured. [root@ipa01 ~]# ipa automember-add --type=group

Re: [Freeipa-users] Centos 6

2011-10-19 Thread Sigbjorn Lie
For the stable version I suppose you have to wait for CentOS 6.2, after RHEL 6.2 is out. At the moment even CentOS 6.1 hasn't been released, so I thin it will be a while. Have a look at Scientific Linux instead: http://www.scientificlinux.org/ They're already got a 6.1 release with updated pkgs

[Freeipa-users] The concept of sites...

2011-10-19 Thread Sigbjorn Lie
Hi, Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers. E.g. Site: Boston Site: London Create a subdomain of the IPA dns

Re: [Freeipa-users] The concept of sites...

2011-10-19 Thread Sigbjorn Lie
...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, 20 October 2011 8:14 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] The concept of sites... Hi, Has there been given any thought to the concept of sites within

Re: [Freeipa-users] The concept of sites...

2011-10-19 Thread Sigbjorn Lie
On Wed, October 19, 2011 21:27, Simo Sorce wrote: On Wed, 2011-10-19 at 15:24 -0400, Dmitri Pal wrote: On 10/19/2011 03:14 PM, Sigbjorn Lie wrote: Hi, Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy

Re: [Freeipa-users] The concept of sites...

2011-10-19 Thread Sigbjorn Lie
only one winsync agreement? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, 20 October 2011 9:11 a.m. To: Steven Jones Cc

Re: [Freeipa-users] The concept of sites...

2011-10-20 Thread Sigbjorn Lie
/1032 On 10/19/2011 10:25 PM, Sigbjorn Lie wrote: The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com. Sync with AD

[Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Sigbjorn Lie
Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There is no hosts showing as enrolled in the webui. In the CLI hosts are reported to have a keytab. Is this a known issue? Rgds, Siggi PS. KUDOS on the speed of lookups! MASSIVE improvement both in the CLI and in the WEBUI!!!

Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Sigbjorn Lie
On 10/21/2011 08:15 PM, Adam Young wrote: On 10/21/2011 02:04 PM, Sigbjorn Lie wrote: Hi, I've updated to freeipa-server-2.1.3-2.fc15.x86_64. There is no hosts showing as enrolled in the webui. In the CLI hosts are reported to have a keytab. Is this a known issue? Rgds, Siggi PS. KUDOS

  1   2   3   >