Re: [Freeipa-users] Using FreeIPA as password backend for Samba

2009-09-23 Thread Simo Sorce
On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote: Hi, I'm currently deploying IPA in our server infrastructure and I came across one particular problem. I have several development servers hooked up to IPA. Devs are locally developing code on them, accessing it through Samba

Re: [Freeipa-users] FreeIPA crashes after many mystery connections

2009-10-22 Thread Simo Sorce
. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] As a non-developer, how can I contribute??

2009-10-23 Thread Simo Sorce
be really appreciated and so on. You don't need a developer to help, just look at the project and identify a weak area where you think you can contribute and let us know what you plan to do. Simo. -- Simo Sorce * Red Hat, Inc * New York

RE: [Freeipa-users] FreeIPA crashes after many mystery connections

2009-10-23 Thread Simo Sorce
On Fri, 2009-10-23 at 09:59 +0100, Andy Singleton wrote: There isn't much in the krb5kdc.logs. Server A has a few entries about a minute before the incident. Then nothing until we had to reboot the box. Very strange ... Do you still have the DS error log ? Anything in there ? Simo. -- Simo

RE: [Freeipa-users] FreeIPA crashes after many mystery connections

2009-10-26 Thread Simo Sorce
On Mon, 2009-10-26 at 08:46 +, Andy Singleton wrote: As far as I can see, whatever was trying to connect kept trying, and filling up new slots as they became available until I rebooted. How many clients do you have ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] LDAP-101

2009-12-08 Thread Simo Sorce
restart. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Cross realm authentication

2009-12-18 Thread Simo Sorce
. This second part requires a way to provide the other realm users to your system. At the moment we do not have any automated mechanism in FreeIPA itself or in the client to provide that. We will work on these features next year. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] AD user intergration with IPA

2010-01-11 Thread Simo Sorce
is to provide sudo access for the users you want to grant root privs to. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA master replica generation divorce?

2010-01-13 Thread Simo Sorce
. Of course, as Rob already pointed out, you may want to add replication channels between replicas so that your master server is not critical for replication if you have to shut it down. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS replica setup problem

2010-02-01 Thread Simo Sorce
On Mon, 1 Feb 2010 10:57:35 -0800 Scott Kaminski scott.kamin...@gmail.com wrote: What is it that i'm missing here? Anything in /etc/hosts ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Needed_Preauth Issue

2010-03-09 Thread Simo Sorce
back to password auth I suggest looking at the server's logs. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
both enabled they would interfere, only one or the other. The 389 memberof plugin is probably better now, as we merge all the code we developed for ipa in there. But unless you have specific problems you can just leave it as it is. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Simo Sorce
password for both google apps *and* your company resources. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-02 Thread Simo Sorce
for the first time. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

2010-05-12 Thread Simo Sorce
connections, or is there more ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

2010-05-26 Thread Simo Sorce
to start an effort on our own, we may reconsider this after we get 2.0 out of the door. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
rekey your NFS credentials to add RC4/AES keys (rekeying works only if both client and server kernels support anything but DES, I think F13's kernels should have those patches now, but old kernels support only DES). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
On Thu, 27 May 2010 12:27:49 -0400 Simo Sorce sso...@redhat.com wrote: Tom, apologies, I meant Thomas, not enough sleep I guess :/ Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
On Thu, 27 May 2010 19:13:47 +0200 Thomas Sailer t.sai...@alumni.ethz.ch wrote: On Thu, 2010-05-27 at 12:27 -0400, Simo Sorce wrote: Try adding allow_weak_crypto = true to your krb5.conf or alternatively rekey your NFS credentials to add RC4/AES keys (rekeying works only if both client

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
it as unconfined. Can you check /var/log/audit/audit.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-16 Thread Simo Sorce
is cn=ipa-dna,cn=plugins,cn=config There may be something else we found I am missing, but these 2 are pretty fundamental things. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSSD Cache

2010-06-29 Thread Simo Sorce
and restarting SSSD. The db file to be deleted has the domain name (as used in the sssd.conf section tag) in the file name. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSSD Cache

2010-06-30 Thread Simo Sorce
reflected by the results of the 'id' command. Ok this is the expected behavior. Maybe the cache was corrupted? Unlikely, maybe your SSSD went offline and wasn't able to get back online for some reason until you restarted it ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 15:30:23 -0400 Scott Duckworth sduc...@clemson.edu wrote: On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce sso...@redhat.com wrote: On Thu, 22 Jul 2010 11:10:25 -0400 Scott Duckworth sduc...@clemson.edu wrote: I removed all files from /var/lib/sss/db/ and restarted

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 16:22:45 -0400 Scott Duckworth sduc...@clemson.edu wrote: On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce sso...@redhat.com wrote: On Thu, 22 Jul 2010 15:30:23 -0400 Scott Duckworth sduc...@clemson.edu wrote: On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce sso

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
of will be very helpful. memberof is not required by rfc2307bis. Actually it is not even mentioned by rfc2307bis, so it is our fault if we depend on it. rfc2307bis actually mentions only uniquemember. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-26 Thread Simo Sorce
that do not use any form of nesting. The parameter should actually probably be an integer that determines the level of nesting we allow to search at runtime, with 0 meaning none and any other value up to a maximum we define allowing deeper and deeper nesting. Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Simo Sorce
any IPA controlled subtree. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Simo Sorce
, and should be simply re-generated on the receiving replica when member attributes are replicated. Are the IPA versions on the master and the replica the same ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Secure nfs4 and Fedora 14

2010-11-11 Thread Simo Sorce
. This looks like a kernel/rpc.gssd bug, I would file a ticket against those components. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
your data first). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
On Mon, 06 Dec 2010 18:31:37 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote: On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote: Hi Simo, thanks for your response! We are seeing an issue with F14 DS where it has been built against openldap libraries while we still have

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
On Mon, 06 Dec 2010 19:43:29 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote: On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote: Keys are stored in ldap and asn.1 encoding is generated using ldap libraries before storing it. If that operation fails it may generate malformed

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-08 Thread Simo Sorce
On Tue, 07 Dec 2010 10:51:55 +0100 Thomas Sailer sai...@sailer.dynip.lugs.ch wrote: On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote: Hi Simo, I pushed the patch in git just today :) Your patch indeed helps :) I've adapted it to the fc14 srpm, compiled it, and at least the extop

Re: [Freeipa-users] Unable to access web interface

2010-12-31 Thread Simo Sorce
-- --- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Unable to change Admin password

2011-01-12 Thread Simo Sorce
will be greatly appreciated Is ipa_kpasswd running ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0

2011-01-17 Thread Simo Sorce
from, or how I can do things the proper way for IPA? /etc/ipa/ca.crt is another place where the cert can be found. but for winsync you can pass the cacert on the command line, have you tried that ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
: DsInstance instance has no attribute 'subject_base' I have opened ticket 807[1] to track this. Would you be available to test a patch ? Simo. [1] https://fedorahosted.org/freeipa/ticket/807 -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 09:28:45 -0500 Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 12:52:54 +0530 Aravind GV aravind...@gmail.com wrote: Hi All Please help me in adding a synchronization agreement. I followed ( http://freeipa.org/docs/2.0.0/Installation_Deployment_Guide/en-US

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
dirsrv: AGV-COM...[ OK ] PKI-IPA...[ OK ] *INFO:root:stderr=* *unexpected error: 'Env' object has no attribute 'ra_plugin'* Regards, AGV On Wed, Jan 19, 2011 at 8:29 PM, Simo Sorce sso...@redhat.com wrote: On Wed, 19 Jan 2011 09:28:45 -0500 Simo Sorce sso

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-20 Thread Simo Sorce
, but at the moment I do not have a test environment that lets me test winsync replication. Hopefully this new patch should fix the remaining regressions. Simo. -- Simo Sorce * Red Hat, Inc * New York From 5c9952b5e166dde222bc8c5433ca97480432a980 Mon Sep 17 00:00:00 2001 From: Simo Sorce sso

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Simo Sorce
this assertion. I have not tried to restart the ipa services on the working server for fear that it might stop working. Do you see errors in /var/log/krb5kdc.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Simo Sorce
On Tue, 25 Jan 2011 15:58:35 -0500 James Roman james.ro...@ssaihq.com wrote: On 1/25/11 2:44 PM, Simo Sorce wrote: On Tue, 25 Jan 2011 14:33:14 -0500 James Roman james.ro...@ssaihq.com wrote: On 01/25/2011 12:42 PM, Simo Sorce wrote: On Tue, 25 Jan 2011 12:04:25 -0500 James

Re: [Freeipa-users] admin password

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 09:09 -0500, Uzor Ide wrote: Hi all How do I make admin password not to expire immediately after changing it? It is always set to expire even if you use kpasswd to change it ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
On Thu, 27 Jan 2011 19:20:02 -0500 James Roman james.ro...@ssaihq.com wrote: On 1/27/11 12:58 PM, Simo Sorce wrote: On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote: So it looks like the replication password issue was a red herring as far as the kerberos is concerned. I issued

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
was not protected against it. In v2 we perfected the pw policies check so that the kerberos policies cover also binds done against DS directly. I also am adding a patch so that uid=kdc is protected in case DS policy is enabled nonetheless for whatever reason. Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
On Fri, 28 Jan 2011 17:39:14 -0500 James Roman james.ro...@ssaihq.com wrote: On 01/28/2011 10:39 AM, Simo Sorce wrote: First of all. I am glad this was resolved, it looked puzzling indeed. I just want to note that we do not support using the DS password policy in ipa as we already

Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-02-01 Thread Simo Sorce
the users/host/services data by using the ipa user-add/host-add/service-add commands. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA future releases.

2011-02-04 Thread Simo Sorce
. However we will evaluate whether integrating DHCP is something we can do for a future release, or maybe something people are willing to contribute. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-09 Thread Simo Sorce
on the KDC. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Simo Sorce
On Wed, 9 Feb 2011 16:13:39 + Brett Maton mat...@ltresources.co.uk wrote: I can't get a Windows 7 client to authenticate against Freeipa (ver 2.0.0.pre2) running on Fedora 14. Brett, can you tell me what krb5-server package do you have installed ? Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Simo Sorce
an ACI on the container to give the user you want full control on that container. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Simo Sorce
search: 2 result: 32 No such object What is the realm name you choose ? # numResponses: 1 [root@fed14-64-ipam001 /]# fed14-64-ipam001 NETWORKING=yes HOSTNAME=fed14-64-ipam001 NTPSERVERARGS=iburst The server hostname must be fully qualified on an ipa server. Simo. -- Simo Sorce

Re: [Freeipa-users] Time bug

2011-03-04 Thread Simo Sorce
as all my machines think its NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go boom? No, it is just a display issue in the UI, internally all software uses unix timestamps and UTC. Simo. -- Simo Sorce * Red Hat, Inc * New

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Simo Sorce
-- 8- Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it. Rob, do you have any insight here? does /var/log/ipaclient-install.log show any error ? Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
-client-install in future. Simo. -- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
. -- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Sync with AD error

2011-03-13 Thread Simo Sorce
Hi, I upgraded in place. I did the initial installation on the 12th of February. I think I started out with the first RC. Do I still have to reinstall? Have you run ipa-ldap-updater after the rpm upgrade ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Delete AD replica failure

2011-03-21 Thread Simo Sorce
disconnect dc01.ad.nowhere.com After re-creating the sync agreement with the win-subtree option, IPA synced with AD successfully. Great, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] ipa client install

2011-03-24 Thread Simo Sorce
by IPA. But if you wanted to setup an HTTP server that uses the same PKI as IPA you'd have a certificate and key available. cheers -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] extending FreeIPA

2011-05-06 Thread Simo Sorce
will let Adam reply to this one. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] RHEL client to IPA

2011-05-13 Thread Simo Sorce
. And also probably changed the admin password to rubbish. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IPA Startup issues

2011-05-16 Thread Simo Sorce
. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Simo Sorce
On Wed, 2011-05-18 at 03:18 +, Steven Jones wrote: I'm getting, SASL bind failed! As I said earlier this is happening because you changed the admin password with a random secret when you passed -p admin in the previous attempt. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Simo Sorce
On Wed, 2011-05-18 at 20:30 +, Steven Jones wrote: Which is why I asked rob how to reset it which I did so its not that?..at least it makes no obvious sense that it is? Once you reset the password as Rob told you all is fine again. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IPA server as a DNS server and design things

2011-05-18 Thread Simo Sorce
that... It is not necessary, although I would recommend that you properly set the ptr records at least for your servers in the DNS that is managing your reverse zones. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] help! IPA server she explode!

2011-05-19 Thread Simo Sorce
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote: I have an internal ajax error! :( the logs say, Ping me later on IRC, I'd like you to run some commands, and it will be easier done interactively. Simo.

Re: [Freeipa-users] DNS denied for clients

2011-05-24 Thread Simo Sorce
or in another ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS denied for clients

2011-05-24 Thread Simo Sorce
and apply the proper allows as Adam suggested in the other message. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS denied for clients

2011-05-24 Thread Simo Sorce
named.conf Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] kerberos to keberos inter-realm trusts

2011-05-25 Thread Simo Sorce
On Wed, 2011-05-25 at 04:23 +, Steven Jones wrote: Can IPA do this? Technically MIT Kerberos can do that, but we do not have any infrastructure to properly handle trusts yet at the identity level. Cross-Realm trusts are the focus of version 3.0 Simo. -- Simo Sorce * Red Hat, Inc * New

Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

2011-05-25 Thread Simo Sorce
, but the V2 docs currently seem quite developer-centric, does anyone have any links for me? Take a look at this: http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/ Still a work in progress but there is a lot already. Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] Migration from FreeIPA 1.2.1 to 2

2011-05-26 Thread Simo Sorce
would work like in the Kerberos+openldap setup in the school you mention. So it is technically possible, we simply do not yet make it easy for you by providing wrappers. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Can FreeIPA v2 be used as Zimbra external LDAP authenticator?

2011-05-27 Thread Simo Sorce
it for the web interface too at some point). It would be awesome to get a similar writeup of how to configure it in that case. I am sure many users would be delighted to be able to do SSO against the mail server (ie no need to enter any password at all after login). Simo. -- Simo Sorce * Red Hat

Re: [Freeipa-users] bug in ipa user-add

2011-05-31 Thread Simo Sorce
On Tue, 2011-05-31 at 02:17 +, Steven Jones wrote: Hi, So the docs should cover this at the least Sorry Steve, that's basic shell behavior, and you'll find info in the bash man pages. Nothing to do with the IPA commands. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Difficulty installing freeipa

2011-06-03 Thread Simo Sorce
, Simo -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] sync passwords with AD or not per user

2011-06-08 Thread Simo Sorce
. Will it be rejected, accepted? The ipa-pwd-extop module has a list of users that can set passwords w/o having them quality checked. The passsync user is normally one of these users. And passwords replicated from windows are not quality checked. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS in freeipa

2011-06-08 Thread Simo Sorce
-users -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-08 Thread Simo Sorce
..later logins are fine. Steven, so the problem is that you got a bogus warning, but it is working properly beyond that ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-08 Thread Simo Sorce
On Wed, 2011-06-08 at 22:56 +, Steven Jones wrote: Bogus except it wouldn't allow me to login unless I changed my password, yes. Was this right after you used an administrative account to change the user password ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-09 Thread Simo Sorce
On Wed, 2011-06-08 at 23:08 +, Steven Jones wrote: Hi, Nope.password1 was set on buildit hasn't been changed by root or the user at all. I think this will apply then: http://www.freeipa.org/page/NewPasswordsExpired Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] New user first login behaviour (Fedora 15)

2011-06-09 Thread Simo Sorce
home directories at login if they are not available yet. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Kerberos problem with account with changed attributes

2011-06-09 Thread Simo Sorce
, ... then use ldapmodrdn -r cn=1211,cn=users,cn=acc. cn=username This will rename the user properly and a plugin will take care of renaming also the kerberos principal. Local client caches may need some purging to properly pick up the new value. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA 2, adding Samba attributes

2011-06-09 Thread Simo Sorce
: sambaSid: ...-$uid, where $uid is expanded when the user is created. You probably want to use the DNA plugin to generate the sambaSid for you once you have a domain SID, it's not too difficult and will be much less error prone. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Inconsistant first login behaviour

2011-06-10 Thread Simo Sorce
, please open a bug against the specific distro version, feel free to assign it to the sssd components or pam_krb5 components depending on what you are using on the specific machine. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Configuring IPA replicas

2011-06-13 Thread Simo Sorce
this error, have you created a new replica package with ipa-replica-prepare to create the second replica ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Disable ldap dns lookup in freeipa?

2011-06-13 Thread Simo Sorce
:) Use your regular DNS servers as forwarders, and configure the /etc/resolv.conf file to point to 127.0.0.1 It will make your life much easier. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Simo Sorce
-- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Change UID range

2011-06-14 Thread Simo Sorce
the 1M-2B range, so almost 10k different possible buckets. The chance 2 installations end up getting the same bucket are very low. However you can always force the UID to be used at user creation by explicitly specifying the IDs you want. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Change UID range

2011-06-14 Thread Simo Sorce
On Tue, 2011-06-14 at 09:48 -0400, Simo Sorce wrote: On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote: The decision to make the range start at 1 billion was made specifically BECAUSE the chances of a company having that many users was statistically unlikely. Correction we

Re: [Freeipa-users] SRV record to tell w2k8 machines to use IPA server for ldap

2011-06-18 Thread Simo Sorce
not complete, but has enough basic AD infrastructure to work for single domain deployments, with some minor restrictions. Simo. [1] http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-21 Thread Simo Sorce
-Setting_up_Windows_Sync_on_the_IPA_Server If the command didn't give you an error it is a bug, can you please open a ticket ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS zone transfers

2011-06-21 Thread Simo Sorce
On Tue, 2011-06-21 at 12:12 +0200, Adam Tkac wrote: On 06/16/2011 09:38 PM, Loris Santamaria wrote: El jue, 16-06-2011 a las 11:27 -0400, Simo Sorce escribió: On Thu, 2011-06-16 at 10:31 -0430, Loris Santamaria wrote: Hi, I would like to use my freeIPA v2 server as my master name server

Re: [Freeipa-users] AD/IPA Full Name

2011-06-23 Thread Simo Sorce
consequences it could have, that IPA is changing read-only attributes in the AD? The Full Name field is not read-only in AD. It is exactly the attribute in which you are supposed to put the user's Full Name. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] adding PTR record for a host on the network

2011-06-29 Thread Simo Sorce
4.22.168.192.in-addr.arpa. not found: 3(NXDOMAIN) Thanks for having a look! Have you just recently created the 22.168.192.in-addr.arpa zone ? One thing we still haven't addressed is that when you create new zones you have to restart named before it will serve them. Simo. -- Simo Sorce * Red Hat

Re: [Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect

2011-06-30 Thread Simo Sorce
. That said if you want to use your main DNS for client, you can simply fix issues by adding reverse records into it at least for IPA servers. Or give the IPA machine a subnet and forward requests for that subnet too. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Alternatives to freeipa

2011-07-08 Thread Simo Sorce
- unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care). What is broken ? I certainly do care. Please reply privately, as this is not the right place to discuss other projects' bugs. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Alternatives to freeipa

2011-07-08 Thread Simo Sorce
in this case to avoid problems is to just ignore the 'non-authoritative' setting on the backend being used. On a Samba server with LDAP the authoritative is the gidNumber. On AD (obviously) the authoritative one is the primary group Sid, so gidNumber is ignored. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Joining realm failed because of failing XML-RPC request FreIPA V2

2011-07-08 Thread Simo Sorce
/nssdb because certmonger can't communicate with the IPA backend. The other option is to downgrade curl to a previously working version, although the upgrade was supposedly a security fix and the fix was to remove this functionality ... Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Dead Freeipa

2011-07-28 Thread Simo Sorce
dirsrv immediately upon startup. The only case where ipactl stops dirsrv is when it fails to find information with the ldapsearch done immediately after dirsrv starts. Is it possible the dirsrv init script returns before dirsrv is actually ready to serve requests ? Simo. -- Simo Sorce * Red Hat
