[Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid

2016-01-05 Thread Simpson Lachlan
Hi, New install of FreeIPA 4.2.0-15.el7.centos.3 on Centos 7.2.1511 (and I'm very new to FreeIPA) Following the advice I got from here: http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords I dumped old shadow into a csv, then wrote a small bash script to import all the

Re: [Freeipa-users] Importing from shadow: ERROR: Constraint violation: pre-hashed passwords are not valid

2016-01-06 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > > >When I execute this, I get this error for every entry: "ipa: ERROR: > >Constraint violation: pre-hashed passwords are not valid" > > > >What have I done wrong? > Did you enable migration mode? The check in

[Freeipa-users] Inconsistant results with HBAC and SSH?

2016-05-26 Thread Simpson Lachlan
With the “allow all” HBAC rule enabled, we have no trouble logging in to any machine via ssh. When we disable the “allow all” rule and make specific per-machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable results, primarily resulting in an inability to login via ssh.

Re: [Freeipa-users] Inconsistant results with HBAC and SSH?

2016-05-26 Thread Simpson Lachlan
> With the “allow all” HBAC rule enabled, we have no trouble logging in to any > machine via ssh. When we disable the “allow all” rule and make specific per- > machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable > results, primarily resulting in an inability to login via

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-17 Thread Simpson Lachlan
> -Original Message- > > My syntax was all wrong. (Does anyone know how can I clear out bad syntax from > the systemctld output?) > > Anyway, I have a running dirsrv, but SMB still fails, and it's failing on > winbind first > (see notes below). It looks like it's because there's no

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-17 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > >This is from the smb log: > > > >It's hard to tell why they won't start, but it looks a little like > >Kerberos won't start because there aren't any values in LDAP, and LDAP > >won't start because Kerberos isn't

[Freeipa-users] IPA wont start, all services fail

2016-01-14 Thread Simpson Lachlan
Hi I’m not 100% sure where I've gone wrong, but I obviously have. Running Centos 7.2, with FreeIPA 4.2.0 from the repos. FreeIPA was set up per instructions (# ipa-server-install ), and we could surf to the website and interact with it. I set up a second server, yum install -y ipa-client,

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- I’m coming back to this thread for consistency, but is a result of me running ipactl on the system we got working a couple of hours ago. See email titled "idoverride-add gives incorrect, inconsistant

[Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-18 Thread Simpson Lachlan
Since I got the service back up and running, I was continuing my tests/learning by following the steps on the V4 Migrating existing environments to Trust page: http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#How_to_Test [root@vmts-linuxidm ~]# id testu...@co.org.au

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan I've rebooted the machine, confirmed that FreeIPA isn't functioning (nothing in the browser, nothing in sc). I run sc start dirsrv@UNIX-CO-ORG-AU.service ipactl start Starting Directory Service Starting krb5kdc Service Starting

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > This error says you don't have 'Default SMB Group' with a SID in it. > Re-run ipa-adtrust-install to re-create working setup. > > ipa-adtrust-install will attempt to fix those parts that are missing. Ok. I

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan > Sent: Tuesday, 19 January 2016 9:46 AM > To: 'Alexander Bokovoy' > Cc: freeipa-users@redhat.com > Subject: RE: [Freeipa-users] IPA wont start, all services fail > > > -Original Message- > > From

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-18 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > > - /etc/nsswitch.conf is all "files sss" - there's no winbind anywhere. > winbindd has multiple operations and we are using trust topology part of it, > not > identity management. Ok, thanks. > >My syntax

[Freeipa-users] "Installing the client"

2016-02-02 Thread Simpson Lachlan
In the docs, there is a section called "Installing the client". https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#setting-up-clients The very first step contains language that is not explained.

[Freeipa-users] Joining a host

2016-02-02 Thread Simpson Lachlan
Hola, Presuming a regular machine, I've started the join as per instructions: yum install ipa-client [root@vmts-linux1 ~]# ipa-client-install Error checking LDAP: Operations error: 04DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed

Re: [Freeipa-users] User mapping between domains

2016-02-02 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan > > and that via the ID Views Default Trust View the IPA server would: > - see that jsmith is "Smith Jane" in AD > - authenticate against "Smith Jane"'s AD password > - see that jsmith's uid now need

[Freeipa-users] User mapping between domains

2016-02-02 Thread Simpson Lachlan
IPA is successfully installed, a one way trust created, and we have been able to login using AD credentials. For future googlers, there is some bare bones documentation on how to allow AD users to login to your system, under the heading "Allow access for users from AD domain to protected

[Freeipa-users] Client Host isn't picking up the idduseroverrides

2016-02-03 Thread Simpson Lachlan
When my users log into the IPA server, the id user over rides work. But they don't when we log into a client host? What are we doing wrong? The overrides are in the "Default Trust View" so should be applied to all hosts. We are trying to find *why* and *where* this is failing, but without much

[Freeipa-users] FW: Joining a host

2016-02-02 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan > Sent: Wednesday, 3 February 2016 9:50 AM > To: Simpson Lachlan > Subject: RE: Joining a host > > > -Original Message- > > From: Simpson Lachlan > > > > [root@vmts-linux1 ~]# ipa-clie

Re: [Freeipa-users] Joining a host

2016-02-02 Thread Simpson Lachlan
> > -Original Message- > > From: Simpson Lachlan > > Sent: Wednesday, 3 February 2016 9:50 AM > > > > [root@vmts-linux1 ~]# ipa-client-install > > --server=vmts-linuxidm.unix.example.org - -domain=unix.example.org > > Autodis

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-19 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Let's start from the beginning: > > - What distribution you are running? Centos, Linux release 7.2.1511 (Core) > - What IPA packages are installed? [root@vmts-linuxidm ~]# yum list installed | grep ipa

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan > I would like to test a few things, but I'm finding it hard to find good > examples. > > How can I test that the one way trust relationship between the FreeIPA server >and the AD DC is still in effect? (FreeI

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 9:22 AM > >ses=4294967295 subj=kernel pid=18340 comm="httpd" reason="memory > >violation" sig=11 type=ANOM_ABEND msg=audit(1453325558.988:1245): > >auid=4294967295 uid=991

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > > Is there any coredump available with 389-ds crashing? I've asked you to use > http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes to enable > coredumps for 389-ds in one of previous discussions, was it done? > You seemed to get diverted to winbindd

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 9:22 AM > To: Simpson Lachlan > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA wont start, all services fail > > On Wed, 20 Jan 201

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 8:44 AM > To: Simpson Lachlan > Cc: tbor...@redhat.com; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA wont start, all services fail > > On W

[Freeipa-users] ipa-trust and SRV records

2016-01-26 Thread Simpson Lachlan
At the end of the installation of the ipa-adtrust-install, there is a message along the lines of: Add the following service records to your DNS server for DNS zone unix.co.org.au: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs _ldap._tcp.dc._msdcs

Re: [Freeipa-users] Removing the requirement to add domain to users login

2016-03-22 Thread Simpson Lachlan
Stacy With regard to your first problem, IIRC you can have it default to a single domain – it doesn’t matter which. Users from the other domain will need to login via the u...@my.other.domain.com I had exactly this problem. If you want to change it, it’s the

[Freeipa-users] Version name changed?

2016-03-03 Thread Simpson Lachlan
Hi, I have just installed Spacewalk to manage my servers and I noticed that the FreeIPA wanted to update some packages. My FreeIPA server is Centos 7. I noticed in Spacewalk that the ipa-server package (and various bits) wanted to update, and the relevant versions were: Installed packages:

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 5:12 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] File user and group ownership

Re: [Freeipa-users] File user and group ownership listings...

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Thursday, 19 May 2016 5:22 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] File user and group ownership listings... > > On Thu,

Re: [Freeipa-users] AD replication and password passthrough

2016-05-24 Thread Simpson Lachlan
by those three? L. From: Redmond, Stacy [mailto:stacy.redm...@blueshieldca.com] Sent: Wednesday, 25 May 2016 9:15 AM To: Simpson Lachlan Subject: RE: AD replication and password passthrough I am replacing ODS, and would like to replicate AD (ad.foo.com) to my new IPA installation (ipa.foo.com

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Wednesday, 18 May 2016 5:40 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > On

Re: [Freeipa-users] AD group membership

2016-05-19 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Thursday, 19 May 2016 4:07 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD group membership > > On

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Martin Kosek > Sent: Monday, 16 May 2016 11:28 PM > To: Lachlan Musicman; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD Primary Groups are ignored in

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Monday, 16 May 2016 11:46 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD Primary Groups are ignored

Re: [Freeipa-users] After successful ipa-client-install, sssd not used?

2016-05-15 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Monday, 16 May 2016 1:32 AM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] After successful ipa-client-install, sssd not > used? > >

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-19 Thread Simpson Lachlan
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of pgb205 Sent: Wednesday, 20 July 2016 5:28 AM To: Sumit Bose Cc: Freeipa-users Subject: Re: [Freeipa-users] Unable to ssh after establishing trust well...I'm not sure what I changed, if anything, but I

Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Simpson Lachlan
> -Original Message- > > On 09/19/2016 03:12 AM, Lachlan Musicman wrote: > > Hi > > > > Sometimes when I visit the ID Views page in the webgui, it is > > crushingly slow, and often it times out. > > > > Centos 7, ipa --version > > VERSION: 4.2.0, API_VERSION: 2.156 > > > > Is there a

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Simpson Lachlan
What version of sssd are you using? We found that it wouldn't work w sssd<1.14 On the IPA server, it would say "yep rule applies", but then on any particular machine it wouldn't (well, it would - but only intermittently). There's a COPR repo for Centos7 if you aren't on Fedora/RedHat. Cheers

Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-22 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Chris Dagdigian > Sent: Wednesday, 23 November 2016 2:37 AM > To: freeipa-users@redhat.com > Subject: [Freeipa-users] This again :) - ssh authentication for users in >

Re: [Freeipa-users] This again :) - ssh authentication for users in complex AD forest - where am I going wrong?

2016-11-22 Thread Simpson Lachlan
> -Original Message- > From: Chris Dagdigian [mailto:d...@sonsorol.org] > Sent: Wednesday, 23 November 2016 9:28 AM > To: Simpson Lachlan > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] This again :) - ssh authentication for users in > complex > AD f

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Bennett, Chip > Sent: Thursday, 13 October 2016 7:21 AM > To: Florence Blanc-Renaud; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Password Complexity