Re: [Freeipa-users] Active directory trust and SSH

2016-09-05 Thread Tomas Krizek
how to login without prompting for passwords, but I think it is still necessary to provide the username with AD realm when logging in. If you're always logging in as the same user to certain machines, you could configure a default user in the ssh_config. Perhaps someone else will have a better

Re: [Freeipa-users] CA Fails to build Replica (w/External CA)

2016-09-21 Thread Tomas Krizek
fo['trust_flags'] KeyError: 'trust_flags' -- Korey Hi Korey, could you check if there is any more info in /var/log/pki/pki-ca-spawn log? It might also be helpful to verify if correct trust flags are set in nssdb: certutil -d /etc/pki/pki-tomcat/alias/ -L Finally, can you ch

Re: [Freeipa-users] ipa-server-install & certificates

2016-11-15 Thread Tomas Krizek
noarch pki-server-10.2.5-10.el7_2.noarch pki-tools-10.2.5-10.el7_2.x86_64 python-nss-0.16.0-3.el7.x86_64 sssd-krb5-1.13.0-40.el7_2.12.x86_64 sssd-krb5-common-1.13.0-40.el7_2.12.x86_64 Hi, can you check if your certificate can be used for an SSL server? You can use the following command ope

Re: [Freeipa-users] DNS search timeouts and incomplete results

2016-11-29 Thread Tomas Krizek
ed to increase this size limit, you will have to modify the nsslapd-sizelimit in cn=config. -- Tomas Krizek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek
equired Nov 28 11:15:35 krb5kdc[19573](info): closing down fd 11 Hi, you're hitting an issue with Let's Encrypt setup. https://github.com/freeipa/freeipa-letsencrypt/issues/1 unfortunately, I'm not aware of any workaround or solution as of now. -- Tomas Krizek

Re: [Freeipa-users] new install on Fedora 24 kinit: Generic preauthentication failure while getting initial credentials

2016-11-29 Thread Tomas Krizek
On 11/29/2016 10:50 AM, Tomas Krizek wrote: On 11/28/2016 05:38 PM, Robert Kudyba wrote: There seems to be a problem either with Kerberos and/or using a self signed certificate vs. Let’s Encrypt. I tried to run the set up script from https://github.com/freeipa/freeipa-letsencrypt and below

[Freeipa-users] Announcing bind-dyndb-ldap version 11.0

2016-12-16 Thread Tomas Krizek
list: http://www.redhat.com/mailman/listinfo/freeipa-users -- Tomas Krizek

Re: [Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones

2017-01-04 Thread Tomas Krizek
ce you want to only add a secondary zone in the main section, you should be fine. -- Tomas Krizek

Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Tomas Krizek
I don't understand whether you went through the steps and identified any issue. Does your setup use simple authentication or Kerberos? When you try to manually set named.conf to use the other option, does it work? Are you able to authenticate to LDAP using these methods in commands like ldapsearch? > > Jeff > > > -- Tomas Krizek

Re: [Freeipa-users] Error while issuing ipa-replica-install

2017-01-16 Thread Tomas Krizek
ly working on a fix. You can fix the problem yourself by modifying /var/lib/pki/pki-tomcat/conf/server.xml on the master server. In the AJP/1.3 Connector settings, change address from '::1' to 'localhost'. After you restart the pki-tomcat service, you should be able to install

Re: [Freeipa-users] bind-dyndb-ldap, AXFR and DS records

2017-02-09 Thread Tomas Krizek
Could you be affected by the limitations mentioned in [1]? [1] - https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates#Limitationsmissingfeatures -- Tomas Krizek

Re: [Freeipa-users] bind-dyndb-ldap, AXFR and DS records

2017-02-10 Thread Tomas Krizek
tly in BIND. If the AXFR doesn't contain the DS records then, it's related to BIND. Perhaps the BIND users (bind-us...@lists.isc.org) list might be able to assist you. -- Tomas Krizek

Re: [Freeipa-users] ipa-replica-conncheck wants listener on port 7389

2017-02-28 Thread Tomas Krizek
o? > > Thanks! > On a CentOS 7 IPA server, port 7389 should not be required. You can bypass the check with --skip-conncheck when running ipa-replica-install. -- Tomas Krizek

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-03 Thread Tomas Krizek
> Interfaces port 389 for LDAP requests > [28/Feb/2017:13:37:50 -0600] - Listening on All Interfaces port 636 > for LDAPS requests > [28/Feb/2017:13:37:50 -0600] - Listening on > /var/run/slapd-TEST-EXAMPLE-COM.socket for LDAPI requests > > I'm not sure why it is missing thoug

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-06 Thread Tomas Krizek
On 03/04/2017 12:51 AM, Chris Herdt wrote: > On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek wrote: >> >> On 03/02/2017 06:25 PM, Chris Herdt wrote: >> >> On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti wrote: >>> >>> >>> >>> On 02.03.201

Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Tomas Krizek
does not assign the addresses. That's something DHCP would do. If you do not use DHCP and assign the IP addresses statically, the network administrator would be the person responsible for assigning you a free IP address. -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

[Freeipa-users] Announcing bind-dyndb-ldap 11.1

2017-03-10 Thread Tomas Krizek
the upcoming weeks. == Feedback == Please provide comments, report bugs, and send any other feedback via the freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users -- Tomas Krizek PGP: 4A8B A48C 2AED 933

Re: [Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in

2017-03-27 Thread Tomas Krizek
install.cli.install_tool(Server): ERRORThe > ipa-server-install command failed. See /var/log/ipaserver-install.log for > more information The installation most likely fails because mail= is expected to be a part of the signed certificate's subject field. -- Tomas Krizek

Re: [Freeipa-users] bind-dyndb-ldap replication errors

2017-04-13 Thread Tomas Krizek
eem to fail. i am not sure where to look > for issues. You might be able to track down why the zone update fails if you run named in the foreground with a higher debug level to see more log messages: $ sudo -u named named -g -d 50 Then you can check what bind-dyndb-ldap logs before you

Re: [Freeipa-users] Weird problem with DNS updates from dhcp clients

2017-04-21 Thread Tomas Krizek
rds, configure dyndns_refresh_interval option in /etc/sssd/sssd.conf. -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

Re: [Freeipa-users] Any passwd vault examples?

2017-05-15 Thread Tomas Krizek
Vault documentation on the FreeIPA wiki [1]. I think you'd probably be most interested in the Vault Management chapters in the Implementation documents. [1] - https://www.freeipa.org/page/V4/Password_Vault -- Tomas Krizek PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869