Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-05-29 Thread bahan w
May 29 2015 5:37 PM, bahan w bahanw042...@gmail.com wrote: Hello everyone. I send you this mail because I have a problem with the installation of FreeIPA Server 3.0 on a VM running on RHEL 6.4. First, when I performed the yum install ipa

[Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-05-29 Thread bahan w
Hello everyone. I send you this mail because I have a problem with the installation of FreeIPA Server 3.0 on a VM running on RHEL 6.4. First, when I performed the yum install ipa-server, I got an error but the installation finished finally with a complete. Here it is :

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-06-01 Thread bahan w
Hello everyone. I modified the /etc/selinux/config file : # # This file controls the state of SELinux on the system. # SELINUX=disabled # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings

[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello ! I send you this mail because I have a problem linked with SSH and FreeIPA. I have multiple servers : - One with FreeIPA server 3.0.0-26 - The others with FreeIPA client 3.0.0-26 They are running on RHEL 6.4. I configured a root user on each of them. On one specific server, I created an

[Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread bahan w
Hello. After an unsuccessful installation of ipa-server, 3.0.0-42, I try to uninstall it, but the uninstallation hangs at the following step : ### ipa-server-install --uninstall This is a NON REVERSIBLE operation and will delete all data and configuration! Are you sure you want to continue

[Freeipa-users] GID, groups and ipa group-show

2015-08-21 Thread bahan w
Hello ! I contact you because I notice something strange with IPA environment. I created a group : ipa group-add g1 --desc="my first group" Then I created a user with the GID of g1 GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'` ipa user-add --first=u1 --last=u1 --homedir=/home/u1

[Freeipa-users] How to modify the logging dir

2015-08-20 Thread bahan w
Hello. I send you this mail because I'm looking for a way to modify the logging dir of the different components embedded with FreeIPA. I already check here : http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html But I cannot see how to modify the logging dir of

[Freeipa-users] Service and Headless Keytabs

2015-08-21 Thread bahan w
Hello ! I send you this mail because I have a noobish question about keytabs. What is the difference between a service keytab and a headless keytab. In which keytab do we use a service keytab ? What is the definition of a service ? Is that a daemon running on a specific host ? When we perform a

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-11 Thread bahan w
Wow thank you Alexander for this information ! Best regards. Gwenael Le Barzic On 11 August 2015 at 08:45, Alexander Bokovoy aboko...@redhat.com wrote: On Mon, 10 Aug 2015, bahan w wrote: Hello. I don't know if you receive my previous mail, but thank you for your answer. I have two

[Freeipa-users] Concerning the krb5.conf

2015-08-07 Thread bahan w
Hello ! We are using freeipa version 3 and we are encountering a problem in our environment. We have one master kdc and two replicas. On the different linux servers on our environment, we have the following krb5.conf (I modified the hostname for NDA) : ### #File modified by ipa-client-install

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-10 Thread bahan w
of these three servers is currently used per server with this krb5.conf ? I need to check how I can resynchronize the last server. Best regards. Bahan On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Fri, 07 Aug 2015, bahan w wrote: Hello ! We are using freeipa version 3

[Freeipa-users] User, keytab, password and ldap

2015-09-23 Thread bahan w
Hello ! I'm using IPA 3.0.0 and I have a problem with one of the user I created. user3 I created this user with the command ipa user-add without specifying any password. Then I performed an ipa-getkeytab command with the -P option to have a keytab and a password. When I check the ldap server

[Freeipa-users] FreeIPA - Mixing clients using sssd for some and nscd/nslcd for others

2016-01-06 Thread bahan w
Hello ! I send you this mail because I am using this topology : - FreeIPA 3.0.0-42 - RHEL6.6 - Two masters (replicated) - n clients My question is the following : May I use for some clients sssd and for others the couple nscd/nslcd ? I would like to perform tests to compare both and I wondering

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-05 Thread bahan w
Hello. I have some questions related to this point : 1. On a RHEL6.6, may I install the package ipa-client 4.x and enroll to an ipa server 4.x located on a RHEL7 ? May you remind me the version of sssd embedded with ipa-client 4.x ? 2. The ipa-server 4.x can only be installed on RHEL7+,

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-05 Thread bahan w
Thanks. And for the ipa-client package ? Is it installable on Redhat 6.6 ? Or is it only installable on Redhat 7.x ? Best regards. Bahan On Tue, Jan 5, 2016 at 3:31 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (05/01/16 15:11), bahan w wrote: > >Hello. > > >

[Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Hello ! I configured my IPA server 3.0.0.42 without SSL/TLS access to the LDAP and I would like to enable this for the ldap. Is there something specific to use with FreeIPA or may I follow the DS389 doc

[Freeipa-users] FreeIPA availability, what to do client side ?

2015-12-21 Thread bahan w
Hello ! I contact you because I have a question relative to high availability with FreeIPA and replications. In the documentation, we can see information about what to do server side. But I can't find any information about what to do client side. Imagine one of the master server crash, how the

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
version of IPA ? Best regards. Bahan On Fri, Jan 8, 2016 at 2:37 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Fri, 08 Jan 2016, bahan w wrote: > >> Hello Alexander. >> >> Thank you for your answer. >> > Please don't ask in private, use freeipa-

Re: [Freeipa-users] How to secure the access to ldap with IPA

2016-01-08 Thread bahan w
Re. I installed the server like this : ### ipa-server-install -r -n --hostname= -p '' -a '' --no-ntp --no-ssh --no-sshd -U ### And for the clients : ### ipa-client-install --domain= --realm= --fixed-primary --server= --principal=admin --password='' --mkhomedir --hostname= --no-ntp --no-ssh

[Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread bahan w
Hello ! I send you this mail, because I have a problem with a user who needs keytab and password. I already sent a mail some time ago, and the answer was to use the option -P of the ipa-getkeytab command. I'm still running IPA 3.0.0-42 with RHEL 6.6 for specific reasons and I cannot move to

[Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
Hello ! I send you this mail because I have a question relative to the migration from the IPA distribution to the separate components. With FreeIPA, we are using only : - MIT Kerberos - DS389 - The PKI CA is installed but not used from our side Is it possible to migrate to the following

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
com> wrote: > On 01/13/2016 03:57 PM, bahan w wrote: > > Re. > > > > Thanks both of you for your answers. > > > > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the > same > > kind of service that we want from IPA, even if it is not embedde

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
016-01-13 at 14:54 +0100, bahan w wrote: > > Hello ! > > > > I send you this mail because I have a question relative to the migration > > from the IPA distribution to the separate components. > > > > With FreeIPA, we are using only : > > - MIT Kerberos >

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread bahan w
. Bahan On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Wed, 13 Jan 2016, bahan w wrote: > >> Hello Simo ! >> >> For the reason : >> The production team wants to use only the two components openLDAP and MIT >>

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
l.log DEBUG log somewhere so > that > we can get the full context of the bug? You may also want to open a RHEL-6 > Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only > maintained > in RHEL-6.x. > > Thanks, > Martin > > On 01/20/2016 01:39 PM, bahan w wrote: >

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I made a mistake. Here we are, for the confusing lines : ### Assuming realm is the same as domain: Generated basedn from realm: dc= Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=dc= Validated

[Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread bahan w
Hello ! I recently installed a replica (master2) in addition of my master (master1) with IPA 3.0.0-47 on RHEL6.6. I don't know from when exactly, but the dirsrv (and the whole ipa service) on master1 crashes regularly with the following logs. ### [22/Jan/2016:15:38:20 +0100] -

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello ! I send you this mail because of the following topic. I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous access for security reasons. But now, I have a problem when I try to enroll a new host. Here is the command I try : ### ipa-client-install --domain= --realm=

[Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread bahan w
Hello ! I send you this mail for a question about the kerberos logs on the ipa server. On the server, there are two configuration files : - kdc.conf : for the server - krb5.conf : for the client In both of these files, we can put a logging section. In this section, there is 3 parameters : -

[Freeipa-users] About ipa passwd and kpasswd

2016-02-18 Thread bahan w
Hello everyone. I send you this mail because I have sometimes a problem when using ipa passwd to generate a One Time Password and then using kpasswd to set a strong random password using a password policy. When I perform the ipa passwd command and just after the kpasswd command, I got an error

[Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Hello ! I performed recently an ipa user-add for a new user and when I check in the ldap, I can see two entries for it : - One in uid=,cn=users,cn=compat,dc= - One in uid=,cn=users,cn=accounts,dc= Is it normal ? I know that my user is the one defined in the tree cn=users,cn=accounts,dc=. What

Re: [Freeipa-users] ipa user-add, two entries in the ldap

2016-05-13 Thread bahan w
Please ignore the character "-" in . On Fri, May 13, 2016 at 4:09 PM, bahan w <bahanw042...@gmail.com> wrote: > Hello ! > > I performed recently an ipa user-add for a new user and when I check in > the ldap, I can see two entries for it : > - One in uid=,cn=users,c

[Freeipa-users] A question related to ipa webui

2016-08-11 Thread bahan w
Hello ! I'm using ipa 3.0.0.47. I have an architecture where the IPA server is located on a secure zone, not accessible from anyone. The IPA server has 2 network interfaces : - IP1 - IP2 In the secure zone, the IP1 network is used for the communication between the servers. The IP2 is used for

[Freeipa-users] Impossible to restart IPA because of the presence of a file called CS.cfg.bak.saved

2016-07-12 Thread bahan w
Hello everyone. I'm using ipa 3.0.0-47 on a RHEL6.6 OS (multi-masters). Today I tried to restart the IPA service with the command ### service ipa restart ### And I got the following warning concerning the pkica service : ### Since the file '/var/lib/pki-ca/conf/CS.cfg.bak.saved' exists, a

[Freeipa-users] A question related the passwords in the ldap

2016-07-05 Thread bahan w
Hello ! I'm running ipa 3.0.0.47 and I have a question related to the password stored in the ldap. I was wondering if the users password were natively encrypted ? if yes, do you know by which mechanism ? Thank you in advance for your help. BR. Bahan -- Manage your subscription for the

[Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread bahan w
Hello ! I'm using freeipa 3.0.0-47. I send you this mail concerning the automatic kinit at ssh login ? I wanted to know if it was possible to deactivate it on a specific server ? The reason is that I have some of my users who often use another ticket than their own and this feature can be

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
On 24 August 2016 at 18:42, "bahan w" <bahanw042...@gmail.com> wrote: > Hey guys. > > I rechecked and in fact I also have the same message on the multi master > setup with one master unsynchronized : > ### > Master: :389 ldap://:389/ > Replic

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
Hello everyone. Could you explain to me about this field Sent/Skipped please ? I checked the doc and found this : ### Sent/Skipped : The number of changes that were sent from the supplier and the number skipped in the replication update. The numbers are kept in suppliers’ memory only and are

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
ABLE Any idea ? Best regards. Bahan On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote: > Ok, I managed to restart the IPA service by adding this line in the file > /etc/httpd/conf.d/nss.conf : > ### > NSSEnforceValidCerts off > ### > > But w

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
### Best regards. Bahan On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote: > > > On 14.09.2016 17:59, bahan w wrote: > > Hello ! > > I send you this mail because I cannot restart my test IPA server. > > When I try to start it with service ipa

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
: RUNNING CA Service: RUNNING ### I'm checking the /var/log/pki-ca logs to see if I find something. Best regards. Bahan On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042...@gmail.com> wrote: > Sorry Martin, > > This is not the first time I forgot to add back freeipa users. >

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
mba...@redhat.com> wrote: > did you restart IPA when you moved time? Is there are more detailed error > description in output of getcert list? > > On 14.09.2016 18:45, bahan w wrote: > > I set the date-time when the certificates were valid : > ### > # date -s '2016-05-27 1

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
called selftests.container.instance.SystemCertsVerification running at startup FAILED! ### But nothing else. Best regards. Bahan On Wed, Sep 14, 2016 at 7:27 PM, bahan w <bahanw042...@gmail.com> wrote: > I tried also the following commands : > ### > # ipa cert-show 1 > ipa:

[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Hello ! I send you this mail because I cannot restart my test IPA server. When I try to start it with service ipa start, I got the following error message : ### # service ipa start Starting Directory Service Starting dirsrv: ...[14/Sep/2016:17:57:23 +0200] - SSL alert:

[Freeipa-users] Problem with a filer and FreeIPA

2016-09-22 Thread bahan w
Hello ! I contact you because I have a problem with a filer mounted on a server on which I installed freeipa client. I'm using FreeIPA 3.0.0-47 for both client and servers. The filer is mounted on /myfiler I have a user defined in freeipa : User1 I have a group defined in freeipa : Group1 I

[Freeipa-users] Two masters and one of them is desynchronized

2016-08-23 Thread bahan w
Hello ! I am using IPA 3.0.0 on RedHat 6.6 servers. I have two masters and this evening, I realized that one of them was desynchronized, some users and groups were missing. I was wondering if there was an ipa command to resynchronize replica which are not sync with the other ? Thank you in

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-24 Thread bahan w
Hey guys. I performed it : ### # /usr/bin/repl-monitor.pl -f /tmp/checkconf -s Directory Server Replication Status (Version 1.1) Time: Wed Aug 24 2016 18:16:50 Master: :389 ldap://:389/ Replica ID: 4 Replica Root: dc= Max CSN: 57bdc89700030004 (08/24/2016 18:17:27 3 0) Receiver: :389

[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Hello everyone ! I have an ipa server and an ipa client both in 3.0.0-47. In order to connect via SSH to the host of the ipa-client, I use root. When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab : ### kinit -kt /etc/security/keytabs/.headless.keytab

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
storage which is mentioned in the logs ? Best regards. Bahan On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabi...@redhat.com> wrote: > On 10/25/2016 10:27 AM, bahan w wrote: > >> Hello everyone ! >> >> I have an ipa server and an ipa client both in 3.0.0

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-27 Thread bahan w
Help ? Best regards. Bahan On Tue, Oct 25, 2016 at 1:00 PM, bahan w <bahanw042...@gmail.com> wrote: > Re. > > There is no time difference between client and server. > > I checked the httpd error log and saw no errors. > Same with the dirsrv error logs. > > A