[Freeipa-users] Freeipa deployment request

2016-01-22 Thread Visakh MV
Hi team, We have a plan to integrate Windows AD and OpenShift Origin with FreeIPA. We have doubts about DNS working between those, and also need configuration details of replication between those. If you guys provide any kind of information on the above, I really would like to go for with

Re: [Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-22 Thread Lachlan Musicman
The /var/log/sssd/ldap_child.log has one line repeated: [[sssd[ldap_child[9738]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm UNIX.CO.ORG.AU All other log files are 0 size. cheers L. -- The most dangerous phrase in the language is,

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Rich Megginson
On 01/22/2016 11:04 AM, Nathan Peters wrote: Wow, strange stuff, the search I linked in the last email for our non-working dev environment seems to be short some entries. For comparison, here is the same search run against our currently working prod environment. As you can see, our prod

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Ludwig Krispenz
On 01/22/2016 04:48 AM, Nathan Peters wrote: Here are the results for that aci search using a non-gssapi bind by directory manager on the old master that we are attempting to join against. I don't see anything in this list that would indicate that some users should or should not have access

Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Alexander Bokovoy
- Original Message - > Hi all, > > I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like > this: > > ~ > dns_lookup_realm = false > dns_lookup_kdc = false > ~ > [realms] > LINUX.EXAMPLE.COM = { > pkinit_anchors = FILE:/etc/ipa/ca.crt > http_anchors =

Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Christian Heimes
On 2016-01-22 11:57, Alexander Bokovoy wrote: > - Original Message - >> Hi all, >> >> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like >> this: >> >> ~ >> dns_lookup_realm = false >> dns_lookup_kdc = false >> ~ >> [realms] >> LINUX.EXAMPLE.COM = { >> pkinit_anchors

[Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-22 Thread Birnbaum, Warren (ETW)
Hi. I have been successful using FreeIPA 4.1 configuring Active Directory users and with sudo. The problem I am having is that the HBAC rules are not applying to my Active Directory users. They have access to all systems even if I disable my Allow_ALL rule. Is there something special I

Re: [Freeipa-users] FREAK Vulnerability

2016-01-22 Thread Martin Kosek
On 01/21/2016 05:54 PM, Terry John wrote: I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using OpenVAS vulnerability scanner and it is coming up with this issue EXPORT_RSA cipher suites supported by the remote server: TLSv1.0:

Re: [Freeipa-users] FREAK Vulnerability

2016-01-22 Thread Christian Heimes
On 2016-01-21 17:54, Terry John wrote: > Thanks for the info. I have tried nearly all the NSSCipherSuite settings in > that ticket but none so far has eliminated the FREAK report. > Christian thanks for the heads up on the syntax, I wasn't sure of what I was > doing > > Each time I've made a
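The thread above is about an OpenVAS FREAK finding (export-grade RSA cipher suites accepted) and about which NSSCipherSuite value makes it go away. The following is an added example, not code from the thread and not FreeIPA or mod_nss code: a small lint that parses a mod_nss NSSCipherSuite directive, lists the weak ciphers it still enables, and emits the same directive with those entries flipped to "-". The classification of "weak" by cipher-name pattern (40/56-bit export grades, NULL, single DES, Fortezza) and the sample directive in the comments are assumptions of this example, not copied from any nss.conf.

```python
"""Added example: lint and harden a mod_nss NSSCipherSuite directive.

The directive is a comma-separated list of "+name" (enable) / "-name"
(disable) entries using mod_nss cipher names.  Weak ciphers are detected
by name pattern; that pattern set is an assumption of this example.
"""
import re
from typing import List, Tuple

_WEAK_PATTERNS = [
    re.compile(r"_(40|56)_"),        # export-grade key sizes, the FREAK-relevant ones
    re.compile(r"(^|_)null(_|$)"),   # no encryption at all
    re.compile(r"(^|_)des_"),        # single DES ("3des" does not match: preceded by '3')
    re.compile(r"^fortezza"),        # legacy Fortezza suites
]


def parse_cipher_suite(directive: str) -> List[Tuple[bool, str]]:
    """Turn "+a,-b,+c" into [(True, "a"), (False, "b"), (True, "c")]."""
    entries: List[Tuple[bool, str]] = []
    for raw in directive.split(","):
        item = raw.strip()
        if not item:
            continue
        if item[0] not in "+-" or len(item) < 2:
            raise ValueError("malformed NSSCipherSuite entry: %r" % item)
        entries.append((item[0] == "+", item[1:].lower()))
    return entries


def is_weak_cipher(name: str) -> bool:
    return any(p.search(name) for p in _WEAK_PATTERNS)


def enabled_weak_ciphers(directive: str) -> List[str]:
    """Names that are both enabled ('+') and classified weak; this is what a
    scanner such as OpenVAS would report as offered by the server."""
    return [name for on, name in parse_cipher_suite(directive) if on and is_weak_cipher(name)]


def harden_cipher_suite(directive: str) -> Tuple[str, List[str]]:
    """Return (hardened directive, list of names that were flipped to '-').
    Entries that were already disabled and all strong entries are kept as-is,
    so the result is a drop-in replacement for the original directive."""
    flipped: List[str] = []
    out: List[str] = []
    for on, name in parse_cipher_suite(directive):
        if on and is_weak_cipher(name):
            flipped.append(name)
            on = False
        out.append(("+" if on else "-") + name)
    return ",".join(out), flipped


if __name__ == "__main__":
    # Constructed sample directive (not a real nss.conf): note the two
    # enabled 56-bit export suites and the enabled 40-bit RC4 suite.
    sample = ("+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
              "+rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
              "+rsa_des_56_sha,+rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha")
    print("weak ciphers still enabled:", enabled_weak_ciphers(sample))
    hardened, changed = harden_cipher_suite(sample)
    print("flipped to '-':", changed)
    print("NSSCipherSuite", hardened)
```

After editing nss.conf, restart httpd and re-run the scanner; the lint only reads the directive, it does not observe what NSS actually negotiates, so the scanner remains the authoritative check.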

[Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Winfried de Heiden
Hi all, I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like this: ~ dns_lookup_realm = false dns_lookup_kdc = false ~ [realms] LINUX.EXAMPLE.COM = { pkinit_anchors = FILE:/etc/ipa/ca.crt

Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Christian Heimes
On 2016-01-22 11:25, Winfried de Heiden wrote: > Now, is it possible to use the IPA-server as a proxy for the trusted > Windows Domain? How...? I haven't tried it yet but it should be possible. MS-KKDCP requests are prefixed with the requested realm name. You have to configure the mapping from
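The realm prefix mentioned in the reply above is the target-domain field of the MS-KKDCP KDC-PROXY-MESSAGE, and routing on it is what lets one proxy front several realms. The following is an added example, not part of the thread and not FreeIPA or python-kdcproxy code: it DER-encodes and decodes a KDC-PROXY-MESSAGE and picks a KDC from a realm map the way a proxy would. The realm-to-KDC map, the default-realm fallback used when target-domain is absent, and the stand-in request bytes are assumptions of this example.

```python
"""Added example: encode, decode and route an MS-KKDCP KDC-PROXY-MESSAGE.

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message    [0] OCTET STRING,
        target-domain   [1] KerberosString OPTIONAL,
        dclocator-hint  [2] INTEGER OPTIONAL
    }

kerb-message carries the KDC-REQ with the same 4-byte big-endian length
prefix Kerberos uses over TCP; target-domain names the realm the proxy
should forward to.  Tags are EXPLICIT, as in the Kerberos ASN.1 module.
"""
import struct
from typing import Dict, Optional, Tuple

# Constructed mapping for this example; a real proxy reads it from its config.
REALM_KDCS: Dict[str, str] = {
    "LINUX.EXAMPLE.COM": "kerberos://ipa.linux.example.com:88",
    "AD.EXAMPLE.COM": "kerberos://dc1.ad.example.com:88",
}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(n: int) -> bytes:
    # Minimal two's-complement encoding for a non-negative INTEGER.
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def encode_kdc_proxy_message(kerb_req: bytes, target_domain: Optional[str],
                             dclocator_hint: Optional[int] = None) -> bytes:
    framed = struct.pack(">I", len(kerb_req)) + kerb_req          # TCP-style length prefix
    body = _tlv(0xA0, _tlv(0x04, framed))                        # [0] OCTET STRING
    if target_domain is not None:
        body += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))  # [1] GeneralString
    if dclocator_hint is not None:
        body += _tlv(0xA2, _tlv(0x02, _der_uint(dclocator_hint)))      # [2] INTEGER
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_kdc_proxy_message(msg: bytes) -> Dict[str, object]:
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    out: Dict[str, object] = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(body):
        ctag, inner, pos = _read_tlv(body, pos)
        itag, val, _ = _read_tlv(inner, 0)
        if ctag == 0xA0 and itag == 0x04:
            if len(val) < 4 or struct.unpack(">I", val[:4])[0] != len(val) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = val[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            out["target_domain"] = val.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError("unexpected field tag 0x%02x" % ctag)
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


def route_proxy_request(msg: bytes, realm_map: Dict[str, str],
                        default_realm: str) -> Tuple[str, str, bytes]:
    """Return (realm, KDC address, raw KDC-REQ) for a proxied request.
    Realm names are case-sensitive in Kerberos, so nothing is normalised.
    Falling back to a default realm when target-domain is absent is a
    simplification; a full proxy would read the realm out of the KDC-REQ."""
    m = decode_kdc_proxy_message(msg)
    realm = m["target_domain"] or default_realm
    if realm not in realm_map:
        raise LookupError("no KDC configured for realm %s" % realm)
    return realm, realm_map[realm], m["kerb_message"]
```

A proxy that only knows the IPA realm would hit the LookupError branch for a request prefixed with the AD realm; the fix is exactly the mapping entry for that realm, which is the configuration step the reply refers to.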

Re: [Freeipa-users] Samba crashes with recent F23 update

2016-01-22 Thread Alexander Bokovoy
On Fri, 22 Jan 2016, John Obaterspok wrote: Hello, I'm running F23 and now IPA fails to start due to crash in smb: -- Unit smb.service has begun starting up. jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:smbd_t:s0

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-22 Thread Jakub Hrozek
On Fri, Jan 22, 2016 at 09:27:40AM +, Birnbaum, Warren (ETW) wrote: > Hi. > > I have a been successful using Freeipa 4.1 configuring active directory users > and with sudo. The problem I am having is that the HBAC rules are not > applying to my active directory users. They have access to

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Nathan Peters
[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-22 Thread Birnbaum, Warren (ETW)
Thanks for your reply. I understand what you are saying but don't see how this would work because Allow_All is my current situation (even with this rule disabled). My understanding is you can't restrict through a rule, only limit. Am I missing something? On 1/22/16, 1:51 PM,

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-22 Thread Alexander Bokovoy
On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote: Thanks for your reply. I understand what you are saying but don't see how this would work because Allow_All is my current situation (even with this rule disabled). My understanding is you can't restrict through a rule, only limit. Am I missing

Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Alexander Bokovoy
On Fri, 22 Jan 2016, Christian Heimes wrote: On 2016-01-22 11:57, Alexander Bokovoy wrote: - Original Message - Hi all, I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like this: ~ dns_lookup_realm = false dns_lookup_kdc = false ~ [realms] LINUX.EXAMPLE.COM = {

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Rich Megginson
On 01/21/2016 08:48 PM, Nathan Peters wrote: Here are the results for that aci search using a non-gssapi bind by directory manager on the old master that we are attempting to join against. I don't see anything in this list that would indicate that some users should or should not have access

Re: [Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-22 Thread Lachlan Musicman
No, I've not updated to 1.13.0-41. I do the "yum upgrades" relatively frequently; I don't think it's in the repos yet. cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 January 2016 at 19:42, Jakub Hrozek

Re: [Freeipa-users] Samba crashes with recent F23 update

2016-01-22 Thread Alexander Bokovoy
On Fri, 22 Jan 2016, Alexander Bokovoy wrote: On Fri, 22 Jan 2016, John Obaterspok wrote: Hello, I'm running F23 and now IPA fails to start due to crash in smb: -- Unit smb.service has begun starting up. jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0 gid=0

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Rich Megginson
On 01/22/2016 10:15 AM, Nathan Peters wrote: [root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] Support status of additional OU's / acis in ipa ds

2016-01-22 Thread Alexander Bokovoy
On Sat, 23 Jan 2016, William Brown wrote: Hi, I'm wondering about what the FreeIPA support policy is on adding an extra OU to the root of my domain, as well as my own acis. Will FreeIPA ignore this? Or will it potentially cause future issues? i.e. adding ou=contacts,dc=ipa,dc=example,dc=com

[Freeipa-users] Support status of additional OU's / acis in ipa ds

2016-01-22 Thread William Brown
Hi, I'm wondering about what the FreeIPA support policy is on adding an extra OU to the root of my domain, as well as my own acis. Will FreeIPA ignore this? Or will it potentially cause future issues? i.e. adding ou=contacts,dc=ipa,dc=example,dc=com -- Sincerely, William Brown Software