[Freeipa-users] HowTo/LDAP

2016-07-15 Thread ipa
Hello, I was wondering, is this still valid: http://www.freeipa.org/page/HowTo/LDAP I am using these rpms: ipa-client-4.2.0-15.el7.centos.x86_64 python-iniparse-0.4-9.el7.noarch device-mapper-multipath-libs-0.4.9-85.el7.x86_64 libipa_hbac-1.13.0-40.el7.x86_64

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Rob Crittenden
Linov Suresh wrote: I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago. Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Redhat documentation,How do I manually renew Identity Management (IPA) certificates

[Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Linov Suresh
I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago. Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Redhat documentation, How do I manually renew Identity Management (IPA) certificates after

Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
There was a solution: explicitly disable DNSSEC in /etc/named.conf on all IPA masters/replicas and restart the named-pkcs11 service. After that, zone forwarding worked as expected. Thanks, Dan Daniel Alex Finkelstein | Lead Dev

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-15 Thread Prasun Gera
Ubuntu 12.04 won't work very well out of the box. You can get it to work with the freeipa and sssd ppas, but you'll still need some small hacks on top of it. 14.04 is much better, and 16.04 is presumably the best in terms of things working out of the box. On Fri, Jul 15, 2016 at 3:59 AM, Jakub

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Jakub, Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn't upgrade it because I haven't had any problems logging into that system yet. That being said: Thank you, but did this command return "No such user"? Yes.

Re: [Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
To give this a little more context, I've tried this: [root@ipa ~]# ipa dnsforwardzone-add example2.com. --forwarder=10.55.10.151 --forward-policy=only Server will check DNS forwarder(s). This may take some time, please wait ... ipa: WARNING: DNSSEC validation failed: record 'example2.com. SOA'
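The warning in this message is IPA checking whether answers from the forwarder validate, and the fix Dan posted for it earlier in this listing, `dnssec-validation no` in /etc/named.conf, is a global BIND option: named then stops validating every answer it returns, not only answers for example2.com. The audit below is an added example for this thread (not FreeIPA or BIND code) that reports the effective setting in a named.conf so that masters and replicas where validation was switched off can be found again later. The embedded named.conf is a constructed sample modelled loosely on an IPA 4.2 master, not taken from any real host; the function and option names in the script are mine.

```python
"""Report the effective dnssec-validation setting in a BIND named.conf.

Added example for this thread; not FreeIPA or BIND code. Comments are
stripped (quoted strings preserved), the top-level options { ... } block
is located with brace matching, and the dnssec-validation value in it is
reported. Real use: audit(open("/etc/named.conf").read()).
"""
import re

# Constructed sample, loosely modelled on an IPA 4.2 master after the fix
# from the thread was applied. Not from any real host.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    listen-on-v6 { any; };
    dnssec-enable yes;
    dnssec-validation no;   /* changed from yes to make forwarding work */
    // forwarders for everything not served locally
    forwarders { 10.55.10.151; };
};
# hash-style comments are also valid in named.conf
logging { channel default_syslog { syslog daemon; }; };
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
};
"""

# Quoted strings are matched first so that "//" inside a string such as
# "ldapi://..." is kept, while /* */, // and # comments are dropped.
_STRING_OR_COMMENT = re.compile(
    r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(text):
    """Remove named.conf comments but leave quoted strings intact."""
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def block_body(text, name):
    """Body of the first `name { ... }` block, honouring nested braces.
    Returns None if the block is absent; raises on unbalanced braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if m is None:
        return None
    start = i = m.end()
    depth = 1
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError(f"unbalanced braces in {name} block")
    return text[start:i - 1]


def dnssec_validation(conf_text):
    """Return 'yes', 'no' or 'auto' from the options block, or None when
    the statement is absent (BIND's compiled-in default then applies).
    If the statement appears more than once, the last one is reported."""
    body = block_body(strip_comments(conf_text), "options")
    if body is None:
        return None
    found = re.findall(r"\bdnssec-validation\s+(yes|no|auto)\s*;", body)
    return found[-1] if found else None


def audit(conf_text):
    """One-line finding for a config, suitable for a fleet-wide sweep."""
    value = dnssec_validation(conf_text)
    if value == "no":
        return "FINDING: dnssec-validation no; named serves unvalidated answers"
    if value is None:
        return "INFO: dnssec-validation not set; BIND default applies"
    return f"OK: dnssec-validation {value}"


if __name__ == "__main__":
    print(audit(SAMPLE_NAMED_CONF))
```

The parser only handles what the check needs: comment stripping that respects quoted strings, and brace matching for the options block. It does not understand `view` blocks, so on a named.conf that uses views the per-view `dnssec-validation` statement would have to be checked with the same `block_body` helper on each view.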

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 01:22:07PM +0000, Sullivan, Daniel [AAA] wrote: > Jakub, > > Sure, no problem, I am happy to provide the output that you are requesting. > Thank you for taking the time to help me. > > To answer your question, no record is returned (not missing groups). For > example,

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 02:04:43PM +0000, Sullivan, Daniel [AAA] wrote: > Hi, > > Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in > conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears > to have helped significantly. pam_id_timeout and

[Freeipa-users] FreeIPA 4.2.0 CentOS 7: DNS zone forwarding

2016-07-15 Thread Dan.Finkelstein
Hi all, I'm trying to follow the directions (and cautions) from here: http://www.freeipa.org/page/V4/Forward_zones, but when I add a new zone (example2.com) and a forwarding address and set the zone to forward-only, no records are returned for hosts like, say, testhost.example2.com. The NS

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Hi, Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears to have helped significantly. This issue is becoming much more difficult to reproduce, although I can still reproduce it. Now, it appears

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Jakub, Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me. To answer your question, no record is returned (not missing groups). For example, the output of the failure was: [root@cri-kcriwebgdp1 log]# id mjarsulic id:

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote: > Lukas, > > Thank you for your reply and inquiry. > > First, to answer your question; yes, we have been using the > default_domain_suffix for some time. I am not sure what you mean by > previously, but it is currently

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Lukas, Also, I would be interested to have high-level knowledge of known regressions you describe so that we can more quickly identify that we are being impacted by a known issue as we move forward with testing and evaluation of our IPA implementation, particularly if they are missing from the

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Lukas, Thank you for your reply and inquiry. First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade. And yes, I am

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Lukas Slebodnik
On (14/07/16 21:23), Sullivan, Daniel [AAA] wrote: >Justin, > >Thank you for taking the time to reply to me; I really appreciate your >willingness to help. > >Upgrading to sssd1.14 (from the copr repo) on the client seems to have fixed >this problem across the board. I don’t have a system that

Re: [Freeipa-users] DNS Forwarding stops working

2016-07-15 Thread Petr Vobornik
On 07/15/2016 12:49 PM, Marc Boorshtein wrote: > I've got a freeipa server using an AD server as a DNS forwarder. It > was working great until about an hour ago and now FreeIPA won't > forward any requests to the DNS server. using nslookup from the > server against ad works perfectly.

[Freeipa-users] DNS Forwarding stops working

2016-07-15 Thread Marc Boorshtein
I've got a freeipa server using an AD server as a DNS forwarder. It was working great until about an hour ago and now FreeIPA won't forward any requests to the DNS server. using nslookup from the server against ad works perfectly. Restarting services has not worked. How can I debug this issue?

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lachlan Musicman
Won't be able to check until Monday morning (Australia's weekend has started) but can check, yes. And the reason I reported to you is because you will have more weight with selinux bug tickets than I would. cheers L. -- The most dangerous phrase in the language is, "We've always done it this

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-15 Thread Andreas Ladanyi
Hi, > Hi all, > > I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has > been a pain point for quite some time. I've heard that FreeIPA might > be a solution worth exploring. > > I would like to try to avoid user visible disruption if possible, > however. This means that we

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-15 Thread Petr Vobornik
On 07/14/2016 10:16 PM, Devin Acosta wrote: > When i tried to create the replica from another server, it fails giving me > this? > > [root@ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address > 10.40.x.x > Directory Manager (existing master) password: > > If you installed IPA

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-15 Thread Petr Vobornik
On 07/15/2016 08:17 AM, Martin Kosek wrote: > You should be able to succeed with "ipa-replica-manage del " > and --force/--cleanup flags: but first call ipa-csreplica-manage del --force/--cleanup > > $ man ipa-replica-manage > ... >-c, --cleanup > When deleting a

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 11:41:03AM +0530, Visakh MV wrote: > Hi Team, > > I forgot to describe the actual requirement on IPA client machines, which > is that we need to configure client machine SUDO privileges from the FreeIPA server for > IPA server users. After configuring, client machines are able to log in

Re: [Freeipa-users] HBAC and AD users

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote: > I've updated all the relevant hosts and the FreeIPA server to the COPR sssd > 1.14.0 release and the problem seems to have disappeared. Great, but please keep an eye on the machine, the 1.14 branch is still kind of fresh and we

Re: [Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA

2016-07-15 Thread Martin Kosek
On 07/15/2016 08:17 AM, Zeal Vora wrote: > Hi > > In our internal VA, the Vulnerability Assessment tool flags the HTTP TRACE / > TRACK methods on IPA as a medium-severity vulnerability. > > Is there a need to allow those two methods in IPA? > > If not, what is the optimal way to disable those

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-15 Thread Lukas Slebodnik
On (15/07/16 12:56), Lachlan Musicman wrote: >This line: > >We have SELinux disabled on all of our servers, but we hadn't disabled this >check in sssd.conf. So we enabled it in sssd.conf and everything worked >fine. > >Should read that we *disabled* selinux. > >selinux_provider = none Could you

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-15 Thread Martin Kosek
You should be able to succeed with "ipa-replica-manage del " and --force/--cleanup flags: $ man ipa-replica-manage ... -c, --cleanup When deleting a master with the --force flag, remove leftover references to an already deleted master. ... Martin On

[Freeipa-users] Can we disable HTTP TRACE / TRACK Method in IPA

2016-07-15 Thread Zeal Vora
Hi In our internal VA, the Vulnerability Assessment tool flags the HTTP TRACE / TRACK methods on IPA as a medium-severity vulnerability. Is there a need to allow those two methods in IPA? If not, what is the optimal way to disable those methods? Thanks, Zeal -- Manage your subscription for
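What the scanner is objecting to is a server that answers TRACE with 200 and echoes the request back (message/http): a page that can be made to issue a cross-site request could then read headers such as Cookie or Authorization from the echo. The probe below is an added example, not code from this thread or from FreeIPA, that sends TRACE with a random marker header and reports whether the marker comes back. The two local servers in it are constructed stand-ins (one echoing, one refusing) so the check runs offline; against a real IPA server you would call `probe_trace(host, 443, tls=True)`. Martin Kosek's reply is truncated on this page; the Apache directive that refuses TRACE is `TraceEnable off` in httpd.conf, which is my note, not his. TRACK is an IIS method that Apache does not implement; passing `method="TRACK"` shows the probe reporting it as not reflected.

```python
"""Probe whether an HTTP server accepts and reflects the TRACE method.

Added example; not code from the thread or from FreeIPA. The handler
classes are constructed stand-ins for a server with TRACE enabled and for
one that refuses it, so both outcomes can be exercised locally.
"""
import http.client
import secrets
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"


class _Quiet(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def log_message(self, *args):
        pass  # keep the stand-in servers silent


class EchoingTraceHandler(_Quiet):
    """Stand-in for a server with TRACE enabled: answers 200 and echoes
    the request line and every request header as message/http."""

    def do_TRACE(self):
        lines = [f"{self.command} {self.path} {self.request_version}"]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class RefusingTraceHandler(_Quiet):
    """Stand-in for a server that refuses TRACE (here with 405)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(trace_enabled):
    """Start one stand-in server on 127.0.0.1 at a free port in a daemon
    thread. Returns (server, port); call server.shutdown() when done."""
    handler = EchoingTraceHandler if trace_enabled else RefusingTraceHandler
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_trace(host, port, tls=False, timeout=5.0, method="TRACE"):
    """Send `method` / with a random marker header. Returns True when the
    server answers 200 and the marker is in the body, i.e. the method is
    enabled and reflects request headers (so it would reflect Cookie and
    Authorization too); False when it is refused or not echoed."""
    marker = secrets.token_hex(8)
    if tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={PROBE_HEADER: marker})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return status == 200 and marker in body


if __name__ == "__main__":
    for enabled in (True, False):
        server, port = start_server(enabled)
        print(f"TRACE enabled={enabled}: reflected={probe_trace('127.0.0.1', port)}")
        server.shutdown()
        server.server_close()
```

A random marker rather than a fixed string is used so that a cached or canned 200 page cannot produce a false positive; only a genuine echo of this request contains it.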

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-15 Thread Visakh MV
Hi Team, I forgot to describe the actual requirement on IPA client machines, which is that we need to configure client machine SUDO privileges from the FreeIPA server for IPA server users. After configuring, client machines are able to log in as an IPA user but are unable to give sudo privileges from. Please revert