[Freeipa-users] Re: Question regarding filtering of users seen by managing users

2017-07-20 Thread Thomas Handler via FreeIPA-users
Hi Rob, thank you for this clarification, it’s highly appreciated. Best regards, Tom From: Rob Crittenden via FreeIPA-users Reply: FreeIPA users list Date: 19 July 2017 at 20:57:18 To: FreeIPA users list Cc: Thomas Handler , Rob Crittenden Subject:  [Freeipa-users] Re: Question regarding

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Brown via FreeIPA-users
Well, I certainly don't understand what happened under the covers, but it is 100% clear to me that the users got "deleted" in AD while "preserving" them in IPA. I could see an argument where "ipa user-del user --preserve" is technically still a delete (semantics). I might look at migrating to a trust

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Rob Brown wrote: > yeah, I did find the users in AD under: > CN=Deleted Objects,DC=foo,DC=domain,DC=com > and, the users actually have the attribute: > isDeleted = TRUE > so, looks like they were actually deleted (from AD perspective). > It seems like the delete sync is two-way (surprising, since c

[Freeipa-users] Re: Two way trust problem

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote: > We've setup a two-way trust with AD and it seems to have worked, but it > doesn't look like it is working correctly. > > The kerberos commands (kinit and kvno) work fine, but things like 'id > adu...@addomain.example.

[Freeipa-users] Re: ipa-client-install generates bad sssd.conf

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 02:33:50PM +0200, John Keates via FreeIPA-users wrote: > Hi, > > Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 > generates a broken SSSD configuration. > Adding the services manually to sssd.conf fixes this: > > services = nss, sudo, pam, ssh > > F

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Rob Brown via FreeIPA-users wrote: > Our company recently implemented freeipa to replace a cent5 kerberos > infrastructure. We set it up with a Winsync agreement with an AD domain, > and it is working pretty well. > Our user disposition workflow in AD is this: user account is disabled, > and moved to

[Freeipa-users] Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Brown via FreeIPA-users
Our company recently implemented freeipa to replace a cent5 kerberos infrastructure. We set it up with a Winsync agreement with an AD domain, and it is working pretty well. Our user disposition workflow in AD is this: user account is disabled, and moved to a "terminated users" OU in AD. The account di

[Freeipa-users] Re: different failed auth times?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Vince Mele via FreeIPA-users wrote: > On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users > > wrote: > > Kat via FreeIPA-users wrote: > > Hi, > > > > If I have a simple pair of FreeIPA servers and one is showing different

[Freeipa-users] Re: different failed auth times?

2017-07-20 Thread Vince Mele via FreeIPA-users
On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > Kat via FreeIPA-users wrote: > > Hi, > > > > If I have a simple pair of FreeIPA servers and one is showing different > > failed auth times for a user -- is this a good indication the

[Freeipa-users] Two way trust problem

2017-07-20 Thread Steve Weeks via FreeIPA-users
We've setup a two-way trust with AD and it seems to have worked, but it doesn't look like it is working correctly. The kerberos commands (kinit and kvno) work fine, but things like 'id adu...@addomain.example.com' and 'getent passwd adu...@addomain.example.com' don't work. # ipa trust-add --type

[Freeipa-users] Re: different failed auth times?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Kat via FreeIPA-users wrote: > Hi, > > If I have a simple pair of FreeIPA servers and one is showing different > failed auth times for a user -- is this a good indication they are out > of sync? Should I not see same failures on both? The lockout attributes are per-server (not replicated). rob
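Because the failed-authentication counters are kept on each server and not replicated, the only way to know what one replica thinks is to ask that replica directly (`ipa user-status <uid>` does this for every master). The script below is an added example, not code from the thread or from FreeIPA: it builds the per-server `ldapsearch` query for the lockout attributes FreeIPA keeps on the user entry (`krbLoginFailedCount`, `krbLastFailedAuth`, `krbLastSuccessfulAuth`), parses the LDIF each replica returns, and reports where the failures were actually recorded and whether any single server has reached the policy's max-failures value. The server names, base DN and the two LDIF results are constructed sample data; GSSAPI authentication with a valid ticket is assumed.

```python
"""Compare the per-server Kerberos lockout counters of one IPA user.

Added example, not code from the thread. The attribute names are the ones
FreeIPA stores on the user entry; the server names, base DN and the LDIF
output below are constructed sample data.
"""
import base64
import subprocess
from datetime import datetime, timezone

LOCKOUT_ATTRS = ("krbLoginFailedCount", "krbLastFailedAuth", "krbLastSuccessfulAuth")


def ldapsearch_cmd(server, base_dn, uid):
    """ldapsearch invocation that reads the counters from ONE replica.

    Each replica must be asked directly: the values are not replicated, so a
    query through a load balancer or another server says nothing about this
    one. Assumes a Kerberos ticket for GSSAPI authentication."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{server}",
            "-b", f"cn=users,cn=accounts,{base_dn}", f"(uid={uid})", *LOCKOUT_ATTRS]


def fetch(server, base_dn, uid):
    """Run the query against a live server (not used by the offline demo)."""
    return subprocess.run(ldapsearch_cmd(server, base_dn, uid),
                          capture_output=True, text=True, check=True).stdout


def parse_ldif(text):
    """Turn a single-entry LDIF result into {attribute: value}.

    Handles both 'attr: value' and base64 'attr:: value' lines; the counter
    becomes an int, the timestamps stay GeneralizedTime strings."""
    entry = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr in LOCKOUT_ATTRS:
            entry[attr] = value
    entry["krbLoginFailedCount"] = int(entry.get("krbLoginFailedCount", 0))
    return entry


def gentime(value):
    """LDAP GeneralizedTime (YYYYmmddHHMMSSZ) -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def compare(results):
    """results: {server: ldif_text}. Returns {server: parsed_entry}."""
    return {server: parse_ldif(text) for server, text in results.items()}


def most_recent_failure(results):
    """Server that recorded the latest failed auth, or None if none did."""
    latest = None
    for server, entry in compare(results).items():
        stamp = entry.get("krbLastFailedAuth")
        if stamp and (latest is None or gentime(stamp) > latest[1]):
            latest = (server, gentime(stamp))
    return latest[0] if latest else None


def locked_on(results, max_failures):
    """Servers whose own counter has reached the policy's max failures
    (krbMaxPwdFailure, shown by `ipa pwpolicy-show --all`). Since the counter
    is per server, a user can be locked on one replica and still authenticate
    on another."""
    return [s for s, e in compare(results).items()
            if max_failures and e["krbLoginFailedCount"] >= max_failures]


# Constructed sample output, as two replicas might return it after three
# bad passwords were tried against ipa1 only.
SAMPLE = {
    "ipa1.example.com": """dn: uid=kat,cn=users,cn=accounts,dc=example,dc=com
krbLoginFailedCount: 3
krbLastFailedAuth: 20170720143012Z
krbLastSuccessfulAuth: 20170719091500Z
""",
    "ipa2.example.com": """dn: uid=kat,cn=users,cn=accounts,dc=example,dc=com
krbLoginFailedCount: 0
krbLastSuccessfulAuth: 20170720080000Z
""",
}

if __name__ == "__main__":
    for server, entry in compare(SAMPLE).items():
        print(server, entry)
    print("latest failure seen on:", most_recent_failure(SAMPLE))
    print("locked (max failures 6):", locked_on(SAMPLE, 6))
```

Differing values across replicas are therefore not a replication problem in themselves: the sample shows ipa1 with three failures and ipa2 with none, which is exactly what you would see when one client or one attacker only ever talked to ipa1.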

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote: >> lejeczek via FreeIPA-users wrote: >>> hello fellas >>> >>> those certs I see with: >>> $ ipa cert-find >>> is it possible to get private key(s) for a given cert? With means of >>> (any)command li

[Freeipa-users] different failed auth times?

2017-07-20 Thread Kat via FreeIPA-users
Hi, If I have a simple pair of FreeIPA servers and one is showing different failed auth times for a user -- is this a good indication they are out of sync? Should I not see same failures on both? -k

[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-20 Thread Ade Lee via FreeIPA-users
On Thu, 2017-07-20 at 01:11 -0400, Endi Sukma Dewata wrote: > - Original Message - > > David Hendén via FreeIPA-users wrote: > > > Hi all, > > > > > > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to > > > RHEL7.3 RHEL > > > 4.4.0. > > > > > > What I'm trying to achieve is an

[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-07-20 Thread John Keates via FreeIPA-users
Hi, Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates a broken SSSD configuration. Adding the services manually to sssd.conf fixes this: services = nss, sudo, pam, ssh For some reason, ipa-client-install thinks we have socket-activated SSSD services, but we don’t.
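An SSSD responder runs only if it is either named in `services =` in the `[sssd]` section or started on demand through its `sssd-<name>.socket` unit; a client whose installer assumed socket activation on a host that lacks it ends up with neither. The script below is an added example, not code from the thread or from `ipa-client-install`: it reads an sssd.conf, takes the state of the `sssd-*.socket` unit files as input, lists the responders that nothing will start, and writes a corrected `services =` line. Deciding from the socket unit files is an assumption about how to make the check, and the sssd.conf text and unit list are constructed samples.

```python
"""Spot SSSD responders that are neither listed in sssd.conf nor socket
activated, and write a corrected 'services =' line.

Added example, not code from the thread or from ipa-client-install. Using the
systemd socket units to decide is an assumption; the sssd.conf text and the
unit-file list are constructed samples.
"""
import configparser
import io

# Responders an IPA client needs, in the order the post lists them.
RESPONDERS = ("nss", "sudo", "pam", "ssh")


def listed_services(conf_text):
    """Responders named in [sssd] services=, as a set (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in raw.split(",") if s.strip()}


def socket_activated(unit_files):
    """Responders with an enabled sssd-<name>.socket unit.

    unit_files is a list of (unit, state) pairs, as you would get by parsing
    `systemctl list-unit-files 'sssd-*.socket'`."""
    active = set()
    for unit, state in unit_files:
        if unit.startswith("sssd-") and unit.endswith(".socket") and state == "enabled":
            active.add(unit[len("sssd-"):-len(".socket")])
    return active


def missing_services(conf_text, unit_files, wanted=RESPONDERS):
    """Responders that nothing will start: not listed and not socket activated."""
    listed = listed_services(conf_text)
    sockets = socket_activated(unit_files)
    return [r for r in wanted if r not in listed and r not in sockets]


def with_services(conf_text, services):
    """Return conf_text with [sssd] services= set to the given responders."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        cp.add_section("sssd")
    cp.set("sssd", "services", ", ".join(services))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed sssd.conf resembling the broken one: only nss is listed.
SAMPLE_CONF = """[sssd]
config_file_version = 2
domains = example.com
services = nss

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
cache_credentials = True
"""

# Constructed unit list for a host whose SSSD is not socket activated.
NO_SOCKETS = [("sssd-nss.socket", "disabled"), ("sssd-pam.socket", "disabled"),
              ("sssd-sudo.socket", "disabled"), ("sssd-ssh.socket", "disabled")]

if __name__ == "__main__":
    gap = missing_services(SAMPLE_CONF, NO_SOCKETS)
    print("not started by anything:", gap)
    if gap:
        print(with_services(SAMPLE_CONF, RESPONDERS))
```

On a host where the four socket units really are enabled the same sssd.conf is fine, which is why the check must look at the unit state rather than only at the file.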

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-20 Thread lejeczek via FreeIPA-users
On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote: lejeczek via FreeIPA-users wrote: hello fellas those certs I see with: $ ipa cert-find is it possible to get private key(s) for a given cert? With means of (any)command line? Not from the CA, no. The CA doesn't store the private key