Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote: > > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > > […] > > > However, when I try logging in as a student domain user > > > (student.example.au), > > > I don't see any of the groups (there should be 8): > > > >

Re: [Freeipa-users] Promote CA-less replica

2016-10-20 Thread James Harrison
Hi, Thanks again. Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba compilation choice stopping AD trusts from working (Samba isn't using MIT Kerberos).  We're now using CentOS 7.2.  While we know the CentOS version will operate correctly, we only get to use 4.2 of FreeIPA

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Robert Sturrock
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > […] > > However, when I try logging in as a student domain user > > (student.example.au), > > I don't see any of the groups (there should be 8): > > > > $ ssh -l rnst student example au ipa-client-rh7.ipa.example.au > >

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards 2016-10-20 14:23 GMT-04:00 Alexander Bokovoy : > On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: > >> Hi Alexander, >> I do believe it is a DNS problem, the commands failing are >> >> host -t srv _ldap._tcp.ad_domain >> or >> dig SRV _ldap._tcp.ad_domain >> after c

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: Hi Alexander, I do believe it is a DNS problem, the commands failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain after checking the logs I see this error "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53" so I

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander, I do believe it is a DNS problem, the commands failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain after checking the logs I see this error "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53" so I disabled the DNSSEC validation on IPA and it work

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-20 Thread Florence Blanc-Renaud
On 10/19/2016 08:18 PM, Bertrand Rétif wrote: *From: *"Bertrand Rétif" *To: *freeipa-users@redhat.com *Sent: *Wednesday 19 October 2016 15:42:07 *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue ---

Re: [Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Guillermo Fuentes
Hi Deepak, What you did was disable insecure connections to the directory service. As such, use LDAPS to connect and enable insecure connections again: ldapmodify -D "cn=directory manager" -W -H ldaps://`hostname` dn: cn=config changetype: modify replace: nsslapd-minssf nsslapd-minssf: 0 If

[Freeipa-users] Replication error acquiring replica: unknown error

2016-10-20 Thread Harald Dunkel
Hi folks, My second master shows me that it would push local changes to ipa1, but it doesn't: [root@ipa2 ipa]# ipa-replica-manage list ipa3.aixigo.de: master ipa4.aixigo.de: master ipa1.aixigo.de: master ipa2.aixigo.de: master [root@ipa2 ~]# ipa-replica-manage list `hostname` ipa1.aixigo.de: repl

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: Hello everyone, Both servers are fresh installs (2008r2 and Fedora 24 server with FreeIPA 4.3.2) as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA however the server is unable to resolve any recor

[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone, Both servers are fresh installs (2008r2 and Fedora 24 server with FreeIPA 4.3.2) as the documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA however the server is unable to resolve any record from my child domain, I found this bug https://

[Freeipa-users] FreeIPA JSON API does not work behind Load Balancer because Services4User

2016-10-20 Thread Klíma David
Hi all, I need advice or help with a FreeIPA implementation behind an F5 BIG-IP load balancer. My goal is to have all FreeIPA services (including the JSON/XML API) behind the load balancer for FreeIPA clients. >> Because RHEL support tells me IPA behind a load balancer is not supported I was >> coming out of these

[Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Deepak Dimri
Hi all, I wanted to enable secure LDAP connections on FreeIPA, but alas, after changing cn=config nsslapd-minssf from 0 to 128 I am getting the error below: ipactl restart Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: Server is unwilling to

[Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-20 Thread Sébastien Julliot
Hi everyone, In order to prevent administrators from making mistakes that could have silly consequences, I would like to set "preserve" as the default selected action in FreeIPA's web UI. What do you think would be the best way to achieve this? Thank you in advance, Sebastien Julliot. -- Ma

Re: [Freeipa-users] replica DS failure deadlock

2016-10-20 Thread Ludwig Krispenz
On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 P

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > Hello, > > We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with > our University organisational AD. The AD forest contains *two* > domains: > > EXAMPLE.AU (staff users) > STUDENT.EXAMPLE.AU (student users