Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Les Stott
> -Original Message- > From: Fraser Tweedale [mailto:ftwee...@redhat.com] > Sent: Wednesday, 23 September 2015 10:59 AM > To: Les Stott > Cc: Winfried de Heiden; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial > > On Tu

Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Les Stott
The only way to get around it, because you are using the same domain name, is to use different browsers to visit each site. Firefox for sitea, chrome for siteb. It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because

Re: [Freeipa-users] freeipa and User Private Groups

2015-07-14 Thread Les Stott
@redhat.com > Subject: Re: [Freeipa-users] freeipa and User Private Groups > > On Mon, Jul 13, 2015 at 09:11:09AM +, Les Stott wrote: > > Hi All, > > > > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64 > > > > So, by default, when you create a user in

[Freeipa-users] freeipa and User Private Groups

2015-07-13 Thread Les Stott
Hi All, Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64 So, by default, when you create a user in freeipa, That user will be set to have a primary group that is hidden and not a POSIX group. This means that when the user logs in to a host, they will see something like... id: cannot

Re: [Freeipa-users] CentOS 6.6 Installation Issues

2015-06-18 Thread Les Stott
Randall, Check your apache error logs for any errors and the modules loaded via httpd.conf. The ipa server log does show that it can reach apache for most things. I had a similar issue not too long ago when trying to install a CA replica on an existing ipa server, which is pretty much the same

Re: [Freeipa-users] clarification on expired password behaviour

2015-03-25 Thread Les Stott
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Thursday, 26 March 2015 12:52 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] clarification on expired password behaviour On 03/25/2015 09:14 PM, Les Stott wrote: Hi All

[Freeipa-users] clarification on expired password behaviour

2015-03-25 Thread Les Stott
Hi All, Running freeipa 3.0.0.42 on rhel 6.6, all standard packages. I also have freeradius installed which is used for network devices (cisco, brocade, f5, ucs etc) to authenticate users. Freeradius is using the ldap store in FreeIPA as an authentication backend. All is working fine. But I w

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott
> -Original Message- > From: Endi Sukma Dewata [mailto:edew...@redhat.com] > Sent: Thursday, 26 February 2015 1:50 AM > To: Martin Kosek > Cc: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Jan Cholasta > Subject: Re: [Freeipa-users] ipa-getcert list fails t

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Wednesday, 25 February 2015 10:35 PM > To: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Endi Dewata; Jan > Cholasta > Subject: Re: [Freeipa-users] ipa-getcert list fails to report corr

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution - RESOLVED

2015-02-24 Thread Les Stott
slate. Then install works as normal for IPA Server, Replica and CA Replica installations. Hope this saves someone else time in the future. Regards, Les > -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Le

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-24 Thread Les Stott
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Les Stott > Sent: Monday, 23 February 2015 8:01 PM > To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata; > Jan Cholasta >

Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-23 Thread Les Stott
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Les Stott > Sent: Monday, 23 February 2015 12:18 PM > To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata; > Jan Cholasta >

Re: [Freeipa-users] ipa-getcert list fails to report correctly

2015-02-22 Thread Les Stott
> -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Saturday, 21 February 2015 1:39 AM > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata; Jan > Cholasta > Subject: Re: [Freeipa-users] ipa-getcert list fails to report cor

[Freeipa-users] ipa-getcert list fails to report correctly

2015-02-19 Thread Les Stott
Hi all, The following is blocking the ability for me to install a CA replica. Environment: RHEL 6.6 IPA 3.0.0-42 PKI 9.0.3-38 On the master the following is happening: ipa-getcert list Number of certificates and requests being tracked: 5. (but it shows no certificate details in the output) Ru

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-17 Thread Les Stott
Has anyone got any ideas on the below errors I am now receiving? Thanks in advance, Les > > > > I will test this out (update to 3.7.19-260) next week as I've got a > > few more CA replicas to setup. > > > > I'm still having issues. Different one this time. > > As I have previously worked aroun

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-13 Thread Les Stott
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Les Stott > Sent: Saturday, 7 February 2015 9:39 AM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] bug in pki during install

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott
> -Original Message- > From: Endi Sukma Dewata [mailto:edew...@redhat.com] > Sent: Saturday, 7 February 2015 1:53 AM > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Matthew Harmsen > Subject: Re: [Freeipa-users] bug in pki during install of CA replica and > w

Re: [Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-06 Thread Les Stott
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Saturday, 7 February 2015 1:40 AM > To: Les Stott; freeipa-users@redhat.com; Matthew Harmsen; Endi Dewata > Subject: Re: [Freeipa-users] bug in pki during install of CA replica and > workaroun

[Freeipa-users] bug in pki during install of CA replica and workaround/solution

2015-02-05 Thread Les Stott
Hi, I found a bug in the pki packages and CA replica installation. Environment: Rhel 6.6 IPA Server 3.0.0-42 Pki components: pki-symkey-9.0.3-38.el6_6.x86_64 pki-common-9.0.3-38.el6_6.noarch pki-setup-9.0.3-38.el6_6.noarch pki-selinux-9.0.3-38.el6_6.noarch pki-java-tools-9.0.3-38.el6_6.noarch pki

Re: [Freeipa-users] CA Replication Installation Failing - SOLVED!

2015-02-04 Thread Les Stott
com] > Sent: Thursday, 5 February 2015 2:24 AM > To: Les Stott; freeipa-users@redhat.com > Cc: Ade Lee > Subject: Re: [Freeipa-users] CA Replication Installation Failing > > Les Stott wrote: > > Has anyone got any ideas on this? > > > > I am stuck with not being

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-03 Thread Les Stott
lf Of Les Stott > Sent: Friday, 30 January 2015 4:48 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] CA Replication Installation Failing > > > > > -Original Message- > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > >

Re: [Freeipa-users] CA Replication Installation Failing

2015-01-29 Thread Les Stott
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Les Stott > Sent: Wednesday, 10 December 2014 6:22 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] CA Replication In

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-09 Thread Les Stott
> -Original Message- > From: Ade Lee [mailto:a...@redhat.com] > Sent: Wednesday, 10 December 2014 5:05 AM > To: Les Stott > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] CA Replication Installation Failing > > On Tue, 2014-12-09 at 07:4

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott
/2014 11:04 PM, Les Stott wrote: Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica? > People who might be able to help are on PTO right now. > > Is your installation older than 2 years? No, December 2013 was when it was originally buil

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott
Does anyone have any ideas on the below errors when trying to add CA replication to an existing replica? Thanks in advance, Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Tuesday, 2 December 2014 6:17 PM To: freeipa-users

[Freeipa-users] CA Replication Installation Failing

2014-12-01 Thread Les Stott
Hi All, I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki components are also standard version 9.0.3-38. Servera is the master Serverb is the replica Both have been running for many, many months. Serverb was initially setup as a replica, but not a CA replica. I am now tr

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Les Stott
> -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Wednesday, 12 November 2014 6:33 AM > To: Fraser Tweedale; Les Stott > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] how to overcome same serial number in cert > issue on dif

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
> -Original Message- > From: Fraser Tweedale [mailto:ftwee...@redhat.com] > Sent: Tuesday, 11 November 2014 1:59 PM > To: Les Stott > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] how to overcome same serial number in cert > issue on different master serv

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
> -Original Message- > From: Fraser Tweedale [mailto:ftwee...@redhat.com] > Sent: Tuesday, 11 November 2014 12:51 PM > To: Les Stott > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] how to overcome same serial number in cert > issue on different master

[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
Hi, I have a standard rhel6 deployment for FreeIPA in two environments. One environment is in our Production Data Center, The Other in our DR Data Center. Both environments are setup with the same domain (mydomain.com) for FreeIPA. This is to support dr/failover etc. In each environment, ther

Re: [Freeipa-users] restored replica ssl issue

2014-11-10 Thread Les Stott
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Monday, 10 November 2014 10:50 PM > To: Les Stott; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] restored replica ssl issue > > On 11/10/2014 08:34 AM, Les Stott wrote: > >

[Freeipa-users] restored replica ssl issue

2014-11-09 Thread Les Stott
Hi all, I have a standard freeipa environment under rhel6. One of my replica servers, let's call it "serverB" had issues and I eventually rebuilt it. I rebuilt and restored data, but something wasn't right. Replication wasn't working. I had tried to re-initialize replication but it didn't help.

[Freeipa-users] trouble with ldap authentication for a Cisco UCS 5108

2014-11-09 Thread Les Stott
Hi all, I have a FreeIPA environment with standard rhel6 package sets. Everything is working well. I would like to get our Cisco UCS 5108 authenticating via ldap with TLS using ldap group based checks. The ucs manager runs the latest 2.2(3a) Currently I have it authenticating via radius (which

Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-02 Thread Les Stott
FYI... I used OTP for this. Works a treat! Thanks again Dmitri. Regards, Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Thursday, 2 October 2014 8:21 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] can ipa-client

Re: [Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Les Stott
: [Freeipa-users] can ipa-client-install be updated to call username/password from a file? On 10/01/2014 05:44 AM, Yiorgos Stamoulis wrote: On 01/10/14 08:19, Les Stott wrote: Hi, I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa

[Freeipa-users] can ipa-client-install be updated to call username/password from a file?

2014-10-01 Thread Les Stott
Hi, I am using freeipa in a rhel6 environment with ipa-3.0.0-37.el6 client. I am working on doing an unattended ipa client installation. I have it working with the following /usr/sbin/ipa-client-install -p admin -w -U --no-ntp While this works, while it runs, the value is visible in the

Re: [Freeipa-users] ntp and srv records

2014-08-21 Thread Les Stott
s On 21.8.2014 06:17, Les Stott wrote: > Hi All, > > Am about to start rolling out client installs on rhel6 hosts with dns > autodiscovery. > > Environment: rhel6, ipa-3.0.0-37.el6. > > I already have setup SRV records for Kerberos and ldap etc. > > Are the follow

[Freeipa-users] ntp and srv records

2014-08-20 Thread Les Stott
Hi All, Am about to start rolling out client installs on rhel6 hosts with dns autodiscovery. Environment: rhel6, ipa-3.0.0-37.el6. I already have setup SRV records for Kerberos and ldap etc. Are the following ntp records as SRV records necessary also? ;ntp server _ntp._udp IN SRV

Re: [Freeipa-users] HBAC - expected behaviour?

2014-02-05 Thread Les Stott
That helps, and I read http://www.freeipa.org/page/Howto/HBAC_and_allow_all Now I understand how it works and the expected behaviour. Thanks. Les -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, 4 February 2014 6:30 PM To: Les Stott; freeipa-users

[Freeipa-users] HBAC - expected behaviour?

2014-02-03 Thread Les Stott
Hi, Running freeipa 3.0.0-37.el6 on rhel 6.4 and just had a query about HBAC rules and how the global allow_all rule applies. I configured a rule for a single host (host1) allowing access via ssh to only a single user (john) via ssh. i.e. # ipa hbacrule-show host1_access Rule name: host1_acc

Re: [Freeipa-users] export users/groups from one ipa server to another

2014-01-19 Thread Les Stott
rtin Kosek [mailto:mko...@redhat.com] Sent: Friday, 17 January 2014 6:46 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] export users/groups from one ipa server to another On 01/17/2014 07:24 AM, Les Stott wrote: > Hi All, > > Looking for the quickest and easiest

Re: [Freeipa-users] export users/groups from one ipa server to another

2014-01-17 Thread Les Stott
attributes will that avoid users having to regenerate the kerberos credentials? Thanks, Les From: Rob Crittenden [rcrit...@redhat.com] Sent: Saturday, January 18, 2014 1:36 AM To: Martin Kosek; Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-us

Re: [Freeipa-users] export users/groups from one ipa server to another

2014-01-17 Thread Les Stott
Petr, Martin, thanks for the suggestions, i will try next week. fyi... it will be the same domain so i'll have a look at "ipa migrate-ds". Regards, Les From: Martin Kosek [mko...@redhat.com] Sent: Friday, January 17, 2014 6:46 PM To: Les

[Freeipa-users] export users/groups from one ipa server to another

2014-01-16 Thread Les Stott
Hi All, Looking for the quickest and easiest way to export users from one freeipa server and install on another. I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment. The two environments will not be

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
Rich Megginson [mailto:rmegg...@redhat.com] Sent: Wednesday, 15 January 2014 2:13 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos) On 01/14/2014 07:57 PM, Les Stott wrote: Still no joy. Although I don't profess to be a schema c

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
ompat-entry-attribute: cn=%{cn} schema-compat-entry-rdn: cn=%{cn} Left the rest as default. When I ldapsearch against the compat tree, I see it working the way I want (i.e. dn starts with cn instead of uid). ldapsearch -x -b "cn=compat,dc=mydomain,dc=com" "cn=Les Stott" #

Re: [Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-14 Thread Les Stott
Freeipa-users] HP ILO Authentication via LDAP (or even kerberos) On 01/13/2014 10:44 PM, Les Stott wrote: Been banging my head against the wall on this one for a few days, trying to get a workable configuration for HP ILO to authenticate via FreeIPA. I have a standard rhel6 environment (64 bi

[Freeipa-users] HP ILO Authentication via LDAP (or even kerberos)

2014-01-13 Thread Les Stott
: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com The test settings button in the ILO works only with the full dn. It doesn't work if I use the uid (less), or the cn (Les Stott). I can then login to ILO with Username: uid=less,cn=users,cn=accounts,dc=mydomain,dc=com If I try to login wit

[Freeipa-users] Service Accounts - non expiry of passwords

2014-01-05 Thread Les Stott
Hi, I've seen a few references to this when searching the lists and mention of enhancements to later versions of freeipa to allow setting certain users to have passwords that don't expire. I'm on rhel6, which has an older freeipa, and I can't see it being updated anytime soon. So I thought I'd

Re: [Freeipa-users] Question: re replica install

2013-12-18 Thread Les Stott
Thanks Rob. -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, 19 December 2013 12:08 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Question: re replica install Les Stott wrote: > Hi All, > > (RHEL 6.4, FreeIPA

[Freeipa-users] Question: re replica install

2013-12-17 Thread Les Stott
Hi All, (RHEL 6.4, FreeIPA 3.0.0-37) Say I want to install a replica server in a restricted network, but I don't want to enable http management on the replica. I am pretty sure the following is true, but ask the question just to be sure Can a replica work (for authentication and replicatio

Re: [Freeipa-users] Trouble with replica install - SOLVED

2013-12-16 Thread Les Stott
this before installing the replica on existing machines. Regards, Les -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Tuesday, 17 December 2013 12:52 AM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install

Re: [Freeipa-users] Trouble with replica install - SOLVED

2013-12-16 Thread Les Stott
ards, Les ____ From: Les Stott Sent: Monday, December 16, 2013 11:44 PM To: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Trouble with replica install Petr, The below was the error from apache error logs > Apache logs the following error at the same time... > >

Re: [Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
httpd_t:s0 Regards, Les From: Petr Spacek [pspa...@redhat.com] Sent: Monday, December 16, 2013 10:38 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Trouble with replica install On 16.12.2013 10:55, Les Stott wrote: > Sorry, when I said "selinu

Re: [Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
Les From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott Sent: Monday, 16 December 2013 8:47 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Trouble with replica install Hi, Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already setup master

[Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
Hi, Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already setup master server, now trying to install replica (which I've done before and it's worked fine). The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure th

Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing) - SOLVED

2013-12-01 Thread Les Stott
-Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Saturday, 30 November 2013 12:32 AM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing) On Fri, 29 Nov

Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Les Stott
_________ From: Martin Kosek [mko...@redhat.com] Sent: Friday, November 29, 2013 8:49 PM To: Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing) On 11/29/2013 0

[Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)

2013-11-29 Thread Les Stott
Hi, Recently installed freeipa on two servers in multi-master mode. We want to have a central authentication system for many hosts. Environment is RHEL 6.4 for servers, RHEL 6.1 for the first client host, standard rpm packages used - ipa-server-3.0.0-26.el6_4.4.x86_64 and ipa-client-3.0.0-37.e