Re: [Freeipa-users] Password sync woes

2014-03-14 Thread Todd Maugh
Thank you Rich, must have been a typo in my install, I gutted it, restarted it 
and am all good now, thank you

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 4:24 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password sync woes

On 03/13/2014 05:18 PM, Todd Maugh wrote:
Sorry Guys me again.

So I have my winsync agreement up

and I now have my password sync setup

the cert has been imported

SSL is configured properly,

but when I go to change a password in AD

I see this error in passsync.log

LDAP error in QueryUsername
32: No such object

It means your suffix/base DN that you used in PassSync setup is incorrect.
You can check the access log to see what it is doing - 
/var/log/dirsrv/slapd-YOUR-DOMAIN/access - look for connections from the IP 
address of your AD machine.
Note that the suffix/base DN that you used in PassSync setup is the suffix/base 
DN of your IdM server, which is not necessarily the same as your AD server.




any thoughts on this?

thanks

-Todd





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
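
The access-log check Rich describes in the message above, as an added example (not code from the thread or from the 389 DS or FreeIPA projects): it ties each search that ended in err=32 back to the client IP of its connection and reports the base DN that was searched. The log lines are constructed, 192.0.2.10 stands in for the AD machine, and failed_searches is a hypothetical helper name.

```python
import re

# Constructed sample in the 389 Directory Server access-log layout (not from the thread).
# 192.0.2.10 stands in for the AD machine; the bases and filters are made up.
SAMPLE_LOG = '''\
[13/Mar/2014:17:18:01 -0700] conn=41 fd=65 slot=65 connection from 192.0.2.99 to 192.0.2.20
[13/Mar/2014:17:18:01 -0700] conn=41 op=0 SRCH base="ou=gone,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[13/Mar/2014:17:18:01 -0700] conn=41 op=0 RESULT err=32 tag=101 nentries=0 etime=0
[13/Mar/2014:17:18:02 -0700] conn=42 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.20
[13/Mar/2014:17:18:02 -0700] conn=42 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[13/Mar/2014:17:18:02 -0700] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"
[13/Mar/2014:17:18:02 -0700] conn=42 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(ntUserDomainId=jdoe)" attrs=ALL
[13/Mar/2014:17:18:02 -0700] conn=42 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[13/Mar/2014:17:18:03 -0700] conn=42 op=2 UNBIND
'''

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="(.*)" attrs=')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) ')

def failed_searches(log_text, client_ip, err=32):
    """Return searches from client_ip whose RESULT carried the given LDAP error code."""
    conn_ip = {}   # conn number -> client IP, taken from the "connection from" line
    pending = {}   # (conn, op) -> (base, filter) of a SRCH still waiting for its RESULT
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(5))
            continue
        m = RESULT_RE.search(line)
        if m:
            # Only RESULT lines that answer a SRCH are of interest (BIND results are skipped).
            srch = pending.pop((m.group(1), m.group(2)), None)
            if srch and int(m.group(3)) == err and conn_ip.get(m.group(1)) == client_ip:
                hits.append({"conn": m.group(1), "base": srch[0], "filter": srch[1]})
    return hits

if __name__ == "__main__":
    for hit in failed_searches(SAMPLE_LOG, "192.0.2.10"):
        print("conn=%(conn)s searched base %(base)r with %(filter)s: No such object" % hit)
```

The reported base is the suffix/base DN that PassSync was configured with; compare it with the suffix of the IdM server.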

Re: [Freeipa-users] Password sync woes

2014-03-14 Thread Rich Megginson

On 03/14/2014 10:58 AM, Todd Maugh wrote:


Thank you Rich, must have been a typo in my install, I gutted it, 
restarted it and am all good now, thank you




Great!



[Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
good morning, every day it's something new.

so turns out my AD admin has built AD with user accounts spread out over 
multiple subtrees and I need to handle them all.

is there a way to sync everything under dc=bwinc,dc=local instead of doing 
cn=users,dc=bwinc,dc=local?

does this make sense?

thank you

-Todd Maugh



Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
I did find this similar request that I thought looked to be owned by Rich 
Megginson

https://fedorahosted.org/389/ticket/460

Rich, can you shed any light on this, or the command I would use to winsync 
multiple subtrees?





Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Rich Megginson

On 03/14/2014 12:06 PM, Todd Maugh wrote:

I did find this similar request that I thought looked to be owned by Rich 
Megginson

https://fedorahosted.org/389/ticket/460

Rich, can you shed any light on this, or the command I would use to winsync 
multiple subtrees?


If you can't sync from the top level entry, e.g. if you can't sync using 
dc=bwinc,dc=local as your AD subtree, then you can't do it. It may or 
may not work for you, I don't know, you'll just have to try it.








Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
I actually hadn't tried yet to sync from the top level directory

would I just leave the CN out to try that?



Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Rich Megginson

On 03/14/2014 12:24 PM, Todd Maugh wrote:

I actually hadn't tried yet to sync from the top level directory

would I just leave the CN out to try that?

The cn=users? Yes.
  




[Freeipa-users] sudo to local users prompts for password

2014-03-14 Thread Shree
Hello

We just upgraded our clients from ipa-client-2.2.0-16.el6.x86_64 to 
ipa-client-3.0.0-37.el6.x86_64 and started noticing this. We have some scripts 
which sudo to a local account like apache and run. Earlier we were never 
prompted to put apache's password, now it is. Any thoughts?


 
Shreeraj

Change is the only Constant!

[Freeipa-users] IPA / AD Trust

2014-03-14 Thread Todd Maugh
Does IPA support a trust with AD yet?

I've seen that this is coming in a future release but I haven't found something 
that said it has been released.

-Todd

Re: [Freeipa-users] sudo to local users prompts for password

2014-03-14 Thread Dmitri Pal

On 03/14/2014 02:43 PM, Shree wrote:

Hello

We just upgraded our clients from ipa-client-2.2.0-16.el6.x86_64 to 
ipa-client-3.0.0-37.el6.x86_64 and started noticing this. We have some 
scripts which sudo to a local account like apache and run. Earlier 
we were never prompted to put apache's password, now it is. Any thoughts?


Shreeraj
 



Change is the only Constant !



No attachment.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] IPA / AD Trust

2014-03-14 Thread Dmitri Pal

On 03/14/2014 03:20 PM, Todd Maugh wrote:

Does IPA support a trust with AD yet?

I've seen that this is coming in a future release but I haven't found 
something that said it has been released.


-Todd



IPA 3.3.x + SSSD 1.11.x

It is released upstream and in Fedora. Will be a part of RHEL7 release.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] sudo to local users prompts for password

2014-03-14 Thread Rob Crittenden

Dmitri Pal wrote:

On 03/14/2014 02:43 PM, Shree wrote:

Hello

We just upgraded our clients from ipa-client-2.2.0-16.el6.x86_64 to
ipa-client-3.0.0-37.el6.x86_64 and started noticing this. We have some
scripts which sudo to a local account like apache and run. Earlier
we were never prompted to put apache's password, now it is. Any thoughts?

Shreeraj



Change is the only Constant !



No attachment.


I tend to agree with Dmitri here. What other package(s) were updated at 
the same time?


Normally merely updating packages won't affect the IPA client 
configuration. You'd need to re-run ipa-client-install. So I don't quite 
understand why the change either.


Are you using ldap or sssd for sudo? I would assume ldap given the old 
2.x client.


rob
