Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Jakub Hrozek
On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote: > Hi, > > What is the default length of time the sssd daemon on a client caches for > once IPA is off line pls? > If the IPA provider is offline, we never remove anything from the cache, so indefinitely. If the provider is online, w

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread Michael Mercier
Hi, Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that Kerberos was designed for untrusted networks, just how untrusted

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Rob Crittenden
Lucas Yamanishi wrote: On 08/16/2012 05:39 PM, Rob Crittenden wrote: Lucas Yamanishi wrote: On 08/16/2012 05:32 PM, Rob Crittenden wrote: Lucas Yamanishi wrote: I just migrated my IPA instance from one to another a couple days ago to recover after a lost CA and failed yum upgrade. The "ipa

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread Simo Sorce
- Original Message - > Hi, > > Let us assume just the two systems directly connected to the > internet. I am specifically interested in what the security > implications would be, not ways to get around them (e.g. point-to- > point tunnel). I have read that kerberos was designed for untru

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread John Dennis
On 08/16/2012 09:14 PM, Michael Mercier wrote: Hello, I was wondering what the security implications would be setting up a server to be a freeipa client at one site, and have it join a freeipa system over the internet at another site. ipaclient (siteA) <-- internet --> ipaserver (siteB) Is the

Re: [Freeipa-users] IPA over the Internet - Security Implications

2012-08-17 Thread Chris Evich
On 08/17/2012 07:02 AM, Michael Mercier wrote: Hi, Let us assume just the two systems directly connected to the internet. I am specifically interested in what the security implications would be, not ways to get around them (e.g. point-to-point tunnel). I have read that kerberos was designed for

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Lucas Yamanishi
On 08/17/2012 08:38 AM, Rob Crittenden wrote: > Lucas Yamanishi wrote: >> >> On 08/16/2012 05:39 PM, Rob Crittenden wrote: >>> Lucas Yamanishi wrote: On 08/16/2012 05:32 PM, Rob Crittenden wrote: > Lucas Yamanishi wrote: >> I just migrated my IPA instance from one to another a co

[Freeipa-users] Announcing FreeIPA v3.0.0 beta 2 Release

2012-08-17 Thread Rob Crittenden
The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 2. It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available in the Fedora 18 and rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/free

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Anthony Messina
On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote: > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running > well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA > server and each morning I receive the following report from rkhunter. > > I imagine/hope that

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 11:42 +0200, Jakub Hrozek wrote: > On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote: > > Hi, > > > > What is the default length of time the sssd daemon on a client caches for > > once IPA is off line pls? > > > > If the IPA provider is offline, we never remove

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote: > On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote: > > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running > > well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA > > server and each morning I rec

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Mark St. Laurent
Hi Anthony, I would start off by seeing what files the PID is opening to make sure it is truly being good: #lsof -p 1513 To avoid these warnings, you can reconfigure rkhunter to ignore these false positives by editing the rkhunter.conf file: vi /etc/rkhunter.conf. RTKT_FILE_WHITELIST=" /

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Anthony Messina
On Friday, August 17, 2012 02:59:31 PM Mark St. Laurent wrote: Hi Anthony, I would start off by seeing what files the PID is opening to make sure it is truly being good: #lsof -p 1513 To avoid these warnings, you can reconfigure rkhunter to ignore these false positives by editing the rkhunte

Re: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"

2012-08-17 Thread Anthony Messina
On Friday, August 17, 2012 03:25:45 PM Stephen Gallagher wrote: > On Fri, 2012-08-17 at 13:42 -0500, Anthony Messina wrote: > > On Monday, July 23, 2012 04:08:25 AM Anthony Messina wrote: > > > I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running > > > well. I have also installed r

[Freeipa-users] Question about migration and scripts variables

2012-08-17 Thread James James
Hi, my first question is about the migrate process. Is it possible to renumber the users during the migrate process (ipa migrate-ds) in a way that all imported users will have a new UID? My second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just