Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule

2014-09-09 Thread Gregor Bregenzer
Hello Sumit, I think maybe there is a different problem I just discovered by accident. As stated in the first email, I have an AD trust with FreeIPA that receives all POSIX attributes from AD, but I get different values: On the FreeIPA server that has the AD trust (ipa1.linux.intern) I get the corr

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal
On 09/09/2014 07:40 PM, Kat wrote: some stats: ~2000 users ~275 groups ~largest groups = 150+ users (a couple dozen of these) Does not sound offensive... Maybe we should take a look at your DS logs for the failed replication after migration. Any chance we can take a look? Is this the proble

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
some stats: ~2000 users ~275 groups ~largest groups = 150+ users (a couple dozen of these) ~K On 9/9/14 4:32 PM, Dmitri Pal wrote Well maybe the data is so big that the replication gets stuck? Maybe there is some huge group membership issue or something like. Do you have a huge group? Multi

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal
On 09/09/2014 06:44 PM, Rob Crittenden wrote: Kat wrote: On 9/9/14 3:18 PM, Dmitri Pal wrote: On 09/09/2014 12:55 PM, Rich Megginson wrote: On 09/09/2014 10:41 AM, Kat wrote: The problem I see is simple - not being able to add additional replicas after the migration? What I meant to say is -

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rob Crittenden
Kat wrote: > On 9/9/14 3:18 PM, Dmitri Pal wrote: >> On 09/09/2014 12:55 PM, Rich Megginson wrote: >>> On 09/09/2014 10:41 AM, Kat wrote: The problem I see is simple - not being able to add additional replicas after the migration? >>> >>> What I meant to say is - Is the workaround of sett

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
On 9/9/14 3:18 PM, Dmitri Pal wrote: On 09/09/2014 12:55 PM, Rich Megginson wrote: On 09/09/2014 10:41 AM, Kat wrote: The problem I see is simple - not being able to add additional replicas after the migration? What I meant to say is - Is the workaround of setting replication first, then doi

Re: [Freeipa-users] Sane request?

2014-09-09 Thread Dmitri Pal
On 09/09/2014 05:21 PM, Nordgren, Bryce L -FS wrote: Sweet! Yes I am apparently talking about that. Consider this an independent request for that. :) Please add a comment to the ticket that you are an independent requester of this feature. You are talking about this, right? https://fed

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Dmitri Pal
On 09/09/2014 12:55 PM, Rich Megginson wrote: On 09/09/2014 10:41 AM, Kat wrote: The problem I see is simple - not being able to add additional replicas after the migration? What I meant to say is - Is the workaround of setting replication first, then doing migration, acceptable? On 9/9/1

Re: [Freeipa-users] Sane request?

2014-09-09 Thread Nordgren, Bryce L -FS
Sweet! Yes I am apparently talking about that. Consider this an independent request for that. :) You are talking about this, right? https://fedorahosted.org/freeipa/ticket/4509 This electronic message contains information generated by the USDA solely for the intended recipients. Any una

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED. realm-proxy has to be an indirect member of: memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com Thanks for your help. 2014-09-09 16:59 GMT+02:00 Rob Crittenden : > James James wrote: > > My user : realm-proxy is in a group (Smart Proxy Host Management) which >

Re: [Freeipa-users] Sane request?

2014-09-09 Thread Dmitri Pal
On 09/08/2014 08:02 PM, Nordgren, Bryce L -FS wrote: Is it sane to request that freeipa store ssh keys for users who come into the environment via a trust? Not all of them, of course, but those who want to store public keys there. My freeipa server is mostly there to manage machines, and use

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread mohammad sereshki
Dear, the below must be configured in the pam.conf; also each host needs a separate keytab. Solaris 11 is the same as Solaris 10. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth suffi

[Freeipa-users] IPA Version 3.0.0 Allow Self-Signed Certificates

2014-09-09 Thread Eric Hart
I'm trying to find a way to enable FreeIPA to allow Self-Signed Certificates. I haven't found a way to enable that capability yet. I've manually edited configuration files within /etc/dirsrv/slapd-EXAMPLE-COM, specifically the nsslapd-ssl-check-hostname, nsslapd-validate-cert options set to off

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson
On 09/09/2014 10:41 AM, Kat wrote: The problem I see is simple - not being able to add additional replicas after the migration? What I meant to say is - Is the workaround of setting replication first, then doing migration, acceptable? On 9/9/14 9:24 AM, Rich Megginson wrote: On 09/09/2014

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
The problem I see is simple - not being able to add additional replicas after the migration? On 9/9/14 9:24 AM, Rich Megginson wrote: On 09/09/2014 10:12 AM, Kat wrote: Well - here is the problem and solution: Fails every time: Install master, enable migration, migrate existing LDAP config/u

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson
On 09/09/2014 10:12 AM, Kat wrote: Well - here is the problem and solution: Fails every time: Install master, enable migration, migrate existing LDAP config/users, setup replication, fails. Works every time: Install master, setup replication, enable migration, migrate existing LDAP config/

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
Well - here is the problem and solution: Fails every time: Install master, enable migration, migrate existing LDAP config/users, setup replication, fails. Works every time: Install master, setup replication, enable migration, migrate existing LDAP config/users, works perfectly. So -- a pr

Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Olga Kornievskaia
On Tue, Sep 9, 2014 at 10:41 AM, Rob Crittenden wrote: > Olga Kornievskaia wrote: > > > > > > On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal > > wrote: > > > > On 09/08/2014 07:29 PM, Olga Kornievskaia wrote: > >> Thank you very much for your quick reply. > >> > >>

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson
On 09/09/2014 09:20 AM, Kat wrote: This brings up a question - if I just installed a master -- shouldn't I be able to create the replica immediately after (even if I did a migration from an old LDAP server?) Yes. Am I looking at some sort of "wait until I'm done.." condition with the primar

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
This brings up a question - if I just installed a master -- shouldn't I be able to create the replica immediately after (even if I did a migration from an old LDAP server?) Am I looking at some sort of "wait until I'm done.." condition with the primary server? This is the only other replica s

Re: [Freeipa-users] unhappy replication?

2014-09-09 Thread Rich Megginson
On 09/09/2014 08:39 AM, Kat wrote: Anyone seen this before -- 2 freshly kicked CentOS 7 installs: On the replica from the ipa-replica-install : reports: Update failed! Status: [10 Total update abortedLDAP error: Referral] Your system may be partly configured. Run /usr/sbin/ipa-server-install

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote: > My user : realm-proxy is in a group (Smart Proxy Host Management) which > has the Manage host keytab permission : > > Permission name: Manage host keytab > Permissions: write > Attributes: krbprincipalkey, krblastpwdchange > Type: host > Granted to Privilege: Host

Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Rob Crittenden
Olga Kornievskaia wrote: > > > On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal > wrote: > > On 09/08/2014 07:29 PM, Olga Kornievskaia wrote: >> Thank you very much for your quick reply. >> >> It is a brand new fedora 20 vm. > > OK good. > Can you send or

[Freeipa-users] unhappy replication?

2014-09-09 Thread Kat
Anyone seen this before -- 2 freshly kicked CentOS 7 installs: On the replica from the ipa-replica-install : reports: Update failed! Status: [10 Total update abortedLDAP error: Referral] Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. and then t

Re: [Freeipa-users] freeipa server install fails on fedora 20

2014-09-09 Thread Olga Kornievskaia
On Mon, Sep 8, 2014 at 7:41 PM, Dmitri Pal wrote: > On 09/08/2014 07:29 PM, Olga Kornievskaia wrote: > > Thank you very much for your quick reply. > > It is a brand new fedora 20 vm. > > > OK good. > Can you send or share the ipa server installation log? > Can you please suggest how I can do t

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread Rob Crittenden
James James wrote: > My IPA version is 3.0.0. > Thanks The permission 'Manage host keytab' should do the trick. rob > > 2014-09-09 1:22 GMT+02:00 Dmitri Pal >: > > On 09/08/2014 06:52 PM, James James wrote: >> Hi everybody, >> >> I want a user to be able t

Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-09-09 Thread Nicklas Björk
On 2014-08-28 10:58, Nicklas Björk wrote: > 2014-08-27T14:45:19Z DEBUG stderr=pkispawn: WARNING ... unable > to validate security domain user/password through REST interface. > Interface not available Digging a bit further I found the following in /var/lib/pki-ca/logs/debug on the FreeIPA

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Gerardo Padierna
Hi Mohammad, This is for Solaris 11; it seems that some of the options for the pam.conf file are not available in Solaris 10 (I think it was the following options: auth definitive pam_user_policy.so.1 account required pam_tsol_account.so.1 password required pam_authtok_sto

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Natxo Asenjo
On Mon, Sep 8, 2014 at 11:44 AM, Gerardo Padierna wrote: > Hello folks, > hi, I'm setting up an IPA-server instance aimed to be used primarily for > Linux/Unix clients ssh authentication (with kerberos). > I've managed to successfully set up debian clients (via sssd and also on > older debians

Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler
Finally found the solution. Check the file /etc/sysconfig/named and comment out the #ROOTDIR="/var/named/chroot" line. And restart the named service. On 09-09-2014 11:29, Tevfik Ceydeliler wrote: Another symptom is : -- [root@srv ~]# service named status rndc: connect failed: 127.0.0.1#953: connection refused n

Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Martin Basti
On 09/09/14 10:29, Tevfik Ceydeliler wrote: Another symptom is : -- [root@srv ~]# service named status rndc: connect failed: 127.0.0.1#953: connection refused named dead but pid file exists --- Please send logs, why bind failed. journalctl -u named And restart named On 09-09-2014 11:00, Tev

Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler
Another symptom is : -- [root@srv ~]# service named status rndc: connect failed: 127.0.0.1#953: connection refused named dead but pid file exists --- On 09-09-2014 11:00, Tevfik Ceydeliler wrote: By the way, when I try to ping rep.pa.grp from srv.ipa.grp it can't resolve the IP address. There is the same r

Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Martin Basti
On 09/09/14 10:00, Tevfik Ceydeliler wrote: By the way, when I try to ping rep.pa.grp from srv.ipa.grp it can't resolve the IP address. There is the same result when I try to ping srv.ipa.grp from rep.pra.grp Is there a BIND problem? [root@srv ~]# kinit admin Password for ad...@ipa.grp: [root@srv ~]#

Re: [Freeipa-users] ipa-replica-prepare failed - could not create forward DNS zone

2014-09-09 Thread Martin Basti
On 09/09/14 09:35, Tevfik Ceydeliler wrote: Hi, I'm trying to create a replica for my IPA Server env. When I try to use : ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183 At the end I have an error: [root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.

Re: [Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler
By the way, when I try to ping rep.pa.grp from srv.ipa.grp it can't resolve the IP address. There is the same result when I try to ping srv.ipa.grp from rep.pra.grp Is there a BIND problem? [root@srv ~]# kinit admin Password for ad...@ipa.grp: [root@srv ~]# ping rep.ipa.grp ping: unknown host rep.ipa.

[Freeipa-users] Error creating Replica

2014-09-09 Thread Tevfik Ceydeliler
Hi, I'm trying to create a replica for my IPA Server env. When I try to use : ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183 At the end I have an error: [root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183 Directory Manager (existing master) passw

Re: [Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request

2014-09-09 Thread Tevfik Ceydeliler
Hi, I'm trying to create a replica for my IPA Server env. When I try to use : ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183 At the end I have an error: [root@srv ~]# ipa-replica-prepare rep.ipa.grp --ip-address 10.1.1.183 Directory Manager (existing master) passw

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0. Thanks 2014-09-09 1:22 GMT+02:00 Dmitri Pal : > On 09/08/2014 06:52 PM, James James wrote: > > Hi everybody, > > I want a user to be able to do ipa-getkeytab to retrieve the keys from > any host in the realm. > > How can I do this ? > > Where I can find an ACI examp