Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Endi Sukma Dewata
On 2/26/2015 8:02 AM, Les Stott wrote: rm -rf /etc/pki-ca /var/lib/pki-ca /var/log/pki-ca /etc/certmonger /etc/sysconfig/pki-ca /etc/sysconfig/pki /var/run/pki-ca.pid /usr/share/pki /etc/ipa /var/log/ipa* reboot Now you have a clean slate. Do you know which step of the steps above actually hel

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott
> -Original Message- > From: Endi Sukma Dewata [mailto:edew...@redhat.com] > Sent: Thursday, 26 February 2015 1:50 AM > To: Martin Kosek > Cc: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Jan Cholasta > Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly - > RE

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Les Stott
> -Original Message- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Wednesday, 25 February 2015 10:35 PM > To: Les Stott; Rob Crittenden; freeipa-users@redhat.com; Endi Dewata; Jan > Cholasta > Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly - > RESOLVED >

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Dmitri Pal
On 02/25/2015 05:39 PM, Hugh wrote: On 2/25/2015 3:11 PM, Dmitri Pal wrote: I think you can start with adding ntUser object class into the list of the object classes in the IPA configuration in UI. That would apply it to the new entries automatically. How is that done? I'd rather not have to tw

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread Dmitri Pal
On 02/25/2015 04:37 PM, nat...@nathanpeters.com wrote: It does not seem to recognize the user in the second attempt but the first attempt seems to authenticate and then disconnect. I do not see a trace from the accounting session but I suspect that your pam stack does not authorize the authenticated user. T

Re: [Freeipa-users] 2-Factor and services

2015-02-25 Thread Dmitri Pal
On 02/25/2015 04:54 PM, Matt Wells wrote: I've got many users set up with 2-Factor and I'd like to enforce it with some services. For example. Server vpn.example.com is an openvpn server set up to use PAM. Since he's tied to my 4.X IDM servers I can use 2-Factor with

Re: [Freeipa-users] 2-Factor and services

2015-02-25 Thread Steven Jones
Hi, So pass authentication to an RSA RADIUS server and key fobs? Looks like RHEL7.1 can do this, I am waiting for its release to do just this. regards Steven Jones B.Eng (Hons) Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread nathan
> It does not seem to recognize the user in the second attempt but the > first attempt seems to authenticate and then disconnect. > I do not see a trace from the accounting session but I suspect that your pam > stack does not authorize the authenticated user. > Try to allow all authenticated users first. This

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Hugh
On 2/25/2015 3:11 PM, Dmitri Pal wrote: > I think you can start with adding ntUser object class into the list of > the object classes in the IPA configuration in UI. That would apply it > to the new entries automatically. How is that done? I'd rather not have to tweak the package files, since that

[Freeipa-users] 2-Factor and services

2015-02-25 Thread Matt Wells
I've got many users set up with 2-Factor and I'd like to enforce it with some services. For example. Server vpn.example.com is an openvpn server set up to use PAM. Since he's tied to my 4.X IDM servers I can use 2-Factor with him. However I want to enforce that users from this system/service req

Re: [Freeipa-users] [SSSD] default_domain_suffix breaks IPA user logins

2015-02-25 Thread nathan
> On Wed, Feb 25, 2015 at 12:11:10PM -0800, nat...@nathanpeters.com wrote: >> FreeIPA Server 4.1.2 >> FreeIPA client 3.0.0-42 >> >> I'm not sure how to go about fixing this or working around it. >> >> In our organization we have a trust relationship between >> ad.somedomain.net >> and ipadomain.net

Re: [Freeipa-users] [SSSD] default_domain_suffix breaks IPA user logins

2015-02-25 Thread Jakub Hrozek
On Wed, Feb 25, 2015 at 12:11:10PM -0800, nat...@nathanpeters.com wrote: > FreeIPA Server 4.1.2 > FreeIPA client 3.0.0-42 > > I'm not sure how to go about fixing this or working around it. > > In our organization we have a trust relationship between ad.somedomain.net > and ipadomain.net. > > We

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Dmitri Pal
On 02/25/2015 02:15 PM, Hugh wrote: On 2/25/2015 12:50 PM, Dmitri Pal wrote: Will all users created via the IPA interface be synched to AD? Is there any harm in making all users be created with the attributes mentioned earlier in this thread? Almost all. We have some users that will be role accounts fo

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread Dmitri Pal
On 02/25/2015 02:58 PM, nat...@nathanpeters.com wrote: I am having trouble logging in with an IPA user on Solaris 10. The machine is able to correctly initialize tickets using kinit. The issue appears to be PAM related. I am using FreeIPA 4.1.3. I have tried to follow the instructions here as

[Freeipa-users] [SSSD] default_domain_suffix breaks IPA user logins

2015-02-25 Thread nathan
FreeIPA Server 4.1.2 FreeIPA client 3.0.0-42 I'm not sure how to go about fixing this or working around it. In our organization we have a trust relationship between ad.somedomain.net and ipadomain.net. We don't want our AD users having to type usern...@ad.somedomain.net when logging in to an IPA

[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-25 Thread nathan
I am having trouble logging in with an IPA user on Solaris 10. The machine is able to correctly initialize tickets using kinit. The issue appears to be PAM related. I am using FreeIPA 4.1.3. I have tried to follow the instructions here as best I can: http://docs.fedoraproject.org/en-US/Fedora/

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Hugh
On 2/25/2015 12:50 PM, Dmitri Pal wrote: > Will all users created via the IPA interface be synched to AD? > Is there any harm in making all users be created with the attributes > mentioned earlier in this thread? > Almost all. We have some users that will be role accounts for various pieces of software. I

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Dmitri Pal
On 02/25/2015 01:22 PM, Hugh wrote: On 2/25/2015 11:02 AM, Dmitri Pal wrote: But let us step back and ask the question why you need to create the users you sync manually first? The users in a specific OU will be synced anyway without you manually creating them in IPA. So it is unclear why

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Hugh
On 2/25/2015 11:02 AM, Dmitri Pal wrote: > But let us step back and ask the question why you need to create the > users you sync manually first? > The users in a specific OU will be synced anyway without you manually > creating them in IPA. > So it is unclear why the whole thing is actually n

Re: [Freeipa-users] Forward first not working

2015-02-25 Thread Martin Basti
On 25/02/15 18:51, Shaun Martin wrote: Hi Martin, The zone name is the following for both servers. Zone name: 1.10.in-addr.arpa. I am using zone forwarders. With forward first enabled, though, it should try and return an answer from the local DNS; it clearly does not. The only ti

Re: [Freeipa-users] Forward first not working

2015-02-25 Thread Shaun Martin
Hi Martin, The zone name is the following for both servers. Zone name: 1.10.in-addr.arpa. I am using zone forwarders. With forward first enabled, though, it should try and return an answer from the local DNS; it clearly does not. The only time I receive the local record is when forwardi

Re: [Freeipa-users] Forward first not working

2015-02-25 Thread Martin Basti
On 25/02/15 17:59, Shaun Martin wrote: Hi, I am having an issue with forward first not appearing to be working. I have two separate IPA servers that serve separate realms. I have, for the reverse zone, configured forwarders to point to the other realm's IPA server. All versions are identical o

[Freeipa-users] Forward first not working

2015-02-25 Thread Shaun Martin
Hi, I am having an issue with forward first not appearing to be working. I have two separate IPA servers that serve separate realms. I have, for the reverse zone, configured forwarders to point to the other realm's IPA server. All versions are identical on the IPA servers. I have included detail

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Dmitri Pal
On 02/25/2015 09:53 AM, Petr Vobornik wrote: On 02/25/2015 09:12 AM, Hugh wrote: All, We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS 6.5. We've set up synching between our IPA and AD and that seems to be working. What we'd like to do now is allow admins when they're creati

Re: [Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Petr Vobornik
On 02/25/2015 09:12 AM, Hugh wrote: All, We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS 6.5. We've set up synching between our IPA and AD and that seems to be working. What we'd like to do now is allow admins when they're creating users in IPA to be able to set those users

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Endi Sukma Dewata
On 2/25/2015 6:35 PM, Martin Kosek wrote: yum -y remove pki-selinux pki-ca pki-common pki-setup pki-silent pki-java-tools pki-symkey pki-util pki-native-tools ipa-server-selinux ipa-server ipa-client ipa-admintools ipa-python ipa-pki-ca-theme ipa-pki-common-theme 389-ds-base 389-ds-base-libs u

[Freeipa-users] Announcing FreeIPA 4.1.3

2015-02-25 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.1.3 bug fix release! It can be downloaded from http://www.freeipa.org/page/Downloads . Fedora 21 builds are already on their way to updates-testing repository. Builds for Fedora 20 are available in the official COPR repository [https://copr.fe

Re: [Freeipa-users] AD sync via polling?

2015-02-25 Thread Rich Megginson
On 02/25/2015 06:48 AM, Dmitri Pal wrote: On 02/25/2015 07:44 AM, Janne Blomqvist wrote: Hi, is it possible to use winsync to sync stuff from AD without having to create domain trusts, or install some kind of sync services on the AD DCs? For some background, we want to fetch user/group inf

[Freeipa-users] Web UI plugins or other extensions

2015-02-25 Thread Hugh
All, We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS 6.5. We've set up synching between our IPA and AD and that seems to be working. What we'd like to do now is allow admins when they're creating users in IPA to be able to set those users up for synching to AD with the web UI

Re: [Freeipa-users] AD sync via polling?

2015-02-25 Thread Dmitri Pal
On 02/25/2015 07:44 AM, Janne Blomqvist wrote: Hi, is it possible to use winsync to sync stuff from AD without having to create domain trusts, or install some kind of sync services on the AD DCs? For some background, we want to fetch user/group info and authenticate against AD (managed by

[Freeipa-users] AD sync via polling?

2015-02-25 Thread Janne Blomqvist
Hi, is it possible to use winsync to sync stuff from AD without having to create domain trusts, or install some kind of sync services on the AD DCs? For some background, we want to fetch user/group info and authenticate against AD (managed by another department), but we also have a need to

Re: [Freeipa-users] ipa-getcert list fails to report correctly - RESOLVED

2015-02-25 Thread Martin Kosek
On 02/25/2015 03:11 AM, Les Stott wrote: > > >> -Original Message- >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- >> boun...@redhat.com] On Behalf Of Les Stott >> Sent: Monday, 23 February 2015 8:01 PM >> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi D