Re: [Freeipa-users] upgrade 3.0 -> 4.1

2015-04-07 Thread Martin Kosek
On 04/07/2015 11:29 PM, Dmitri Pal wrote: > On 04/07/2015 03:04 PM, Natxo Asenjo wrote: >> hi, >> >> On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal > > wrote: >> >> On 04/03/2015 09:46 AM, Brian Topping wrote: On Apr 3, 2015, at 6:48 AM, Tamas Papp

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-07 Thread Markus Roth
> Endi Sukma Dewata wrote on April 1, 2015 at 23:56: > > > On 4/1/2015 4:29 PM, Markus Roth wrote: > > On Wednesday, April 1, 2015, 16:04:54 you wrote: > >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: > > On 03/31/2015 01:54 PM, Markus Roth wrote: > >> Hi all, > >> >

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread Jan Cholasta
On 7.4.2015 at 15:31 Martin Kosek wrote: On 04/07/2015 02:08 PM, James James wrote: I will try to give a better explanation : I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew the certificate soon

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 22:01 -0400, Coy Hile wrote: > > On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote: > > > > On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: > >> Quoting Simo Sorce : > >> > > > > > I guess that makes sense. Is it possible to add a user that simply > doesn'

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile
> On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote: > > On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: >> Quoting Simo Sorce : >> > > I guess that makes sense. Is it possible to add a user that simply doesn't have the posix attributes defined? In the particular case of

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Dmitri Pal
On 04/07/2015 10:22 AM, Simo Sorce wrote: On Tue, 2015-04-07 at 14:16 +, coy.h...@coyhile.com wrote: Quoting Simo Sorce On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: In MIT land, one can potentially have multiple instances tied (by convention) to a given user (that is, that administ

Re: [Freeipa-users] upgrade 3.0 -> 4.1

2015-04-07 Thread Dmitri Pal
On 04/07/2015 03:04 PM, Natxo Asenjo wrote: hi, On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal > wrote: On 04/03/2015 09:46 AM, Brian Topping wrote: On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote: hi All, I have CentOS 6.6 s

Re: [Freeipa-users] Troubleshooting SSO

2015-04-07 Thread Gould, Joshua
On 4/6/15, 2:26 PM, "Gould, Joshua" wrote: On 4/4/15, 9:57 AM, "Sumit Bose" wrote: Really strange but SSO is working from the test Windows box to both the IPA server and client. No changes were made other than I added the linux client to the IPA domain. (It was with ipa-client-install, it auto-

Re: [Freeipa-users] upgrade 3.0 -> 4.1

2015-04-07 Thread Natxo Asenjo
hi, On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal wrote: > On 04/03/2015 09:46 AM, Brian Topping wrote: > > On Apr 3, 2015, at 6:48 AM, Tamas Papp > wrote: > > hi All, > > I have CentOS 6.6 server and want to upgrade to 7.1. > > What is the upgrade path, can I do it directly or first I need to

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 01:15:46PM -0500, Dan Mossor wrote: > On 04/07/2015 03:05 AM, Jakub Hrozek wrote: > >On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote: > >>On 04/05/2015 12:51 PM, Dmitri Pal wrote: > >>>Several tips. > >>>Please check your DNS configuration. > >>>Such delay is usua

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: > Quoting Simo Sorce : > > >> > > >> > > >> I guess that makes sense. Is it possible to add a user that simply > >> doesn't have the posix attributes defined? In the particular case of > >> */admin, I would expect that user to login to the ipa ui

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile
Quoting Simo Sorce : > > I guess that makes sense. Is it possible to add a user that simply doesn't have the posix attributes defined? In the particular case of */admin, I would expect that user to login to the ipa ui or to be kinit'd to prior to running ipa administrative commands, but I shou

Re: [Freeipa-users] Two way trust vs one way trust and IPA features

2015-04-07 Thread Alexander Bokovoy
On Tue, 07 Apr 2015, Andrey Ptashnik wrote: Hello, I’m wondering if establishing two way trust or one way trust in upcoming 4.2 release somehow is going to affect FreeIPA feature set, like ability to add windows groups to external groups or anything else I may not think of right now? No, it sho

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Dan Mossor
On 04/07/2015 03:05 AM, Jakub Hrozek wrote: On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote: On 04/05/2015 12:51 PM, Dmitri Pal wrote: Several tips. Please check your DNS configuration. Such delay is usually caused by the DNS lookups timing out. That means that the servers probably t

[Freeipa-users] Two way trust vs one way trust and IPA features

2015-04-07 Thread Andrey Ptashnik
Hello, I’m wondering if establishing two way trust or one way trust in upcoming 4.2 release somehow is going to affect FreeIPA feature set, like ability to add windows groups to external groups or anything else I may not think of right now? Our Windows security team is expressing concerns about

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote: > Hello > > attached you can find the data from krb_child.log. As far as I can see > it, the three seconds are due to the communication with the kerberos > server. (1.2.3.4 is my server). Do you experience the same latency if you kinit manu

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 05:57:49PM +0200, Martin (Lists) wrote: > Hello > > attached you can find the data from krb_child.log. As far as I can see > it, the three seconds are due to the communication with the kerberos > server. (1.2.3.4 is my server). > > regards > Martin Yes. It looks like kini

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Martin (Lists)
Hello attached you can find the data from krb_child.log. As far as I can see it, the three seconds are due to the communication with the kerberos server. (1.2.3.4 is my server). regards Martin On 07.04.2015 at 11:21 Jakub Hrozek wrote: > On Tue, Apr 07, 2015 at 11:12:40AM +0200, Martin (Lists)

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 14:16 +, coy.h...@coyhile.com wrote: > Quoting Simo Sorce > > > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: > >> In MIT land, one can potentially have multiple instances tied (by > >> convention) to a given user (that is, that administratively one knows > >> are t

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread coy . hile
Quoting Simo Sorce On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: In MIT land, one can potentially have multiple instances tied (by convention) to a given user (that is, that administratively one knows are the same set of eyeballs). For example, I might have my normal user (hile), and I m

[Freeipa-users] FreeIPA 4 AD Integration issue

2015-04-07 Thread Aric Wilisch
Hey all, I’m having a problem with integrating a FreeIPA4 infrastructure to an AD environment. AD Domain is fioptics.int FreeIPA infrastructure is preprod.fioptics.int The AD Controller in this environment is at 10.32.145.134 The FreeIPA 4 server is at 10.32.146.40 I’m attaching the procedure

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread Martin Kosek
On 04/07/2015 02:08 PM, James James wrote: > I will try to give a better explanation : > > > I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been > installed with an external CA about 3 years ago and I will have to renew > the certificate soon. > > I have created a test server

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Chamambo Martin
Thanks for the feedback, let me read a bit and will share how I managed to resolve it -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Tuesday, April 07, 2015 2:16 PM To: Jakub Hrozek Cc: Chamambo Martin; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Fre

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: > In MIT land, one can potentially have multiple instances tied (by > convention) to a given user (that is, that administratively one knows > are the same set of eyeballs). For example, I might have my normal > user (hile), and I might have anothe

Re: [Freeipa-users] Replication failed

2015-04-07 Thread Martin Basti
Great! additional comments inline Martin On 07/04/15 13:56, Sanju A wrote: Dear Martin, Thanks for your help and the replication issue got resolved after syncing the time. But I am not able to login to the replica server web ui. Keep on getting "Your session has expired. Please re-login.".

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
I will try to give a better explanation : I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew the certificate soon. I have created a test server (ipa-dev) with the same configuration (centos 6.6 and ipa

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Lukas Slebodnik
On (07/04/15 12:57), Jakub Hrozek wrote: >On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote: >> Sorry for the confusion about that one, that client I used to authenticate >> to a pure 389 directory server and I have since changed it to free ipa and >> below is the correct configurati

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 01:55:43PM +0200, Chamambo Martin wrote: > Thanks Jakub for pointing me to the right direction. This is what I have now > and I have increased the debug level during troubleshooting > > [domain/ai.co.zw] > > debug_level=3 > cache_credentials = True > krb5_store_password_if

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Chamambo Martin
Thanks Jakub for pointing me to the right direction. This is what I have now and I have increased the debug level during troubleshooting [domain/ai.co.zw] debug_level=3 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ai.co.zw id_provider = ipa sudo_provider = ipa auth_

Re: [Freeipa-users] Replication failed

2015-04-07 Thread Sanju A
Dear Martin, Thanks for your help and the replication issue got resolved after syncing the time. But I am not able to login to the replica server web ui. Keep on getting "Your session has expired. Please re-login.". Please find the logs. [07/Apr/2015:17:24:49 +051800] csngen_new_csn - Warning

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA ? 2015-04-07 12:51 GMT+02:00 Martin Kosek : > On 04/03/2015 11:39 AM, James James wrote: > > Hello, > > > > I want to initialize a new replica with an external CA. My Certificate > > Authority wants a CSR with th

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread Martin Kosek
On 04/07/2015 01:44 PM, James James wrote: > ok. > > Is there a way to migrate from an external CA to a CA-less or a self-signed > CA ? Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal https://www.freeipa.org/page/V4/

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-04-07 Thread Bobby Prins
> On Apr 3, 2015, at 14:40, Bobby Prins wrote: > >> - Original message - >> From: "Alexander Bokovoy" >> To: "Bobby Prins" >> Cc: d...@redhat.com, freeipa-users@redhat.com >> Sent: Friday, April 3, 2015 14:26:17 >> Subject: Re: [Freeipa-users] 'Preauthentication failed' wit

[Freeipa-users] ipa-replica-prepare failing

2015-04-07 Thread David Dejaeghere
Hello, I am trying to setup a replica for my master which has been setup with an external CA to use our godaddy wildcard certificate. The ipa-replica-prepare is failing with the following debug information. I am using --http-cert and --dirsrv-cert with my pk12 server certificate. What can I verif

Re: [Freeipa-users] multihome - single interface?

2015-04-07 Thread Martin Kosek
On 04/05/2015 08:03 PM, Dmitri Pal wrote: > On 04/05/2015 12:51 PM, Janelle wrote: >> Hello, >> >> Trying to find a way on a multi-homed server to force IPA and its related >> apps to listen on a specific interface. I can find all kinds of info saying >> "the services listen on all interfaces by de

Re: [Freeipa-users] Replication failed

2015-04-07 Thread Martin Basti
On 07/04/15 13:13, Sanju A wrote: Dear All, Replication was working fine for the last 1 month and recently the replica server (ipa2) is having some hardware issue and it was down for a week. Replication is not working once the machine is up. Please help. [root@ipa etc]# service dirsrv statu

Re: [Freeipa-users] Proper configuration of service accounts

2015-04-07 Thread Martin Kosek
On 04/03/2015 03:36 PM, Brian Topping wrote: >> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote: >> >> On 04/03/2015 01:51 AM, Brian Topping wrote: >>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> >>> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my >>> re

[Freeipa-users] Replication failed

2015-04-07 Thread Sanju A
Dear All, Replication was working fine for the last 1 month and recently the replica server (ipa2) is having some hardware issue and it was down for a week. Replication is not working once the machine is up. Please help. [root@ipa etc]# service dirsrv status dirsrv PKI-IPA (pid 29954) is runni

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote: > Sorry for the confusion about that one, that client I used to authenticate > to a pure 389 directory server and I have since changed it to free ipa and > below is the correct configuration. > > I managed to add the line sudo_provi

Re: [Freeipa-users] ipa and external ca

2015-04-07 Thread Martin Kosek
On 04/03/2015 08:25 PM, Dmitri Pal wrote: > On 04/03/2015 02:03 PM, James James wrote: >> Hi everybody, sorry to repost my original question but this time my problem >> is better described. >> >> I want to install a ipa sever on centos 6 with an external ca. My problem is >> to add emailAddress in

Re: [Freeipa-users] upgrade 3.0 -> 4.1

2015-04-07 Thread Martin Kosek
On 04/03/2015 04:45 PM, Tamas Papp wrote: > > > On 04/03/2015 03:46 PM, Brian Topping wrote: >>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote: >>> >>> hi All, >>> >>> I have CentOS 6.6 server and want to upgrade to 7.1. >>> >>> What is the upgrade path, can I do it directly or first I need to ma

Re: [Freeipa-users] IPA Web UI - blank screen

2015-04-07 Thread Petr Vobornik
On 04/01/2015 08:42 PM, Janelle wrote: the example of a blank screen -- anyone seen this before? Seems to be very random, but across all browsers. ~J Hello Janelle, Do you see any errors in browser console (part of browser developer tools, usually opened by F12 key) when this happen? http

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread Martin Kosek
On 04/03/2015 11:39 AM, James James wrote: > Hello, > > I want to initialize a new replica with an external CA. My Certificate > Authority wants a CSR with the field emailAddress in the subject like : > > /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com I am not a bit confused

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Chamambo Martin
Sorry for the confusion about that one, that client I used to authenticate to a pure 389 directory server and I have since changed it to free ipa and below is the correct configuration. I managed to add the line sudo_provider = ipa and I'm getting the below error on my client [admin@ironhide post

Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote: > I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine > except when I try to configure SUDO. All my clients are all centos 6 and > RedHat 6 clients and have the below config. I have followed every how-to > an

[Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0

2015-04-07 Thread Chamambo Martin
I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine except when I try to configure SUDO. All my clients are all centos 6 and RedHat 6 clients and have the below config. I have followed every how-to and I just can't seem to get it. I have configured the sudo commands and rul

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Jakub Hrozek
On Tue, Apr 07, 2015 at 11:12:40AM +0200, Martin (Lists) wrote: > On 05.04.2015 at 11:51 Martin (Lists) wrote: > > > > Hello > > > > I have a similar issue. On login (graphic systems and ssh) and on the > > screen saver I have a delay from about 2 seconds to 10 seconds. > > > > According to my

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Martin (Lists)
On 05.04.2015 at 11:51 Martin (Lists) wrote: > > Hello > > I have a similar issue. On login (graphic systems and ssh) and on the > screen saver I have a delay from about 2 seconds to 10 seconds. > > According to my logfile I have the following timeline at login: > > 0 pam_unix (auth) > 3

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-07 Thread Martin Basti
I realize the default.conf is replaced during install, pausing IPA will not help. The easiest way is modify the source file. ipalib/constants.py:('startup_timeout', 300), The file should be in /usr/lib/python2.7/site-packages/ipalib/constants.py Modify file and run ipa-server-install, it sh

Re: [Freeipa-users] Replication issues

2015-04-07 Thread thierry bordaz
On 04/07/2015 10:51 AM, Prashant Bapat wrote: Hi Thierry, Thanks for the reply. Turned out that the slapi-plugin was not ignoring the replicated operations. Problem solved. Great news ! regards thierry Regards. --Prashant On 6 April 2015 at 23:25, thierry bordaz

Re: [Freeipa-users] Antwort: Re: Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)

2015-04-07 Thread Martin Basti
Hello, comments inline Martin On 02/04/15 18:54, Christoph Kaminski wrote: see this in ipupgrade.log 2015-04-02T11:27:02Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused 2015-04-02T11:27:02Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-package

Re: [Freeipa-users] Replication issues

2015-04-07 Thread Prashant Bapat
Hi Thierry, Thanks for the reply. Turned out that the slapi-plugin was not ignoring the replicated operations. Problem solved. Regards. --Prashant On 6 April 2015 at 23:25, thierry bordaz wrote: > Hello Prashant, > > If you are able to reproduce the problem (ipasshpubkey not replicated), > w

Re: [Freeipa-users] Question on freeipa-server-trust-ad

2015-04-07 Thread Alexander Bokovoy
On Sat, 04 Apr 2015, Coy Hile wrote: Hi all, What purpose does this package serve? The way I’ve done Kerberos between Active Directory and AD, the trust was always one way (outgoing): the MIT realm is authoritative and AD “shadow accounts” were mapped to ‘real’ principals via the alternateSecur

Re: [Freeipa-users] freeipa-server on Raspberry Pi 2

2015-04-07 Thread Winfried de Heiden
Hi, I gave it a try, but neither ~/.ipa/default.conf or /etc/ipa/default.conf did work. I also tried "to fool" the ipa-server-install script by pausing it and wait for the CA to start. After "un-pausing" the script the same error occurs: "CA did not start i

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-07 Thread Jakub Hrozek
On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote: > On 04/05/2015 12:51 PM, Dmitri Pal wrote: > >On 04/05/2015 12:10 AM, Dan Mossor wrote: > >>I've recently deployed a new domain based on 4.1.2 in F21. We've > >>noticed an issue and can't quite seem to nail it down. The problem is > >>tha

Re: [Freeipa-users] multihome - single interface?

2015-04-07 Thread Petr Spacek
On 5.4.2015 20:03, Dmitri Pal wrote: > On 04/05/2015 12:51 PM, Janelle wrote: >> Hello, >> >> Trying to find a way on a multi-homed server to force IPA and its related >> apps to listen on a specific interface. I can find all kinds of info saying >> "the services listen on all interfaces by default