-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Thursday, April 09, 2015 11:51 AM
To: Alexander Frolushkin (SIB); 'thierry bordaz'
Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/09/2015 05:59 AM, Alexan
On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
> -Original Message-
> From: thierry bordaz [mailto:tbor...@redhat.com]
> Sent: Wednesday, April 08, 2015 6:36 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-user
On 8.4.2015 at 17:43, James James wrote:
It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want run :
# ipa-cacert-manage renew --self-signed
I've got this message :
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured o
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 08, 2015 6:36 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 02:19 PM, Alexande
On 04/08/2015 09:04 PM, Martin Chamambo wrote:
I managed to install my ipa client on centos 5 using this command below
ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
and it worked perfectly , i can getent passwd for users in the freeIPA
server which is good.
I am now t
I managed to install my ipa client on centos 5 using this command below
ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
and it worked perfectly , i can getent passwd for users in the freeIPA
server which is good.
I am now trying to configure SUDO on centos and there seem t
Good day
I managed to configure sudo and it's working for all my centos 6.6 and RHEL 6.6
clients. somehow i managed to change the sudo rules, sudo commands and sudo
groups to be less restrictive, that's when i managed to access root owned files
using sudo
thanks for your help
My advice when con
For all my sudo commands i do sudo command_name_here
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Craig White [cwh...@skytouchtechnology.com]
Sent: Thursday, April 09, 2015 1:52 AM
To: freeipa-users@redhat.com
Subject: [Fr
rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64
[test2.user@app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root
on app001.stt.local.
[test2.user@app001 ~]$ sudo -l
[s
On 04/08/2015 04:04 PM, Guertin, David S. wrote:
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three
RHEL 7 IPA servers (one master and two duplicates). I'm trying to
ensure that if one server goes down, the remaining server(s) will still
allow logins. With the RHEL 6 clients this
Guertin, David S. wrote:
> I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL
> 7 IPA servers (one master and two duplicates). I'm trying to ensure that
> if one server goes down, the remaining server(s) will still allow logins.
> With the RHEL 6 clients this is easy -- the line
>
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA
servers (one master and two duplicates). I'm trying to ensure that if one
server goes down, the remaining server(s) will still allow logins. With the RHEL 6
clients this is easy -- the line
ipa_server = _srv_, server1.
John Williams wrote:
> I'm looking at the following link for recovering expired certificates on
> FreeIPA 3.0.0:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
>
> Problem is when I look inside my /etc/pki-ca/CS.cfg file for a
> subsystemCert I do not find one. I see the other
I'm looking at the following link for recovering expired certificates on
FreeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do
not find one. I see the other three:
auditSigningCert cert-pki-ca
It looks like Vault is the functionality I was looking for.
Thank you Rob and Dmitri for your responses.
Regards,
Andrey
On 4/8/15, 5:59 PM, "Rob Crittenden" wrote:
>Andrey Ptashnik wrote:
>> Hello Team,
>>
>> I know that FreeIPA server supports management of public keys for each
>> use
On 04/08/2015 06:54 AM, Ben .T.George wrote:
HI Traino,
thanks for the info
i have checked the hosts and confirmed that entry was
format
And the DNS everything is working
[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp
_kerberos._tcp _kerberos._udp _kerberos-master._tcp
_kerbe
Прохоров Сергей wrote:
> Hello, I have self-signed freeipa replica. The problem is that I lose my
> freeipa primary server after hdd error.
> Now I need to create new replication server but I can't without primary
> server. I read this documentation and a lot of community correspondence
> but don't
On 04/08/2015 07:12 AM, Прохоров Сергей wrote:
Hello, I have self-signed freeipa replica. The problem is that I lose
my freeipa primary server after hdd error.
Now I need to create new replication server but I can't without
primary server. I read this documentation and a lot of community
corres
On 04/08/2015 12:42 PM, Aric Wilisch wrote:
I'm having issues with getting my RHEL 7 server running Freeipa 4 to
join my Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below
listed errors popping up. I've tried both creating the trust from
Freeipa and j
On Wed, 08 Apr 2015, Aric Wilisch wrote:
I’m having issues with getting my RHEL 7 server running Freeipa 4 to
join my Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below
listed errors popping up. I’ve tried both creating the trust from
Freeipa and just th
Andrey Ptashnik wrote:
> Hello Team,
>
> I know that FreeIPA server supports management of public keys for each
> user and it is a very convenient feature.
> Are there any possible way to manage private keys as well including
> features like re-issuing the key pair if it gets compromised?
I assum
On 04/08/2015 11:31 AM, Andrey Ptashnik wrote:
Hello Team,
I know that FreeIPA server supports management of public keys for each
user and it is a very convenient feature.
First of all IPA does not support user certs yet. It supports SSH public
keys if this is what you are referring to.
Ar
I’m having issues with getting my RHEL 7 server running Freeipa 4 to join my
Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below listed
errors popping up. I’ve tried both creating the trust from Freeipa and just
this morning I setup the trust on the AD
On 04/08/2015 08:42 AM, Jan Pazdziora wrote:
Hello world!
The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well as adding th
Hello Team,
I know that FreeIPA server supports management of public keys for each user and
it is a very convenient feature.
Are there any possible way to manage private keys as well including features
like re-issuing the key pair if it gets compromised?
Regards,
Andrey
--
Manage your subscri
It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want run :
# ipa-cacert-manage renew --self-signed
I've got this message :
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system
If I want to install the CA I'v
Coy Hile wrote:
> Hi all,
>
> When I installed FreeIPA, it created a default ID range (of which user
> admin
> is currently the only user existing). Through the UI, I've found that
> one can
> create additional ranges (and that the ipa tools will complain if a user
> has a
> uid assigned manually
Hi all,
When I installed FreeIPA, it created a default ID range (of which user admin
is currently the only user existing). Through the UI, I've found that one can
create additional ranges (and that the ipa tools will complain if a user has a
uid assigned manually that falls outside the defined r
On Wed, 2015-04-08 at 10:11 +0200, Martin (Lists) wrote:
> On 07.04.2015 at 18:27, Simo Sorce wrote:
> > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> >> Hello
> >>
> >> attached you can find the data from krb_child.log. As far as I can see
> >> it, the three seconds are due to the co
Hello, I have self-signed freeipa replica. The problem is that I lose my
freeipa primary server after hdd error.
Now I need to create new replication server but I can't without primary
server. I read this documentation and a lot of community correspondence
but don't find my issue:
http://docs.
Hello world!
The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well as adding the ability to start a container
as a replica of
On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
On one of accidentally upgraded server I have following error in dirsrv logs:
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element
was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize
attribut
>> On one of accidentally upgraded server I have following error in dirsrv logs:
>>
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER
>> Element was too long, max allowable is 209715200 bytes. Change the
>> nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2
From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo
On 04/08/2015 12:36 PM, Alexander Frolushkin wrote:
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 08, 2015 4:18 PM
To: Martin Kosek
Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident
On Wed, Apr 08, 2015 at 11:40:08AM +, Alexander Frolushkin wrote:
> After that, client are able to login via ssh on servers connected to 7.1
> servers, but still no login on client servers connected to 7.0 IPA servers...
There we might be a problem with ACIs, can you check the logs on the
cli
On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
>
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Wednesday, April 08, 2015 5:12 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject:
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working
>
> Even if I do a sudo -l under the admin user
>
> [admin@ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this hos
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 5:12 PM
To: Alexander Frolushkin (SIB)
Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On Wed, Apr 08, 2
Sudo seems to be configured correctly but somehow it's not working
Even if I do a sudo -l under the admin user
[admin@ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
On Wed, Apr 08, 2015 at 11:07:25AM +, Alexander Frolushkin wrote:
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 08, 2015 4:47 PM
> To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
> Thierry Bordaz; Jakub Hrozek
>
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:47 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz; Jakub Hrozek
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>> In any case, upgrade
HI Traino,
thanks for the info
i have checked the hosts and confirmed that entry was
format
And the DNS everything is working
[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp
_kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
echo ""; dig @mha.lo
On 04/08/2015 12:12 PM, Alexander Frolushkin wrote:
>
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 08, 2015 4:04 PM
> To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
> Thierry Bordaz
> Subject: Re: [Freeipa-users]
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 08, 2015 4:18 PM
To: Martin Kosek
Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 12:04 PM, Martin
Hi Ben
On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George wrote:
> HI
>
> i am getting krb5kdc: Server error on logs:
>
> krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
>
> and the ipactl status is taking long time. Web interface is not able to
> authenticate.
>
> If i iss
On 04/08/2015 12:04 PM, Martin Kosek wrote:
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
Hello!
We used to have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:04 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 11:52 AM, Alexander Fr
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
> Hello!
> We used to have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
> was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
> Now it is broken globally, in logs I see these:
>
> [08/Apr/2015:13:06:47 +0600
Hello!
We used to have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see these:
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr="ipaProtected
HI
i am getting krb5kdc: Server error on logs:
krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
and the ipactl status is taking long time. Web interface is not able to
authenticate.
If i issue ipactl restart, nothing is happening
to solve this issue currently i am restar
On 08.04.2015 at 10:57, Jakub Hrozek wrote:
>
> >
> >
> > Most of the host can only communicate in the local net, which has not
> > that much hosts (10). The wired ones are connected via GBit Network,
> > wireless it is up to 150MBit. Server is a Xeon E3-1225 with 8GB Mem. All
> > Systems have F
> On 8 April 2015 at 10:59, Martin Kosek wrote:
>
>
> On 04/08/2015 07:57 AM, Markus Roth wrote:
> >
> >> On 1 April 2015 at 23:56, Endi Sukma Dewata
> >> wrote:
> >>
> >>
> >> On 4/1/2015 4:29 PM, Markus Roth wrote:
> >>> On Wednesday, 1 April 2015, 16:04:54, you wrote:
>
On 04/08/2015 07:57 AM, Markus Roth wrote:
>
>> On 1 April 2015 at 23:56, Endi Sukma Dewata
>> wrote:
>>
>>
>> On 4/1/2015 4:29 PM, Markus Roth wrote:
>>> On Wednesday, 1 April 2015, 16:04:54, you wrote:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>> On 03/31/2015 01:54
I have done below and it's giving me the correct results and at the moment
LET ME enable debugging in sudo itself and see if that will get me somewhere
[root@ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.
On Wed, Apr 08, 2015 at 10:43:10AM +0200, Martin (Lists) wrote:
> On 08.04.2015 at 10:27, Jakub Hrozek wrote:
> > Can you run:
> > KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM
> >
> > So that we can compare with the krb5_child.log you sent earlier? I
> > wonder if SSSD talks to a KDC that
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth wrote:
>
> Yesterday I did the installation of freeipa on my banana Pi with
> modifying the source file ipalib/constants.py:('startup_timeout', 300).
> I changed it to 900 s. And the setup process was successful! The start of
> the CA had a duratio
On 08.04.2015 at 10:27, Jakub Hrozek wrote:
> Can you run:
> KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM
>
> So that we can compare with the krb5_child.log you sent earlier? I
> wonder if SSSD talks to a KDC that is slower or far away from your
> client..
>
This is my trace from kinit:
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache
On Wed, Apr 08, 2015 at 10:11:01AM +0200, Martin (Lists) wrote:
> On 07.04.2015 at 18:27, Simo Sorce wrote:
> > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> >> Hello
> >>
> >> attached you can find the data from krb_child.log. As far as I can see
> >> it, the three seconds are due to
On 07.04.2015 at 18:27, Simo Sorce wrote:
> On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
>> Hello
>>
>> attached you can find the data from krb_child.log. As far as I can see
>> it, the three seconds are due to the communication with the kerberos
>> server. (1.2.3.4 is my server).
>
>
I have this log after doing a debug_level=6 in the sudo section and have
attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
[root@ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sysdb_domain_init_internal]
(0x0200): DB File for ai
On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
> I have these logs and can't seem to make sense of them
These are not the logs we asked for. What we need is debug_level=6 in
the sudo section, then run sudo, then attach
/var/log/sssd/sssd_sudo.log.
It would also be nice if you c
I have these logs and can't seem to make sense of them
I have created the hostgroup mailservers and have added the sudo rule that
allows the users to execute sudo vim anyfile
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
(Wed
On (08/04/15 09:25), Chamambo Martin wrote:
>Good day
>
>I am running FreeIPA, version: 4.1.0 and everything is working well except
>SUDO configuration.
>
ipa-client-install on CentOS 7.1 should configure sudo by default.
>I have 3 questions
>
> 1: I have configured the bare minimum sudo co
On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
> Good day
>
> I am running FreeIPA, version: 4.1.0 and everything is working well except
> SUDO configuration.
>
> I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
> hostgroups and net
Good day
I am running FreeIPA, version: 4.1.0 and everything is working well except
SUDO configuration.
I have 3 questions
1: I have configured the bare minimum sudo configuration without
hostgroups and netgroups , just sudo commands and sudo command groups that
have been added as sudo
67 matches