Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
"Molnár Domokos" wrote: >On 09/14/2015 03:08 PM, Pavel Březina wrote: >>On 09/11/2015 02:40 PM, Molnár Domokos wrote: >>>Full log attached. >>>"Molnár Domokos" wrote: >>> >>> >>>"Pavel Březina" wrote: >>> >>>On 09/09/2015 09:31 PM, Molnár Domokos wrote: >>> > I have a workin

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
Jakub Hrozek wrote: >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote: >> On 09/14/2015 03:08 PM, Pavel Březina wrote: >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote: >> >> >>Full log attached. >> >>"Molnár Domokos" wrote: >> >> >> >> >> >>"Pavel Březina" wrote: >> >> >> >>

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-15 Thread Petr Spacek
On 15.9.2015 03:29, Nathan Peters wrote: > I think it was not having dynamic updates enabled for the reverse zone. I Yes, that is it. See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for more details. > enabled those and PTR sync on both the forward and reverse and now it seems to

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote: > > Jakub Hrozek wrote: > >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote: > >> On 09/14/2015 03:08 PM, Pavel Březina wrote: > >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote: > >> > >> >>Full log attached. > >> >>"

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
Jakub Hrozek wrote: >On Tue, Sep 15, 2015 at 09:13:09AM +0200, Molnár Domokos wrote: >> >> Jakub Hrozek wrote: >> >On Tue, Sep 15, 2015 at 07:25:17AM +0200, Molnár Domokos wrote: >> >> On 09/14/2015 03:08 PM, Pavel Březina wrote: >> >> >On 09/11/2015 02:40 PM, Molnár Domokos wrote: >> >> >> >>

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-15 Thread Jan Pazdziora
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote: > On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > > wrote: > > > > > on a centos 7.1 host when enrolling it with (among other) the switch > > > --request-cert it doe

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-15 Thread Brian J. Murrell
On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote: > Due to the bug in mod_nss that prevents SNI from functioning (i.e. > limits a port to a single certificate) I need to add SANs > (SubjectAltName) to the certificate that freeipa created for the > webserver (Server-Cert) so that I can add

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Alexander Bokovoy
On Tue, 15 Sep 2015, Molnár Domokos wrote: #hostnamectl set-hostname nappali.silva on modern systems. doma@nappali:/home/doma> hostname --fqdn nappali.szilva doma@nappali:/home/doma> su Password: nappali:/home/doma # hostnamectl set-hostname nappali.szilva nappali:/home/doma # hostname nappali

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-15 Thread Martin Kosek
On 09/15/2015 12:35 PM, Brian J. Murrell wrote: > On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote: >> Due to the bug in mod_nss that prevents SNI from functioning (i.e. >> limits a port to a single certificate) I need to add SANs >> (SubjectAltName) to the certificate that freeipa created

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-15 Thread Brian J. Murrell
On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote: > BTW, there was related thread on freeipa-users in the past, with some > links to > related information: > > https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html So this writeup seems to ignore the fact that Apache and the c

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Jakub Hrozek
On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote: > On Tue, 15 Sep 2015, Molnár Domokos wrote: > >>#hostnamectl set-hostname nappali.silva > >>on modern systems. > >> > >>>doma@nappali:/home/doma> hostname --fqdn > >>>nappali.szilva > >doma@nappali:/home/doma> su > >Password: > >na

[Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-15 Thread Andy Thompson
I just updated several machines to RHEL 6.7 and seem to have broken my sudo rules. I've tracked the problem down to having Default_domain_suffix = ad.domain In the sssd.conf. If I remove that I can login using the fqn from AD and sudo rules are applied as configured. However I don't want to

Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo

2015-09-15 Thread Jakub Hrozek
Sorry for not replying sooner, many of us were mostly offline last week. I'll try to reproduce locally.. On Tue, Sep 15, 2015 at 12:24:45PM +, Andy Thompson wrote: > I just updated several machines to RHEL 6.7 and seem to have broken my sudo > rules. I've tracked the problem down to having

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-15 Thread Molnár Domokos
On 09/15/2015 01:37 PM, Jakub Hrozek wrote: >On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote: >>On Tue, 15 Sep 2015, Molnár Domokos wrote: #hostnamectl set-hostname nappali.silva on modern systems. >doma@nappali:/home/doma> hostname --fqdn nappali.szilva >>>doma@n

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-15 Thread Alexandre Ellert
So, here is the recap : I migrate a single IPA server Centos 6.6 to dual IP server Centos 7.1. The PKI was only installed on server two. Everything was working fine, replication OK, new enrollments OK, authentication with Kerberos and LDAP OK. After some time, I discover that pki tomcatd service d

[Freeipa-users] Partial replica

2015-09-15 Thread Nicola Canepa
Hello list. I'm trying to make a test deploy of FreeIPA, and I was wondering if it is possible to authenticate remote sites via LDAP by having a partial replica based on some filter (maybe a group, an attribute or similar). Sorry if this is a silly question, but I am trying to explore the po

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-15 Thread Steven Jones
Hi, I am in a similar boat, well RHEL6.7 to RHEL7.1. I joined a RHEL7.1 / IPA4.1 to the 6.7 / IPA3.0 --self-cert domain, got rid of all the 6.7's so I was ca-less. Did a full backup on the RHEL7.1 / IPA 4.1. Blew away the ipa server, installed fresh, pki-tomcat runs, did a restore and pki-t