[Freeipa-users] Slow non-kerberised nfs mounts when ipa started

Hi I'm not sure this is quite the right place to post this query, but the problem is provoked by starting the ipa server so hopefully someone on the list might have encountered and resolved the issue already. This on a fully updated Redhat 7.2 system. Once I have my ipa server started I'm

[Freeipa-users] How to migrate from freeipa distribution to separate components

Hello ! I send you this mail because I have a question relative to the migration from the IPA distribution to the separate components. With FreeIPA, we are using only : - MIT Kerberos - DS389 - The PKI CA is installed but not used from our side Is it possible to migrate to the following

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On Wed, 2016-01-13 at 14:54 +0100, bahan w wrote: > Hello ! > > I send you this mail because I have a question relative to the migration > from the IPA distribution to the separate components. > > With FreeIPA, we are using only : > - MIT Kerberos > - DS389 > - The PKI CA is installed but not

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On Wed, 2016-01-13 at 17:10 +0100, bahan w wrote: > Re ! > > Thank both of you again for your answers, guys. > > Simo, I would be very interested in this feature list in fact. > Do you know if there is a way to find it ? > I would really need it, it would help a lot. You can start from here:

Re: [Freeipa-users] IPA users not visible in NIS passwd map

They are authenticated using CRYPT passwords. i.e. Even after a user is disabled in ipa, it's entry is still visible in ypcat passwd on the clients. On Wed, Jan 13, 2016 at 4:17 PM, Alexander Bokovoy wrote: > On Wed, 13 Jan 2016, Prasun Gera wrote: > >> I think I've solved

Re: [Freeipa-users] IPA users not visible in NIS passwd map

I think I've solved this. I don't know what or who enabled it, but for some reason the original NIS service (ypserv) was running on the server. That was taking precedence over ipa's fake NIS, and causing problems. I have now deleted the maps and commented them out in the Makefile so that it

[Freeipa-users] configure: error: xmlrpc-c/base.h not found

Hi all, I am getting an error with make for both freeipa-4.3.0 and freeipa-4.2.0; both errors are the same: checking for xmlrpc-c/base.h... no configure: error: xmlrpc-c/base.h not found make: *** [client-autogen] Error 1 I read from http://www.freeipa.org/page/Releases/4.0.0 that XMLRPC system

Re: [Freeipa-users] IPA users not visible in NIS passwd map

On Wed, 13 Jan 2016, Prasun Gera wrote: I think I've solved this. I don't know what or who enabled it, but for some reason the original NIS service (ypserv) was running on the server. That was taking precedence over ipa's fake NIS, and causing problems. I have now deleted the maps and commented

Re: [Freeipa-users] configure: error: xmlrpc-c/base.h not found

Anthony Cheng wrote: > Hi all, > > I am getting an error with make for both freeipa-4.3.0 > and freeipa-4.2.0; both errors are the same: > > checking for xmlrpc-c/base.h... no > configure: error: xmlrpc-c/base.h not found > make: *** [client-autogen] Error 1 > > I read from

[Freeipa-users] IPA-Server installation

Hi, Trying to install IPA-Server but failing. The file "b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2" is no longer available. It has been replace by "14824767ac8a1b07914066cf2f721b1ba0de7cf93e04662a6f669cb302de61d1-primary.sqlite.bz2" NEW FILE

Re: [Freeipa-users] py.test is missing

On Wed, 13 Jan 2016, Adam Kaczka wrote: Hi, I am trying to run make-test in 4.0.2 after make and I see that it is trying to run py.test but I don't see py.test anywhere in the directory? For some reason it is simply missing. pytest is a separate package which you need to install. -- /

Re: [Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec

Thanks It works like a charm. Btw I switched to en_US.iso Fixed for me. > Le 6 janv. 2016 à 22:21, Carlos Raúl Laguna a écrit : > > Happy new year to all, just to point out that this also affect Fedora23 > Free-IPA 4.2.0 and 4.3.0 from corps. locale are set to

[Freeipa-users] py.test is missing

Hi, I am trying to run make-test in 4.0.2 after make and I see that it is trying to run py.test but I don't see py.test anywhere in the directory? For some reason it is simply missing. -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] IPA-Server installation

On Wed, 13 Jan 2016, Gady Notrica wrote: Hi, Trying to install IPA-Server but failing. The file "b0789cdf06109ebe3313dab51585247700dd285b7eb0bc83f9d80a90cf2360f6-primary.sqlite.bz2" is no longer available. It has been replace by

Re: [Freeipa-users] FreeIPA Replica / HA Issues

Hello, this log is weird: On 14.1.2016 03:02, Jeff Hallyburton wrote: >> 2016-01-14T00:45:35Z DEBUG [IPA Discovery] >> 2016-01-14T00:45:35Z DEBUG Starting IPA discovery with >> domain=west-2.production.example.com, servers=None, >> hostname=test.west-2.production.example.com >>

Re: [Freeipa-users] IPA users not visible in NIS passwd map

On Wed, 13 Jan 2016, Prasun Gera wrote: They are authenticated using CRYPT passwords. i.e. Even after a user is disabled in ipa, it's entry is still visible in ypcat passwd on the clients. https://fedorahosted.org/slapi-nis/ticket/10 The definition is unfortunately in the C code, so it would

Re: [Freeipa-users] IPA users not visible in NIS passwd map

Great! I hope it makes it downstream to RHEL. On Wed, Jan 13, 2016 at 4:27 PM, Alexander Bokovoy wrote: > On Wed, 13 Jan 2016, Prasun Gera wrote: > >> They are authenticated using CRYPT passwords. i.e. Even after a user is >> disabled in ipa, it's entry is still visible in

[Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and the replica process is failing to install on the new system: 2016-01-13T17:27:46Z DEBUG Starting external process 2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o' 2016-01-13T17:28:19Z DEBUG

[Freeipa-users] FreeIPA Replica / HA Issues

We've deployed a FreeIPA server in a client infrastructure and now we're working on making that setup HA. We've created a replica and I can verify that the replica has connectivity to the existing master and ensured that the auto-discovery DNS records are set up for LDAP / Kerberos / etc, but I'm

Re: [Freeipa-users] FreeIPA Replica / HA Issues

Jeff Hallyburton wrote: > We've deployed a FreeIPA server in a client infrastructure and now we're > working on making that setup HA. We've created a replica and I can > verify that the replica has connectivity to the existing master and > ensured that the auto-discovery DNS records are set up

Re: [Freeipa-users] GID, groups and ipa group-show

This is an old thread, but I can confirm that this is still an issue on RHEL 7.2 + 4.2. This creates problems when there are roles associated with groups, but group membership through GID is broken. I had migrated all old NIS accounts into ipa. I then added the host enrollment role to a particular

Re: [Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

Followup:  I also tested converting an existing 4.2 system to be a CA by running ipa-ca-install and got the same error. So it seems the original system had a failure point prior to the heating issues. The 4.2 system has been running for quite a while (with regular updates from an early 4.0). On

Re: [Freeipa-users] FreeIPA Replica / HA Issues

Rob, Full log is attached. Jeff Jeff Hallyburton Strategic Systems Engineer Bloomip Inc. Web: http://www.bloomip.com Engineering Support: supp...@bloomip.com Billing Support: bill...@bloomip.com Customer Support Portal: https://my.bloomip.com On Wed, Jan 13, 2016 at

Re: [Freeipa-users] tricky one in OpenLDAP migration, groups

Might it be possible with a user-mod or group-add/group-mod to accomplish? Just thinking outside the box I guess. ~J On 1/13/16 7:59 AM, Rob Crittenden wrote: Janelle wrote: Hello, This may not be possible, or if it is I am going to guess it is not going to be easy. If I have an old OpenLDAP

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

Re ! Thank both of you again for your answers, guys. Simo, I would be very interested in this feature list in fact. Do you know if there is a way to find it ? I would really need it, it would help a lot. Best regards. Bahan On Wed, Jan 13, 2016 at 4:11 PM, Martin Kosek

Re: [Freeipa-users] tricky one in OpenLDAP migration, groups

Janelle wrote: > Might it be possible with a user-mod or group-add/group-mod to accomplish? > > Just thinking outside the box I guess. The hard part is the UPG. I think you'd need an ldapmodify to achieve that. IIRC you'd need to manually create the managed group entry and in the same update

Re: [Freeipa-users] tricky one in OpenLDAP migration, groups

Janelle wrote: > Hello, > > This may not be possible, or if it is I am going to guess it is not > going to be easy. If I have an old OpenLDAP environment with users who > never had unique UIG/GID - in other words, the GID was not unique to a > user, instead it was some global group. Well, I was

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On 01/13/2016 03:57 PM, bahan w wrote: > Re. > > Thanks both of you for your answers. > > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same > kind of service that we want from IPA, even if it is not embedded in > integrated solution like IPA. > > I totally agree that

[Freeipa-users] tricky one in OpenLDAP migration, groups

Hello, This may not be possible, or if it is I am going to guess it is not going to be easy. If I have an old OpenLDAP environment with users who never had unique UIG/GID - in other words, the GID was not unique to a user, instead it was some global group. Well, I was hoping to migrate over

[Freeipa-users] tricky one in OpenLDAP migration, groups

Hello, This may not be possible, or if it is I am going to guess it is not going to be easy. If I have an old OpenLDAP environment with users who never had unique UIG/GID - in other words, the GID was not unique to a user, instead it was some global group. Well, I was hoping to migrate over

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

El mié, 13-01-2016 a las 15:57 +0100, bahan w escribió: > Re. > > Thanks both of you for your answers. > > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the > same kind of service that we want from IPA, even if it is not > embedded in integrated solution like IPA. > > I

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

Hello Simo ! For the reason : The production team wants to use only the two components openLDAP and MIT Kerberos, possibily on different servers. For the explanation : They want to install only MIT Kerberos and openLDAP. We already have an existing FreeIPA installation, with users, groups,

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On Wed, 13 Jan 2016, bahan w wrote: Hello Simo ! For the reason : The production team wants to use only the two components openLDAP and MIT Kerberos, possibily on different servers. For the explanation : They want to install only MIT Kerberos and openLDAP. We already have an existing FreeIPA

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On Wed, 2016-01-13 at 15:10 +0100, bahan w wrote: > Hello Simo ! > > For the reason : > The production team wants to use only the two components openLDAP and MIT > Kerberos, possibily on different servers. > > For the explanation : > They want to install only MIT Kerberos and openLDAP. > We

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

Re. Thanks both of you for your answers. Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same kind of service that we want from IPA, even if it is not embedded in integrated solution like IPA. I totally agree that IPA provides a lot of things but I am quite sure the

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

On Wed, 2016-01-13 at 15:57 +0100, bahan w wrote: > Re. > > Thanks both of you for your answers. > > Simo, MIT Kerberos and OpenLDAP can work on their own and provide the same > kind of service that we want from IPA, even if it is not embedded in > integrated solution like IPA. > > I totally