Re: [Freeipa-users] ipa trust-add seems to work, but doesn't add the trust in FreeIPA

2016-03-09 Thread Alexander Bokovoy
On Thu, 10 Mar 2016, Darren Poulson wrote: Hi, So, after I got the ipa-adtrust-install working, I tried to create a trust between our freeipa cluster, and a new AD machine. It seemed to run ok, and gave an output, but in the ui under trusts, there is nothing. [root@freeipa1-01 httpd]# ipa

Re: [Freeipa-users] [requirements gathering] Notification system / hooks

2016-03-09 Thread Mike Kelly
As an admin, I want to get a notification when a user's password is reset, or when they update their password, so that I can disable a user who does not change their password a certain amount of time after it was reset. Basically, the goal is to have a way to implement a policy like "if we reset

[Freeipa-users] ipa trust-add seems to work, but doesn't add the trust in FreeIPA

2016-03-09 Thread Darren Poulson
Hi, So, after I got the ipa-adtrust-install working, I tried to create a trust between our freeipa cluster, and a new AD machine. It seemed to run ok, and gave an output, but in the ui under trusts, there is nothing. [root@freeipa1-01 httpd]# ipa trust-add --type=ad ad.genops --admin

[Freeipa-users] sudo users

2016-03-09 Thread Teik Hooi Beh
Hi, I am trying to deploy sudo rules in FreeIPA 4.2 on CentOS 7.2. I have created 2 sudo rules, one with sudo options=!authenticate (NOPASSWD) and the other sudo options=authenticate (PASSWD) (which I assume requires the user to key in the password to run). The NOPASSWD works but the one with

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Thanks, Adding with ldapmodify seems to have done the trick. Can run ipa-adtrust-install at least. Now having other issues, but that’s for a different thread. :) Cheers, Darren. On 3/9/16, 3:17 PM, "Sumit Bose" wrote: >On Wed, Mar 09, 2016 at 02:21:31PM +, Darren

Re: [Freeipa-users] Existing clients join new cluster

2016-03-09 Thread Rob Crittenden
Ash Alam wrote: > Hello > > I am looking for some advice on how to make my existing clients join a > new ipa cluster. We have an existing cluster (3.0) and after several > attempts at upgrading we decided to just build a fresh cluster (4.2). We > now want the clients to join the new cluster. It seems

Re: [Freeipa-users] Cannot add password policy

2016-03-09 Thread Rob Crittenden
Bob Hinton wrote: > Hi, > > I've been trying to add a password policy for an existing user group > called "services" in IPA version 4.2.0. > > ipa pwpolicy-add services > ipa: ERROR: entry with name "services" already exists > > ipa pwpolicy-show services > ipa: ERROR: services: password policy

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Ludwig Krispenz
On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote: On 03/09/2016 04:46 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote: if

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Andrew E. Bruno
On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote: > > On 03/09/2016 04:46 PM, Andrew E. Bruno wrote: > >On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote: > >>On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote: > >>>if the process hangs, could you get a

[Freeipa-users] Replica without CA: implications?

2016-03-09 Thread Cal Sawyer
Hi, Somehow I picked the wrong cookbook when I provisioned my first (and only) replica and it lacks a CA and so, as pointed out in a recent thread, creates a single point of failure. Not ready to set up 2 more replicas yet and am still in testing. Is it possible to replicate the master's CA to

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Andrew E. Bruno
On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote: > > On 03/09/2016 03:46 PM, Andrew E. Bruno wrote: > >Hello, > > > >We had a replica fail today with: > > > >[09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - > >_cl5NewDBFile: PR_DeleteSemaphore: >

Re: [Freeipa-users] Users directory Browsing -

2016-03-09 Thread Matt Wells
A really good point, however I'm fortunate enough that the only items authenticating are applications. I agree with you also that it's a bit of a Pandora's box; I've decided that it's best to leave the systems in default state and use a tool like PWM for this self service component. On Wed, Mar 9,

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 02:21:31PM +, Darren Poulson wrote: > Hi, > > Here’s what I get. The initial default range as created by freeipa and > contains all our users, and a second one that I created for system > accounts. The 'ipa idrange' utility does various checks to prevent that idranges

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Ludwig Krispenz
On 03/09/2016 03:46 PM, Andrew E. Bruno wrote: Hello, We had a replica fail today with: [09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR

Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-09 Thread Martin Kosek
On 03/07/2016 10:03 PM, Thomas Raehalme wrote: > Hi! > > I have set up certificates for Puppet as described here: > http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet > > Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert > request" to generate the private/public key for

[Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Andrew E. Bruno
Hello, We had a replica fail today with: [09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR error - -5943 dirsrv just hangs here. Doesn't

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Hi, Here’s what I get. The initial default range as created by freeipa and contains all our users, and a second one that I created for system accounts. [root@freeipa1-01 ~]# ipa idrange-find 2 ranges matched Range name: BUR.US.GENOPS_id_range First Posix ID

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 01:31:00PM +, Darren Poulson wrote: > Hi, > > I’d tried that, but get this: > > [root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000 > ipa: ERROR: This command can not be used to change ID allocation for local > IPA domain. Run `ipa help idrange` for more

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Hi, I’d tried that, but get this: [root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000 ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information Thanks, Darren. On 3/9/16, 9:45 AM,

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-03-09 Thread Prashant Bapat
To follow up on this. I think the issue is resolved. We have 8 IPA servers. And the primary server on which this error was occurring had 7 replication agreements! Ended up changing the replication agreements so that 2 servers had 4 agreements (3 + 1 amongst themselves) and all others with 2

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote: > Hi, > > We're currently trying to set up an AD domain (great fun for a bunch of > linux admins... not) so that we can get authentication working with various > bits of hardware that only support AD. We want this domain to trust our >

Re: [Freeipa-users] Users directory Browsing -

2016-03-09 Thread Petr Spacek
On 8.3.2016 15:29, Matt Wells wrote: > For my use case it is. Essentially the system will be application auth for > separate groups that have no need to know of one another, almost a > multi-tenant mode. I wanted to expose a 'self service' url. I've found a > community ipa portal for password