Hi Petr,
Thanks for the response.
I didn't know about Samba 4, so that's worth some further investigation on my
part - Thanks.
So from what you've said below it can't run as a standalone, but SSSD does
allow caching (if a user has authenticated previously).. does IPA have the ability
to cache cr
Hi again
After further testing, it seems like my problems were caused by the use
of the -F option on the kinit line.
Roderick
On 05/05/2016 22:31, Roderick Johnstone wrote:
Hi Mike
Thanks for sharing your setup. It looks pretty much like mine.
I just tried your kinit command syntax and the
[This didn't show up in the archives or list after 12 hours, so resending.
Sorry if it's a dupe.]
I've been googling and looking through the documentation, but I have yet to
find official docs for the Python API for FreeIPA.
The first result for 'python' when doing a search on www.freeipa.org i
Anthony Cheng wrote:
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert and re-add certificate w/ valid date and
f
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert and re-add certificate w/ valid date and
fix cert trust attribute
Hi Mike
Thanks for sharing your setup. It looks pretty much like mine.
I just tried your kinit command syntax and then I can ipa ping
successfully. Then I tried my kinit syntax (after a kdestroy) and I can
still ipa ping successfully!
So, it does work now, but I don't know why it didn't work
On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
>
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request, anything following is
Hi Fraser,
Thank you very much for the immediate response. Our use-case for Dogtag is:
our installation engineers request a signing CA cert through the Dogtag web
interface, and our admin grants the request, anything following is not
managed with Dogtag. So we only use Dogtag for managing the root
Roderick,
Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k
/root/svc_useradm.keytab
Now we can leverage the keytab for that u
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.
These are the steps I took:
# yum update -y
# yum install -y nano net-tools wget
# yum install -y
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# w
Hi
I need to run some ipa commands in cron jobs.
The post here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
suggests I need to use a keytab file to authenticate kerberos.
I've tried the prescription there, with variations, without success.
My current testing frame
I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:
[root@host /]# date
Thu May 5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=exa
On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [get_and_save_tgt]
> (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [map_krb5_error]
> (0x0020): 1069
On 05.05.2016 15:54, Andrew Holway wrote:
Hello,
We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for but
we were n
I'm trying to create a new replica and i receive the following message:
onfiguring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/8]: adding sasl mappings to the directory
[2/8]: configuring KDC
[3/8]: creating a keytab for the directory
[4/8]: creating a keytab for the machine
[
On 05/05/2016 03:54 PM, Andrew Holway wrote:
Hello,
We've been using Freeipa on Centos for a while and found one day that
the replication stuff was broken and that the LDAP database on our pair
of IPA servers was inconsistent. We didn't know how long this had been
broken for but we were not able
Hello,
We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for
but we were not able to repair it either.
We use AWS so we've now
lejeczek wrote:
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
lejeczek wrote:
hi users, as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is domain member) ? I understand
certificat
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate
>>> to a host (which
+1 For enforcing OTP in web UI.
When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to log in only using passwd+OTP.
Are there any ideas for ensuring that all users are using OTP tokens ?
On 4 May 2016 at 05:12, Peter Bisroev wrote:
Hi all:
Original config server <> server02 , either server can add user and syn
Now server < server02 ,GSSAPI show as below ..ANY idea? THX
[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size
1048576
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host (which is domain member) ?
> > I understand cer
On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to configure/setup an
> on-site cache &/or replica from an AD Server which will be uni-directional
> (AD -> IPA/slapd)
>
> The master are multiple AD Servers located around the place, an
On 4.5.2016 16:33, Jakub Hrozek wrote:
> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
>> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
>>> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
On (03/05/16 15:09), Alexandre de Verteuil wrote:
> Hello all,
>
>>
Hi All:
I restore from backup but some lib / pki error come.
As the package is ipa-server-3.0.0-26.el6_4.4.x86_64
But now is ipa-server-3.0.0-47.el6.centos.2.x86_64 , it seem no harm ?
How to tune it ?
Starting KDC Service
Starting Kerberos 5 KDC: [ OK
25 matches