It's worth noting that, in difference to the bug report:
1. We aren't making changes to the overrides. The overrides exist, they
just aren't propagating evenly or consistently.
2. We are seeing these errors in the various logs:
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
[sysdb
Hmmm, I also now see
https://fedorahosted.org/sssd/ticket/2642
and
https://bugzilla.redhat.com/show_bug.cgi?id=1217127
Versions being run:
sssd-client-1.13.0-40.el7_2.4.x86_64
sssd-ad-1.13.0-40.el7_2.4.x86_64
sssd-proxy-1.13.0-40.el7_2.4.x86_64
sssd-1.13.0-40.el7_2.4.x86_64
sssd-common-1.13.0-40
If it's the admin account, there would be a pretty good likelihood of
bruteforce attempts if your server is on the internet. One option is to
rename it to something else.
On 17 May 2016 11:36 a.m., "Rich Megginson" wrote:
> On 05/17/2016 08:18 AM, Rob Crittenden wrote:
>
>> John Duino wrote:
>>
>
Alexander Bokovoy wrote:
On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
I'm trying to set up an account that will only have read permissions
to FreeIPA's user and host info to get some automated documentation
tasks running. Basically I want to set up a cron job on a FreeIPA
server that w
On Tue, 17 May 2016, John Meyers wrote:
All,
I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2). The IPA side works perfectly and AD users can
authenticate against IPA resources. However, when one tries to add an
IPA user or group to a Windows permissi
All,
I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23)
and AD (Windows 2012R2). The IPA side works perfectly and AD users can
authenticate against IPA resources. However, when one tries to add an
IPA user or group to a Windows permission set (e.g. an NTFS ACL or user
right), W
On Tue, 17 May 2016, Stephen Berg (Contractor) wrote:
I'm trying to set up an account that will only have read permissions
to FreeIPA's user and host info to get some automated documentation
tasks running. Basically I want to set up a cron job on a FreeIPA
server that will read info using the
I'm trying to set up an account that will only have read permissions to
FreeIPA's user and host info to get some automated documentation tasks
running. Basically I want to set up a cron job on a FreeIPA server that
will read info using the ipa command line tools like "ipa user-find",
"ipa user
On Tue, 17 May 2016, lejeczek wrote:
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
On Tue, 17 May 2016, lejeczek wrote:
> hi users/devs
>
> I've used wiki pages to set AD - IPA trust, and it always ends up
> being
> realm type of trust (@ AC DC end) whereas wiki shows forest type.
>
On 05/17/2016 08:18 AM, Rob Crittenden wrote:
John Duino wrote:
Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it
Hello,
This is an older thread now but our mitigation guys found a solution in
fixing this that I think you all may want as the output has now changed
from the 13 ciphers that would not change to the below. It's a rather easy
fix as well and possibly I missed it with assumptions.
You need to
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
> On Tue, 17 May 2016, lejeczek wrote:
> > hi users/devs
> >
> > I've used wiki pages to set AD - IPA trust, and it always ends up
> > being
> > realm type of trust (@ AC DC end) whereas wiki shows forest type.
> > What am I doing wrong?
>
Adam Kaczka wrote:
I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that
CA chain is missing; so I am thinking I may have to use
|ipa-server-certinstall| to reinstall the two certs.
I really doubt it. I'm not sure what can't be found, maybe one of the
dogtag devs has an idea
John Duino wrote:
Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.
i
On Tue, 17 May 2016, lejeczek wrote:
hi users/devs
I've used wiki pages to set AD - IPA trust, and it always ends up being
realm type of trust (@ AC DC end) whereas wiki shows forest type.
What am I doing wrong?
Probably because you are choosing wrong type of trust on AD side.
Remove any trust
barry...@gmail.com wrote:
Hi:
2 servers configured as multi master but one of them cannot telnet 7389
how can I check and re-enable it?
Server cannot telnet 7389 should I reinstall CA service ...is it
related?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
M
Is there a “soft” way to change the number of rows in tables like the hosts and
DNS records search facets? I think I’d happily trade a little interactivity
when going from one facet to another for the ability to see four or five times
as much information on a single screen at once. I get that I
On 05/17/2016 12:49 PM, Ludwig Krispenz wrote:
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
Hello,
I am new to freeIPA and I am recently working on a project to
integrate freeIPA with some legacy application which uses LDAP for
user management.
I have initially created our own ldap stru
hi users/devs
I've used wiki pages to set AD - IPA trust, and it always ends up being
realm type of trust (@ AC DC end) whereas wiki shows forest type.
What am I doing wrong?
I think I must be doing something wrong for having that trust
established (or at least I think I have it) when @IPA end I do:
On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but in
>
On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> FWIW,
>
> We are seeing the issues that are described here:
>
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
>
> I was about to write when I found this, it explains exactly what I am
> seeing - right
On Mon, 16 May 2016, Giuseppe Sarno wrote:
Hello,
I am new to freeIPA and I am recently working on a project to integrate
freeIPA with some legacy application which uses LDAP for user
management. I have initially created our own ldap structure and I
tried to run the code against freeIPA/389DS. W
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
Hello,
I am new to freeIPA and I am recently working on a project to
integrate freeIPA with some legacy application which uses LDAP for
user management.
I have initially created our own ldap structure and I tried to run the
code against freeIP
On 16.5.2016 23:19, Giuseppe Sarno wrote:
> Hello,
> I am new to freeIPA and I am recently working on a project to integrate
> freeIPA with some legacy application which uses LDAP for user management.
> I have initially created our own ldap structure and I tried to run the code
> against freeIPA/
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote:
Hello,
I am new to freeIPA and I am recently working on a project to integrate
freeIPA with some legacy application which uses LDAP for user management.
I have initially created our own ldap structure and I tried to run the
code against freeIPA/389D
On 16.5.2016 19:59, Simo Sorce wrote:
> On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote:
>> hi users/devel
>>
>> I'm trying to grasp the concepts - can IPA be plugged into AD domain,
>> be part of it as a subdomain?
>
> No, the only trust type we handle is a Forest level trust, so FreeIPA
> need
On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > .. if possible, would you know?
> > hi everybody,
> > I'm trying, and hoping it is possible to realm join an AD but in
> > such a
> > way so I tap my IPA into specific OU within that
> I have some questions for the author himself or anyone who has replicated
> his work:
>
> - Which OS X versions has this been tested on?
10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May
2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions
a
FWIW,
We are seeing the issues that are described here:
https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
I was about to write when I found this, it explains exactly what I am
seeing - right down to the "impossible to reproduce because it's so
(seemingly) random".
I am
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Alexander Bokovoy
> Sent: Monday, 16 May 2016 11:46 PM
> To: Lachlan Musicman
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored i
On Tue, 17 May 2016, Simpson Lachlan wrote:
>I feel like it would be an obvious need - to translate or override AD
>primary groups to FreeIPA groups, but this doesn't seem possible.
There is only one primary group for a user. For Kerberos operations we currently
don't take ID overrides into accou
Hi:
2 servers configured as multi master but one of them cannot telnet 7389
how can I check and re-enable it?
Server cannot telnet 7389 should I reinstall CA service ...is it
related?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTT
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Martin Kosek
> Sent: Monday, 16 May 2016 11:28 PM
> To: Lachlan Musicman; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?
Is there a (relatively easy) way to determine what is causing a user
account to be locked out? The admin account on our 'primary' ipa host is
locked out frequently, but somewhat randomly; sometimes it will be less
than 5 minutes it is available, and other times several hours.
ipa user-status admin
I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA
chain is missing; so I am thinking I may have to use ipa-server-certinstall
to reinstall the two certs.
5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object
certificate not found. Error org.mozilla.jss.cryp
Forgot to mention this is for ipa-server-3.0.0-47.el6_7.1.x86_64
Thanks
Sean Hogan
From: Sean Hogan/Durham/IBM@IBMUS
To: freeipa-users
Date: 05/16/2016 04:01 PM
Subject: [Freeipa-users] IPA and RSA
Sent by: freeipa-users-boun...@redhat.com
Hello all,
New req com
Hello,
I am new to freeIPA and I am recently working on a project to integrate freeIPA
with some legacy application which uses LDAP for user management.
I have initially created our own ldap structure and I tried to run the code
against freeIPA/389DS. While running this example I noticed that 389
37 matches