My previous setup was srv2->replica
srv1->srv2
I have removed replica and set it up with the one with identical hostname. Now
I have replication from srv1->replica
and am trying to create another agreement from srv2=>replica
but I am getting the error message above. My guess is that old hostname i
On Thu, 04 Aug 2016, Jake wrote:
Hey All,
I've added external enterprise admins to my local admins group, however
I cannot authenticate to the IPA web interface (nor can I request
Kerberos SPNs to generate dogtag certs even if authenticated on an IPA
client).
Not possible right now.
Is it poss
On Thu, 04 Aug 2016, Matt Comben wrote:
Hi all,
TLDR - Is it possible to sync users FROM FreeIPA TO 'AD'
TLDR - No.
I've started introducing FreeIPA into our network (which is currently
LDAP with linux clients) and migrating client servers to authenticate
against FreeIPA (which has been work
Hey All,
I've added external enterprise admins to my local admins group, however I
cannot authenticate to the IPA web interface (nor can I request Kerberos SPNs
to generate dogtag certs even if authenticated on an IPA client).
Is it possible to use external ldap credentials to manage the IPA A
On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
Hi,
Something went wrong when trying to restore some preserved users so I
deleted them and then tried to recreate them. This failed
Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1:
Authentication Error
And the de
Hi all,
TLDR - Is it possible to sync users FROM FreeIPA TO 'AD'
I've started introducing FreeIPA into our network (which is currently LDAP with
linux clients) and migrating client servers to authenticate against FreeIPA
(which has been working great).
In the past couple of weeks, we were forc
Anon Lister wrote:
I'd also like to throw in that the requirements you are facing are
likely requiring FIPS Certified, not just compliant, as I'm somewhat
familiar with them. (800-53 or 800-171)
Essentially it will have to fall back on the FIPS compliant openssl
implementation, however I believe
Hey All,
Has anyone come across this issue when attempting to use Kerberos auth from
Windows?
PS C:\Users\jevans> ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.2h 3 May 2016
running command:
ssh ipaclient.ipa.example.com -K -v -oGSSAPIDelegateCredentials=yes
-oGSSAPIAuthentication=yes
debug1: Next
Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any
specific LDAP viewer to view the internals? I was looking at Apache Directory
Studio I think it was... but it needs Java and I don't want to add Java
to a server that does not have it, increasing the mitigation/vulnerability
factor o
Is there any indication of a timeframe for it to become FIPS compliant? If
we are talking weeks, rather than years...
Michael Sean Conley
From: Rob Crittenden
To: Michael Sean Conley ,
freeipa-users@redhat.com
Date: 08/04/2016 11:37 AM
Subject: Re: [Freeipa-users]
Sorry, certified openssl implementation*
On Aug 4, 2016 9:38 AM, "Anon Lister" wrote:
> I'd also like to throw in that the requirements you are facing are likely
> requiring FIPS Certified, not just compliant, as I'm somewhat familiar with
> them. (800-53 or 800-171)
>
> Essentially it will have
I'd also like to throw in that the requirements you are facing are likely
requiring FIPS Certified, not just compliant, as I'm somewhat familiar with
them. (800-53 or 800-171)
Essentially it will have to fall back on the FIPS compliant openssl
implementation, however I believe there are other cryp
Michael Sean Conley wrote:
Does ANYONE have any experience getting IPA to work with FIPS?
We're trying desperately to get this going, as we have some requirements
that the Identity Management Tool we choose must be FIPS 140-2 compliant.
No, it doesn't work in FIPS mode yet. If you open a suppo
Does ANYONE have any experience getting IPA to work with FIPS?
We're trying desperately to get this going, as we have some requirements
that the Identity Management Tool we choose must be FIPS 140-2 compliant.
GGHHH
Michael Sean Conley--
Manage your subscription for the Freeipa-users ma
Greetings!
Thanks for clarifying. That makes more sense now.
I'm still not sure what sorts of headaches I would be running into if I do
have FreeIPA and AD both managing servers in the company.com domain. Somehow I
need to find out if these are just mild headaches, or if they are
i
On 08/04/2016 11:31 AM, Sean Hogan wrote:
Hi All,
Where can I find information about the IPA schema as in what = what in
the dir srv? I do not have an LDAP viewer.
I am looking to pull specific info from it such as a list of servers
that have enrolled = true and have been playing with ldapsear
Jakub,
Resolved seems to be working (I swear restarting sssd and adding the debug line
does some magic), the sssd performance blog worked out quite well.
I did not need to make any changes to my trust relationship, re-running the AD
trust setup steps and restarting sssd did the trick.
Thank You
Hi All,
Where can I find information about the IPA schema as in what = what in
the dir srv? I do not have an LDAP viewer.
I am looking to pull specific info from it such as a list of servers that
have enrolled = true and have been playing with ldapsearch to no avail.
Sean Hogan
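The question above is after a way to pull enrolled hosts out of the directory with plain ldapsearch. The following is an added example, not code from the thread or from the FreeIPA project. It assumes the default FreeIPA layout (host entries under cn=computers,cn=accounts,<suffix>) and that the "Enrolled" flag the CLI and Web UI show corresponds to a host entry carrying krbLastPwdChange, which is set when the host's keytab is first issued; the domain name, function names and the LDIF sample are placeholders and constructed data, not taken from the thread.

```shell
# Added example (not from the thread or the FreeIPA project): find enrolled
# hosts with ldapsearch and extract the fqdn from the LDIF it returns.
# Assumptions: default FreeIPA layout (hosts under
# cn=computers,cn=accounts,<suffix>) and that "Enrolled" in the CLI/Web UI
# means the entry carries krbLastPwdChange (set when the keytab is issued).
# The domain and the LDIF sample below are placeholders / constructed data.

# Derive the directory suffix from the IPA DNS domain:
# ipa.example.com -> dc=ipa,dc=example,dc=com
suffix_from_domain() {
  printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# LDAP filter for hosts that have been issued a keytab (assumption above).
enrolled_host_filter() {
  printf '%s\n' '(&(objectClass=ipaHost)(krbLastPwdChange=*))'
}

# Read `ldapsearch -LLL` output on stdin, unfold continuation lines
# (LDIF folds long values onto a following line that starts with a space)
# and print one fqdn per matching entry.
fqdns_from_ldif() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | awk -F': ' '$1 == "fqdn" { print $2 }'
}

# The live query; needs a Kerberos ticket for a principal allowed to read
# host entries (an admin user, or an enrolled host's own keytab).
list_enrolled_hosts() {
  ldapsearch -LLL -Q -Y GSSAPI \
    -b "cn=computers,cn=accounts,$(suffix_from_domain "$1")" \
    "$(enrolled_host_filter)" fqdn | fqdns_from_ldif
}

# Constructed sample of what ldapsearch -LLL returns, including one folded
# value, so the parser can be exercised without a directory server.
SAMPLE_LDIF='dn: fqdn=web1.ipa.example.com,cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
fqdn: web1.ipa.example.com

dn: fqdn=db1.ipa.example.com,cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
fqdn: db1.ipa.
 example.com
'

# Run the parser over the constructed sample (offline demonstration).
demo_enrolled_fqdns() {
  printf '%s' "$SAMPLE_LDIF" | fqdns_from_ldif
}
```

Against a real server, `kinit admin` followed by `list_enrolled_hosts ipa.example.com` prints one fqdn per enrolled host. Requesting only the `fqdn` attribute keeps the result small and avoids pulling Kerberos key material or other sensitive attributes into a shell pipeline; the unfold step matters because ldapsearch wraps long DNs and values, which would otherwise break a naive `grep ^fqdn:`.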
Wow, that's actually pretty obvious. That works, thanks!
On 4 August 2016 at 17:10, Jan Pazdziora wrote:
> On Thu, Aug 04, 2016 at 05:01:00PM +0200, Tiemen Ruiten wrote:
> >
> > Currently it is possible to add multiple SSH-keys for a single user in
> > FreeIPA. We are using this capability to gr
On Thu, Aug 04, 2016 at 05:01:00PM +0200, Tiemen Ruiten wrote:
>
> Currently it is possible to add multiple SSH-keys for a single user in
> FreeIPA. We are using this capability to grant access to multiple
> contractors under a single user (so user company1, with keys A, B, C to
> give access to t
Hello,
Currently it is possible to add multiple SSH-keys for a single user in
FreeIPA. We are using this capability to grant access to multiple
contractors under a single user (so user company1, with keys A, B, C to
give access to three persons at company1).
Unfortunately it's not possible to lab
On Thu, Aug 04, 2016 at 03:39:26PM +0200, Troels Hansen wrote:
> Hmm, was too fast.
>
> ldap_user_principal = nosuchattr
> subdomain_inherit = ldap_user_principal
>
> Works, but ONLY from the IPA server.
>
> If I do the same from a client, I still get:
>
> (Thu Aug 4 15:32:05 2016) [[sssd[krb5
Hmm, was too fast.
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
Works, but ONLY from the IPA server.
If I do the same from a client, I still get:
(Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [get_and_save_tgt]
(0x0020): 1234: [-1765328378][Client 'drext...
Solved it myself.
http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
Apparently its well known, and will be solved in 7.3
- On Aug 4, 2016, at 1:56 PM, Troels Hansen t...@casalogic.dk wrote:
> Hmm, well, yes, it did:
>
> (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[181
Hmm, well, yes, it did:
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [unpack_buffer]
(0x0100): cmd [249] uid [1349938498] gid [1349938498] validate [true]
enterprise principal [false] offline [false] UPN [drext...@dr.dk]
(Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [k5c_setup
On Wed, Aug 03, 2016 at 09:44:26PM +, Gregory Koch wrote:
> I've been following the documentation at
> https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to
> establish a two-way forest trust with Active Directory. I'm getting stuck
> when mapping external AD groups in
On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote:
> Hi, we have set up IPA in an AD trust and are about 90% done, but still have
> one problem using SSH login.
>
> Kerberos works:
> # kdestroy
> # kinit drext...@net.dr.dk
> Password for drext...@net.dr.dk:
> # klist
> Ticket cach
On Thu, Aug 04, 2016 at 12:28:33PM +0200, Petr Vobornik wrote:
> On 08/04/2016 11:48 AM, Keller, Mario wrote:
> > Hello,
> >
> > I've set up two ipa-servers on RHEL 7 that are up and running. Replication is
> > also working.
> >
> > #ipa-replica-manage list
> > Directory Manager password:
> >
>
Hi, we have set up IPA in an AD trust and are about 90% done, but still have one
problem using SSH login.
Kerberos works:
# kdestroy
# kinit drext...@net.dr.dk
Password for drext...@net.dr.dk:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: drext...@net.dr.dk
Valid starting
On 08/03/2016 08:06 PM, Ian Harding wrote:
> I deleted a replica that had a corrupted ldap database and it caused
> some problems. I'm now getting the dreaded
What do you mean by "deleted"? Ran `ipa-replica-manage del $server`?
Removed the machine completely? Or something else?
>
> [root@edinbur
On 08/04/2016 11:48 AM, Keller, Mario wrote:
> Hello,
>
> I've set up two ipa-servers on RHEL 7 that are up and running. Replication is
> also working.
>
> #ipa-replica-manage list
> Directory Manager password:
>
> s-fcbg-ipa2.ipa.cornelsen.de: master
> s-onli-ipa1.ipa.cornelsen.de: master
>
>
I've been following the documentation at
https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to
establish a two-way forest trust with Active Directory. I'm getting stuck when
mapping external AD groups into a POSIX group (the "Allow access for users from
AD domain to prote
Hello,
I've set up two ipa-servers on RHEL 7 that are up and running. Replication is
also working.
#ipa-replica-manage list
Directory Manager password:
s-fcbg-ipa2.ipa.cornelsen.de: master
s-onli-ipa1.ipa.cornelsen.de: master
Both servers running ipa-server-4.2 :
rpm -qa | grep ipa-server
ipa-
On Wed, 2016-08-03 at 15:22 -0500, Alston, David wrote:
> Greetings!
>
> >> 2. Active Directory must never know anything about a DNS domain
>
> >> freeipa.company.com (I'm not sure why)
>
> > Correct because if that happened then AD considers the whole
> subdomain as part of its realm and trust
On 08/03/2016 07:54 PM, Richard Harmonson wrote:
On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
On 08/02/2016 04:52 AM, Richard Harmonson wrote:
On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik
<pvobo...@redhat.com>
On Wed, Aug 03, 2016 at 08:38:00PM -0400, Jake wrote:
> Thanks Jakub,
> turns out 'getent password usern...@legacy.example.org' only works on 1 of
> the 4 ipa servers (the one I created the domain trust with).
OK, then we need to first fix all the servers before proceeding to the
clients.
>
> I
On 3.8.2016 22:22, Alston, David wrote:
> Greetings!
>
>>> 2. Active Directory must never know anything about a DNS domain
>>> freeipa.company.com (I'm not sure why)
>> Correct because if that happened then AD considers the whole subdomain as
>> part of its realm and trust routing will not work.