On 20/03/2017 08:29, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 01:52:17PM +0000, Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri,
On 18/03/2017 19:09, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> On 18/03/2017 17:03, Alexander Bokovoy wrote:
>>> On Sat, 18 Mar 2017, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> The first IPA master we built was
On 18/03/2017 17:03, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> Hi,
>>
>> The first IPA master we built was ipa001.local.lan. We have since
>> created a number of subdomains of local.lan and have created a number of
>> replicas.
?
Is there a way to change the default nisdomain ? Rebuilding all the new
IPA masters and migrating all the data again would be a lot of work.
Many thanks
Bob Hinton
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http
On 17/03/2017 14:01, Lukas Slebodnik wrote:
> On (17/03/17 13:52), Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri, Mar 1
On 17/03/2017 12:48, Lukas Slebodnik wrote:
> On (17/03/17 10:40), Bob Hinton wrote:
>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>>>> Morning,
>>>>
>>>> We have a collection of
On 17/03/2017 08:41, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>> Morning,
>>
>> We have a collection of hosts within prod1.local.lan. However, the
>> domain section of the shadow netgroups for the hosts is
>> mgmt.prod.loca
of
nsslapd-cachememsize
3. ipactl start
This seemed to work in that it made the error messages go away and it
made heavily loaded servers more stable. However, I've not tried this on
a recent version of ipa so it may no longer work or not be needed any more.
Regards
Bob
On 17/03/2017 02:20
in the migration
process. Is there a way to correct the netgroup domains of these hosts,
or is the only option to run ipa-client-install --uninstall followed by
ipa-client-install to reattach them ?
Many thanks
Bob
On 11/01/2017 13:55, Petr Vobornik wrote:
> On 01/10/2017 09:31 PM, Bob Hinton wrote:
>> Hi,
>>
>> The pki-tomcatd services on our IPA servers seem to have stopped working.
>>
>> This seems to be related to the expiry of several certificates -
>>
>> [
ntpd and vmware tools timesync.
Finally ipa-certupdate seems to have been needed to propagate the new
certs to the other replicas.
Many thanks
Bob
On 10/01/2017 20:47, Adam Tkac wrote:
> Hello,
>
> we hit similar issue (although due to different conditions - we rotated
> root CA cert and t
ipa 3.3 server that no
longer exists, I don't know if that's relevant.
Anyway, I'm stumped on how to fix this so could anyone please help.
Many thanks
Bob
so that Rundeck sees a valid SSL certificate. This means
that the authentication fails if that particular IPA master is down.
Is it possible to create a single SSL certificate that would support a
LDAPS connection to any of the IPA masters and, if so then how is this
done ?
Many thanks
Bob Hinton
On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> Something went wrong when trying to restore some preserved users so I
>>
On 03/08/2016 07:15, Petr Spacek wrote:
> On 3.8.2016 00:58, Bob Hinton wrote:
>> Hi,
>>
>> Something went wrong when trying to restore some preserved users so I
>> deleted them and then tried to recreate them. This failed with -
>>
>> ipa: ERROR: Unable
group. A group 'X' already exists.
Trying to detach it with
ipa group-detach X
produces
ipa: ERROR: X: group not found
ipa group-show X
displays the group, but "ipa group-find X" doesn't
How can I get rid of the group so I can recreate the user ?
Many thanks
Bob
dapsearch (see below), but this seems to give numbers
that don't match the replica IDs. Do I need to translate the search
results in some fashion or use a different search ?
Many Thanks
Bob Hinton
-sh-4.2$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
-sh-4.2$ ipa --ve
he named issue or is it much simpler to
disconnect the replica, uninstall it and start again ?
Thanks
Bob Hinton
On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> Hi,
>>
>> We are trying to create a new replica on RHEL 7.2
>>
>> This completes but named-pkcs11 fails to start -
>>
>> systemctl status named-pkcs11.service
Hi Martin,
On 27/05/2016 14:01, Martin Kosek wrote:
> On 05/25/2016 09:51 PM, Bob Hinton wrote:
>> Hello,
>>
>> We are trying to get Zenoss login authentication to use freeipa over
>> LDAP. Group mappings don't currently work and we think this is because
>> Zenos
wo
replicas running IPA v4.2.0 on RHEL 7.2.
Do I need to make the same change to all three servers ? Can I leave the
replicas connected or do I need to break the replication and
re-establish it? Do I need the "ipa permission-mod" if so then how do I
avoid it freezing ?
Many thanks
Bo
listed.
http://www.freeipa.org/page/Directory_Server
Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156"
installed on Redhat 7, I do see the account policy plugin in the
config tree.
Is the use of this account policy plugin supported with IPA? Should it work?
Thanks,
On 09/03/2016 22:14, Rob Crittenden wrote:
> Bob Hinton wrote:
>> Hi,
>>
>> I've been trying to add a password policy for an existing user group
>> called "services" in IPA version 4.2.0.
>>
>> ipa pwpolicy-add services
>> ipa: ERROR: entry
For Solaris we are using the pam_list module to control which LDAP users
can have system access. The pam_list module allows netgroups to be listed in
a user.allow file.
On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden
contents
and I get the same error (it seems odd that it's reporting that the host
key of the master has changed when it's the client that has been
reinstalled). How do I clear-out the client's knowledge of the old host
keys?
In this case I'm using ipa-client v3.0.0 on RHEL6.6
Thanks
Bob
/USER/.ssh/known_hosts delete
the IP line.
On Wed, Jun 10, 2015 at 5:33 AM, Bob Hinton b...@jackland.demon.co.uk wrote:
Hello,
If I uninstall the ipa client with ipa-client-install
--uninstall then
reinstall it to the same ipa master
On 10/06/2015 14:37, Lukas Slebodnik wrote:
On (10/06/15 11:33), Bob Hinton wrote:
Hello,
If I uninstall the ipa client with ipa-client-install --uninstall then
reinstall it to the same ipa master then most functions work fine.
However, if I attempt to ssh from the client to the master
/ssh_host_ecdsa_key.pub >> keyfix.sh
echo -n ',' >> keyfix.sh
sudo cat /etc/ssh/ssh_host_ed25519_key.pub >> keyfix.sh
echo ' keyfix.sh
vi keyfix.sh (keep pressing J to join everything into one long line)
sh keyfix.sh
On 10/06/2015 17:09, Bob Hinton wrote:
On 10/06/2015 14:37, Lukas Slebodnik wrote
On 01/06/2015 11:01, Petr Vobornik wrote:
On 06/01/2015 11:36 AM, Bob Hinton wrote:
On 01/06/2015 09:55, Petr Vobornik wrote:
On 05/31/2015 12:21 PM, Bob Hinton wrote:
Hello,
I've written a Ruby script to add IPA users from CSV files. This works
fine when specifying a username and password
restored using ipa-restore a
number of times, so I don't know if this is a factor.
Thanks
Bob
-sh-4.2$ ./ipa-import-users -h
Usage ipa-import-users [options] file1.csv ...
-u, --user USER Kerberos principal that can add users
-p, --password PASSWORD Password
is enabled on the target VMs, but
presumably this isn't an issue.
Many thanks
Bob Hinton
trying https://ipa001.jackland.co.uk/ipa/json
Forwarding 'ping' to json server 'https://ipa001.jackland.co.uk/ipa/json'
Cannot connect to the server due to generic error: cannot connect to
'https://ipa001
and
ipa-client installed.
Many thanks
Bob
Name: ipa-server
Arch: x86_64
Version : 4.1.0
Release : 18.el7_1.3
Size: 4.2 M
Repo: installed
From repo : rhel-7-server-rpms
Summary : The IPA authentication server
URL : http://www.freeipa.org/
Licence
List more than 1 LDAP server in your config then.
ldap_uri, ldap_backup_uri (string)
Specifies the comma-separated list of URIs of the LDAP servers to which
SSSD should connect in the order of preference. Refer to the FAILOVER
section for more information on failover and server redundancy. If
Is there any way to do an nsupdate of DNS records in an IPA server using a
TSIG key without having a Kerberos ticket?
We were going to swap out bind in favor of IPA, but we need to be able to
do nsupdates.
On Mon, May 12, 2014 at 10:11 AM, Bob harv...@gmail.com wrote:
We use nsupdate to move
:59 AM, Bob wrote:
Is there any way to do an nsupdate of DNS records in an IPA server using
a TSIG key without having a Kerberos ticket?
We were going to swap out bind in favor of IPA, but we need to be able to
do nsupdates.
If you are using IPA you can give your clients keytabs.
It is all
I ran
ipa dnszone-mod vh1.vzwnet.com --update-policy=grant bob-key name
test.vh1.vzwnet.com.;
I then execute the nsupdate:
[root@nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
[root@nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
How can I create the
id=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com account without
creating a replication agreement.
I do not want to replicate accounts between AD and ipa, but I do want
password changes on AD to be sent to ipa.
Is this possible?
thanks,
Bob H
password that a LDAP bind would use. Meaning I have many
applications that can not use Kerberos, but can use LDAP. Can these
applications use IPA and expect that a given user account will have the
LDAP password kept in sync with the krb5 password?
thanks,
Bob
, Bob Sauvage wrote:
Hi Dale,
You mean that if I turn this option to 'yes', I'll be able to connect to the
server through SSH without needing to authenticate again ? Even if I'm
connected on the domain from a Windows workstation ?
If you setup trusts between IPA and AD then yes
on the RHEL server, he wants to use the command reboot
now but this one is not authorized by the IPA server for this user on this
server. = Is this possible ?
Many thanks,
- Original message -
From: david t. klein
Sent: 24.01.13 14:19
To: 'Bob Sauvage', d...@redhat.com
Subject: RE
but with such a small site
that's your call.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
-
*From:* freeipa-users-boun...@redhat.com [
freeipa-users-boun...@redhat.com ] on behalf of Bob Sauvage
? Do you have some articles ?
Thanks in advance,
Bob !
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users