Are you trying to mount the network home dirs to /home? I usually do something
like create /home/net/ and mount them there. That way local users home dirs do
not match an auto mount key.
Brian
On Jun 18, 2013, at 4:49 PM, Dean Hunter wrote:
> Thank you for your response. As you suggested
no problem, thanks for trying! I just figured it out.
yum -y install libsss_sudo fixed it. Should this package be a dependency that
gets pulled in when IPA client is installed? Shall I file a bug?
Thanks,
Brian
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Mar 21, 2013
NOPASSWD: ALL" >> /etc/sudoers
>
>
> Thanks,
> _____
> John Moyer
>
>
> On Mar 21, 2013, at 11:27 PM, Brian Cook wrote:
>
>> Running F18 and following the instructions here:
>> http://jhrozek.fedorapeople.o
Running F18 and following the instructions here:
http://jhrozek.fedorapeople.org/sssd/1.9.1/man/sssd-sudo.5.html
When I try to run sudo -l as any user I get the following error:
bash-4.2$ sudo -l
sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
sudo: Unable to initialize SSS source. Is SS
Is there something equivalent to 'getattr' for ipa host-mod?
I see setattr, addattr and delattr but to get attributes you have to do
host-show --all. There is no way to ask for one specific attribute?
Thanks,
Brian
___
Freeipa-users mailing list
Fre
expression in the rule.
Thanks!
Brian
On Feb 18, 2013, at 7:35 PM, Rob Crittenden wrote:
> Brian Cook wrote:
>> More info - attached var/log/secure, and sshd_config.
>>
>> Password authentication works, just gssapi fails. In the securecrt provided
>> I have disabled
ntering: type 81
Feb 18 16:02:56 ipa1 sshd[21047]: debug3: mm_request_receive entering
Feb 18 16:02:56 ipa1 sshd[21047]: debug1: do_cleanup
Feb 18 16:02:56 ipa1 sshd[21047]: debug1: PAM: cleanup
Feb 18 16:02:56 ipa1 sshd[21047]: debug3: PAM: sshpam_thread_cleanup entering
On Feb 18, 2013, at
I am trying to ssh from Windows -> IPA server using GSS-API. I've tried
putty, which provides very little debug out. I then downloaded securecrt which
provides more output.
On the server side, I just see postponed gss-with-mic and then a failure
message. I'm attaching the output from secur
On Feb 15, 2013, at 3:11 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 17:34 -0500, Dmitri Pal wrote:
>> On 02/15/2013 05:12 PM, John Dennis wrote:
>>> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
> On 02/15/2013 04:16 PM, Orion Poplawski wro
On Feb 15, 2013, at 1:02 PM, John Dennis wrote:
> On 02/15/2013 03:57 PM, Orion Poplawski wrote:
>> On 02/15/2013 01:56 PM, John Dennis wrote:
>>> On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have a RFE filed to allow to
o a remote system.
Brian
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Feb 15, 2013, at 9:52 AM, John Dennis wrote:
> On 02/15/2013 12:32 PM, Orion Poplawski wrote:
>> On 02/15/2013 09:45 AM, Petr Viktorin wrote:
>>> On 02/15/2013 05:36 PM, Orion Popl
I know that syncing w/ AD has a limitation to one domain, or multiple but only
if there are no overlapping accounts in the AD domains.
Does the current AD trust implementation allow multiple domains, and does it
have the same overlapping account issues?
Thanks,
Brian
_
>
> Is it possible to lock out a user account on a set date?
>
>
You should be able to set the krbPrincipalExpiration attribute to expire
an account on a set date.
However note this: https://fedorahosted.org/freeipa/ticket/3305
I
Okay, I'll open an RFE. Fwiw, when AD can't resolve a SID for any reason, it
does display the SID itself but only as a fallback mechanism. I think this
would be acceptable behavior.
-Brian
On Dec 10, 2012, at 4:12 AM, Alexander Bokovoy wrote:
> On Sun, 09 Dec 2012, Bri
pen an RFE?
Brian
On Dec 9, 2012, at 10:13 PM, Alexander Bokovoy wrote:
> - Original Message -----
>> From: "Brian Cook"
>> To: freeipa-users@redhat.com
>> Sent: Monday, December 10, 2012 3:30:38 AM
>> Subject: [Freeipa-users] cross realm trust - SID doesn
How do you let a remote user be an admin for IPA?
I followed the fedora group example
external group:ad_admins_external
Posix Group: ad_admins
Then I made ad_admins a group member of ipa group 'admins' - theoretically now
MSAD\Administrator is an IPA admin? I get the following. How does this
I was able to get cross realm trust working with 2k8 R2 DC and RHEL 6.4 beta.
I created an external group in IPA and then added member MSAD\Domain Users
Now in the members of group external-test I have an unresolved sid instead of
the name of the group. How might I go about troubleshooting / fi
Hi
I'm trying to setup a cross realm trust with AD using directions here:
http://freeipa.org/page/IPAv3_testing_AD_trust#Prepare_FreeIPA_server_for_trusts
I got all the way to creating the trust, but then I get:
[root@ipa1 slapd-IPA-TEST]# ipa trust-add --type=ad msad.test --admin
Administrato
Having a read-only replica would be ideal for placement in a DMZ. See active
directory's read-only domain controller introduced in 2008 R2 for just that use
case.
-Brian
On Nov 14, 2012, at 6:07 AM, Simo Sorce wrote:
> On Wed, 2012-11-14 at 11:54 -0200, Andre Rodrigues wrote:
>> Hi,
>> I'm
The problem with the cross realm trust support as I understand it is that it
requires you to populate posix attributes in AD, which many AD admins are
hesitant to do. You have to install the AD services for unix pack and create
metadata object in the directory for tracking UID and GID and then
wrote:
> On 04/20/2012 11:47 AM, Rich Megginson wrote:
>>
>> On 04/20/2012 08:46 AM, Brian Cook wrote:
>>>
>>>
>>> On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>>>
>>>>> 2) What is everyone else doing to prepare IPA for a DR?
On Apr 16, 2012, at 12:40 PM, Dmitri Pal wrote:
>> 2) What is everyone else doing to prepare IPA for a DR? I've read
>> that the best way to do it is to turn off the IPA services on a
>> replica and then back that replica up. I also read that this will
>> miss some important files that only exi
ation loading from text files. However, views would be very useful
for IPA to be able to do internally, so figuring out how to get this option in
to BIND using 389ds backend would be a useful step.
Thanks,
Brian
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Apr 13, 2012,
Ideally I would rely on a -group- of servers, and then rely on DNS if it is
down. I don't want to hammer one server. We're talking about 500-1000 servers
running virtual machines, so potentially a lot of traffic. Got any suggestions
for that?
---
Brian Cook
Solutions Architec
tackle this
issue.
Thanks,
Brian
---
Brian Cook
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
wrong list
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Mar 15, 2012, at 8:18 AM, Brian Cook wrote:
> ?
>
> ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079
>
>
>
>
> ___
?
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
}
If you don't do tcp/ Heimdal uses UDP by default.
Good Luck..
Brian
--
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Mar 14, 2012, at 11:57 PM, Hagenrud Håkan wrote:
> Hello
>
> I just joined this list so please excuse if this question has been asked
>
Also, I would not use 'delegation record' from AD, use conditional forwarding
for *.unix.abcd.ca. Your AD admins should know how to do it.
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
> On Thu, 2012-03-08 a
down, you can still resolve names.
---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079
On Mar 8, 2012, at 8:54 AM, Sylvain Angers wrote:
> Alright!
>
> I am now requesting to our DNS team
>
> please delegate dns zone "unix.abcd.ca" to ???
> Question
updates
[root@ipasvr yum.repos.d]#
---
Brian Cook
On Feb 27, 2012, at 9:54 PM, Brian Cook wrote:
> Yes, that is the repo file I put in yum.repos.d. The devel repo is enabled,
> the other two disabled. Even though I see the x86_64 vers
to me.
-Brian
On Feb 27, 2012, at 9:46 PM, John Dennis wrote:
> On 02/28/2012 12:25 AM, Brian Cook wrote:
>> Hi,
>>
>> I've added the devel repo at
>> http://jdennis.fedorapeople.org/ipa-devel/fedora/$releasever/$basearch/os/
>>
>> to my F16 install
e for testing patches that were recently committed, and is
the repo metadata up to date?
Thanks,
Brian
---
Brian Cook
Solutions Architect
Red Hat, Inc.
407-212-7079
bc...@redhat.com
s
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ____
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Brian Cook [bc..
ation as to what
problems exist, why, is it a bug or just a fact, is it our bug or is it a
MS-AD issue, etc. I need to understand what is going on as I have customers
who are looking to deploy mixed IPA / AD environments. Any help or information
would be appreciated.
Thanks,
Brian
---
Brian