[Freeipa-users] IPA DNS response issue

2014-03-18 Thread David
e environment quickly. FreeIPA has treated us extraordinarily well so far! David About our configuration: OS: CentOS 6.5, x86_64 Packages: bind-9.8.2-0.23.rc1.el6_5.1.x86_64 bind-dyndb-ldap-2.3-5.el6.x86_64 ipa-server-3.0.0-37.el6.x86_64 Configuration: bind-dyndb-ldap is used in conjunction

Re: [Freeipa-users] IPA DNS response issue

2014-03-19 Thread David
On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote: On 18.3.2014 15:26, David wrote: We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop se

[Freeipa-users] Fedora 15 IPA Server Upgrade Broke LDAP

2012-03-19 Thread David
After upgrading the IPA server on a Fedora 15 host to freeipa-server-2.1.4-3.fc15.x86_64 along with the LDAP dependency of 389-ds-base-1.2.10.2-1.fc15.x86_64, the IPA server fails to start due to the following error: Failed to read data from Directory Service: Failed to get list of services t

Re: [Freeipa-users] BIND named.conf

2012-07-15 Thread david
One thing to be aware of, you may see some performance hits if the master for that zone is set up for dynamic updates. A dynamic zone cannot send IXFR and so any time the slave receives notification, he will ask for an IXFR and will instead receive an AXFR. If the zones are small, this is not a big

Re: [Freeipa-users] BIND named.conf

2012-07-16 Thread david
n (for dynamic zones): You need to run rndc freeze && "modify zone" && rndc thaw. If you have "ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should work. This detail should be the only "hard part", if I didn't miss something. Petr^2

[Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-26 Thread David Sastre
Hello, I'm experiencing an issue with sudo-ldap: I have some commands defined in a rule, have granted permissions to my user to execute them via sudo following the docs: 1. # ipa sudorule-show networking-commands 2. Rule name: networking-commands 3. Enabled: TRUE 4. Users: dsas

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-26 Thread David Sastre
On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina < d.sastre.med...@gmail.com> wrote: > On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote: > > David Sastre wrote: > > > [big snip] > > Does sssd work on this machine otherwise? getent passwd , you &

Re: [Freeipa-users] clients very slow

2012-09-27 Thread David Fitzgerald
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Thursday, September 13, 2012 6:50 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] clients very slow On 09/13/2012 09:54 AM, David Fitzgerald wrote: Hello Everyone, I

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-10-02 Thread David Sastre
On Thu, Sep 27, 2012 at 10:53 AM, David Sastre wrote: > On Thu, Sep 27, 2012 at 10:01 AM, Jakub Hrozek wrote: > >> On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote: >> > On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina wrote: >> > > On Wed, Sep

[Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers
RHEL 6.3 install instructions but nothing I have tried is working so far! Thanks in advance for any help or pointers you can provide. - David Summers ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] RHEL5 IPA client for RHEL6.3 IPA server?

2012-10-17 Thread David Summers
On 10/17/2012 7:49 AM, Rob Crittenden wrote: David Summers wrote: I have looked back through the last year of mail archives for this list and haven't yet found anything on this. I spent a day or so trying to get a RHEL6.3 server set up with several clients, Clients: RHEL 6.3 32-bit RHE

[Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Hi all, Is the backup and restore procedure for IPA available now? It was rumored months back that someone was working on it, but I'm not sure what the progress on it is. Please shed a light if you have any ideas. I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3. Tha

Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Got it. Are there any IPA resources on the market we can hire for a backup/restoration solution? Our company is in the Bay Area. Thanks. --David From: Dmitri Pal To: freeipa-users@redhat.com Sent: Tuesday, December 18, 2012 10:42 AM Subject: Re: [Freeipa-users

[Freeipa-users] Any way to delegate subordinate account management to managers?

2012-12-19 Thread David Copperfield
Hi all, Just wondering whether there is a way to delegate to managers the authority/permissions to manage their subordinate user accounts? Similar to host/services delegation. Please elaborate if there is a way to reach this or similar. Let's say, we create a user group of subordinate employ

[Freeipa-users] IPA 2.2.0-16 still needs CLEANRUV and CLEANALLRUV

2012-12-19 Thread David Copperfield
Hi howdy, This is trying to confirm whether we still need to perform the steps of cleaning RUV records, when a freeIPA master, or a replica is removed. Months back it was rumored that some work was being done on underlying 389 LDAP and the RUV cleaning steps would be obsoleted when IPA Master&

[Freeipa-users] two questions on IPA usage

2012-12-19 Thread David Copperfield
Hi Howdy,  Two questions on IPA usage are listed below. Please help.  1, How to reset a normal IPA user's password through web interface when the password is expired?  when the normal user's password is close to expiration but still not expired, he/she can change it by self through the web i

Re: [Freeipa-users] Any way to delegate subordinate account management to managers?

2012-12-19 Thread David Copperfield
Thanks a lot, Dmitri. That's exactly what I am looking for. --David. From: Dmitri Pal To: freeipa-users@redhat.com Sent: Wednesday, December 19, 2012 2:58 PM Subject: Re: [Freeipa-users] Any way to delegate subordinate account management to managers?

[Freeipa-users] freeIPA 3.1.0 for Redhat Enterprise 6.3?

2012-12-20 Thread David Copperfield
Hi Rob and all, Can FreeIPA be compiled and installed on Redhat Enterprise 6.3? Or do I have to upgrade/install some underlying packages first? Thanks. --David From: Johan Petersson To: Sigbjorn Lie Cc: "freeipa-users@redhat.com" Sent: Thursday

[Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-26 Thread David Copperfield
ct ALL fields with read & write permissions to make it work, but that is definitely overkill and potentially hurts privacy. Thanks. --David

[Freeipa-users] getent netgroup doesn't work on centos 6, but works on centos 5

2012-12-27 Thread David Copperfield
will report problems at the same time, not 5.8 works while 6.3 fails, right? Has anyone encountered the same issue? Please shed a light here. Thanks. --David

Re: [Freeipa-users] delegation questions: how to reset password for subordinate?

2012-12-28 Thread David Copperfield
Hi Simo,  That works perfectly. Thanks a lot. --David From: Simo Sorce To: David Copperfield Cc: "freeipa-users@redhat.com" Sent: Friday, December 28, 2012 5:51 AM Subject: Re: [Freeipa-users] delegation questions: how to reset password for s

[Freeipa-users] replication procedure and status check?

2012-12-28 Thread David Copperfield
icate/sync from changes on IPA replicas during the server's down time?   2, How to check the replication/sync processes?   3, are the IPA commands failed as a protection because the IPA server is still in replication/sync waiting/doing process? T

Re: [Freeipa-users] AD permissions needed for setting up AD trusts

2013-01-11 Thread David Juran
on to AD trusts documentation? > > > >>> The windows team at my place of work will want to know exactly what > >>> the tool will do before they grant permission. > > > I have added this information to the AD trusts wiki page: > http://www.freeipa.org/page/IPAv3_AD_t

[Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
in=dogtag mode=production +++ David Fitzgerald Department of Earth Sciences Millersville University Millersville, PA 17551 Phone: 717-871-2394

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-05 Thread David Fitzgerald
The host command returns the correct name: #host 166.66.65.39 39.65.66.166.in-addr.arpa domain name pointer aurora.esci.millersville.edu. -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Tuesday, March 05, 2013 10:26 AM To: David Fitzgerald Cc: freeipa-users

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-08 Thread David Fitzgerald
Can you help? -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, March 06, 2013 3:05 AM To: David Fitzgerald Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-* tools throws errors Ok. Can you try if this hostname is not returned in a SRV DNS

Re: [Freeipa-users] ipa-* tools throws errors

2013-03-11 Thread David Fitzgerald
essage- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of David Fitzgerald Sent: Friday, March 08, 2013 12:04 PM To: Martin Kosek Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-* tools throws errors Thanks for getting back to me! I don'

[Freeipa-users] kinit seg-fault for Solaris 9

2013-03-26 Thread David Redmond
Hi, I've setup FreeIPA for the first time and am using it successfully with Linux and Solaris 10 clients. On 8 separate Solaris 9 clients I'm running into an issue where 'kinit USER', for any user, fails with a segmentation fault after prompting for a password. On the client side there are no log

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-26 Thread David Redmond
lp would be greatly appreciated. Thanks, Dave ~""~ On Tue, Mar 26, 2013 at 4:05 PM, Rob Crittenden wrote: > David Redmond wrote: > >> Hi, >> >> I've setup FreeIPA for the first time and am using it successfully with >> Linux and Solaris 10 clients. On

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread David Redmond
send to > > the > > client and only used for book-keeping and auditing on the server side. > > > I don't recall the root/admin story, looks odd to me, but nothing of > this matter to a *client* segfaulting. > > Clients do not get access to this data this is purely

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread David Redmond
named: > cn=,cn=Kerberos, > > The current defaults for new installs do *not* include DES as it is a > broken algorithm for security at this point. > > > Simo. > > On Wed, 2013-03-27 at 09:36 -0700, David Redmond wrote: > > I run the ipa-getkeytab command as the use

[Freeipa-users] Sudo rule still working after deactivation

2013-11-13 Thread David Kreuter
ing each user's login? I appreciate any help and thank you in advance. Cheers, David

[Freeipa-users] Sudo rule still working after deactivation

2013-11-14 Thread David Kreuter
Thanks for the fast reply and great support. The usage of 'entry_cache_sudo_timeout' parameter does the trick.

[Freeipa-users] SSS for sudoers confusion

2014-03-10 Thread David Taylor
ou=sudoers,dc=test,dc=example,dc=net ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/ipa-client.test.example.net ldap_sasl_realm = TEST.EXAMPLE.NET domains = test.example.net [nss] [pam] [sudo] [autofs] [ssh] [pac] -- -

Re: [Freeipa-users] SSS for sudoers confusion

2014-03-10 Thread David Taylor
about configuring a password on the ldap user however following the suggestions I found didn't actually work. Best regards David Taylor -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, 11 March

[Freeipa-users] FW: SSS for sudoers confusion (Solved)

2014-03-10 Thread David Taylor
Ok here is the info that finally made it all work https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html I seem to have had all the elements in there already so I suspect it was a statement order issue Best regards David Taylor -Original Message- From: freeipa-users-boun

[Freeipa-users] Problem using IPA for Apache LDAP Auth

2014-04-02 Thread David Taylor
----- Any help is greatly appreciated. Best regards David Taylor

[Freeipa-users] PasswordAuthentication option for SSH

2014-04-16 Thread David Kreuter
Kerberos authentication? IPA client 3.0.0 IPA server 3.3.2 Thank you in advance. David

Re: [Freeipa-users] PasswordAuthentication option for SSH

2014-04-16 Thread David Kreuter
sted.certmonger.duplicate: Certificate at same location is already used by request with nickname "20140416200517" So the certificate is already there. Do you have some hints? - Original Message ----- From: "Simo Sorce" To: "David Kreuter" Cc: freeipa-users

[Freeipa-users] Kerberos authentication - Unspecified GSS failure

2014-04-16 Thread David Kreuter
Yesterday I installed the FreeIPA client on a machine and after the installation the login with password worked fine. After that I tried to login with a valid Kerberos ticket and it failed. First I traced the ssh login: ssh -vvv da...@test.example.com ---cut--- debug2: key: /home/david/.ssh

Re: [Freeipa-users] Kerberos authentication - Unspecified GSS failure

2014-04-18 Thread David Kreuter
: [libdefaults] ignore_acceptor_hostname = true I'm still wondering what is wrong with the machine's configuration. - Original Message - From: "Rob Crittenden" To: "David Kreuter" , freeipa-users@redhat.com Sent: Thursday, 17 April, 2014 12:13:48 A

Re: [Freeipa-users] Kerberos authentication - Unspecified GSS failure

2014-04-18 Thread David Kreuter
Exactly, this was the issue. After fixing the /etc/hosts configuration, Kerberos authentication works fine for this machine without having this special krb option set. Thanks! On 18 April 2014 15:49:50 CEST, Simo Sorce wrote: >On Fri, 2014-04-18 at 10:14 +0200, David Kreuter wrote: >>

[Freeipa-users] ipa 3.0 expired cert renewal

2014-05-28 Thread David Fitzgerald
annoyed students to placate. Thanks! --- David Fitzgerald Adjunct Professor Department of Earth Sciences Millersville University Millersville, PA 17551 E-mail: david.fitzger...@millersville.edu PH: 717-871-2394

Re: [Freeipa-users] ipa 3.0 expired cert renewal

2014-05-29 Thread David Fitzgerald
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Wednesday, May 28, 2014 8:51 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa 3.0 expired cert renewal On 05/28/2014 10:40 AM, David Fitzgerald wrote: Hello, My

[Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-10-30 Thread David Taylor
I just recently updated one of our test servers from CentOS 6.5 to CentOS 6.6, after which I noticed that IPA logons were no longer available. From what I can see the upgrade includes quite a few changes with regard to sssd. - NTP is up and synced on the Auth servers and the client. -

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-04 Thread David Taylor
sswordrequired pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so Best regards

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-06 Thread David Taylor
As an add on, I’ve upgraded our Xen template to 6.6 and run up a new VM using that and it attaches to the IPA environment perfectly well, so I’m guessing it is an issue with the upgrade scripts. Best regards David Taylor From: Michael Lasevich [mailto:mlasev...@gmail.com] Sent: Friday, 7

Re: [Freeipa-users] IPA-Server v3.0 Replication Broken

2015-01-29 Thread David Kupka
www.flbog.edu Hi, this looks similar to: https://www.redhat.com/archives/freeipa-users/2015-January/msg00331.html and https://fedorahosted.org/freeipa/ticket/4807 Did you try to raise the nsslapd-sasl-max-buffer-size? -- David Kupka -- Manage your subscription for

[Freeipa-users] ipa group-add mixed case?

2015-02-10 Thread David Dejaeghere
it gets created using lowercase. I was wondering if there is a way around this? Even perhaps changing a small part in the code. I tried looking into the code of the ipa admin tool but could not find the part that changes the group name to lowercase. Any tips or help? Kind Regards, David

Re: [Freeipa-users] chrony support

2015-02-13 Thread David Kupka
Hello Bryan, I'm currently working on this. This feature should be available in freeipa-4.2. -- David Kupka On 02/13/2015 01:25 PM, Bryan Pearson wrote: One of our IPA servers, is in a virtualized environment and is continuously losing time, resulting in invalid credentials and bre

[Freeipa-users] Typo on Troubleshooting page

2015-02-16 Thread David Little
Hi there, There's a typo here -> http://www.freeipa.org/page/Troubleshooting The word "error" is spelled incorrectly in this sentence: "If changes done on one FreeIPA master are not replicated to another master, always verify errros log on both master and replica." Thanks, Dave

[Freeipa-users] question about Active Directory authentication

2015-02-17 Thread David Fitzgerald
nce I already have 150 users, will I have to delete their IPA accounts before setting up the trust? W Sorry if my questions are a bit basic, but I need some guidance to get me started. Thanks! Dave ++ David Fitzgerald Department of Earth Sciences Millersville Unive

Re: [Freeipa-users] question about Active Directory authentication

2015-02-19 Thread David Fitzgerald
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see what happens (in a test environment first of course.) From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones Sent: Tuesday, February 17, 2015 6:25 PM To: freeipa-us

Re: [Freeipa-users] Adding external CA

2015-03-12 Thread David Kupka
th/to/external_ca_certificate -- David Kupka -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread David Guertin
ldap_idmap_range_size = 200 Setting these two identically let me resolve AD IDs with the id command. Hopefully this works for you too. Bingo! Thank you! That was indeed the solution. I needed to set the ID range in both places, and now users can log in. David Guertin

Re: [Freeipa-users] FreeIPA and Windows

2015-11-10 Thread David Kreitschmann
If you use the MSLSA credential cache MIT kerberos works. kinit -c MSLSA: user@REALM Not sure about the MIT ticket manager. On 11.11.2015 at 01:54, Loris Santamaria wrote: > > > On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote: >> Yes they are in the same DNS domain as the IP

[Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2015-12-22 Thread David Goudet
! David

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-14 Thread David Kupka
group with this GID.) David On Mon, Aug 24, 2015 at 5:01 AM, David Kupka mailto:dku...@redhat.com>> wrote: On 21/08/15 15:21, bahan w wrote: Hello ! I contact you because I notice something strange with IPA environment. I created a group :

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka
n IP address is needed it can be resolved from the name included in SRV response. HTH, -- David Kupka

[Freeipa-users] Client-Install failures

2016-01-26 Thread David Zabner
v 4.2.0 running on Centos 7 and will include the offending httpd error log. Thanks for your help, David

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-01-27 Thread David Goudet
Hi, > Hi, On 12/22/2015 11:43 AM, David Goudet wrote: >>Hi, >>I have multimaster replication environment. On each replica, folder >> /var/lib/dirsrv/slapd-/cldb/ has big size (3~GB) and old entries in >> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread David Zabner
Any guess as what it would be then? The location that is “missing a file” is specified by the gssapi config in /etc/httpd/conf.d/ipa.conf. So I assumed that this would be a mod_gssapi failure… Thanks for your help, David > On Jan 28, 2016, at 5:55 AM, Simo Sorce wrote: > > Doe

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread David Zabner
This sounds exactly like the problem I am having. I will attach my error log. Is this what yours looks like? On Jan 28, 2016, at 1:10 PM, Izzo, Anthony wrote: I'm seeing what feels like a concurrency error. I'm in a cloud environment and laun

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-28 Thread David Zabner
(That's not a solution, just a data point for those interested in this behavior). Thanks. From: Izzo, Anthony (U.S. Person) Sent: Thursday, January 28, 2016 1:35 PM To: freeipa-users@redhat.com Cc: 'David Zabner' Sub

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread David Zabner
tigate it! > > Here is a ticket: > https://fedorahosted.org/freeipa/ticket/5653 > > You can Cc yourself to it and watch the progress. > > Petr^2 Spacek > > On 28.1.2016 20:17, David Zabner wrote: >> I was guessing that it was a problem with mod_auth_gssapi and so I t

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread David Zabner
iled to write data, referer: https://ipa.foo.internal/ipa/xml [Fri Jan 29 17:09:23.973680 2016] [:error] [pid 11772] ipa: INFO: [jsonserver_kerb] admin@FOO.INTERNAL: cert_show(u'1', out=u'/etc/openvpn/ca.crt', version=u'2.156'): NetworkError [Fri Jan 29 17:09:23.975618 2

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-16 Thread David Kupka
unning server unless you stopped it before. It can result in inconsistent data in backup archive. [0] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n293 [1] https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/ipa_backup.py#n316 -- David Kupka --

Re: [Freeipa-users] Logging configuration for ipa server

2016-02-17 Thread David Kupka
vent in the kdc log on server: Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexist...@example.test for krbtgt/example.t...@example.test, Client not found in Kerberos database -- David Kupka -- Manage your subsc

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

2016-02-18 Thread David Kupka
On 17/02/16 10:47, Matt . wrote: Hi David, I have tested your way out and it seems to be OK. The reason why I need this is so I can perform a stop and ipa-backup before I start my backup to my backupserver. (pre-command). If I use ipa-backup directly it errors between the stop of ipa and

Re: [Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-24 Thread David Kupka
fully, someone who understands Kerberos better will advise. -- David Kupka

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
Thanks Hello! I don't know why it does not work with ktutil but I've found another way to get a keytab for a user: $ kinit ttester $ ipa-getkeytab -p ttes...@example.test -k ttester.keytab -e aes256-cts-hmac-sha1-96 $ kdestroy ttester $ kinit ttes...@example.test -kt ttester.key

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka
On 26/02/16 08:56, David Kupka wrote: On 26/02/16 02:22, Teik Hooi Beh wrote: Hi, I have managed to deploy 1 ipa master and 1 ipa client with success on centos 7.2 with freeipa v4.2. I also managed to create a user and set sshd-rules for the ttester user and also successfully get a krb ticket

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-03-13 Thread David Goudet
ReplicaTombstonePurgeInterval: 86400 I followed the good documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html Thanks for your help! David - Original Message - From: "Ludwig Krispe

Re: [Freeipa-users] freeipa restore backup on a new server

2016-04-12 Thread David Kupka
d its logs? I believe that all services in FreeIPA depend on host names and resolve IP addresses from DNS when needed. But if the DNS server is part of the FreeIPA server you're trying to restore, it is holding old records with old IP addresses. Maybe this is the cause but it's just a wild guess

Re: [Freeipa-users] FreeIPA & FreeRadius LDAP auth issue

2016-04-12 Thread David Kreitschmann
eap=PEAP identity="user@freeipa.local" anonymous_identity="anonymous" password="asdfasdf" phase2="autheap=MSCHAPV2" } Regards, David > On 12.04.2016 at 14:02, Boris Cheperis wrote: > > Hi, > > I've star

Re: [Freeipa-users] How To: Create Admin Account with all Permissions but the ability to Delete?

2016-04-14 Thread David Kupka
on from "User Administrator" privilege ($ ipa privilege-remove-permission "User Administrators" --permissions "System: Remove Users"). HTH, -- David Kupka

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread David Kupka
5 14:00 secmod.db Please check the permission on your system. If it's different and you (or system admin) haven't changed it please file a ticket (https://fedorahosted.org/freeipa/newticket). -- David Kupka

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread David Kupka
lpful hint is highly welcome Harri Hello Harri, the attribute you're looking for is 'nsaccountlock'. This command should give you uids of all disabled users: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(nsaccountlock=TRUE)" uid

Re: [Freeipa-users] Object class violation

2016-04-17 Thread David Kupka
orahosted.org/freeipa/newticket) and provide reproducer? -- David Kupka

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-18 Thread David Kupka
On 15/04/16 15:16, Harald Dunkel wrote: Hi David, Hello Harri, the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the permissions are set to: $ ls -dl /etc/ipa/nssdb/ drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/ $ ls -l /etc/ipa/nssdb/ total 80 -rw-r--r

Re: [Freeipa-users] IPA & Yubikey

2016-04-24 Thread David Kreitschmann
ubikey. > 3) Does Yubikey auth require talking to the outside world to function? Our > IPA setup is within a secure zone, with no direct connectivity to the outside > world, so if this is necessary, it would be a possible deal-breaker for these. No, this would only be needed if you w

Re: [Freeipa-users] Best practice for requesting a certificate in Kickstart?

2016-04-25 Thread David Kupka
gi?id=1134497 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551 HTH, -- David Kupka

Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-04-27 Thread David Kreitschmann
Are you sure that your bind dn has read access to userPassword? A default OpenLDAP installation usually has an admin user. Gosa ACLs are only applied when using the web interface, they are not used for direct access via LDAP. > On 27.04.2016 at 03:43, siology.io wrote: > > I'm having issues migr

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
g nsslapd-requiresrestart I don't see nsslapd-security listed so it should be possible to change it in runtime. -- David Kupka

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote: Do u mean use ldapmodify? I tried updating the dse.ldif but it will fall back after a while. On April 27, 2016 at 7:10 PM, "David Kupka" wrote: On 27/04/16 12:48, barry...@gmail.com &

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread David Kupka
CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=RA Subsystem,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130519130745': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";. stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664 ' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=sample.NET subject: CN=test.sample.net,O=sample.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes -- Thanks, Anthony Hello Anthony! After stopping NTP (or other time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one. I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again. -- David Kupka

[Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-04 Thread David LeVene
n't be in the Global Directory - but managed from the same place. Are there any other setups that will achieve what I require? I have seen slapd with proxy cache but I'm not sure about this option either, and configuring slapd with all the ldif files manually seems a little dauntin

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-05 Thread David LeVene
as it caches credentials/details for ~ 1 hour that's acceptable. Regards David -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek Sent: Thursday, May 05, 2016 18:17 To: freeipa-users@redhat.com Subject: Re: [Free

Re: [Freeipa-users] Advise for the best way to achieve AD Caching?

2016-05-06 Thread David LeVene
Thanks for the information Petr - As you have recommended another AD server or Samba 4 is the best solution. Cheers David -Original Message- From: Petr Spacek [mailto:pspa...@redhat.com] Sent: Friday, May 06, 2016 17:27 To: David LeVene ; freeipa-users@redhat.com Subject: Re: [Freeipa

Re: [Freeipa-users] mod_nss FreeIPA

2016-05-25 Thread David Kupka
erver-Cert u,u,u EXAMPLE.TEST IPA CA CT,C,C Signing-Cert u,u,u If this is not what you were asking, please try to explain what you want to achieve with more details. -- David Kupka

Re: [Freeipa-users] SSH login to client

2016-06-09 Thread David Kupka
on client? -- David Kupka

[Freeipa-users] ipa-client-install

2016-06-09 Thread David Zabner
there a command I can run that will delete the host that does not require the client to be installed? Thanks for the assistance, David

[Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
(Note: versions below) All, I am getting password failures for accounts coming from a sub-ad domain. I originally was not able to do 'getent' lookups of random users or groups and found that it was timing out during ldap scan. I upped the timeout on the 'IPA Configuration' tab in the web interfa

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-13 Thread David Fischer
-Original Message- From: Alexander Bokovoy <aboko...@redhat.com> To: David Fischer <dfisc...@petsmart.com> Cc: freeipa-users@redhat.com <freeipa-us...@redhat.com>

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
:07 PM To: David Fischer Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users On Mon, 13 Jun 2016, David Fischer wrote: >(Note: versions below) > >All, >I am getting password failures for accounts coming from a sub-a

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-14 Thread David Fischer
eployments/ -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Tuesday, June 14, 2016 1:03 PM To: David Fischer Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users On Tue, 14 Jun 2016, David Fis

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-16 Thread David Fischer
missing. getent and id -a both work fine and there are no HBAC. Any thoughts would be helpful. Thanks -Original Message- From: Alexander Bokovoy <aboko...@redhat.com> To: David Fischer <dfisc...@petsmart.com>

Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD Users

2016-06-17 Thread David Fischer
-Original Message- From: Alexander Bokovoy <aboko...@redhat.com> To: David Fischer <dfisc...@petsmart.com> Cc: freeipa-users@redhat.com <freeipa-us...@redhat.com>

Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka
RFE (https://fedorahosted.org/freeipa/newticket)? -- David Kupka

[Freeipa-users] Replicating users/groups from AD

2016-07-22 Thread Alston, David
the same domain in some release in the future. Am I waiting for a feature that will never come? --David Alston