I'm running IPA 2.2.0 on RHEL6
Server:
[root@validserver ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pk
Further information:
I do have:
ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com
In /etc/sssd/sssd.conf
Is cn=ng,cn=compat correct?
--Jason
On Tue, Jul 10, 2012 at 2:15 PM, KodaK wrote:
> I'm running IPA 2.2.0 on RHEL6
>
> Server:
>
> [root@validserve
On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal wrote:
> On 07/10/2012 03:15 PM, KodaK wrote:
>> I'm running IPA 2.2.0 on RHEL6
>>
>> Server:
>>
>> [root@validserver ~]# rpm -qa | grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0
Has anyone rolled out a self-service password reset utility for IPA?
If so did you use something off the shelf that speaks LDAP or roll
your own?
I'm looking at this:
http://code.google.com/p/pwm/
But I'm just starting down this path.
Thanks,
--Jason
--
The government is going to read our ma
On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier wrote:
> Hello,
>
> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with
> adding slaves to the named.conf file?
>
> example on ipaserver1:
>
> zone "myzone.tld" {
> type slave;
> file "slave/myzone.db"
>
I've been banging my head on this for a couple of days, and I can't
find anything in the docs or by searching.
I'm trying to do what I think should be pretty simple: I have a group
of users and an application account, all in IPA. I want users in that
group to be able to "sudo su - appacct".
Wha
On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal wrote:
> On 07/17/2012 11:50 AM, KodaK wrote:
>> I've been banging my head on this for a couple of days, and I can't
>> find anything in the docs or by searching.
>>
>> I'm trying to do what I think should be
On Tue, Jul 17, 2012 at 1:40 PM, KodaK wrote:
> On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal wrote:
>> On 07/17/2012 11:50 AM, KodaK wrote:
>>> I've been banging my head on this for a couple of days, and I can't
>>> find anything in the docs or by searching.
Alright, this is pretty bad.
My servers keep going out of sync. I have four replicas, slpidml01
through 04. I only figure it out when weird things start happening.
Is there a log somewhere that I can parse that says that updates
aren't getting sent out? What are the types of things that can cau
On Mon, Jul 23, 2012 at 9:42 AM, KodaK wrote:
> Alright, this is pretty bad.
>
> My servers keep going out of sync. I have four replicas, slpidml01
> through 04. I only figure it out when weird things start happening.
> Is there a log somewhere that I can parse that says that u
I have an unusual situation. Our DBAs want different passwords for the
oracle account on production and development machines. I'm using local
authentication for oracle on all the boxes, but they're also not allowed
to log in directly as oracle, only su, but su always wants to go to ldap
first.
D
was easiest for now.
On Tue, Aug 7, 2012 at 10:02 AM, KodaK wrote:
> I have an unusual situation. Our DBAs want different passwords for the
> oracle account on production and development machines. I'm using local
> authentication for oracle on all the boxes, but t
I suspect I'm SOL on this one, but I'd like confirmation.
We have two servers in an HA cluster:
source:
sla710ph1.unix.magellanhealth.com
target:
slahat01.unix.magellanhealth.com
and a service name of:
sla710ph.unix.magellanhealth.com
The service name will float between the HA source and ta
On Tue, Aug 7, 2012 at 4:48 PM, Rob Ogilvie wrote:
> I just found these additional log file entries on my IPA server. The
> vm-mapsdc2 is one of the domain controllers/DNS servers not associated
> with IPA other than being one of our authoritative DNS servers. Is
> something misconfigured in IPA
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA manage it).
Absolutely, this is the best way.
> You can configure each all servers and client statically with
> /etc/krb5.conf, but it is
Rob, you may want to read through this whole FAQ, but this one covers
what I'm talking about:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms
--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
>> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>> > -I'm going to set up the IPA server with a new realm;
>> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
>>
I've kerberized a bunch of AIX machines, and I noticed when I was
starting out that AIX allows people to connect that have expired
passwords, and does not prompt for changes.
1) does anyone know what I need to do on AIX to make this happen (I
don't hold out much hope for this.)
2) alternately, do
I apologize in advance for not having very much information to go on.
We have exactly 100 hosts in IPA right now. On occasion, maybe once
or twice a day, all authentication just pauses for some amount of
time. It can range from just a few seconds to about 30 seconds. I
can see this happen, I ca
OK, so it works if you allow all hosts, but fails if you specify a
host. This leads me to believe that the host may not "know" who it
is.
Run the gamut on local hostname configuration:
Check /etc/hosts, is the host listed with the FQDN first?
Check "hostname" -- it should report the FQDN.
Check
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> From: KodaK [sako...@gmail.com]
> Sent: Wednesday, 15 August 2012 9:41 a.m.
> To: S
On Tue, Aug 21, 2012 at 2:50 AM, Innes, Duncan wrote:
>I can't be alone in deploying IPA in a network already "dominated" by AD.
You're certainly not. In my case it appears the Windows people have
done everything they can to sabotage my efforts to implement SSO in
unix-land that they can do with
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:
"we cannot use anything other than MS AD for authentication"
I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines. To
paraphrase Babb
Thanks, everyone, for your input. It has helped tremendously.
--Jason
Thank you everyone. We finally had our meeting today (it was delayed
from Tuesday.) It went much better than I was expecting. Regardless
of the email that said "we can't authenticate to anything but MS AD,"
apparently his *actual* concern was having a third party tie-in to
Active Directory that
On Mon, Sep 10, 2012 at 4:16 PM, Steven Jones wrote:
> Hi,
>
> Not sure if this is an IPA issue but I'm finding ssh takes a long time to login.
> It looks like ssh is querying IPA for authentication mechanisms?...if so can
> I simply turn this off? and if so how?
"Slow" SSH is (in my experience,