On 04/19/2017 12:31 PM, Martin Bašti wrote:
On 17.04.2017 19:42, David Goudet wrote:
Hi,
Has nobody responded to my questions?
The main question is: Is it possible to configure SSSD to update DNS
(option dyndns_update) with only IP address "primary" in ip addr list
or which
elp.
Best regards,
On 03/27/2017 06:34 PM, David Goudet wrote:
Hi,
Thanks to the dyndns_update=True parameter, the SSSD service on the client machine updates
the host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on the network
interface.
I have problem with machines which
server-dns-4.4.0-12.el7.noarch
https://serverfault.com/questions/809810/minimal-example-of-extending-already-existing-api-and-cli-call-in-freeipa-4
Thank you a lot!
David
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http:
Mon Mar 27 17:03:56 2017) [sssd[be[]]] [nsupdate_child_stdin_done]
(0x1000): Sending nsupdate data complete
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [be_nsupdate_args] (0x0200):
nsupdate auth type: GSS-TSIG
setup_system()
Thank you for your help!
--
David GOUDET
LYRA NETWORK
IT Operations ser
Hello Ranbir,
are other records (A, , PTR, ...) created for the client in random.ipa and
just SSHFP missing? Is the domain random.ipa properly delegated? Is sshd
installed and keys generated on client
t
You can also look into RHEL documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html
--
David Kupka
,
as already described in the output you've posted, ipa-replica-prepare is no
longer used when the domain level is above 0. Since domain level 1, a new replica is
first joined to the FreeIPA domain as a client using ipa-client-install and then
promoted to a replica using ipa-replica-install.
You can find out more ab
when IPA was first installed, if any
> config files or certificates need to be brought back. I can provide further
> log excerpts if needed.
>
> Thank you in advance,
> Paul Brennan
>
update user entries
there and once the entry is complete you can call stageuser-activate to create
the user entry using values from the stageuser entry.
You can find description of the feature and examples on design page [1].
[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management
--
David
ht help but I
never tried.
Generally I would not recommend touching this on production system. Why do you
want to change the database format?
(1) certutil -d sql:HTTPD_ALIAS_DIR --upgrade-merge --source-dir
HTTPD_ALIAS_DIR --upgrade-id 1
--
David Kupka
Certmonger [2] is configured during ipa-server-install to track and renew
certificates.
[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger
--
David Kupka
ock the user account after a period of time or at a
specified time. You need to call "ipa user-disable LOGIN" manually.
You can file ticket and describe your use-case here:
https://pagure.io/freeipa/new_issue
--
David Kupka
nt as I
proposed in [2]? Why is separate deployment of FreeIPA for the project
required?
[1] https://technet.microsoft.com/en-us/library/cc730749(v=ws.11).aspx
[2] https://www.redhat.com/archives/freeipa-users/2017-February/msg00136.html
--
David Kupka
Hello!
From man 8 useradd:
Usernames may only be up to 32 characters long.
--
David Kupka
On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
>
>
> >
> > The fact that your desktops are using SSSD changes the situation
> > dramatically.
> >
> > SSSD (with ipa or krb5 provider) obtains ticket for user when he is
>
On Thu, Feb 16, 2017 at 07:54:47AM -0500, William Muriithi wrote:
> Morning David,
>
> Thank you very much for your help.
>
> > first you're mentioning "key expiry" but if I understand correctly you're
> > interested in "ticket lifetime"
10day krbtgt/EXAMPLE.ORG
Principal "krbtgt/example@example.org" modified.
: exit
To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
and restart krb5kdc service.
But generally I don't think it's a good idea to have such long tickets. Wo
I would say that the Project IPA is not
necessary in the described scenario.
You can create accounts for all the users involved in Project in Enterprise
IPA and assign them to Project group. You can also enroll all Project hosts
to Enterprise IPA and add them to Project hostgroup. Then you can use
omains),
c) will likely result in weird behavior,
d) is definitely not supported nor encouraged.
--
David Kupka
ream git clone [1] add the desired
patches and build your own package.
[1] https://git.centos.org/commit/rpms!ipa.git
--
David Kupka
->Role Based Access Control->Permissions (eg. System: Read User
Addressbook Attributes) and change "Bind rule type" from all to
"permission".
But be aware that modifying the permissions may result in SSSD being
unable to resolve users unless you add those permissions to hosts
On 17/01/17 12:16, Peter Fern wrote:
On 17/01/17 21:48, David Kupka wrote:
Ok, your plugin is not really a plugin but that should not be a problem.
To make it work:
1) replace "from ipalib.plugins.user import user" with "from
ipaserver.plugins.user import use
On 17/01/17 11:30, Peter Fern wrote:
On 17/01/17 20:39, David Kupka wrote:
in 4.4 we split the plugins into server and client plugins. Simple
plugins (like the server plugin) need to exist only on the server, and all
that is needed is to move them from ipalib/plugins to ipaserver/plugins.
But if the plugin defines interactive_prompt_callback (like the
dns plugin) or forward (like the vault plugin) you will need to split the
client and server parts of the plugin.
--
David Kupka
s://fedorahosted.org/freeipa/ticket/5814
--
David Kupka
0*24*3600)))"
+'%Y%m%d%H%M%S'Z)
END_LDIF
It works but I would not recommend using it in a production environment.
--
David Kupka
on master and replica and 6.9 (ipa-client 3.0.0-51) on client
and it worked for me as expected.
I've done these steps:
[master] # ipa-server-install -a Secret123 -p Secret123 --domain
example.test --realm EXAMPLE.TEST --setup-dns --auto-forwarders -U
[replica] # ipa-client-install -p admin -w
On 13/12/16 07:52, Stephen Ingram wrote:
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote:
yes you can do it. DNS domain and Kerberos realm are two different things.
It's common and AFAIK recommended to capitalize the DNS domain to get the realm,
but it's not required.
If you real
ou want to have the realm different from the
domain?
--
David Kupka
Hi Simo, I think this is not true, because the IPA JSON API is also part of the IPA web UI
- and there is a problem with load balancing, as you can see here:
https://www.redhat.com/archives/freeipa-users/2016-October/msg00223.html.
David
Hello,
I'm almost sure that 'krbcanonicalname' has nothing to do with this.
Adding krbcanonicalname attribute was done to allow principal aliases
(multiple kerberos principals for one user/host/service), see [1] for
details.
Unfortunately, I don't know what's wrong
On 30/11/16 15:30, Callum Guy wrote:
Hi David,
I can confirm that using FreeOTP resolves the problem for me.
What a frustration, I am surprised that Google wouldn't add support beyond
SHA1 - perhaps a notice on the OTP documentation page would help others in
this situation.
Thank you so
Hi,
The Pki service is running and I cannot find any issues with it. I can run
a curl request to the master hostname on port 8443 and communication works
fine.
Any other idea why this replica install code would fail and log
CA_UNREACHABLE?
Regards,
David
2016-11-29 22:16 GMT+01:00 Florence
On 30/11/16 10:13, David Kupka wrote:
On 29/11/16 12:57, Callum Guy wrote:
Hi Alexander,
I can confirm that I am using version 4.2.0.
The bug link provided mentions that it caused GA to fail to scan the
codes.
In my situation it is FreeIPA (or related service) which appears to
fail to
--
/ Alexander Bokovoy
--
David Kupk
Can you give me a couple of test commands?
I am not familiar with Dogtag.
Groeten,
David
2016-11-29 14:57 GMT+01:00 David Kupka :
> On 29/11/16 13:55, David Dejaeghere wrote:
>
>> Correct. Same symptoms.
>>
>> 2016-11-29T10:29:42Z DEBUG certmonger request is
On 29/11/16 13:55, David Dejaeghere wrote:
Correct. Same symptoms.
2016-11-29T10:29:42Z DEBUG certmonger request is in state
dbus.String(u'CA_UNREACHABLE', variant_level=1)
Fedora 24 Server
[root@ns02 ~]# dnf history userinstalled
Packages installed by user
freeipa-client-4.3.2-2.f
64
grub2-1:2.02-0.34.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64
kernel-4.8.8-200.fc24.x86_64
lvm2-2.02.150-2.fc24.x86_64
xfsprogs-4.5.0-2.fc24.x86_64
2016-11-29 13:41 GMT+01:00 Petr Vobornik :
> On 11/29/2016 12:43 PM, David Kupka wrote:
> > On 29/11/16 12:15, David Dejaeghere wrote:
On 29/11/16 12:15, David Dejaeghere wrote:
Seems like it is but it does not show a server cert for dirsrv
[root@ns02 ~]# ls -lZ /etc/dirsrv/slapd-SOMETHING-BE/
total 468
-rw---. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 65536
Nov 29 11:29 cert8.db
-rw-rw. 1 dirsrv dirsrv
/XPI
CN=something-PAPRIKA-CA,DC=something,DC=localCT,C,C
SOMETHING.BE IPA CA CT,C,C
[root@ns02 ~]# ausearch -m avc -i
2016-11-29 12:09 GMT+01:00 David Kupka :
> On 29/11/16 11:51, David Dejaeghere wrote:
>
>> Hi,
On 29/11/16 11:51, David Dejaeghere wrote:
Hi,
I have a setup where I want to add a replica. The first master setup has
an externally signed cert for dirsrv and httpd. The replica is prepared
successfully with ipa-client-install but the replica install then keeps
failing. It seems that
Hi,
I have a setup where I want to add a replica. The first master setup has
an externally signed cert for dirsrv and httpd. The replica is prepared
successfully with ipa-client-install but the replica install then keeps
failing. It seems that during install dirsrv is not configured correctly
omain-configuration-of-dns/
The article is about CentOS 6 and more than 3 years old but still might
be helpful because it's mainly about Bind 9 configuration.
--
David Kupka
Can somebody help us with how to move ahead with this issue?
It seems like nobody is picking this up.
Kind Regards,
David
2016-10-26 13:43 GMT+02:00 David Dejaeghere :
> Does anybody have a clue on how to continue with this?
>
> Kind Regards,
>
> David
>
> 2016-10-24
installed it).
samba-common contains files for the samba client and server, so removing it
may remove applications that can behave as a samba client.
--
David Kupka
Does anybody have a clue on how to continue with this?
Kind Regards,
David
2016-10-24 10:10 GMT+02:00 David Dejaeghere :
> These are both the subjects for the old and new root ca cert.
>
> Subject: "CN=tokio-PAPRIKA-CA,DC=tokio,DC=local"
> S
#x27;s expiration or the account's expiration. My
/var/log/secure has messages like "pam_sss(sshd:auth): received for user
uname: 13 (User account has expired)". Is there a setting for default
expiration of user accounts ? I don't remember setting it anywhere.
On Mon, Oct 24, 2
On 24/10/16 19:26, Gilbert Wilson wrote:
On Oct 24, 2016, at 5:51 AM, David Kupka wrote:
On 22/10/16 00:15, Gilbert Wilson wrote:
We have a lot of FreeBSD systems for which I would like to streamline certificate
issuance and renewal. Ideally, we could leverage our FreeIPA system's CA
install and run certmonger using FreeBSD's Linux
Binary Compatibility [1]? Though I don't know what the limitations
or possible issues are, it could be a way.
[1] http://www.freebsd.cz/doc/handbook/linuxemu.html
--
David Kupka
A has no way to say the password
is expired.
When the user tries to obtain a Kerberos ticket he will be forced to
change the password and the NTLM hash will also be regenerated.
--
David Kupka
a:2d:25:d5:43:b6:a7:75:a1:ef:58:f9:c9:11:e8:
09:1d
Exponent: 65537 (0x10001)
2016-10-24 5:49 GMT+02:00 Fil Di Noto :
> Hi,
>
> Can you give an example of what's different between the two subjects?
>
> On Sun, Oct 23, 2016 at 9:03 AM, Davi
Does somebody have an idea how to replace our certificates when the new
ROOT ca certificate has a different subject?
The UI is down because of this.
2016-10-19 11:42 GMT+02:00 David Dejaeghere :
> Hello,
>
> When installing FreeIPA we used the CA from our Windows servers.
> This
> on LB are from the same authority as certificates for IPA nodes.
>> Now I am in state all services working fine (LDAP, HTTP web gui, NTP, DNS)
>> with kerberos auth bud freeIPA json or xml api NOT.
david@dklima:~$ ldapsearch -H ldap://hub.internal.services -Y GSSAPI
SASL/
certnew.pem -n mycert -t C,,
Installing CA certificate, please wait
Failed to install the certificate: subject public key info mismatch
After validating the subjects are indeed different.
How can we replace the required certs for dirsrv and http when the CA is
not installable?
Kind Regards,
David
n upstream? Create a pull request on GitHub
(https://github.com/freeipa/freeipa ).
Do you want to contribute the translations? Submit them via zanata
(https://fedora.zanata.org/project/view/freeipa ).
HTH,
--
David Kupka
nly on one master and by default is enabled
on the first master that is installed with a CA. Here you can find more
information and a how-to:
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
HTH,
--
David Kupka
cally.
--
David Kupka
On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>>>> David Kowis wrote:
>>>>> On 08/15/2016 04:33 AM, Petr Sp
On 08/15/2016 09:27 PM, David Kowis wrote:
> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
>> David Kowis wrote:
>>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>>>
>>>
On 08/15/2016 08:05 PM, Rob Crittenden wrote:
> David Kowis wrote:
>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>>
>>> In any case, you can check server logs or use tcpdump/wireshark and
12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
Something tries to bind with no dn, and then fails I think?
--
David Kowis
On 08/14/2016 07:57 PM, David Kowis wrote:
> On 08/14/2016 02:31 PM, David Kowis wrote:
>> Perhaps someone else has had this error before, or maybe just knows what
>> I need to do?
>
> Digging through the mailing list, I only find this guy:
> https://www.redhat.com/arc
On 08/14/2016 02:31 PM, David Kowis wrote:
> Perhaps someone else has had this error before, or maybe just knows what
> I need to do?
Digging through the mailing list, I only find this guy:
https://www.redhat.com/archives/freeipa-devel/2014-October/msg00480.html
Seems someone had the exac
d failed. See /var/log/ipaserver-install.log
for more information
A google search for "freeipa authentication method not supported sasl
mechanism not supported",
or just for "freeipa sasl mechanism not supported", doesn't find me
anything useful :(
Perhaps someone else has had this error before,
y are
incapacitating migraines that will drive us all insane.
--David Alston
-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Thursday, August 04, 2016 4:31 AM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the sam
ironment).
Also, thanks for your other answers. They were very helpful :^)
--David Alston
-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Wednesday, August 03, 2016 2:13 PM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and
eated in FreeIPA?
--David Alston
-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Wednesday, August 03, 2016 1:28 PM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain
On Wed, 2016-08-03 at 13:24
wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts
COMPANY.COM (with all involved servers having the "company.com" DNS domain)?
As I understand it, the Kerberos realm FreeIPA uses can be specified during the
initial setup and it doesn't have to match the doma
trusting an AD Kerberos realm while on the same DNS domain. I've come across
some new information that I'd like to check with ya'll.
Thanks, everyone, for your answers!
--David Alston
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-use
opposite (installing CS on CA-less freeipa
server). Feel free to file an RFE https://fedorahosted.org/freeipa/newticket
--
David Kupka
r accounts from an external
AD/LDAP server seems to be built-in, at the moment. There aren't any plans to
take that away, are there? Ideally, I'd want a two-way sync so that password
changes and user group changes are replicated back to AD as well.
--David Alston
-Original Mes
the same
domain in some release in the future. Am I waiting for a feature that will
never come?
--David Alston
RFE (https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
-Original Message-
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
Cc: freeipa-users@redhat.com
missing. getent and id -a both work fine and
there are no HBAC rules. Any thoughts would be helpful.
Thanks
-Original Message-
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
eployments/
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, June 14, 2016 1:03 PM
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD
Users
On Tue, 14 Jun 2016, David Fis
:07 PM
To: David Fischer
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA - Password time outs / failures on trusted AD
Users
On Mon, 13 Jun 2016, David Fischer wrote:
>(Note: versions below)
>
>All,
>I am getting password failures for accounts coming from a sub-a
-Original Message-
From: Alexander Bokovoy <aboko...@redhat.com>
To: David Fischer <dfisc...@petsmart.com>
Cc: freeipa-users@redhat.com
(Note: versions below)
All,
I am getting password failures for accounts coming from a sub-ad domain.
I originally was not able to do 'getent' lookups of random users or groups and
found that it was timing out during ldap scan. I upped the timeout on the 'IPA
Configuration' tab in the web interfa
there a command I can run that will delete the host that does not require
the client to be installed?
Thanks for the assistance,
David
on client?
--
David Kupka
erver-Cert u,u,u
EXAMPLE.TEST IPA CA CT,C,C
Signing-Cert u,u,u
If this is not what you were asking, please try to explain what you want
to achieve in more detail.
--
David Kupka
Thanks for the information Petr - As you have recommended another AD server or
Samba 4 is the best solution.
Cheers
David
-Original Message-
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Friday, May 06, 2016 17:27
To: David LeVene ; freeipa-users@redhat.com
Subject: Re: [Freeipa
as
it caches credentials/details for ~ 1 hour that's acceptable.
Regards
David
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Thursday, May 05, 2016 18:17
To: freeipa-users@redhat.com
Subject: Re: [Free
n't be in the Global Directory - but managed from the same
place.
Are there any other setups that will achieve what I require? I have seen slapd
with proxy cache but I'm not sure about this option either, and configuring slapd
with all the ldif files manually seems a little dauntin
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130519130745':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or another time synchronizing service) and setting the
time manually, the server really doesn't have a way to determine that its time
differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the content
of root's ticket cache using klist. If there is anything, clean it with
kdestroy and try to resubmit the request again.
--
David Kupka
On 27/04/16 13:15, barry...@gmail.com wrote:
Do you mean to use ldapmodify?
I tried to update the dse.ldif but it falls back after a while.
On 2016-04-27 7:10 PM, "David Kupka" <dku...@redhat.com> wrote:
On 27/04/16 12:48, barry...@gmail.com
nsslapd-requiresrestart
I don't see nsslapd-security listed so it should be possible to change
it in runtime.
--
David Kupka
Are you sure that your bind dn has read access to userPassword? A default OpenLDAP
installation usually has an admin user.
Gosa ACLs are only applied when using the web interface; they are not used for
direct access via LDAP.
> Am 27.04.2016 um 03:43 schrieb siology.io :
>
> I'm having issues migr
gi?id=1134497
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1271551
HTH,
--
David Kupka
ubikey.
> 3) Does Yubikey auth require talking to the outside world to function? Our
> IPA setup is within a secure zone, with no direct connectivity to the outside
> world, so if this is necessary, it would be a possible deal-breaker for these.
No, this would only be needed if you w
On 15/04/16 15:16, Harald Dunkel wrote:
Hi David,
Hello Harri,
the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the
permissions are set to:
$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r
orahosted.org/freeipa/newticket) and provide reproducer?
--
David Kupka
lpful hint is highly welcome
Harri
Hello Harri,
the attribute you're looking for is 'nsaccountlock'. This command should
give you uids of all disabled users:
$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test
"(nsaccountlock=TRUE)" uid
5 14:00 secmod.db
Please check the permission on your system. If it's different and you
(or system admin) haven't changed it please file a ticket
(https://fedorahosted.org/freeipa/newticket).
--
David Kupka
on from "User Administrator" privilege ($ ipa
privilege-remove-permission "User Administrators" --permissions "System:
Remove Users").
HTH,
--
David Kupka
eap=PEAP
identity="user@freeipa.local"
anonymous_identity="anonymous"
password="asdfasdf"
phase2="autheap=MSCHAPV2"
}
Regards,
David
> Am 12.04.2016 um 14:02 schrieb Boris Cheperis :
>
> Hi,
>
> I’ve star
d its logs?
I believe that all services in FreeIPA depend on host names and resolve
IP addresses from DNS when needed.
But if the DNS server is part of the FreeIPA server you're trying to restore, it
is holding old records with old IP addresses. Maybe this is the cause,
but it's just a wild guess
ReplicaTombstonePurgeInterval: 86400
I followed the good documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html
Thanks for your help!
David
- Original Message -
From: "Ludwig Krispe