[Freeipa-users] FreeIPA wiki troubleshooting page re-org

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
Hi all, The troubleshooting page was getting huge and unwieldy. I have broken the various sections out into separate pages. Now the main troubleshooting page is just some high-level info/advice and a list of links to other topics. https://www.freeipa.org/page/Troubleshooting I haven't made any

[Freeipa-users] Re: Two way trust setup issue

2018-05-31 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 31 May 2018, Merritt, Todd R - (tmerritt) wrote: On 5/30/18, 10:59 PM, "Alexander Bokovoy" wrote: On Wed, 30 May 2018, Merritt, Todd R - (tmerritt) wrote: > > >On 5/29/18, 7:59 PM, "Alexander Bokovoy" wrote: > >On Tue, 29 May 2018, Merritt, Todd R - (tmerrit

[Freeipa-users] Re: CA_UNREACHABLE during ipa-replica-install

2018-05-31 Thread r hartikainen via FreeIPA-users
Hello, In my case this error message was directly related to security hardening with OpenSCAP using DISA STIG for RHEL 7 policy. First clue of problems was with the webui on freshly installed primary, with admin account always got every time error "login failed for unknown reason". Replica inst

[Freeipa-users] Re: Two way trust setup issue

2018-05-31 Thread Merritt, Todd R - (tmerritt) via FreeIPA-users
On 5/30/18, 10:59 PM, "Alexander Bokovoy" wrote: On Wed, 30 May 2018, Merritt, Todd R - (tmerritt) wrote: > > >On 5/29/18, 7:59 PM, "Alexander Bokovoy" wrote: > >On Tue, 29 May 2018, Merritt, Todd R - (tmerritt) via FreeIPA-users wrote: >>Hi, >>

[Freeipa-users] Re: Odd - random failed from PAM?

2018-05-31 Thread Striker Leggette via FreeIPA-users
I would start here: May 30 21:00:06 grover1-prod sshd[87570]: pam_sss(sshd:account): Access denied for user blahblahusername: 4 (System error) However, you might want to set 'debug_level = 9' instead. After reproducing and getting the same error from the system's logs, grep the SSSD domain log

[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration

2018-05-31 Thread Rob Crittenden via FreeIPA-users
barrykfl--- via FreeIPA-users wrote: > Yes I read the point knew they are difference ..But if most users 90% no > need access httsps://myserver.com/ipa/UI > and just use ldap authorization ...so I don't need ask user migration or > change password ? our users 90% use 3r

[Freeipa-users] Re: [BLOG] Replacing a lost or broken CA in FreeIPA

2018-05-31 Thread Angus Clarke via FreeIPA-users
Thanks Fraser! On 31 May 2018 at 09:29, Fraser Tweedale via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > My latest blog post looks at how to clean up and install a *new* CA > within an existing FreeIPA deployment. This handles scenarios where > a CA installation has failed, or t

[Freeipa-users] [BLOG] Replacing a lost or broken CA in FreeIPA

2018-05-31 Thread Fraser Tweedale via FreeIPA-users
My latest blog post looks at how to clean up and install a *new* CA within an existing FreeIPA deployment. This handles scenarios where a CA installation has failed, or the original CA has been lost (e.g. all CA replicas decommissioned). Enjoy! As usual, I am keen for whatever feedback or questio

[Freeipa-users] Odd - random failed from PAM?

2018-05-31 Thread Kat via FreeIPA-users
Hi all - Here is an odd one. I have a group of userIDs that login via SSH keys (stored in .ssh/authorized_keys and NOT in IPA) to a system enrolled in IPA of course. Actually all the systems are enrolled in IPA, so that should be a given. Environment - RHEL 7.4 or 7.5 with current IPA on all

[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration

2018-05-31 Thread barrykfl--- via FreeIPA-users
Yes but we use third party passwd manager to allow user change password on another site different address. (But most users ask admin reset for them) Users won't touch any ldap server address UI. 2018-05-31 15:43 GMT+08:00 Ernedin Zajko : > Dear barrykfl, > > one of the issues that will emerge - us

[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration

2018-05-31 Thread Barry via FreeIPA-users
Yes but we use third party passwd manager to allow user change password on another site different address. (But most users ask admin reset for them) Users won't touch any ldap server address UI. 2018-05-31 15:43 GMT+08:00 Ernedin Zajko : > Dear barrykfl, > > one of the issues that will emerge - u

[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration

2018-05-31 Thread Ernedin Zajko via FreeIPA-users
Dear barrykfl, one of the issues that will emerge - users updating (changing) passwords (if you want them to use ipa ui) regards, --- Ernedin ZAJKO eza...@root.ba > 340282366920938463463374607431768211456 On Thu, May 31, 2018 at 9:06 AM wrote: > > Yes I read the point knew they are difference

[Freeipa-users] Re: concept at migration of http://server.com/ipa/migration

2018-05-31 Thread barrykfl--- via FreeIPA-users
Yes I read the point knew they are difference ..But if most users 90% no need access httsps://myserver.com/ipa/UI and just use ldap authorization ...so I don't need ask user migration or change password ? our users 90% use 3rd party open source and LDAP Auth. ??? actual what example of Kerberos aut