[Freeipa-users] indirect automount offsets

2015-04-15 Thread Rob Verduijn
Hello, I'm trying to figure out how to use automounts in freeipa with offsets. currently I have this: the default location containing 3 maps auto.direct auto.home auto.master auto.direct is empty auto.home contains: key : * mount information : -rw nfs.example.com:/homes/& auto.master contains ke

Re: [Freeipa-users] indirect automount offsets

2015-04-16 Thread Rob Verduijn
any ideas on how to set the privileges in such a way that not everybody requires access to the exports ? Rob Verduijn 2015-04-16 5:36 GMT+02:00 Rob Crittenden : > Rob Verduijn wrote: >> Hello, >> >> I'm trying to figure out how to use automounts in freeipa with offsets

[Freeipa-users] certificate alert

2015-06-28 Thread Rob Verduijn
Hello, Is there an easy way to get alerts for soon to expire certificates in freeipa ? Because the day you forget to do the checks via the gui or cli is the day you will be regretting. Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/lis

[Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
Hello, What would be the most appropriate way to create a search account so that a third party tool (wildfly) can use it to search the ipa domain for credentials ? Cheers Rob

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
thanx 2016-06-30 13:59 GMT+02:00 Tomasz Torcz : > On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote: > > Hello, > > > > > > What would be the most appropriate way to create a search account so > that a > > third party tool (wildfly) can

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Rob Verduijn
hi, just a long shot here.. I've been battling sudo for a couple days now and found that my issue was one related to symlinks on centos7 'which cat' says /bin/cat but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when it sees one and to prevent abuse it requires the 'real' path

[Freeipa-users] sss / nsswitch

2016-09-12 Thread Rob Verduijn
nfs4 shares belong to nobody:nobody again. Anybody who has a tip on how to work around this until they fix sssd ? Cheers Rob Verduijn

Re: [Freeipa-users] sss / nsswitch

2016-09-13 Thread Rob Verduijn
2016-09-13 15:07 GMT+02:00 Lukas Slebodnik : > On (13/09/16 10:39), Sumit Bose wrote: > >On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote: > >> Hi, > >> > >> Thanks that did it. > >> > >> Is there a less painful way to be noti

Re: [Freeipa-users] sss / nsswitch

2016-09-23 Thread Rob Verduijn
2016-09-23 10:27 GMT+02:00 Lukas Slebodnik : > On (13/09/16 16:18), Rob Verduijn wrote: > >2016-09-13 15:07 GMT+02:00 Lukas Slebodnik : > > > >> On (13/09/16 10:39), Sumit Bose wrote: > >> >On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote: > &g

[Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
Hello, For some reason my ipa server no longer boots. It keeps trying to start pki-tomcat service. Does anybody know where I should start looking to get this fixed ? Rob Verduijn ipactl -d start gives this output: ipa: DEBUG: The CA status is: check interrupted due to error: Command '

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
2016-12-01 15:41 GMT+01:00 Rob Crittenden : > Rob Verduijn wrote: > > Hello, > > > > For some reason my ipa server no longer boots. > > It keeps trying to start pki-tomcat service. > > > > Does anybody know where I should start looking to get this fixed ?

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-01 Thread Rob Verduijn
2016-12-01 17:20 GMT+01:00 Rob Crittenden : > Rob Verduijn wrote: > > > > > > 2016-12-01 15:41 GMT+01:00 Rob Crittenden > <mailto:rcrit...@redhat.com>>: > > > > Rob Verduijn wrote: > > > Hello, > > > > > >

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

2016-12-02 Thread Rob Verduijn
2016-12-01 19:44 GMT+01:00 Rob Verduijn : > > > 2016-12-01 17:20 GMT+01:00 Rob Crittenden : > >> Rob Verduijn wrote: >> > >> > >> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden > > <mailto:rcrit...@redhat.com>>: >> > >>

[Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-12 Thread Rob Verduijn
-ignore-service-failure' Is there a way to explain the script that it should check for chronyd instead of ntpd ? I also see this a lot in the logs: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type Is that a serious error ? Rob Verduij

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-16 Thread Rob Verduijn
2016-12-15 13:47 GMT+01:00 Petr Vobornik : > On 12/12/2016 08:53 PM, Rob Verduijn wrote: > > Hello, > > > > I've recently upgraded to centos 7.3. > > Didn't intend to so soon but should have checked the announce lists before > > launching my ansible updat

[Freeipa-users] FYI incorrect configuration when using ipa-client-automount

2016-12-16 Thread Rob Verduijn
used to seeing closed not supported on the redhat bugzilla when the word centos is mentioned I've posted it in the centos buglist : https://bugs.centos.org/view.php?id=12415 Cheers Rob Verduijn

[Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
non-zero exit status 1 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. systemd[1]: ipa-dnskeysyncd.service failed. for some reason the ipa-dnskeysyncd keeps crashing. Anybody know where to start look

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 15:52 GMT+01:00 Petr Spacek : > On 19.12.2016 14:07, Rob Verduijn wrote: > > Hello, > > > > I'm running ipa on centos 7.3 with the latest patches applied. > > > > It seem to run fine however the ipa-dnskeysyncd keeps failing to start > and

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 16:07 GMT+01:00 Rob Verduijn : > > > > 2016-12-19 15:52 GMT+01:00 Petr Spacek : > >> On 19.12.2016 14:07, Rob Verduijn wrote: >> > Hello, >> > >> > I'm running ipa on centos 7.3 with the latest patches applied. >> > >>

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 17:06 GMT+01:00 Martin Basti : > > > On 19.12.2016 16:27, Rob Verduijn wrote: > > > > 2016-12-19 16:07 GMT+01:00 Rob Verduijn : > >> >> >> >> 2016-12-19 15:52 GMT+01:00 Petr Spacek : >> >>> On 19.12.2016 14:07, Rob Verduij

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Rob Verduijn
2016-12-19 18:53 GMT+01:00 Martin Basti : > > > On 19.12.2016 17:51, Rob Verduijn wrote: > > 2016-12-19 17:06 GMT+01:00 Martin Basti : > >> >> >> On 19.12.2016 16:27, Rob Verduijn wrote: >> >> >> >> 2016-12-19 16:07 GMT+01:00 Rob V

[Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Hello, I'm a bit at loss with my freeipa kerberized nfs4 shares. the nfs4 shares mount fine and users can read and write their files. However pulse audio does not work properly, and some programs fail to start. When logging in with a local account using a local homedrive pulseaudio works, and the

Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Hi Simo, Thanx for the quick answer, i will consider the root implications. However, what about pulse audio not working ? The logs complain about that one not being able to write in home as well. Rob 2014-06-20 18:27 GMT+02:00 Simo Sorce : > On Fri, 2014-06-20 at 18:02 +0200, Rob Verdu

Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
orce : > On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote: >> Hi Simo, >> >> Thanx for the quick answer, i will consider the root implications. >> However, what about pulse audio not working ? >> The logs complain about that one not being able to write in hom

Re: [Freeipa-users] issues with nfs4 privileges.

2014-06-20 Thread Rob Verduijn
Considering the root implications. Handing out root to all nfs clients is indeed something that is undesirable. However personally I believe manually creating homedirs to be a procedure from the previous millennium. Can I get freeipa to do this automatically the right way ? (respecting security)

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Rob Verduijn
err http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation of course Rob 2014-06-24 21:12 GMT+02:00 Rob Verduijn : > I saw this in your log : > > > Global DNS configuration in LDAP server is empty > You can use 'dnsconfig-mod'

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Rob Verduijn
I saw this in your log : Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Did you install bind and bind-dyndb-ldap ? http://www.freeipa.org/docs/master/html-desktop/index.html#in

[Freeipa-users] GSSAPIDelegateCredentials yes

2014-07-05 Thread Rob Verduijn
Hello, I've set up host that mounts a kerberized nfs4 homedrive. This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user. This requires either manually doing kinit or setting the GSSAPIDelegateCredentials yes in either .ssh config or

Re: [Freeipa-users] GSSAPIDelegateCredentials yes

2014-07-14 Thread Rob Verduijn
> >> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote: >>> >>> Hello, >>> >>> I've set up host that mounts a kerberized nfs4 homedrive. >>> This all works fine, however when logging in remotely with a user >>> using ssh the ke

[Freeipa-users] sudo without the !authenticate

2014-09-01 Thread Rob Verduijn
Hello, I've a freeipa running on fedora 20 with fedora 20 clients. When I configure sudo with the !authenticate option, everything works fine. ie 'sudo journalctl' works fine, you get to see the logs However when I remove the !authenticate option the sudo command asks for a password but it alway

Re: [Freeipa-users] sudo without the !authenticate

2014-09-01 Thread Rob Verduijn
2014-09-01 18:47 GMT+02:00 Dmitri Pal : > On 09/01/2014 06:17 PM, Rob Verduijn wrote: > > Hello, > > I've a freeipa running on fedora 20 with fedora 20 clients. > > When I configure sudo with the !authenticate option, everything works > fine. > ie 'sudo j

[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-15 Thread Rob Verduijn
Hello, I've got a webserver whose default export is on a kerberized nfs4 export. The export works fine for regular ipa users However the apache user is not allowed to read anything from the export. What would be the best practice to allow the apache user access to the nfs4 export without switc

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-16 Thread Rob Verduijn
on a kerberized nfs4 share being a very nice use case. btw after I posted this I spend some more time on google and found this old kb article on access.redhat.com that deals with a kerberized nfs document root for apache: https://access.redhat.com/solutions/56581 I haven't tried it yet cause it

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-17 Thread Rob Verduijn
credentials from a keytab. Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab ? (which might also solve some of my ssh annoyances but that's a bit off topic) Rob Verduijn

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-20 Thread Rob Verduijn
eytab cred_usage = initiate allow_any_uid = yes trusted = yes euid = 0 2014-09-17 9:15 GMT+02:00 Rob Verduijn : > > > 2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS : > > >> > Also opened https://fedorahosted.org/freeipa/ticket/4544 >> >> Tried to summari

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-20 Thread Rob Verduijn
sage = initiate allow_any_uid = no trusted = yes euid = 48 2014-09-20 18:15 GMT+02:00 Simo Sorce : > On Sat, 20 Sep 2014 16:53:48 +0200 > Rob Verduijn wrote: > > > Hello all, > > > > I've managed to get the gssproxy to work on my installation. > > I can

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

2014-09-22 Thread Rob Verduijn
2014-09-22 21:50 GMT+02:00 Simo Sorce : > On Mon, 22 Sep 2014 15:09:42 -0400 > Dmitri Pal wrote: > > > On 09/20/2014 05:19 PM, Simo Sorce wrote: > > > On Sat, 20 Sep 2014 19:44:28 +0200 > > > Rob Verduijn wrote: > > > > > >> Hi again, >

[Freeipa-users] dns stops working after upgrade

2014-10-25 Thread Rob Verduijn
Hello all, I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main dns server. I've tried the upgrade to 4.1 using the copr repository. I performed the following steps: 1 apply latest fedora updates 2 shutdown system 3 create a snapshot from the freeipa vm as a backup (which

Re: [Freeipa-users] dns stops working after upgrade

2014-10-26 Thread Rob Verduijn
start in 300.0s I guess its something with the update for the ca certificate server that failed. Any clues on how to proceed ? Rob 2014-10-26 11:39 GMT+01:00 John Obaterspok : > Hello Rob, > > Did systemd report any failed services? (systemctl --failed) > > > -- john > &

Re: [Freeipa-users] dns stops working after upgrade

2014-10-27 Thread Rob Verduijn
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1421, in get_entries base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527, in find_entries break File "/usr/lib64/

Re: [Freeipa-users] dns stops working after upgrade

2014-10-27 Thread Rob Verduijn
apshot again :( Please help Rob 2014-10-26 21:38 GMT+01:00 Rob Crittenden : > Rob Verduijn wrote: > > h > > > > after some more digging (monitoring the upgrade more closely.) > > I saw that the upgrade kept waiting for the ca to start, which it did &

Re: [Freeipa-users] dns stops working after upgrade

2014-10-27 Thread Rob Verduijn
date certmonger certificate renewal configuration to version 2] [Enable PKIX certificate path discovery and validation] PKIX already enabled The ipa-upgradeconfig command was successful Any ideas ? I'm rather stuck now. Rob 2014-10-27 22:59 GMT+01:00 Rob Verduijn : > Hello, > &

Re: [Freeipa-users] dns stops working after upgrade

2014-10-28 Thread Rob Verduijn
zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? Rob 2014-10-27 23:05 GMT+01:00 Rob Verduijn : > sorry fo

Re: [Freeipa-users] dns stops working after upgrade

2014-10-28 Thread Rob Verduijn
before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti : > On 28/10/14 16:10, Rob Verduijn wrote: > > Hello all, > > I've been digging into

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello, I've checked and I see a lot of objects representing my dns entries. Still I get no answers if i try to resolve any of them :( Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek : > On 28.10.2014 18:42, Rob Verduijn wrote: > >> before the update its 4.5-1.fc20.x86_64.rpm from

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
ne (I really started to appreciate snapshots with this upgrade :-) Rob 2014-10-29 14:50 GMT+01:00 Petr Spacek : > On 29.10.2014 14:32, Rob Verduijn wrote: > >> I've checked and I see a lot of objects representing my dns entries. >> Still I get no answers if i try to resolve a

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
can pinpoint what goes wrong with the update script if you like. Rob 2014-10-29 16:13 GMT+01:00 Martin Basti : > On 29/10/14 15:56, Martin Basti wrote: > > On 29/10/14 15:46, Rob Verduijn wrote: > > You're right > duh I should read more carefully and not try to do

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello again, I jumped too early. # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't work but "ipa-ldap-updater " fixes the problem for me. Rob 2014-10-29 16:55 GMT+01:00 Martin Basti : > On 29/10/14 16:46, Rob Verduijn wrote: > > Hello, > >

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
;t resolv after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolv again :-) Cheers Rob 2014-10-29 18:14 GMT+01:00 Petr Spacek : > On

Re: [Freeipa-users] dns stops working after upgrade

2014-11-04 Thread Rob Verduijn
freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it) Any ideas anyone ? Rob 2014-10-29 22:14 GMT+01:00 Rob Verduijn : > Hello, > > I've tested the update again. > > The bind-utils conflict is still there when I issue "yu

Re: [Freeipa-users] dns stops working after upgrade

2014-11-04 Thread Rob Verduijn
;System: ' prefix. Rob 2014-11-04 15:52 GMT+01:00 Petr Spacek : > On 4.11.2014 15:27, Rob Verduijn wrote: > >> Hello again, >> >> I've managed to integrate my katello configuration with freeipa. >> Now I not only use freeipa authentication in katello but als

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Rob Verduijn
> Foreman proxy? Or not? I.e. is it working when you revert the snapshot? > > Do you have other replicas in the replication topology? Please keep in > mind that changes in LDAP (including changes to permissions) are replicated > so reverting one VM and not others is not necessar

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Rob Verduijn
Petr Spacek : > Hello, > > Rob V., you did not answered to my question when DNS worked for you last > time. Did it work right after reverting the snapshot? > > Petr^2 Spacek > > > On 5.11.2014 16:09, Rob Verduijn wrote: > >> Hello again, >> >> I don&#x

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Rob Verduijn
Hello, Yes I noticed the name change it took me a while to realise it was a known ruby bug in katello that caused the real problem. I also checked after I updated the 'katello integrated' update from 3.3.5 to 4.1 and the permissions were neatly renamed to their new counterparts. However the inte

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Rob Verduijn
remove those :P Rob 2014-11-05 16:20 GMT+01:00 Stephen Benjamin : > On Wed, Nov 05, 2014 at 04:09:18PM +0100, Rob Verduijn wrote: > > Hello again, > > > > I don't know about foreman upstream, the current version that I am using > > included in the katello install

Re: [Freeipa-users] dns stops working after upgrade

2014-11-05 Thread Rob Verduijn
nd in 4.1 it becomes 'Write DNS Configuration' Rob 2014-11-05 16:25 GMT+01:00 Petr Spacek : > On 5.11.2014 16:20, Rob Verduijn wrote: > >> Hello, >> >> Yes I noticed the name change it took me a while to realise it was a known >> ruby bug in katello that cause

[Freeipa-users] missing package in 4.1.1 repo

2014-11-06 Thread Rob Verduijn
Hi, There is a dependency error in the updated repo. I did a yum clean all then a yum update. I got this error: Error: Package: freeipa-server-4.1.1-1.fc20.x86_64 (mkosek-freeipa) Requires: slapi-nis >= 0.54.1-1 Removing: slapi-nis-0.52-1.fc20.x86_64 (@private.updates)

Re: [Freeipa-users] DS failed after upgrade

2014-11-07 Thread Rob Verduijn
> > Original Message Subject: Re: [Freeipa-users] dns > stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob > VerduijnTo: Martin > Basti > > Hi again, > > I tried the update to 4.1.1 > It didn't went well, actuall

Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

2014-11-07 Thread Rob Verduijn
ration,cn=plugins,cn=config 2014-11-07T13:10:03Z DEBUG Live 1, updated 1 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'} 2014-11-07T13:10:03Z ERROR Update failed: Operations error: That's it Rob 2014-11-07 13:56 GMT+01:00

Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

2014-11-07 Thread Rob Verduijn
Yup that solved it. Everything looks ok now :-) Thank you for you great effort. Rob 2014-11-07 14:55 GMT+01:00 Martin Basti : > On 07/11/14 14:26, Rob Verduijn wrote: > > Hello, > > Yes this time there are > This section : > 2014-11-07T13:10:03Z INFO Updating existing

[Freeipa-users] multi-tenancy status

2015-02-24 Thread Rob Verduijn
Hello, I'm interested in setting up ipa with multiple tenancies. However I can only find this document about the subject: http://www.freeipa.org/page/V3/Multitenancy What is the status of the implementation of multiple tenancies. Cheers Rob Verduijn

Re: [Freeipa-users] multi-tenancy status

2015-02-24 Thread Rob Verduijn
/Security_Assertion_Markup_Language Cheers Rob 2015-02-24 19:48 GMT+01:00 Dmitri Pal : > On 02/24/2015 12:34 PM, Rob Verduijn wrote: > > Hello, > > I'm interested in setting up ipa with multiple tenancies. > > However I can only find this document about the subject: > h

Re: [Freeipa-users] multi-tenancy status

2015-02-24 Thread Rob Verduijn
Thanx, That all sounds very interesting, I've got some reading up to do. I'm going to point this out to some people :-) Rob 2015-02-24 20:55 GMT+01:00 Rob Crittenden : > Rob Verduijn wrote: > > Now that sounds like an interesting project :-) > > > > beside

[Freeipa-users] OTP and cached credentials

2015-03-12 Thread Rob Verduijn
' is being used ? Or with a radius proxy ? Rob Verduijn

Re: [Freeipa-users] OTP and cached credentials

2015-03-14 Thread Rob Verduijn
For which sssd release is this feature targeted ? Rob Verduijn 2015-03-12 23:26 GMT+01:00 Dmitri Pal : > On 03/12/2015 04:59 PM, Jakub Hrozek wrote: > >> On 12 Mar 2015, at 21:32, Rob Verduijn wrote: >>> >>> Hello, >>> >>> I was looking into o

[Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

2015-10-30 Thread Rob Verduijn
already. Now that ipsilon has reached 1.0.0, is there a change regarding the possibility for multitenancy ? http://www.freeipa.org/page/V3/Multitenancy Cheers Rob Verduijn

Re: [Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

2015-10-30 Thread Rob Verduijn
2015-10-30 20:14 GMT+01:00 Rob Crittenden : > Rob Verduijn wrote: >> Hello all, >> >> It has been a while since I asked this before. >> >> Multitenancy was put in the freezer back then in favor of this nice project : >> https://fedorahosted.org/ipsilon/wiki/

[Freeipa-users] service account for ovirt

2015-11-18 Thread Rob Verduijn
with this ? Cheers Rob Verduijn

Re: [Freeipa-users] service account for ovirt

2015-11-18 Thread Rob Verduijn
2015-11-18 15:51 GMT+01:00 Martin Kosek : > On 11/18/2015 08:23 AM, Rob Verduijn wrote: >> Hello all, >> >> I've read a lot regarding service accounts on this mailinglist in the past. >> But it's rather unclear to me what is the current preferred method to >

Re: [Freeipa-users] service account for ovirt

2015-11-20 Thread Rob Verduijn
rtal in the users menu # after the users have been added you can assign permissions for them on the vm's # Cheers Rob Verduijn 2015-11-18 20:34 GMT+01:00 Martin Kosek : > On 11/18/2015 04:27 PM, Rob Verduijn wrote: >> >> 2015-11-18 15:51 GMT+01:00 Martin Kosek : >>>

[Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
mentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html How do I define a new default shell for all ms-AD accounts in ipa ? Cheers Rob Verduijn

Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
? Cheers Rob Verduijn 2016-01-24 15:40 GMT+01:00 Alexander Bokovoy : > On Sun, 24 Jan 2016, Rob Verduijn wrote: >> >> Hello, >> >> I'm trying to get an ipa server to trust a microsoft AD-domain. >> >> So far I've managed to get the trust to work an

Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
f. This is required I guess on all ipa-clients that AD-accounts get access to. And now all users seem to get the /bin/bash that can be set in the AD-user attribute loginShell ( glad to see they keep their camel case in sync everywhere in the AD ) Thanks for thinking along on this one. Rob Verduij

Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Rob Verduijn
. dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com. This gives a response I also validated the trust on the AD side, I'm not sure this is needed. After doing this I can issue the command : 'id AD.DOMAIN\\ADUSER' and I get a response telling me the uid/gid/ad-id/ad-grou

[Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Hi all, When you have an ipa 4.2 server with an one way trust to the ad. What steps are needed to install a second ipa master that also has a one way trust to the ad ? Rob Verduijn

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Since the first option has less impact, that one sounds the most interesting. However, does this also remain functional when the first ipa server is taken offline ? Rob Verduijn 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy : > On Mon, 25 Jan 2016, Rob Verduijn wrote: >> >> Hi all,

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Cool Thanx Rob Verduijn 2016-01-25 12:59 GMT+01:00 Alexander Bokovoy : > On Mon, 25 Jan 2016, Rob Verduijn wrote: >> >> Since the first option has less impact, that one sounds the most >> interesting. >> However, does this also remain functional when the first ipa

[Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Rob Verduijn
ot do ad-authentication ? Rob Verduijn

Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Rob Verduijn
Verduijn 2016-01-28 13:26 GMT+01:00 Rob Verduijn : > Hello, > > I've set up an ipa-server with an one way trust to a windows 2012r2 > controller. > All works on this server. > I can login with ad accounts on this server. > > I added an ipa replica, and checked it all worked

[Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
Hello, I've noticed that the sudorule-add-runasuser no longer has an --external option What is the current method to add a local service account to a sudo rule list so that users may run sudo as that service account (ie apache or jboss) Cheers Rob Verduijn

Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
On Centos7.2 all patches applied I used the command: ipa-client-install --enable-dns-updates Rob 2016-02-04 16:45 GMT+01:00 Jakub Hrozek : > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote: >> Hello, >> >> I've noticed that the sudorule-add-runasuser n

Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
On Centos7.2 all patches applied I used the command: ipa-client-install --enable-dns-updates That configures the client for sudo as well if I'm not mistaken. Rob Verduijn 2016-02-04 16:45 GMT+01:00 Jakub Hrozek : > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:

Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
That does seem to work for me as well, however I can only add the external user via the web-gui Any idea how to do this with the command line tools ? Rob Verduijn 2016-02-04 17:00 GMT+01:00 Baird, Josh : > Actually, I use local (external) users in my sudo rules in IPA 4.2 with no > p

Re: [Freeipa-users] what is the sudo rule runasuser local user account

2016-02-04 Thread Rob Verduijn
hi all, I tried and figured it out.. ipa sudorule-add-runasuser --users= Is the command syntax I was looking for. I guess that if the --users isn't an ipa user it is automatically flagged as an external user. Cheers Rob Verduijn 2016-02-04 17:33 GMT+01:00 Jakub Hrozek : > On Thu

Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Rob Verduijn
Howdy, out of curiosity any targeted release for UPN ? Cheers Rob 2016-03-10 15:15 GMT+01:00 Petr Spacek : > On 10.3.2016 13:34, Giulio Casella wrote: >> I've seen that howto, but it's not my case. I cannot establish a trust >> between >> IPA and AD, because AD domain involves additional

[Freeipa-users] ipa client deletes dns record from ipa domain

2016-05-02 Thread Rob Verduijn
configs and logs, but I can't seem to find any errors or inconsistencies with the flawed system or the ones that do work. Any ideas what could cause this ? I now have set it to false on the system that keeps deleting its record, but I keep wondering what is causing this. Regards Rob Verduijn

Re: [Freeipa-users] ipa client deletes dns record from ipa domain

2016-05-02 Thread Rob Verduijn
debug logging from sssd is rather overwhelming, What am I looking for in the logs ? Rob 2016-05-02 11:54 GMT+02:00 Jakub Hrozek : > On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote: >> Hello, >> >> I'm a bit at loss here. >> For some reason when

Re: [Freeipa-users] ipa client deletes dns record from ipa domain

2016-05-02 Thread Rob Verduijn
found it, I needed to set dyndns_iface to the proper device It was set to the original device which was bridged, so no ip address was assigned to it. After setting it to bridge0 the update went ok Rob Verduijn 2016-05-02 13:06 GMT+02:00 Rob Verduijn : > debug logging from sssd is rat

[Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
wait for a couple hours, and also I do not like to clean up the sssd cache folder each time a new user appears. Is there a way to tell ipa and all clients to refresh their cache ? Regards Rob Verduijn

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
This goes especially for ad groups that are nested in ipa_groups ie : microsoft group is defined as an external group, and that external group is member of an ipa group and that ipa group takes forever. Regards Rob Verduijn 2016-05-04 16:10 GMT+02:00 Rob Verduijn : > Hello, > > I&

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
including ad_linux_administrators (ipa group) and 'linux administrat...@ad-domain.com' getent group ad_linux_administrators only shows the group ad, no members, these pop up after a very long time getent group 'linux administrat...@ad-domain.com' immediately show all members wei

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
86_64 sssd-ad-1.13.0-40.el7_2.2.x86_64 Cheers Rob Verduijn 2016-05-04 18:06 GMT+02:00 Jakub Hrozek : > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote: >> to make sure I did the following on the ipa host >> >> systemctl stop sssd.service >> rm -f /var

Re: [Freeipa-users] CentOS 6 -> 7 migration

2017-02-26 Thread Rob Verduijn
client Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your current system to a vm (side effect : instant full backup) When you got the vm up and running you can reinstall your main system with the new os and ipa. Then replicate the old ipa to the new one. Rob Verduijn 2017-02

Re: [Freeipa-users] CentOS 6 -> 7 migration

2017-02-26 Thread Rob Verduijn
Rob Verduijn 2017-02-26 14:40 GMT+01:00 Ian Pilcher : > On 02/26/2017 05:08 AM, Rob Verduijn wrote: > >> You should consider setting up a temporary vm to migrate from. >> On one of your client systems, I assume you got at least 1 ipa client >> >> Try looking at http: