Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin
If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks.
So the clients have different host names depending on where they are located geographically.
For example
machines in CA have a FQDN of client1.ca.example.com
machines in NY have a FQDN of client8.ny.example.com
They both still belong to the same REALM of EXAMPLE.COM.
In their idmapd.conf file the
# Domain = hostname.local
is commented out, and by default it uses the hostnames domain as the value.
So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
-Kevin
On Oct 7, 2019, at 11:40 AM, Simo Sorce simo@redhat.com wrote:
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
Hi Kevin, comments inline.
On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote:
Thanks.
So the clients have different host names depending on where they are located geographically.
For example
machines in CA have a FQDN of client1.ca.example.com
machines in NY have a FQDN of client8.ny.example.com
They both still belong to the same REALM of EXAMPLE.COM.
Good, REALM an domain should be the same in your case IMO.
Subdomains are just an organizational tool for you, the actual authentication/identity domain is the same as the REALM.
In their idmapd.conf file the
# Domain = hostname.local
is commented out, and by default it uses the hostnames domain as the value.
So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
Don't think so
Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
Yes, this is what you should do, IMO.
Simo.
-Kevin
On Oct 7, 2019, at 11:40 AM, Simo Sorce simo@redhat.com wrote:
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
Ok thanks! I just tried it and that seems to do it! Just using the “example.com” domain in the idmapd.conf file that is.
I’ll just need to modifying all of my clients idmapd config, which isn’t that big of deal.
Thanks for the help.
-Kevin
On Oct 7, 2019, at 12:13 PM, Simo Sorce simo@redhat.com wrote:
Hi Kevin, comments inline.
On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote: Thanks.
So the clients have different host names depending on where they are located geographically.
For example
machines in CA have a FQDN of client1.ca.example.com
machines in NY have a FQDN of client8.ny.example.com
They both still belong to the same REALM of EXAMPLE.COM.
Good, REALM an domain should be the same in your case IMO.
Subdomains are just an organizational tool for you, the actual authentication/identity domain is the same as the REALM.
In their idmapd.conf file the
# Domain = hostname.local
is commented out, and by default it uses the hostnames domain as the value.
So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
Don't think so
Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
Yes, this is what you should do, IMO.
Simo.
-Kevin
On Oct 7, 2019, at 11:40 AM, Simo Sorce simo@redhat.com wrote:
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Ok thanks! I just tried it and that seems to do it! Just using the “example.com” domain in the idmapd.conf file that is.
I’ll just need to modifying all of my clients idmapd config, which isn’t that big of deal.
If you like, newer versions of ipa-client-automount have a new knob to specify just that: https://pagure.io/freeipa/issue/7918
Apologies for not seeing this thread earlier.
François
Thanks for the help.
-Kevin
On Oct 7, 2019, at 12:13 PM, Simo Sorce simo@redhat.com wrote:
Hi Kevin, comments inline.
On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote: Thanks.
So the clients have different host names depending on where they are located geographically.
For example
machines in CA have a FQDN of client1.ca.example.com
machines in NY have a FQDN of client8.ny.example.com
They both still belong to the same REALM of EXAMPLE.COM.
Good, REALM an domain should be the same in your case IMO.
Subdomains are just an organizational tool for you, the actual authentication/identity domain is the same as the REALM.
In their idmapd.conf file the
# Domain = hostname.local
is commented out, and by default it uses the hostnames domain as the value.
So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
Don't think so
Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
Yes, this is what you should do, IMO.
Simo.
-Kevin
On Oct 7, 2019, at 11:40 AM, Simo Sorce simo@redhat.com wrote:
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: Hello,
I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294
On the clients I’m seeing this issue on I see these error messages in the log.
Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’
I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.
Is there a clean way to handle this?
-Kevin _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks for the heads up. I was just changing the config manually. I’ve kind of stayed away from automount because i’ve had a lot of trouble wit it on Ubuntu boxes. Didn’t actually realize it modifies the idmapd config.
No problem! I posted on Friday so I figured it might be a few days before someone even saw this. Thanks for answering.
-Kevin
On Oct 7, 2019, at 2:19 PM, François Cami fcami@redhat.com wrote:
On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Ok thanks! I just tried it and that seems to do it! Just using the “example.com” domain in the idmapd.conf file that is.
I’ll just need to modifying all of my clients idmapd config, which isn’t that big of deal.
If you like, newer versions of ipa-client-automount have a new knob to specify just that: https://pagure.io/freeipa/issue/7918
Apologies for not seeing this thread earlier.
François
Thanks for the help.
-Kevin
On Oct 7, 2019, at 12:13 PM, Simo Sorce simo@redhat.com wrote:
Hi Kevin, comments inline.
On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote: Thanks.
So the clients have different host names depending on where they are located geographically.
For example
machines in CA have a FQDN of client1.ca.example.com
machines in NY have a FQDN of client8.ny.example.com
They both still belong to the same REALM of EXAMPLE.COM.
Good, REALM an domain should be the same in your case IMO.
Subdomains are just an organizational tool for you, the actual authentication/identity domain is the same as the REALM.
In their idmapd.conf file the
# Domain = hostname.local
is commented out, and by default it uses the hostnames domain as the value.
So client1 Domain value by default would be set to ca.example.com and client8 would be set to ny.example.com.
Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf file?
Don't think so
Based off what you are saying I should just be able to get away with listing “Domain = example.com” which is the REALM?
Yes, this is what you should do, IMO.
Simo.
-Kevin
On Oct 7, 2019, at 11:40 AM, Simo Sorce simo@redhat.com wrote:
Note I assume that by "domains" you mean just DNS domains not separate FreeIPA installs, if they are separate installs then it would be a lot more complicated.
Another way that you can handle auth sys is to configure the domain on the server (as any of the domain strings you want) and then use the same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: If you use krb5 authentication you should have no issues, are you using auth=sys instead ?
> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote: > Hello, > > I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography. > > For example, ca.example.com, and ny.example.com. > > I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com. Users in ny.example.com show files owner:group just fine but users in ca.example.com everything on the nfs server shows nobody:nogroup or nobody: 4294967294 > > On the clients I’m seeing this issue on I see these error messages in the log. > > Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name ‘user@ny.example.com' does not map into domain 'ca.example.com’ > > I did some googling and people are saying to add the domain to /etc/idmapd.conf but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains. > > Is there a clean way to handle this? > > -Kevin > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org