[Freeipa-users] how to revert ipa-adtrust-install...

lejeczek peljasz at yahoo.co.uk
Wed Nov 2 21:45:13 UTC 2016 


On 19/09/16 08:49, Martin Babinsky wrote:
> On 09/17/2016 12:43 PM, lejeczek wrote:
>>
>>
>> On 15/09/16 22:37, Rob Crittenden wrote:
>>> What do you mean control? If you don't want ipactl to 
>>> manage the smb
>>> service, look for an entry in
>>> cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it 
>>> if you find it.
>>>
>>> rob
>> all I find there is:
>>
>> objectClass: nsContainer
>> objectClass: top
>> cn: masters
>>
>

does the same pertain winbind? Does IPA need/use winbind if 
Samba under IPA is not the case?

> You must perform subtree search and search for the entry 
> named 'cn=ADTRUST', like so:
>
> """
> ldapsearch -Y GSSAPI -b 
> 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test' '(cn=ADTRUST)'
> SASL/GSSAPI authentication started
> SASL username: admin at IPA.TEST
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test> with 
> scope subtree
> # filter: (cn=ADTRUST)
> # requesting: ALL
> #
>
> # ADTRUST, master1.ipa.test, masters, ipa, etc, ipa.test
> dn: 
> cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test 
>
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: startOrder 60
> ipaConfigString: enabledService
> cn: ADTRUST
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> """
>
> Then remove the "ipaConfigString: enabledService" 
> attribute from the entry to tell "ipactl" that it should 
> not control this service anymore:
>
> [root at master1 ~]# ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: admin at IPA.TEST
> SASL SSF: 56
> SASL data security layer installed.
> dn: 
> cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test 
>
> changetype: modify
> delete: ipaConfigString
> ipaConfigString: enabledService
>
> modifying entry 
> "cn=ADTRUST,cn=master1.ipa.test,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test" 
>
>
> If you then do "ipactl restart" and "ipactl status", it 
> should not display smb.service anymore and you are free to 
> use them as you wish.
>

More information about the Freeipa-users mailing list