Hi,
As far as I understand it Kerberos service tickets are granted for a user
to access a particular principal (host/service@REALM) and cannot be reused.
Kerberos uses symmetric key cryptography so, if someone were able to access
the memory of the machine, then they may indeed be able to snoop
On 30.3.2015 09:28, Andrew Holway wrote:
Hi,
As far as I understand it Kerberos service tickets are granted for a user
to access a particular principal (host/service@REALM) and cannot be reused.
Kerberos uses symmetric key cryptography so, if someone were able to access
the memory of the
On 30/03/15 04:27, Gokulnath wrote:
Thanks for getting back.
1. As security Kerberos can ticket and in memory can be taken and that session
key can be used to gain access everywhere. Primarily this is because the plan is to
use the solution in cloud.
2. Can I disable DNS as well? And have IPA
On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
Hi List,
We have been trying to install IPA-Client using source code.
Why?
While installing we
are seeing many errors out of which most are resolved but stuck at below
while doing make.
Is there any suggestion to get out of it. I
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
Hi Jakub:
FreeIPA package is not available in Amazon Linux running on EC2 Instance.
We tried to install individual packages but it is breaking at many places.
It is not 1.x. We had a directory with this name and I extracted
Hello,
On Sunday, 29 March 2015, 22:25:07, Rob Crittenden wrote:
Dmitri Pal wrote:
On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote:
Hello,
My automount is not working correctly?
I have a CentOS 7 with CR update, this is IPA 4.1 and sssd 1.12
I have this Error in the logs
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
Hello everyone.
We have a IPA 3 and AD domain trust.
Users from AD successfully log on to linux servers via ssh and hbac rules
work fine with external groups. But not sudo rules.
When rule defines as 'who' IPA users
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote:
Hi List,
We have been trying to install IPA-Client using source code. While installing
we are seeing many errors out of which most are resolved but stuck at below
while doing make.
Is there any suggestion to get out of it.
Sure.
Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
http://www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks
On Mon, Mar 30, 2015 at 3:05
On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
Hey Guys
Not sure if I am missing any bit but this was the thing in the end:
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have
Hi List,
We have been trying to install IPA-Client using source code. While installing we
are seeing many errors out of which most are resolved but stuck at below
while doing make.
Is there any suggestion to get out of it. I will update if I found anything.
gcc -DHAVE_CONFIG_H -I. -I. -I.
Hi Jakub:
FreeIPA package is not available in Amazon Linux running on EC2 Instance.
We tried to install individual packages but it is breaking at many places.
It is not 1.x. We had a directory with this name and I extracted the tar in
the same folder hence showing like this :).
We are using 3.0.2
On 03/29/2015 10:27 PM, Gokulnath wrote:
Thanks for getting back.
1. As security Kerberos can ticket and in memory can be taken and that session
key can be used to gain access everywhere. Primarily this is because the plan is to
use the solution in cloud.
You can use Kerberos in the cloud. It
On 03/29/2015 10:56 PM, Matt . wrote:
Hi,
I just got home and am typing from my cell so I'm quite short in words
Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error
now I don't kinit
Thanks for the update.
The reason for weighing in on the Kerberos option is to have that as an option to
disable if needed, security is more important. I had to say this because there
was a question on why I would disable it.
I agree that the otp should definitely provide some additional layer of
On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
Hi,
I just got home and am typing from my cell so I'm quite short in words
Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket
SSO works intermittently. I’m having trouble tracing the issue. Here is what I
see from /var/log/secure. Where should I look for more detail to figure out why
the SSO login is failing?
Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for
root from 10.34.149.105 port
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
SSO works intermittently. I’m having trouble tracing the issue. Here is what
I see from /var/log/secure. Where should I look for more detail to figure out
why the SSO login is failing?
assuming you have a valid Kerberos ticket
I configured the .k5login per the RH docs.
$ cat .k5login
adm-faru03@TEST.OSUWMC
TEST.OSUWMC\adm-faru03
$
I upped the debugging to DEBUG3 but I can't make sense of the error. Can
you help? I'm getting better but I can't get this one yet.
Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection
On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:
Hey Guys
Not sure if I am missing any bit but this was the thing in the end:
http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
I managed to have it working and I have documented all those nasty bits
For LDAP-only clients, I see an issue with performance on the dirsrv
backends, and much of it has to do with 2 things:
1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working on
troubleshooting that and figuring out how to fix it.
Yes that's right, Fedora works great.
Gokul
Sent from iPhone
On Mar 30, 2015, at 4:35 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
Hi Jakub:
FreeIPA package is not available in Amazon Linux running on EC2 Instance.
We tried
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote:
SSO works intermittently. I’m having trouble tracing the issue. Here is what
I see from /var/log/secure. Where should I look for more detail to figure out
why the SSO login is failing?
What OS versions is this and how was the
On 03/30/2015 04:23 AM, Rob Crittenden wrote:
Dmitri Pal wrote:
On 03/29/2015 06:35 AM, Peter Fern wrote:
On 29/03/15 05:46, Rob Crittenden wrote:
Should be back up now.
rob
Appears to be dead again.
It is in fact down again.
The quota is exceeded in the OpenShift gear. I cleaned up
On Mon, Mar 30, 2015 at 10:09:00AM -0400, Gould, Joshua wrote:
I configured the .k5login per the RH docs.
$ cat .k5login
adm-faru03@TEST.OSUWMC
TEST.OSUWMC\adm-faru03
The second line is not needed. Please note that .k5login must only be
read-writable for the owner.
Can you check by calling
It's actually my IPA server which is also a client, so both are 7.1. My
memory is fuzzy as far as the client on the server. Isn't it setup already
as part of the server install?
On 3/30/15, 10:45 AM, Jan Pazdziora jpazdzi...@redhat.com wrote:
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould,
Hi Jakub
Yes, I can also include that.
The configuration I was showing was a simple one, mainly I focused on
the library set as it is usually the most problematic part in old
distributions, but I will also include your comment as indeed makes more
sense.
As I was suggesting in the post, sssd
Yes, you are right.
I was using the enumerate on my testing
I forgot to disable the enumerate when I was templating the configuration.
On 30/03/2015 07:21, Lukas Slebodnik wrote:
On (30/03/15 05:36), g.fer.or...@unicyber.co.uk wrote:
Hey Guys
Not sure if I am missing any bit but this was
Sorry I mis-read your question!
We’re trying SSO from the test domain controller via ssh (putty) to the
test IPA server.
Unix.test.osuwmc is the IPA realm.
Test.osuwmc is the AD realm.
IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2
They have a two way trust and we’re mapping
You need the development package; that should be popt-devel
If you are still using amazon you have to modify the sources to include
the devel
Otherwise if you feel very crafty you can get to a site such as:
http://rpm.pbone.net/ and look for the relevant development package
which got the
On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote:
We’re trying SSO from the test domain controller via ssh (putty) to the
test IPA server.
Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm.
IPA server is RHEL 7.1
Windows AD DC is Windows Server 2008 R2
They
On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote:
It's actually my IPA server which is also a client, so both are 7.1. My
memory is fuzzy as far as the client on the server. Isn't it setup already
as part of the server install?
So you are logging in from the server to the server?
Hi,
I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site
where only AD read-only domain controller (RODC) exists.
I'm aware that for initial establishing of trust I need access to writable
domain controller so IPA can add trust to AD domains and trusts.
But after initial
The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = UNIX.TEST.OSUWMC
dns_lookup_realm = true
# ls -l
Hello list!
I have recently started investigating FreeIPA and centralized logging/audit,
capturing, processing and visualization of the logs centrally in an ELK
instance or similar.
This is a pretty loaded topic, audit/centralized log processing is a big task
beyond IPA itself, which is also one
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote:
# auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
If you use the plugin then this RULE should not be needed.
Have you tried
Perform vlv indexing on those attributes and tune the directory for memory.
Gokul
Sent from iPhone
On Mar 30, 2015, at 11:02 AM, Rob Crittenden rcrit...@redhat.com wrote:
Dmitri Pal wrote:
On 03/30/2015 10:15 AM, Janelle wrote:
For LDAP-only clients, I see an issue with performance on the
Thanks Sir.
Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
http://www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks
On Mon, Mar 30, 2015 at
Hi,
I tried to trace some stuff but this doesn't give me much more info.
What I see at the moment in the /var/log/httpd/acces_log is exactly
what happens but without the info I need to get a better view:
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] POST /ipa/json HTTP/1.1 301 258
10.10.0.121 -
On 03/30/2015 10:15 AM, Janelle wrote:
For LDAP-only clients, I see an issue with performance on the dirsrv
backends, and much of it has to do with 2 things:
1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working on
troubleshooting
On 03/30/2015 11:17 AM, Gould, Joshua wrote:
The include is there:
# head /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm =
Dmitri Pal wrote:
On 03/30/2015 10:15 AM, Janelle wrote:
For LDAP-only clients, I see an issue with performance on the dirsrv
backends, and much of it has to do with 2 things:
1. Anonymous binds (1000's because of 7000+ hosts)
2. unindexed searches -- perhaps the biggest problem and working
On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
Hi,
I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch
site where only AD read-only domain controller (RODC) exists.
I'm aware that for initial establishing of trust I need access to
writable domain controller so IPA can add