Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-13 Thread Jan Pazdziora
On Mon, Jul 11, 2016 at 07:00:04PM -0700, Harry Kashouli wrote: > > I have a freeipa server set up, and would like to access the Web UI > remotely (from outside my home network). > > I set up a fresh Fedora 24 server install, and installed freeipa-server. > - I own a domain, domain.com > - The

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-13 Thread Bjarne Blichfeldt
Well, I just had the same problem, but in my case I also tried to install a ca: “ipa-replica-install --setup-ca …..” Without “--set-up” the installation succeeded. Regards, Bjarne From: Devin Acosta [mailto:linuxguru...@gmail.com] Sent: 12 July 2016 21:35 To: freeipa-users@redhat.com

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-13 Thread Prashant Bapat
Tough luck! If it's tricky for you (FreeIPA core developers) then it's pretty much impossible to solve it for mere mortals like me! On 11 July 2016 at 19:43, Rob Crittenden wrote: > Prashant Bapat wrote: > >> I cherrypicked the commit id

Re: [Freeipa-users] HBAC and AD users

2016-07-13 Thread Lachlan Musicman
Ok, I have some logs of sssd 1.13.0 not working. Same values as before: FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 Installed Packages Name: ipa-server Arch: x86_64 Version : 4.2.0 Release : 15.0.1.el7.centos.17 Size: 5.0 M Repo: installed From

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-13 Thread Harry Kashouli
Thanks for all the info. I think I sorted out the rewrite rules now, and the error I get is "Secure Connection Failed. SSL_ERROR_UNRECOGNIZED_NAME_ALERT". I'm going to try and google this, since I'm assuming I need a ServerAlias somewhere. If someone knows the correct way, please let me know :)

[Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-13 Thread Bob Hinton
Hi, We are trying to create a new replica on RHEL 7.2. This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Jakub, Justin, Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I’ve been dealing with a production issue for most of the morning. An invocation of ‘id

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Hi, Lachlan, Yes, I see that from here (https://www.redhat.com/archives/freeipa-users/2016-May/msg00322.html). Unfortunately clearing the cache and restarting SSSD is not proving to help us. I’d be interested to know any progress you make on this issue. Thank you for responding to me.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Sumit, Thank you for getting back to me. I really appreciate you taking the time to help me assess this problem (I am not authorized to view this bug). In order to test I upgraded to ipa-server 4.2.0-15.el7_2.17 and flushed the cache on both the client and the server; the problem still

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-13 Thread Christophe TREFOIS
Hi Rob, On that note, how do you handle password changes / first time logins for users that are external to the organization? We need to create accounts for external partners, and expose the UI to the outside so that people can login and change their passwords / add their SSH keys. However,

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-13 Thread Rob Crittenden
Harry Kashouli wrote: I tried uncommenting everything in the ipa-rewrite.conf file, but it still changed the web address. I'll try clearing the cache, in case that was still remembering the links. I may be attacking my original thought badly, if this is going to be bad for security. I'm wanting

Re: [Freeipa-users] (DRAFT) HA mail services with FreeIPA, postfix, dovecot, amavisd-new, clamd and PLAIN/GSSAPI SSO

2016-07-13 Thread Rob Crittenden
Günther J. Niederwimmer wrote: Hello, some days ago I found this doc, now I would like to set up a secure mail server but the article is now missing? Can this come back? Thanks, This is on the freeipa.org wiki which would have been nice to mention. It isn't exactly missing but the contents are

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Danila Ladner
Update to this one: It has been running smoothly on 6.5 [root@dev-zlei.sec1 ~]# cat /etc/redhat-release CentOS release 6.5 (Final) [root@dev-zlei.sec1 ~]# rpm -qa | grep sssd sssd-client-1.12.4-47.el6.x86_64 sssd-ldap-1.12.4-47.el6.x86_64 sssd-ad-1.12.4-47.el6.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks, I will try. But I am afraid to update to a more recent version than those in official repos. Thanks anyway. T. 2016-07-13 15:39 GMT+02:00 : > Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa > provider did not work under 1.11 > > Sent from my

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Update to at least 1.12 sssd and libsss_sudo. As I recall sudo ipa provider did not work under 1.11 Sent from my iPhone > On Jul 13, 2016, at 9:02 AM, Tomas Simecek wrote: > > Hi, > versions are: > sssd-client-1.11.6-30.el6.x86_64 > sssd-ipa-1.11.6-30.el6.x86_64 >

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Hi, versions are: sssd-client-1.11.6-30.el6.x86_64 sssd-ipa-1.11.6-30.el6.x86_64 ipa-client-3.0.0-50.el6.centos.1.x86_64 as part of: CentOS release 6.6 (Final) T. 2016-07-13 14:52 GMT+02:00 : > Again what is client version on 6.5? > > > Sent from my iPhone > > On Jul

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread ladner . danila
Again what is client version on 6.5? Sent from my iPhone > On Jul 13, 2016, at 8:25 AM, Tomas Simecek wrote: > > Thanks for your information Lukas, > I have changed sudo_provider to ipa, restarted sssd and no difference. > Logfile still says "Access granted by HBAC

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks for your information Lukas, I have changed sudo_provider to ipa, restarted sssd and no difference. Logfile still says "Access granted by HBAC rule..." and sudo says simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test. Btw. man sssd-sudo says: The following example shows how

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 13:36), Tomas Simecek wrote: >Lukas, >yes, I went through that guide and I configured sssd.conf as per the doc >(you can see it in the beginning of the thread). > >Actually the installation is: >[root@zp-cml-test sssd]# cat /etc/redhat-release >CentOS release 6.6 (Final) > >and

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Lukas, yes, I went through that guide and I configured sssd.conf as per the doc (you can see it in the beginning of the thread). Actually the installation is: [root@zp-cml-test sssd]# cat /etc/redhat-release CentOS release 6.6 (Final) and versions are: [root@zp-cml-test sssd]# rpm -qa |grep sssd

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Lukas Slebodnik
On (13/07/16 11:18), Tomas Simecek wrote: >Dear freeIPA gurus, >in previous thread ( >https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you >helped me make sudo working for AD users on Centos 7.0 ( >spcss-2t-www.linuxdomain.cz). >It was caused by not knowing sudo needs to be

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks Jakub, in domain log below I can see that rules were found properly: (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [Unixari na test servery] (Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Jakub Hrozek
On Wed, Jul 13, 2016 at 11:18:21AM +0200, Tomas Simecek wrote: > Dear freeIPA gurus, > in previous thread ( > https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you > helped me make sudo working for AD users on Centos 7.0 ( > spcss-2t-www.linuxdomain.cz). > It was caused by not

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-13 Thread Sumit Bose
On Tue, Jul 12, 2016 at 06:40:22PM +, pgb205 wrote: > +freeipa-users list > > From: pgb205 > To: Sumit Bose > Sent: Tuesday, July 12, 2016 2:12 PM > Subject: Re: [Freeipa-users] Unable to ssh after establishing trust > > Sumit, thanks for

[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Dear freeIPA gurus, in previous thread ( https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you helped me make sudo working for AD users on Centos 7.0 ( spcss-2t-www.linuxdomain.cz). It was caused by not knowing sudo needs to be enabled in HBAC rules. Now it works properly on

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sumit Bose
On Wed, Jul 13, 2016 at 08:37:44AM +0200, Jakub Hrozek wrote: > On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote: > > On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: > > > Justin, > > > > > > I really appreciate you taking the time to respond to me. This problem > > > is

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Jakub Hrozek
On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote: > On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: > > Justin, > > > > I really appreciate you taking the time to respond to me. This problem > > is driving me crazy and I will certainly take any help I can get. My > >