[Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-12 Thread Harald Dunkel
Hi folks, RHEL 7.3, sssd 1.14.0: If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail (without telling why) and users cannot login. *Extremely* painful. Do you think ipa-client-install could add selinux_provider = none to the generated sssd.conf file, if selinux is

[Freeipa-users] Timing behavior on access to AD groups

2017-05-12 Thread Dan Dietterich
I have noticed this behavior when setting up an external AD group: 1. create trust 2. create external group 3. add Group@Domain to external group - FAILS: "trusted domain object not found" 4. retry: add Group@Domain to external group - SUCCESS Two questions: 1.

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Rob Crittenden
Robert L. Harris wrote: > > Hmmm > > {0}:/var/log>ls > anaconda btmp dmesg grubby maillog pppsecure > tallylog wtmp > audit cron dmesg.old grubby_prune_debug messages rhsm spooler > tuned yum.log > boot.log cups firewalld lastlog

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Robert L. Harris
Hmmm {0}:/var/log>ls anaconda btmp dmesg grubby maillog pppsecure tallylog wtmp audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log boot.log cups firewalld lastlog ntpstats samba sssd

Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Alexander Bokovoy
On Fri, 12 May 2017, Tym Rehm wrote: So I'm testing a new freeipa 4.x setup that has a one-way trust to Active Directory. I have been able to define user groups to access the AD groups and configure the groups to work with HBAC rules. So my AD users are able to ssh into the client machines if

Re: [Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Florence Blanc-Renaud
On 05/12/2017 04:09 PM, Tym Rehm wrote: So I'm testing a new freeipa 4.x setup that has a one-way trust to Active Directory. I have been able to define user groups to access the AD groups and configure the groups to work with HBAC rules. So my AD users are able to ssh into the client machines if

Re: [Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
I apologize, nsupdate is working as intended, I was attempting to update a client from the host ipa. I've a separate issue from clients when running testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab Thanks again! On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill wrote:

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Krb5kdc issues tickets on correct passwords, and errors out on incorrect ones. syslog didn’t reveal any clear hints except “failed password for ” from SSH. Is there any way for AIX native auth to be more verbose? From: Iulian Roman [mailto:iulian.ro...@gmail.com] Sent: Friday 12 May 2017 16:35

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 4:03 PM, wrote: > Yes, kinit works with IPA users. GSSAPI authentication is not keeping it > simple, since we want passwords to work before trying TGS based logins over > GSSAPI. > > The keytab works since lsuser is still able to get user data. >

[Freeipa-users] How do you allow Active Directory Users to login to the webgui

2017-05-12 Thread Tym Rehm
So I'm testing a new freeipa 4.x setup that has a one-way trust to Active Directory. I have been able to define user groups to access the AD groups and configure the groups to work with HBAC rules. So my AD users are able to ssh into the client machines if HBAC allows them to. The issue I'm

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI. The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 3:31 PM, wrote: > The shell is shown correctly as ksh in lsuser, so that doesn't appear to be > an issue for the ID view. > My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view. Sent from my Samsung device Original message From: Luiz Fernando Vianna da Silva Date: 12-05-17 15:03 (GMT+01:00) To: "Hummelink,

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Luiz Fernando Vianna da Silva
"Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash ." Wow, never thought of that, very elegant solution! Atenciosamente/Best Regards __ Luiz Fernando Vianna da

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuch...@gmail.com wrote: > It worked with pam_mkhomedir. So I don't see anything left to do at the > moment > ah, I thought ... > > On 12-May-17 12:52 PM, Sumit Bose wrote: > > On Fri, May 12, 2017 at 12:11:28PM +0200,

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Iulian Roman
On Fri, May 12, 2017 at 2:32 PM, wrote: > Hi All, > > > > We’re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound > module. > > All the moving parts seem to be working on their own, however logging in > doesn’t work with SSH on AIX reporting Failed

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread Luiz Fernando Vianna da Silva
Hello Wouter. It may seem silly, but try installing bash on one AIX server and test authenticating against that one. It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers. Let me know how it goes or if you have any issues. Best Regards

[Freeipa-users] Fwd: DNS update failing

2017-05-12 Thread Jason Sherrill
Mistakenly failed to post to freeipa-users. -- Forwarded message -- From: Jason Sherrill Date: Thu, May 11, 2017 at 9:16 AM Subject: Re: [Freeipa-users] DNS update failing To: Martin Bašti Thank you for the assistance, Martin. The

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
It worked with pam_mkhomedir. So I don't see anything left to do at the moment On 12-May-17 12:52 PM, Sumit Bose wrote: > On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote: >> The directory didn't exist > Then I guess that the process doesn't have the needed permissions

[Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-12 Thread wouter.hummelink
Hi All, We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user We're using ID views to overwrite the user shell and home dirs.

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuch...@gmail.com wrote: > The directory didn't exist Then I guess that the process doesn't have the needed permissions during the session phase anymore. Please try to replace pam_mkhomedir by pam_oddjob_mkhomedir. This will try to create the

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread tuxderlinuxfuch...@gmail.com
The directory didn't exist On 12-May-17 11:48 AM, Sumit Bose wrote: > On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuch...@gmail.com wrote: >> Thanks! >> >> I followed this manual: >> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir >> >> added the line >> >>

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-12 Thread Martin Bašti
That's weird, it should be super fast, anything in /var/log/httpd/error_log? On 11.05.2017 22:23, Robert L. Harris wrote: Odd, must have clicked reply instead of reply-all. Anyway, I did the revert and re-install. Actual install went through fine then the "ipa-server-install" ran until

Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote: > On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote: > > On Fri, 12 May 2017, Thomas Lau wrote: > > > Folks, > > > > > > let's say I am user thomas, and user "temp1" already marked as "disabled" > > > on FreeIPA, but

Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote: > On Fri, 12 May 2017, Thomas Lau wrote: > > Folks, > > > > let's say I am user thomas, and user "temp1" already marked as "disabled" > > on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come > > I could

Re: [Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Alexander Bokovoy
On Fri, 12 May 2017, Thomas Lau wrote: Folks, let's say I am user thomas, and user "temp1" is already marked as "disabled" on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list, how come I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even if the account is disabled.

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-12 Thread Sumit Bose
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote: > I have attached the syslog with gdm debug mode enabled > > > On 11-May-17 1:54 PM, Sumit Bose wrote: > > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com > > wrote: > >> Hello, > >> > >> I have

[Freeipa-users] k5login loophole even account is disabled on FreeIPA

2017-05-12 Thread Thomas Lau
Folks, let's say I am user thomas, and user "temp1" is already marked as "disabled" on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list, how come I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even if the account is disabled. Did I miss any setting or is it normal? --