Re: [Freeipa-users] Confused: LDAP authentication of AD users

2017-05-16 Thread Jason B. Nance
Hi Dan > With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I > am > trying to use FreeIPA LDAP for user authentication. > Is that supposed to work? In the way you have described it, no. AD users/groups will not be in the FreeIPA LDAP. So attempting to authenticate a

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-10 Thread Jason B. Nance
yinit.so force revoke > session required pam_limits.so > session required pam_env.so readenv=1 > session required pam_env.so readenv=1 user_readenv=1 > envfile=/etc/default/locale > @include common-session > @include common-password > > Thanks already!

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-09 Thread Jason B. Nance
> I set up my freeIPA instance and it works very well for my client > computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a > freeIPA managed user account. > But I cannot login to the GNOME 3 Desktop on the client. I used the > netinstall ISO image of Ubuntu. During installation, I

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-09 Thread Jason B. Nance
> But I cannot login to the GNOME 3 Desktop on the client. I used the > netinstall ISO image of Ubuntu. During installation, I have chosen > "Ubuntu GNOME Desktop" as the only desktop. > > So my display manager is gdm3. It sounds as if GDM has its own PAM module that isn't configured to use SSSD.

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Jason B. Nance
Hi Tiemen, > To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), > from > an AD host (leon.clients.rdmedia.com) > to a FreeIPA host (neodymium.test.ams.i.rdmedia.com) with the

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-02 Thread Jason B. Nance
_domain_suffix" in sssd.conf the user name is "adu...@addomain.tld". If you have configured "default_domain_suffix" make sure that your user names in AD don't conflict with the user names in IPA. Regards, j > On 2 May 2017 at 17:40, Jason B. Nance < [ mai

Re: [Freeipa-users] Creating another sudo rules full

2017-04-28 Thread Jason B. Nance
Hi Dewangga, > [root@idm ~]# ipa sudorule-show sudo_rules_rekanalar > Rule name: sudo_rules_rekanalar > Enabled: TRUE > Command category: all > RunAs User category: all > RunAs Group category: all > User Groups: rekanalar > Host Groups: rekanalarservers > Sudo Option: !authenticate > >

Re: [Freeipa-users] creating an LDAP bind user

2017-04-26 Thread Jason B. Nance
Hi Chris, > # remoteu, sysaccounts, etc, example.com > dn: uid=remoteu,cn=sysaccounts,cn=etc,dc=example,dc=com > objectClass: account > objectClass: simplesecurityobject > objectClass: top > uid: remoteu > userPassword:: [hash value] > > This new user is unable to run LDAP searches though: >

Re: [Freeipa-users] What's the proper format for an automember serverhostname rule?

2017-04-19 Thread Jason B. Nance
Hi Greg, > I'm trying to set up a rule based on server hostname. So for example, 10.100.* > would be put into the 'developers' hostgroup. I can't figure out the proper > format of the inclusive regex. I've tried: I believe that your regex needs to match the host name, not the IP address.

Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
Hi Ronald, > Some details regarding my setup: I have a CentOS 7.3 machine acting as > an NFS server. It is a host within my IPA domain and enrolled as an IPA > client. > > [root@ipanfs ~]# cat /etc/exports > > /homeshare*(rw,sec=krb5:krb5i:krb5p) This isn't related to your issue but you

Re: [Freeipa-users] Problem automounting home shares

2017-04-12 Thread Jason B. Nance
>> You cannot use indirect mounting and enablemkhomedir at the same time. >> Indirect >> mounts require that the directory you are attempting to mount already exists >> on >> the NFS server and that you let autofs fully manage the "parent" directory on >> the client machine. In this case, no

[Freeipa-users] Trying To Debug AD Trust Quirks

2017-03-28 Thread Jason B. Nance
Hello, I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with strange behavior. Some examples include: - Trust user's home directory sporadically getting set to '/' instead of /home/domain/user - Trust user losing HBAC privileges (granted via group membership) - Trust user

Re: [Freeipa-users] Authenticating windows users

2017-03-23 Thread Jason B. Nance
hout involving Active Directory server." > On Thu, Mar 23, 2017 at 11:46 AM, Jason B. Nance <ja...@tresgeek.net> wrote: >>> We are primarily linux/osx shop and we currently have FreeIPA/IDM (ver 4.2) >>> as >>>

Re: [Freeipa-users] Authenticating windows users

2017-03-23 Thread Jason B. Nance
> We are primarily a linux/osx shop and we currently have FreeIPA/IDM (ver 4.2) as > our master. I will need to add a handful of windows machines and have been trying > to > figure out how to authenticate our windows users with FreeIPA/IDM. Is this > even > possible? I know Global Catalogs may not

[Freeipa-users] [solved] Re: GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users >connecting to >Linux servers from their domain-joined workstations are not required to >enter a >password for the first connection. However, if they attempt to ssh to a >second >Linux machine from

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users >> connecting to Linux servers from their domain-joined workstations are >> not required to enter a password for the first connection. However, >> if they attempt to ssh to a second Linux machine from the first they >> are being

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting >>to >>Linux servers from their domain-joined workstations are not required to enter >>a >>password for the first connection. However, if they attempt to ssh to a >>second >>Linux machine from the first they are

[Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
Hello, I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the first they are being

[Freeipa-users] AD Sites and Trusts

2017-02-27 Thread Jason B. Nance
Hello, I was wondering if this thread regarding AD trusts and sites is still correct: https://www.redhat.com/archives/freeipa-users/2015-December/msg00214.html (no way to make use of AD sites) If so, is there already an RFE for this that I can vote for and track? Thanks, j

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> I realized I had made one more change. I set up the FreeIPA server again and > this > time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install > command. Is it safe to re-run ipa-adtrust-install? I have existing trusts in place. Thanks, j

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> For example, for user that would be (&(objectClass=posixAccount)(uid=%s)) > where %s is ad_u...@server.com according to your example. > > This is what would be intercepted and queried through SSSD. > > For example: > > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool >

Re: [Freeipa-users] sudo NOPASSWD for a single command

2017-02-22 Thread Jason B. Nance
> We have a script stored on a particular server in our realm that executes a > number of non-privileged commands and are wanting to add the /sbin/vgs command. > The > script uses SSH to then execute the same set of commands on all the servers in > the realm. > The owner of the script is in the

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Jason B. Nance
> There is none. Compat tree is built with RFC2307 queries in mind. > RFC2307 clients issue a request with a specific user or group name and > that triggers lookup of AD user/group through SSSD and insertion into > the compat tree. A part of the trigger is how the LDAP filter is built (see > RFC for

[Freeipa-users] DM Password Reset in 4.4.0

2017-02-15 Thread Jason B. Nance
Hello All, I have managed to lose the Directory Manager password for my FreeIPA 4.4.0 instance. I've found the following documentation: http://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html And:

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>>> - User/group management in general becomes largely a command-line operation >> > (such as mapping groups so they can be used in HBAC and sudo rules) >> While this is a nice-to-have, it isn't a deal breaker. > This definitely exists in WebUI? Unless you mean something I don't understand. >

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>> - Users can't login to a Linux box using just "username" (user@ad.domain >> is >> used) > > In the current version you can use the 'default_domain_suffix' option in > sssd.conf on the clients. In RHEL-7.4 we are looking into making this > limitation go away. Thank you very much,

[Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
Hello everyone, I'm about to deploy a fresh IPA domain that needs to integrate with Active Directory. In my lab environment I've set up a trust with AD and the following items are driving me away from using the trust: - Users can't login to a Linux box using just "username" (user@ad.domain

Re: [Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-18 Thread Jason B. Nance
>> I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set >> to an >> Active Directory domain controller. When a client attempts to look up any DNS >> record other than those for which FreeIPA is authoritative the client reports >> NXDOMAIN and the FreeIPA server has the

Re: [Freeipa-users] Weird single user problem

2017-01-12 Thread Jason B. Nance
Hi Matthew, > Where should I start looking? I would start by tailing the logs on the destination host while the user attempts to log in with the account that isn't working. On an EL 7 host you can use 'journalctl -f', on EL 6 and older you can use 'tail -F /var/log/messages /var/log/secure'.

[Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-04 Thread Jason B. Nance
Hello everyone, I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to an Active Directory domain controller. When a client attempts to look up any DNS record other than those for which FreeIPA is authoritative the client reports NXDOMAIN and the FreeIPA server has the