Well, I don't know how or what command to use to display the logs; could you
teach me how? But yes, the network.negotiate-auth.trusted-uris has the same
domain name, which is example.com. This is on the server side only.

While on the client side, even though the network.negotiate-auth.trusted-uris
is configured correctly, the web UI can't be accessed, so it's a really weird
scenario. But the registration of the ipa client to the server says its


On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mko...@redhat.com> wrote:

On 11/11/2014 06:37 AM, Rolf Nufable wrote:
> Or could you guys direct me or guide me on how to deploy this ipa server?
> I've been successful deploying ipa version 3.3.5 before, but this 4.0 and
> above series is really giving me a headache.

Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy, on the contrary, it should be much cooler than 3.3.

> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable 
> <rolf_16_nufa...@yahoo.com> wrote:
> Well, I'll try them now. My sssd config only consists of these lines added to
> the sudo area:
> sudo_provider = ldap
> ldap_uri = ldap://myipaserver.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/myipaserver.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb_server = myipaserver.example.com

BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.

More info here:

> Plus another question: why is it that when I invoke the kinit admin command
> for the kerberos I couldn't access the web UI and it keeps asking me to configure
> my web browser (Firefox), though I've already configured it many times?

Are you sure that network.negotiate-auth.trusted-uris in about:config is set
correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
is the setting of network.negotiate-auth.trusted-uris?

In any case, it is still hard to advise as I still did not see any related
logs, error messages or actual real errors preventing you from enrolling 


> TIA 
> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
>> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
>>> Hello
>>> I have tons of questions on why free ipa won't work on my network. I've
>>> been using Fedora 20 as the OS for the server and client free ipa.
>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the
>>> client side using 2 VMs. At first it was okay, got it connected and used
>>> ldap to pass sudo for the client side, but when I finally deployed it in
>>> our real network consisting of an esxi server and one workstation having
>>> the same versions of free ipa for server and client, the error that I'm
>>> getting is that "the user does not exist" when I invoked the "su -
>>> (user)" command, so my question is how can I solve this problem? I've
>>> been at it for 3 weeks now.
>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>> assume this is a problem in SSSD client part, if the user cannot be found.
>> CCing Lukas and Jakub to advise.
> Sorry, I skipped this thread b/c the subject didn't look like it was
> SSSD-related.
> I think we need to examine SSSD logs...