On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> trying to get smart card authentication using a yubikey.
>
> I follow the
>
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes   Yubico Yubikey NEO O
hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes   Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-t
On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale wrote:
>
> Natxo, could you please provide Dogtag debug log from
> /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in
> the journal at the time of this error, please give detail of that
> too (`journalctl -u pki-tomcatd@pki-tomcat`).
Hi Fraser, I am making some progress. Let's please continue.
[1]
I was able to follow your info and find a common date in the past for all certs to be
valid.
Note, in case this is important, I have four IPA servers and I do this on CA
renewal master.
[2]
Then system clock was set to past time (a
On 9/11/18 3:07 pm, John Petrini via FreeIPA-users wrote:
The mname override now lives in ldap and is configured using the
dnsserver-mod command. fake_mname is no longer included in named.conf.
I think that feature was added to address this issue:
https://pagure.io/bind-dyndb-ldap/issue/162
We u
The mname override now lives in ldap and is configured using the
dnsserver-mod command. fake_mname is no longer included in named.conf.
I think that feature was added to address this issue:
https://pagure.io/bind-dyndb-ldap/issue/162
We use TSIG for dynamic updates without any issues, not sure if
It can be done, but there are some caveats you should be aware of:
- You'll need to disable the fake_mname that bind gets configured with
for your SOA to show up correctly
- Any time you add/change a replica, you'll need to check your NS/SOA
records and probably correct them again, as they get
On 9/11/18 2:14 pm, John Petrini via FreeIPA-users wrote:
Yes. When you create a new zone it creates NS records for each IPA
server by default but you can change them to whatever you want.
If you do this you'll probably want to remove the SOA mname override
from each of your IPA DNS servers othe
Yes. When you create a new zone it creates NS records for each IPA
server by default but you can change them to whatever you want.
If you do this you'll probably want to remove the SOA mname override
from each of your IPA DNS servers otherwise changing the authoritative
name server on the zone wil
If I set up FreeIPA on 10.x.x.x internal IP, and have it manage company.net,
it seems to want to set the NS record to its FQDN that only will be
reachable internally. The internal IP is SNAT mapped to an external IP (vs
using DMZ), so DNS requests can reach the server via the external IP.
Other t
On Thu, Nov 08, 2018 at 09:27:14PM +0100, Alex Corcoles via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
>
> > This is not timestamped, but I guess it is the thing. Weird, I don't
> > remember my provisioning does anything JRE-related, but I will do some
> > digging
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users wrote:
> Natxo Asenjo via FreeIPA-users wrote:
> > hi,
> >
> > I am testing smartcard authentication with a yubikey neo like described
> > in
> > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-log
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote:
> On Thu, 8 Nov 2018, 01:41 Fraser Tweedale
> >
> > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > match the IPA RA certificate (/var/lib/ipa/ra-a
Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> I am testing smartcard authentication with a yubikey neo like described
> in
> https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
>
> I successfully generated a key using the yubico-piv-tool, and with that
> a csr.
>
hi,
I am testing smartcard authentication with a yubikey neo like described in
https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
I successfully generated a key using the yubico-piv-tool, and with that a
csr.
yubico-piv-tool -a verify-pin -a request-certificate -
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.
>
Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been up
I actually ended up figuring this out. For whatever reason NFS_SECURE="yes"
was not in the configuration file (/etc/sysconfig/nfs). Once I added that to
the configuration on the NFS server and the client (not sure if it's needed
there or not), it started working after resetting all the servi
On Thu, 08 Nov 2018, Alfredo De Luca via FreeIPA-users wrote:
Hi alexander. Thanks for your info.
Here are 2 logs. One is the pam.log and the other one is the domain.log at
the time when we got the error below.
Nov 8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied
for use
Hi Fraser and the new guys!
I think this may be it:
https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log
snip:
SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with
path [/ca] threw exception [Could not ini
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of
FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_a
Kevin Vasko via FreeIPA-users writes:
> I followed these instructions to enable kerberos within my realm/domain.
>
> My FreeIPA, NFS server and my NFS client is CentOS 7.4
>
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html
>
> I’m completely stuck in that when I
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale
> Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> Do the 'userCertificate', 'description' and 'seeAlso' attributes
> match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
>
> If not, update the entry to match the certificate.
>
Thanks
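The check Fraser asks for above (does uid=pkidbuser,ou=people,o=ipaca still describe the certificate in /var/lib/ipa/ra-agent.pem?) is easy to get wrong by eye, because the LDIF export folds the base64 certificate across lines and the description attribute has to be rebuilt from the certificate's serial, issuer and subject. The script below is an added example, not code from the thread or from FreeIPA/Dogtag. It assumes the entry was exported with ldapsearch into LDIF, that Dogtag's description convention is "2;<serial in decimal>;<issuer DN>;<subject DN>" and that seeAlso holds the subject DN, and that the serial and DNs were read off the PEM with openssl beforehand. The certificate bytes, DNs and serials used here are constructed stand-ins, not a real certificate.

```python
"""Compare the Dogtag pkidbuser LDAP entry with the IPA RA agent certificate.

Added example, not part of the thread. Assumptions (labelled, not from the
thread): the entry was dumped to LDIF with ldapsearch; Dogtag stores
'description' as "2;<serial>;<issuer DN>;<subject DN>" (serial in decimal)
and 'seeAlso' as the subject DN; serial/issuer/subject were obtained from
the PEM with `openssl x509 -noout -serial -issuer -subject`.
"""
import base64
import re

ISSUER_DN = "CN=Certificate Authority,O=EXAMPLE.COM"   # constructed
SUBJECT_DN = "CN=IPA RA,O=EXAMPLE.COM"                  # constructed


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attr: [values]}.

    Unfolds continuation lines (a leading space joins the previous line),
    decodes '::' base64 values to bytes and drops attribute options such
    as ';binary' so 'userCertificate;binary' is keyed as 'userCertificate'.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(name.split(";")[0], []).append(value)
    return entry


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def expected_description(serial, issuer_dn, subject_dn):
    """Dogtag's description attribute for a user bound to a certificate."""
    return "2;%d;%s;%s" % (serial, issuer_dn, subject_dn)


def check_pkidbuser(entry, ra_pem, serial, issuer_dn, subject_dn):
    """Return a list of mismatches between the entry and the RA cert.

    An empty list means userCertificate, description and seeAlso all match.
    """
    problems = []
    if pem_to_der(ra_pem) not in entry.get("userCertificate", []):
        problems.append("userCertificate does not contain the RA certificate")
    desc = expected_description(serial, issuer_dn, subject_dn)
    if desc not in entry.get("description", []):
        problems.append("description should be %r" % desc)
    if subject_dn not in entry.get("seeAlso", []):
        problems.append("seeAlso should be %r" % subject_dn)
    return problems


# --- constructed sample data (no real certificates) -----------------------
RA_DER = bytes(range(64))        # stand-in for the current RA cert's DER
OLD_DER = bytes(range(64, 128))  # stand-in for the pre-renewal RA cert
RA_PEM = ("-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(RA_DER).decode() + "\n"
          "-----END CERTIFICATE-----\n")


def ldif_fold(line, width=76):
    """Fold a long LDIF line the way ldapsearch does (continuation = space)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def make_entry_ldif(der, serial):
    return "\n".join([
        "dn: uid=pkidbuser,ou=people,o=ipaca",
        "uid: pkidbuser",
        ldif_fold("userCertificate;binary:: " + base64.b64encode(der).decode()),
        "description: " + expected_description(serial, ISSUER_DN, SUBJECT_DN),
        "seeAlso: " + SUBJECT_DN,
    ])


GOOD_LDIF = make_entry_ldif(RA_DER, 7)    # entry updated after renewal
STALE_LDIF = make_entry_ldif(OLD_DER, 3)  # entry still naming the old cert

if __name__ == "__main__":
    for label, ldif in (("current", GOOD_LDIF), ("stale", STALE_LDIF)):
        found = check_pkidbuser(parse_ldif_entry(ldif), RA_PEM, 7, ISSUER_DN, SUBJECT_DN)
        print(label, "OK" if not found else found)
```

Against a real deployment, dump the entry with `ldapsearch -LLL -b uid=pkidbuser,ou=people,o=ipaca` (Directory Manager bind) and feed that LDIF, the PEM, and the serial/DNs read from the PEM into check_pkidbuser. A stale entry, which is what this thread turns out to be about, shows up as two mismatches (old userCertificate and old serial in description) while seeAlso still agrees, because the subject DN does not change on renewal.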
On Thu, Nov 08, 2018 at 06:03:27AM -, Zarko D via FreeIPA-users wrote:
> Thank you Fraser for the support.
> 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no
> problem here.
> But I am afraid I can't find common date for remaining four certs. As per
> bellow data:
>
On Wed, Nov 07, 2018 at 09:53:03PM +, Nathan Harper via FreeIPA-users wrote:
> Hi all,
>
> We have noticed some behaviour that we are trying to work out if it is
> expected or not (or if this is an SSSD thing). We have a pair of FreeIPA
> replicas running on CentOS 7 (v4.5.x), with various C