[Freeipa-users] CentOS patch management on FreeIPA server

2017-05-16 Thread Lakshan Jayasekara
Hi All,

I'm using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 running on 
CentOS 7, and have one replica server as well. I need to patch up the CentOS system 
as per PCI DSS compliance. Let me know whether I can proceed as usual or need to 
follow any sequential steps to achieve the task.

Lakshanth Chandika Jayasekara
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-16 Thread Bjarne Blichfeldt
Thank you for pointing that out.
I should of course have been more specific: native AIX sudo does not support 
LDAP and therefore sudo rules from LDAP, but it is possible
to install a different sudo version with LDAP enabled.
Unfortunately, in our case, using external RPMs is not an option.

Regards
Bjarne Blichfeldt.

From: Luiz Fernando Vianna da Silva [mailto:luiz.via...@tivit.com.br]
Sent: 16 May 2017 16:43
To: Bjarne Blichfeldt ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.
That's where you are mistaken. It is possible to integrate sudo rules into AIX; 
I've done it and have documented it here: 
https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, it's a fairly simple procedure.

P.S.

IBM has recently pimped the AIX toolbox RPMs and even set it up as a YUM 
server. I haven't tried using these new RPMs yet to see if they work with sudo 
integration.

If you want to keep it safe, use the perzl RPMs as I describe in the 
documentation. If you want, and I would appreciate it if you would, give the 
new RPMs from the toolbox a go, and if it works please update the documentation, or 
send me your notes and I'll update it.
Best Regards
__
Luiz Fernando Vianna da Silva
On 15-05-2017 02:53, Bjarne Blichfeldt wrote:
We have a working setup on three aix servers and by comparing our config with 
yours, I see the following differences:

LDAP:
/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:

#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html

keyobjectclass  SEC_CHAR  posixaccount      s

# The following attributes are required by AIX to be functional
username        SEC_CHAR  uid               s
id              SEC_INT   uidnumber         s
pgrp            SEC_CHAR  gidnumber         s
home            SEC_CHAR  homedirectory     s
shell           SEC_CHAR  loginshell        s
gecos           SEC_CHAR  gecos             s
spassword       SEC_CHAR  userpassword      s
lastupdate      SEC_INT   shadowlastchange  s



/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html

groupname  SEC_CHAR  cn         s
id         SEC_INT   gidNumber  s
users      SEC_LIST  member     m


To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP 

Configure AIX to create the home directory during login:
/etc/security/login.cfg:
mkhomeatlogin = true

usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 30
maxroles = 8
auth_type = STD_AUTH
mkhomeatlogin = true


Also remember: a user can be locked in AIX, so use smitty to unlock the user and reset 
login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on AIX does not support that.
You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.

Regards
Bjarne Blichfeldt.

From: wouter.hummel...@kpn.com 
[mailto:wouter.hummel...@kpn.com]
Sent: 12 May 2017 16:03
To: iulian.ro...@gmail.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it 
simple, since we want passwords to work before trying TGS based logins over 
GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation 
specifies that enabling krb5 in ldap.cfg makes the bind user and password moot; 
secldapclntd uses krb5 to identify itself to IPA.)

Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some 
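As an added example (not part of the thread, and not Bjarne's or the FreeIPA project's code), a small Python validator for AIX attribute map files in the four-field format Bjarne's FreeIPAuser.map and FreeIPAgroup.map use: `<aix_attribute> <SEC_type> <ldap_attribute> <s|m>`. The required-attribute list is the one the map's own comment marks as required; the SEC_BOOL type and the sample maps below are constructed assumptions.

```python
import re

# Field types AIX accepts in an attribute map. SEC_BOOL is an assumption about
# the format; the maps quoted in the thread only use the first three.
VALID_TYPES = frozenset({"SEC_CHAR", "SEC_INT", "SEC_LIST", "SEC_BOOL"})

# The posted user map marks these as "required by AIX to be functional";
# keyobjectclass is also present there and is treated as required here.
REQUIRED_USER_ATTRS = frozenset({"keyobjectclass", "username", "id", "pgrp",
                                 "home", "shell", "gecos", "spassword",
                                 "lastupdate"})
# Entries of the posted group map, treated here as the minimum set.
REQUIRED_GROUP_ATTRS = frozenset({"groupname", "id", "users"})

# <aix_attribute> <SEC_type> <ldap_attribute> <s|m>
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([sm])$")


def parse_map(text):
    """Parse map text into {aix_attr: (sec_type, ldap_attr, mult)} plus a list of errors."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Typical damage: separators lost, so fields run together or the
            # s/m flag is fused onto the LDAP attribute name.
            errors.append(f"line {lineno}: expected '<attr> <SEC_type> <ldapattr> <s|m>', got {line!r}")
            continue
        aix_attr, sec_type, ldap_attr, mult = m.groups()
        if sec_type not in VALID_TYPES:
            errors.append(f"line {lineno}: unknown field type {sec_type}")
        if aix_attr in entries:
            errors.append(f"line {lineno}: duplicate attribute {aix_attr}")
        entries[aix_attr] = (sec_type, ldap_attr, mult)
    return entries, errors


def validate_map(text, required):
    """Return a list of problems; an empty list means the map looks usable."""
    entries, errors = parse_map(text)
    missing = sorted(required - set(entries))
    if missing:
        errors.append("missing required attributes: " + ", ".join(missing))
    return errors


# Constructed sample: the posted user map with its separators restored.
GOOD_USER_MAP = """\
#FreeIPAuser.map file
keyobjectclass  SEC_CHAR  posixaccount      s

# The following attributes are required by AIX to be functional
username        SEC_CHAR  uid               s
id              SEC_INT   uidnumber         s
pgrp            SEC_CHAR  gidnumber         s
home            SEC_CHAR  homedirectory     s
shell           SEC_CHAR  loginshell        s
gecos           SEC_CHAR  gecos             s
spassword       SEC_CHAR  userpassword      s
lastupdate      SEC_INT   shadowlastchange  s
"""

# Constructed sample: the posted group map.
GOOD_GROUP_MAP = """\
#FreeIPAgroup.map file
groupname  SEC_CHAR  cn         s
id         SEC_INT   gidNumber  s
users      SEC_LIST  member     m
"""

# Constructed sample reproducing the whitespace damage seen in the mail
# archive: AIX would not see valid entries on the first two lines.
BROKEN_USER_MAP = """\
keyobjectclass  SEC_CHARposixaccounts
usernameSEC_CHARuid s
id  SEC_INT uidnumber   s
"""

if __name__ == "__main__":
    for name, text, req in (("user", GOOD_USER_MAP, REQUIRED_USER_ATTRS),
                            ("group", GOOD_GROUP_MAP, REQUIRED_GROUP_ATTRS),
                            ("broken", BROKEN_USER_MAP, REQUIRED_USER_ATTRS)):
        print(name, validate_map(text, req) or "OK")
```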

Re: [Freeipa-users] Spam

2017-05-16 Thread Alexander Bokovoy

On Wed, 17 May 2017, Christopher Lamb wrote:

 and I was feeling left out because I wasn't getting any spam, despite
other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several
spams, and did so for each post I made on that thread.

So as far as I can see something is picking up fresh posts, and
responding to those.  I will probably get another dose (of spam) following
this post.

We have discussed this topic multiple times in the past on this list; you can
check the archives for details. There is no subscribed person who spams.
It is a bot using the archives to retrieve emails.

We are in the process of migrating to a different mailing list provider
(lists.fedoraproject.org) this week; you'll get a notification soon.


--
/ Alexander Bokovoy


Re: [Freeipa-users] Spam

2017-05-16 Thread Christopher Lamb
to be more precise, a few minutes after I post, and a few seconds after I
get the mail with my post from freeipa-users

From:   Christopher Lamb/Switzerland/IBM@IBMCH
To: "freeipa-users@redhat.com" 
Date:   17/05/2017 06:26
Subject:Re: [Freeipa-users] Spam
Sent by:freeipa-users-boun...@redhat.com

 and I was feeling left out because I wasn't getting any spam, despite
other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several
spams, and did so for each post I made on that thread.

So as far as I can see something is picking up fresh posts, and
responding to those. I will probably get another dose (of spam) following
this post.

Chris


From: Andrey Dudin 
To: Andrew Holway, Vinny Del Signore
Cc: "freeipa-users@redhat.com" 
Date: 17/05/2017 03:58
Subject: Re: [Freeipa-users] Spam
Sent by: freeipa-users-boun...@redhat.com

Me too.  I received a lot of spam messages from Amy Kristen.


Wed, 17 May 2017 at 3:16, Vinny Del Signore:
  Hi Andrew,

  I just sent my first mail today around 5:30pm EST and have already
  received five spam e-mails from "Amy Kristen". Three of these
  included nude photos. These are the two e-mail addresses used so far.
  Hoping this stops.


  -Vin

  Amy Kristen 
  Amy Kristen 

  From: Andrew Holway 
  To: "freeipa-users@redhat.com" 
  Date: 05/16/2017 07:54 PM
  Subject: [Freeipa-users] Spam
  Sent by: freeipa-users-boun...@redhat.com

  What's up with this weird spam. This is the only list where I see
  this.


--
Best regards, Andrey Dudin

Re: [Freeipa-users] Spam

2017-05-16 Thread Christopher Lamb
 and I was feeling left out because I wasn't getting any spam, despite
other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several
spams, and did so for each post I made on that thread.

So as far as I can see something is picking up fresh posts, and
responding to those.  I will probably get another dose (of spam) following
this post.

Chris

From:   Andrey Dudin 
To: Andrew Holway, Vinny Del Signore
Cc: "freeipa-users@redhat.com" 
Date:   17/05/2017 03:58
Subject:Re: [Freeipa-users] Spam
Sent by:freeipa-users-boun...@redhat.com

Me too.  I received a lot of spam messages from Amy Kristen.


Wed, 17 May 2017 at 3:16, Vinny Del Signore:
  Hi Andrew,

  I just sent my first mail today around 5:30pm EST and have already
  received five spam e-mails from "Amy Kristen". Three of these included
  nude photos. These are the two e-mail addresses used so far. Hoping this
  stops.


  -Vin

  Amy Kristen 
  Amy Kristen 

  From: Andrew Holway 
  To: "freeipa-users@redhat.com" 
  Date: 05/16/2017 07:54 PM
  Subject: [Freeipa-users] Spam
  Sent by: freeipa-users-boun...@redhat.com

  What's up with this weird spam. This is the only list where I see this.
--
Best regards, Andrey Dudin

Re: [Freeipa-users] Spam

2017-05-16 Thread Andrey Dudin
Me too.  I received a lot of spam messages from Amy Kristen.


Wed, 17 May 2017 at 3:16, Vinny Del Signore:

> Hi Andrew,
>
> I just sent my first mail today around 5:30pm EST and have already
> received five spam e-mails from "Amy Kristen". Three of these included nude
> photos. These are the two e-mail addresses used so far. Hoping this stops.
>
>
> -Vin
>
> Amy Kristen 
> Amy Kristen 
>
>
>
>
>
> From: Andrew Holway 
> To: "freeipa-users@redhat.com" 
> Date: 05/16/2017 07:54 PM
> Subject: [Freeipa-users] Spam
> Sent by: freeipa-users-boun...@redhat.com
> --
>
>
>
>
> What's up with this weird spam. This is the only list where I see this.

-- 
Best regards, Andrey Dudin

Re: [Freeipa-users] Spam

2017-05-16 Thread Vinny Del Signore

Hi Andrew,

I just sent my first mail today around 5:30pm EST and have already received
five spam e-mails from "Amy Kristen".  Three of these included nude photos.
These are the two e-mail addresses used so far.  Hoping this stops.


-Vin

Amy Kristen 
Amy Kristen 


From:   Andrew Holway 
To: "freeipa-users@redhat.com" 
Date:   05/16/2017 07:54 PM
Subject:[Freeipa-users] Spam
Sent by:freeipa-users-boun...@redhat.com

What's up with this weird spam. This is the only list where I see this.

[Freeipa-users] Spam

2017-05-16 Thread Andrew Holway
What's up with this weird spam. This is the only list where I see this.

Re: [Freeipa-users] Confused: LDAP authentication of AD users

2017-05-16 Thread Jason B. Nance
Hi Dan 

> With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I 
> am
> trying to use FreeIPA LDAP for user authentication.

> Is that supposed to work?

In the way you have described it, no. AD users/groups will not be in the 
FreeIPA LDAP. So attempting to authenticate a Windows user by pointing an LDAP 
client at a FreeIPA server will fail. 

Installing the FreeIPA client on a Linux host and enrolling it in an IPA domain 
with a trust to an Active Directory domain will allow you to authenticate 
Windows users on the Linux host. This is done using SSSD, among other things. 

Regards, 

j 

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Dagan McGregor
On 17 May 2017 8:50:02 AM NZST, "Robert L. Harris"  
wrote:
>I can, though that's what I did 2 days ago, fresh install from latest
>ISO.
>
>
>On Tue, May 16, 2017 at 2:40 PM Andrew Holway 
>wrote:
>
>> I have a feeling that there is something broken with your image.
>Could you
>> try installing Centos from ISO?
>>
>>
>> On 16 May 2017 at 22:37, Robert L. Harris 
>> wrote:
>>
>>>
>>> I left SELinux enabled, no change, still streaming the same error:
>>>
>>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780]
>NSS_Initialize
>>> failed. Certificate database: /etc/httpd/alias.
>>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library
>Error:
>>> -8038 SEC_ERROR_NOT_INITIALIZED
>>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
>>> database exist?
>>>
>>>
>>>
>>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway
>
>>> wrote:
>>>
 Yea, I would try installing IPA then making the changes that you
>want. I
 think SELinux should be left enabled however. It makes admin super
>fun! :)


 On 16 May 2017 at 21:57, Robert L. Harris
>
 wrote:

>
> I did disable selinux as it gave errors setting up my standard
>users,
> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and
>re-enable
> selinux and then try again.
>
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway
>
> wrote:
>
>> This is pretty weird. FreeIPA installation normally works.
>>
>> Has the operating system image been changed or optimised somehow?
>> Perhaps SELinux has been disabled? Have you tried installing
>Centos7 from
>> the ISO?
>>
>> On 16 May 2017 at 21:48, Robert L. Harris
>
>> wrote:
>>
>>>
>>>2 Gigs, it's a VM.  The VM didn't report any memory issues (
>no
>>> alarms on VMWare )
>>>
>>>
>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <
>>> andrew.hol...@gmail.com> wrote:
>>>
 Hallo,

 How much memory do you have on the machine. I have a sneaking
 suspicion that you're running out.

 Ta,

 Andrew

 On 16 May 2017 at 17:16, Robert L. Harris
> wrote:

>
> Last night I rolled back my snapshot.  Here's what I have
>after the
> yum install
>
> "minimal" install of Centos7 + basic build.
> {0}:/var/log>cat /etc/*elease
> CentOS Linux release 7.3.1611 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> CentOS Linux release 7.3.1611 (Core)
> CentOS Linux release 7.3.1611 (Core)
>
>
> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
> perl-HTTP-Tiny-0.033-3.el7.noarch
> python-iniparse-0.4-9.el7.noarch
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> pam_krb5-2.4.8-6.el7.x86_64
> sssd-krb5-1.14.0-43.el7_3.14.x86_64
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> krb5-libs-1.14.1-27.el7_3.x86_64
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> krb5-workstation-1.14.1-27.el7_3.x86_64
> ipa-client-4.4.0-14.el7.centos.7.x86_64
>
> Tried to pull an exact client.  The "yum install ipa-server"
>went
> fine:
>
> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>
>
> "ipa-server-install" ran clean but has been stuck for 2 days:
>
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.qLsLyx.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net

[Freeipa-users] Confused: LDAP authentication of AD users

2017-05-16 Thread Dan Dietterich
With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I 
am trying to use FreeIPA LDAP for user authentication.
Is that supposed to work?

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Robert L. Harris
  I can, though that's what I did 2 days ago, fresh install from latest ISO.


On Tue, May 16, 2017 at 2:40 PM Andrew Holway 
wrote:

> I have a feeling that there is something broken with your image. Could you
> try installing Centos from ISO?
>
>
> On 16 May 2017 at 22:37, Robert L. Harris 
> wrote:
>
>>
>> I left SELinux enabled, no change, still streaming the same error:
>>
>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
>> failed. Certificate database: /etc/httpd/alias.
>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error:
>> -8038 SEC_ERROR_NOT_INITIALIZED
>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
>> database exist?
>>
>>
>>
>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway 
>> wrote:
>>
>>> Yea, I would try installing IPA then making the changes that you want. I
>>> think SELinux should be left enabled however. It makes admin super fun! :)
>>>
>>>
>>> On 16 May 2017 at 21:57, Robert L. Harris 
>>> wrote:
>>>

 I did disable selinux as it gave errors setting up my standard users,
 etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
 selinux and then try again.


 On Tue, May 16, 2017 at 1:52 PM Andrew Holway 
 wrote:

> This is pretty weird. FreeIPA installation normally works.
>
> Has the operating system image been changed or optimised somehow?
> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
> the ISO?
>
> On 16 May 2017 at 21:48, Robert L. Harris 
> wrote:
>
>>
>>2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
>> alarms on VMWare )
>>
>>
>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <
>> andrew.hol...@gmail.com> wrote:
>>
>>> Hallo,
>>>
>>> How much memory do you have on the machine. I have a sneaking
>>> suspicion that you're running out.
>>>
>>> Ta,
>>>
>>> Andrew
>>>
>>> On 16 May 2017 at 17:16, Robert L. Harris >> > wrote:
>>>

 Last night I rolled back my snapshot.  Here's what I have after the
 yum install

 "minimal" install of Centos7 + basic build.
 {0}:/var/log>cat /etc/*elease
 CentOS Linux release 7.3.1611 (Core)
 NAME="CentOS Linux"
 VERSION="7 (Core)"
 ID="centos"
 ID_LIKE="rhel fedora"
 VERSION_ID="7"
 PRETTY_NAME="CentOS Linux 7 (Core)"
 ANSI_COLOR="0;31"
 CPE_NAME="cpe:/o:centos:centos:7"
 HOME_URL="https://www.centos.org/"
 BUG_REPORT_URL="https://bugs.centos.org/"

 CENTOS_MANTISBT_PROJECT="CentOS-7"
 CENTOS_MANTISBT_PROJECT_VERSION="7"
 REDHAT_SUPPORT_PRODUCT="centos"
 REDHAT_SUPPORT_PRODUCT_VERSION="7"

 CentOS Linux release 7.3.1611 (Core)
 CentOS Linux release 7.3.1611 (Core)


 {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
 sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
 python2-ipaclient-4.4.0-14.el7.centos.7.noarch
 ipa-common-4.4.0-14.el7.centos.7.noarch
 perl-HTTP-Tiny-0.033-3.el7.noarch
 python-iniparse-0.4-9.el7.noarch
 ipa-client-common-4.4.0-14.el7.centos.7.noarch
 pam_krb5-2.4.8-6.el7.x86_64
 sssd-krb5-1.14.0-43.el7_3.14.x86_64
 python-ipaddress-1.0.16-2.el7.noarch
 python2-ipalib-4.4.0-14.el7.centos.7.noarch
 krb5-libs-1.14.1-27.el7_3.x86_64
 libipa_hbac-1.14.0-43.el7_3.14.x86_64
 python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
 sssd-ipa-1.14.0-43.el7_3.14.x86_64
 krb5-workstation-1.14.1-27.el7_3.x86_64
 ipa-client-4.4.0-14.el7.centos.7.x86_64

 Tried to pull an exact client.  The "yum install ipa-server" went
 fine:

 {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
 ipa-server-4.4.0-14.el7.centos.7.x86_64
 ipa-server-common-4.4.0-14.el7.centos.7.noarch


 "ipa-server-install" ran clean but has been stuck for 2 days:

 Restarting the directory server
 Restarting the KDC
 Please add records in this file to your DNS system:
 /tmp/ipa.system.records.qLsLyx.db
 Restarting the web server
 Configuring client side components
 Using existing certificate '/etc/ipa/ca.crt'.
 Client hostname: ipa.rdlg.net
 Realm: RDLG.NET
 DNS Domain: rdlg.net
 IPA Server: ipa.rdlg.net
 BaseDN: dc=rdlg,dc=net

 Skipping synchronizing time with NTP server.
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured 

Re: [Freeipa-users] Why OTP not working

2017-05-16 Thread Jochen Hein
Andrey Dudin  writes:

> I am trying to use OTP auth in FreeIPA but have some problems.

OTP (with RADIUS) works for me.

> I have user *test:*
>
> [root@ipa-centos]# ipa user-show test
...

Did you enable --user-auth-type=otp with "ipa config-mod"?  I have:

[root@freeipa1 log]# ipa config-show --raw
...
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius

Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.

Otherwise, you need to enable --user-auth-type=otp for your user.  I
have for RADIUS both password and radius for my OTP user:

[root@freeipa1 log]# ipa user-show jochen --raw
...
  ipauserauthtype: password
  ipauserauthtype: radius

If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".

When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP.  That might be an easier way to
first test that you can authenticate with OTP.

> Server with FreeIpa:
>
> [root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
...
>   Authentication Indicators: otp

Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating?  I can't remember
anything from reading the docs - I expected some option for klist.

Jochen

-- 
This space is intentionally left blank.
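
As an added example, not from Jochen's mail or from FreeIPA itself, here is the override rule behind the advice above applied to pasted `--raw` output: a user's own ipauserauthtype values, if any are set, replace the global ones from `ipa config-show`, and with neither set only password applies. The sample outputs are constructed to mirror the lines quoted in the thread.

```python
# Authentication types named in the thread; any other value is reported, not rejected.
KNOWN_TYPES = frozenset({"password", "otp", "radius"})

# Constructed samples mirroring the `ipa config-show --raw` and
# `ipa user-show ... --raw` lines quoted in the thread.
CONFIG_RAW = """\
  ipauserauthtype: otp
  ipauserauthtype: password
  ipauserauthtype: radius
"""
USER_RAW_RADIUS = """\
  uid: jochen
  ipauserauthtype: password
  ipauserauthtype: radius
"""
USER_RAW_UNSET = """\
  uid: test
  gecos: test user
"""


def parse_auth_types(raw_output):
    """Collect every ipauserauthtype value from `ipa ... --raw` output, in order."""
    types = []
    for line in raw_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "ipauserauthtype" and value.strip():
            types.append(value.strip())
    return types


def effective_auth_types(config_raw, user_raw):
    """Apply the override rule: user values win; else global; else password only."""
    user_types = parse_auth_types(user_raw)
    if user_types:
        return set(user_types)
    global_types = parse_auth_types(config_raw)
    return set(global_types) if global_types else {"password"}


def auth_type_source(config_raw, user_raw):
    """Say which level the effective setting comes from."""
    if parse_auth_types(user_raw):
        return "user"
    if parse_auth_types(config_raw):
        return "global config"
    return "default"


def missing_auth_types(config_raw, user_raw, wanted):
    """Return the wanted types that are not effective for this user."""
    effective = effective_auth_types(config_raw, user_raw)
    return [t for t in wanted if t not in effective]


def report(config_raw, user_raw, wanted=("password", "otp")):
    """Findings to check before debugging sssd prompts or the KDC."""
    effective = effective_auth_types(config_raw, user_raw)
    source = auth_type_source(config_raw, user_raw)
    lines = [f"effective auth types ({source}): {', '.join(sorted(effective))}"]
    missing = missing_auth_types(config_raw, user_raw, wanted)
    if missing:
        # A per-user setting replaces the whole set, so every wanted type has
        # to be passed again; the same flags work for ipa config-mod.
        flags = " ".join(f"--user-auth-type={t}" for t in wanted)
        where = "ipa user-mod" if source == "user" else "ipa config-mod or ipa user-mod"
        lines.append(f"not enabled: {', '.join(missing)}; set {flags} with {where}")
    for t in sorted(effective - KNOWN_TYPES):
        lines.append(f"note: {t!r} is not one of the types discussed here")
    return lines


if __name__ == "__main__":
    for label, user_raw in (("jochen", USER_RAW_RADIUS), ("test", USER_RAW_UNSET)):
        print(label)
        for line in report(CONFIG_RAW, user_raw):
            print("  " + line)
```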


Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
I have a feeling that there is something broken with your image. Could you
try installing Centos from ISO?

On 16 May 2017 at 22:37, Robert L. Harris  wrote:

>
> I left SELinux enabled, no change, still streaming the same error:
>
> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
> failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error:
> -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
> database exist?
>
>
>
> On Tue, May 16, 2017 at 2:12 PM Andrew Holway 
> wrote:
>
>> Yea, I would try installing IPA then making the changes that you want. I
>> think SELinux should be left enabled however. It makes admin super fun! :)
>>
>>
>> On 16 May 2017 at 21:57, Robert L. Harris 
>> wrote:
>>
>>>
>>> I did disable selinux as it gave errors setting up my standard users,
>>> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>>> selinux and then try again.
>>>
>>>
>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway 
>>> wrote:
>>>
 This is pretty weird. FreeIPA installation normally works.

 Has the operating system image been changed or optimised somehow?
 Perhaps SELinux has been disabled? Have you tried installing Centos7 from
 the ISO?

 On 16 May 2017 at 21:48, Robert L. Harris 
 wrote:

>
>2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
> alarms on VMWare )
>
>
> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <
> andrew.hol...@gmail.com> wrote:
>
>> Hallo,
>>
>> How much memory do you have on the machine. I have a sneaking
>> suspicion that you're running out.
>>
>> Ta,
>>
>> Andrew
>>
>> On 16 May 2017 at 17:16, Robert L. Harris 
>> wrote:
>>
>>>
>>> Last night I rolled back my snapshot.  Here's what I have after the
>>> yum install
>>>
>>> "minimal" install of Centos7 + basic build.
>>> {0}:/var/log>cat /etc/*elease
>>> CentOS Linux release 7.3.1611 (Core)
>>> NAME="CentOS Linux"
>>> VERSION="7 (Core)"
>>> ID="centos"
>>> ID_LIKE="rhel fedora"
>>> VERSION_ID="7"
>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>> ANSI_COLOR="0;31"
>>> CPE_NAME="cpe:/o:centos:centos:7"
>>> HOME_URL="https://www.centos.org/"
>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>
>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>> REDHAT_SUPPORT_PRODUCT="centos"
>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>
>>> CentOS Linux release 7.3.1611 (Core)
>>> CentOS Linux release 7.3.1611 (Core)
>>>
>>>
>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>> python-iniparse-0.4-9.el7.noarch
>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>> pam_krb5-2.4.8-6.el7.x86_64
>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>> python-ipaddress-1.0.16-2.el7.noarch
>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>
>>> Tried to pull an exact client.  The "yum install ipa-server" went
>>> fine:
>>>
>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>
>>>
>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>
>>> Restarting the directory server
>>> Restarting the KDC
>>> Please add records in this file to your DNS system:
>>> /tmp/ipa.system.records.qLsLyx.db
>>> Restarting the web server
>>> Configuring client side components
>>> Using existing certificate '/etc/ipa/ca.crt'.
>>> Client hostname: ipa.rdlg.net
>>> Realm: RDLG.NET
>>> DNS Domain: rdlg.net
>>> IPA Server: ipa.rdlg.net
>>> BaseDN: dc=rdlg,dc=net
>>>
>>> Skipping synchronizing time with NTP server.
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> trying https://ipa.rdlg.net/ipa/json
>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>
>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>
>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Robert L. Harris
I left SELinux enabled, no change, still streaming the same error:

[Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
failed. Certificate database: /etc/httpd/alias.
[Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error:
-8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
database exist?



On Tue, May 16, 2017 at 2:12 PM Andrew Holway 
wrote:

> Yea, I would try installing IPA then making the changes that you want. I
> think SELinux should be left enabled however. It makes admin super fun! :)
>
>
> On 16 May 2017 at 21:57, Robert L. Harris 
> wrote:
>
>>
>> I did disable selinux as it gave errors setting up my standard users,
>> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>> selinux and then try again.
>>
>>
>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway 
>> wrote:
>>
>>> This is pretty weird. FreeIPA installation normally works.
>>>
>>> Has the operating system image been changed or optimised somehow?
>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>> the ISO?
>>>
>>> On 16 May 2017 at 21:48, Robert L. Harris 
>>> wrote:
>>>

2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
 alarms on VMWare )


 On Tue, May 16, 2017 at 12:29 PM Andrew Holway 
 wrote:

> Hallo,
>
> How much memory do you have on the machine. I have a sneaking
> suspicion that you're running out.
>
> Ta,
>
> Andrew
>
> On 16 May 2017 at 17:16, Robert L. Harris 
> wrote:
>
>>
>> Last night I rolled back my snapshot.  Here's what I have after the
>> yum install
>>
>> "minimal" install of Centos7 + basic build.
>> {0}:/var/log>cat /etc/*elease
>> CentOS Linux release 7.3.1611 (Core)
>> NAME="CentOS Linux"
>> VERSION="7 (Core)"
>> ID="centos"
>> ID_LIKE="rhel fedora"
>> VERSION_ID="7"
>> PRETTY_NAME="CentOS Linux 7 (Core)"
>> ANSI_COLOR="0;31"
>> CPE_NAME="cpe:/o:centos:centos:7"
>> HOME_URL="https://www.centos.org/"
>> BUG_REPORT_URL="https://bugs.centos.org/"
>>
>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>> REDHAT_SUPPORT_PRODUCT="centos"
>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>
>> CentOS Linux release 7.3.1611 (Core)
>> CentOS Linux release 7.3.1611 (Core)
>>
>>
>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>> ipa-common-4.4.0-14.el7.centos.7.noarch
>> perl-HTTP-Tiny-0.033-3.el7.noarch
>> python-iniparse-0.4-9.el7.noarch
>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>> pam_krb5-2.4.8-6.el7.x86_64
>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>> python-ipaddress-1.0.16-2.el7.noarch
>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>> krb5-libs-1.14.1-27.el7_3.x86_64
>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>> krb5-workstation-1.14.1-27.el7_3.x86_64
>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>
>> Tried to pull an exact client.  The "yum install ipa-server" went
>> fine:
>>
>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>
>>
>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>
>> Restarting the directory server
>> Restarting the KDC
>> Please add records in this file to your DNS system:
>> /tmp/ipa.system.records.qLsLyx.db
>> Restarting the web server
>> Configuring client side components
>> Using existing certificate '/etc/ipa/ca.crt'.
>> Client hostname: ipa.rdlg.net
>> Realm: RDLG.NET
>> DNS Domain: rdlg.net
>> IPA Server: ipa.rdlg.net
>> BaseDN: dc=rdlg,dc=net
>>
>> Skipping synchronizing time with NTP server.
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> trying https://ipa.rdlg.net/ipa/json
>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>
>> Checking /var/log/httpd/error.log, it has 2 days of just this:
>>
>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>> failed. Certificate database: /etc/httpd/alias.
>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library
>> Error: -8038 SEC_ERROR_NOT_INITIALIZED
>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>> database exist?
>>
>>
>> Robert
>>
>> On Fri, May 12, 2017 
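The error_log loop quoted above is easy to confirm with a small triage script. The following is an added example, not code from the thread or from the FreeIPA project: it parses Apache error_log lines in the shape quoted above, groups the NSS failures by httpd PID, and checks whether the certificate database directory named in the log holds an NSS database. The file names it looks for (cert8.db, key3.db, secmod.db) are the legacy NSS layout and are an assumption; the sample log lines are constructed after the quoted ones.

```python
"""Triage helper for the mod_nss start-up failure quoted in this thread.

Added example, not code from the thread or the FreeIPA project.  It parses
Apache error_log lines shaped like the ones quoted above, groups the NSS
failures by httpd PID, and checks whether the certificate database directory
named in the log actually contains an NSS database.  The file names checked
(cert8.db, key3.db, secmod.db) are the legacy NSS layout; treat that as an
assumption for other NSS versions.
"""
import os
import re
from collections import defaultdict

# Apache 2.4 error_log line: [timestamp] [module:level] [pid N] message.
# mod_nss leaves the module field empty, hence the "[:error]" in the thread.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
DB_PATH_RE = re.compile(r"Certificate database: (?P<path>\S+?)\.?$")
NSS_ERR_RE = re.compile(r"SSL Library Error: (?P<code>-?\d+) (?P<name>\w+)")

# Legacy NSS database files (assumed layout, see module docstring).
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

# Constructed sample: the three-line failure from the thread for two PIDs,
# unwrapped onto one line each, plus one unrelated notice line.
SAMPLE_LOG = """\
[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
[Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS database exist?
[Tue May 16 14:36:49.000000 2017] [core:notice] [pid 10780] constructed unrelated notice line
"""


def parse_error_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            yield rec


def nss_failures(text):
    """Group NSS initialisation failures by PID.

    Returns {pid: {"db": <certificate database path or None>,
                   "errors": [<NSS error names>, ...]}}.
    Only PIDs that logged an NSS failure appear in the result.
    """
    found = defaultdict(lambda: {"db": None, "errors": []})
    for rec in parse_error_log(text):
        msg = rec["msg"]
        db = DB_PATH_RE.search(msg)
        if msg.startswith("NSS_Initialize failed") and db:
            found[rec["pid"]]["db"] = db.group("path")
        err = NSS_ERR_RE.search(msg)
        if err:
            found[rec["pid"]]["errors"].append(err.group("name"))
    return dict(found)


def check_nss_db(path):
    """Return (present, missing): does `path` hold a legacy NSS database?"""
    if not os.path.isdir(path):
        return False, list(NSS_DB_FILES)
    missing = [f for f in NSS_DB_FILES if not os.path.isfile(os.path.join(path, f))]
    return not missing, missing


def triage(text):
    """Combine the log summary with the on-disk check for each failing PID."""
    report = {}
    for pid, info in nss_failures(text).items():
        if info["db"]:
            present, missing = check_nss_db(info["db"])
        else:
            present, missing = False, list(NSS_DB_FILES)
        report[pid] = {"db": info["db"], "errors": info["errors"],
                       "db_present": present, "missing": missing}
    return report


if __name__ == "__main__":
    for pid, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"pid {pid}: db={r['db']} errors={r['errors']} "
              f"present={r['db_present']} missing={r['missing']}")
```

Run it against a real /var/log/httpd/error_log by passing the file contents to triage(); an empty result means no NSS failure was logged, and a non-empty "missing" list points at the database files that need restoring.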

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
Yea, I would try installing IPA then making the changes that you want. I
think SELinux should be left enabled however. It makes admin super fun! :)

On 16 May 2017 at 21:57, Robert L. Harris  wrote:

>
> I did disable selinux as it gave errors setting up my standard users,
> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
> selinux and then try again.
>
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway 
> wrote:
>
>> This is pretty weird. FreeIPA installation normally works.
>>
>> Has the operating system image been changed or optimised somehow? Perhaps
>> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>>
>> On 16 May 2017 at 21:48, Robert L. Harris 
>> wrote:
>>
>>>
>>>2 Gigs, it's a VM.  The VM didn't report any memory issues ( no
>>> alarms on VMWare )
>>>
>>>
>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway 
>>> wrote:
>>>
 Hallo,

 How much memory do you have on the machine? I have a sneaking suspicion
 that you're running out.

 Ta,

 Andrew

 On 16 May 2017 at 17:16, Robert L. Harris 
 wrote:

>
> Last night I rolled back my snapshot.  Here's what I have after the
> yum install
>
> "minimal" install of Centos7 + basic build.
> {0}:/var/log>cat /etc/*elease
> CentOS Linux release 7.3.1611 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> CentOS Linux release 7.3.1611 (Core)
> CentOS Linux release 7.3.1611 (Core)
>
>
> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
> perl-HTTP-Tiny-0.033-3.el7.noarch
> python-iniparse-0.4-9.el7.noarch
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> pam_krb5-2.4.8-6.el7.x86_64
> sssd-krb5-1.14.0-43.el7_3.14.x86_64
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> krb5-libs-1.14.1-27.el7_3.x86_64
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> krb5-workstation-1.14.1-27.el7_3.x86_64
> ipa-client-4.4.0-14.el7.centos.7.x86_64
>
> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>
> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>
>
> "ipa-server-install" ran clean but has been stuck for 2 days:
>
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.qLsLyx.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
> Checking /var/log/httpd/error.log, it has 2 days of just this:
>
> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
> failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library
> Error: -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
> database exist?
>
>
> Robert
>
> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden 
> wrote:
>
>> Robert L. Harris wrote:
>> >
>> > Hmmm
>> >
>> > {0}:/var/log>ls
>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog  wtmp
>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned     yum.log
>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>> >
>> >
>> > root@ipa
>> > {1}:/var/log>rpm -q -l http
>> > package http is not 

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Robert L. Harris
I did disable selinux as it gave errors setting up my standard users, etc.
I can roll back the snapshot, set it at 4Gigs of RAM and re-enable selinux
and then try again.


On Tue, May 16, 2017 at 1:52 PM Andrew Holway 
wrote:

> This is pretty weird. FreeIPA installation normally works.
>
> Has the operating system image been changed or optimised somehow? Perhaps
> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>
> On 16 May 2017 at 21:48, Robert L. Harris 
> wrote:
>
>>
>>2 Gigs, it's a VM.  The VM didn't report any memory issues ( no alarms
>> on VMWare )
>>
>>
>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway 
>> wrote:
>>
>>> Hallo,
>>>
>>> How much memory do you have on the machine? I have a sneaking suspicion
>>> that you're running out.
>>>
>>> Ta,
>>>
>>> Andrew
>>>
>>> On 16 May 2017 at 17:16, Robert L. Harris 
>>> wrote:
>>>

 Last night I rolled back my snapshot.  Here's what I have after the yum
 install

 "minimal" install of Centos7 + basic build.
 {0}:/var/log>cat /etc/*elease
 CentOS Linux release 7.3.1611 (Core)
 NAME="CentOS Linux"
 VERSION="7 (Core)"
 ID="centos"
 ID_LIKE="rhel fedora"
 VERSION_ID="7"
 PRETTY_NAME="CentOS Linux 7 (Core)"
 ANSI_COLOR="0;31"
 CPE_NAME="cpe:/o:centos:centos:7"
 HOME_URL="https://www.centos.org/"
 BUG_REPORT_URL="https://bugs.centos.org/"

 CENTOS_MANTISBT_PROJECT="CentOS-7"
 CENTOS_MANTISBT_PROJECT_VERSION="7"
 REDHAT_SUPPORT_PRODUCT="centos"
 REDHAT_SUPPORT_PRODUCT_VERSION="7"

 CentOS Linux release 7.3.1611 (Core)
 CentOS Linux release 7.3.1611 (Core)


 {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
 sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
 python2-ipaclient-4.4.0-14.el7.centos.7.noarch
 ipa-common-4.4.0-14.el7.centos.7.noarch
 perl-HTTP-Tiny-0.033-3.el7.noarch
 python-iniparse-0.4-9.el7.noarch
 ipa-client-common-4.4.0-14.el7.centos.7.noarch
 pam_krb5-2.4.8-6.el7.x86_64
 sssd-krb5-1.14.0-43.el7_3.14.x86_64
 python-ipaddress-1.0.16-2.el7.noarch
 python2-ipalib-4.4.0-14.el7.centos.7.noarch
 krb5-libs-1.14.1-27.el7_3.x86_64
 libipa_hbac-1.14.0-43.el7_3.14.x86_64
 python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
 sssd-ipa-1.14.0-43.el7_3.14.x86_64
 krb5-workstation-1.14.1-27.el7_3.x86_64
 ipa-client-4.4.0-14.el7.centos.7.x86_64

 Tried to pull an exact client.  The "yum install ipa-server" went fine:

 {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
 ipa-server-4.4.0-14.el7.centos.7.x86_64
 ipa-server-common-4.4.0-14.el7.centos.7.noarch


 "ipa-server-install" ran clean but has been stuck for 2 days:

 Restarting the directory server
 Restarting the KDC
 Please add records in this file to your DNS system:
 /tmp/ipa.system.records.qLsLyx.db
 Restarting the web server
 Configuring client side components
 Using existing certificate '/etc/ipa/ca.crt'.
 Client hostname: ipa.rdlg.net
 Realm: RDLG.NET
 DNS Domain: rdlg.net
 IPA Server: ipa.rdlg.net
 BaseDN: dc=rdlg,dc=net

 Skipping synchronizing time with NTP server.
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 trying https://ipa.rdlg.net/ipa/json
 Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'

 Checking /var/log/httpd/error.log, it has 2 days of just this:

 [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
 failed. Certificate database: /etc/httpd/alias.
 [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library
 Error: -8038 SEC_ERROR_NOT_INITIALIZED
 [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
 database exist?


 Robert

 On Fri, May 12, 2017 at 11:14 AM Rob Crittenden 
 wrote:

> Robert L. Harris wrote:
> >
> > Hmmm
> >
> > {0}:/var/log>ls
> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog  wtmp
> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned     yum.log
> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
> >
> >
> > root@ipa
> > {1}:/var/log>rpm -q -l http
> > package http is not installed
> >
> > root@ipa
> > {1}:/var/log>rpm -q -a | grep -i http
> > perl-HTTP-Tiny-0.033-3.el7.noarch
> >
> > root@ipa
> > {0}:/var/log>rpm -q -a | grep -i tomcat
> >
> >
> > Doesn't look like an httpd was installed as a dependency?
>
> I find this very hard to believe given that it got so far as to
> configure
> things in 

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
This is pretty weird. FreeIPA installation normally works.

Has the operating system image been changed or optimised somehow? Perhaps
SELinux has been disabled? Have you tried installing Centos7 from the ISO?

On 16 May 2017 at 21:48, Robert L. Harris  wrote:

>
>2 Gigs, it's a VM.  The VM didn't report any memory issues ( no alarms
> on VMWare )
>
>
> On Tue, May 16, 2017 at 12:29 PM Andrew Holway 
> wrote:
>
>> Hallo,
>>
>> How much memory do you have on the machine? I have a sneaking suspicion
>> that you're running out.
>>
>> Ta,
>>
>> Andrew
>>
>> On 16 May 2017 at 17:16, Robert L. Harris 
>> wrote:
>>
>>>
>>> Last night I rolled back my snapshot.  Here's what I have after the yum
>>> install
>>>
>>> "minimal" install of Centos7 + basic build.
>>> {0}:/var/log>cat /etc/*elease
>>> CentOS Linux release 7.3.1611 (Core)
>>> NAME="CentOS Linux"
>>> VERSION="7 (Core)"
>>> ID="centos"
>>> ID_LIKE="rhel fedora"
>>> VERSION_ID="7"
>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>> ANSI_COLOR="0;31"
>>> CPE_NAME="cpe:/o:centos:centos:7"
>>> HOME_URL="https://www.centos.org/"
>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>
>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>> REDHAT_SUPPORT_PRODUCT="centos"
>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>
>>> CentOS Linux release 7.3.1611 (Core)
>>> CentOS Linux release 7.3.1611 (Core)
>>>
>>>
>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>> python-iniparse-0.4-9.el7.noarch
>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>> pam_krb5-2.4.8-6.el7.x86_64
>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>> python-ipaddress-1.0.16-2.el7.noarch
>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>
>>> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>>>
>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>
>>>
>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>
>>> Restarting the directory server
>>> Restarting the KDC
>>> Please add records in this file to your DNS system:
>>> /tmp/ipa.system.records.qLsLyx.db
>>> Restarting the web server
>>> Configuring client side components
>>> Using existing certificate '/etc/ipa/ca.crt'.
>>> Client hostname: ipa.rdlg.net
>>> Realm: RDLG.NET
>>> DNS Domain: rdlg.net
>>> IPA Server: ipa.rdlg.net
>>> BaseDN: dc=rdlg,dc=net
>>>
>>> Skipping synchronizing time with NTP server.
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> trying https://ipa.rdlg.net/ipa/json
>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>
>>> Checking /var/log/httpd/error.log, it has 2 days of just this:
>>>
>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>>> failed. Certificate database: /etc/httpd/alias.
>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
>>> -8038 SEC_ERROR_NOT_INITIALIZED
>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>>> database exist?
>>>
>>>
>>> Robert
>>>
>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden 
>>> wrote:
>>>
 Robert L. Harris wrote:
 >
 > Hmmm
 >
 > {0}:/var/log>ls
 > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog  wtmp
 > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned     yum.log
 > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
 >
 >
 > root@ipa
 > {1}:/var/log>rpm -q -l http
 > package http is not installed
 >
 > root@ipa
 > {1}:/var/log>rpm -q -a | grep -i http
 > perl-HTTP-Tiny-0.033-3.el7.noarch
 >
 > root@ipa
 > {0}:/var/log>rpm -q -a | grep -i tomcat
 >
 >
 > Doesn't look like an httpd was installed as a dependency?

 I find this very hard to believe given that it got so far as to configure
 things in Apache, restart it, etc. What version of [free]ipa-server is
 installed? How did you install it and from what repo?

 rob

 >
 >
 >
 >
 >
 > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
 >
 > That's weird, it should be super fast, anything in
 > /var/log/httpd/error_log?
 >
 >
 

[Freeipa-users] Why OTP not working

2017-05-16 Thread Andrey Dudin
Hello all.

I am trying to use OTP auth in FreeIPA but have some problems.

I have the user *test*:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And his token:

[root@ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Type: TOTP
  Owner: test
  Manager: test


Server with FreeIPA:

[root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
  Host name: ipa-centos.mydomain.com
  Principal name: host/ipa-centos.mydomain@mydomain.com
  Principal alias: host/ipa-centos.mydomain@mydomain.com
  SSH public key fingerprint: %some fingerprints%
  Authentication Indicators: otp
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: ipa-centos.mydomain.com


And the default FreeIPA HTTP service:

[root@ipa-centos]# ipa service-show http/ipa-centos.mydomain.com
  Principal name: HTTP/ipa-centos.mydomain@mydomain.com
  Principal alias: HTTP/ipa-centos.mydomain@mydomain.com
  Certificate: %cert%
  Subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Tue May 16 11:32:36 2017 UTC
  Not After: Fri May 17 11:32:36 2019 UTC
  Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  Authentication Indicators: otp
  Keytab: True
  Managed by: ipa-centos.mydomain.com


As you can see, all properties for OTP auth in the FreeIPA web interface are
applied, but I can log in to the web interface only using the password; if I
try logging in with password+otptoken I get an error.

What's wrong?

[root@ipa-centos]# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

[root@ipa-centos]# cat /etc/os-release

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Robert L. Harris
   2 Gigs, it's a VM.  The VM didn't report any memory issues ( no alarms
on VMWare )


On Tue, May 16, 2017 at 12:29 PM Andrew Holway 
wrote:

> Hallo,
>
> How much memory do you have on the machine? I have a sneaking suspicion
> that you're running out.
>
> Ta,
>
> Andrew
>
> On 16 May 2017 at 17:16, Robert L. Harris 
> wrote:
>
>>
>> Last night I rolled back my snapshot.  Here's what I have after the yum
>> install
>>
>> "minimal" install of Centos7 + basic build.
>> {0}:/var/log>cat /etc/*elease
>> CentOS Linux release 7.3.1611 (Core)
>> NAME="CentOS Linux"
>> VERSION="7 (Core)"
>> ID="centos"
>> ID_LIKE="rhel fedora"
>> VERSION_ID="7"
>> PRETTY_NAME="CentOS Linux 7 (Core)"
>> ANSI_COLOR="0;31"
>> CPE_NAME="cpe:/o:centos:centos:7"
>> HOME_URL="https://www.centos.org/"
>> BUG_REPORT_URL="https://bugs.centos.org/"
>>
>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>> REDHAT_SUPPORT_PRODUCT="centos"
>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>
>> CentOS Linux release 7.3.1611 (Core)
>> CentOS Linux release 7.3.1611 (Core)
>>
>>
>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>> ipa-common-4.4.0-14.el7.centos.7.noarch
>> perl-HTTP-Tiny-0.033-3.el7.noarch
>> python-iniparse-0.4-9.el7.noarch
>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>> pam_krb5-2.4.8-6.el7.x86_64
>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>> python-ipaddress-1.0.16-2.el7.noarch
>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>> krb5-libs-1.14.1-27.el7_3.x86_64
>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>> krb5-workstation-1.14.1-27.el7_3.x86_64
>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>
>> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>>
>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>
>>
>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>
>> Restarting the directory server
>> Restarting the KDC
>> Please add records in this file to your DNS system:
>> /tmp/ipa.system.records.qLsLyx.db
>> Restarting the web server
>> Configuring client side components
>> Using existing certificate '/etc/ipa/ca.crt'.
>> Client hostname: ipa.rdlg.net
>> Realm: RDLG.NET
>> DNS Domain: rdlg.net
>> IPA Server: ipa.rdlg.net
>> BaseDN: dc=rdlg,dc=net
>>
>> Skipping synchronizing time with NTP server.
>> New SSSD config will be created
>> Configured sudoers in /etc/nsswitch.conf
>> Configured /etc/sssd/sssd.conf
>> trying https://ipa.rdlg.net/ipa/json
>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>
>> Checking /var/log/httpd/error.log, it has 2 days of just this:
>>
>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>> failed. Certificate database: /etc/httpd/alias.
>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
>> -8038 SEC_ERROR_NOT_INITIALIZED
>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>> database exist?
>>
>>
>> Robert
>>
>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden 
>> wrote:
>>
>>> Robert L. Harris wrote:
>>> >
>>> > Hmmm
>>> >
>>> > {0}:/var/log>ls
>>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog  wtmp
>>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned     yum.log
>>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>>> >
>>> >
>>> > root@ipa
>>> > {1}:/var/log>rpm -q -l http
>>> > package http is not installed
>>> >
>>> > root@ipa
>>> > {1}:/var/log>rpm -q -a | grep -i http
>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>> >
>>> > root@ipa
>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>> >
>>> >
>>> > Doesn't look like an httpd was installed as a dependency?
>>>
>>> I find this very hard to believe given that it got so far as to configure
>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>> installed? How did you install it and from what repo?
>>>
>>> rob
>>>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
>>> >
>>> > That's weird, it should be super fast, anything in
>>> > /var/log/httpd/error_log?
>>> >
>>> >
>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>> >>
>>> >> Odd, must have clicked reply instead of reply-all.
>>> >>
>>> >> Anyway, I did the revert and re-install.  Actual install went
>>> >> through fine then the "ipa-server-install" ran until this:
>>> >>
>>> >>   [8/9]: restoring configuration
>>> >>   [9/9]: starting directory server
>>> >> Done.
>>> >> Restarting the directory server
>>> >> Restarting the 

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
Hallo,

How much memory do you have on the machine? I have a sneaking suspicion
that you're running out.

Ta,

Andrew

On 16 May 2017 at 17:16, Robert L. Harris  wrote:

>
> Last night I rolled back my snapshot.  Here's what I have after the yum
> install
>
> "minimal" install of Centos7 + basic build.
> {0}:/var/log>cat /etc/*elease
> CentOS Linux release 7.3.1611 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> CentOS Linux release 7.3.1611 (Core)
> CentOS Linux release 7.3.1611 (Core)
>
>
> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-common-4.4.0-14.el7.centos.7.noarch
> perl-HTTP-Tiny-0.033-3.el7.noarch
> python-iniparse-0.4-9.el7.noarch
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> pam_krb5-2.4.8-6.el7.x86_64
> sssd-krb5-1.14.0-43.el7_3.14.x86_64
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> krb5-libs-1.14.1-27.el7_3.x86_64
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> krb5-workstation-1.14.1-27.el7_3.x86_64
> ipa-client-4.4.0-14.el7.centos.7.x86_64
>
> Tried to pull an exact client.  The "yum install ipa-server" went fine:
>
> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
> ipa-server-4.4.0-14.el7.centos.7.x86_64
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>
>
> "ipa-server-install" ran clean but has been stuck for 2 days:
>
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.qLsLyx.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
> Checking /var/log/httpd/error.log, it has 2 days of just this:
>
> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
> failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error:
> -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
> database exist?
>
>
> Robert
>
> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden 
> wrote:
>
>> Robert L. Harris wrote:
>> >
>> > Hmmm
>> >
>> > {0}:/var/log>ls
>> > anaconda  btmp  dmesg      grubby              maillog   ppp    secure   tallylog  wtmp
>> > audit     cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler  tuned     yum.log
>> > boot.log  cups  firewalld  lastlog             ntpstats  samba  sssd     vmware-vmsvc.log
>> >
>> >
>> > root@ipa
>> > {1}:/var/log>rpm -q -l http
>> > package http is not installed
>> >
>> > root@ipa
>> > {1}:/var/log>rpm -q -a | grep -i http
>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>> >
>> > root@ipa
>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>> >
>> >
>> > Doesn't look like an httpd was installed as a dependency?
>>
>> I find this very hard to believe given that it got so far as to configure
>> things in Apache, restart it, etc. What version of [free]ipa-server is
>> installed? How did you install it and from what repo?
>>
>> rob
>>
>> >
>> >
>> >
>> >
>> >
>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
>> >
>> > That's weird, it should be super fast, anything in
>> > /var/log/httpd/error_log?
>> >
>> >
>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>> >>
>> >> Odd, must have clicked reply instead of reply-all.
>> >>
>> >> Anyway, I did the revert and re-install.  Actual install went
>> >> through fine then the "ipa-server-install" ran until this:
>> >>
>> >>   [8/9]: restoring configuration
>> >>   [9/9]: starting directory server
>> >> Done.
>> >> Restarting the directory server
>> >> Restarting the KDC
>> >> Please add records in this file to your DNS system:
>> >> /tmp/ipa.system.records.v5Jwrt.db
>> >> Restarting the web server
>> >> Configuring client side components
>> >> Using existing certificate '/etc/ipa/ca.crt'.
>> >> Client hostname: ipa.rdlg.net 
>> >> Realm: 

[Freeipa-users] UI customization: Default values on host addition

2017-05-16 Thread Steve Huston
I've extended the UI for host addition by including a multivalued
widget which stores puppetVar values (as well as the accompanying
Python plugin to handle it and schema update in the directory).  This
works well, but I'd like to add one more thing and am not sure how to
do it.

There are certain variables which are basically always set for every
host, and so I'd like them to default to those values in the UI, while
still giving the admin the choice to edit or remove them just like
they were entered by hand.  I'm not sure, however, how to "push"
values into the UI that way.

Is there some attribute of a field I can edit to insert a default
value into the UI, while still allowing that to be removed or edited
before the user submits the page?

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344   -74.652242
345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'



Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Robert L. Harris
Last night I rolled back my snapshot.  Here's what I have after the yum
install

"minimal" install of Centos7 + basic build.
{0}:/var/log>cat /etc/*elease
CentOS Linux release 7.3.1611 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.3.1611 (Core)


{0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
perl-HTTP-Tiny-0.033-3.el7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
pam_krb5-2.4.8-6.el7.x86_64
sssd-krb5-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
krb5-libs-1.14.1-27.el7_3.x86_64
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64

Tried to pull an exact client.  The "yum install ipa-server" went fine:

{0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch


"ipa-server-install" ran clean but has been stuck for 2 days:

Restarting the directory server
Restarting the KDC
Please add records in this file to your DNS system:
/tmp/ipa.system.records.qLsLyx.db
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.rdlg.net
Realm: RDLG.NET
DNS Domain: rdlg.net
IPA Server: ipa.rdlg.net
BaseDN: dc=rdlg,dc=net

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.rdlg.net/ipa/json
Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'

Checking the /var/log/httpd/error.log has 2 days of just this:

[Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?


Robert

On Fri, May 12, 2017 at 11:14 AM Rob Crittenden  wrote:

> Robert L. Harris wrote:
> >
> > Hmmm
> >
> > {0}:/var/log>ls
> > anaconda  btmp  dmesg  grubby  maillog   pppsecure
> > tallylog  wtmp
> > audit cron  dmesg.old  grubby_prune_debug  messages  rhsm   spooler
> >  tuned yum.log
> > boot.log  cups  firewalld  lastlog ntpstats  samba  sssd
> > vmware-vmsvc.log
> >
> >
> > root@ipa
> > {1}:/var/log>rpm -q -l http
> > package http is not installed
> >
> > root@ipa
> > {1}:/var/log>rpm -q -a | grep -i http
> > perl-HTTP-Tiny-0.033-3.el7.noarch
> >
> > root@ipa
> > {0}:/var/log>rpm -q -a | grep -i tomcat
> >
> >
> > Doesn't look like an httpd was installed as a dependancy?
>
> I find this very hard to believe given that it go so far as to configure
> things in Apache, restart it, etc. What version of [free]ipa-server is
> installed? How did you install it and from what repo?
>
> rob
>
> >
> >
> >
> >
> >
> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
> >
> > That's weird, it should be super fast, anything in
> > /var/log/httpd/error_log?
> >
> >
> > On 11.05.2017 22:23, Robert L. Harris wrote:
> >>
> >> Odd, must have clicked reply instead of reply-all.
> >>
> >> Anyway, I did the revert and re-install.  Actual install went
> >> through fine then the "ipa-server-install" ran until this:
> >>
> >>   [8/9]: restoring configuration
> >>   [9/9]: starting directory server
> >> Done.
> >> Restarting the directory server
> >> Restarting the KDC
> >> Please add records in this file to your DNS system:
> >> /tmp/ipa.system.records.v5Jwrt.db
> >> Restarting the web server
> >> Configuring client side components
> >> Using existing certificate '/etc/ipa/ca.crt'.
> >> Client hostname: ipa.rdlg.net 
> >> Realm: RDLG.NET 
> >> DNS Domain: rdlg.net 
> >> IPA Server: ipa.rdlg.net 
> >> BaseDN: dc=rdlg,dc=net
> >>
> >> Skipping synchronizing time with NTP server.
> >> New SSSD config will be created
> >> Configured sudoers in /etc/nsswitch.conf
> >> Configured /etc/sssd/sssd.conf
> >> trying https://ipa.rdlg.net/ipa/json
> >> Forwarding 'schema' 

Re: [Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Thanks, but I think I have a problem.

I have test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain@mydomain.com
  Principal alias: host/ipa-client.mydomain@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com


When I trying to login to ipa-client.mydomain.com with password+otptoken I
have error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.


Same if I trying to use just password.

On ipa server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose :

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > tell me please. Is it possible to use password and otp auth at the one
> > moment?
> >
> > For example I have DEV/STAGE servers and want to be able use password
> auth
> > for ssh, but for PROD servers I want to use OTP auth for same user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>



-- 
Regards, Andrey Dudin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

2017-05-16 Thread Luiz Fernando Vianna da Silva
As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.
That's where you are mistaken. It is possible to integrate sudo rules into AIX, 
I've done it and have documented it here: 
https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, it's a fairly simple procedure.

P.S.

IBM has recently pimped the AIX toolbox RPMs and even implemented it as a YUM 
server. I haven't tried using these new RPMs yet to see if they work with sudo 
integration.

If you want to keep it safe, use perzl RPMs as I describe on the 
documentation. If you want, and I would appreciate it if you would, give the 
new RPMs from toolbox a go and if it works please update the documentation, or 
send me your notes and I'll update it.
Atenciosamente/Best Regards
__
Luiz Fernando Vianna da Silva
On 15-05-2017 02:53, Bjarne Blichfeldt wrote:
We have a working setup on three aix servers and by comparing our config with 
yours, I see the following differences:

LDAP:
/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:

#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html

keyobjectclass  SEC_CHAR  posixaccount      s

# The following attributes are required by AIX to be functional
username        SEC_CHAR  uid               s
id              SEC_INT   uidnumber         s
pgrp            SEC_CHAR  gidnumber         s
home            SEC_CHAR  homedirectory     s
shell           SEC_CHAR  loginshell        s
gecos           SEC_CHAR  gecos             s
spassword       SEC_CHAR  userpassword      s
lastupdate      SEC_INT   shadowlastchange  s


/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# 
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html

groupname  SEC_CHAR  cn         s
id         SEC_INT   gidNumber  s
users      SEC_LIST  member     m


To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes



Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP 

Configure aix to create homedir during login:
/etc/security/login.cfg:
mkhomeatlogin = true

usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
maxlogins = 32767
logintimeout = 30
maxroles = 8
auth_type = STD_AUTH
mkhomeatlogin = true


Also remember: user can be locked in AIX so use smitty to unlock user and reset 
login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into 
AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.





Regards
Bjarne Blichfeldt.

From: wouter.hummel...@kpn.com 
[mailto:wouter.hummel...@kpn.com]
Sent: 12. maj 2017 16:03
To: iulian.ro...@gmail.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it 
simple, since we want passwords to work before trying TGS based logins over 
GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation 
specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, 
secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example@example.org -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues 
altogether, it doesn't like @ in usernames which we need at the next stage 
(integrating AD Trust)


From: Iulian Roman [mailto:iulian.ro...@gmail.com]
Sent: vrijdag 12 mei 2017 15:56
To: Hummelink, Wouter
Cc: luiz.via...@tivit.com.br; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1



On Fri, May 12, 2017 at 3:31 PM, wouter.hummel...@kpn.com wrote:
The shell is shown correctly as ksh in 
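The AIX attribute maps quoted earlier in this thread (FreeIPAuser.map and FreeIPAgroup.map) are the point where an AIX box decides which LDAP attributes become a user's uid, primary group, shell and password hash, so a missing or mistyped line silently breaks logins rather than failing loudly. As an added example (mine, not from the thread, from FreeIPA or from IBM), here is a small parser and checker for that map format. It assumes the line layout `aix_attribute TYPE ldap_attribute s|m` with the AIX types SEC_CHAR, SEC_INT, SEC_LIST and SEC_BOOL, and takes as "required" the attributes the thread's user map marks as required; the sample maps below are constructed from the listings above.

```python
"""Parse and sanity-check AIX LDAP attribute maps (/etc/security/ldap/*.map).

Added example, not from the thread. Assumes the map line layout
'aix_attribute TYPE ldap_attribute s|m' (s = single-valued, m = multi-valued)
with the AIX types SEC_CHAR, SEC_INT, SEC_LIST and SEC_BOOL."""
import re

# One mapping line; comments start with '#', blank lines are ignored.
MAP_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>SEC_CHAR|SEC_INT|SEC_LIST|SEC_BOOL)\s+"
    r"(?P<ldap>\S+)\s+(?P<card>[sm])$"
)
# The entries the thread's FreeIPAuser.map marks as required by AIX.
REQUIRED_USER_ATTRS = {"username", "id", "pgrp", "home", "shell",
                       "gecos", "spassword", "lastupdate"}
# Attributes AIX treats as integers; mapping them as strings is a classic mistake.
NUMERIC_ATTRS = {"id", "lastupdate"}


def parse_map(text):
    """Return {aix_attr: (type, ldap_attr, cardinality)}; raise on bad lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'name TYPE ldapattr s|m', got {line!r}")
        name = m.group("name")
        if name in entries:
            raise ValueError(f"line {lineno}: '{name}' mapped twice")
        entries[name] = (m.group("type"), m.group("ldap"), m.group("card"))
    return entries


def check_user_map(text):
    """List what is missing or inconsistent in a user map (empty list = OK)."""
    entries = parse_map(text)
    problems = []
    if "keyobjectclass" not in entries:
        problems.append("keyobjectclass missing: AIX cannot select user entries")
    for attr in sorted(REQUIRED_USER_ATTRS - set(entries)):
        problems.append(f"required attribute '{attr}' is not mapped")
    for attr in sorted(NUMERIC_ATTRS & set(entries)):
        if entries[attr][0] != "SEC_INT":
            problems.append(f"'{attr}' should be SEC_INT, not {entries[attr][0]}")
    return problems


# Constructed samples, laid out from the maps quoted in the thread.
USER_MAP = """\
#FreeIPAuser.map file
keyobjectclass  SEC_CHAR  posixaccount      s

# The following attributes are required by AIX to be functional
username        SEC_CHAR  uid               s
id              SEC_INT   uidnumber         s
pgrp            SEC_CHAR  gidnumber         s
home            SEC_CHAR  homedirectory     s
shell           SEC_CHAR  loginshell        s
gecos           SEC_CHAR  gecos             s
spassword       SEC_CHAR  userpassword      s
lastupdate      SEC_INT   shadowlastchange  s
"""

GROUP_MAP = """\
#FreeIPAgroup.map file
groupname  SEC_CHAR  cn         s
id         SEC_INT   gidNumber  s
users      SEC_LIST  member     m
"""

# A deliberately broken variant: 'id' dropped and 'lastupdate' typed as a string.
BROKEN_USER_MAP = "\n".join(
    line.replace("SEC_INT", "SEC_CHAR") if line.startswith("lastupdate") else line
    for line in USER_MAP.splitlines() if not line.startswith("id ")
)

if __name__ == "__main__":
    for label, text in (("user map", USER_MAP), ("broken user map", BROKEN_USER_MAP)):
        probs = check_user_map(text)
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
    print("group map users ->", parse_map(GROUP_MAP)["users"])
```

Run it against the real files with `check_user_map(open("/etc/security/ldap/FreeIPAuser.map").read())` before restarting secldapclntd; the `lsuser -R LDAP ALL` test quoted above tells you the daemon answers, this tells you whether it is answering with the fields AIX needs.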

Re: [Freeipa-users] Password and OTP auth

2017-05-16 Thread Sumit Bose
On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> Hello all.
> 
> tell me please. Is it possible to use password and otp auth at the one
> moment?
> 
> For example I have DEV/STAGE servers and want to be able use password auth
> for ssh, but for PROD servers I want to use OTP auth for same user.

Authentication indicators can be used for this. If you add

ipa host-mod --auth-ind=otp prod.server

Only 2-factor authentication should be possible on prod.server. But
please note that e.g. ssh-key based authentication will still be
possible as well.

HTH

bye,
Sumit
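The krb5kdc.log excerpt Andrey posted earlier in this thread, read together with Sumit's answer, shows exactly what an authentication indicator does on the wire: the KDC issues a TGT, then refuses the two TGS requests for host/ipa-client because that TGT carries no `otp` indicator. From a monitoring point of view those HIGHER_AUTHENTICATION_REQUIRED lines are the signal that a single-factor ticket reached a host that demands two factors, which is what `--auth-ind=otp` is there to stop, and they are worth alerting on. As an added example (mine, not from the thread or from FreeIPA), here is a parser for those log lines that reports TGTs issued per client and every service-ticket refusal with the indicator that was missing. It assumes the MIT krb5kdc.log line format shown in the thread; the sample log is the thread's own lines, unwrapped, and the principals in it are the obfuscated ones as posted.

```python
"""Flag Kerberos service-ticket refusals caused by missing authentication
indicators in an MIT krb5kdc.log (the format FreeIPA's KDC writes).

Added example, not from the thread. Regexes assume the line layout
'<date> <kdc> krb5kdc[pid](level): AS_REQ|TGS_REQ (etypes) <ip>: STATUS: detail'."""
import re
from collections import Counter

KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# 'client@REALM for service/host@REALM' inside the detail field
PRINCIPALS = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")
# Reason the KDC appends when the target requires indicators the TGT lacks
MISSING_IND = re.compile(r"Required auth indicators not present in ticket: (?P<ind>\S+)")


def parse_kdc_line(line):
    """Return a dict for AS_REQ/TGS_REQ lines, None for anything else
    (e.g. 'closing down fd 12')."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["detail"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    i = MISSING_IND.search(rec["detail"])
    rec["missing_indicators"] = i.group("ind").split(",") if i else []
    return rec


def audit_auth_indicators(lines):
    """Summarise who obtained a TGT and which service-ticket requests were
    refused because that TGT lacked a required indicator (e.g. 'otp')."""
    tgts = Counter()   # (client principal, client ip) -> TGTs issued
    refusals = []      # service-ticket requests blocked by indicators
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            tgts[(rec["client"], rec["client_ip"])] += 1
        elif rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            refusals.append({
                "client": rec["client"], "server": rec["server"],
                "client_ip": rec["client_ip"], "missing": rec["missing_indicators"],
            })
    return {"tgts_issued": dict(tgts), "refusals": refusals}


# Constructed sample: the log lines quoted in the thread, one record per line.
SAMPLE_LOG = """\
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
""".splitlines()

if __name__ == "__main__":
    report = audit_auth_indicators(SAMPLE_LOG)
    for (client, ip), n in report["tgts_issued"].items():
        print(f"TGT issued: {client} from {ip} (x{n})")
    for r in report["refusals"]:
        print(f"REFUSED: {r['client']} -> {r['server']} from {r['client_ip']}, "
              f"TGT lacks indicator(s): {','.join(r['missing'])}")
```

Feed it `open("/var/log/krb5kdc.log")` on the server and a refusal with an empty TGT count for the same client usually means the TGT came from an earlier session; a refusal right after an ISSUE line, as in the sample, means the user authenticated with a single factor and then asked for a host that requires two.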



[Freeipa-users] Freeipa and limiting access by group (memberOf)

2017-05-16 Thread Janet Houser

Hi Folks,

Last week I deployed freeipa on a CentOS7 VM.   The installation went 
very smoothly using:


yum install ipa-server

and

ipa-server-install


My issue is with connecting a CentOS 7 client.  On my client, I yum 
installed  ipa-client and ipa-admintools.
I then ran  "ipa-client-install"  and answered the setup questions (very 
easy and smooth).


The "getent passwd" command didn't return any users, but the "getent 
passwd jdoe" does give the information
for the user.   I found in the archives that I can set "enumerate=True" 
so I get a complete user listing.   That
seems to be working, and I was able to login with the account "jdoe" 
(brilliant!).


Problem 1:


I created a user group on the ipa server  with the following attributes:

   name = xyx,  gid = 1000

I changed the user "jdoe" to have gid = 1000, but when I ssh into the 
ipa client, I get the following message after

logging in:

/usr/bin/id: cannot find name for group ID 1000

A "getent group" command does list the group: xyz:*:1000:

A "groups" command issued by the user shows:   xyz

files created by the user show the correct ownership and group.

Problem 2:
===

I've been looking through the freeipa groups and literature and I can't 
figure out how to limit user login access to

an ipa client by a memberOf group.

When I was using CentOS 6 and 7 I could use the nslcd.conf file to put 
in a group filter like:


passwd 
(&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))



I tried changing the access_provider to simple and using the 
"simply_allow_groups = test", but that didn't work.
However, using "access_provider = ipa" and "filter_users" did allow me 
to filter out a user from the "getent passwd" command.


I tried changing the access_provider to ldap and using the filter 
"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu

but that failed too.


I'd appreciate any suggestions

Thanks,

- signed an "ipa newbie"
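For a group-based login restriction in SSSD, the two things to check first are the exact option name (the simple provider reads `simple_allow_groups`, and an option SSSD does not recognise simply produces no rule) and, for `access_provider = ldap`, that the DN inside `ldap_access_filter` is a plain comma-separated list of `attr=value` pairs. As an added example (mine, not from the thread or from SSSD), here is a check that loads one domain section from an sssd.conf and reports either problem. It assumes the option names from sssd-simple(5) and sssd-ldap(5); the `abc.xyx.edu` domain and the three sample configurations are constructed, two of them shaped after the attempts quoted above and one corrected.

```python
"""Check the group-based access-control settings of an sssd.conf domain.

Added example, not from the thread. Assumes SSSD's documented option names:
access_provider = simple with simple_allow_groups / simple_deny_groups, and
access_provider = ldap with ldap_access_filter (an LDAP search filter)."""
import configparser
import difflib
import re

# Access lists the simple provider reads; if all are empty, access is granted.
SIMPLE_KEYS = {"simple_allow_users", "simple_deny_users",
               "simple_allow_groups", "simple_deny_groups"}
# One RDN: attribute=value, where the value may not contain another '=' or ','
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")
# memberOf=<dn> clauses inside a filter, with or without surrounding parentheses
MEMBEROF = re.compile(r"memberof=([^)]+)", re.IGNORECASE)


def dn_problems(dn):
    """Return the RDNs of a comma-separated DN that are not 'attr=value'."""
    return [rdn.strip() for rdn in dn.split(",") if not RDN.match(rdn.strip())]


def check_access_config(conf_text, domain):
    """Return a list of findings; an empty list means the restriction looks sound."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]          # configparser lowercases option names
    provider = sec.get("access_provider", "permit")
    findings = []
    if provider == "simple":
        for key in sec:
            # A misspelt simple_* key is not an error to SSSD, it is just no rule.
            if key.startswith("simpl") and key not in SIMPLE_KEYS:
                hint = difflib.get_close_matches(key, SIMPLE_KEYS, n=1)
                findings.append(f"unknown option '{key}'"
                                + (f" (did you mean '{hint[0]}'?)" if hint else ""))
        if not any(k in SIMPLE_KEYS for k in sec):
            findings.append("access_provider=simple with no simple_allow_*/simple_deny_* "
                            "list: every user is permitted")
    elif provider == "ldap":
        flt = sec.get("ldap_access_filter")
        if not flt:
            findings.append("access_provider=ldap without ldap_access_filter: "
                            "every user is permitted")
        else:
            for dn in MEMBEROF.findall(flt):
                for bad in dn_problems(dn):
                    findings.append(f"malformed RDN '{bad}' in memberOf value '{dn}'")
    else:
        findings.append(f"access_provider={provider}: no simple_*/ldap_access_filter "
                        "group rule here to check")
    return findings


# Constructed sssd.conf fragments for a made-up domain abc.xyx.edu.
SAMPLE_TYPO = """\
[domain/abc.xyx.edu]
id_provider = ipa
access_provider = simple
simply_allow_groups = test
"""
SAMPLE_BAD_DN = """\
[domain/abc.xyx.edu]
id_provider = ipa
access_provider = ldap
ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
"""
SAMPLE_OK = """\
[domain/abc.xyx.edu]
id_provider = ipa
access_provider = simple
simple_allow_groups = test
"""

if __name__ == "__main__":
    for label, text in (("typo", SAMPLE_TYPO), ("bad DN", SAMPLE_BAD_DN), ("ok", SAMPLE_OK)):
        findings = check_access_config(text, "abc.xyx.edu")
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

After changing sssd.conf, restart sssd and re-test with a user who is not in the group; the check above only catches configuration that cannot work as written, it does not prove the rule is enforced.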

[Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Hello all.

tell me please. Is it possible to use password and otp auth at the one
moment?

For example I have DEV/STAGE servers and want to be able use password auth
for ssh, but for PROD servers I want to use OTP auth for same user.

Re: [Freeipa-users] is ipa-cert-manage safe to use?

2017-05-16 Thread Harald Dunkel
On 05/15/17 16:44, Rob Crittenden wrote:
> 
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?
> 

The current servers have been installed with --external-ca. freeipa
created a csr, it was signed by an external CA and handed off back
to the freeipa server.

The question was if I should drop the whole certificate support
in freeipa. It's called "CA-less install", if I got this correctly.
I am not sure if it is possible to switch from external-ca to
CA-less.

> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.
> 

Sure. Point is that I don't see how a problem on replacing freeipa's
(externally signed) CA certificate by a new one affects freeipa.

Sorry to say, but at install time I did not have the impression
that "ipa-server-install --external-ca" was thoroughly tested
before. I ran straight into a problem, but fortunately that didn't
matter, because freeipa was not in production use, yet. (Look for
"ipa-server-install --external-ca failed" on this mailing list,
thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I
have a huge problem, so I am concerned.


Regards
Harri



Re: [Freeipa-users] SSSD Cache and Service Tickets

2017-05-16 Thread Ronald Wimmer

On 2017-05-15 21:27, Jakub Hrozek wrote:

[...]

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:

Hi,

I am confronted with a behaviour for which I do not have an explanation.

I am using NFS4 Kerberos automounted homeshares and recently I got a
permission denied (reproducible when I restart autofs on the server I want
to connect to) from the Windows Domain. So here's what I tried:

1) Connected via PuTTY from a Windows Machine in the windows domain
 Kerberos-based login works but I get a "Permission Denied" on my home
directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Unfortunately no tickets.

Does running klist in cmd.exe show anything?

Yes, it does:
-bash-4.2$ klist
klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found


And again... If I connect from my linux machine (within the ipa domain), 
tickets are there:


-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: myu...@mywindowdomain.at

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain...@myipadomain.at
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/mywindowdomain...@mywindowdomain.at
        renew until 2017-05-16 15:43:45

From this point on login from windows (AD domain) does - of course - work.

Any ideas how to bring some light into this?
