[Freeipa-users] problem in ipa trust with AD

2015-09-09 Thread alireza baghery
Hi,
I installed CentOS 6.7 with a trust to Windows 2008 R2 (AD users cannot log in)
and got this log on the IPA server in the file /var/log/krb5kdc.log
IPA domain: l.infotechpsp.net

++
Sep 09 15:09:20 ipareplica.l.infotechpsp.net krb5kdc[1518](info): AS_REQ (4 etypes {18 17 16 23}) 10.30.120.20: NEEDED_PREAUTH: host/ussddm.l.infotechpsp@l.infotechpsp.net for krbtgt/l.infotechpsp@l.infotechpsp.net, Additional pre-authentication required

Is this correct? l.infotechpsp@l.infotechpsp.net
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] user AD not login but user freeipa can login

2015-09-05 Thread alireza baghery
Error in file /var/log/sssd/sssd_l.test.com:
+++

[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

+++
Also, on the IPA server I inserted the following into /etc/sssd/sssd.conf:
debug_level = 6
and the error in /var/log/sssd/sssd_l.test.com is:
++

[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

+++

On Sat, Sep 5, 2015 at 10:34 AM, alireza baghery <baghery.j...@gmail.com>
wrote:

> Hi,
> I have CentOS 6.7 (IPA server) with a TRUST to Windows 2008 R2 (AD)
> and CentOS 6.7 clients (IPA client, sssd 1.12.4).
> kinit for an AD user on Linux executes successfully,
> but AD users cannot log in.

[Freeipa-users] user AD not login but user freeipa can login

2015-09-05 Thread alireza baghery
Hi,
I have CentOS 6.7 (IPA server) with a TRUST to Windows 2008 R2 (AD)
and CentOS 6.7 clients (IPA client, sssd 1.12.4).
kinit for an AD user on Linux executes successfully,
but AD users cannot log in.

[Freeipa-users] User AD can not Login Client Linux

2015-08-23 Thread alireza baghery
Hi, I installed CentOS 7.1 (IdM server)
and integrated it with Windows Server 2008 R2 via a trust.
AD users cannot log in on the client (OLE 6.6), but users created in IdM can log in.

IdM server name = ipasrv.l.infotechpsp.net
Windows domain = infotechpsp.net

I executed [ kinit abagh...@infotechpsp.net ] on the IdM server,
and klist shows the keytab for abagheri,
but executing kvno abag...@infotechpsp.net
gives the ERROR "kvno: Server not found in Kerberos database".
Please help me, and thank you.

KLIST

Valid starting     Expires            Service principal
08/23/15 17:09:53  08/24/15 03:11:34  krbtgt/infotechpsp@infotechpsp.net
	renew until 08/24/15 17:09:53

==

Tail LOG /var/log/secure
==
Aug 23 17:08:19 ussd7 sshd[10280]: Invalid user abagh...@infotechpsp.net from 172.26.26.34
Aug 23 17:08:19 ussd7 sshd[10281]: input_userauth_request: invalid user abagh...@infotechpsp.net
Aug 23 17:08:27 ussd7 sshd[10280]: pam_unix(sshd:auth): check pass; user unknown
Aug 23 17:08:27 ussd7 sshd[10280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.26.26.34
Aug 23 17:08:28 ussd7 sshd[10280]: pam_succeed_if(sshd:auth): error retrieving information about user abagh...@infotechpsp.net
Aug 23 17:08:30 ussd7 sshd[10280]: Failed password for invalid user abagh...@infotechpsp.net from 172.26.26.34 port 63552 ssh2

=

Tail LOG /var/log/sssd/sssd_l.infotechpsp.net (debug_level = 6)
=
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][infotechpsp.net]
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use DNS discovery domain 'l.infotechpsp.net'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.l.infotechpsp.net'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.l.infotechpsp.net'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [request_watch_destructor] (0x0400): Deleting request watch
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_done] (0x0400): Inserted server 'ipasrv.l.infotechpsp.net:389' for service IPA
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipasrv.l.infotechpsp.net' in files
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'resolving name'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve  record of 'ipasrv.l.infotechpsp.net' in files
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipasrv.l.infotechpsp.net' in DNS
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [request_watch_destructor] (0x0400): Deleting request watch
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [set_server_common_status] (0x0100): Marking server 'ipasrv.l.infotechpsp.net' as 'name resolved'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [be_resolve_server_process] (0x0200): Found address for server ipasrv.l.infotechpsp.net: [10.30.160.19] TTL 1200
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipasrv.l.infotechpsp.net'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ussd7.l.infotechpsp.net, L.INFOTECHPSP.NET, 86400)
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Sun Aug 23 17:12:45 2015) [sssd[be[l.infotechpsp.net]]] [resolve_srv_send]

[Freeipa-users] not login users AD (2008R2 ) on linux

2015-08-17 Thread alireza baghery
Hi,
I installed CentOS 6.5 and IPA 3.0.0-37
and a trust with Windows 2008 R2.
Everything was OK and AD users could log in on Linux,
but I installed an IPA replica three weeks ago,
and for two days AD users cannot log in on Linux,
while IPA users can log in on Linux.
===Error in /var/log/secure

Aug 17 14:48:20 dwn1 sshd[51694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rdpadmin_34.infotechpsp.net  user=abagh...@infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rdpadmin_34.infotechpsp.net user=abagh...@infotechpsp.net
Aug 17 14:48:20 dwn1 sshd[51694]: pam_sss(sshd:auth): received for user abagh...@infotechpsp.net: 4 (System error)
Aug 17 14:48:22 dwn1 sshd[51694]: Failed password for abagh...@infotechpsp.net from 172.26.26.34 port 51168 ssh2
=
and the sssd configuration has not changed.

Re: [Freeipa-users] problem with reinstall ipa client

2015-04-25 Thread alireza baghery
Thanks,
I removed /etc/ipa/ca.cert and the problem is solved.

On Sat, Apr 25, 2015 at 4:26 PM, alireza baghery baghery.j...@gmail.com
wrote:

 thanks
  i remove /etc/ipa/ca.cert and problem solved

 On Sat, Apr 25, 2015 at 4:16 PM, Dmitri Pal d...@redhat.com wrote:

  On 04/25/2015 01:27 AM, alireza baghery wrote:

hi
  i REMOVE server ipa-server (3.0.0 centos 6.5) with HOSTNAME
 (ipasrv.linux)
  and REINSTALL server ipa with same hostname and OS (centos 6.5)
  server IPA integrate with AD windows (2008)
  and on Clients first Uninstall IPa-Client with Command
 ipa-client-install --uninstall
  but when i want INSTALL ipa-client -install --mkhomedir get ERROR
 
 LDAP Error: Connect error: TLS error -8054:You are attempting to import a
 cert with the same issuer/serial as an existing cert, but that is not the
 same cert.
 
  thnks every body


  When you install the client, IPA issues a cert that is tracked by
 certmonger on the client.
 If you uninstall the client the cert might still be there.
 When you then reinstall the client it tries to get the cert again and,
 since it is a different server but a client with the same name, you get a
 mismatch of the cert. The error is about that.

 Please try this:

 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/manually-unconfig-machines.html

 However I thought that this was fixed quite some time ago but maybe it
 did not make 6.5.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






[Freeipa-users] problem with reinstall ipa client

2015-04-24 Thread alireza baghery
Hi,
I REMOVED the IPA server (3.0.0, CentOS 6.5) with HOSTNAME (ipasrv.linux)
and REINSTALLED the IPA server with the same hostname and OS (CentOS 6.5).
The IPA server is integrated with AD Windows (2008).
On the clients I first uninstalled the IPA client with the command ipa-client-install
--uninstall
but when I want to INSTALL with ipa-client-install --mkhomedir I get the ERROR

LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Thanks everybody

[Freeipa-users] problem with sssd in centos 6.5

2015-03-15 Thread alireza baghery
Hi,
I installed CentOS 6.5 (sssd client 1.9).
When I execute any command, the sssd_be process is at 100 percent,
and when the sssd client is updated to 1.11 the ipa-client does not work.
How do I solve this problem?

[Freeipa-users] ipa replication not working

2015-02-16 Thread alireza baghery
I installed IPA on CentOS 6.5 with replication.
When I configure any role in IPA, the role is copied to the replica,
but conversely it does not work (roles from the replica are NOT copied to IPA).
I did the following:

*on server IPA:*
 #ipa-replica-manage list
 ipa... master
 ipareplica...master

#ipa-replica-manage list ipa
ipareplica.replica

#ipa-replica-manage list ipareplica
ipa...replica

*on server ipareplica*
#ipa-replica-manage list
ipa... master
 ipareplica...master

#ipa-replica-manage list ipa
Failed get data from ipa... Can not Contact LDAP Server

Re: [Freeipa-users] error install replication

2015-02-09 Thread alireza baghery
ipasrv# service sssd status
sssd is running
Nevertheless I restarted the sssd service
but the problem is not solved.

On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/09/2015 07:42 AM, alireza baghery wrote:
  i check on both server ssh each other's name and ssh successful and
 resolve
  name was also correct on each server
  but i can not login with user admin from ipareplica via ssh
 (root@ipareplica]#
  ssh admin@ipasrv === failed)
 
  [root@ipareplica ~]# ssh ipasrv
  root@ipasrv's password:
  Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
  =log /var/secure
  Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
  10.30.160.20 port 52110 ssh2
  Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
 opened
  for user root by (uid=0)
  =
  [root@ipasrv ~]# ssh ipareplica
  root@ipareplica's password:
  Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19
 
  ==
  [root@ipareplica ~]# nslookup ipasrv
  Server: 10.30.160.19
  Address:10.30.160.19#53
 
  Name:   ipasrv
  Address: 10.30.160.19
 
  
  [root@ipasrv ~]# nslookup ipareplica
  Server: 127.0.0.1
  Address:127.0.0.1#53
 
  Name:   ipareplica
  Address: 10.30.160.20
  =

 Ok, so ssh is running, you can log in with root. I think that by 99%
 chance, your SSSD service is not running on the IPA server. Please check
 if this is the case and if yes, please try to (re)start it. If that helped,
 it would be also useful to see *why* the SSSD is not running (crash,
 misconfiguration, ...)

 Martin


Re: [Freeipa-users] error install replication

2015-02-09 Thread alireza baghery
Yes, I tried ssh admin@hostname but it does not work.
log secure:

Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20  user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from 10.30.160.20 port 52123 ssh2
Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user admin by PAM account configuration


On Mon, Feb 9, 2015 at 3:20 PM, Martin Kosek mko...@redhat.com wrote:

 Did you try the ssh admin@`hostname` command? It should show if ssh to
 admin via SSSD/FreeIPA really works.

 On 02/09/2015 11:18 AM, alireza baghery wrote:
  account admin recognize and show uid gid and groups
  On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com wrote:
 
  Ok. When on the server, does
 
  # id admin
 
  or ssh admin@`hostname` work? Maybe it does not recognize the admin
  user.
 



Re: [Freeipa-users] error install replication

2015-02-09 Thread alireza baghery
The admin account is recognized and shows uid, gid and groups.
On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com wrote:

 Ok. When on the server, does

 # id admin

 or ssh admin@`hostname` work? Maybe it does not recognize the admin
 user.




Re: [Freeipa-users] error install replication

2015-02-09 Thread alireza baghery
thanks

On Mon, Feb 9, 2015 at 6:42 PM, Martin Kosek mko...@redhat.com wrote:

 On 02/09/2015 03:31 PM, Dmitri Pal wrote:
  On 02/09/2015 08:34 AM, alireza baghery wrote:
  yes try ssh admin@hostname but do not work
  log secure-
 
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
  Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from 10.30.160.20 port 52123 ssh2
  Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user admin by PAM account configuration
 
 
  Do you have HBAC rules? Does admin have the rights to log in via SSH?
  If you changed the default rules it might be that admin is not allowed
  to log in via ssh.

 Good questions. Also note that if, for some special reasons, you do not
 want to make admins log in to your FreeIPA servers, you can always pass
 --skip-conncheck to the replica and go straight to the installation,
 skipping the firewall check.

 Of course, no guarantees that the installation won't get stuck or crash
 because of closed ports in that case.

 Martin



[Freeipa-users] error install replication

2015-02-08 Thread alireza baghery
Hi,
I installed IPA on CentOS 6.5
and want to install a replica.
For this purpose I did the following tasks:
   ipa-install-prepare --ip-address (replica) replica
   (replica) nameserver ipa
   (replica) ipa-replica-install
but in the connection check I get an ERROR
===message stdout replica===
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@* password:

Execute check on remote master

Remote master check failed with following error message(s):

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.
=message log in /var/log/ipa-replication-connection-check
=
2015-02-08T07:41:30Z DEBUG args=/usr/bin/kinit admin@IPA*
2015-02-08T07:41:30Z DEBUG stdout=Password for admin@IPA*:

2015-02-08T07:41:30Z DEBUG stderr=
2015-02-08T07:41:30Z DEBUG args=/usr/bin/kvno host/ipa
2015-02-08T07:41:30Z DEBUG stdout=host/ipa*@IPA**: kvno = 2

2015-02-08T07:41:30Z DEBUG stderr=
2015-02-08T07:41:30Z DEBUG args=/usr/bin/ssh -q -o StrictHostKeychecking=no
-o UserKnownHostsFile=/dev/null admin@ipa
/usr/sbin/ipa-replica-conncheck --replica replica***
2015-02-08T07:41:30Z DEBUG stdout=
2015-02-08T07:41:30Z DEBUG stderr=
=
Thanks

Re: [Freeipa-users] error install replication

2015-02-08 Thread alireza baghery
I checked on both servers that ssh to each other's name succeeds, and name
resolution was also correct on each server,
but I cannot log in with user admin from ipareplica via ssh ([root@ipareplica]#
ssh admin@ipasrv === failed)

[root@ipareplica ~]# ssh ipasrv
root@ipasrv's password:
Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
=log /var/secure
Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
10.30.160.20 port 52110 ssh2
Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session opened
for user root by (uid=0)
=
[root@ipasrv ~]# ssh ipareplica
root@ipareplica's password:
Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19

==
[root@ipareplica ~]# nslookup ipasrv
Server: 10.30.160.19
Address:10.30.160.19#53

Name:   ipasrv
Address: 10.30.160.19


[root@ipasrv ~]# nslookup ipareplica
Server: 127.0.0.1
Address:127.0.0.1#53

Name:   ipareplica
Address: 10.30.160.20
=

[Freeipa-users] ipa replica (centos 6.5) integrate with AD 2008

2015-02-04 Thread alireza baghery
Hi,
I integrated IPA (CentOS 6.5) with AD Windows Server 2008 and everything
works.
I installed the replica server as follows:
   #(ipaserver ipa): replica-prepare ipareplica.example.com --ip-address 192.168.1.2
   scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
   ipa-replica-install --setup-dns --forwarder=IP-AD /var/lib/ipa/replica-info-ipareplica.example.com.gpg
but ipareplica does not work.
I turned off the IPA server (master) but clients do not work with the replica.

[Freeipa-users] problem users AD can not sudo in centos 6.6

2015-01-03 Thread alireza baghery
Hi,
I integrated AD Windows 2008 R2 with an IPA server (CentOS 6.5).
I wrote a policy for user test to execute any command on any host.
User test can execute sudo on CentOS 6.5 but on CentOS 6.6 cannot (sudo
gets an error).
Config sssd.conf
=

[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com ldap://ipadevel.example.com
ldap_sudo_search_base = ou=sudoers,dc=l,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo


How do I solve this problem?

[Freeipa-users] Fwd: problem users AD can not sudo in centos 6.6

2015-01-03 Thread alireza baghery
Hi,
I integrated AD Windows 2008 R2 with an IPA server (CentOS 6.5).
I wrote a policy for user test to execute any command on any host.
User test can execute sudo on CentOS 6.5 but on CentOS 6.6 cannot (sudo
gets an error).
Config sssd.conf
=

[domain/l.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
ipa_server = _srv_,ipaserver.l.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://ipasrv.l.example.com
ldap_sudo_search_base = ou=sudoers,dc=l,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipadevel.l.example.com
ldap_sasl_realm = L.EXAMPLE.COM
krb5_server = ipadevel.l.example.com

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo


How do I solve this problem?

[Freeipa-users] syslog

2014-09-23 Thread alireza baghery
Hi,
I have configured IPA (IPA on CentOS 6.5) and configured rsyslog to send
logs to a syslog server (Juniper STRM).
In STRM I get the error "unknown generic log event" for Linux logs (from servers
with the IPA client installed), but with other Linux servers there is no problem.

[Freeipa-users] problem with log in ipa

2014-09-23 Thread alireza baghery
Hi,
I have configured IPA (IPA on CentOS 6.5) and configured rsyslog to send
logs to a syslog server (Juniper STRM).
In STRM I get the error "unknown generic log event" (logs of the IPA clients),
but with other Linux servers there is no problem.

[Freeipa-users] log activity users ipa

2014-09-01 Thread alireza baghery
Hi,
I have configured IPA (IPA on CentOS 6.5) but the problem is I don't know
where the user activity logs are stored?
I mean the user activity logs must be stored on the IPA server, but where?
Thanks everybody

Re: [Freeipa-users] log activity users ipa

2014-09-01 Thread alireza baghery
Activity that users perform on the client (IPA client).


On Mon, Sep 1, 2014 at 11:12 AM, Dmitri Pal d...@redhat.com wrote:

  On 09/01/2014 08:29 AM, alireza baghery wrote:

   hi
  i have configured ipa (ipa on centos 6.5) but the problesm is i dont know
 where the logs activity users stored?
  i meens logs activity users must stored in ipa server, but where?
  thanks every body



  Which activity are you looking for?
 The administrative activity will be stored in the Apache httpd logs,
 authentication activity will be stored in Kerberos logs, DS binds and
 changes will be stored in the DS logs, etc. There is no consolidated
 logging yet. There are plans to normalize components to start logging into
 journald but this will take some time to materialize.



Re: [Freeipa-users] users AD can not sudo in centos 6.5

2014-08-26 Thread alireza baghery
Sorry for the delay.
File sssd.conf:
==

[domain/example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = l.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1.l.example.com
chpass_provider = ipa
ipa_server = ipaserver.l.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
services = nss, pam,ssh,sudo

domains = l.example.com
[nss]

[pam]

[ssh]



On Mon, Aug 25, 2014 at 4:49 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Mon, Aug 25, 2014 at 01:58:41PM +0200, Jakub Hrozek wrote:
  For sudo logs, something like:
 Debug sudo /tmp/sudo_debug all@debug
  Should produce pretty verbose logs

 Sorry, I should have said the Debug directive belongs to /etc/sudo.conf



[Freeipa-users] users AD can not sudo in centos 6.5

2014-08-25 Thread alireza baghery
Hi,
I integrated AD Windows 2008 R2 with an IPA server (CentOS 6.5).
I wrote a sudo policy with access for a specified user and host, allowing any
command.
The user can execute sudo on CentOS 7, but when the user logs in on CentOS 6.5 they
cannot execute sudo and get the error below:
user@AD is not in sudoers file.
I configured /etc/nsswitch.conf: sudoers: file sss
/etc/sss/sss.conf: service nss, pam,ssh,sudo
/etc/sysconfig/network: NISDOMAIN=ad.com

[Freeipa-users] i inetgrated ipa server with AD but users AD can not loggin on server linux?

2014-08-20 Thread alireza baghery
Hi,
Having a particularly weird problem. We have moved from AD (Windows 2008
R2)
to an IPA server (CentOS 6.5), and I integrated IPA with AD.
Linux machines are joined to IPA and Windows machines are joined to AD.
AD users can log in in CLI mode on Linux systems (CentOS 6.5)
but cannot log in in GUI mode.
Error message in file /var/log/security
--
pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
pam: gdm-password[2685]: pam_sss(gdm-password:auth): authenticate success:  logname= uid=0 euid=0 tty=:0 ruser= rhost= rhost= user=sallea@AD
pam: gdm-password[2685]: pam_unix (gdm-password:session): session opened for user sallea@AD by (uid=0)
polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116 , object path /org/gnome/PolcyKit1/AuthenticationAgent, local en_US) (disconnected from bus)

pam: gdm-password[2685]: pam_unix (gdm-password:session): session closed for user sallea@AD
--

and the contents of /etc/pam.d/password-auth:
---
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

session     require       pam_sss.so
--
How do I solve this problem?
Thanks
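An added example, not from the thread: a Python summariser for the pam_unix/pam_sss lines that gdm-password writes to the secure log, grouped by PID, so that the pam_unix "authentication failure" which precedes a pam_sss success is read for what it is. pam_unix only knows local /etc/passwd accounts, so in the stack above it fails for a trusted-domain user and the `sufficient` pam_sss entry then decides the auth phase. The log lines embedded below are constructed in syslog shape from the lines quoted in the question; the timestamps and the host name `client1` are made up.

```python
"""Added example (not from the thread): per-PID summary of PAM auth and session
events from a display manager's secure-log lines."""
import re
from collections import defaultdict

# Matches "<service>[<pid>]: <module>(<svc>:<phase>): <message>" anywhere in a
# syslog line; the space some logs put before the parenthesis is tolerated.
LINE_RE = re.compile(
    r"(?P<service>[\w-]+)\[(?P<pid>\d+)\]:\s*"
    r"(?P<module>pam_\w+)\s*\((?P<svc>[\w-]+):(?P<phase>\w+)\):\s*(?P<msg>.*)")
# "user=NAME" (not "ruser=") or "for user NAME".
USER_RE = re.compile(r"(?:\buser=|for user )(\S+)")


def parse_line(line):
    """Return a dict for a PAM log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    msg = rec["msg"].lower()
    if "session opened" in msg:
        rec["event"] = "session_open"
    elif "session closed" in msg:
        rec["event"] = "session_close"
    elif "success" in msg:
        rec["event"] = "success"
    elif "failure" in msg or "failed" in msg:
        rec["event"] = "failure"
    else:
        rec["event"] = "info"      # e.g. pam_sss password-expiry notices
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group(1) if u else None
    return rec


def summarise(lines):
    """Return {pid: summary}. auth_ok is True when any module reported success
    in the auth phase; an earlier pam_unix failure does not change that."""
    per_pid = defaultdict(lambda: {
        "service": None, "user": None, "auth": [], "auth_ok": False,
        "session_opened": False, "session_closed": False, "messages": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_pid[rec["pid"]]
        s["service"] = rec["service"]
        if rec["user"]:
            s["user"] = rec["user"]
        if rec["phase"] == "auth":
            if rec["event"] in ("success", "failure"):
                s["auth"].append((rec["module"], rec["event"]))
                if rec["event"] == "success":
                    s["auth_ok"] = True
            elif rec["event"] == "info":
                s["messages"].append(rec["msg"])
        elif rec["phase"] == "session":
            if rec["event"] == "session_open":
                s["session_opened"] = True
            elif rec["event"] == "session_close":
                s["session_closed"] = True
    return dict(per_pid)


def describe(pid, s):
    """One-line verdict for a PID's summary."""
    ok = [m for m, e in s["auth"] if e == "success"]
    bad = [m for m, e in s["auth"] if e == "failure"]
    verdict = f"auth OK via {','.join(ok)}" if s["auth_ok"] else "auth FAILED"
    if "pam_unix" in bad:
        verdict += " (pam_unix failed first: expected, the account is not local)"
    if s["session_opened"] and s["session_closed"]:
        sess = "session opened and closed"
    elif s["session_opened"]:
        sess = "session opened"
    else:
        sess = "no session"
    return f"pid {pid} {s['service']} user {s['user']}: {verdict}; {sess}"


# Constructed sample in syslog shape, modelled on the lines quoted in the question.
SAMPLE = """\
Aug 20 13:40:01 client1 gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=sallea@AD
Aug 20 13:40:01 client1 gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
Aug 20 13:40:01 client1 gdm-password[2685]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
Aug 20 13:40:02 client1 gdm-password[2685]: pam_unix(gdm-password:session): session opened for user sallea@AD by (uid=0)
Aug 20 13:40:03 client1 gdm-password[2685]: pam_unix(gdm-password:session): session closed for user sallea@AD
""".splitlines()

if __name__ == "__main__":
    for pid, s in summarise(SAMPLE).items():
        print(describe(pid, s))
```

Run it over the real file with `summarise(open("/var/log/secure").readlines())`; a PID whose verdict reads "auth OK ... session opened and closed" within a couple of seconds points the investigation past PAM authentication to what happens after the session opens (the display manager and session startup logs), rather than at the pam_unix line.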

Re: [Freeipa-users] I integrated IPA server with AD but AD users cannot log in on the Linux server?

2014-08-20 Thread alireza baghery
Yes, right. IPA has a trust relationship with AD and the AD subdomain. Yes, GDM produces the log.


On Wed, Aug 20, 2014 at 5:27 PM, Dmitri Pal d...@redhat.com wrote:

  On 08/20/2014 01:45 PM, alireza baghery wrote:

  hi
 Having a particularly weird problem. We have moved from AD (Windows
 2008 R2) to an IPA server (CentOS 6.5), and I integrated IPA with AD.
 Linux machines are joined to IPA and Windows machines are joined to AD.
 AD users can log in in CLI mode on the Linux system (CentOS 6.5)
 but cannot log in in GUI mode.



 Do I get it right:

 A user from AD walks to a desktop console of a Linux system joined to
 IPA that is in a trust relationship with AD, and GDM produces the following
 log?


  Error messages in file /var/log/security:

 --
 pam: gdm-password[2685]: pam_unix(gdm-password:auth): authentication failure: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
 pam: gdm-password[2685]: pam_sss(gdm-password:auth): user info message: your password will expire in 40 day
 pam: gdm-password[2685]: pam_sss(gdm-password:auth): authenticate success: logname= uid=0 euid=0 tty=:0 ruser= rhost= user=sallea@AD
 pam: gdm-password[2685]: pam_unix(gdm-password:session): session opened for user sallea@AD by (uid=0)
 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.116, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US) (disconnected from bus)
 pam: gdm-password[2685]: pam_unix(gdm-password:session): session closed for user sallea@AD
 --

 and the contents of /etc/pam.d/password-auth:
 ---
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so

 session     require       pam_sss.so
 --
 How do I solve this problem?
 Thanks




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


