[Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address

2018-12-19 Thread Bryan Mesich via FreeIPA-users
On Wed, Dec 19, 2018 at 09:18:35PM -0600, Bryan Mesich via FreeIPA-users wrote: > On Thu, Dec 20, 2018 at 01:08:14AM +, Theese, David C wrote: > > Bryan, > > > > Thank you very much for the response. > > > > I have double-checked that I do have both A and PTR records configured for > > all h

[Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address

2018-12-19 Thread Bryan Mesich via FreeIPA-users
On Thu, Dec 20, 2018 at 01:08:14AM +, Theese, David C wrote: > Bryan, > > Thank you very much for the response. > > I have double-checked that I do have both A and PTR records configured for > all hosts, and I even have an automated test that runs daily to check both > forward and reverse c

[Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address

2018-12-19 Thread Theese, David C via FreeIPA-users
Bryan, Thank you very much for the response. I have double-checked that I do have both A and PTR records configured for all hosts, and I even have an automated test that runs daily to check both forward and reverse consistency of all DNS records specifically to avoid DNS-related authentication

[Freeipa-users] Re: Single Sign On (SSO) SSH via IP Address

2018-12-19 Thread Bryan Mesich via FreeIPA-users
On Thu, Dec 20, 2018 at 12:10:37AM +, Theese, David C via FreeIPA-users wrote: > Hello FreeIPA Community, > > I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611. > > Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a > passwordless manner (Single Sign On (SSO))

[Freeipa-users] Single Sign On (SSO) SSH via IP Address

2018-12-19 Thread Theese, David C via FreeIPA-users
Hello FreeIPA Community, I am using FreeIPA version 4.4.0 on CentOS Linux 7.3.1611. Via FreeIPA's use of Kerberos, I have no problem SSHing among hosts in a passwordless manner (Single Sign On (SSO)) as long as I use their hostnames. Example relevant output from the SSH client verbose mode is:

[Freeipa-users] Re: Limits exceeded for this query

2018-12-19 Thread lune voo via FreeIPA-users
Hello Florence. Going to check that tomorrow and add these lines. Thanks for this first answer. Lune On Wed, Dec 19, 2018 at 20:27, Florence Blanc-Renaud wrote: > On 12/19/18 12:15 PM, lune voo via FreeIPA-users wrote: > > Hello everyone. > > > > I send you this mail because I have a proble

[Freeipa-users] new replica does not post properly in ipa_check_consistency

2018-12-19 Thread Grant Janssen via FreeIPA-users
-idm03:~[20181219-11:35][#103]$ ipa-replica-manage list ef-idm03.production.efilm.com: master ef-idm02.production.efilm.com: master ef-idm01.production.efilm.com: master grant@ef-idm03:~[20181219-11:35][#104]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W FreeIPA servers:ef-idm01

[Freeipa-users] Re: Limits exceeded for this query

2018-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/19/18 12:15 PM, lune voo via FreeIPA-users wrote: Hello everyone. I send you this mail because I have a problem with an ipa group-remove-member command which ends up with the following error message : "Limits exceeded for this query". I'm using IPA 3.0.0. The group for which I want to r

[Freeipa-users] Re: freeIPA Host certs

2018-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote: Hello, Hope you are doing good. I have a question regarding freeIPA host certificates. We are using FreeIPA as our LDAP. We have some certificates for hosts ex :- http/uat.com . And we are deploying the certs in Haproxy i

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-12-19 Thread lune voo via FreeIPA-users
Thanks Rob. Hm, thinking about this, this problem occurred only when I use the python code for ipa api. When I begin my script, I perform the following : api.bootstrap_with_global_options(context='cli') api.finalize() api.Backend.xmlclient.connect() When I end my script, I just do a kdestroy com

[Freeipa-users] Re: freeipa server removed from DNS at seemingly random intervals

2018-12-19 Thread Jim Richard via FreeIPA-users
Hi Rob, thanks for taking a look. Re: sanity check I meant: 13-Dec-2018 00:31:34.398 client 10.30.10.27#53265/key host/mdc-ipa-01.idm.planetrisk.com\(a)IDM.PLANETRISK.COM: updating zone 'idm.planetrisk.com/IN': update rejected: post update name server sanity check failed 13-Dec-2018 00:31:34.

[Freeipa-users] Re: freeipa server removed from DNS at seemingly random intervals

2018-12-19 Thread Rob Crittenden via FreeIPA-users
James Richard via FreeIPA-users wrote: > how about if I change the question to: > > Why does a "sanity check" seem to happen before an A record delete is > processed, the sanity check seems to fail BUT, the system goes right and > deletes the record anyways ??? What do you mean by sanity

[Freeipa-users] Re: Upgrading from 4.2.4 (FC23)

2018-12-19 Thread Rob Crittenden via FreeIPA-users
Brian Topping via FreeIPA-users wrote: > Hi Roberto, my skills here are weaker than the actual team here but they > are busy so I thought I might be able kick in a little.  > > Please do be careful. I recently had a situation where I had a machine > crash during initial replication due to a bad CP

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-12-19 Thread Rob Crittenden via FreeIPA-users
lune voo via FreeIPA-users wrote: > Hello everyone. > > I had this problem again but forgot to perform a klist -ef. :( > > I was wondering if my problem was coming from the session I had > established with Freeipa. > So I was wondering if I could reinitialize the session, maybe by > removing the

[Freeipa-users] freeIPA Host certs

2018-12-19 Thread Azim Siddiqui via FreeIPA-users
Hello, Hope you are doing good. I have a question regarding freeIPA host certificates. We are using FreeIPA as our LDAP. We have some certificates for hosts ex :- http/uat.com. And we are deploying the certs in Haproxy in PEM format. But the certificates for this host have expired. Can you please

[Freeipa-users] FreeIPA with Radius Server (Cisco ISE)

2018-12-19 Thread Nikolaos Hatzipanagiotidis via FreeIPA-users
Dear Community, thank you for joining the Community! I am struggling on connecting my FreeIPA with a Cisco ISE Radius Server. I want to use MsChapV2 for Authentication. But I can't find a real manual on how to connect a radius server with freeIPA. Just the FreeRadius manuals which I can't apply

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-12-19 Thread lune voo via FreeIPA-users
Hello everyone. I had this problem again but forgot to perform a klist -ef. :( I was wondering if my problem was coming from the session I had established with Freeipa. So I was wondering if I could reinitialize the session, maybe by removing the cookie ? When we use the ipa command, I can see t

[Freeipa-users] OpenShift Commons Briefing on FreeIPA in an OKD deployment

2018-12-19 Thread Marc Boorshtein via FreeIPA-users
Fellow FreeIPAers, We're doing a webinar with Red Hat this afternoon about a complex customer deployment where FreeIPA's great integration with AD and Kerberos is a big reason for its success. Thought it would be of interest to the folks on this list: https://commons.openshift.org/events.html#ev

[Freeipa-users] Limits exceeded for this query

2018-12-19 Thread lune voo via FreeIPA-users
Hello everyone. I send you this mail because I have a problem with an ipa group-remove-member command which ends up with the following error message : "Limits exceeded for this query". I'm using IPA 3.0.0. The group for which I want to remove a user contains other groups also (281). I was wonder

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-19 Thread Kees Bakker via FreeIPA-users
On 18-12-18 17:50, Florence Blanc-Renaud wrote: > On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote: >> Hello, >> >> I want to move my IPA master to new hardware, but IPA does not >> want to start on that new hardware. >> >> /var/log/krb5kdc.log shows: >> krb5kdc: Server error - while fetchi

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-19 Thread Kees Bakker via FreeIPA-users
On 18-12-18 19:18, Robbie Harwood wrote: > Kees Bakker writes: > >> On 17-12-18 20:44, Robbie Harwood wrote: >>> Kees Bakker via FreeIPA-users >>> writes: >>> Sure I understand that, but this error in /var/log/krb5kdc.log is basically all I have. krb5kdc: Server error - while fetch

[Freeipa-users] Re: Add second hostname in FreeIPA CA

2018-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/17/18 3:21 PM, Peter Tselios via FreeIPA-users wrote: Hello everyone, I have 2 FreeIPA servers in AWS and a LB in front of them to serve the UI and the LDAP (just the gui and just the LDAP. For Kerberos, we use DNS discovery). My problem is that I cannot use TLS with LDAP connections becau