[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
Also make sure your pam configs are sorted and using sssd:
grep -R sss /etc/pam.d/
/etc/pam.d/common-password:password sufficient pam_sss.so use_authtok
/etc/pam.d/common-auth:auth [success=1 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-account:acc

[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Alex Georgopoulos via FreeIPA-users
I forgot we configured our /etc/ssh/sshd_config as well. You need to have the AuthorizedKeysCommand. Here is what ours looks like:
AcceptEnv LANG LC_*
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
Banner /etc/issue.net
ChallengeResponseAuthentication no

[Freeipa-users] Re: freeipa client on Ubuntu SSH fails

2019-03-08 Thread Will Kay via FreeIPA-users
Thanks for the tip. I made the nsswitch.conf just like yours. I also looked at the files on a CentOS7 client and made changes on the Ubuntu. But it is still no good. Any more suggestions? The test user IDs are on the system, I can su to them. However I can't ssh it. I also notice when I try `

[Freeipa-users] IPA install with custom CA fails at SSL: CERTIFICATE_VERIFY_FAILED

2019-03-08 Thread Jonny McCullagh via FreeIPA-users
I can install freeipa with ipa-server-install and no parameters fine. However I want to be able to use IPA as a sub-CA. I have created root and intermediate CAs using openssl and attempt to install ipa server with: /usr/sbin/ipa-server-install --external-cert-file=/root/thisserver.domain.dev.ce

[Freeipa-users] Re: OTP + SSHKey/Certificate Authentication

2019-03-08 Thread Alexander Bokovoy via FreeIPA-users
On pe, 08 maalis 2019, Callum Smith via FreeIPA-users wrote: Dear FreeIPA Gurus, I was wondering if it's possible to configure `sshd` such that for OTP based authentication the first factor could be passed as a ssh key or certificate. So specifically: The user's password would not be required f

[Freeipa-users] OTP + SSHKey/Certificate Authentication

2019-03-08 Thread Callum Smith via FreeIPA-users
Dear FreeIPA Gurus, I was wondering if it's possible to configure `sshd` such that for OTP based authentication the first factor could be passed as a ssh key or certificate. So specifically: The user's password would not be required for auth, only the key and OTP token. Is there a magic combina

[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-08 Thread François Cami via FreeIPA-users
On Fri, Mar 8, 2019 at 4:48 PM Rob van Halteren via FreeIPA-users wrote: > > OK, may have found a probable cause for the stall of the applications. > > I have 1 fileserver that has an ipa-client installed and is enrolled on the > ipa-server. It serves 3 nfs shares, one of them are home-director

[Freeipa-users] list all users and their password expiration date?

2019-03-08 Thread Anthony Jarvis-Clark via FreeIPA-users
Hello Everyone, Is there a command line method to get a list of users and their password expiration date? Thanks! -Anthony ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.

[Freeipa-users] Re: replace ipa-server and relink clients on same realm

2019-03-08 Thread Rob van Halteren via FreeIPA-users
OK, may have found a probable cause for the stall of the applications. I have 1 fileserver that has an ipa-client installed and is enrolled on the ipa-server. It serves 3 nfs shares, one of them is home directories. In the logs, at times that the old replica is switched off, I see a lot of:

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-03-08 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 04:10:09PM +0100, Morgan Marodin wrote: > Another strange behaviour ... > > From 1st IPA server: > > > *[root@mlv-ipa01 ~]# id morgan.maro...@mydomain.com > uid=1143802726(morgan.maro...@mydomain.com > ) gid=1143802726(morgan.maro...@mydomain.com > ) > groups=1143802726(m

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-08 Thread François Cami via FreeIPA-users
Hi Vivek, On Fri, Mar 8, 2019 at 9:09 AM Vivek Aggarwal via FreeIPA-users wrote: > > ok thanks but we're kind of new to DNS zone deployment. Though I will > search on Google but thought of getting any direct pointers from your end > on how to configure/set up There is the upstream documenta

[Freeipa-users] 3rd party Certificate for HTTP and LDAP

2019-03-08 Thread Ronald Wimmer via FreeIPA-users
Today I was reading the documentation on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Is the Prerequisite step necessary if the CA (Digicert) is already trusted by the OS? Regards, Ronald

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-08 Thread Vivek Aggarwal via FreeIPA-users
OK thanks, but we're kind of new to DNS zone deployment. Though I will search on Google, I thought of getting any direct pointers from your end on how to configure/set it up. Many thanks for responding & helping us... it means a lot.