[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Khurrum Maqb via FreeIPA-users
Strangely, it's correct. I also just did another ipa-client-install --request-cert and it joined correctly and placed the IPA cert in that location. Here is the krb5.conf file [root@gs6069-ld-i014 ~]# cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Sumit Bose via FreeIPA-users
On Fri, May 24, 2019 at 07:30:53PM -, Khurrum Maqb via FreeIPA-users wrote: > And if I specify the card LABEL: > > > > > # KRB5_TRACE=/dev/stdout kinit -X > X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV > Authentication' username > [22278] 1558726069.978962:

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Khurrum Maqb via FreeIPA-users
And if I specify the card LABEL: # KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV Authentication' username [22278] 1558726069.978962: Getting initial credentials for username@DOMAIN [22278] 1558726069.978964: Sending unauthenticated

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-05-24 Thread John Desantis via FreeIPA-users
All, Just a heads-up for users that land on this thread. Make sure that you do not create any groups whose names are actual AD usernames, i.e. "amber12" and "amber12". If you do, client look-ups will stall and fail. As a result of this find, we'll make sure to add a prefix/suffix to the group

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Khurrum Maqb via FreeIPA-users
Thank you very much for the response, Sumit. > Can you send the full output of > > KRB5_TRACE=/dev/stdout kinit -X > X509_user_identity='PKCS11:opensc-pkcs11.so' > username Here it is. There are indeed 9 certs on the smartcard and the card auth cert is at location 01 #

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Sumit Bose via FreeIPA-users
On Fri, May 24, 2019 at 04:12:20PM -, Khurrum Maqb via FreeIPA-users wrote: > We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would > like to properly configure smartcard authentication. The smartcards that > we're using have been signed by an External CA controlled

[Freeipa-users] Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Khurrum Maqb via FreeIPA-users
We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would like to properly configure smartcard authentication. The smartcards that we're using have been signed by an External CA controlled by a different entity. So to get that working, I've added the required CA certs using

[Freeipa-users] Re: sudo rule does not work for domain user

2019-05-24 Thread John Keates via FreeIPA-users
Turn up the dial on debug logging on SSSD to find out more. John > On 24 May 2019, at 13:00, Rob Verduijn via FreeIPA-users > wrote: > > Hello, > > I'm trying to figure out why an ad-domain user cannot use sudo. > > When I test with > > ipa hbactest --user=ansible --host

[Freeipa-users] sudo rule does not work for domain user

2019-05-24 Thread Rob Verduijn via FreeIPA-users
Hello, I'm trying to figure out why an ad-domain user cannot use sudo. When I test with ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i It says access granted: True however if I issue the command 'sudo -l -U ansible' on the ipa01 host it says: User

[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-24 Thread Tony Brian Albers via FreeIPA-users
Wow! I haven't had the time yet to get on with it, but you sure saved me a lot of time fiddling with this. Thanks Geert. /tony On Fri, 2019-05-24 at 08:38 +, Geert Geurts via FreeIPA-users wrote: > Hi Tony, > The solution of Neal Harrington works perfectly! > Here the full steps to

[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-24 Thread Geert Geurts via FreeIPA-users
Hi Tony, The solution of Neal Harrington works perfectly! Here are the full steps to implement his solution: 1) open with an editor on the ipa server /etc/sudoers.d/zabbix and fill with: ## Allow zabbix to query ipa status Defaults:zabbix !requiretty zabbix ALL = (root) NOPASSWD: /usr/sbin/ipactl status

[Freeipa-users] Status of the HSM support?

2019-05-24 Thread チョーチュアン via FreeIPA-users
Hi all, I just bought a Nitrokey HSM and am trying to set it up with FreeIPA; I'm not sure it's quite supported yet. `ipa-server-install` aborted every time during CA configuration; the reported error was "pkihelper : ERRORServer unreachable due to SSL error: [SSL: