[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Sumit, Actually, I just got it working without forwarding card:

yum install -y pam_ssh_agent_auth

~/.ssh/config:
ForwardAgent yes

/etc/sudoers:
Defaults env_keep += "SSH_AUTH_SOCK"

/etc/pam.d/sudo:
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so

[Freeipa-users] Re: Help in understanding multiple KVNO versions in keytab file

2020-02-14 Thread Robbie Harwood via FreeIPA-users
Kevin Vasko via FreeIPA-users writes: > Hello, > > I’m trying to understand when/how the different KVNO versions in a > file should or shouldn’t work. We have a Dell EMC Unity box that’s > giving us fits on what it will accept for a keytab file with different > KVNO versions. I’m not sure if

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 14, 2020 at 07:36:14PM -, Leon Castellano via FreeIPA-users wrote: > Hi, > > Linking works for listing tokens: > > [root@ipaclient 0]# env|grep RUNTIME > [root@ipaclient 0]# pwd > /run/user/0 > [root@ipaclient 0]# ls -l > total 0 > lrwxrwxrwx. 1 root root 22 Feb 14 14:28 p11-kit

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi, Linking works for listing tokens: [root@ipaclient 0]# env|grep RUNTIME [root@ipaclient 0]# pwd /run/user/0 [root@ipaclient 0]# ls -l total 0 lrwxrwxrwx. 1 root root 22 Feb 14 14:28 p11-kit -> /run/user//p11-kit [root@ipaclient 0]# p11tool --provider=/usr/lib64/pkcs11/p11-kit-client.so

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 14, 2020 at 06:27:40PM -, Leon Castellano via FreeIPA-users wrote: > Sumit, > > If I manually set the XDG_RUNTIME_DIR for root pointing to my user's one it > works: Hi, what about linking /run/user/0/p11-kit to /run/user/p11-kit, does this make p11tool work as well? And if

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Sumit, If I manually set the XDG_RUNTIME_DIR for root pointing to my user's one it works: [user@ipaclient][~]$ env|grep RUNTIME XDG_RUNTIME_DIR=/run/user/ [user@ipaclient][~]$ su - Password: [root@ipaclient ~]# export XDG_RUNTIME_DIR=/run/user/ [root@ipaclient ~]# p11tool

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Sumit, Ya, root doesn't see it. Here's the result: [user@ipaclient][~]$ p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module Flags: uPIN uninitialized

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 14, 2020 at 03:27:40PM -, Leon Castellano via FreeIPA-users wrote: > Hi Alexander, > > Here's what I'm seeing over Console: > > ipaclient login: user > PIN for PIV_II: > ipaclient$ p11tool --list-tokens > Token 0: > URL: >

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Alexander, Here's what I'm seeing over Console: ipaclient login: user PIN for PIV_II: ipaclient$ p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module

[Freeipa-users] Help in understanding multiple KVNO versions in keytab file

2020-02-14 Thread Kevin Vasko via FreeIPA-users
Hello, I’m trying to understand when/how the different KVNO versions in a file should or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what it will accept for a keytab file with different KVNO versions. I’m not sure if I’m misunderstanding something, or there’s a bug

[Freeipa-users] Re: Issues with certificates: X509: KEY_VALUES_MISMATCH

2020-02-14 Thread Dmitri Moudraninets via FreeIPA-users
Hi Rob, I was able to start my CA via instructions from here: https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html I also tried to set the clock back and restart certmonger. Still no luck: getcert list gives me the following: Number of certificates and requests being

[Freeipa-users] Re: ipa-adtrust-install --unattended | did not quite work?

2020-02-14 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 14 Feb 2020, lejeczek via FreeIPA-users wrote: hi everyone, I did something pretty vanilla: $ ipa-adtrust-install --unattended --admin-password=xxx Process showed first some warning about "unattended" but then this: Configuring CIFS   [1/24]: validate server hostname   [2/24]:

[Freeipa-users] ipa-adtrust-install --unattended | did not quite work?

2020-02-14 Thread lejeczek via FreeIPA-users
hi everyone, I did something pretty vanilla: $ ipa-adtrust-install --unattended --admin-password=xxx Process showed first some warning about "unattended" but then this: Configuring CIFS   [1/24]: validate server hostname   [2/24]: stopping smbd   [3/24]: creating samba domain object   [4/24]:

[Freeipa-users] Re: external cert sign request - how to sign?

2020-02-14 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 14 Feb 2020, Florence Blanc-Renaud via FreeIPA-users wrote: On 2/14/20 9:39 AM, lejeczek via FreeIPA-users wrote: On 13/02/2020 14:46, Fraser Tweedale wrote: On Thu, Feb 13, 2020 at 11:59:34AM +, lejeczek via FreeIPA-users wrote: hi everyone, how, if possible at, to have IPA

[Freeipa-users] Re: external cert sign request - how to sign?

2020-02-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/14/20 9:39 AM, lejeczek via FreeIPA-users wrote: On 13/02/2020 14:46, Fraser Tweedale wrote: On Thu, Feb 13, 2020 at 11:59:34AM +, lejeczek via FreeIPA-users wrote: hi everyone, how, if possible at, to have IPA sign a cert sign request which is not part of IPA's domain/realm? many

[Freeipa-users] Re: external cert sign request - how to sign?

2020-02-14 Thread lejeczek via FreeIPA-users
On 13/02/2020 14:46, Fraser Tweedale wrote: > On Thu, Feb 13, 2020 at 11:59:34AM +, lejeczek via FreeIPA-users > wrote: >> hi everyone, >> >> how, if possible at, to have IPA sign a cert sign request which is >> not part of IPA's domain/realm? >> >> many thanks, L. >> > You sure can. Just add