[Freeipa-users] any reference for HA solution and backup /restore

2017-11-22 Thread barrykfl--- via FreeIPA-users
Hi all: set up two server replicas, want to make HA and backup/restore. Anywhere have a reference? Especially backup/restore is necessary. Regards Barry

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list, The next bit of information is that the passwd command itself is broken when a user has an OTP token set. $ passwd Changing password for user otpuser1. Current Password: passwd: Authentication token manipulation error $ passwd Changing password for user otpuser1.

[Freeipa-users] Re: Creating a permission to manage OTP Tokens

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Sadly no, another person had been creating OTP tokens with the helpagent. These were tokens owned by the helpagent, but with other users' names. From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] Sent: Thursday, 23 November 2017 4:00 PM To: 'freeipa-users@lists.fedorahosted.org'

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list, We've kept at this today and this is what we think we are seeing: * Preauth is detecting that a user has an expired password and a token, so discards the token and just asks for password * Password check succeeds and hands to the password change process (maybe

[Freeipa-users] Re: Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread James Swineson via FreeIPA-users
Thanks. So I guess it is assumed safe to expose FreeIPA to the Internet? This would make everything easier. 2017-11-22 22:42 GMT+08:00 Michael ORourke via FreeIPA-users <freeipa-users@lists.fedorahosted.org>: > What I would do is perhaps replicate the zones onto dedicated DNS servers > (not

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the List, A couple of new things to this problem: when a user has an expired password and a valid OTP token, the password reset process is broken on all machines at the ssh prompt, even the ones that do not require 2FA. Feedback so far from Sumit indicates this is incorrect

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-22 Thread David Harvey via FreeIPA-users
For anyone interested, I think I have it working properly after the following: Edit /etc/pki/pki.version to remove +12 (confused the postinstall script). Ensure you have kinit admin from the root session you're using to upgrade. If like me you find the REST API on 8443 dies when being hit and

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit, I sent those to you directly as I wasn't comfortable posting them to the list. Regards, Aaron From: Sumit Bose Sent: Wednesday, November 22, 2017 10:19:34 PM To: Aaron Hicks Cc: 'FreeIPA

[Freeipa-users] Re: Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread Michael ORourke via FreeIPA-users
What I would do is perhaps replicate the zones onto dedicated DNS servers (not FreeIPA), or run a "split-brain" DNS which has dedicated DNS servers that have a smaller subset of records that are exposed to the Internet. -Mike On 11/22/2017 4:21 AM, James Swineson via FreeIPA-users wrote:

[Freeipa-users] Is it possible to put all replicas in a LAN (use mesh VPN) and selectively expose some nodes to internet?

2017-11-22 Thread James Swineson via FreeIPA-users
Hi, I'm planning a FreeIPA fresh installation across multiple datacenters and offices. Concerned about the risk of DNS DDoS, I wanted to put most nodes in a mesh VPN so they can replicate without exposing ports to the internet. However, I still need some services over the internet. So can I set up every

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote: > Hi Sumit, > > Here is /etc/pam.d/password-auth. I missed that it was an include, and that you > wanted it too; again it's as installed by CentOS 7.4 and ipa-client-install > ok, the PAM configuration looks good. Can you send me the

[Freeipa-users] Re: FreeIPA-users Digest, Vol 7, Issue 22

2017-11-22 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 22 Nov 2017, Николай Савельев via FreeIPA-users wrote: I think the better reference in the documentation is https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy If there is a trust to an AD forest and

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit, Here is /etc/pam.d/password-auth. I missed that it was an include, and that you wanted it too; again it's as installed by CentOS 7.4 and ipa-client-install [root@hpch2fa01 pam.d]# cat password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit, The pam.d configuration is as configured by the CentOS 7.4 install and running ipa-client-install. Here's the content of /etc/pam.d/sshd [root@hpch2fa01 ~]# cd /etc/pam.d [root@hpch2fa01 pam.d]# cat sshd #%PAM-1.0 auth required pam_sepermit.so auth substack