[Freeipa-users] Re: 2FA and kinit

2018-02-06 Thread Robbie Harwood via FreeIPA-users
John Ratliff via FreeIPA-users writes: > I'm having problems with kinit and a 2FA enabled account. > > When I run kinit by itself, it says 'kinit: Generic preauthentication > failure while getting initial credentials'. > > I saw on the wiki where that problem is solved by doing one of two > thi

[Freeipa-users] Re: seeking advice, especially from universities....

2018-02-06 Thread Jakub Hrozek via FreeIPA-users
On Tue, Feb 06, 2018 at 02:30:00PM -0600, Amos wrote: > On Tue, Feb 6, 2018 at 2:16 PM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > > If you don't want to bother with the POSIX attributes on the AD side, > > you can perhaps use ID overrides? See > > http

[Freeipa-users] 2FA and kinit

2018-02-06 Thread John Ratliff via FreeIPA-users
I'm having problems with kinit and a 2FA enabled account. When I run kinit by itself, it says 'kinit: Generic preauthentication failure while getting initial credentials'. I saw on the wiki where that problem is solved by doing one of two things. You can login with the admin account (or some

[Freeipa-users] Re: seeking advice, especially from universities....

2018-02-06 Thread Amos via FreeIPA-users
On Tue, Feb 6, 2018 at 2:16 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > If you don't want to bother with the POSIX attributes on the AD side, > you can perhaps use ID overrides? See > https://access.redhat.com/documentation/en-us/red_hat_ > enterprise_linu

[Freeipa-users] Re: seeking advice, especially from universities....

2018-02-06 Thread Jakub Hrozek via FreeIPA-users
On Tue, Feb 06, 2018 at 10:56:24AM -0600, Amos via FreeIPA-users wrote: > 3. So that the UID/GID do not change across campus, do you recommend > populating the POSIX attributes in AD, and promoting those values to the > global catalog, then configure RH-IdM to use those POSIX values from AD? > (Tho

[Freeipa-users] Re: timed out waiting on keys?

2018-02-06 Thread Rob Crittenden via FreeIPA-users
Kat via FreeIPA-users wrote: > And now a new error if I just try to install as a simple replica with no > CA or DNS :-( > > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). Estimated time: 30 seconds >   [1/40]: creating directory server instance >   [error] RuntimeErro

[Freeipa-users] seeking advice, especially from universities....

2018-02-06 Thread Amos via FreeIPA-users
Apologies if this post is slightly off-topic, but I'd really like to pick some brains Currently, we have two, main LDAP directory environments: AD and a cluster of Solaris LDAP servers. The accounts are unified, and are managed via Microsoft Identity Manager (with a connector for updating Sol

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Grace Thompson via FreeIPA-users
I have an open RFE for global catalogs for a while now. Last update for target release is 7.5/7.6 timeframe :( -- gracie mobile > On Feb 6, 2018, at 7:25 AM, Alexander Bokovoy via FreeIPA-users > wrote: > > > > - Original Message - >> Hi, >> >> Clearly my Google skills are lack

[Freeipa-users] Re: timed out waiting on keys?

2018-02-06 Thread Kat via FreeIPA-users
The plot thickens - it has nothing to do with replication. If I try to install a brand new IPA Server instance, that too fails with the same error of the dirsrv failure. Time to rebuild the instance to see what is going on. -K On 2/5/18 12:52, Simo Sorce wrote: I think this could be conside

[Freeipa-users] Re: timed out waiting on keys?

2018-02-06 Thread Kat via FreeIPA-users
And now a new error if I just try to install as a simple replica with no CA or DNS :-( Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds   [1/40]: creating directory server instance   [error] RuntimeError: failed to create DS instance Command

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Alexander Bokovoy via FreeIPA-users
- Original Message - > Hi, > > Clearly my Google skills are lacking, as I've not been able to find anything > definitive (mainly just old versions of IPA) > > We have a well used FreeIPA domain, but I have a few appliances and > applications that require Active Directory. I can find inf

[Freeipa-users] Re: something happened - unable to join new clients

2018-02-06 Thread skrawczenko--- via FreeIPA-users
Thank you for the reply, Rob. I'm afraid it doesn't even get to the 389-ds layer; at least there are no log entries at the moment of failure, neither access nor error. The only error I'm getting on the server side is [Tue Feb 06 02:35:30.637409 2018] [auth_gssapi:error] [pid 24222] [client 10.23.2.84:48966]

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Boris Sukhinin via FreeIPA-users
You could probably establish two-way trust between AD and IPA domains. It seems such configuration is supported: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-one-two-way - Boris Sukhinin

[Freeipa-users] Re: IPA 4.5 with radius server

2018-02-06 Thread Giulio Casella via FreeIPA-users
I'm not sure I completely understand your needs, but I can try. I use freeradius, on same host as freeipa. Just configure freeradius to use ldap (usually in /etc/raddb/sites-enabled/default): Auth-Type LDAP { ldap } Then configure ldap parameters (server, bind identity, bind password,

[Freeipa-users] FreeIPA and AD trust

2018-02-06 Thread Nathan Harper via FreeIPA-users
Hi, Clearly my Google skills are lacking, as I've not been able to find anything definitive (mainly just old versions of IPA) We have a well used FreeIPA domain, but I have a few appliances and applications that require Active Directory. I can find information about configuring AD to trust free

[Freeipa-users] Re: IPA 4.5 with radius server

2018-02-06 Thread Aljaž Srebrnič via FreeIPA-users
> On 6 Feb 2018, at 10:16, barrykfl--- via FreeIPA-users > > wrote: > > Hi : > > Anyone has exp to use freeipa 4.0 above as radius server ? e.g want wifi > use radius everyone carry ldap password. > How to implement ? need special plugin ? seem it ne

[Freeipa-users] IPA 4.5 with radius server

2018-02-06 Thread barrykfl--- via FreeIPA-users
Hi : Anyone has exp to use freeipa 4.0 above as radius server ? e.g want wifi use radius everyone carry ldap password. How to implement ? need special plugin ? seem it need new attribute can generate harsh password and syn with LDAP together ? Thx and Regards Barry