[Freeipa-users] Re: SSH Key auth with expired Kerberos password

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 07, 2018 at 09:53:03PM +, Nathan Harper via FreeIPA-users wrote: > Hi all, > > We have noticed some behaviour that we are trying to work out if it is > expected or not (or if this is an SSSD thing). We have a pair of FreeIPA > replicas running on CentOS 7 (v4.5.x), with various C

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > trying to get smart card authentication using a yubikey. > > I follow the > > $ opensc-tool --list-readers > # Detected readers (pcsc) > Nr. Card Features Name > 0Yes Yubico Yubikey NEO O

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote: > On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-user

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi Sumit, > > > On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > > I would suggest to first check if

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 12:49:26PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On to, 15 marras 2018, Natxo Asenjo via FreeIPA-users wrote: > > hi, > > > > I can successfully login using a smartcard (fedora 29 client, centos 7 > > kdcs, latest patch level). > > > > However, when I try to

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 01:23:37PM +0100, Natxo Asenjo wrote: > On Thu, Nov 15, 2018 at 11:49 AM Alexander Bokovoy > wrote: > > > > > >Am I doing something wrong or is this to be expected? > > Enable debug_level=9 in sssd configuration (domain section) and try to > > login with smartcard, then pr

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 11:43:22AM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > I found this blog post: > > https://floblanc.wordpress.com/2017/06/02/troubleshooting-authentication-to-the-system-console-or-gnome-desktop-manager-of-an-idm-host-with-a-smartcard/ > > $ ipa certmap-match u

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 04:17:20PM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > for posterity's sake, this appears to be a problem with kcm (whatever that > is, don't know yet, will look it up later). > > I turned it off in /etc/krb5.conf.d/kcm_default_ccache (just comment the > two not

[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 08, 2018 at 06:51:22PM -, Eric Fredrickson via FreeIPA-users wrote: > Hello everyone, > > I'm having an issue with OTP when logging into a vpn server that is a client > of FreeIPA. I can login with no issues when OTP is disabled. > > FreeIPA Setup: > CentOS 7.5 > FreeIPA 4.5.4

[Freeipa-users] Re: OTP sudo prompts

2018-11-27 Thread Sumit Bose via FreeIPA-users
orry, try again. > First Factor: > Second Factor (optional): > sudo: 3 incorrect password attempts > > Both IPA-server and client are running on CentOS 7.5. > > > > > > Op 23-03-18 om 09:32 schreef Sumit Bose via FreeIPA-users: > > On Thu, Mar 22, 2018 at 10:28:1

[Freeipa-users] Re: OTP sudo prompts

2018-11-28 Thread Sumit Bose via FreeIPA-users
ctor: > Second Factor (optional): > Sorry, try again. > First Factor: > Second Factor (optional): > sudo: 3 incorrect password attempts > > Both IPA-server and client are running on CentOS 7.5. > > > > > > Op 23-

[Freeipa-users] Re: kinit: Password incorrect while getting initial credentials

2019-01-12 Thread Sumit Bose via FreeIPA-users
On Fri, Jan 11, 2019 at 04:38:15PM -0500, Robbie Harwood via FreeIPA-users wrote: > nandha kumar via FreeIPA-users > writes: > > > Hi Robbie, > > > > Yes, I am able to kinit the administrator account > > > > Yes. My password is correct and even I check for other 4 AD users, it > > gives the same

[Freeipa-users] Re: external ocsp ?

2019-01-31 Thread Sumit Bose via FreeIPA-users
On Thu, Jan 31, 2019 at 03:20:04PM -, Jessie Floyd via FreeIPA-users wrote: > I've deployed a pre-production IPA environment which is similar to the > example domains above. I have a user signed smart-card which does not > share a CA with the IPA domain. I want to configure SSSD to fail > clo

[Freeipa-users] Re: IPA and legacy systems

2019-02-11 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via FreeIPA-users wrote: > I successfully registered my server server5.mydomain.at. After setting up an > appropriate HBAC rule as well as setting the default domain in the sssd.conf > to a.mydomain.at I tried to connect to the server via SSH u

[Freeipa-users] Re: Issues with AD user ssh

2019-02-11 Thread Sumit Bose via FreeIPA-users
On Mon, Feb 11, 2019 at 03:51:07PM +, D via FreeIPA-users wrote: > Hello, > > Would anyone mind helping me troubleshoot a problem? > > 1. Running a two-way trust between AD2016 and ipa-server 4.5.4-10.el7. > 2. Unable to log into an IPA client with an AD account via ssh. The client > has no

[Freeipa-users] Re: Issues with AD user ssh

2019-02-12 Thread Sumit Bose via FreeIPA-users
different ccache type, e.g. FILE:, works any better? HTH bye, Sumit > > Thank you for your hard work, > D > > ‐‐‐ Original Message ‐‐‐ > On Tuesday, 12 February 2019 02:19, Sumit Bose via FreeIPA-users > wrote: > > > On Mon, Feb 11, 2019 at 03:51:

[Freeipa-users] Re: Issues with AD user ssh

2019-02-14 Thread Sumit Bose via FreeIPA-users
> > might also want to try if a different ccache type, e.g. FILE:, > > > works any better? > > > > I can switch this in the kerberos config on the client right, sure > > > > D > > > > ‐‐‐ Original Message ‐‐‐ > > On Tuesday,

[Freeipa-users] Re: Issues with AD user ssh

2019-02-15 Thread Sumit Bose via FreeIPA-users
rom the debug message and increased > > > krb5_auth_timeout in the [domain/] section of sssd.conf? The default > > > is 6 (seconds), I would suggest to try 30 for a start. And please set > > > debug_level=9 in the [domain/...] section as well. I extra o

[Freeipa-users] Re: getent group doesn't show private group on one IPA server, but does on another.

2019-02-18 Thread Sumit Bose via FreeIPA-users
On Sun, Feb 17, 2019 at 07:43:33PM -0500, TomK via FreeIPA-users wrote: > On 2/17/2019 2:19 PM, Alexander Bokovoy via FreeIPA-users wrote: > > On Sun, 17 Feb 2019, TomK via FreeIPA-users wrote: > > > Hey All, > > > > > > Scenario: > > > > > > Two IPA clusters, both with a unique trust to the same

[Freeipa-users] Re: getent group doesn't show private group on one IPA server, but does on another.

2019-02-18 Thread Sumit Bose via FreeIPA-users
On Mon, Feb 18, 2019 at 04:10:34PM -0500, TomK via FreeIPA-users wrote: > On 2/18/2019 4:25 AM, Sumit Bose via FreeIPA-users wrote: > > On Sun, Feb 17, 2019 at 07:43:33PM -0500, TomK via FreeIPA-users wrote: > > > On 2/17/2019 2:19 PM, Alexander Bokovoy via FreeIPA-users wrote:

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-02-19 Thread Sumit Bose via FreeIPA-users
On Tue, Feb 19, 2019 at 06:19:18PM +0100, Morgan Marodin via FreeIPA-users wrote: > Hi everybody. > > I have just upgraded my cluster from FreeIPA 4.4.0-14 to 4.6.4-10. > All is good, logging via IPA credentials, HBAC and sudo rules are working. > I have only an issue logging via SSH with AD crede

[Freeipa-users] Re: Issues with AD user ssh

2019-02-19 Thread Sumit Bose via FreeIPA-users
of SSSD are you using? bye, Sumit > > Many Thanks, > D > > ‐‐‐ Original Message ‐‐‐ > On Friday, 15 February 2019 15:46, Sumit Bose via FreeIPA-users > wrote: > > > (second try without the logs) > > On Fri, Feb 15, 2019 at 09:26:08PM +0100, Sumit

[Freeipa-users] Re: Issues with AD user ssh

2019-02-19 Thread Sumit Bose via FreeIPA-users
ye, > > Sumit > > > > > Many Thanks, > > > D > > > ‐‐‐ Original Message ‐‐‐ > > > On Friday, 15 February 2019 15:46, Sumit Bose via FreeIPA-users > > > freeipa-users@lists.fedorahosted.org wrote: > > > > > > > (seco

[Freeipa-users] Re: ipaclient user unable to ssh with ProxyCommand

2019-02-21 Thread Sumit Bose via FreeIPA-users
On Thu, Feb 21, 2019 at 10:06:31AM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On to, 21 helmi 2019, Albert Szostkiewicz via FreeIPA-users wrote: > > Hi, > > > > I have decided to install freeIPA on my already fully working, small > > home network. After I have installed freeIpa Client o

[Freeipa-users] Re: ipaclient user unable to ssh with ProxyCommand

2019-02-21 Thread Sumit Bose via FreeIPA-users
On Thu, Feb 21, 2019 at 09:32:16AM -, Albert Szostkiewicz via FreeIPA-users wrote: > Sorry, for some reason, strace is not creating output file :/ > I've tried printing it to console, here is tail of it. Let me know if you > need whole file, I will catch its output another way then. Yes, pleas

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-02-21 Thread Sumit Bose via FreeIPA-users
step 'pam_sss(sshd:auth)' was successful. This is the step which does a similar operation as kinit. The failure was in the next step 'pam_sss(sshd:access)' which is access control. bye, Sumit > > Please let me know, thanks. > Morgan > > Il giorno ma
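The distinction made in this reply (the auth stage succeeded, the access-control stage failed) can be pulled out of /var/log/secure mechanically. The following script is an added example for this thread, not code from SSSD or FreeIPA: it groups pam_sss lines by sshd PID and reports whether a session failed at the credential stage or at the PAM account stage, which is where SSSD logs its access-control decision (as `pam_sss(sshd:account)`). The log lines, host name, PIDs and addresses are constructed; the sshd PID correlation assumes the default syslog format of a RHEL/CentOS client.

```python
"""Sort pam_sss lines by PAM stage to tell a credential failure from an HBAC denial.

Added example for this thread, not code from SSSD or FreeIPA. It assumes the
default syslog format of /var/log/secure on a RHEL/CentOS IPA client and
correlates lines by the sshd PID. The log lines below are constructed.
"""
import re

# Constructed sample, shaped like /var/log/secure on an IPA client.
SAMPLE_LOG = """\
Feb 21 16:04:13 client sshd[2345]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=morgan@ad.example.test
Feb 21 16:04:13 client sshd[2345]: pam_sss(sshd:account): Access denied for user morgan@ad.example.test: 6 (Permission denied)
Feb 21 16:05:01 client sshd[2350]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.11 user=alice
Feb 21 16:05:01 client sshd[2350]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Feb 21 16:06:30 client sshd[2360]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.12 user=bob
Feb 21 16:06:30 client sshd[2360]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

PAM_SSS_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>\w+)\): (?P<msg>.*)")
USER_RE = re.compile(r"(?:user=|for user )(?P<user>[^\s:]+)")
CODE_RE = re.compile(r": (?P<code>\d+) \((?P<text>[^)]*)\)")

VERDICT_HINT = {
    "auth_failed": "password/PKINIT/OTP rejected: look at krb5_child.log and the KDC",
    "access_denied": "credentials accepted, access control said no: check HBAC rules (ipa hbactest) and access_provider",
    "allowed": "both stages passed",
    "unknown": "no conclusive pam_sss line for this session",
}


def diagnose(log_text):
    """Return {pid: {"user", "auth", "account", "pam_code", "verdict", "hint"}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"user": None, "auth": None, "account": None, "pam_code": None})
        msg = m["msg"]
        u = USER_RE.search(msg)
        if u:
            s["user"] = u["user"]
        c = CODE_RE.search(msg)
        if c:
            s["pam_code"] = (int(c["code"]), c["text"])
        if m["stage"] == "auth" and msg.startswith("authentication success"):
            s["auth"] = "success"
        elif m["stage"] == "auth" and msg.startswith("authentication failure"):
            s["auth"] = "failure"
        elif m["stage"] == "account" and msg.startswith("Access denied"):
            s["account"] = "denied"
    for s in sessions.values():
        s["verdict"] = _verdict(s)
        s["hint"] = VERDICT_HINT[s["verdict"]]
    return sessions


def _verdict(s):
    if s["auth"] == "failure":
        return "auth_failed"
    if s["auth"] == "success" and s["account"] == "denied":
        return "access_denied"
    if s["auth"] == "success":
        return "allowed"
    return "unknown"


if __name__ == "__main__":
    for pid, s in diagnose(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={s['user']} verdict={s['verdict']} ({s['hint']})")
```

Run it against a real file with `diagnose(open("/var/log/secure").read())`; a session with verdict `access_denied` is the case described above, so the place to look is `ipa hbactest` and the `[domain/...]` access settings, not the password or the KDC.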

[Freeipa-users] Re: ipaclient user unable to ssh with ProxyCommand

2019-02-22 Thread Sumit Bose via FreeIPA-users
On Thu, Feb 21, 2019 at 05:06:46PM -, Albert Szostkiewicz via FreeIPA-users wrote: > thx! got the files! (yeah I was looking for a single file which does not > exist) > > So I took a glance at what kind of info is within those files and I saw that > strace is outputting some of my aliases.

[Freeipa-users] Re: ipaclient user unable to ssh with ProxyCommand

2019-02-22 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 22, 2019 at 03:47:52PM -, Albert Szostkiewicz via FreeIPA-users wrote: > What is weird for me is this is not an issue without freeIPA client > installed. But I am happy that we have a solution. If freeIPA client is not installed I guess there is no ProxyCommand defined in ssh_con

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-02-24 Thread Sumit Bose via FreeIPA-users
On Sun, Feb 24, 2019 at 06:20:26AM -, Patrick Irish via FreeIPA-users wrote: > I've been fighting with this for 2 months. I've rebuilt both the ad and ip > server twice. Currently ipa and ad only contain a single unique user. AD and > ipa are on separate dns domains (ad.domain.com and int.d

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-02-25 Thread Sumit Bose via FreeIPA-users
ver and send the logs covering the time of the id request. Please do not forget to set debug_level=9 in the [nss] and [domain/...] sections on the IPA server. bye, Sumit > > Il giorno gio 21 feb 2019 alle ore 16:01 Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-02-25 Thread Sumit Bose via FreeIPA-users
mysite signat...@mydomain.com]. > > (Thu Feb 21 16:04:13 2019) [sssd[be[ipa.mydomain.com]]] > > [ipa_s2n_get_user_done] (0x0400): [mysite us...@mydomain.com]. > > (Thu Feb 21 16:04:13 2019) [sssd[be[ipa.mydomain.com]]] > > [ipa_s2n_get_user_done] (0x0400): [ipa

[Freeipa-users] Re: Fwd: [389-users] How to invalidate local cache after user changed their password

2019-02-27 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 27, 2019 at 03:28:08PM -0500, Mark Reynolds via FreeIPA-users wrote: > Forwarding to freeipa-users who have more knowledge on SSSD > > > > Forwarded Message > Subject: [389-users] How to invalidate local cache after user changed > their > password > Date:

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-03-01 Thread Sumit Bose via FreeIPA-users
On Fri, Mar 01, 2019 at 09:07:26AM +0100, Morgan Marodin wrote: > Sorry, any news from my logs? sorry for the delay. What kind of server is 192.168.0.15? It looks like the client assumes it is a KDC for IPA.MYDOMAIN.COM but it returns 'Realm not local to KDC' when getting a request for this realm.

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-04 Thread Sumit Bose via FreeIPA-users
On Sat, Mar 02, 2019 at 04:53:28AM -, Patrick Irish via FreeIPA-users wrote: > Is there any more logs you guys would need? Yes, please send the full logs covering the login attempt, they might look similar that the logs are not repeating. bye, Sumit >

[Freeipa-users] Re: sss_ssh_authorizedkeys returns nothing on client

2019-03-07 Thread Sumit Bose via FreeIPA-users
On Wed, Mar 06, 2019 at 11:24:20PM -, Charles Ulrich via FreeIPA-users wrote: > Hello, good people of FreeIPA-users, > > Short version: > > I've run into an issue where an SSH public key authentication doesn't work on > the FreeIPA client. When I run `sss_ssh_authorizedkeys > ` on the clien

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-07 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 05:18:25AM -, Patrick Irish via FreeIPA-users wrote: > I tried to reply earlier but the reply was rejected because of length. Here > is the complete log https://pastebin.com/c34RJZB2 . Let me know what else I > can get you. Looks like SSSD cannot look up global catalo

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-03-07 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 09:15:30AM +0100, Morgan Marodin wrote: > Sorry, could I try to delete and recreate the trust? > Or do you have other suggestions? > > Please let me know, thanks > > Il giorno ven 1 mar 2019 alle ore 15:13 Morgan Marodin > ha scritto: > > > It's one of our local Domain C

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-07 Thread Sumit Bose via FreeIPA-users
On Fri, Mar 08, 2019 at 03:11:22AM -, Patrick Irish via FreeIPA-users wrote: > You are a gentleman and a scholar, that was it. Thank you! I had only > checked the SRV records that were listed in the documentation. Glad I could help. Which documentation are you referring to, maybe it would be w

[Freeipa-users] Re: Unable to login via ssh with AD credentials after upgrade FreeIPA

2019-03-08 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 04:10:09PM +0100, Morgan Marodin wrote: > Another strange behaviour ... > > From 1st IPA server: > > > *[root@mlv-ipa01 ~]# id morgan.maro...@mydomain.com > uid=1143802726(morgan.maro...@mydomain.com > ) gid=1143802726(morgan.maro...@mydomain.com > ) > groups=1143802726(m

[Freeipa-users] Re: Ad user password authentication doesn't work

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Sun, Mar 10, 2019 at 05:28:15AM -, Patrick Irish via FreeIPA-users wrote: > I was following the documentation here > https://www.freeipa.org/page/Active_Directory_trust_setup Is there a > different doc I should have followed? Ok, thanks. The checks in this document are just trying to mak

[Freeipa-users] Re: sss_ssh_authorizedkeys returns nothing on client

2019-03-11 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 07, 2019 at 05:24:10PM -, Charles Ulrich via FreeIPA-users wrote: > For what it's worth, I have verified that I can run this on the client and it > returns the override object immediately: > > ldapsearch -x -H ldaps://arb-01.engipa.example.com -D 'cn=Directory Manager ' > -W -b

[Freeipa-users] Re: different security policy for login(password+otp) and screenlock (password only) for workstation

2019-03-18 Thread Sumit Bose via FreeIPA-users
On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: > > Hello everybody, > > > > > > I am looking for a way to have different authentication policy for a > > freeipa-client logout and screenlock on li

[Freeipa-users] Re: Can login with non-existing user

2019-04-16 Thread Sumit Bose via FreeIPA-users
On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote: > I have managed to login to an IPA client with a non-existing user. > > My AD user is z123...@addomain.mydomain.at and I have created a similar user > called i123...@ipadomain.mydomain.at. What happened now is that I

[Freeipa-users] Re: Can login with non-existing user

2019-04-16 Thread Sumit Bose via FreeIPA-users
On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote: > > On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users > > wrote: > > > I have managed to login to an IPA cl

[Freeipa-users] Re: ID-View for AD group to use GECOS umask

2019-04-16 Thread Sumit Bose via FreeIPA-users
On Mon, Apr 15, 2019 at 03:11:13PM +0200, Ronald Wimmer via FreeIPA-users wrote: > Afaik it should be possible to set a user's umask by putting something like > "umask=0007" in the GECOS field in combination with pam_umask.so. > > pam_umask.so seems to be present on our systems. What I do not know

[Freeipa-users] Re: Can login with non-existing user

2019-04-16 Thread Sumit Bose via FreeIPA-users
On Tue, Apr 16, 2019 at 11:56:32AM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote: > > On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users > > wrote: > > > On 16.04.19 10:50, Sumit Bose

[Freeipa-users] Re: KDE administration not working for freeipa user

2019-04-16 Thread Sumit Bose via FreeIPA-users
On Tue, Apr 16, 2019 at 07:49:40PM -0700, Brian Watson | Watsontech.net via FreeIPA-users wrote: > Hello, > > I have freeipa server (centos7) setup. I installed freeipa-client on my KDE > Neon laptop. I can sign in with my freeipa user and am able to use sudo. > But when asked for password whilst

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Sumit Bose via FreeIPA-users
On Thu, Apr 25, 2019 at 01:05:52PM -0400, John Desantis via FreeIPA-users wrote: > Hello all, > > So, for anyone following this thread, I've been able to make some > progress but not enough to consider the configuration production > ready. > > After watching sssd logs ([domain] debug_level = 10,

[Freeipa-users] Re: free-ipa-client with otp (sssd) on linux laptop how to keep working on different networks.

2019-05-03 Thread Sumit Bose via FreeIPA-users
On Thu, May 02, 2019 at 05:38:27PM +0200, Jelle de Jong via FreeIPA-users wrote: > Hello everybody, > > What would be the way to configure a linux laptop free-ipa-client (sssd) > with freeipa users with otp (2fa) passwords, to keep working on other > networks than the local LAN of the freeipa serv

[Freeipa-users] Re: input_userauth_request: invalid user on FreeIPA server

2019-05-06 Thread Sumit Bose via FreeIPA-users
On Mon, May 06, 2019 at 02:24:00PM +0200, Milos Cuculovic via FreeIPA-users wrote: > We have one FreeIPA server and several clients. The ssh connection works well > on clients, however this is not working on the server itself. > I can use the default ssh user (outside of the FreeIPA), however whe

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Sumit Bose via FreeIPA-users
On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote: > On 23/05/2019 14:56, Rob Crittenden wrote: > > lejeczek via FreeIPA-users wrote: > >> hi guys, > >> > >> reading official guide one may assume - I do - that "Using SSH Without > >> Passwords" should work out-of-box (cento

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Sumit Bose via FreeIPA-users
On Fri, May 24, 2019 at 04:12:20PM -, Khurrum Maqb via FreeIPA-users wrote: > We're running IPA 4.6.4-10.el7 with a CA over 4 replicas on Centos7 and would > like to properly configure smartcard authentication. The smartcards that > we're using have been signed by an External CA controlled by

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-24 Thread Sumit Bose via FreeIPA-users
On Fri, May 24, 2019 at 07:30:53PM -, Khurrum Maqb via FreeIPA-users wrote: > And if I specify the card LABEL: > > > > > # KRB5_TRACE=/dev/stdout kinit -X > X509_user_identity='PKCS11:opensc-pkcs11.so:certlabel=Certificate for PIV > Authentication' username > [22278] 1558726069.978962: Ge

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-27 Thread Sumit Bose via FreeIPA-users
On Fri, May 24, 2019 at 10:30:15PM -, Khurrum Maqb via FreeIPA-users wrote: > Strangely, it's correct. I also just did another ipa-client-install > --request-cert and it joined correctly and placed the IPA cert in that > location. Here is the krb5.conf file > > [root@gs6069-ld-i014 ~]# cat /

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-27 Thread Sumit Bose via FreeIPA-users
On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote: > On 23/05/2019 16:43, Sumit Bose via FreeIPA-users wrote: > > On Thu, May 23, 2019 at 04:17:08PM +0100, lejeczek via FreeIPA-users wrote: > >> On 23/05/2019 14:56, Rob Crittenden wrote: > >>&

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-28 Thread Sumit Bose via FreeIPA-users
On Tue, May 28, 2019 at 04:37:25PM -, Khurrum Maqb via FreeIPA-users wrote: > Thanks! > > So on the IPA server that is listed in the client's /etc/ipa/default file I > ran: > > # openssl verify -verbose -CAfile /var/lib/ipa-client/pki/kdc-ca-bundle.pem > /var/kerberos/krb5kdc/kdc.crt > /va

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-29 Thread Sumit Bose via FreeIPA-users
On Tue, May 28, 2019 at 08:43:33PM -, Khurrum Maqb via FreeIPA-users wrote: > I apologize for the successive emails. > > FYI, the OCSP + the Server Cert error goes away and the CA starts responding > after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf ah, iirc you mentioned earlier that

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-29 Thread Sumit Bose via FreeIPA-users
On Tue, May 28, 2019 at 08:27:41PM -, Khurrum Maqb via FreeIPA-users wrote: > Oh I see. I misunderstood the result. > > ]# ipa pkinit-status > - > 4 servers matched > - > Server name: server1.dom.ain > PKINIT status: enabled > > Server name: server2.dom.

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-05-29 Thread Sumit Bose via FreeIPA-users
On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote: > They are indeed all self signed: > > #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout > issuer= /O=DOMAIN.COM/CN=server1.dom.ain > subject= /O=DOMAIN.COM/CN=server1.dom.ain > > #openssl x509 -

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-31 Thread Sumit Bose via FreeIPA-users
egards, > JP > > El lun., 27 may. 2019 a las 4:30, Sumit Bose via FreeIPA-users (< > freeipa-users@lists.fedorahosted.org>) escribió: > > > On Sun, May 26, 2019 at 01:42:32PM +0100, lejeczek via FreeIPA-users wrote: > > > On 23/05/2019 16:43, Sumit Bose via

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-06-04 Thread Sumit Bose via FreeIPA-users
On Tue, Jun 04, 2019 at 09:54:45AM -0400, Robbie Harwood via FreeIPA-users wrote: > Khurrum Maqb via FreeIPA-users > writes: > > > That worked! Thanks so much! I can login and successfully receive a > > kerberos ticket when using a smartcard to login. > > I also added the following to /etc/krb5

[Freeipa-users] Re: krb5_child always reports going offline when trying to login

2019-06-05 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 06, 2019 at 04:38:03AM +, Robert Sturrock via FreeIPA-users wrote: > Hi All. > > I have a small test installation of IPA (RHEL7, > ipa-server-4.6.4-10.el7_6.3.x86_64) in a sync arrangement with our local AD > (passwords sync’d via Passsync). > > When trying to login to the IPA

[Freeipa-users] Re: krb5_child always reports going offline when trying to login

2019-06-06 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 06, 2019 at 11:36:34PM +, Robert Sturrock via FreeIPA-users wrote: > Hi. > > It appears to work ok when I run that command, returning this very quickly: > > # KRB5_TRACE=/dev/stdout kinit -k 'host/ipa-server.localdomain@LOCALREALM' > [19706] 1559864041.540056: Getting initial cre

[Freeipa-users] Re: AD's users ssh to IPA's client - should it work?

2019-06-18 Thread Sumit Bose via FreeIPA-users
On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote: > hi guys > > I think it was asked on the list before but I still cannot find the thread. > > Should AD's users be able to login to IPA's clients (non-replica) in a > pretty vanilla setup? Those users can login to IPA mast

[Freeipa-users] Re: AD's users ssh to IPA's client - should it work?

2019-06-19 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote: > On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote: > > On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote: > >> hi guys > >> > >> I think it was asked o

[Freeipa-users] Re: AD's users ssh to IPA's client - should it work?

2019-06-19 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 19, 2019 at 12:34:54PM +0100, lejeczek via FreeIPA-users wrote: > On 19/06/2019 10:09, Sumit Bose via FreeIPA-users wrote: > > On Wed, Jun 19, 2019 at 09:26:30AM +0100, lejeczek via FreeIPA-users wrote: > >> On 19/06/2019 07:46, Sumit Bose via FreeIPA-users wrote: &g

[Freeipa-users] Re: AD's users ssh to IPA's client - should it work?

2019-06-20 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 19, 2019 at 04:58:32PM +0100, lejeczek via FreeIPA-users wrote: > On 19/06/2019 16:20, Sumit Bose via FreeIPA-users wrote: > > On Wed, Jun 19, 2019 at 12:34:54PM +0100, lejeczek via FreeIPA-users wrote: > >> On 19/06/2019 10:09, Sumit Bose via FreeIPA-users wrote: &g

[Freeipa-users] Re: AD's users ssh to IPA's client - should it work?

2019-06-21 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 20, 2019 at 04:50:48PM +0100, lejeczek via FreeIPA-users wrote: > On 20/06/2019 14:40, Sumit Bose wrote: > >> Ok, then maybe to make it more bizarre, I've had it: > >> > >> includedir /etc/krb5.conf.d/ > >> includedir /var/lib/sss/pubconf/krb5.include.d/ > >>   > >> [libdefaults] > >>  

[Freeipa-users] Re: IPA's clients deny password auth to ssh - 6 (Permission denied) - but gssapi works.

2019-06-21 Thread Sumit Bose via FreeIPA-users
On Fri, Jun 21, 2019 at 08:57:39AM +0100, lejeczek via FreeIPA-users wrote: > On 20/06/2019 13:47, lejeczek via FreeIPA-users wrote: > > hi guys > > > > A Putty ssh off an AD's Win10 client to IPA's client (non-master) works > > with gssapi but without it and when need to use password I see: > > > >

[Freeipa-users] Re: IPA Client failed login after screen lock

2019-06-21 Thread Sumit Bose via FreeIPA-users
On Fri, Jun 21, 2019 at 01:14:33AM -, Boyd Ako via FreeIPA-users wrote: > So, I created a Red Hat ticket to assist and the support is pretty > non-productive. > > I have a RHEL 7 "Workstation" setup as an IPA client that most of the time > works. However, there are occasions when the screen

[Freeipa-users] Re: User in AD not found by IPA

2019-06-24 Thread Sumit Bose via FreeIPA-users
On Mon, Jun 24, 2019 at 09:35:20AM -0400, Marc Boorshtein via FreeIPA-users wrote: > We added a new account to AD that has a domain trust with FreeIPA. This > one user is having an issue where IPA can't find him. The user is in the > same OU as other users that work fine. The user is unlocked >

[Freeipa-users] Re: User in AD not found by IPA

2019-06-24 Thread Sumit Bose via FreeIPA-users
On Mon, Jun 24, 2019 at 10:20:13AM -0400, Marc Boorshtein via FreeIPA-users wrote: > > > > Since it is a new user I wonder if maybe the RID is larger than 200000? > > For automatic id-mapping a range of 200000 IDs is used by default and if > > the RIDs become higher a new range should be added. >

[Freeipa-users] Re: User in AD not found by IPA

2019-06-24 Thread Sumit Bose via FreeIPA-users
On Mon, Jun 24, 2019 at 11:44:40AM -0400, Marc Boorshtein wrote: > > > > Since it is a new user I wonder if maybe the RID is larger than 200000? > > For automatic id-mapping a range of 200000 IDs is used by default and if > > the RIDs become higher a new range should be added. > > > > > I think we

[Freeipa-users] Re: rbac issue met trust users

2019-06-28 Thread Sumit Bose via FreeIPA-users
On Fri, Jun 28, 2019 at 11:07:00AM +0200, Natxo Asenjo via FreeIPA-users wrote: > hi, > > I have successfully established a one way cross realm trust between AD and > IDM realms. > > I can get info from AD users in the IDM hosts, and I created an external > group and added it to a posix group as i

[Freeipa-users] Re: Intermittent AD attribute fetch

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Mon, Jul 29, 2019 at 11:35:56AM -0400, Rob Crittenden via FreeIPA-users wrote: > Jo Domsic via FreeIPA-users wrote: > > Hi Rob, > > > > Does the error make any sense? > > AD isn't really my area, I merely knew which logs others would need for > evaluation. Hi, this sounds like an issue when

[Freeipa-users] Re: User in AD not found by IPA

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Mon, Jul 08, 2019 at 10:29:58AM -0400, Marc Boorshtein via FreeIPA-users wrote: > Thanks Sumit, > > > > But SSSD supports adding a new id-range with 'ipa idrange-add ' the > > name should be unique, e.g. the name of the other range of the AD domain > > with a '_2' suffix. The --base-id ca
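The arithmetic behind the advice in this thread (a RID beyond the range size gets no POSIX ID until a second range is added) is easy to reproduce. The script below is an added example, not code from FreeIPA or SSSD: it applies the ipa-ad-trust mapping rule, posix_id = base_id + (rid - rid_base) for rid_base <= rid < rid_base + range_size, reports None when no range of the user's domain covers the RID, and proposes the follow-on range with the numeric suffix mentioned above. The range names, domain SID, base IDs and RIDs are constructed; the `ipa idrange-add` option names are the ones in `ipa idrange-add --help` on current versions and should be checked against yours before running the printed command.

```python
"""Compute the POSIX ID of an AD user from its SID with IPA-style RID ranges.

Added example for this thread, not code from FreeIPA or SSSD. It implements the
arithmetic an ipa-ad-trust ID range describes (posix_id = base_id + rid - rid_base,
valid only while rid < rid_base + range_size) and proposes the next range when a
RID falls outside every existing one. Range names, SIDs and IDs are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    range_size: int
    rid_base: int
    dom_sid: Optional[str] = None   # None for the local IPA range


# Constructed: the local IPA range plus the range ipa trust-add created for the AD domain.
RANGES = [
    IdRange("EXAMPLE.TEST_id_range", base_id=900000000, range_size=200000, rid_base=1000),
    IdRange("AD.EXAMPLE.TEST_id_range", base_id=1143800000, range_size=200000, rid_base=0,
            dom_sid="S-1-5-21-1111111111-2222222222-3333333333"),
]


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    dom, _, rid = sid.rpartition("-")
    if not dom.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid}")
    return dom, int(rid)


def sid_to_id(sid, ranges):
    """POSIX ID for the SID, or None if no range of that domain covers its RID."""
    dom, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid == dom and r.rid_base <= rid < r.rid_base + r.range_size:
            return r.base_id + (rid - r.rid_base)
    return None


def next_range(ranges, dom_sid):
    """Propose a follow-on range: same size, RIDs continuing where the domain's
    highest range stops, base_id above every existing range, and a numeric
    name suffix as suggested in the thread."""
    dom_ranges = sorted((r for r in ranges if r.dom_sid == dom_sid), key=lambda r: r.rid_base)
    if not dom_ranges:
        raise ValueError("no existing range for this domain SID")
    first, last = dom_ranges[0], dom_ranges[-1]
    new = IdRange(
        name=f"{first.name}_{len(dom_ranges) + 1}",
        base_id=max(r.base_id + r.range_size for r in ranges),
        range_size=last.range_size,
        rid_base=last.rid_base + last.range_size,
        dom_sid=dom_sid,
    )
    # Option names as in `ipa idrange-add --help`; verify them on your version before running.
    cmd = (f"ipa idrange-add {new.name} --base-id={new.base_id} --range-size={new.range_size} "
           f"--rid-base={new.rid_base} --dom-sid={new.dom_sid} --type=ipa-ad-trust")
    return new, cmd


if __name__ == "__main__":
    user_sid = "S-1-5-21-1111111111-2222222222-3333333333-250000"
    print(sid_to_id(user_sid, RANGES))        # None: RID 250000 is past range_size 200000
    new, cmd = next_range(RANGES, split_sid(user_sid)[0])
    print(cmd)
    print(sid_to_id(user_sid, RANGES + [new]))
```

The None result is exactly the "user not found" symptom from the thread: SSSD has the object but cannot assign it an ID. After the second range exists (and sssd caches are cleared), the same RID maps into the new base.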

[Freeipa-users] Re: mapping freeipa to local users and group

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Tue, Jul 09, 2019 at 05:41:05PM +, Andrew Meyer via FreeIPA-users wrote: > I want to map my freeipa users to local users on a particular server.  I have > read a few sites that say to do sss_override.  However I am running into a > problem: Hi, do you mean 'to a local user' or 'to a loca

[Freeipa-users] Re: trust AD - kerberos - how it works?

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 12, 2019 at 12:03:42PM +0100, lejeczek via FreeIPA-users wrote: > On 11/07/2019 14:03, Simo Sorce wrote: > > On Thu, 2019-07-11 at 12:09 +0100, lejeczek via FreeIPA-users wrote: > >> hi guys > >> > >> I've been having my IPA deployment trusting AD for a while now and it's > >> been beha

[Freeipa-users] Re: `users` command shows `user user@domain` when logging in with a smartcard

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 26, 2019 at 03:08:14PM -, Khurrum Maqb via FreeIPA-users wrote: > So I have anyconnect working now. > > In sssd.conf I added: > > [domain] > use_fully_qualified_names = True > full_name_format = %1$s@%2$s > > and now all users in `who` are user@domain > > However, setting it to

[Freeipa-users] Re: mapping freeipa to local users and group

2019-07-30 Thread Sumit Bose via FreeIPA-users
On Tue, Jul 30, 2019 at 09:31:25AM -0400, John Petrini via FreeIPA-users wrote: > What I ended up doing to deal with this was write a script that checks if > any local users exist on the IPA server. If they do then it updates the UID > and GID and user's homedir permissions to match what's in IPA.

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-21 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 20, 2019 at 07:30:23PM -, Martijn Bakkes via FreeIPA-users wrote: > Server side SSSD logs: Hi, can you send the corresponding sssd_nss.log as well? There are some odd delays in the backend log and since the NSS responder is sending those requests it would be good to know what the

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-21 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 21, 2019 at 01:57:30PM -, Martijn Bakkes via FreeIPA-users wrote: > Adding logs with debug set to 6. > Below will be server and client from the same request. The difference in > timestamp between the request start on server and client corresponds to about > the amount of time it

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-21 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 21, 2019 at 04:15:38PM -, Martijn Bakkes via FreeIPA-users wrote: > > On Wed, Aug 21, 2019 at 01:57:30PM -, Martijn Bakkes via FreeIPA-users > > wrote: > > ... > > SSSD_NSS SERVER logs > > ... > > ... > > > > Those are lookups in the local cache and there should be even an in

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-21 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 21, 2019 at 04:29:36PM -, Martijn Bakkes via FreeIPA-users wrote: > > On Wed, Aug 21, 2019 at 04:15:38PM -, Martijn Bakkes via FreeIPA-users > > wrote: > > > > Can you send me the versions of some related packages: > > > > rpm -qa sssd > > rpm -qa libtalloc > > r

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-21 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 21, 2019 at 07:10:50PM -, Martijn Bakkes via FreeIPA-users wrote: > SSSD_NSS SERVER log > > (Wed Aug 21 14:08:13 2019) [sssd[nss]] [setup_client_idle_timer] (0x4000): > Idle timer re-set for client [0x559f771f0e20][21] > (Wed Aug 21 14:08:28 2019) [sssd[nss]] [get_client_cred] (0

[Freeipa-users] Re: Unable to add external domain global groups

2019-08-22 Thread Sumit Bose via FreeIPA-users
On Thu, Aug 22, 2019 at 01:11:28PM -, Martijn Bakkes via FreeIPA-users wrote: > > On Wed, Aug 21, 2019 at 07:10:50PM -, Martijn Bakkes via FreeIPA-users > > wrote: > > ... > > > > Hi, > > > > here everything happened in 14:08:28, so there is no visible delay in the > > logs. Did you see

[Freeipa-users] Re: Keys vs certificates

2019-08-27 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 27, 2019 at 02:43:22PM +, Patterson, David via FreeIPA-users wrote: > Hello, > > I followed the instructions from this page > (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custom-certprofile.html) > to create User Certificates. > While testing I noticed

[Freeipa-users] Re: [EXTERNAL] Re: Keys vs certificates

2019-08-27 Thread Sumit Bose via FreeIPA-users
r/log/sssd which should explain what prevented SSSD from returning the ssh keys. bye, Sumit > > David Patterson > Sandia National Laboratories > Ground System Platforms, Infrastructures & Integration > Phone:(505) 284-3322 > Pager: (505) 951-8112 > > -----Original

[Freeipa-users] Re: Can login with non-existing user

2019-09-02 Thread Sumit Bose via FreeIPA-users
On Mon, Sep 02, 2019 at 02:37:47PM +0200, Ronald Wimmer via FreeIPA-users wrote: > Sorry for asking. I might have missed to read that part of the official > documentation: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/short-names#config

[Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials

2019-09-05 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 05, 2019 at 01:11:44PM +, Jokinen Eemeli via FreeIPA-users wrote: > Hi! > > I have a problem I could use help on resolving: > > We have a working IPA Cluster and I try to join in with Ubuntu 16.04 > freeipa-client. Everything seems to go smoothly, it creates config files that >

[Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials

2019-09-05 Thread Sumit Bose via FreeIPA-users
HTH bye, Sumit > > Eemeli > > -Original Message- > From: Sumit Bose via FreeIPA-users > Sent: torstai 5. syyskuuta 2019 16.36 > To: freeipa-users@lists.fedorahosted.org > Cc: Sumit Bose > Subject: [Freeipa-users] Re: Problems joining an Ubuntu client to IPA se

[Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials

2019-09-05 Thread Sumit Bose via FreeIPA-users
> In the fact we're using RHEL 7 with ipa-server 4.6.4 > > > > Hi, > > in this case please try to add > > krb5_use_enterprise_principal = True > > to the [domain/...] section of sssd.conf on the Ubuntu client. > > HTH > > bye, > Sumit >

[Freeipa-users] Re: Problems joining an Ubuntu client to IPA server and using AD Credentials

2019-09-06 Thread Sumit Bose via FreeIPA-users
;re using RHEL 7 with ipa-server 4.6.4 > > > > > > > Hi, > > > > in this case please try to add > > > > krb5_use_enterprise_principal = True > > > > to the [domain/...] section of sssd.conf on the Ubuntu client. > > > > HTH >

[Freeipa-users] Re: How to change the timeout of 60 seconds on the login with AD users

2019-10-09 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 03, 2019 at 10:48:40AM +, SOLER SANGUESA Miguel via FreeIPA-users wrote: > Hello, > > After a primary DNS server problem, I have realized that the IDM client has a > timeout of 60 s for the log in. > As the primary DNS was not working, server used the secondary DNS and it > take

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-10 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 10, 2019 at 10:21:12AM -, S Toulmonde via FreeIPA-users wrote: > Hi, I setup an IPA realm (under rhel7) with an trust relationship to a > Windows domain. All users in AD have an idoverride to override uid and gid. > Originally, everything was working like expected: servers could re

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-11 Thread Sumit Bose via FreeIPA-users
On Fri, Oct 11, 2019 at 07:55:51AM -, S Toulmonde via FreeIPA-users wrote: > Hi Sumit, > > I've tried all options: > use_fully_qualified_names = False on server and client, a matrix of > true/false, same issue... Hi, I'm sorry I wasn't clear. use_fully_qualified_names must be 'True' (or uns

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-16 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 17, 2019 at 04:32:05AM +, Vinícius Ferrão wrote: > > > On 16 Oct 2019, at 16:01, Rob Crittenden > mailto:rcrit...@redhat.com>> wrote: > > Vinícius Ferrão wrote: > > > On 15 Oct 2019, at 17:49, Rob Crittenden > mailto:rcrit...@redhat.com> > > wrote:

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-17 Thread Sumit Bose via FreeIPA-users
On Fri, Oct 18, 2019 at 05:57:40AM +, Vinícius Ferrão wrote: > > > On 17 Oct 2019, at 03:52, Sumit Bose > mailto:sb...@redhat.com>> wrote: > > On Thu, Oct 17, 2019 at 04:32:05AM +, Vinícius Ferrão wrote: > > > On 16 Oct 2019, at 16:01, Rob Crittenden > mailto:rcrit...@redhat.com>

[Freeipa-users] Re: FreeIPA: Cannot login to AD User from IPA client, login from server works

2019-10-29 Thread Sumit Bose via FreeIPA-users
On Mon, Oct 28, 2019 at 03:56:56PM -, Danijel Bojic via FreeIPA-users wrote: > Hi Alexander > > Thanks for clarifying. > > I don't see anything in the sssd_domain.log > I see something though in the sssd_nss.log file. > I crosschecked my sssd.conf file and corrected some spelling error and >

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-29 Thread Sumit Bose via FreeIPA-users
On Tue, Oct 29, 2019 at 01:26:32PM +, TOULMONDE Sébastien (SPC/DCS) via FreeIPA-users wrote: > Ok, so here’s the solution I found almost by accident… > > If I specify the domain search order to ‘ad.domain:ipa.domain’ -> the clients > can now resolve the external users > If, for whatever reas
