Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-26 Thread Jakub Hrozek
If you have SSSD 1.9.6 or newer all the sudo configuration boils down to including 'sss' for 'sudoers' in nsswitch.conf and sudo_provider=ipa in sssd.conf. You also need a reasonably recent sudo itself. Posting versions of SSSD and sudo would help. - Original Message - From: Gonzalo

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Andrew Holway
When I look at the SPEC file for freeipa-4.1.3, I see requirements around Systemd. Is that really a hard requirement, or is it possible to run newer FreeIPA (that is to say 4.x) on a host that hasn't been infested by systemd From an SELinux standpoint systemd is far superior to initd as it

[Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Yogesh Sharma
Hi, We are getting an error while trying to ssh using users created in IPA server. root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94 OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2:

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Sumit Bose
On Wed, Mar 25, 2015 at 08:01:36PM -0400, Dmitri Pal wrote: On 03/25/2015 11:44 AM, Simo Sorce wrote: On Wed, 2015-03-25 at 14:46 +, Guertin, David S. wrote: Follow-up: today I tried clearing the sssd cache and restarting sssd on all three clients, and all three lost their AD users: #

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
When digging around I see this documentation: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that? 2015-03-26 1:57 GMT+01:00 Matt .

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-26 Thread Petr Spacek
Hello Jorgen and list, On 26.3.2015 01:25, Jorgen Lundman wrote: Thanks for your email, (I have included the ML in this reply) We run Solaris with bind+DLZ+ldap on the DNS servers, and are looking at better performance. Which means evaluating bind-dyndb-ldap. I did some minor tweaks to

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Coy Hile
Quoting Andrew Holway andrew.hol...@gmail.com: When I look at the SPEC file for freeipa-4.1.3, I see requirements around Systemd. Is that really a hard requirement, or is it possible to run newer FreeIPA (that is to say 4.x) on a host that hasn't been infested by systemd From an SELinux

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Jan Pazdziora
On Thu, Mar 26, 2015 at 10:49:22AM +0100, Andrew Holway wrote: From an SELinux standpoint systemd is far superior to initd as it allows far more graceful domain transitions. Have you got a link which would demonstrate how systemd helps with domain transitions? -- Jan Pazdziora Principal

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however. thx anthony On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote: I'm referring to the host certificate; I was looking at the web UI, under Identity-Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote: kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password. I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that kinit USER done on server fails? With what error? On 03/26/2015 05:28 PM, Anthony Lanni wrote: great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under Identity-Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says 'Kerberos Key Present, Host

[Freeipa-users] AIX client integration

2015-03-26 Thread David Beck
All, This is for anyone using AIX clients with freeipa. I have the client up and running just fine (No KRB5, AIX Bug); however I cannot seem to get the client to load the groups attributes properly. The user's primary group shows up in the groups attribute from lsuser but not any subsequent

Re: [Freeipa-users] AIX client integration

2015-03-26 Thread Alexander Bokovoy
On Thu, 26 Mar 2015, David Beck wrote: All, This is for anyone using AIX clients with freeipa. I have the client up and running just fine (No KRB5, AIX Bug); however I cannot seem to get If you mean inability to use GSSAPI authentication against LDAP, it is not a bug in AIX. Rather, it is a bug

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password. I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and that's not going to work since it's not in the

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman
On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone for the input. I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit

[Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera
Hello, I followed https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords in order to migrate our NIS installation, and for the most part it worked. The server responds to ypcat from the NIS clients, and users can log in. However, I'm seeing a couple of weird issues. Normally,

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Martin Kosek
On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone for the input. I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me. 2 sounds like the most solid option available right now.

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Rob Crittenden
Yogesh Sharma wrote: Hi, We are getting an error while trying to ssh using users created in IPA server. root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94 You don't have a Kerberos ticket and you don't have ssh keys for this user. kinit cm8158 first or get the ssh keys. You'll need to use

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Simo Sorce
On Thu, 2015-03-26 at 15:42 +0530, Yogesh Sharma wrote: Hi, We are getting an error while trying to ssh using users created in IPA server. root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94 You should use the machine's fully qualified name if you want to login using GSSAPI/Krb5, an IP

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote: When digging around I see this documentation: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/load-balancing.html I would expect that server.example.com is not going to be accepted by IPA when you visit the webgui like that? These are SRV records for the

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob, Yes something is wrong there I guess. But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least. So the question there is... how? Cheers, Matt 2015-03-26 14:50 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote:

Re: [Freeipa-users] Understanding the migration mode

2015-03-26 Thread Dmitri Pal
On 03/26/2015 02:29 PM, Prasun Gera wrote: Hello, I followed https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords in order to migrate our NIS installation, and for the most part it worked. The server responds to ypcat from the NIS clients, and users can log in. However,

Re: [Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Dmitri Pal
On 03/26/2015 05:37 PM, Matt . wrote: Hi Guys, I'm facing every day a fast filling log of: /var/log/krb5kdc.log /var/log/dirsrv/slapd-DOMAIN/access* I need to remove the files and restart ipa. The kerberos log is filling up most, the access logs are quite fast on 100MB and a new one is

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Dmitri Pal
On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone for the input. I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Dmitri Pal
On 03/26/2015 08:18 AM, Coy Hile wrote: Quoting Andrew Holway andrew.hol...@gmail.com: When I look at the SPEC file for freeipa-4.1.3, I see requirements around Systemd. Is that really a hard requirement, or is it possible to run newer FreeIPA (that is to say 4.x) on a host that hasn't

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi Rob, Thank you very much! I think this will work out as it's only https traffic. I will report back! Thanks a lot! Matt 2015-03-26 16:48 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what

[Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Matt .
Hi Guys, I'm facing every day a fast filling log of: /var/log/krb5kdc.log /var/log/dirsrv/slapd-DOMAIN/access* I need to remove the files and restart ipa. The kerberos log is filling up most, the access logs are quite fast on 100MB and a new one is created. Now I do some LDAP login/logout per

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
Hi, This should be it and worked for generating the cert with the altname ldap.domain.tld When I login and I go to services I get the following: cannot connect to 'https://ldap-01.domain.tld:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Matt .
OK some new update: When I do a curl -k https://ldap.domain.tld/ipa/config/ca.crt I get a 301 to https://ldap-01.core.prod.msp.cullie.local/ipa/config/ca.crt But when I visit the https://ldap.domain.tld/ipa/config/ca.crt with my browser it just works fine. 2015-03-26 22:11 GMT+01:00 Matt .

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to get a DNS record for any of the clients is why the user can't ssh into the clients. Thanks for the help, everyone! thx anthony On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden rcrit...@redhat.com wrote: Anthony Lanni

[Freeipa-users] can't specify DNS name or subject in cert request in FreeIPA 3.3

2015-03-26 Thread Steve Neuharth
I'm trying to specify a subject name in a cert request like this: ipa-getcert request -K HTTP/web.test.org -N cn=www.test.org,o=TEST.ORG -f /tmp/webserver.crt -k /tmp/webprivate.key -r or like this ipa-getcert request -K HTTP/web.test.org -D www.test.org -f

Re: [Freeipa-users] inserting users via java

2015-03-26 Thread Timothy Worman
Thanks everyone for the input. I do agree that I don’t like the sound of option 1. I don’t want to be sending CLI commands from a remote host. And option 3 sounds a bit brittle to me. 2 sounds like the most solid option available right now. I like the fact that there’s an

[Freeipa-users] Unexpected IPA Crashes

2015-03-26 Thread David Kreuter
We have been using FreeIPA for two years and were more than happy. But for two weeks we have been facing unexpected crashes and cannot really debug the strange behaviours. The crashes are definitely not caused by connecting a new system or changing the LDAP schema heavily. Following IPA is used:

Re: [Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Matt .
Hi Dmitri, I can do, we already analyzed it once. There is a loadbalancer checking the ldap protocol which seems to be seen as fail. Is there a check I can perform on the ldap ports to see if the service is available without generating the errors? I will post a snippet later on if you have

Re: [Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera
Yes, that is right. I added the users with ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass Actually, the authentication does work for the users added this way, i.e. without making any changes to NIS clients. I just repurposed the NIS server to be the IPA server, turned off

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-26 Thread Jorgen Lundman
Petr Spacek wrote: Perfect! I can merge your changes upstream if you send me a patch with your changes. It would make your life easier later when you need to pick new code. Not a problem, I need to figure out why Solaris mkdir returns -1, with errno = 0. Goes against the manpage and all

Re: [Freeipa-users] Unexpected IPA Crashes

2015-03-26 Thread Richard Megginson
- Original Message - We have been using FreeIPA for two years and were more than happy. But for two weeks we have been facing unexpected crashes and cannot really debug the strange behaviours. The crashes are definitely not caused by connecting a new system or changing the LDAP schema

Re: [Freeipa-users] Log filling up a couple of times per day

2015-03-26 Thread Richard Megginson
- Original Message - Hi Dmitri, I can do, we already analyzed it once. There is a loadbalancer checking the ldap protocol which seems to be seen as fail. Is there a check I can perform on the ldap ports to see if the service is available without generating the errors? If

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Jakub Hrozek
On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote: Once I manually initialize the user Ticket on IPA Server using kinit username, I am able to login with and without FQDN. It's expected that IPA users are created with an expired password. But SSSD should have prompted you for a

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Natxo Asenjo
On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote: Thanks, but when I try to use the admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create. (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Yogesh Sharma
Hi Jakub, SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed. Best Regards, Yogesh Sharma

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Guertin, David S.
I would like to just clarify this a bit. The support to look up secondary groups (the group list the id command shows) for users who never authenticated was added in 7.1/6.7. Thanks. This makes sense, and indeed with Client 1 I can log in, and id 'MIDD\juser' shows all the groups

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-26 Thread Rob Crittenden
Matt . wrote: Hi Rob, Yes something is wrong there I guess. In any case, it doesn't apply to what you're trying to do. But still, I actually need to add a SAN to the webserver cert, which is different I think than the services at least. So the question there is... how? What webserver

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Yogesh Sharma
This message is coming as the user is trying to login for the first time. IPA Admin has set a password and when the user tries to login it will prompt to change. sssd logs it as password expired. Best Regards, Yogesh Sharma

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Jakub Hrozek
On Thu, Mar 26, 2015 at 08:05:03PM +0530, Yogesh Sharma wrote: Hi Jakub, SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed. And what do the logs say then, with the new password? -- Manage your subscription for the

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Yogesh Sharma
I have tried with FQDN of host also as registered, but error remain same: (Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730 [unpack_buffer] (0x0100): cmd [241] uid [131284] gid [131284] validate [true] enterprise principal [false] offline [false] UPN [te...@sd.int] (Thu Mar 26

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Yogesh Sharma
Thanks, but when I try to use the admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create. === TEST user Login Logs: (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the keyutils dependency fixed anyway :-) Martin On 03/25/2015 06:59 PM, Anthony Lanni wrote: keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I reinstalled keyutils and then ran the