Hi,
On 30.3.2015 at 19:42, Gould, Joshua wrote:
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote:
# auth_to_local =
RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
If you use the plugin
On 30.3.2015 14:58, Gokulnath wrote:
Thanks for the update.
The reason for weigh in the Kerberos option is to have that as an option to
disable if needed, security is more important. I had to say this because
there was a question on why I would disable it.
I would argue that by using
On 30.3.2015 11:23, Yogesh Sharma wrote:
Hi Jakub:
The FreeIPA package is not available in Amazon Linux running on an EC2 instance.
We tried to install the packages individually but it is breaking in many places.
BTW if you want FreeIPA support in Amazon Linux then please contact Amazon
support and tell
On 30.3.2015 18:00, Dmitri Pal wrote:
On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
Hi,
I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site
where only AD read-only domain controller (RODC) exists.
I'm aware that for initial establishing of trust I need access to
Yes Petr. Support Case has already been opened with them.
Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
On Tue, 31 Mar 2015, Petr Spacek wrote:
On 30.3.2015 18:00, Dmitri Pal wrote:
On 03/30/2015 11:12 AM, Srdjan Dutina wrote:
Hi,
I'm testing FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on branch site
where only AD read-only domain controller (RODC) exists.
I'm aware that for initial
The idea is that you tell all the users to either login via the migration page
or via SSSD.
If your server is in a migration mode the migration page should be
available and SSSD should detect that server is in migration mode.
In this case any authentication via SSSD will end up creating proper
On my client I still see:
03/31/2015 11:00:08 04/01/2015 11:00:07 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
03/31/2015 11:00:09 04/01/2015 11:00:07 HTTP/ldap-01.domain.local@DOMAIN.LOCAL
Should ldap-01 not be ldap as I go through my loadbalancer ?
Do I need to merge keytabs or so ?
2015-03-31 7:54
On Tue, Mar 31, 2015 at 07:56:53AM +0200, Jan Cholasta wrote:
Hi,
On 30.3.2015 at 19:42, Gould, Joshua wrote:
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote:
# auth_to_local =
RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/
auth_to_local = RULE:[1:$1 $0](^
On Tue, Mar 31, 2015 at 11:02:24AM +0200, Matt . wrote:
On my client I still see:
03/31/2015 11:00:08 04/01/2015 11:00:07 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
03/31/2015 11:00:09 04/01/2015 11:00:07
HTTP/ldap-01.domain.local@DOMAIN.LOCAL
Should ldap-01 not be ldap as I go through my
Yes, I would assume so too, but it's just kicking out possibilities of what
could make it not work.
I cannot figure out why it only logs the 401 after the known 301's in
the access_log and nothing further, apache really blocks, so kerberos
should be in the way for sure, but how.
2015-03-31 11:09
Here is some extra logging from the kerberos log:
Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.10.0.121: NEEDED_PREAUTH:
kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL,
Additional pre-authentication required
Mar 31 11:34:51
On Tue, Mar 31, 2015 at 11:38:30AM +0200, Matt . wrote:
Here is some extra logging from the kerberos log:
Mar 31 11:34:51 ldap-01.domain.local krb5kdc[2764](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.10.0.121: NEEDED_PREAUTH:
kinituser@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL,
hi,
I try to set the sudo password but I get a message: GSSAPI Error
What does this kind of message mean?
ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter new password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s:
OK, also understood.
Next item: why I don't get any logging, or it's not working as expected.
I'm actually out of options to be honest.
2015-03-31 11:54 GMT+02:00 Sumit Bose sb...@redhat.com:
On Tue, Mar 31, 2015 at 11:38:30AM +0200, Matt . wrote:
Here is some extra logging from the kerberos log:
On Tue, Mar 31, 2015 at 11:26:53AM +0200, Benoit Rousselle wrote:
hi,
I try to set the sudo password but I get a message: GSSAPI Error
What does this kind of message mean?
ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter
On 31.3.2015 14:35, Matt . wrote:
Hi Petr,
As this is not my topic it's for me quite simple.
I need to post to /ipa/json through a loadbalancer, nothing more.
i have
ldap-01.domain.tld (ipa1)
ldap-01.domain.tld (ipa2)
and my loadbalancer is ldap.domain.tld
ldap requests over a
Hi Prashant,
Check my mailings about it, it's not easy, at least not the kerberos part;
SRV records are normally used for that.
Are you talking about the webgui or the ldap part ?
Cheers,
Matt
2015-03-31 13:56 GMT+02:00 Prashant Bapat prash...@apigee.com:
Hi,
I'm trying to get 2 FreeIPA
On 31.3.2015 14:02, Matt . wrote:
Hi Prashant,
Check my mailings about it, it's not easy, at least not the kerberos part;
SRV records are normally used for that.
Are you talking about the webgui or the ldap part ?
I would recommend you to step back and describe use-case you have in mind. It
Hi,
I'm trying to get 2 FreeIPA servers in a replicated mode behind a load
balancer, specifically Amazon ELB.
I started with editing the /etc/httpd/conf.d/ipa-rewrite.conf but looks
like there is more to it than just this file.
Any suggestions ?
Thanks.
--Prashant
Hi Petr,
As this is not my topic it's for me quite simple.
I need to post to /ipa/json through a loadbalancer, nothing more.
i have
ldap-01.domain.tld (ipa1)
ldap-01.domain.tld (ipa2)
and my loadbalancer is ldap.domain.tld
ldap requests over a loadbalancer are quite simple and working, but
Hi ,
Is there a way of making the nsAccountLock attribute (User enable/disable)
to be anonymously readable ?
I'm trying to implement a SSH key lookup sshd authorized key command
script. Based on this attribute the user will be allowed to login. I need
this to be anonymously readable.
Tried
Janelle wrote:
Hello again...
Looking around, but probably just not in the right place. I would like
to be able to disable httpd on all but a pair of servers, so we kind of
force all updates to come from a master and slave pair. Just trying
to keep updates defined to 2 servers rather than
Hello again...
Looking around, but probably just not in the right place. I would like
to be able to disable httpd on all but a pair of servers, so we kind of
force all updates to come from a master and slave pair. Just trying
to keep updates defined to 2 servers rather than all of them in an
True, but we have some extra layer in between which makes the cli command
not usable (at least for the moment).
I already know how to share the keys among all servers, that works
fine, IPA/Apache/Kerberos only doesn't like the other hostname
(loadbalancer), or the client doesn't understand it.
So
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:
True, but we have some extra layer in between which makes the cli command
not usable (at least for the moment).
I already know how to share the keys among all servers, that works
fine,
Just the web UI.
Thanks.
--Prashant
On Mar 31, 2015 5:32 PM, Matt . yamakasi@gmail.com wrote:
Hi Prashant,
Check my mailings about it, it's not easy, at least not the kerberos part;
SRV records are normally used for that.
Are you talking about the webgui or the ldap part ?
Cheers,
On Tue, Mar 31, 2015 at 10:02:37AM -0400, Gould, Joshua wrote:
Klist in Windows showed one ticket for the IPA domain.
#0 Client: adm-faru03 @ test.osuwmc
Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags
Hi Petr,
We had several reasons why we did that. We wanted to use one
language for that, and also have formatted returns. There was also
some security issue which came up.
I could ask you, why does IPA json itself ? if you see what it posts
and what it gets back as result it makes it much
On 31.3.2015 16:10, Matt . wrote:
Hi Petr,
We had several reasons why we did that. We wanted to use one
language for that, and also have formatted returns. There was also
some security issue which came up.
I would be very interested in the security reason. If you see any problem with
Putty error was:
Event Log: GSSAPI authentication initialisation failed
Event Log: No authority could be contacted for authentication.The domain
name of the authenticating party could be wrong, the domain could be
unreachable, or there might have been a trust relationship failure.
On
Dmitri Pal wrote:
On 03/31/2015 09:38 AM, Janelle wrote:
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to
run it a second time because someone added either new users or groups
to your LDAP config and you want to bring those over,
On 03/31/2015 10:38 AM, Matt . wrote:
True, but we have some extra layer in between which makes the cli command
not usable (at least for the moment).
I already know how to share the keys among all servers, that works
fine, IPA/Apache/Kerberos only doesn't like the other hostname
(loadbalancer), or
On 03/31/2015 10:50 AM, Janelle wrote:
On 3/31/15 6:49 AM, Dmitri Pal wrote:
On 03/31/2015 09:38 AM, Janelle wrote:
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to
run it a second time because someone added either new users or
FreeIPA 4 is currently available in RHEL 7.1.
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steve Neuharth
Sent: Tuesday, March 31, 2015 10:02 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] freeipa 4.x packages for RHEL?
Hello,
Hi,
On 1.4.2015 at 07:09, Prashant Bapat wrote:
Hi ,
Is there a way of making the nsAccountLock attribute (User
enable/disable) to be anonymously readable ?
I'm trying to implement a SSH key lookup sshd authorized key command
script. Based on this attribute the user will be allowed to
Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
there is 1:1 mapping between DNS name-LDAP DN. This makes implementation of
dynamic updates much easier.
Well, you weren't wrong there. :) I did try a few different solutions,
first letting ARecord/NSRecord trickle
On Tue, 2015-03-31 at 17:51 +0200, Matt . wrote:
Hi Brendan,
Yes thanks for your great explanation, I have done that indeed. But in
some strange way, with only a 401 in access_log of apache I get a Non
valid ticket when I connect through my loadbalancer. I don't go by
my loadbalancer but
I've figured it out. You are right. SSSD triggers key generation. For
migrated clients though, since ypbind still runs and the NIS-plugin serves
maps, they authenticate first using NIS before SSSD. If ypbind is stopped,
it is forced to use SSSD, and then it triggers the migration. Thanks for
On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:
True, but we have some extra layer in between which makes the cli command
not usable (at least for the moment).
I already know how to share
Hi Brendan,
Yes thanks for your great explanation, I have done that indeed. But in
some strange way, with only a 401 in access_log of apache I get a Non
valid ticket when I connect through my loadbalancer. I don't go by
my loadbalancer but through it (NAT) or should it go by/next to it ?
I think
OK, that makes it even more clear.
an ldapwhoami might be an issue. As this client is known on a
different ldap server and I kinit to another ldap server. There is a
reason for this as we have out office network and our deployment
network. Users that manage are in the office ldap, user that are
On 03/31/2015 09:38 AM, Janelle wrote:
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to
run it a second time because someone added either new users or groups
to your LDAP config and you want to bring those over, if you re-run
Klist in Windows showed one ticket for the IPA domain.
#0 Client: adm-faru03 @ test.osuwmc
Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a4 - forward able renewable pre_authent
ok_as_delegate
Hello,
We're currently running RHEL in production and would love to be using all
the goodness that is FreeIPA 4 including certmonger for certificate
management. I don't see any mention of 4.x packages available for RHEL in
the mailing lists and I have run into problems using the 3.3 client
On Tue, 31 Mar 2015, Steve Neuharth wrote:
Hello,
We're currently running RHEL in production and would love to be using all
the goodness that is FreeIPA 4 including certmonger for certificate
management. I don't see any mention of 4.x packages available for RHEL in
the mailing lists and I have
I try to set the sudo password but I get a message: GSSAPI Error
What does this kind of message mean?
ldappasswd -Y GSSAPI -S -h my_server uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter new password:
SASL/GSSAPI authentication started
OK, but we need to do this using IPA or (as IPA does some things
different it seems).
Anyone testing this perhaps ? (/me is multitasking atm)
2015-03-31 20:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
Brendan Kearney wrote:
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
On Tue,
OK, but as I say, without the loadbalancer, same domain it works.
My IPA server also sees the client name and ptr as I do nat.
So you create a keytab for your host you are doing the commands from ?
I was using a user keytab and run my commands as that user, that works
to ipa-01
It's getting
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want to set up freeipa 4.1.3 on a freshly installed fedora 21.
The ipa-server-install shows the following output:
configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
But IPA is more complex and some operations will be performed directly
against the specific server name, so you need to keep 2 sets of keys
(one for the server name and one for the load
Simo,
Yes that was where I was thinking of also, so you say faking by DNS ?
@Brendan, cnames are not that nice in networks indeed.
2015-03-31 20:10 GMT+02:00 Brendan Kearney bpk...@gmail.com:
On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce
On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
But IPA is more complex and some operations will be performed directly
against the specific server name, so you need to keep 2 sets of keys
(one for the server name and one for the load balancer name), but that
does not work right now.
One
Hi all,
I want to set up freeipa 4.1.3 on a freshly installed fedora 21.
The ipa-server-install shows the following output:
configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon
On Tue, 2015-03-31 at 13:21 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote:
On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
On 03/31/2015 10:38 AM, Matt . wrote:
True, but we have some
On Tue, 2015-03-31 at 19:36 +0200, Matt . wrote:
OK, but as I say, without the loadbalancer, same domain it works.
All the more reason to capture the session and review it in wireshark.
My IPA server also sees the client name and ptr as I do nat.
So you create a keytab for your host you
On 31.3.2015 15:23, Matt . wrote:
Hi Petr,
We discussed that before indeed, but SRV is not usable in this case.
My clients are just webservers (apache) doing some executes of CURL
commands to ipa/json, actually the same commands as the webgui does
using json, but we curl it.
Do you
On 3/31/15 6:49 AM, Dmitri Pal wrote:
On 03/31/2015 09:38 AM, Janelle wrote:
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to
run it a second time because someone added either new users or groups
to your LDAP config and you want
Hi Petr,
We discussed that before indeed, but SRV is not usable in this case.
My clients are just webservers (apache) doing some executes of CURL
commands to ipa/json, actually the same commands as the webgui does
using json, but we curl it.
Do you have a better view now ?
Cheers,
Matt
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to run
it a second time because someone added either new users or groups to
your LDAP config and you want to bring those over, if you re-run
migration, it indeed brings all the new users
Hello FreeIPA people,
I must say that FreeIPA v4 looks very pretty and I am looking forward to
trying out the new features.
I'm wondering what application and tools can be used to authenticate with
the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it
how might we go about
On 03/31/2015 05:30 PM, Andrew Holway wrote:
Hello FreeIPA people,
I must say that FreeIPA v4 looks very pretty and I am looking forward
to trying out the new features.
I'm wondering what application and tools can be used to authenticate
with the OTP in freeipa. For instance, if we wanted