Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: ok I managed to fix it by running: yum remove pam_ldap; sed -i '/pam_ldap/d' /etc/pam.d/* Thanks for pointing me to the dns problem though, that was the real deal. Is there a way to setup ipa-client without messing up with resolv.conf? like disabling t

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: I still had it because I am in the middle of a PoC for a migration, the legacy used pam_ldap and if I just remove it not only the error does not go away, but in the secure logs you also see this new error: Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: P

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Angelo Pantano
I still had it because I am in the middle of a PoC for a migration, the legacy used pam_ldap and if I just remove it not only the error does not go away, but in the secure logs you also see this new error: Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to dlopen(/lib64/security/pam_ldap.

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in: secure.log says:

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Angelo Pantano
I removed the stanza, but anyway I found one problem was the DNS. I needed to setup the nameserver in resolv.conf with the ip of the ipa server. I can kinit now but ssh is still failing, connection gets closed instead of letting me in: secure.log says: Jul 10 13:19:01 ip-10-237-186-172 sshd[5581]

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-10 Thread Orion Poplawski
On 07/08/2015 11:31 AM, Orion Poplawski wrote: > But then when I go to make a replica: > > # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 > --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX > Directory Manager (existing master) password: > > (SEC_ERROR_LIBRARY_FA

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users. Anyway this is the krb5.conf on the ipa client: #

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: and this is the error I see in krb5_child.log (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235 [main] (0x0400): Will perform online auth (Fri Jul 10 12:38:05 2015) [[sssd[krb5_child[13235 [get_and_save_tgt] (0x0400): Attempting kinit for realm

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Angelo Pantano
I am using sssd and from ipa clients the authentication is not working (works fine if I ssh on the ipa-server). I thought it could be due to the external groups being empty and not mapping the AD users. Anyway this is the krb5.conf on the ipa client: #File modified by ipa-client-install included

Re: [Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Alexander Bokovoy
On Fri, 10 Jul 2015, Angelo Pantano wrote: I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails. I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing: failed to

[Freeipa-users] wbinfo cannot pull Active Directory domain users

2015-07-10 Thread Angelo Pantano
I have a freeipa server trusting an active directory domain, if I ssh to the ipa server everything works, but if I try to ssh on an ipa client the authentication fails. I noticed on the server that the wbinfo -n 'AD\Domain Users' is failing: failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik
On 07/10/2015 04:51 PM, Jan Pazdziora wrote: On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote: Some of the dependencies are still in updates-testing repository. They have been added to the COPR repository. Now FreeIPA 4.2 could be installed even with the updates-testing repo disabl

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-07-10 Thread Alexandre Ellert
> On 30 June 2015 at 10:16, Alexandre Ellert wrote: > > >> Could you please provide the content of logfile: >> `/var/log/pki/pki-tomcat/ca/debug', around the time the error >> occurs? >> >> Thanks, >> Fraser > > When the pki-tomcatd service is trying to start, I see this message in > /var/

Re: [Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-10 Thread Lukas Slebodnik
On (10/07/15 16:19), Karl Forner wrote: >Hello, > >I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to >work. >I then realized that I used ipa-client-install version 3.3.4. >Is this a plausible cause ? >And if so, where can I get a more recent version for ubuntu/debian ? Never

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 04:09:45PM +0200, Petr Vobornik wrote: > Some of the dependencies are still in updates-testing repository. They have > been added to the COPR repository. > > Now FreeIPA 4.2 could be installed even with the updates-testing repo > disabled. Sorry for your inconvenience. I c

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-07-10 Thread Jakub Hrozek
On Thu, Jul 09, 2015 at 08:59:11PM -0700, Angelo Pantano wrote: > I have the exact same problem, have a windows AD that trusts IPA server and > an IPA client that connect to the IPA server via sssd. If I try to ssh on > the IPA client using an AD user it fails authentication. The same happens > if I

[Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-10 Thread Natxo Asenjo
hi, earlier today I was reading a post about the new freeipa version on my mobile device and got plenty of warnings about an invalid certificate. On a fedora laptop no warnings, but this is the problem: $ curl -LIv https://www.freeipa.org * Rebuilt URL to: https://www.freeipa.org/ * Hostname was

[Freeipa-users] ipa client on ubuntu and sudo rules

2015-07-10 Thread Karl Forner
Hello, I set up an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to work. I then realized that I used ipa-client-install version 3.3.4. Is this a plausible cause? And if so, where can I get a more recent version for ubuntu/debian? Thanks, Karl -- Manage your subscription for the F

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik
On 07/10/2015 02:55 PM, Jan Pazdziora wrote: On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote: On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloa

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-07-10 Thread Angelo Pantano
I have the exact same problem, have a windows AD that trusts IPA server and an IPA client that connect to the IPA server via sssd. If I try to ssh on the IPA client using an AD user it fails authentication. The same happens if I try to su - ADuser. Basically IPA server is not correctly proxying the

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 02:40:58PM +0200, Jan Pazdziora wrote: > On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: > > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! > > > > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds > > for Fedora 22 an

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik
On 07/10/2015 02:40 PM, Jan Pazdziora wrote: On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be availabl

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds > for Fedora 22 and Fedora Rawhide will be available in the official COPR > repository

Re: [Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Jan Pazdziora
On Fri, Jul 10, 2015 at 10:26:11AM +0200, Petr Vobornik wrote: > The FreeIPA team is proud to announce FreeIPA v4.2.0 release! > > It can be downloaded from http://www.freeipa.org/page/Downloads. The builds > for Fedora 22 and Fedora Rawhide will be available in the official COPR > repository

Re: [Freeipa-users] KRA? 4.2?

2015-07-10 Thread Simo Sorce
On Thu, 2015-07-09 at 17:56 -0700, Janelle wrote: > Hello, > > I see 4.2 is released today with lots of cool new features. I think I > understand the new Vault, but am not familiar with KRA? Wondering if > there might be some information on what this is? KRA is the name of the Dogtag project co

[Freeipa-users] Announcing FreeIPA 4.2.0

2015-07-10 Thread Petr Vobornik
The FreeIPA team is proud to announce FreeIPA v4.2.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds for Fedora 22 and Fedora Rawhide will be available in the official COPR repository . This announ