Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo wrote: > hi, > > since yesterday I have a strange situation in one of our joined hosts. > > i can login using a kerberos ticket, but not using name/password. > > In /var/log/secure I see this: > > sshd[29607]:

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 09:33:48AM +0100, Troels Hansen wrote: > > - On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote: > > > > > do you see any more details if you run pdbedit with '-d 255' ? > > > > Not really: > > pdbedit -d 255 -Lv th > ... > check lock order 1

[Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, since yesterday I have a strange situation in one of our joined hosts. i can login using a kerberos ticket, but not using name/password. In /var/log/secure I see this: sshd[29607]: pam_sss(sshd:auth): received for user username: 4 (System error) -- -- Groeten, natxo

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Troels Hansen
- On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote: > > do you see any more details if you run pdbedit with '-d 255' ? > Not really: pdbedit -d 255 -Lv th ... check lock order 1 for /var/lib/samba/private/secrets.tdb lock order: 1:/var/lib/samba/private/secrets.tdb

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 10:05:19AM +0100, Natxo Asenjo wrote: > On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo > wrote: > > > hi, > > > > since yesterday I have a strange situation in one of our joined hosts. > > > > i can login using a kerberos ticket, but not using

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, this is in a centos host running 6.7, by the way. -- Groeten, natxo -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Upgrade from 4.1.4

2015-11-05 Thread Prashant Bapat
Please ignore my mails about tomcat/pki. An update fixed the issue. On 5 November 2015 at 12:58, Prashant Bapat wrote: > Looks like there are issues with dogtag and tomcat8. > http://pki.fedoraproject.org/wiki/Tomcat_8 > > On 5 November 2015 at 11:32, Prashant Bapat

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Yes, that's what I was planning to do, i.e. convert cipher names from SSL to NSS. I wasn't sure about the other settings though. Is there an equivalent NSSHonorCipherOrder? Is that implicit? Similarly, are there equivalent configs for HSTS on the mozilla page? Does NSS allow using generated DH

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, Fixed, /tmp had the wrong permissions, was not owned by root:root. Thanks for the debugging tips! -- -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi Sumit, On Thu, Nov 5, 2015 at 10:14 AM, Sumit Bose wrote: > > how can I troubleshoot this issue? > > You should check the SSSD debug logs, see > https://fedorahosted.org/sssd/wiki/Troubleshooting for details about how > to enable debug logging and where to find the logs. >

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread Alexander Bokovoy
On Thu, 05 Nov 2015, John Obaterspok wrote: Hi, I waited a couple of days and when "dnf list freeipa-server --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too late that I received 4.2.2 during "dnf system-upgrade". Any ideas how to get it going again? Or is it easier to

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread Prashant Bapat
I just upgraded a test env from 4.1.4 (F21) to 4.2.3 (F23) without issues. I had to run a dnf upgrade freeipa-server AFTER upgrading to F23 and then run ipa-server-upgrade. On 5 November 2015 at 16:20, John Obaterspok wrote: > Hi, > > I waited a couple of days and

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
Hi, I waited a couple of days and when "dnf list freeipa-server --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too late that I received 4.2.2 during "dnf system-upgrade". Any ideas how to get it going again? Or is it easier to start from scratch if I only have ~ 10 IPA

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
I'm finding that the new client to be installed is not accepting the password of my new host enrolment user. This password is working fine with kinit on other hosts and also working in the GUI. Any ideas what I am doing wrong here? On 5 November 2015 at 16:42, Andrew Holway

Re: [Freeipa-users] Unable to import OpenLDAP users/groups with migrate-ds

2015-11-05 Thread Cal Sawyer
Done and done, although imported users' membership in their OpenLDAP primary group wasn't preserved because of a catch-22: that group could be made default until it was imported, but was easily rectified via the UI. I can almost live with these gigantic UIDs set for new users but the default

[Freeipa-users] problems with NFS service principal

2015-11-05 Thread jcnt
Hello everyone, I initially followed freeipa NFS documentation for setting up external stand alone NFS server ipa host-add mickey.corp.example.org ipa service-add nfs/mickey.corp.example.org ipa-getkeytab -s razoul.corp.example.org -p nfs/mickey.corp.example.org -k /tmp/nfs.keytab uploaded

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
The now dead IPA server is still seen as authoritative for the domain. [root@freeipa-prod-a-033 centos]# dig NS cloud.foo.com +short freeipa-prod-b-032.cloud.foo.com. freeipa-prod-a-033.cloud.foo.com. freeipa-prod-a-031.cloud.foo.com. On 5 November 2015 at 17:32, Andrew Holway

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Coy Hile
Is there documentation that states explicitly which permissions are granted to the various built in roles? Original message From: Rob Crittenden Date: 11/05/2015 10:18 (GMT-05:00) To:

[Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
One of our FreeIPA replicas had its filesystem hosed so we want to remove it. Can someone show me the sequence of commands to remove a down replica? Thanks, Andrew [root@freeipa-prod-a-033 centos]# ipa-replica-manage list p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Rob Crittenden
Andrew Holway wrote: > Actually I'm starting to feel like this is a bug. Managed to get the old > IPA server back up and ran: > > "ipa-server-install --uninstall" > > Which completed successfully and gave the advice: > > Replication agreements with the following IPA masters found: freeipa- >

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
Thanks! On 5 November 2015 at 16:18, Rob Crittenden wrote: > Andrew Holway wrote: > > Some time ago I saw an article on how to set up a user that can only > > enrol clients into freeipa. > > > > Does anyone have information on how to do this because we're currently > >

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
Actually I'm starting to feel like this is a bug. Managed to get the old IPA server back up and ran: "ipa-server-install --uninstall" Which completed successfully and gave the advice: Replication agreements with the following IPA masters found: freeipa- prod-b-032.cloud.foo.com. Removing any

[Freeipa-users] FreeIPA Server with ECC certificate in LDAPS (389DS)

2015-11-05 Thread Marat Vyshegorodtsev
Hi! I've been fighting for the past week with FreeIPA and trying to make it work with my own CA certificate that is ECDSA_SHA256. Even though I somehow fixed /etc/httpd/conf.d/nss.conf to make it work (basically added correct NSSCipherSuite), LDAP (389DS) is a tough nut. The command I used is:

Re: [Freeipa-users] problems with NFS service principal

2015-11-05 Thread Rob Crittenden
j...@use.startmail.com wrote: > Hello everyone, > > I initially followed freeipa NFS documentation for setting up external stand > alone NFS server > > ipa host-add mickey.corp.example.org > ipa service-add nfs/mickey.corp.example.org > ipa-getkeytab -s razoul.corp.example.org -p

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Rob Crittenden
Coy Hile wrote: > > > Is there documentation thst states explicitly which permissions are > granted to the Various built in roles? No but it is easy enough to determine using either the UI or cli. The provided roles are more of an example than anything. If there are specific role suggestions

Re: [Freeipa-users] problems with NFS service principal

2015-11-05 Thread jcnt
On Thursday, November 5, 2015 1:54 PM, Rob Crittenden wrote: > j...@use.startmail.com wrote: >> Hello everyone, >> >> I initially followed freeipa NFS documentation for setting up external >> stand alone NFS server >> >> ipa host-add mickey.corp.example.org >> ipa

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
Thanks. After the changes, most things seem to be in order. I see two orange flags though: Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more info) Session resumption

Re: [Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-05 Thread Brian J. Murrell
On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote: > I am trying to re-enroll clients after re-installing their O/S (EL6) > using: > > # ipa-client-install --force-join ... > > Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I > am > finding that after doing that for a

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
2015-11-05 12:26 GMT+01:00 Alexander Bokovoy : > On Thu, 05 Nov 2015, John Obaterspok wrote: > >> Hi, >> >> I waited a couple of days and when "dnf list freeipa-server >> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too >> late that I received 4.2.2

Re: [Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-05 Thread Rob Crittenden
Brian J. Murrell wrote: > On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote: >> I am trying to re-enroll clients after re-installing their O/S (EL6) >> using: >> >> # ipa-client-install --force-join ... >> >> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I >> am >>

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Thanks. After the changes, most things seem to be in order. I see two > orange flags though: > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > info >

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Fraser Tweedale
On Thu, Nov 05, 2015 at 11:52:32PM -0500, Rob Crittenden wrote: > Prasun Gera wrote: > > Thanks. After the changes, most things seem to be in order. I see two > > orange flags though: > > > > Secure Client-Initiated Renegotiation *Supported* *DoS DANGER* (more > > info > >

[Freeipa-users] Can't contact LDAP Server

2015-11-05 Thread Sean Hogan
Hi All, We are having an issue where a client is showing sssd eating up 100% cpu and cannot log into it via ssh. I.e., trying to ssh to it just hangs and never prompts for password. We have to get to the box from the console at that point. Top output on client 2365 root -30 0 89600

[Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
Some time ago I saw an article on how to set up a user that can only enrol clients into freeipa. Does anyone have information on how to do this because we're currently using the admin user and this is a bit scary. Thanks, Andrew

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Rob Crittenden
Andrew Holway wrote: > Some time ago I saw an article on how to set up a user that can only > enrol clients into freeipa. > > Does anyone have information on how to do this because we're currently > using the admin user and this is a bit scary. Create a role for enrolling hosts and add the

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
Prasun Gera wrote: > Yes, that's what I was planning to do, i.e. convert cipher names from > SSL to NSS. I wasn't sure about the other settings though. Is there an > equivalent NSSHonorCipherOrder? Is that implicit? Similarly, are there > equivalent configs for HSTS on the mozilla page? Does NSS