[Freeipa-users] IPA 4.2 - installer changes for --external-ca

2015-12-15 Thread James Masson
IPA 4.2 hit the CentOS 7 mirrors a day or two ago. It looks like the behaviour of the installer has changed somewhat with regards to the 2 phase --external-ca install. Previously, we ran: command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}'

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 11:38:08AM -0500, Alexander Bokovoy wrote: > > > - Original Message - > > Hi, > > > > If PAC is not being used using key, how is group membership determined? > By asking IPA master to give list of groups AD user belongs to. > The complexity of this process makes

Re: [Freeipa-users] AD group members

2015-12-15 Thread Alexander Bokovoy
- Original Message - > Hi, > > If PAC is not being used using key, how is group membership determined? By asking IPA master to give list of groups AD user belongs to. The complexity of this process makes it hard to have full list of groups available in advance in all cases. MS-PAC

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi all, OK, using keys no pac responder is used. No, both sssd-1.12 and sssd-1.13 using password login secondary groups are missing. This particular user is member of 3 Posix groups (by using external groups) Only the first one (it seems the

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi, If PAC is not being used using key, how is group membership determined? Also: it feels like the Linux client is contacting AD to obtain a Kerberos ticket and not the IPA-server. (for AD users). Is that true? Winny Op

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote: > Using an EL7 client, lots of times the IPA (posix) groups are missing, > or partly missing. Doing some debugging, sssd_pac.log shows: > > (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): > Group with

Re: [Freeipa-users] confused about replica role and use

2015-12-15 Thread Petr Spacek
On 14.12.2015 19:32, Karl Forner wrote: > Hello, > > From what I understood, a freeipa replica server is a kind of backup of > another freeipa server. > Both are usable by clients, and they will dynamically update their > information. > > But I do not understand how a client will make use of the

[Freeipa-users] ipa-server-install --external-ca failed

2015-12-15 Thread Harald Dunkel
ipa-server-install asked me to get the csr signed and come back, but then it refused to continue: # ipa-server-install -n example.com -r EXAMPLE.COM --external-ca --subject="C=DE,O=example AG" --setup-dns --forwarder=8.8.4.4 --forwarder=8.8.8.8 : : The next step is to get /root/ipa.csr signed

[Freeipa-users] Cross Domain Trust

2015-12-15 Thread Zoske, Fabian
I’ve setup an IPA-Server with a handful of clients and AD-Trust. The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu Server 14.04 LTS. Our IPA-Domain is like ipa-domain.com and our AD-Domain is like ad-domain.local, but our user principals in AD are

[Freeipa-users] Announcing SSSD 1.13.3

2015-12-15 Thread Jakub Hrozek
== SSSD 1.13.3 == The SSSD team is proud to announce the release of version 1.13.3 of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly. == Feedback ==

Re: [Freeipa-users] Cross Domain Trust

2015-12-15 Thread Zoske, Fabian
In the Ubuntu krb5.conf are 2 lines more: udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} The nameservers on both system types are identical and pointing to our AD-Domain Controller. On the AD-Servers the ipa-domain.com is a conditional forwarder to the IPA-Server. I

[Freeipa-users] Freeradius, IPA network switch authentication authorization

2015-12-15 Thread Ilan Green
Has anyone ever set Freeradius & IPA for network devices like Cisco and Juniper. Having the need to provide the network device back with the authorization level e.g. for Cisco 1 to 15. This seems similar to some extent to the following:

Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates

2015-12-15 Thread Alexander Bokovoy
On Tue, 15 Dec 2015, Harald Dunkel wrote: Hi folks, apparently ipa-server-install (4.2) gets confused about the attribute sequence in the DNs of the certificates. If I use ipa-server-install --external-ca --subject="C=DE,O=example AG" then ipa's csr contains O=example AG,

Re: [Freeipa-users] confused about replica role and use

2015-12-15 Thread Petr Spacek
On 15.12.2015 13:33, Karl Forner wrote: >> All replicas should be listed in SRV records in DNS so clients will find them >> automatically. > > But then I must add the freeIPA DNS of the master AND the replica in > resolv.conf ? No, it is not necessary as long as you follow usual DNS rules - add

Re: [Freeipa-users] Cross Domain Trust

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote: > I’ve setup an IPA-Server with a handful of clients and AD-Trust. > The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu > Server 14.04 LTS. > Our IPA-Domain is like ipa-domain.com and our AD-Domain is like >

[Freeipa-users] freeipa-server-install fails to compare DNs in certificates

2015-12-15 Thread Harald Dunkel
Hi folks, apparently ipa-server-install (4.2) gets confused about the attribute sequence in the DNs of the certificates. If I use ipa-server-install --external-ca --subject="C=DE,O=example AG" then ipa's csr contains O=example AG, C=DE, CN=Certificate Authority The signed

Re: [Freeipa-users] confused about replica role and use

2015-12-15 Thread Simo Sorce
On Mon, 2015-12-14 at 19:32 +0100, Karl Forner wrote: > Hello, > > From what I understood, a freeipa replica server is a kind of backup of > another freeipa server. > Both are usable by clients, and they will dynamically update their > information. > > But I do not understand how a client will

Re: [Freeipa-users] AD group members

2015-12-15 Thread Winfried de Heiden
Hi all, Even more strange, logging in using SSH public/private keys the problem disappears and all groups are available! Strange.?! RHEL 7.2 with IPA 4.2, sssd 1.13.0-40 last updated Friday December 11 RHEL 7.2 with sssd

Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates

2015-12-15 Thread Alexander Bokovoy
On Tue, 15 Dec 2015, Harald Dunkel wrote: On 12/15/2015 02:51 PM, Alexander Bokovoy wrote: Could you please file a bug about it? I tried, but trac refused my username/password for redhat.com. Due to greylisting I haven't received the confirmation request by EMail, either. Anyway, I have to

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-15 Thread Ranbir
On Mon, 2015-12-14 at 13:51 -0500, Simo Sorce wrote: > There are a few ways to go about it. > > another way is to use a custom subtree + schema to store these emails > only. > > It really depends on what kind of tools you want to use to manage the > information too. I ended up creating normal

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote: > Hi all, > > Even more strange, logging in using SSH public/private keys the problem > disappears and all groups are available! > > Strange.?! this is expected, because if you use SSH keys no PAC is involved and hence the

Re: [Freeipa-users] freeipa-server-install fails to compare DNs in certificates

2015-12-15 Thread Harald Dunkel
On 12/15/2015 02:51 PM, Alexander Bokovoy wrote: > Could you please file a bug about it? I tried, but trac refused my username/password for redhat.com. Due to greylisting I haven't received the confirmation request by EMail, either. Anyway, I have to continue getting ipa running. Filing a bug

Re: [Freeipa-users] FreeIPA 4.2 released in RHEL-7.2!

2015-12-15 Thread Martin Kosek
On 11/20/2015 10:44 AM, Martin Kosek wrote: > Hello, > > As some of you noticed already, RHEL-7.2 with FreeIPA rebased to version 4.2 > was released yesterday! Let me just paste couple information sources if you > want to know more: > > RHEL respective release notes chapter: >