Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-14 Thread Rakesh Rajasekharan
For the error in the krb5_child.log (Tue Mar 15 04:35:51 2016) [[sssd[krb5_child[13708 [sss_child_krb5_trace_cb] (0x4000): [13708] 1458016551.87210: Received error from KDC: -1765328359/Additional pre-authentication required I deleted the sssd cache as well as the /tmp/krb5* and restarted

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-14 Thread Rob Crittenden
lejeczek wrote: > with... > > ipa: ERROR: group LDAP search did not return any result (search base: > ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, > groupofnames) > > I see users went in but later I realized that current samba's ou was > "group" not groups. > Can I just

[Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-14 Thread lejeczek
with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, groupofnames) I see users went in but later I realized that current samba's ou was "group" not groups. Can I just re-run migrations? many

[Freeipa-users] S4U2Self not working for multiple allowed targets

2016-03-14 Thread Marc Boorshtein
All, I am trying to setup delegation from OpenUnison to both the IPAWeb application and to Cockpit. I'm using a single reverse proxy for both and the same SPN and keytab for both. The integration with ipaweb went perfectly using these instructions I built:

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-14 Thread Andrew E. Bruno
On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote: > > On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: > >On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: > >>On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: > >>>On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz

Re: [Freeipa-users] sudo with OTP

2016-03-14 Thread Brad Bendy
I see that now, thanks for the link. I'll give those patches a whirl. On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose wrote: > On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote: >> Hi, >> >> I have OTP setup and working just fine for logging into any servers, >> when

Re: [Freeipa-users] sudo with OTP

2016-03-14 Thread Sumit Bose
On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote: > Hi, > > I have OTP setup and working just fine for logging into any servers, > when attempting to run any command with sudo I get a "First factor:" > prompt, I have entered my normal password but it fails. This only > happens when OTP

[Freeipa-users] sudo with OTP

2016-03-14 Thread Brad Bendy
Hi, I have OTP setup and working just fine for logging into any servers, when attempting to run any command with sudo I get a "First factor:" prompt, I have entered my normal password but it fails. This only happens when OTP is on, with OTP off sudo works like you would think. The logs on the

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-14 Thread thierry bordaz
Hi Daryl, Thanks for all the data. I will look at the pstacks. A first look shows that you capture import, bind... so may be a complete ipa-replica-install session. I will try to retrieve the specific startup time to see what was going on at that time. If you have the time to monitor only

Re: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install

2016-03-14 Thread lejeczek
On 14/03/16 12:21, Alexander Bokovoy wrote: On Mon, 14 Mar 2016, Jan Pazdziora wrote: On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote: On Sun, 13 Mar 2016, lejeczek wrote: >IPA install process configured in sssd.conf: >[domain/new.Domain] >cache_credentials = True

Re: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install

2016-03-14 Thread Alexander Bokovoy
On Mon, 14 Mar 2016, Jan Pazdziora wrote: On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote: On Sun, 13 Mar 2016, lejeczek wrote: >IPA install process configured in sssd.conf: >[domain/new.Domain] >cache_credentials = True >krb5_store_password_if_offline = True >ipa_domain =

[Freeipa-users] unable to authenticate using freeipa client

2016-03-14 Thread Rakesh Rajasekharan
I set up freeipa in my environment and works perfectly. But just on one host, I am not able to authenticate. I get a permission denied error. The sssd version I have is 1.12 the krb5_child log does point to some error, krb5_child.log (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862

Re: [Freeipa-users] krb5_server in sssd.conf after ipa-server-install

2016-03-14 Thread Jan Pazdziora
On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote: > On Sun, 13 Mar 2016, lejeczek wrote: > >IPA install process configured in sssd.conf: > >[domain/new.Domain] > >cache_credentials = True > >krb5_store_password_if_offline = True > >ipa_domain = newDomain > >id_provider = ipa >

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-14 Thread Alexander Bokovoy
On Mon, 14 Mar 2016, thierry bordaz wrote: Hi Daryl, As soon as initialized with +15 users, DS instance starts in more than a minute. I guess a plugin startup may delay the DS startup itself and some pstack during that minute will give us some info. Regarding the krb authentication this

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-14 Thread thierry bordaz
Hi Daryl, As soon as initialized with +15 users, DS instance starts in more than a minute. I guess a plugin startup may delay the DS startup itself and some pstack during that minute will give us some info. Regarding the krb authentication this is difficult to say if they are delayed by

[Freeipa-users] is error: sss_ssh_authorizedkeys returned status 1 ...

2016-03-14 Thread lejeczek
... expected when a non-member ssh connect to a domain member? hi everybody. or I missed something, I probably have, right? I see these in the logs and just after a successful ssh: sshd[17245]: Accepted publickey for root from. do I need to add non-member keys to IPA? Is this normal

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-14 Thread Ludwig Krispenz
On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote: [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog

Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-14 Thread Thomas Raehalme
Hi! On Mon, Mar 7, 2016 at 11:20 PM, Rob Crittenden wrote: > It may be preferable to label the /var/lib/puppet/ssl/* directories as > certmonger_var_lib_t but I don't know what would do to puppet. You could > trade one problem for another. A BZ against selinux might be