Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-25 Thread Fraser Tweedale
On Tue, Oct 25, 2016 at 11:02:44AM -0700, Fil Di Noto wrote: > On Mon, Oct 24, 2016 at 9:55 PM, Fraser Tweedale wrote: > > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > >> On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale > >> wrote: >

Re: [Freeipa-users] Can't login with on client after password-auth modification

2016-10-25 Thread Matthew Carter
Works perfectly now! Thank you! On 10/25/2016 03:34 PM, Alexander Bokovoy wrote: pam_faillock.so preauth -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Can't login with on client after password-auth modification

2016-10-25 Thread Alexander Bokovoy
On Tue, 25 Oct 2016, Matthew Carter wrote: So a Gov't STIG has had me add to /etc/pam.d/password-auth: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 account

[Freeipa-users] Can't login with on client after password-auth modification

2016-10-25 Thread Matthew Carter
So a Gov't STIG has had me add to /etc/pam.d/password-auth: auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900 auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900 account required pam_faillock.so So that it

Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-25 Thread Fil Di Noto
On Mon, Oct 24, 2016 at 9:55 PM, Fraser Tweedale wrote: > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: >> On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale wrote: >> > On Sun, Oct 23, 2016 at 08:37:15PM -0700, Fil Di Noto wrote: >> >>

Re: [Freeipa-users] Replica Problem (Errors)

2016-10-25 Thread Günther J. Niederwimmer
Hello Ludwig, Thanks for the help. On Tuesday, 25 October 2016, 17:20:44 Ludwig Krispenz wrote: > On 10/25/2016 04:41 PM, Günther J. Niederwimmer wrote: > > Hello Ludwig, > > > > Thanks for the answer and help, > - attrlist_replace errors: looks like you have recreated a replica on a

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-25 Thread Bertrand Rétif
- Original Mail - > From: "Florence Blanc-Renaud" > To: "Bertrand Rétif" , freeipa-users@redhat.com > Sent: Thursday 20 October 2016 18:45:21 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > On 10/19/2016 08:18 PM,

Re: [Freeipa-users] Replica Problem (Errors)

2016-10-25 Thread Günther J. Niederwimmer
Hello Ludwig, Thanks for the answer and help, On Monday, 24 October 2016, 14:16:23 Ludwig Krispenz wrote: > On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote: > > On Monday, 24 October 2016, 09:53:21 Ludwig Krispenz wrote: > >> On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote: >

Re: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups

2016-10-25 Thread Alexander Bokovoy
On Tue, 25 Oct 2016, Frank Munsche wrote: Hi guys, we are currently evaluating free-ipa. We've used the sun one ds, sun / oracle dsee and 389 so far. All of those are easy to customize with respect to the schema, class of service, dynamic groups,... Unfortunately most applications like jenkins,

Re: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups

2016-10-25 Thread Simo Sorce
On Tue, 2016-10-25 at 15:49 +0200, Frank Munsche wrote: > Hi guys, > > we are currently evaluating free-ipa. We've used the sun one ds, sun / > oracle dsee and 389 so far. All of those are easy to customize > with respect to the schema, class of service, dynamic groups,... > Unfortunately most

Re: [Freeipa-users] PWM password self-service integration with FreeIPA

2016-10-25 Thread Simo Sorce
On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote: > I posted this on the PWM boards, and figured I'd send this along here, > too. I'm looking for feedback on this. Let me know if you find this > accurate and/or valuable. Thanks! > > > PWM setup for FreeIPA >

[Freeipa-users] Is this a bigger Problem DNSSEC ?

2016-10-25 Thread Günther J . Niederwimmer
Hello, FreeIPA 4.3.1 CentOS 7.2 I found today in /var/log/messages these entries. Is DNSSEC now broken? Thanks for an answer ct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last): Oct 25 15:41:29 ipa ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 112, in

[Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups

2016-10-25 Thread Frank Munsche
Hi guys, we are currently evaluating free-ipa. We've used the sun one ds, sun / oracle dsee and 389 so far. All of those are easy to customize with respect to the schema, class of service, dynamic groups,... Unfortunately most applications like jenkins, jira, confluence, gitblit, bitbucket, nexus and

Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-25 Thread Simo Sorce
On Tue, 2016-10-25 at 09:02 +0300, Alexander Bokovoy wrote: > On Tue, 25 Oct 2016, Fraser Tweedale wrote: > >On Tue, Oct 25, 2016 at 08:01:59AM +0300, Alexander Bokovoy wrote: > >> On Tue, 25 Oct 2016, Fraser Tweedale wrote: > >> > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > >>

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Re. There is no time difference between client and server. I checked the httpd error log and saw no errors. Same with the dirsrv error logs. Any other idea? Looking at the log, I'm wondering if this is a question of session? See there: ### ipa: DEBUG: args=keyctl pipe 44063864 ipa:

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread Martin Babinsky
On 10/25/2016 10:27 AM, bahan w wrote: Hello everyone! I have an ipa server and an ipa client both in 3.0.0-47. In order to connect via SSH to the host of the ipa-client, I use root. When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab: ### kinit -kt

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 10:50, Prasun Gera wrote: When is principal expiration triggered ? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with kerberos. It doesn't show it unless it has been set. You can set it like this: # ipa

Re: [Freeipa-users] Certmonger (or similar) for FreeBSD?

2016-10-25 Thread Rob Crittenden
David Kupka wrote: On 24/10/16 19:26, Gilbert Wilson wrote: On Oct 24, 2016, at 5:51 AM, David Kupka wrote: On 22/10/16 00:15, Gilbert Wilson wrote: We have a lot of FreeBSD systems that I would like to streamline certificate issuance and renewal. Ideally, we could

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
> > There appears to be only one case where NAME_EXP is returned: when the > client.expiration field is passed (not client.pw_expiration) > > I think "expiration" must equate to the "principal expiration" in IPA. But > only regular password expiry would give you the option of changing it. > >

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
Looking in MIT krb5 source: $ grep -R ERR_NAME_EXP . ./src/include/k5-int.h:#define KDC_ERR_NAME_EXP1 /* Client's entry in DB expired */ ./src/kdc/kdc_util.c:return(KDC_ERR_NAME_EXP); ./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
David & Brian, I'm familiar with the usual password expiration message that shows up which forces you to change the password. I've seen that before. However, I didn't see it this time, which is odd. Since I was able to kinit, I reset the password, and it started working again. I don't have an

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 08:29, David Kupka wrote: If I understood Brian correctly he was asking about expiration of NTLM password hashes. Partly. As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication. However I was also asking

[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Hello everyone! I have an ipa server and an ipa client both in 3.0.0-47. In order to connect via SSH to the host of the ipa-client, I use root. When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab: ### kinit -kt /etc/security/keytabs/.headless.keytab

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler
On 25/10/2016 00:02, Prasun Gera wrote: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread David Kupka
On 25/10/16 01:02, Prasun Gera wrote: I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or

Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-25 Thread Alexander Bokovoy
On Tue, 25 Oct 2016, Fraser Tweedale wrote: On Tue, Oct 25, 2016 at 08:01:59AM +0300, Alexander Bokovoy wrote: On Tue, 25 Oct 2016, Fraser Tweedale wrote: > On Mon, Oct 24, 2016 at 12:30:10AM -0700, Fil Di Noto wrote: > > On Sun, Oct 23, 2016 at 9:53 PM, Fraser Tweedale