Re: [Freeipa-users] Sudo rule implementation

2016-12-20 Thread Ben .T.George
Hi, thanks for your information. I have validated logs. I destroyed the current Kerberos ticket and re-initiated, then the issue was solved. Regards, Ben On Tue, Dec 20, 2016 at 2:24 PM, Jakub Hrozek wrote: > On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote: > >

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Petr Spacek
On 20.12.2016 12:41, Brian J. Murrell wrote: > On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote: >> >> So there are actually no issues with credentials, it needs more >> debugging, in past we have similar case but we haven't found the >> root >> cause why it doesn't have the right

[Freeipa-users] freeipa 4.1 replication conflict resolve issue

2016-12-20 Thread Ian Chen
Hello list, I tried to search for an answer, but no solution has come up yet. Please help. The setup with multiple nodes has IPA version: ipa-server-4.1.0-18.el7.centos.4.x86_64 After adding a replication with an old node, a replication conflict occurred. node104 dn:

Re: [Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

2016-12-20 Thread Jochen Hein
Alexander Bokovoy writes: >>* sssd has a default kerberos timeout of six seconds. >> Can be changed in /etc/sssd/sssd.conf: krb5_auth_timeout, >> which also seems to work for auth_provider = ipa, but is not >> documented in sssd-ipa(5). > sssd-ipa(5) says: > >

Re: [Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

2016-12-20 Thread Alexander Bokovoy
On ti, 20 joulu 2016, Jochen Hein wrote: Alexander Bokovoy writes: 1. KDC to ipa-otd: this can be changed in /var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger than the (largest) second timeout - and I think retries=0 is best. This is for communication

Re: [Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

2016-12-20 Thread Jochen Hein
Alexander Bokovoy writes: >>1. KDC to ipa-otd: this can be changed in >>/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger >>than the (largest) second timeout - and I think retries=0 is best. >>This is for communication between KDC and ipa-otd. >> >>2.

[Freeipa-users] ipa-replica-install command failed

2016-12-20 Thread Gady Notrica
Hello, Need some help installing replica - FREEIPA on Centos 7. My networking is run, DNS is up on the master IPA all ports are opened. But I can't isolate the problem. Any help? -- Error: The ipa-replica-install command failed, exception: SystemExit: Connection check failed! Please fix

Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2016-12-20 Thread Daniel Schimpfoessl
Thanks for getting back to me. getcert list | grep expires shows dates years in the future for all certificates ipactl start --force Eventually the system started with: Forced start, ignoring pki-tomcatd Service, continuing normal operations. systemctl status ipa

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-20 Thread Florence Blanc-Renaud
On 12/16/2016 03:54 PM, Florence Blanc-Renaud wrote: On 12/15/2016 08:01 PM, beeth beeth wrote: Hi Flo, That's a good point! I checked the dirsrv certificate and confirmed valid(good until later next year). Since I had no problem to enroll another new IPA client(RHEL7 box instead of RHEL6) to

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Brian J. Murrell
On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote: > > So there are actually no issues with credentials, it needs more > debugging, in past we have similar case but we haven't found the > root > cause why it doesn't have the right credentials after kinit. So, to be clear, all I did was

Re: [Freeipa-users] Sudo rule implementation

2016-12-20 Thread Jakub Hrozek
On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote: > Hi List, > > please help me to implement sudo rules. > > I have done the steps below and it is still not working for me. > > 1. created "Sudo Command Groups" > 2. Added some command (/bin/yum) and included in sudo group > 3. created "sudo

Re: [Freeipa-users] FreeIPA User Authorization Guidelines Required

2016-12-20 Thread Petr Vobornik
On 12/20/2016 10:58 AM, nirajkumar.si...@accenture.com wrote: > Hi FreeIPA Team, > > We have performed installation of FreeIPA Master Server and Client Server. We > are successful with user creation with home directory and sudo configuration. > > Regarding Authentication we have some questions:

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Martin Basti
On 19.12.2016 21:24, Brian J. Murrell wrote: On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote: On 19.12.2016 13:19, Brian J. Murrell wrote: On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote: Hello, could you recheck with SElinux in permissive mode? Yeah, still happens even after

Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2016-12-20 Thread Florence Blanc-Renaud
On 12/19/2016 07:15 PM, Daniel Schimpfoessl wrote: Good day and happy holidays, I have been running a freeIPA instance for a few years and been very happy. Recently the certificate expired and I updated it using the documented methods. At first all seemed fine. Added a Nagios monitor for the

[Freeipa-users] Sudo rule implementation

2016-12-20 Thread Ben .T.George
Hi List, please help me to implement sudo rules. I have done the steps below and it is still not working for me. 1. created "Sudo Command Groups" 2. Added some command (/bin/yum) and included in sudo group 3. created "sudo Rule" on that * added sudo Option as "!authenticate" * Added User Group.

[Freeipa-users] FreeIPA User Authorization Guidelines Required

2016-12-20 Thread nirajkumar.singh
Hi FreeIPA Team, We have performed installation of FreeIPA Master Server and Client Server. We are successful with user creation with home directory and sudo configuration. Regarding Authentication we have some questions: 1. Can we implement authorized key authentication for these

Re: [Freeipa-users] Add text to web login page

2016-12-20 Thread Pavel Vomacka
Hello Mike, the safest way is to create a WebUI plugin. Several examples of plugins can be found here: https://pvoborni.fedorapeople.org/plugins/ . I recommend looking at loginauth. And here is documentation about plugins: https://pvoborni.fedorapeople.org/doc/#!/guide/Plugins On

[Freeipa-users] Asking for help with crashed freeIPA istance

2016-12-20 Thread Daniel Schimpfoessl
Good day and happy holidays, I have been running a freeIPA instance for a few years and been very happy. Recently the certificate expired and I updated it using the documented methods. At first all seemed fine. Added a Nagios monitor for the certificate expiration and restarted the server (single

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-20 Thread Petr Spacek
On 8.12.2016 10:12, Pieter Nagel wrote: > On Thu, Dec 8, 2016 at 10:59 AM, Alexander Bokovoy > wrote: > >> It is really simple: your DNS domain named as your Kerberos realm must >> be under your control, one way or another, to allow automatic discovery >> of resources to