Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Nuno Higgs
Hello all, I will reproduce the issue tomorrow morning on a fresh LXC container. For the sestatus: # sestatus SELinux status: disabled That isn’t surprising for the host is not se-enabled, or even a RHEL/CentOS. The underlying distro supports apparmor profiles. The crappy part

[Freeipa-users] Yubikey 4 Usage

2017-02-14 Thread William Graboyes
Hello all, I am very lost at the moment, I cannot seem to get a yubikey 4 to work with freeipa. Server information: CentOS Linux Release 7.3.1611 ipa-server-4.4.0-14.el7.centos.4.x86_64 I installed the IPA admin tools on my laptop and joined it to IPA, and have successfully run the

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Lukas Slebodnik
On (14/02/17 18:52), Lukas Slebodnik wrote: >On (14/02/17 18:28), Alexander Bokovoy wrote: >>On ti, 14 helmi 2017, Nuno Higgs wrote: >>> Hello, >>> >>> It worked perfectly. >>> I am wondering why this just popped up now with this patch update. Almost >>> none of our containers hosts (and by

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Lukas Slebodnik
On (14/02/17 16:19), Nuno Higgs wrote: >Hello, > >It worked perfectly. >I am wondering why this just popped up now with this patch update. Almost >none of our containers hosts (and by inherence the containers) have SELINUX >enabled for they are primary for testing, and they are on a secure network.

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Lukas Slebodnik
On (14/02/17 18:28), Alexander Bokovoy wrote: >On ti, 14 helmi 2017, Nuno Higgs wrote: >> Hello, >> >> It worked perfectly. >> I am wondering why this just popped up now with this patch update. Almost >> none of our containers hosts (and by inherence the containers) have SELINUX >> enabled for

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Nuno Higgs
Hello, It worked perfectly. I am wondering why this just popped up now with this patch update. Almost none of our containers hosts (and by inherence the containers) have SELINUX enabled for they are primary for testing, and they are on a secure network. With this version of ipa-client, the host

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Alexander Bokovoy
On ti, 14 helmi 2017, Nuno Higgs wrote: Hello Alexander, Here are the logs. I have regenerated the error, because at the first time I hadn't the debug enabled on the domain part of the sssd.conf. After enabling the only thing reported on the sssd_domain.log on the time of the failure is: (Tue

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Nuno Higgs
Hello Alexander, Here are the logs. I have regenerated the error, because at the first time I hadn't the debug enabled on the domain part of the sssd.conf. After enabling the only thing reported on the sssd_domain.log on the time of the failure is: (Tue Feb 14 15:24:52 2017) [sssd[be[net.xpto]]]

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Alexander Bokovoy
On ti, 14 helmi 2017, Nuno Higgs wrote: Hello Lucas, No, the account is neither locked nor expired. That's the weird part. On other Centos7 / RHEL7 I can login without any issues. [root@ipa2 ~]# ipa user-status nuno --- Account disabled: False ---

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Nuno Higgs
Hello Lucas, No, the account is neither locked nor expired. That's the weird part. On other Centos7 / RHEL7 I can login without any issues. [root@ipa2 ~]# ipa user-status nuno --- Account disabled: False --- Server: ipa1 Failed logins: 0 Last

Re: [Freeipa-users] ipa-replica-install: Certificate operation cannot be completed: Unable to communicate with CMS (503)

2017-02-14 Thread Jens Timmerman
Hi Carlos, On 14/02/2017 15:11, Carlos Silva wrote: > It should be this problem: https://fedorahosted.org/freeipa/ticket/6613 Indeed this was the issue, changing in /etc/hosts ::1 localhost6.localdomain6 localhost6 to ::1 localhost localhost.localdomain

Re: [Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Lukas Slebodnik
On (14/02/17 13:00), Nuno Higgs wrote: >Hello All, > > > >I have a LXC container running Centos7, fully patched that I can't login >into in a standard IPA usage configuration: > > >Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for >user nuno 4 (System error) > System error

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Certs are valid, I will check what you mentioned. I'm also no fan of bundles, more the separate files but this doesn't seem to work always. At least for the CAroot a bundle was required. Matt 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] : > Have you validated

[Freeipa-users] Cannot login after patching on LXC Container

2017-02-14 Thread Nuno Higgs
Hello All, I have a LXC container running Centos7, fully patched that I can't login into in a standard IPA usage configuration: Feb 13 19:42:07 lxc1 sshd[1536]: pam_sss(sshd:account): Access denied for user nuno 4 (System error) Feb 13 19:42:07 lxc1 sshd[1536]: Failed password for nuno

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-14 Thread Matt .
Hi Dan, Yes I have tried that and I get the message that it misses the full chain for the certificate. My issue is more, why is the Server-Cert being removed on a certupdate? Cheers, Matt 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] : > Is the chain in

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-02-14 Thread James Harrison
Hi, Was there any outcome to this? I am running: sudo1.8.12-1ubuntu3, which is well behind up to date releases. Many thanks, James Harrison From: James Harrison To: "freeipa-users@redhat.com" ; "pbrez...@redhat.com"