[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-02 Thread Harald Dunkel
Hi folks, running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian Stretch, ipa-client-install creates a bad sssd.conf file, e.g. [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider =

[Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-02 Thread Umarzuki Mochlis
After httpd failed to start even with "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf. It used to work for a while since we use this only for zimbra, but today it won't start anymore. We are not using commercial certs, so which steps should I follow to renew certs? It seems the CA has expired

[Freeipa-users] Push authentication policy using IPA

2017-03-02 Thread William Muriithi
Hello, Is there currently any way one can force IPA clients (Gnome and KDE) to authenticate users before one can have Gnome based services like browser and such? I am looking for something similar to windows GPO that one can publish to force password authentication after restart or after a

Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 03:28:38PM -0500, William Muriithi wrote: > Afternoon, > > > I have noticed that even when a network has two IPA for redundancy, > autofs doesn't seem to be able to take advantage of the remaining IPA > should one of the IPA go down. > > Is this a known issue with LDAP

[Freeipa-users] LDAP based autofs map redundancy

2017-03-02 Thread William Muriithi
Afternoon, I have noticed that even when a network has two IPA for redundancy, autofs doesn't seem to be able to take advantage of the remaining IPA should one of the IPA go down. Is this a known issue with LDAP based maps, or is it a configuration that needs to be adjusted? By the way, only about

[Freeipa-users] Kerberos authenticated NFS issue

2017-03-02 Thread William Muriithi
Afternoon. I have noticed the errors below on a RHEL 6.8 NFS client that is using an IPA 4.4 for authentication. On some systems, this error shows up a lot. The connection is fine according to nmap, but the logs imply there is an issue with the connection. What are some of the reasons that can trigger the

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 09:50:41PM +0530, deepak dimri wrote: > Hi Jakub, Actually that is what I am doing. I am creating the user with > same UID in IPA and then if I delete the user locally then I can > authenticate via IPA. Is there any way I can do this without deleting the > user? This is just

Re: [Freeipa-users] documentation or example of using S42U for NFS

2017-03-02 Thread Charles Hedrick
The repo is https://github.com/clhedrick/kerberos.git. There’s a README.md, and man pages for the individual programs. While I’m currently using these programs, we haven’t fully rolled out Kerberos yet. As we do, I expect we’ll want to add more features. (E.g. kgetcred / credserv need to

Re: [Freeipa-users] documentation or example of using S42U for NFS

2017-03-02 Thread Charles Hedrick
Thanks. That’s what I was originally looking for. However since asking it I realized that doing it without further limitations defeats the purpose of using Kerberos in the first place, since it means that anyone who becomes the user in Linux can access their files. I’m trying to make sure that

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-02 Thread Chris Herdt
On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti wrote: > > > > On 02.03.2017 16:55, Chris Herdt wrote: > > > > On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti wrote: > >> >> >> On 02.03.2017 01:07, Chris Herdt wrote: >> >> I am attempting to set up a FreeIPA

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi Jakub, Actually that is what I am doing. I am creating the user with the same UID in IPA and then if I delete the user locally then I can authenticate via IPA. Is there any way I can do this without deleting the user? This is just to use the same GID and avoid recreation of home directories. Many

[Freeipa-users] Issue with ipa-client-install v4.4.0

2017-03-02 Thread Mick Love
Hi, I seem to be having some issues trying to install the IPA client (version 4.4.0) on CentOS 7 using DNS. I can get a working install by issuing the --server flags, but I would rather do it using SRV so we can issue the command via salt to multiple servers, and should we add another replicant. We

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-02 Thread Martin Basti
On 02.03.2017 16:55, Chris Herdt wrote: > > > On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti > wrote: > > > > On 02.03.2017 01:07, Chris Herdt wrote: >> I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 >> from a FreeIPA

[Freeipa-users] Mapping root user over kerberised NFS (with gssproxy replacing rpcsvcgssd)

2017-03-02 Thread Greg
Hi All, Kerberised NFS works well with gssproxy for IPA users, but I'm unable to map root user like I was with rpcsvcgssd. I understand gssproxy does not use idmapd anymore, and the mapping has to be done in krb5 directly (/etc/krb5.conf and/or ~/.k5login). It doesn't appear to work - any

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-02 Thread Chris Herdt
On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti wrote: > > > On 02.03.2017 01:07, Chris Herdt wrote: > > I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a > FreeIPA 3.0.0 master on CentOS 6.8 following the steps at >

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote: > Hi List, > > I have sudo and normal users accessing Linux systems using their private > key without IPA. I have IPA fully functioning and now I want to switch the > users from local file login to IPA. > > Any new user I create in

[Freeipa-users] Local users migration into IPA

2017-03-02 Thread deepak dimri
Hello All, I have a whole bunch of Linux users that I want to migrate to IPA. All these users use their ssh private keys (no passwords) to log in to the Linux system. What steps should I be following to migrate existing Linux users seamlessly to the IPA server? Since the passwords are not involved I

Re: [Freeipa-users] Kerberos hanging

2017-03-02 Thread Terry John
>> I have a problem using freeipa version 3.0.0-50 on CentOS release 6.8. The >> problem manifests itself as no authentication, and no DNS. >> It seems Kerberos just stops responding to requests and requests just >> get queued up # netstat -tuna | grep SYN_RECV Active Internet >> connections

Re: [Freeipa-users] IPA 4.4 CA Replications

2017-03-02 Thread Martin Basti
Did you run ipa-ca-install on server2? On 02.03.2017 15:20, Matt Wells wrote: > Thank you for the response Martin. Server1 had no flags upon install > however CA, DNS were selected during the installation. Server2 was > joined and then the 'ipa-replica-install --skip-conn-check' used to >

Re: [Freeipa-users] IPA 4.4 CA Replications

2017-03-02 Thread Matt Wells
Thank you for the response Martin. Server1 had no flags upon install however CA, DNS were selected during the installation. Server2 was joined and then the 'ipa-replica-install --skip-conn-check' used to join it. Manual tests of the ports showed all was good but not in the installation so I had

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-03-02 Thread Brendan Kearney
On 03/02/2017 08:43 AM, Kees Bakker wrote: On 02-03-17 13:34, Brendan Kearney wrote: On 03/02/2017 05:40 AM, Kees Bakker wrote: On 24-02-17 14:38, Brendan Kearney wrote: On 02/24/2017 03:33 AM, Kees Bakker wrote: On 23-02-17 15:39, Brendan Kearney wrote: On 02/23/2017 09:11 AM, Kees Bakker

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-03-02 Thread Kees Bakker
On 02-03-17 13:34, Brendan Kearney wrote: > On 03/02/2017 05:40 AM, Kees Bakker wrote: >> On 24-02-17 14:38, Brendan Kearney wrote: >>> On 02/24/2017 03:33 AM, Kees Bakker wrote: On 23-02-17 15:39, Brendan Kearney wrote: > On 02/23/2017 09:11 AM, Kees Bakker wrote: >> On 23-02-17

[Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi List, I have sudo and normal users accessing Linux systems using their private key without IPA. I have IPA fully functioning and now I want to switch the users from local file login to IPA. Any new user I create in IPA can SSH into IPA client jump boxes fine. I want to know how I can migrate

Re: [Freeipa-users] freeipa3.0.0 can't renew certificate

2017-03-02 Thread hao
Now I execute getcert list, all certificates have status MONITORING, but there was an error ca-error: Internal error: no response to "http://ipaserver.xxx.io:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=2=true=true; At 2017-03-02 11:34:10, "hao" wrote: Hi: I have

Re: [Freeipa-users] documentation or example of using S42U for NFS

2017-03-02 Thread Greg
I've been at this as well for a while now, and managed to make it work for my NFS needs (automounting user homes with password-less logons). Whether and how this would apply to cron or other services, I don't know yet, but presumably would/should work in a similar manner. My env: $ lsb_release

Re: [Freeipa-users] Kerberos hanging

2017-03-02 Thread Terry John
Thanks for that. I have an issue with NTP but I have got around that and spent many a happy hour updating the times on my clients. The errors were in /var/log/krb5kdc.log as "clock skew too great". It's only when I got rid of them, and there were many, could I clearly see the normal operation

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-03-02 Thread Brendan Kearney
On 03/02/2017 05:40 AM, Kees Bakker wrote: On 24-02-17 14:38, Brendan Kearney wrote: On 02/24/2017 03:33 AM, Kees Bakker wrote: On 23-02-17 15:39, Brendan Kearney wrote: On 02/23/2017 09:11 AM, Kees Bakker wrote: On 23-02-17 13:51, Brendan Kearney wrote: On 02/23/2017 07:32 AM, Kees Bakker

[Freeipa-users] xrdp and free ipa

2017-03-02 Thread Craig Warner
Has anyone on the list any experience or knowledge in setting up xrdp using freeipa as authentication on CentOS 7? I have little to limited experience in both.

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-03-02 Thread Kees Bakker
On 24-02-17 14:38, Brendan Kearney wrote: > On 02/24/2017 03:33 AM, Kees Bakker wrote: >> On 23-02-17 15:39, Brendan Kearney wrote: >>> On 02/23/2017 09:11 AM, Kees Bakker wrote: On 23-02-17 13:51, Brendan Kearney wrote: > On 02/23/2017 07:32 AM, Kees Bakker wrote: >> On 22-02-17

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-02 Thread Martin Basti
On 02.03.2017 01:07, Chris Herdt wrote: I am attempting to set up a FreeIPA 4.4.0 replica on CentOS 7.3 from a FreeIPA 3.0.0 master on CentOS 6.8 following the steps at

Re: [Freeipa-users] IPA 4.4 CA Replications

2017-03-02 Thread Martin Basti
On 01.03.2017 22:00, Matt Wells wrote: I have two new IPA 4.4 servers on CentOS7 installed in a lab. I built the first, joined the second and promoted it to be a master. Thus far all went well. I then ran the ipa-ca-install and when I log back in I see that it has "domain,CA" attached to

Re: [Freeipa-users] replication breaks intermittently

2017-03-02 Thread Ludwig Krispenz
On 03/01/2017 08:18 PM, pgb205 wrote: [01/Mar/2017:18:19:48 +] agmt="cn=meTo ipa2.internal.domain" (ipa2:389) - Can't locate CSN 582301c3000d0077 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [01/Mar/2017:18:19:48 +]