to be more precise, a few minutes after I post, and a few seconds after I
get the mail with my post from freeipa-users
From: Christopher Lamb/Switzerland/IBM@IBMCH
To: "freeipa-users@redhat.com" <Freeipa-users@redhat.com>
Date: 17/05/2017 06:26
Subject:Re: [Fre
:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Best regards, Andrey Dudin
/43786908/java-gss-api-service-ticket-not-saved-in-credentials-cache-using-java
thanks
Chris
From: Simo Sorce <s...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date: 05/05/2017 11:40
Subject:Re: [Freeipa-users] Kerberos c
Hi All
Is the following statement correct?
"If a kerberos client (e.g. a FreeIPA client) holds a service ticket to a
service principal in its credentials cache, it no longer needs to interact
with the KDC to access the service (assuming the ticket is still valid).
i.e. if a kerberos client is
Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de
+ Handy+49 172 5415752 ---
On 16.06.2016 at 12:52, Christopher Lamb <
christopher.l...@ch.ibm.com> wrote:
Hi Detlev
If I have understood you correctl
Hi Detlev
If I have understood you correctly, you want to let Windows users access
Samba "shares" using their IPA username/passwords?
If so it is possible. We have both Windows and OSX workstations accessing
unix fileshares like that.
We did it more or less along the lines described here:
LDAP
"tree" (and even if required to manually edit objects )
Chris
From: Jeff Goddard <jgodd...@emerlyn.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date: 18.03.2016 16:43
Subject:Re: [Freeipa-users] Troub
Hi Jeff
When I last integrated FreeIPA and Samba I used ldapmodify to successfully
add sambaSAMAccount and sambaGroupMapping.
ldapmodify -Y GSSAPI <
To: freeipa-users@redhat.com
Date: 18.03.2016 16:11
Subject:[Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
Sent
From: Alexander Bokovoy <aboko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Petr Vobornik <pvobo...@redhat.com>, freeipa-users@redhat.com,
wodel youchi <wodel.you...@gmail.com>
Date: 02.02.2016 09:32
Subject:Re: [Freeipa
Hi Petr
I get exactly the same behaviour ever so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases
too).
In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds /
Sorry, Notes is playing up, and sent the last before I could type any text!
The POST /ipa/session/login_password is successful.
but the POST /ipa/session/json and GET /ipa/session/login_kerberos both
give 401 unauthorized
Chris
- Forwarded by Christopher Lamb/Switzerland/IBM
p to date and there is
no (significant) clock skew (freeipa-users thread) --> no clock skew
Search for any related errors in /var/log/httpd/error_log --> no errors
today
Chris
From: Martin Kosek <mko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH,
From memory (and this may have changed since) Firefox is the only supported
browser for the FreeIPA WebUI. Having said that I would welcome other
common browsers working (Chrome, Safari etc)
From: Adam Kaczka
To: Martin Kosek ,
yees, user account predates LDAP" with such low ids.
Chris
From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Sumit Bose <sb...@redhat.com>
Cc: freeipa-users@redhat.com
Date: 19.11.2015 11:20
Subject:Re: [Freeipa-users] Invalid UID in persistent keyring name
sfully login -->OK
The 2 other users I tested with yesterday (one application user, and one
real user) have ids < 1000, and therefore (on this host) cannot logon.
Now I need to google further to find where this rule is configured /
hidden.
Cheers
Chris
From: Christopher Lamb/Switzerland/IB
.
Maybe I need to do something else to change the value?
Chris
From: Sumit Bose <sb...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Jakub Hrozek <jhro...@redhat.com>, freeipa-users@redhat.com
Date: 19.11.2015 10:38
Subject:Re: [Freeipa-users]
. yamakasi@gmail.com
To: Youenn PIOLET piole...@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date: 20.08.2015 08:12
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
HI Guys,
Anyone still
The next route I will try - is the one Youenn took, using ipa-adtrust
From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date: 10.08.2015 10:03
Subject:Re: [Freeipa-users] Ubuntu Samba
--password
Results of this test tomorrow
Chris
From: Alexander Bokovoy aboko...@redhat.com
To: Rob Crittenden rcrit...@redhat.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date: 20.07.2015 15:52
Subject:Re: [Freeipa
From: Alexander Bokovoy aboko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Matt . yamakasi@gmail.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Date: 07.08.2015 23:09
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
(unless I have got completely the wrong end
of the stick) requires Active Directory in the architecture.
Chris
From: Matt . yamakasi@gmail.com
To: Youenn PIOLET piole...@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users
If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford
: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date: 05.08.2015 14:51
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi guys,
Thank you so much for your previous answers.
I realised my SID were stored
powerful user, but it is conceivable that a lesser user may not see
all the required attributes, resulting in no such user errors.
Chris
From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date
Markus
Have you checked both the cn=accounts and cn=compat trees? Users and
groups are stored in both, and both would need manipulation...
Ciao
Chris
From: markus@mc.ingenico.com
To: freeipa-users@redhat.com
Date: 04.08.2015 11:14
Subject:[Freeipa-users] FreeIPA user ID
. yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date: 04.08.2015 15:33
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
Hi Chris,
A puppet run added another passdb backend, that was causing my
FreeIPA 4.x and Samba 4.x That will allow me to play around
more destructively.
Chris
From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Youenn PIOLET piole...@gmail.com, freeipa-users@redhat.com
freeipa-users@redhat.com
Date: 05.08.2015
this cracked, we really must write a how-to on the FreeIPA
Wiki.
Chris
From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Matt . yamakasi@gmail.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date: 05.08.2015 07:31
Subject:Re: [Freeipa-users] Ubuntu Samba Server
on existing users / groups?
are the extensions missing on new users / groups?
Cheers
Chris
From: Youenn PIOLET piole...@gmail.com
To: Matt . yamakasi@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date
to move because integration has been improved.
I try to keep IPA as native as I can.
So this is the best way to go for now, even when this thread is so
old?
Thanks!
Matt
2015-08-01 9:48 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt
For a how to of Samba FreeIPA
Have you considered clock skew? It is probably not the cause here, but is
worth eliminating just in case. A difference as small as 5 minutes
between the clocks of the client and server can cause problems with
authentication.
Chris
From: Martin Kosek mko...@redhat.com
To: Matt .
again!
Matt
2015-08-03 9:53 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt
Thankfully I saved the output from those ldapmodify commands (against
FreeIPA 4.1) and was able to find it again!
In our case sambagrouptype also seems to have already been present, so
that
should
Hi,
This is nice to have confirmed.
Is it possible for you to describe what you do? It might be handy to
add this to the IPA documentation also with some explanation why...
Cheers,
Matt
2015-07-31 16:55 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi
We use the Samba extensions
Hi
We use the Samba extensions for FreeIPA. Windows 7 users connect to the
shares using their FreeIPA credentials. The only password mgmt problem
that we have is, that the users get no notice of password expiry until
suddenly their Samba user (really the FreeIPA user) password is not
accepted
changed his password.
Chris
From: Alexander Bokovoy aboko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Date: 28.04.2015 20:37
Subject:Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On Tue, 28 Apr 2015, Christopher Lamb wrote:
Hi Alexander
one of those days?
I
Hi Rob
The users do have the sambaSamAccount ObjectClass.
Or to be more precise, some have sambasamaccount (all lower case), and some
have sambaSAMAccount (mixed case)
Are objectclasses case sensitive?
Chris
From: Rob Crittenden rcrit...@redhat.com
To: Christopher Lamb/Switzerland/IBM
by:freeipa-users-boun...@redhat.com
On 07/20/2015 07:56 AM, Christopher Lamb wrote:
Hi Rob
The users do have the sambaSamAccount ObjectClass.
Or to be more precise, some have sambasamaccount (all lower case), and
some
have sambaSAMAccount (mixed case)
Are objectclasses case sensitive?
No, unless
Consistency sounds good.
How would the name change affect yum update?
Chris
From: Petr Spacek pspa...@redhat.com
To: freeipa-users@redhat.com
Date: 17.07.2015 10:49
Subject:[Freeipa-users] Rename or not to rename (packages only)?
freeipa-server - ipa-server?
Sent
, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
From: Martin Kosek mko...@redhat.com
To: Christopher Lamb christopher.l...@ch.ibm.com,
freeipa-users@redhat.com
Sent: Wednesday, June 10, 2015 9:22:03 AM
Subject: Re: [Freeipa-users] LDAP authentication for JIRA using
To: Christopher Lamb/Switzerland/IBM@IBMCH, aboko...@redhat.com,
mko...@redhat.com
Cc: freeipa-users@redhat.com
Date: 06.07.2015 08:00
Subject:AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party
tool
Hi Chris,
thanks for your help. Now we
Hi All
Is there any way on the FreeIPA side to log / debug / trace the LDAP
queries made by 3rd Party Tools against a FreeIPA Server?
In another thread we are trying to solve some problems with integration of
JIRA to FreeIPA. I think if I can see the exact LDAP queries JIRA is making
against
:Re: [Freeipa-users] Trace / Debug LDAP queries from 3rd Party
Tools against FreeIPA Server
Sent by:freeipa-users-boun...@redhat.com
On 07/07/2015 10:09 AM, Martin Basti wrote:
On 07/07/15 17:39, Christopher Lamb wrote:
Hi All
Is there any way on the FreeIPA side
=admins)
memberUid
Chris
From: markus@mc.ingenico.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, aboko...@redhat.com,
mko...@redhat.com
Cc: freeipa-users@redhat.com
Date: 06.07.2015 08:00
Subject:AW: AW: [Freeipa-users] FreeIPA mail object to use in 3rd party
Hi Christoph
have you seen this earlier thread?
https://www.redhat.com/archives/freeipa-users/2015-May/msg00124.html
I guess as that solution adds some custom fields it would break your
requirement no schema extensions, but meet the requirement user
authenticates with password.
Kind regards
Chris
an anonymous
bind to a simple bind via user / pw to get one extra attribute: mail. This
raises the question: Is there some way to configure IPA to determine which
user attributes are returned to anonymous binds?
Cheers
Chris
From: markus@mc.ingenico.com
To: Christopher Lamb/Switzerland
Hi all
I am fighting this exact problem too.
We had setup Jira, integrated to FreeIPA with the option Internal
Directory with LDAP Authentication, using anonymous bind.
This integration path means that when a FreeIPA user attempts to logon to
Jira with his FreeIPA Credentials, his user is
on FreeIPA / JIRA integration you asked for
contributions to a How to Article. I think the solution above could be
the basis of such an article.
Cheers
Chris
From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy aboko...@redhat.com,
markus@mc.ingenico.com
Cc
Hi Harold
Perhaps you should not think of FreeIPA as a product. Perhaps a better
analogy is a Product Stack. Another example would be LAMP. And as far as I
can make out, the point of the FreeIPA project is to better integrate the
various products that build the stack.
A very important factor -
ldap.usermembership.use.for.groups: false
localUserStatusEnabled: false
Sándor Juhász
System Administrator
ChemAxon Ltd.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
From: Martin Kosek mko...@redhat.com
To: Christopher Lamb christopher.l...@ch.ibm.com,
freeipa
Hi Tamas
I think the general advice is to replicate rather than to migrate. I am
sure Martin K will jump in on this.
However some weeks ago, when doing a very similar move to yours, we chose
to migrate (we were misled by some very old FreeIPA docus that have since
been archived).
In our case
Kosek mko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, Tamas Papp
tom...@martos.bme.hu
Cc: freeipa-users@redhat.com
Date: 10.06.2015 15:35
Subject:Re: [Freeipa-users] migrating 3.0 - 4.1: passwords not
migrated?
On 06/10/2015 03:32 PM
, Alexander Bokovoy
aboko...@redhat.com wrote:
On Fri, 05 Jun 2015, Christopher Lamb wrote:
Hi Martin
Thanks for updating the documentation!
The suggested solution works not only on my test servers, but also
in the
real world. This morning I
Hi All
we are interested to know if anybody has succeeded (or for that matter
failed) in using FreeIPA to provide user authentication for Atlassian
products such as JIRA or Confluence?
Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
supported, so I guess that should set
on our EL 7.1 + ipa-client 4.1 boxes, but not on our older EL 6.5
+ ipa-client 3.3.3 machines?
Is the problem down to sssd? (on the EL 6.5 machines we are running sssd
1.9.2, while on EL 7.1 we have sssd 1.12.2
Cheers
Chris
From: Martin Kosek mko...@redhat.com
To: Christopher Lamb
that the
directory to be purged is /var/lib/sss/db/, not /var/lib/sssd/db/ as
suggested earlier in this thread.
Cheers
Chris
From: Martin Kosek mko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Cc: Jakub Hrozek jhro...@redhat.com, Rob Crittenden
mko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com, Jakub Hrozek jhro...@redhat.com
Date: 03.06.2015 09:34
Subject:Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA
client on EL7.1 --Not Solved
On 06/02/2015 06:15
:11PM +0200, Christopher Lamb wrote:
Hi All
Bad news.
Over the weekend I was able to get the original problem EL7.1 / FreeIPA
4.1
host (FreeIPA client) to authenticate FreeIPA users (my test being ssh
remote login with FreeIPA user and password).
Today I tried a second machine, and had
Hi Rob
Thanks
All those commands work, and give expected results.
I will send you the install logs direct.
Cheers
Chris
From: Rob Crittenden rcrit...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com, Jakub Hrozek jhro...@redhat.com
Date
directly against the new 4.1
FreeIPA server authenticate properly.
b) EL 7.1 hosts with ipa-client 4.1 first registered against the old 3.3.3
FreeIPA server, then reregistered with the new 4.1 FreeIPA server do NOT
authenticate properly
Chris
- Forwarded by Christopher Lamb/Switzerland/IBM
+ ntpd + ipa-client, with nothing else extra.
Again I first registered against the old 3.3.3 FreeIPA Server, then
switched to the new 4.1 Server.
Once again my FreeIPA user does not authenticate.
Chris
- Forwarded by Christopher Lamb/Switzerland/IBM on 02.06.2015 18:38
-
From: Christopher
, and successfully authenticates FreeIPA users.
Any ideas?
Chris
- Forwarded by Christopher Lamb/Switzerland/IBM on 01.06.2015 19:17
-
From: Christopher Lamb/Switzerland/IBM@IBMCH
To: Alexander Bokovoy aboko...@redhat.com,
freeipa-users@redhat.com
Date: 30.05.2015 18:52
Subject
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com
Date: 29.05.2015 18:04
Subject:Re: [Freeipa-users] ssh problem with migrated FreeIPA client on
EL7.1
On Fri, 29 May 2015, Christopher Lamb wrote:
Hi All
Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL
Hi All
Some weeks ago I setup a new FreeIPA 4.1.0 on an OEL 7.1 server to replace
the existing FreeIPA 3.0.0 running on OEL 6.5, and successfully migrated
across the users.
We have 50 odd Servers that are FreeIPA clients. Today I started migrating
these one-by-one from the old FreeIPA 3.x
Hi
Yes, it's possible to operate freeIPA and Samba as you suggest, we have
been doing so for some years now (with several freeIPA and Samba versions).
Our end users use a mix of Windows and OSX laptops / workstations. These
are not members of any kind of domain. They access our file servers via
-skew.
From: Petr Vobornik pvobo...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date: 30.04.2015 12:52
Subject:Re: [Freeipa-users] Web ui error “Your session has expired.
Please re-login.” from a browser on a remote
the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.
thanks
Chris
From: Simo Sorce s...@redhat.com
To: d...@redhat.com
Cc: Rob Crittenden rcrit...@redhat.com, Christopher
Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
it right
8-)
Cheers
Chris
From: Craig White cwh...@skytouchtechnology.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, Simo Sorce
s...@redhat.com
Cc: freeipa-users@redhat.com freeipa-users@redhat.com
Date: 29.04.2015 18:03
Subject:RE: [Freeipa-users] FreeIPA WebUI
might also want to repeat the hint that if the FreeIPA Server is
running in a VM, it must NEVER be a NTPD server for other servers, as VMs
are notorious for bad time keeping.
Cheers
Chris
From: Martin Kosek mko...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa
Hi All
I wish to pick your brains on the attribute sambaPwdLastSet
We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
old 3.0.0 instance.
We are also running Samba to share files to Windows and OSX users. This
means that all the FreeIPA user accounts have the attribute
by:freeipa-users-boun...@redhat.com
On 04/27/2015 12:39 PM, Christopher Lamb wrote:
Hi All
When I use the logout dropdown the WebUI (top righthand corner of the
screen), it logs me out, then immediately reloads and logs me right back
in
again to the Users screen.
This prevents me from logging
Hi Martin
Thanks: I am glad others can benefit from my mistakes.
Cheers
Chris
From: Martin Kosek mko...@redhat.com
To: Alexander Bokovoy aboko...@redhat.com, Christopher
Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com, Robert Crittenden
rcrit
comes from the 2 hour
difference between UTC and European Summertime.
I think it would be great if the changes made by FreeIPA setup to ntp.conf
were optional - we care strongly about the content of that file!
Cheers
Chris
- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36
Hi All
When I use the logout dropdown the WebUI (top righthand corner of the
screen), it logs me out, then immediately reloads and logs me right back in
again to the Users screen.
This prevents me from logging in with a different user.
The FreeIPA Server is 4.1.0 on OEL 7.5.
I am using Web UI
...@redhat.com
To: d...@redhat.com, freeipa-users@redhat.com
Date: 25.04.2015 07:05
Subject:Re: [Freeipa-users] Web UI: Migrated Admins missing action
buttons
Sent by:freeipa-users-boun...@redhat.com
Dmitri Pal wrote:
On 04/24/2015 12:58 PM, Christopher Lamb wrote:
Hi
I
Hi All
I too am suffering from the infamous Web ui error “Your session has
expired. Please re-login.” using from browser(s) on remote client(s),
similar to the existing tickets:
https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
using a mixture of Red-hat, Fedora and FreeIPA branded
documentation.
thanks for your help
Chris
From: Dmitri Pal d...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, Rob Crittenden
rcrit...@redhat.com
Cc: freeipa-users@redhat.com
Date: 25.04.2015 15:08
Subject