you please try to update the 389-ds-base from
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/
>
> ? I rebuilt the latest F21 389-ds-base to the repo, there were some
> related fixes.
>
> Thanks,
> Martin
>
> On 09/23/2015 05:50 PM, Michael Lasevich wrote:
Ok, something odd happened that I would love some feedback/ideas on:
We had 4.1.2 running on Fedora that we used for, among other things, OTP
authentication. I have just upgraded these to CentOS 7 with 4.1.4 running
and our OTP setup suddenly became very unstable.
Things that have changed during
he sslscan is broken, but nmap and other scanners all
confirm that RC4 is still on.
-M
On Wed, Sep 23, 2015 at 3:35 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 09/23/2015 11:00 AM, Michael Lasevich wrote:
> > OK, this is a most bizarre issue,
> >
> > I am trying to di
@redhat.com>
wrote:
>
> On 09/23/2015 05:05 PM, Michael Lasevich wrote:
>
> Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly
> to post completely non-IPA questions to this list...).
> I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on po
Ok, I just went through the process of migrating our IPA setup from 4.1.2
running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek
Copr version) and ran into a nasty bug. The replica-install crashes during
CA configuration with something like:
''/usr/sbin/pkispawn' '-s' 'CA' '-f'
OK, this is a most bizarre issue,
I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and
for the life of me cannot get it to work
I have followed many nearly identical instructions to create an LDIF file and
change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -
I actually just posted that in a previous email. The only thing I cut out
were nsSSLEnabledCiphers - but here is the complete listing:
# ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
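The thread above edits nsSSL3Ciphers by hand and then wonders why RC4 is still negotiated. One thing that helps is to evaluate the spec string offline before pushing it with ldapmodify: 389-ds reads the value as a comma-separated list of tokens, each prefixed with "+" or "-", applied left to right, with "all" and "default" as keywords. The following is an added example, not code from the thread or from 389-ds/FreeIPA. The cipher catalog is a small constructed subset of real suite names, and the treatment of "default" as "everything that is not RC4" is an assumption for this example (the server's real default list depends on its version and on allowWeakCipher).

```python
"""Evaluate a 389-ds nsSSL3Ciphers spec offline and report any RC4 suite it leaves on.

Added example, not 389-ds code. The catalog below is a constructed subset of
TLS suite names; a real server knows many more.
"""

# cipher name -> True if the suite uses RC4 (constructed subset for the example)
CIPHER_CATALOG = {
    "TLS_RSA_WITH_RC4_128_MD5": True,
    "TLS_RSA_WITH_RC4_128_SHA": True,
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA": True,
    "TLS_RSA_WITH_AES_128_CBC_SHA": False,
    "TLS_RSA_WITH_AES_256_CBC_SHA": False,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": False,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": False,
}


def enabled_ciphers(spec, catalog=CIPHER_CATALOG):
    """Apply a '+x,-y,...' spec left to right and return the set of enabled suites.

    'all' expands to every suite in the catalog. 'default' is treated here as
    every non-RC4 suite (assumption for this example only). Unknown names raise,
    which is stricter than the server, so a typo cannot silently leave RC4 on.
    """
    enabled = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        sign, name = tok[0], tok[1:]
        if sign not in "+-":
            raise ValueError(f"bad token {tok!r}: every entry must start with + or -")
        key = name.lower()
        if key == "all":
            targets = set(catalog)
        elif key == "default":
            targets = {c for c, rc4 in catalog.items() if not rc4}
        elif name in catalog:
            targets = {name}
        else:
            raise ValueError(f"unknown cipher {name!r}")
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def rc4_enabled(spec, catalog=CIPHER_CATALOG):
    """Sorted list of RC4 suites that the spec still leaves enabled (empty is what you want)."""
    return sorted(c for c in enabled_ciphers(spec, catalog) if catalog[c])


def modify_ldif(spec):
    """LDIF that replaces nsSSL3Ciphers on the entry the thread edits."""
    return (
        "dn: cn=encryption,cn=config\n"
        "changetype: modify\n"
        "replace: nsSSL3Ciphers\n"
        f"nsSSL3Ciphers: {spec}\n"
    )


if __name__ == "__main__":
    # Order matters: '+all' followed by a single '-' still leaves the other RC4 suites on.
    for spec in ("+all", "+all,-TLS_RSA_WITH_RC4_128_MD5",
                 "-all,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"):
        print(f"{spec!r:70} RC4 left on: {rc4_enabled(spec)}")
    print(modify_ldif("-all,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"))
```

Feed the LDIF from modify_ldif() to ldapmodify against the Directory Manager, restart dirsrv, and then re-read nsSSLEnabledCiphers (the attribute the thread mentions, which reports what the server actually enabled) or probe port 636 from outside, for example with `nmap --script ssl-enum-ciphers -p 636 <host>`. The offline check only tells you what the spec string asks for; a server build that ignores the setting, which is what the later replies in the thread point at, will still show RC4 on the wire.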
Is SELinux on?
On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:
Hello
I have a quite odd situation. I am using saltstack to set up FreeIPA
servers on CentOS 7 but I am getting the following error:
failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
wrote:
On Thu, 2015-02-12 at 02:20 -0500, Dmitri Pal wrote:
On 02/12/2015 01:25 AM, Michael Lasevich wrote:
Ok, after a few awkward questions from an auditor, I am starting to
face the uncomfortable truth that my understanding about how FreeIPA
works is a lot fuzzier than I would like
Ok, after a few awkward questions from an auditor, I am starting to face
the uncomfortable truth that my understanding about how FreeIPA works is a
lot fuzzier than I would like.
Specifically, the question I could not answer - where are the passwords
stored and how are they encrypted? My
To save a day of torture for those of you still on FC20 and using the
mkosek-freeipa copr repo - it appears that the package (
http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-20-x86_64/softhsm-2.0.0b1-8.fc20/softhsm-2.0.0b1-8.fc20.x86_64.rpm)
is somehow broken.
Once installed, you
in a form of password123456
correct (assuming my password is password and otp token is 123456)?
On Fri, Aug 15, 2014 at 2:29 AM, Michael Lasevich mlasev...@lasevich.net
wrote:
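The question above is about the client-side form of an OTP login: the password immediately followed by the token code, with no separator. The following is an added example, not code from the thread and not FreeIPA's own OTP implementation (which lives in the KDC and ipa-otpd). It computes HOTP per RFC 4226 and TOTP per RFC 6238, builds the concatenated value, shows how a server splits it back apart assuming fixed-length numeric codes, and verifies an HOTP code with a small look-ahead window. The secret is the RFC 4226 test secret, so the codes can be checked against the published vectors.

```python
"""HOTP/TOTP and the password+code form of an OTP login (RFC 4226 / RFC 6238).

Added example; not FreeIPA code. The secret is the RFC 4226 test key.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret (constructed input for the example)
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digest=hashlib.sha1):
    """HMAC-based OTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digest=hashlib.sha1):
    """Time-based OTP: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, digest)


def otp_password(password, token_code):
    """The value the thread asks about: password immediately followed by the code."""
    return password + token_code


def split_otp_password(value, digits=6):
    """Server-side view of the same value.

    Assumption for this example: codes are exactly `digits` decimal characters,
    so the tail is the OTP and everything before it is the password.
    """
    if len(value) <= digits or not value[-digits:].isdigit():
        raise ValueError("no trailing OTP code")
    return value[:-digits], value[-digits:]


def verify_hotp(secret, code, counter, window=3, digits=6):
    """Return the counter value that matches `code`, or None.

    Looks ahead `window` steps so a token that was pressed without logging in
    does not desynchronise the user. The caller must persist the returned
    counter + 1 so the same code cannot be replayed.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    code = hotp(TEST_SECRET, 0)
    combined = otp_password("password", code)
    print("login value:", combined)          # password755224
    print("split back: ", split_otp_password(combined))
    print("matched counter:", verify_hotp(TEST_SECRET, hotp(TEST_SECRET, 2), 0))
    print("TOTP now:", totp(TEST_SECRET))
```

The split is only unambiguous because the code length is fixed; that is why the server, not the user, has to know the token's digit count. The verify step is also where a naive implementation goes wrong: comparing with `==` instead of `hmac.compare_digest`, or failing to advance the stored counter after a successful match, turns a one-time code into a reusable one.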
Thanks, glad I asked before wasting time.
On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek jhro...@redhat.com wrote
failure]
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [map_krb5_error] (0x0020): 1043: [-1765328174][Generic preauthentication failure]
=
On Sat, Nov 22, 2014 at 1:14 PM, Michael Lasevich mlasev...@lasevich.net
wrote:
Reviving this as I am still stuck with CentOS 6.
CentOS
Sending you logs directly. Thanks.
-M
On 11/11/14, 5:33 AM, Jakub Hrozek wrote:
On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote:
I can certainly try, it would need to be compatible with CentOS 6.6 though.
-M
Thank you very much, can you try these packages?
Please note
I can certainly try, it would need to be compatible with CentOS 6.6 though.
-M
So according to the logs, the create_ccache() function failed.
Unfortunately,
we don't do a very good job of logging the failures there..
Michael, are you able to run a custom package with extra debugging? It
would
I am seeing somewhat similar behavior after upgrading from sssd 1.9 to 1.11
(CentOS 6.5 to 6.6)
I seem to be able to log in via ssh, but when I use the http PAM service, I get
inconsistent behavior - seems like sometimes it works and others it errors
out (success and failure can happen within a
perfectly well, so I’m
guessing it is an issue with the upgrade scripts.
Best regards
*David Taylor*
*From:* Michael Lasevich [mailto:mlasev...@gmail.com]
*Sent:* Friday, 7 November 2014 4:00 PM
*To:* Jakub Hrozek
*Cc:* David Taylor; freeipa-users@redhat.com
*Subject:* Re: [Freeipa
/10/14 19:18, Michael Lasevich wrote:
Makes sense. What is the solution here?
I have the latest 389-ds installed but still getting
allowWeakCipher error - how do I get around that?
-M
Sorry I don't know, I CC'ed Ludwig, he is DS guru.
I already asked to verify the schema files:
can you
What is the current best practice for backing up IPA servers? Especially
in AWS?
Given AWS strengths and weaknesses, I would love to be able to move all
of IPA data/state onto a separate drive and just snapshot it on a regular
basis - but it seems that IPA data is all over the place, so it is hard
with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server. The
base package includes
: the LDAP server and command line utilities for server
administration.
-M
On 10/30/14, 1:44 AM, Martin Basti wrote:
On 30/10/14 06:09, Michael Lasevich wrote:
Maybe I should
Makes sense. What is the solution here?
I have the latest 389-ds installed but still getting allowWeakCipher
error - how do I get around that?
-M
On 10/30/14, 11:12 AM, Martin Basti wrote:
On 24/10/14 05:17, Michael Lasevich wrote:
While upgrading from 4.0.1. to 4.1 on Fedora 20 got
Maybe I should not be doing this late at night, but I cannot find
cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config anywhere.
-M
On 10/29/14, 3:03 AM, Martin Basti wrote:
On 28/10/14 20:54, Michael Lasevich wrote:
I have a pair of servers that were both installed on clean Fedora20
4.0.1
/10/14 06:14, Michael Lasevich wrote:
Running into same thing, but running ipa-dns-install does not complete:
=
Configuring DNS (named)
[1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience
long delays
[2/8]: setting
Running into same thing, but running ipa-dns-install does not complete:
=
Configuring DNS (named)
[1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long
delays
[2/8]: setting up our own record
[3/8]: adding NS
It was a clean install of 4.0.1(not 4.0.3, I was wrong). I have upgraded to
4.1 and have not yet seen the problem recur - though I have not tested it
much yet.
On Oct 24, 2014 12:53 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Oct 23, 2014 at 05:19:38PM -0700, Michael Lasevich wrote
FreeIPA 4.0.3 server with SSSD 1.9.2 on CentOS6
Seems that group membership is completely inconsistent
Running id in shell as my user on:
* ipa server - I am a member of 2 groups
* Server that just came up and joined - 1 group
* Server that has been up for some time - 5 groups
Via UI:
Small update, it appears that once I run getent group groupname - my
user shows up in the group groupname. Odd.
(and yes, I have ran sss_cache -UG many a time)
-M
On Thu, Oct 23, 2014 at 5:15 PM, Michael Lasevich mlasev...@gmail.com
wrote:
FreeIPA 4.0.3 server with SSSD 1.9.2 on CentOS6
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one of the
two boxes:
Upgrade failed with attribute allowWeakCipher not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists
It seems the ipa no longer starts up after this. The replica server
for those who will want to
follow the script, it is an essential part of the process.
Thank you so much,
-M
On Mon, Sep 15, 2014 at 7:53 AM, Martin Kosek mko...@redhat.com wrote:
On 09/12/2014 09:19 PM, Dmitri Pal wrote:
On 09/12/2014 02:43 PM, Michael Lasevich wrote:
That is awesome, but I
to figure out how to do it (only allows me to create service
principals for existing hosts)
Any help or pointers would be greatly appreciated
-M
On Fri, Sep 12, 2014 at 4:12 AM, Dmitri Pal d...@redhat.com wrote:
On 09/11/2014 09:25 PM, Michael Lasevich wrote:
If I remember correctly, you could
If I remember correctly, you could not use SAN (Subject Alternate Names)
for certificates in FreeIPA 3.0 - is this still the case with 4?
I have hosts that automatically receive two hostnames, a long proper name
(like service-i-12345678) and a simpler cname based on an index for ease
of access
.
-M
On Fri, Aug 15, 2014 at 9:26 AM, Petr Viktorin pvikt...@redhat.com wrote:
On 08/15/2014 06:02 PM, James wrote:
On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich
mlasev...@lasevich.net wrote:
Sorry, I did not intend to belittle your efforts - just misread the code
Didn't take
- there has got to be a better,
more direct way - but I found documentation too confusing to follow at 1
am - will be a project for another day.
Thanks for your help.
-M
On Thu, Aug 14, 2014 at 6:50 PM, James purplei...@gmail.com wrote:
On Thu, Aug 14, 2014 at 8:29 PM, Michael Lasevich
mlasev
Thanks, that was actually very helpful.
Host Enrollment privilege does not actually allow you to enroll hosts,
not sure what that is about. But Host Administrators worked just fine.
-M
On Fri, Aug 15, 2014 at 1:18 AM, Martin Kosek mko...@redhat.com wrote:
On 08/14/2014 10:23 PM, Michael
Thanks, glad I asked before wasting time.
On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
I did not dive into this yet, but before I waste too much time I wanted
to
ask if centos 6.5 default ipa
I am testing a simple setup with FreeIPA 4.0.1 server and a CentOS 6.5 stock
ipa-client package and I can get the regular password to work, but not
otp login (otp login works in web ui).
As I understood this, kinit is not expected to work (requires FAST) but PAM
(which uses sssd, which is supposed to
Is there somewhere a documented minimum set of permissions required to
create a special role/account/principal to auto-join machines to the domain?
I am not all too comfortable running this as the admin user and not quite ready
to set up the orchestration needed to pre-join the host.
Thanks,
-M
--
to join it. It is not that hard to throw together, but timing in this
process can be problematic. I prefer to avoid it for the moment if I can
and just create a non-admin account for this.
On Thu, Aug 14, 2014 at 2:07 PM, James purplei...@gmail.com wrote:
On Thu, Aug 14, 2014 at 4:23 PM, Michael
take way too much work and be generally counterproductive to switch to
Puppet).
-M
On Thu, Aug 14, 2014 at 2:07 PM, James purplei...@gmail.com wrote:
On Thu, Aug 14, 2014 at 4:23 PM, Michael Lasevich
mlasev...@lasevich.net wrote:
I am not all too comfortable running this as the admin user
Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am not finding enough docs on how to
USE OTP.
Specifically I would like to force OTP authentication on specific servers
while allowing password auth in other cases. As I understand
Thanks for quick response, further questions inline.
On Mon, Aug 11, 2014 at 11:49 AM, Alexander Bokovoy aboko...@redhat.com
wrote:
On Mon, 11 Aug 2014, Michael Lasevich wrote:
Ok, I am trying to figure out how to use native OTP capabilities in
FreeIPA4 to authenticate users but I am
On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote:
On Mon, 11 Aug 2014, Michael Lasevich wrote:
So, it is NOT intended to use for border-style 2FA authentication (i.e.
VPN) - which seems may be a common use case for 2FA?
You can always supplement authentication
into checking the tokens for changes, but that seems a bit more
complicated and error-prone.
-M
On Mon, Aug 11, 2014 at 1:04 PM, Alexander Bokovoy aboko...@redhat.com
wrote:
On Mon, 11 Aug 2014, Michael Lasevich wrote:
On Mon, Aug 11, 2014 at 12:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote