Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Sumit Bose
On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote: > HI > > The plot thickens. I think I actually have 2 issues: > > The first issue is that in the title of this thread, and was caused by "the > wrong kernel". > > The second issue, that some ipa users cannot log on (but mine can),

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 10:05:19AM +0100, Natxo Asenjo wrote: > On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo > wrote: > > > Hi, > > > > since yesterday I have a strange situation in one of our joined hosts. > > > > I can log in using a Kerberos ticket, but not using name/password. > > > > In /var

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 09:33:48AM +0100, Troels Hansen wrote: > > - On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote: > > > > > do you see any more details if you run pdbedit with '-d 255' ? > > > > Not really: > > pdbedit

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Sumit Bose
h gid > > around > > 500, and current ID range in IPA set to start at 2000, which was my start > > UID on > > the old LDAP. > > > > Is it possible to "reset" the base UID/GID that IPA assigns to the next > > user? I > > can't find it

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Sumit Bose
ere is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this. HTH bye, Sumit > > - On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote: > > > On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote: > >> Hi again, so I finally got time to look

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-03 Thread Sumit Bose
On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote: > Hi again, so I finally got time to look further into this. > > This task works: > > dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config > add:objectclass:top,extensibleObject > add:cn:$TIME-$FQDN-$LIBARCH > add:nsslapd

Re: [Freeipa-users] FreeIPA dogtag pkinit

2015-10-30 Thread Sumit Bose
On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote: > Hello, > > I search a way to use pkinit > (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with > FreeIPA (even without dogtag). > > Can someone give me a howto for this ? I can follow the steps described in th

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Sumit Bose
On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote: > Well, I think the problem here being that I miss the attributes. > One "funny" thing being that apparently, some users have had ipantuserattrs > objectclass and a ipaNTSecurityIdentifier SID added. Some don't (including > mine). >

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread Sumit Bose
On Fri, Oct 16, 2015 at 04:01:08PM +0200, Fujisan wrote: > Yes, sorry, you're right. It works. I was using the wrong command: > > $ ldapsearch -x -h localhost uid=smith > > instead of > > $ ldapsearch -x -h localhost -D cn=directory\ manager -W -b > cn=users,cn=accounts,dc=example,dc=test uid=sm

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-09 Thread Sumit Bose
taken from a suitable LDAP attribute from AD. Since this happens in the common code for user lookup, it is executed for IPA users as well. But I agree that this message is annoying and created https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users. bye, Sumit > > ? > > Regards, >

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-07 Thread Sumit Bose
On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote: > All, > > I have an IPA 4.1 installation that works perfectly. We just suffer from > slow logins (this is also slow in other operations such as invoking SUDO) > > IPA user: > > 1st. login: 30 seconds > 2nd login: 8 seconds > 3rd lo

Re: [Freeipa-users] RedHat IdM Active Directory Integration

2015-10-07 Thread Sumit Bose
On Tue, Oct 06, 2015 at 01:48:21PM -0500, Lesley Kimmel wrote: > Hi all; > > I'm working on an initiative to centralize user accounts in Active Directory. > We have a large RHEL (6+) footprint and want to manage these as well. I am > a Red Hat Engineer on the project and, while it is possible to inte

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-07 Thread Sumit Bose
On Tue, Oct 06, 2015 at 03:39:43PM +0200, Alexander Skwar wrote: > Hello Sumit > > ipa-client-install hasn't set krb5_realm. I did that. > > We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf > in chef. So it overwrote, whatever ipa-client-install put there. And that's > h

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-06 Thread Sumit Bose
ye, Sumit > > > > Thanks for your time and help ;) > > Cheers, > Alexander > > > > 2015-10-05 14:07 GMT+02:00 Sumit Bose : > > > On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote: > > > Hi > > > > > > Hm, the

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Sumit Bose
On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote: > Hi > > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try > to login with SSH and enter a password. Can you try to increase the debug_level to 0xFFF0? > > kinit doesn't work. > > $ kinit -k > kinit: Permi

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-02 Thread Sumit Bose
On Fri, Oct 02, 2015 at 04:28:57PM +0200, Alexander Skwar wrote: > Hello > > How do I get password authentication to work with freeipa-client > 3.3.4-0ubuntu3.1 on Ubuntu 14.04 for ssh and sudo? > > Long version follows :) > > We've got an IPA server with the Red Hat Identity Management server >

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote: > Ok, but now I've another problem :) > > If I disable the default allow_all HBAC rule creating one custom HBAC rule > that enables ad_admins to access any host any service, kerberos ticket via > ssh does not work. > Username/passwor

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote: > The Pro edition. > > I've solved my connection problem, I have to specify manually the username ( > name.surname@ad_domain.com) with Microsoft SSPI. > In this mode it is ok, but using Putty "Use system username" does not work for > me.

Re: [Freeipa-users] different EMail Addresses

2015-08-31 Thread Sumit Bose
On Sun, Aug 30, 2015 at 09:29:31PM +0300, Alexander Bokovoy wrote: > On Sun, 30 Aug 2015, Günther J. Niederwimmer wrote: > >Hello, > > > >what is the way to read a different EMail Address from freeIPA? > > > >My system is a centos 7 > > > >When I create a user "joe", on a system like ipa.example.co

Re: [Freeipa-users] ssh_exchange_identification: Connection closed by remote host

2015-08-28 Thread Sumit Bose
On Fri, Aug 28, 2015 at 05:10:31PM +0200, Roberto Cornacchia wrote: > Hi, > > I have two hosts, "photon" and "hadron", and an LDAP user "roberto". > The user can login successfully on both machines. > > The SSH pub key is uploaded > . > Running "sss_ssh_authorizedkeys roberto" from both clients r

Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Sumit Bose
On Fri, Jul 31, 2015 at 09:23:53AM -0500, Dan Mossor wrote: > On 07/31/2015 02:52 AM, Sumit Bose wrote: > > > >Thank you for the detailed analysis. I guess the 'server was > >inaccessible' error is due to the fact that currently FreeIPA does not > >have a glob

Re: [Freeipa-users] Setting up Active Directory trusts in a secure environment

2015-07-31 Thread Sumit Bose
On Thu, Jul 30, 2015 at 05:35:53PM -0500, Dan Mossor wrote: > Greetings, folks. > > So, I've been fighting with getting a trust set up between FreeIPA 4.1 on > CentOS 7.1 and Windows Server 2008r2 for nearly a week. Today I finally came > to a conclusion as to what my issue is. > > I operate a se

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-23 Thread Sumit Bose
On Thu, Jul 23, 2015 at 10:21:41AM +0200, Marisa Sandhoff wrote: > Hi Sumit, > > > > > I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to > > 10M and since I didn't do any tuning I would expect that this is some > > default. > > > > Perhaps we should start with increasing the

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-23 Thread Sumit Bose
On Thu, Jul 23, 2015 at 09:18:43AM +0200, Torsten Harenberg wrote: > Hi Sumit, > > > > The principal looks strange, I would at least expect the fully-qualified > > name of the ipa server here. What does the 'hostname' command return? It > > [root@ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname >

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-23 Thread Sumit Bose
On Thu, Jul 23, 2015 at 08:35:45AM +0200, Torsten Harenberg wrote: > Huu.. situation is getting worse. > > Even after a full reboot, slapd does not start at all anymore on the > primary server. > > This is the full log (looks like the realm is missing suddenly?): > ... > [23/Jul/2015:08:25:09

Re: [Freeipa-users] Samba Failing to start (Causing FreeIPA to not start!)

2015-07-22 Thread Sumit Bose
On Wed, Jul 22, 2015 at 11:14:51AM -0700, William Graboyes wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi All, > > I have been messing around with AD trust installs mainly around doing > ntlm_auth for a radius server. > > However, as I was unable to see some of the needed reso

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-22 Thread Sumit Bose
On Wed, Jul 22, 2015 at 11:39:25AM +0200, Torsten Harenberg wrote: > Dear Alexander, dear Sumit, > > thank you very much indeed for the quick replies. > > Am 22.07.15 um 11:21 schrieb Sumit Bose: > > Looks like there are issues getting the needed data from the local LDAP >

Re: [Freeipa-users] Kerberos hanging approx. once a day

2015-07-22 Thread Sumit Bose
On Wed, Jul 22, 2015 at 11:06:53AM +0200, Torsten Harenberg wrote: > Dear community, > > we just moved our infrastructure (about 200 node cluster plus about 30 > workstations) from NIS to FreeIPA (version 4.1.4 on FC 21). > > We have two IPA servers (called "ipa" and "ipa2" both paravirtualized o

Re: [Freeipa-users] UPN suffixes in AD trust

2015-07-09 Thread Sumit Bose
On Thu, Jul 09, 2015 at 12:36:53PM +0200, Giorgio Biacchi wrote: > On 06/29/2015 03:11 PM, Sumit Bose wrote: > > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote: > >> On 06/29/2015 10:30 AM, Sumit Bose wrote: > >>> On Mon, Jun 29, 2015 at 10:04:04A

Re: [Freeipa-users] strange password error..

2015-07-07 Thread Sumit Bose
On Mon, Jul 06, 2015 at 02:25:56PM -0700, Janelle wrote: > On 7/6/15 10:44 AM, Simo Sorce wrote: > >On Mon, 2015-07-06 at 10:11 -0700, Janelle wrote: > >>Hello all, > >> > >>Is there any known bug that would cause: > >> > >>Password change failed. Server message: Current password's minimum life > >

Re: [Freeipa-users] sssd and ipa+ad trust, ssh login errors

2015-07-03 Thread Sumit Bose
On Fri, Jul 03, 2015 at 07:52:12PM +0300, l...@avc.su wrote: > OK, seems like I've found the cause. > > /etc/sssd/sssd.conf > default_domain_suffix = zone.local > > If I comment this out, I can login using password or publickey with ipa user > and using password with AD user, but I need to specif

Re: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error

2015-07-03 Thread Sumit Bose
On Fri, Jul 03, 2015 at 03:30:38PM +0100, David Fox wrote: > On 2015-07-02 12:47, Sumit Bose wrote: > >On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote: > >>I am encountering issues trying to integrate FreeIPA with AD, on *nix > >>promp > >>I get

Re: [Freeipa-users] IPA ERROR: non-public: TypeError -- ipa trust-add internal server error

2015-07-02 Thread Sumit Bose
On Wed, Jul 01, 2015 at 02:37:44PM +0100, David Fox wrote: > I am encountering issues trying to integrate FreeIPA with AD, on *nix promp > I get "internal server error" and within I receive the following message in > httpd_errorlog. > It looks like we ask AD if it already has a trust to a domain ca

Re: [Freeipa-users] username case sensitivity

2015-07-01 Thread Sumit Bose
On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote: > On Tue, Jun 30, 2015 at 08:16:05PM +, Andy Thompson wrote: > > > > > > > > On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote: > > > > >On (15/05/15 17:27), Andy Thompson wrote: > > > > >>Is there a wa

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Sumit Bose
On Tue, Jun 30, 2015 at 09:31:55AM +0200, Jakub Hrozek wrote: > On Tue, Jun 30, 2015 at 09:22:13AM +0200, Sumit Bose wrote: > > On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote: > > > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > >

Re: [Freeipa-users] Using FreeIPA OTP in a PAM module

2015-06-30 Thread Sumit Bose
On Tue, Jun 30, 2015 at 09:09:19AM +0200, Jakub Hrozek wrote: > On Tue, Jun 30, 2015 at 11:34:55AM +0530, Prashant Bapat wrote: > > Hi, > > > > I was able to set this up in a Fedora instance with SSSD and it works as > > expected. SSHD first uses the public key and then prompts for password > > wh

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-29 Thread Sumit Bose
On Mon, Jun 29, 2015 at 03:49:37PM +0200, Jakub Hrozek wrote: > On Mon, Jun 29, 2015 at 03:11:57PM +0200, Sumit Bose wrote: > > On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote: > > > On 06/29/2015 10:30 AM, Sumit Bose wrote: > > > > On Mon, Jun 29, 201

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-29 Thread Sumit Bose
On Mon, Jun 29, 2015 at 11:24:00AM +0200, Giorgio Biacchi wrote: > On 06/29/2015 10:30 AM, Sumit Bose wrote: > > On Mon, Jun 29, 2015 at 10:04:04AM +0200, Giorgio Biacchi wrote: > >> On 06/26/2015 08:06 PM, Sumit Bose wrote: > >>> On Fri, Jun 26, 2015 at 04:34:05P

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-26 Thread Sumit Bose
On Fri, Jun 26, 2015 at 04:34:05PM +0200, Giorgio Biacchi wrote: > > > On 06/26/2015 02:38 PM, Sumit Bose wrote: > > On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > >> On 06/25/2015 05:44 PM, Sumit Bose wrote: > >>> On Thu, Jun 25, 2015

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-26 Thread Sumit Bose
On Thu, Jun 25, 2015 at 07:00:34PM +0200, Giorgio Biacchi wrote: > On 06/25/2015 05:44 PM, Sumit Bose wrote: > > On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > >> On 06/25/2015 02:10 PM, Sumit Bose wrote: > >>> On Thu, Jun 25, 2015 at 01:06:22P

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Sumit Bose
On Thu, Jun 25, 2015 at 04:29:37PM +0200, Giorgio Biacchi wrote: > On 06/25/2015 02:10 PM, Sumit Bose wrote: > > On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > >> On 06/25/2015 12:56 PM, Sumit Bose wrote: > >>> On Thu, Jun 25, 2015 at 12:22:16P

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Sumit Bose
On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote: > On 06/25/2015 12:56 PM, Sumit Bose wrote: > > On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > >> On 06/24/2015 06:45 PM, Sumit Bose wrote: > >>> On Wed, Jun 24, 2015 at 05:11:07P

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-25 Thread Sumit Bose
On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote: > On 06/24/2015 06:45 PM, Sumit Bose wrote: > > On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > >> Hi everybody, > >> I established a bidirectional trust between an IPA server (versi

Re: [Freeipa-users] UPN suffixes in AD trust

2015-06-24 Thread Sumit Bose
On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote: > Hi everybody, > I established a bidirectional trust between an IPA server (version 4.1.0 on > CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local. > Everything is working fine, and I'm able to authenticate an

Re: [Freeipa-users] Very Odd Fedora 21 Auth Issue (Server: IPA 4.1.0)

2015-06-23 Thread Sumit Bose
On Tue, Jun 23, 2015 at 05:24:32PM +1000, craig.red...@shakenautomotive.com.au wrote: > Hi, > This is one odd issue?! > > Red Hat Enterprise Linux 7.1 > > #Server Side > Red Hat Enterprise Linux Server release 7.1 (Maipo) > ipa-server-4.1.0-18.el7_1.3.x86_64 > > #Client side > Fedora release 2

Re: [Freeipa-users] Question for AD trust and Webservices

2015-06-17 Thread Sumit Bose
On Wed, Jun 17, 2015 at 08:21:22AM +, Henry Hofmann wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > > It should be possible, yes - if you target web service/Red Mine to the > > compat tree, as it was done for example in this integration: > > > > http://www.freeipa.org/page/HowT

Re: [Freeipa-users] Cannot login with GSSAPI to IPA client

2015-06-17 Thread Sumit Bose
On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote: > I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd > 1.11.6-30. The server is CentOS 7 / IPA 4.1.3 > > When I try to log in using MIT kerberos and a valid ticket it works on one > client, and fails on

Re: [Freeipa-users] How to handle users with multiple homedirs on different machines?

2015-06-03 Thread Sumit Bose
On Wed, Jun 03, 2015 at 08:29:20AM +0200, Lukas Slebodnik wrote: > On (02/06/15 17:07), swartz wrote: > >I have an environment that spans across multiple physical locations where > >there is a mix of Linux and Solaris workstations/servers. So far we've been > >managing accounts (/etc/password) via P

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote: > On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: > > On (11/05/15 14:57), Vangass wrote: > > >Hi, > > > > > >I try to access Cisco switch via ssh. Cisco has tacacs login configure

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: > On (11/05/15 14:57), Vangass wrote: > >Hi, > > > >I try to access Cisco switch via ssh. Cisco has tacacs login configured. > > > ># tail /var/log/secure > >May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): > >authenti

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-07 Thread Sumit Bose
On Wed, May 06, 2015 at 11:15:15AM -0700, nat...@nathanpeters.com wrote: > Ok, I have attempted to set this up by adding the AD domain to my > configuration and it still isn't working. > I just want to confirm what I'm trying to accomplish here before I list > what I've done to troubleshoot this. >

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
On Tue, May 05, 2015 at 09:14:52PM -0700, Nathan Peters wrote: > From this link: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb > > The diagram in that section shows the client communicating wi

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
On Tue, May 05, 2015 at 09:53:38AM -0700, nat...@nathanpeters.com wrote: > Hmm, so if this is the [realms] section of my /etc/krb5.conf what do I > have to do ? > > [realms] > IPADOMAIN.NET = { > kdc = dc1.ipadomain.net:88 > master_kdc = dc1.ipadomain.net:88 > admin_server = dc1.ipadomain.n

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-05 Thread Sumit Bose
On Tue, May 05, 2015 at 09:09:51AM -0700, nat...@nathanpeters.com wrote: > I am having some strange issues after upgrade from FreeIPA 4.1.2 to > 4.1.3/4.1.4 on CentOS 7. > > Here is my setup: > FreeIPA domain : ipadomain.net > Trusted AD domain : sub.addomain.net > > In my AD domain, we have our

Re: [Freeipa-users] LDAP bind failing on new IPA setup

2015-04-17 Thread Sumit Bose
On Fri, Apr 17, 2015 at 10:29:31AM -0400, Gould, Joshua wrote: > We setup our new IPA server (RHEL7) with a trust against our AD domain. The > trust and ID range look right in IPA > > [root sssd]# ipa trust-show > Realm name: example.com > Realm name: EXAMPLE.COM > Domain NetBIOS name: EXAMPL

Re: [Freeipa-users] posix ids not propagating

2015-04-17 Thread Sumit Bose
changes are available on all replicas. The DNA plugin has its own scheme to distribute the data, see e.g. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html for details. bye, Sumit > On Apr 17, 2015 3

Re: [Freeipa-users] posix ids not propagating

2015-04-17 Thread Sumit Bose
On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote: > I ran this command on each of my IPA servers and one returned a usable > response: ipa idrange-find > > --- > 1 range matched > --- > Range name: HOSTNAME.LAN_id_range > First Posix ID of the range: 19202

Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-02 Thread Sumit Bose
On Wed, Apr 01, 2015 at 01:20:44PM +0200, Martin Babinsky wrote: > On 04/01/2015 10:14 AM, Traiano Welcome wrote: > >Hi Martin > > > > Thanks for the response. Check results inline: > > > > > >On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote: > >>On 04/01/2015 09:20 AM, Traiano Welcome wrot

Re: [Freeipa-users] Troubleshooting SSO

2015-03-31 Thread Sumit Bose
ix.test.osu...@unix.test.OSUWMC = 2 > > Verbose logging in putty gave the following error: > Which errors do you see when using ssh in the IPA client after calling kinit? Or is it working in this case? bye, Sumit > > On 3/31/15, 3:30 AM, "Sumit Bose" wrote: >

Re: [Freeipa-users] generic failure: GSSAPI Error: Unspecified GSS failure

2015-03-31 Thread Sumit Bose
On Tue, Mar 31, 2015 at 11:26:53AM +0200, Benoit Rousselle wrote: > hi, > > I try to set the sudo password but I get a message : GSSAPI Error > > What does this kind of message mean? > > ldappasswd -Y GSSAPI -S -h my_server > uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com > New password: > Re

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Sumit Bose
> > Yes I would assume too, but it's just kicking out possibilities what > > could make it not working. > > > > I cannot figure out why it only logs the 401 after the known 301's in > > the access_log and nothing further, apache really blocks, so kerberos > >

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-31 Thread Sumit Bose
OST /ipa/json HTTP/1.1" 301 > > 258 > > 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" > > 301 259 "https://ldap.domain.local/ipa/json"; "-" > > 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTT

Re: [Freeipa-users] Troubleshooting SSO

2015-03-31 Thread Sumit Bose
On Tue, Mar 31, 2015 at 07:56:53AM +0200, Jan Cholasta wrote: > Hi, > > Dne 30.3.2015 v 19:42 Gould, Joshua napsal(a): > > > >On 3/30/15, 11:56 AM, "Dmitri Pal" wrote: > > > >>># auth_to_local = > >>>RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/ > >>>auth_to_local = RULE:[1:$1

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
: mm_request_send > entering: type 12 [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: mm_auth_password: > waiting for MONITOR_ANS_AUTHPASSWORD [preauth] > Mar 30 09:57:23 mid-ipa-vp01 sshd[12793]: debug3: > mm_request_receive_expect entering: type 13 [preauth] > Ma

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould, Joshua wrote: > SSO works intermittently. I’m having trouble tracing the issue. Here is what > I see from /var/log/secure. Where should I look for more detail to figure out > why the SSO login is failing? assuming you have a valid Kerberos ticket

Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

2015-03-30 Thread Sumit Bose
On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote: > Hi, > > I just got home and am typing from my cell so I'm quite short in words > > Create keytab for ldap-01.domain > Kinit with that to ldap.domain > Curl against ldap.domain > Get a 301 which I manage from curl (goes well) > Get kerberos ti

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Sumit Bose
On Fri, Mar 27, 2015 at 05:16:20PM +, Guertin, David S. wrote: > >The most likely reason for 'Protocol error' is that the server this client is > >connected to does not support the special LDAP extended operation used by > >SSSD on IPA clients to get the data for users and groups from trusted >

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Sumit Bose
On Fri, Mar 27, 2015 at 02:23:27PM +, Guertin, David S. wrote: > >To see why the login fails it would be good to > >know how you try to log in (I assume ssh) and which authentication method > >is used (password, ssh key, Kerberos ticket). > >Additionally the SSSD log files might be needed, most

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Sumit Bose
On Thu, Mar 26, 2015 at 03:24:06PM +, Guertin, David S. wrote: > >I would like to just clarify this a bit. The support to look up secondary > >groups > >(the group list the id command shows) for users who never authenticated > >was added in 7.1/6.7. > > Thanks. This makes sense, and indeed

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-26 Thread Sumit Bose
On Wed, Mar 25, 2015 at 08:01:36PM -0400, Dmitri Pal wrote: > On 03/25/2015 11:44 AM, Simo Sorce wrote: > >On Wed, 2015-03-25 at 14:46 +, Guertin, David S. wrote: > >>Follow-up: today I tried clearing the sssd cache and restarting sssd on all > >>three clients, and all three lost their AD user

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Sumit Bose
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: > On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: > >> Hi there, > >> > >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA > >> setup (described here: > >> http://www.freeipa.org/images/0/0d/FreeIPA33

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-19 Thread Sumit Bose
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: > Hi there, > > I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup > (described here: > http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able > to authenticate AIX 7.1 clients against an A

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Sumit Bose
On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: > On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: > > On Tue, 17 Mar 2015, Gould, Joshua wrote: > > >I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need > > >to match what's in ipa idrange-find --

Re: [Freeipa-users] Filter/Block/Limit Interaction with Multiple Domain Controllers

2015-03-10 Thread Sumit Bose
On Mon, Mar 09, 2015 at 08:27:05PM -0400, Dmitri Pal wrote: > On 03/09/2015 03:40 PM, Jakub Hrozek wrote: > >On Mon, Mar 09, 2015 at 02:58:14PM -0400, Dmitri Pal wrote: > >>On 03/09/2015 02:29 PM, Traiano Welcome wrote: > >>>Hi Alexander > >>> > >>> Thanks for the response: > >>> > >>>On Mon, Mar

Re: [Freeipa-users] Root overrides HBAC rules for the command su

2015-02-24 Thread Sumit Bose
On Tue, Feb 24, 2015 at 09:15:11AM +, Bloemen, Jurriën wrote: > Hi, > > In FreeIPA you can create users and restrict on which hosts the user can > login to. This is all great and works fine. > > If user1 is logged in to a system, knows the password of user2 and issues > the command "su" t

Re: [Freeipa-users] [Solved] Help with debugging HBACs

2015-02-18 Thread Sumit Bose
'sourceHostCategory' attribute to rules. Though, I would imagine I would > > have to do this for *all* rules if I want them to work as intended. I'll > > report back my findings tomorrow. > > > > Thanks, > > -Andrew > > > > On Mon, Feb 16

Re: [Freeipa-users] Help with debugging HBACs

2015-02-16 Thread Sumit Bose
On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote: > Hi FreeIPA Users- > > I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and > a single user ('testuser'). The only HBAC rule I currently have is the > stock allow_all. Yet, when I attempt to log into the host

Re: [Freeipa-users] one way AD trust relationship

2015-02-06 Thread Sumit Bose
On Fri, Feb 06, 2015 at 10:16:37AM +0200, Alexander Bokovoy wrote: > On Thu, 05 Feb 2015, Nicolas Zin wrote: > >Hi, > > > >is it possible to create a one way AD trust relationship with FreeIPA/IDM > >3.3? > No. > > >- From Windows I created an incoming one-way trust relationship, with a > >trust

Re: [Freeipa-users] freeipa authentication token manipulation error

2015-01-13 Thread Sumit Bose
On Tue, Jan 13, 2015 at 12:48:18PM +0530, Rakesh Rajasekharan wrote: > >>>Does it work for the same user from the client if you reset password on > the server, authenticate from the client and then force reset again on the > server? > When I force reset a user, he still faces the same error "token

Re: [Freeipa-users] Kerberos Tickets/kinit using Cygwin on Windows

2015-01-07 Thread Sumit Bose
On Wed, Jan 07, 2015 at 01:22:36PM -0500, Brad House wrote: > I have a need to 'kinit' from within a cygwin environment in order to > perform an svn checkout over ssh. However, I can't figure out how to > get this to work properly with FreeIPA. We had a MIT kerberos/ > OpenLDAP authentication sys

Re: [Freeipa-users] How to check IPA <--> AD trust from command line

2015-01-06 Thread Sumit Bose
en.george > id: adm-ben.george: no such user > > Regards, > Ben > > On Tue, Jan 6, 2015 at 8:03 PM, Sumit Bose wrote: > > > On Tue, Jan 06, 2015 at 07:52:20PM +0300, Ben .T.George wrote: > > > Hi > > > > > > I Tried on IPA server and below is m

Re: [Freeipa-users] How to check IPA <--> AD trust from command line

2015-01-06 Thread Sumit Bose
ically the realm part is upper-case; if your user name contains upper-case letters as well, you should use them here as well; if you don't know, 'kinit -C' might be the better solution) HTH bye, Sumit > > Thanks & Regards, > Ben > > > On Tue, Jan 6, 2015 at 6:

Re: [Freeipa-users] How to check IPA <--> AD trust from command line

2015-01-06 Thread Sumit Bose
On Tue, Jan 06, 2015 at 07:19:15AM -0700, Rich Megginson wrote: > On 01/05/2015 08:35 PM, Ben .T.George wrote: > > > >Hi List, > > > >How to check IPA <-> Active Directory trust relationship. I just want to > >confirm my IPA server is working fine. > > On an IPA server or client machine: > $ kini

Re: [Freeipa-users] Certificate Authorities requirement for Cross realm trust?

2014-12-16 Thread Sumit Bose
On Tue, Dec 16, 2014 at 11:28:47AM +0200, Genadi Postrilko wrote: > In the Windows Integration guide the need for CA is mentioned. > > "Both Active Directory and Identity Management must be configured with > integrated certificate services." > > https://access.redhat.com/documentation/en-US/Red_H

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-15 Thread Sumit Bose
ch should be fixed in SSSD 1.12.2, which version of SSSD are you running on which platform? bye, Sumit > > 2014-12-15 17:03 GMT+01:00 Sumit Bose : > > > > On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote: > > > The file sssd_linux.com.log is empty. > &g

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-15 Thread Sumit Bose
On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote: > The file sssd_linux.com.log is empty. please add debug_level = 10 to the [domain/...] section in sssd.conf to enable logging for this part of SSSD. bye, Sumit > > > > 2014-12-15 15:42 GMT+01:00 Sumit Bose : >

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-15 Thread Sumit Bose
ed the sssd logs. Can you send the corresponding domain log file as well, it should be called sssd_linux.com.log or similar. bye, Sumit > > > > Regards > > 2014-12-12 21:51 GMT+01:00 Manuel Lopes : > > > > OK. > > > > Command successful > >

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-12 Thread Sumit Bose
> > > > Number of entries returned 3 > > > > > > > > As we can see in the output of the command, the range type is "ad POSIX > > attributes". > > In our case, the gidNumber is not set in

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-12 Thread Sumit Bose
ust-fetch-domains windows.com > --- > No new trust domains were found > --- > ---- > Number of entries returned 0 > > > Regards > On 11 Dec 2014 20:08, "Sumit Bose" > wrote: > > >

Re: [Freeipa-users] Forest trust and AD child domain

2014-12-11 Thread Sumit Bose
On Thu, Dec 11, 2014 at 06:45:49PM +0100, Manuel Lopes wrote: > Hello, > > > We have been following the AD integration guide for IPAv3: > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup > > > > Our setup is: > > • 2 domain controllers with Windows 2008 R2 AD DC -> windows.com >

Re: [Freeipa-users] Kerberos error: PREAUTH_FAILED: KRB5KRB_AP_ERR_BAD_INTEGRITY

2014-11-26 Thread Sumit Bose
On Wed, Nov 26, 2014 at 06:04:21PM +0100, Petr Spacek wrote: > Hello, > > Simo, do you have an idea what may be causing the problem? Maybe there is a version mismatch between the keys on the server and on the client? On the IPA server you can check with #kadmin.local > getprinc imap/zimbrafreei

Re: [Freeipa-users] Mixing local FreeIPA users with active directory users

2014-11-21 Thread Sumit Bose
On Thu, Nov 20, 2014 at 07:42:30PM -0500, Dmitri Pal wrote: > On 11/20/2014 07:38 PM, William Muriithi wrote: > >Hi guys, > > > >I am wondering how one would go about allowing both ad users and FreeIPA > >user to work in harmony. > > > >I recently was able to get FreeIPA to use trust to service un

Re: [Freeipa-users] buggered 389?

2014-11-20 Thread Sumit Bose
On Wed, Nov 19, 2014 at 09:55:51PM -0500, Richard Betel wrote: > I suddenly started getting errors when I try to use ipa-getkeytab: > > [root@ipa1 kerberize]# ipa-getkeytab -s jn01 -p hdfs/jn01 -k > jn01.hdfs.keytab > SASL Bind failed Can't contact LDAP server (-1) ! Please try to use the fully q

Re: [Freeipa-users] Possible trust issues

2014-11-11 Thread Sumit Bose
On Tue, Nov 11, 2014 at 07:52:22AM +0200, Alexander Bokovoy wrote: > On Mon, 10 Nov 2014, William Muriithi wrote: > >less /var/log/sssd/sssd_example.loc.log > > > >(Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] > >(0x0100): Marking port 389 of server 'ipa3-yyz-int.example.

Re: [Freeipa-users] Kerberos for cronjoob

2014-11-07 Thread Sumit Bose
On Thu, Nov 06, 2014 at 10:28:34PM -0500, Dmitri Pal wrote: > On 11/06/2014 08:20 PM, Thomas Lau wrote: > >Hi, > > > >Is it possible to renew ticket once in a while for cronjob to run on > >certain users? How do you guys run cronjob on Kerberos user without > >getting ticket expire? > > > >Sent fr

Re: [Freeipa-users] IPA+AD (transitive trust) - s2n exop request failed

2014-10-23 Thread Sumit Bose
On Thu, Oct 23, 2014 at 03:47:31PM +0200, crony wrote: > Hi All, > I've found another problem with my setup: > > What could be the reason of such errors on FreeIPA client side: > > /var/log/sssd/sssd_linux.acme.example.com.log:(Thu Oct 23 09:49:23 2014) > [sssd[be[linux.acme.example.com]]] [ipa_s

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-23 Thread Sumit Bose
On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote: > On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote: > > On 10/20/2014 09:15 AM, Loris Santamaria wrote: > > [...] > > > > > > > Trying to join the server to the domain (net rpc join -U domainadmin -S > > > ipaserver) fail

Re: [Freeipa-users] IPA Trust AD and Illegal cross-realm ticket

2014-10-15 Thread Sumit Bose
On Wed, Oct 15, 2014 at 04:31:55PM +0200, crony wrote: > Alex, > thank you. Now it works, but not completely: > > 1. > > [leszek@ipa1 ~]$ ssh ipatst03.linux.acme.example.com -l > us...@acme.example.com > Password: > Last login: Wed Oct 15 16:11:27 2014 > > -sh-4.1$ id > uid=127283727(us...@acme.

Re: [Freeipa-users] domain trust linux to AD server not finding user profiles

2014-10-08 Thread Sumit Bose
On Tue, Oct 07, 2014 at 08:01:48PM -0400, Dmitri Pal wrote: > On 10/07/2014 05:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network > Support) wrote: > > > >I've been following the steps outlined in section 7.3.5 of the manual > >entitled > > > >Integrating OpenShift Enterprise > > > >with Identity

Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-08 Thread Sumit Bose
On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote: > Hello. > > I am attempting to create trust between AD and IPA. > > I have deployed AD environment as follows: > > I have created domain RED.COM > Then I add new domain tree root - BLUE.COM. > > Now i would like to establish tru
