On Tue, Sep 16, 2014 at 01:39:41AM +0300, Genadi Postrilko wrote:
> Hello all !
>
> I have deployed test environment for AD trust feature, the environment
> contains :
> Windows Server 2008 - AD Server.
> RHEL 7 - IPA 3.3 Server.
> RHEL 6.2 - IPA Client.
>
> I have established the trust as IPA i
nux.intern
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = linux1.linux.intern
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa1.linux.intern
> ldap_tls_cacert = /etc/ipa/ca.crt
> use_fully_qualified_domains
On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote:
> Hi!
>
> I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
> specific user group (=ad_users which is a posix group that has an
> external group as member) to login on a specific client
> (=linux1.linux.intern).
>
On Fri, Jun 27, 2014 at 02:23:47PM -0400, Mark Gardner wrote:
> Was trying to add an external ad group to IPA, it kept failing with unable
> to connect to server.
>
> Figured I'd reboot to clear things up. Oops.
>
> Now wbinfo --online-status shows our AD as offline.
> wbinfo -u shows blank
>
>
tps://lists.fedorahosted.org/pipermail/sssd-devel/2014-June/020384.html)
I'll try to find some time early next week to test if this will help
with your use-case.
bye,
Sumit
>
> Regards,
> Johan
>
> From: Dmitri Pal [d...@redhat.com]
> Sent: Thursday, June 05, 2014
On Wed, Jun 25, 2014 at 08:36:49AM -0400, Mark Gardner wrote:
> Since this information isn't in the Web Interface.
> How do I query the ipa ldap server to prove that IPA is talking to
> our AD server in order to get identity and authorization information.
>
> Yes we know we've established a
On Wed, Jun 18, 2014 at 06:17:22PM +, Nordgren, Bryce L -FS wrote:
> Inconsistently managed AD user entries.
>
> Many accounts in my AD are posixAccounts, but I encountered one today
> (created in 2013) which had no posix information whatsoever. This crumpled my
> assumption that I could lev
On Mon, Jun 16, 2014 at 07:41:08PM +, Nordgren, Bryce L -FS wrote:
> [...talking about views...]
>
> > It's not only about AD, but use-case and examples in the design page
> > currently all refer to AD. The key is to find a unique reference to the
> > upstream object which in the AD case is ob
On Mon, Jun 16, 2014 at 12:28:09AM -0400, Dmitri Pal wrote:
> On 06/16/2014 12:20 AM, barry...@gmail.com wrote:
> >dear all:
> >
> >Is it possible to query freeipa's account password and display it in plain
> >text?
> >
> >or convert krbExtraData to plaintext, rather than reset it.
> >
> >Regards
> >
On Sat, Jun 07, 2014 at 09:21:29PM +, Nordgren, Bryce L -FS wrote:
> Dimitri, thanks for the reply! Pls forgive my lateness.
>
> I fear I am not currently up to fighting with MS Outlook to convince it to
> let me respond inline. It wants to block quote your entire message and if I
> type in
llen
> wrote:
>
> > Hi,
> > I didn't migrate the passwords. All users started with a new default on
> > IPA.
> > The new user foo doesn't exist on the AD system but can login successfully
> > using IPA credentials on a migrated system.
> >
> > >
ins.py on
> >>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
> >>> for the CLI as well.
> >>
> >>
> >> Should be automatically handled by the plugin.py wsgi handler and related
> >> logi
On Wed, Jun 04, 2014 at 12:24:11PM +, Johan Petersson wrote:
> Mail got posted before I was finished sorry.
>
> I found one clue to the issue after increasing autofs logging to debug and as
> i thought it has to do with id-mapping.
>
> From /var/log/messages:
>
> Nfsidmap[1696]: nss_getpwn
On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote:
> On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal wrote:
>
> > On 05/30/2014 05:00 PM, tizo wrote:
> >
> >
> > From: Alexander Bokovoy
> > To: Sumit Bose
> > Cc: freeipa-users redhat com
On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote:
> Hi,
> Having a particularly weird problem. We have moved from AD to freeIPA
> recently and while there have been some bumps, most of the CentOS 6.2 boxes
> make the transition successfully. Some background.
>
> The Linux boxes were joi
On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> I would like to know, if having configured trusts services between FreeIPA
> and Active Directory, allow AD users to authenticate in services that are
> only configured to authenticate against FreeIPA.
>
> For example, having configured the t
On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
> Hello,
>
> I need some help with getting Samba and FreeIPA working together.
>
> I’ve been following the guide at
> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
> that seems quite out of date for IPAv3 and I ne
10
bye,
Sumit
>
>
>
>
> On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
>
> > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > > Initially after configuring the setup I rebooted once and I was thinking
> > > that it worked
'log level' is 10 or higher,
start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
put all *winbind* and *wb* log files in a tar/zip archive and send the
archive. If you think the archive is too large for a mailing-list feel
free to send them to me directl
On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> Hi
>
> Let me start from the beginning once again. Let me explain you what steps I
> followed during the setup.
>
> I am setting up the environment in Amazon AWS, both Windows AD server and
> Linux IPA configured in EC2.
> For co
On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
> Yes DNS is working fine and is able to return the IP address of the AD
> server.
>
> [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._
> tcp.ad.idm.e
On Thu, May 15, 2014 at 11:57:46PM +0530, Supratik Goswami wrote:
> >
> > Does ipa trust-find and trust-show still show the trust relationship?
> >
>
> Yes, it is listing the AD domain.
>
> After setting the debug level to 10 I got the below message after running
> the command "wbinfo -n 'AD\Doma
upo
should show the numerical UID for the file and
id
will show yours.
HTH
bye,
Sumit
>
> Thank You,
> Rashard Kelly
> SITA Senior Linux Specialist
>
>
>
>
> From: Sumit Bose
> To: rashard.ke...@sita.aero
> Cc: Alexander Bokovoy , freeipa-u
)
(here you can send the output :-)
bye,
Sumit
>
>
> Thank You,
> Rashard Kelly
>
>
>
> From: Alexander Bokovoy
> To: rashard.ke...@sita.aero
> Cc: Sumit Bose , freeipa-users@redhat.com
> Date: 04/11/2014 09:06 AM
> Subject:Re:
cy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
>
> Thank You,
> Rashard Kelly
>
>
>
>
> From: Sumit Bose
> To: rashard.ke...@sita.aero
>
On Thu, Apr 10, 2014 at 11:55:05AM -0400, rashard.ke...@sita.aero wrote:
> I can run commands after changing the permissions on the files, but why is
> it generating files that are not world readable?
>
> [rkelly@replicahostname ~]$ ll
> total 84
> -rw-r--r-- 1 root root 2428 Apr 9 22:34
On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
> >>tevent: Destroying timer event 0x7facb82e9d30
> >>"dcerpc_connect_timeout_handler"
> >^^ stopped just short of authenticating to smbd prior to ask it for
> >informational policy ab
On Thu, Apr 03, 2014 at 02:31:55PM +, Matthew W Hanley wrote:
> I'm in the midst of setting up a trust with FreeIPA and Active Directory and
> am receiving the following error:
>
> # ipa trust-add --type=ad ad.example.com --admin 'mwhanley' --password
> Active directory domain administrator's
On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]]
> [be_resolve_server_done] (4): Found address for server
> idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon
On Mon, Mar 10, 2014 at 11:09:48PM +0100, Jitse Klomp wrote:
> On 10-03-14 22:06, Sumit Bose wrote:
> >Thank you. Maybe there is a change in return codes between MIT Kerberos
> >1.10 (Centos 6) and 1.11 (F20, RHEL7). Can you try to run
> >
> >KRB5_TRACE=/dev/stdout kini
On Mon, Mar 10, 2014 at 09:10:01PM +0100, Jitse Klomp wrote:
> On 10-03-14 20:34, Sumit Bose wrote:
> >On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> >>On 10-03-14 18:57, Sumit Bose wrote:
> >>>On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp
On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote:
> On 10-03-14 18:57, Sumit Bose wrote:
> >On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> >>On 10-03-14 17:03, Lukas Slebodnik wrote:
> >>>On (10/03/14 16:58), Lukas Slebodnik wrote:
> >
On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote:
> On 10-03-14 17:03, Lukas Slebodnik wrote:
> >On (10/03/14 16:58), Lukas Slebodnik wrote:
> >>On (10/03/14 16:35), Jitse Klomp wrote:
> >>>On 10-03-14 16:10, Lukas Slebodnik wrote:
> On (10/03/14 15:19), Jitse Klomp wrote:
> >On
On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
> Strange behavior now with our passwords (and we still haven't solved
> our problem with the "ipa" command, but at least with script, we
> have a workaround):
>
> I noticed yesterday morning that my password, which has the
> following
On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote:
> Hi,
> I wasn't able to reproduce with membership setup exactly like this. I
> have already seen similar problem once, unfortunately the user stopped
> responding before we could reach the root cause. I think it is correct
> from th
On Fri, Feb 21, 2014 at 11:17:38PM +0200, Genadi Postrilko wrote:
> I would like to clarify myself, i wasn't accurate when i compared it to :
> https://bugzilla.redhat.com/show_bug.cgi?id=878564.
>
...
>
> *But kinit with AD users failed:*
>
> [root@ipaserver1 ~]# kinit gen...@adexample.com
>
Sumit
>
> Thank you.
>
>
>
>
> 2014-02-18 11:38 GMT+02:00 Sumit Bose :
>
> > On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> > > Thank you for the help!
> > > I have performed downgrade:
> > >
> > > yum downgrade samba4*
>
On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote:
> Thank you for the help!
> I have performed downgrade:
>
> yum downgrade samba4*
>
> [root@ipaserver1 ~]# rpm -qa | grep samb
> samba4-python-4.0.0-58.el6.rc4.x86_64
> samba4-winbind-4.0.0-58.el6.rc4.x86_64
> samba4-common-4.0.0-5
On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote:
> I have seen threads where opened on trust issues:
> "AD - Freeipa trust confusion"
> "Cross domain trust"
> "Cannot loging via SSH with AD user TO IPA Domain" - which I opened.
>
> It looks like after creation of trust, TGT ticket
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote:
> Sure:
>
...
> (0x0400): Attempting kinit for realm [MIOVISION.CORP]
> (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt]
> (0x0400): TGT verified using key for
> [host/snapshot-test.miolinux.c...@miolinux.corp].
>
On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote:
> On 12.2.2014 11:32, Alexander Bokovoy wrote:
> >On Wed, 12 Feb 2014, Genadi Postrilko wrote:
> >>What about adding alias DNS record of hostname.ipa.zone.corp to all linux
> >>machines, so they will keep the old FQDM.
> >What would it gi
On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote:
> I work in environment where the AD is the DC of the windows machines ,
> while the linux machines (RHEL 5\6) are not centrally managed.
> I would like to create an IPA server to manage the linux machines while
> creating a trust wi
On Mon, Feb 10, 2014 at 10:55:33AM -0500, Steve Dainard wrote:
> I've setup RHEL 7 beta IPA with a trust to an AD domain.
>
> When I use an AD domain login it takes roughly 9-14 seconds to get to a
> shell after entering a password. Is there any way to speed this process up?
> I thought supplement
On Thu, Feb 06, 2014 at 04:31:49PM +0800, barry...@gmail.com wrote:
> Hi:
>
> I can make it show on ldap browser or the ui but finding where to add it in
> command base.
>
> ipa user-mod ---employeenumber no such parameter.
There is no specific option for employeenumber, but you can set the
at
On Wed, Feb 05, 2014 at 01:44:13PM -0500, Mark Gardner wrote:
> Okay,
>
> Spent some time on this one...
> Some users can login SSO no problem, others have to put in their password.
>
> Strange as it seems, if the length of the username was greater than 4, the
> SSO worked.
> So markg@test.local
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> Hi Everyone,
>
> I have deployed freeipa inside our production network. I want to be able to
> access the web ui so I am attempting to add it to our nginx edge machine. I
> can pass the requests upstream just fine but I am unable t
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote:
> Hi List , I want an update on this bug .
>
> https://bugzilla.samba.org/show_bug.cgi?id=9618
I just re-tested with the python script from the ticket and Samba-4.1.3
and it seems to be fixed.
HTH
bye,
Sumit
>
> Thanks
>
>
> B
On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
> On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
> > hi,
> >
> > just came across Erinn Looney-Triggs's excellent writeup on using
> > kerberos for relaying e-mail
> > (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-a
On Tue, Nov 26, 2013 at 03:07:30PM +1000, Matt Bryant wrote:
> OK so been running some tcpdumps on this issue and the weird thing is ..
>
> can see the initial sasl bind request followed by ack from ldap ...
> then nothing ldap/gssapi related until the unbind request post the
> 6s timeout period .
On Mon, Nov 25, 2013 at 09:23:22AM +1000, Matt Bryant wrote:
> All,
>
> Was wondering if anyone can help out or point us the in right
> direction. Ever since we updated from IPA v2.1 to IPA v3.0 have been
> seeing some intermittent errors when trying to change passwords etc.
> Getting the error ca
On Wed, Nov 13, 2013 at 08:19:18PM +0100, Nicklas Björk wrote:
> On 2013-11-13 20:00, Simo Sorce wrote:
> > On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote:
> >> On 2013-11-12 21:39, Simo Sorce wrote:
> >>> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
> In our environment we h
On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> Hi,
>
>
>
> We are trying to authenticate from Windows machine and getting below error.
>
>
>
>
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45:
On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote:
> On 09/27/2013 09:31 AM, Innes, Duncan wrote:
> >
> >
> >>-Original Message-
> >>From: freeipa-users-boun...@redhat.com
> >>[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Su
On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote:
> Sorry,
>
> > -Original Message-
> > From: Martin Kosek [mailto:mko...@redhat.com]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept
On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote:
> On Wed, 25 Sep 2013, Sumit Bose wrote:
> >On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> >>On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
> >>> On Tue, 24 Sep 2013, Ale
On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote:
> On 09/24/2013 04:40 PM, Alexander Bokovoy wrote:
> > On Tue, 24 Sep 2013, Alexandre Ellert wrote:
> >> Hi,
> >>
> >> I've successfully setup a testing environment with an IPA server (RHEL 6.4)
> >> and a cross realm trust with my Activ
On Tue, Sep 24, 2013 at 01:39:28PM +0400, Михаил А wrote:
> Hello.
> freeipa-server-3.3fedora19
> ipa-replica1-fedora19
> ipa-replica2 ferdora19
>
> ssh auth with windows accounts on ipa-replica1-fedora19 is OK
> ssh auth with windows accounts on ipa-replica1-fedora19 is access denied
>
>
> id
On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> Hi All,
>
> Our current account management policy requires that users change their AD
> passwords via a special portal, however I've noticed that this can be
> bypassed by issuing passwd on a Linux system while logged in with AD
> creden
On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote:
> Hello everyone,
>
> I understand this is well documented that we need to block AD from
> establishing communication to the LDAP ports, but I've never heard an
> explanation on why this is needed.
>
> Additionally, In our environment, we
On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
> First, before we go any further: is it supported to use
> sssd when the client machines domain differs from
> the realm name? If not, then the rest of this is moot.
>
> Client box is a RHEL 5.something. I didn't do "ipa-client-install"
>
On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK wrote:
> > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose wrote:
> >>
> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> >> > On Wed,
On Wed, Jul 31, 2013 at 01:57:50PM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 1:28 PM, KodaK wrote:
> > On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose wrote:
> >>
> >> On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> >> > On Wed,
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 11:09 AM, KodaK wrote:
>
> >
> >
> > On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose wrote:
> >
> > > I think that's the issue. You have to make sure that host.domain.com
On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote:
> On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose wrote:
>
> > I think that's the issue. You have to make sure that host.domain.com has
>
> > a DNS entry somewhere, it does not have to be the IPA DNS but the DNS
>
On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote:
> Ok, so, yeah -- my first question stands. This works when it falls
> back to LDAP, but it does not honor a kerberos ticket. Is there a way
> to do that in the same circumstances?
>
> Thanks again,
>
> --Jason
>
> On Tue, Jul 30, 2013 at
On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:
> Hello,
>
> I tried to login (ssh) to one (of three) freeipa systems running on CentOS
> yesterday without success.
>
> Running 'ssh root@service-2', the server would reply with a password prompt
> and then hang. I went to the s
On Tue, Jul 02, 2013 at 03:41:54PM +0300, Vitaly wrote:
> I already read
> https://www.redhat.com/archives/freeipa-users/2012-September/msg00026.html thread,
> but I am not sure I understand suggested solution.
> So my question - how I can change krbPasswordExpiration for certain account?
>
> ipa u
On Wed, Jun 26, 2013 at 12:28:57PM +0300, Vitaly wrote:
> How I should debug & fix "Decrypt integrity check failed" problem?
This typically means wrong password.
HTH
bye,
Sumit
>
> TIA,
> Vitaly
>
>
> Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7748](info): AS_REQ (12
> etypes {18 17 16
On Thu, Jun 20, 2013 at 04:04:06PM +0200, Leah Zimmermann wrote:
> On 06/19/2013 03:01 PM, Sumit Bose wrote:
> >On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote:
> >>On 06/14/2013 09:08 AM, Sumit Bose wrote:
> >>>On Thu, Jun 13, 2013 at 01:49:30P
On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote:
> On 06/14/2013 09:08 AM, Sumit Bose wrote:
> >On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> >>Hello Sumit,
> >>Hello List Members,
> >>
> >>Am 13.06.2013 09:18, sch
On Mon, Jun 17, 2013 at 10:16:19AM -0400, Aly Khimji wrote:
> Hey guys,
> So I am getting ready to hopefully roll this out for a demo in our non-prod
> environment prior to going prod is all works. The purpose of this setup is
> to allow for elevated access via AD grouping through a trust. Please s
On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote:
> Hello Sumit,
> Hello List Members,
>
> Am 13.06.2013 09:18, schrieb Sumit Bose:
> >On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> >>Am 12.06.2013 12:03, schrieb Sumit Bose:
> >
On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote:
> Am 12.06.2013 12:03, schrieb Sumit Bose:
> >On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> >>Dear List Members,
> >>
> >>I have a FreeIPA-Domain on a CentOS 6.4 machine. It is
On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote:
> Dear List Members,
>
> I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted
> relationship to an AD-Domain.
> The users of the AD-Domain can login via ssh- or console-login. Then
> they can start the gnome desktop ma
On Tue, Jun 04, 2013 at 09:40:21AM -0400, Aly Khimji wrote:
> I re-logged in this morning into the server and i see the following on the
> server
> Any thoughts?
>
> Thx again.
>
> SERVER:
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd..com) gid=59401108(
> akhi...@corpnonprd..com) group
On Mon, Jun 03, 2013 at 04:30:19PM -0400, Dmitri Pal wrote:
> On 06/03/2013 02:23 PM, Aly Khimji wrote:
> > Quick questions guys,
> >
> > can you advise if there is a particular place(s) successful and failed
> > users authentication is logged? I know from local users I can go
> > through the 389
On Mon, Jun 03, 2013 at 09:22:21PM -0400, Aly Khimji wrote:
> Hey guys,
>
> Just wanted to say thank you for all your support with everything and
> answering all my questions.
>
> Just wanted to show you something, maybe you can shed some light..
> Below is my self running the ID command on 2 dif
On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
> Hi List,
>
> I have a question - is it possible to use AD trust the way that:
> 1. All users are stored in AD
> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are
> stored in IPA?
Yes, sudo and HBAC for
On Thu, Apr 25, 2013 at 12:38:18PM +0200, Pavel Březina wrote:
> On 04/24/2013 07:20 PM, Aly Khimji wrote:
> >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd..com]]]
> >[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, )
> >[Success]
> >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.co
On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
> hi,
>
> a bit puzzled now. I have joined another 2k8r2 host to the AD domain that
> is trusted by the ipa domain.
>
> As AD\administrator I can ssh to the linux host.
>
> I create a bunch of AD users, standard members of 'Domain Use
On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
> hi,
>
> just a little 'but'.
>
> when verifying the trust (point 12
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html)
>
>
> # kinit user
> Pa
r keytabs.
bye,
Sumit
>
> Thanks!
>
> --
> groet,
> natxo
>
>
> --
> Groeten,
> natxo
>
>
> On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose wrote:
>
> > On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > >
On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> I saw there is a log in /var/log/samba/log.wb-IPA
>
> The log complains about missing keys for the spn for the hostname (not the
> fqdn, just the hostname):
>
> Connection to LDAP server failed for the 15 try!
> [2013/04/19 11:39:22
On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> hi,
>
> while following the instructions in
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>
> I run step 9:
>
> smbclient -L kdc.ipa.asenjo
On Wed, Mar 27, 2013 at 11:44:06AM +0100, Martin Kosek wrote:
> On 03/27/2013 11:36 AM, Sumit Bose wrote:
> > On Wed, Mar 27, 2013 at 10:44:53AM +0100, Martin Kosek wrote:
> >> On 03/27/2013 02:11 AM, David Redmond wrote:
> >>> Hi again,
> >>>
> >>
On Wed, Mar 27, 2013 at 10:44:53AM +0100, Martin Kosek wrote:
> On 03/27/2013 02:11 AM, David Redmond wrote:
> > Hi again,
> >
> > I've got a bit more information. I've found that I can successfully kinit on
> > the Solaris 9 clients if, on the server, I change the user's password by:
> >
> > ipa
On Tue, Mar 26, 2013 at 07:05:20PM -0400, Rob Crittenden wrote:
> David Redmond wrote:
> >Hi,
> >
> >I've setup FreeIPA for the first time and am using it successfully with
> >Linux and Solaris 10 clients. On 8 separate Solaris 9 clients I'm
> >running into an issue where 'kinit USER', for any user
On Fri, Mar 15, 2013 at 10:03:04PM -0400, Dmitri Pal wrote:
> On 03/15/2013 08:59 AM, Dale Macartney wrote:
> >
> > Any ideas what KDC returned error string: HANDLE_AUTHDATA means?
> >
>
> Sumit, can it be that the SSSD plugin into the SSH that processes MSPACs
> is not working properly?
ah, sorr
On Fri, Mar 15, 2013 at 09:38:04AM +, Dale Macartney wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Morning all
>
> I have setup the domain trust set up and have errors when trying to map
> groups from AD to IPA
>
> Environment is IPA 3.0 on RHEL 6.4 and Windows 2012
>
> Wh
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote:
> It definitely wasn't a policy problem. I couldn't even use ipa passwd as
> admin from the command line, there was a connection error. The upgrade meant
> my IPA server was straight borked. The solution? Revert to a previous
> snapsho
On Tue, Feb 19, 2013 at 03:29:03PM -0700, ninib...@worldd.org wrote:
>
>
> ?
> ?
> Actually
> i'd like to take that back now, it works fine when running kpasswd, but if
> user password is expired when SSH to client, during the reset it only
> tried UDP same if issuing passwd command as well.
Bo
On Mon, Feb 18, 2013 at 09:02:13PM -0800, Brian Cook wrote:
> This fixed in. That makes perfect sense, but nothing in the log made me
> think that this was the problem.
>
> There was an auth_to_local rule setup, which I saved, which did not work. Is
> this a bug that we need to open a ticket f
On Thu, Feb 07, 2013 at 01:12:03PM -0800, Brian Cook wrote:
> I know that syncing w/ AD has a limitation to one domain, or multiple but
> only if there are no overlapping accounts in the AD domains.
>
> Does the current AD trust implementation allow multiple domains, and does it
> have the same
On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote:
> On 01/20/2013 05:01 AM, MaSch wrote:
> > On 1/19/13 8:16 PM, Dmitri Pal wrote:
> >> What is the situation with the time on that box?
> >> Was the time and time zone set correctly?
> >> Is it a VM?
> >> Can it be that the time drifted in
On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote:
> I just had a long and fruitful debugging session with Sumit and this is
> what we discovered.
Thank you for your patience and help to debug this issue.
>
> The default settings do run fine for linux machines but for windows hosts
> t
On Mon, Jan 07, 2013 at 09:56:42AM +0100, Han Boetes wrote:
> There was something going on with a firewall blocking something and that
> windows host didn't have a cert yet. But still:
>
> Using Kerberos authentication
> Using principal fh@REALM
> Got host ticket host/test-server-ipa.domain@REALM
On Mon, Jan 07, 2013 at 09:15:41AM +0100, Han Boetes wrote:
> On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose wrote:
>
> > About delegating credentials, you might need to set the ok_as_delegate
> > flag on the host/* service ticket. To do this you can call kadmin.local
> > on
FILE:/tmp/krb5cc_1554800011_JDgpIu5465
> Default principal: fh@REALM
>
> Valid starting     Expires            Service principal
> 01/04/13 14:52:49  01/05/13 14:52:49  krbtgt/REALM@REALM
> [fh@test-server-ipa ~]$
>
> That's does provide a valid ticket but not a passw
On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote:
> You are absolutely right; the credentials aren't forwarded.
>
> I have enabled the option "allow gssapi credential delegation". So one
> would expect that it should work.
>
> I just installed the mit kerberos tools and I can see all th
On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> Hi
>
> What permission level is needed for the AD user when creating an AD trust?
> Can a regular domain user account do it, or is a domain admin needed?
The account used here must be a member of the Domain Admins group.
>
> If