Re: [Freeipa-users] sudo su without password

2017-03-04 Thread deepak dimri
Never mind, i got this working after i added /usr/bin/sudo <https://ipa.map.mandiant.com/ipa/ui/#/usr/bin/sudo> On Sat, Mar 4, 2017 at 8:24 PM, deepak dimri <deepak.dimri2...@gmail.com> wrote: > Hi All, > > In my IPA i have users authenticating using key + token and want

[Freeipa-users] sudo su without password

2017-03-04 Thread deepak dimri
Hi All, In my IPA i have users authenticating using key + token and want to admin to switch to root without being prompted for the password. How can i do that in IPA? This is what i have tried - created a test user in IPA and did not give any password for this test user. I also have sudo rule

Re: [Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Thanks for your response! Regards, Deepak On Thu, Mar 2, 2017 at 8:40 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote: > > Hi List, > > > > I have sudo and normal users accessing linux systems using their pri

[Freeipa-users] Local users migration into IPA

2017-03-02 Thread deepak dimri
Hello All, I have whole bunch of linux users that i want to migrate to IPA. All these users uses their ssh private keys (no passwords) to login into the linux system. What steps i should be following to migrate existing linux users seamlessly to IPA server? since the passwords are not involved i

[Freeipa-users] Switch sudoers to IPA

2017-03-02 Thread deepak dimri
Hi List, I have sudo and normal users accessing linux systems using their private key without IPA. I have IPA fully functioning and now i want to switch the users from local file login to IPA. Any new user i create in IPA can SSH into ipa client jump boxes fine. I want to know how i can migrate

[Freeipa-users] VERSION: 4.4.0, IPA Replica DOES NOT Work

2017-02-04 Thread deepak dimri
I am wondering, does IPA Replica as standalone without IPA Master being up work for you guys? Mine and my colleague's IPA setup in our own Dev environment with VERSION: 4.2 works perfectly fine, but now when we are moving to staging env we are getting IPA version VERSION: 4.4.0, API_VERSION: 2.213

[Freeipa-users] IPA replica setup for version 4.4

2017-02-04 Thread deepak dimri
I am trying to install ipa replica but getting below error when running ipa-replica-install i am following below link for ipa 4.4: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html Run

Re: [Freeipa-users] FreeIPA installation on centos 7

2017-02-03 Thread deepak dimri
Thanks Rob Is there a place/link i can download the release for centos 7? ~Amit On Fri, Feb 3, 2017 at 3:03 PM, Rob Crittenden wrote: > amit bhatt wrote: > >> My QA development setup is running with IPA VERSION: 4.2.0 on centos 7 >> and I want to install the same version

Re: [Freeipa-users] Gateway_timeout Error

2017-02-02 Thread deepak dimri
2, 2017 at 10:12 AM, deepak dimri <deepak.dimri2...@gmail.com> wrote: > Hey Martin, > > > Is gateway error has anything to do with --no-wait-for-dns flag that i > used when i created the replica image? i have another test IPA setup > working fine in the same env and t

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
, Feb 1, 2017 at 10:52 PM, deepak dimri <deepak.dimri2...@gmail.com> wrote: > sorry for not replying to all! > > I have apache reverse proxy front ending the ipa servers. As i mentioned > if i try hitting ipa replica WebUI directly then i do get the objects > loaded on the

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
04:26 PM, deepak dimri wrote: > >> Yes, Martin - i do see requests hitting >> replica.. /var/log/httpd/error_log shows: >> >> [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO: >> ad...@xxx.xyz.com <mailto:ad...@xxx.xyz.com>: batch: >> host

[Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Hi All, I have two IPA servers - primary and secondary running. the secondary ipa server is installed using ipa replica image of primary. While doing the testing i realised that when i manually shut down my primary ipa server making my secondary server to serve the UI. And now when i try to

Re: [Freeipa-users] Unable to uninstall and re-install ipa client on Ubuntu 14.04

2017-01-29 Thread deepak dimri
=TEST.REALM.com -w --hostname= foo.test.com --unattended --no-ntp Would really appreciate if some one can help resolve the issue i have facing.. Thanks, Deepak On Sat, Jan 28, 2017 at 7:44 PM, Deepak Dimri <deepak_di...@hotmail.com> wrote: > Hi All, > > > I am trying to re-

[Freeipa-users] Unable to uninstall and re-install ipa client on Ubuntu 14.04

2017-01-28 Thread Deepak Dimri
Hi All, I am trying to re-install ipa-client on ubuntu 14.04 but its not getting completed cleanly. Getting below errors when trying to uninstall ipa client: ipa-client-install --uninstall -U root: ERRORdbus failed to start: Command '/usr/sbin/service dbus start ' returned

[Freeipa-users] IPA Server & LDAP Replication Monitoring

2016-12-09 Thread Deepak Dimri
Hi All, Has anyone worked on IPA server integration with collectd for its and LDAP replication? I am a newbie to collectd and still exploring its plug-ins option. Would be thankful if someone can share some insight on it. Thanks, Deepak

Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
Hi Jan, sorry to ask but where exactly i can modify the referer with RequestHeader on IPA Server? Many Thanks, Deepak From: Jan Pazdziora <jpazdzi...@redhat.com> Sent: Monday, November 28, 2016 8:09 AM To: Deepak Dimri Cc: deepak dimri; freeipa

Re: [Freeipa-users] IPA rewrite conf

2016-11-28 Thread Deepak Dimri
? Regards, Deepak From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Jan Pazdziora <jpazdzi...@redhat.com> Sent: Monday, November 28, 2016 3:04 AM To: deepak dimri Cc: freeipa-users@redhat.com Subject: Re: [Freeip

Re: [Freeipa-users] URL is changing on the browser

2016-11-27 Thread Deepak Dimri
Adding Jan into the email thread. Hopefully Jan can help too Best Regards, Deepak From: Deepak Dimri <deepak_di...@hotmail.com> Sent: Sunday, November 27, 2016 8:08 PM To: Chris Dagdigian Subject: Re: [Freeipa-users] URL is changing on the browser

[Freeipa-users] IPA rewrite conf with AWS ELB

2016-11-27 Thread Deepak Dimri
Hi All, I am posting my issue here with an hope that i get a response. I have AWS ELB configured to connect to FreeIPA servers on Ubuntu. My FreeIPA servers are in private subnets. I am able to access my test index.html page deployed on the FreeIPA server by hitting https:///index.html.

[Freeipa-users] IPA rewrite conf

2016-11-26 Thread deepak dimri
Hi All, I am posting my issue here with an hope that i get a response. I have WS ELB configured to connect to FreeIPA servers on Ubuntu. My FreeIPA servers are in private subnets. I am able to access my test index.html page deployed on the FreeIPA server by hitting https:///index.html. However

[Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-26 Thread deepak dimri
Hi All, I want to configure Apache reverse proxy to load balance/failover between two IPA servers. I have referred *https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name * to configure reverse proxy and

Re: [Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Got it working, after uninstalling and reinstalling the replica. Not sure why it did not work at the first place... On Fri, Nov 18, 2016 at 7:15 PM, deepak dimri <deepak.dimri2...@gmail.com> wrote: > Hello All, > > I have IPA Master deployed in AWS US West region and replica in U

[Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Hello All, I have IPA Master deployed in AWS US West region and replica in US East region. The replication installation went successfully however when i am trying to access the replication web UI (after making proxypass changes etc..) i am getting Error. I have ProxyPassReverseCookieDomain set

Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread Deepak Dimri
"IPA redirects to it's > internal FQDN" problem as well. Now that this appears to be a somewhat simple > tweak to the httpd.conf type files I may start playing around with putting > private IPA systems behind a private AWS load balancer > > Chris > > > > De

Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread Deepak Dimri
> >> On Mon, Nov 14, 2016 at 08:49:34AM +0100, Martin Basti wrote: >>> On 13.11.2016 16:33, Deepak Dimri wrote: >>> >>> I have my IPA servers hosted in the AWS private subnets and i can access >>> them using AWS elb URL from public internet just fine. T

Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread deepak dimri
Regards, Deepak On Mon, Nov 14, 2016 at 1:19 PM, Martin Basti <mba...@redhat.com> wrote: > > > On 13.11.2016 16:33, Deepak Dimri wrote: > > Hi All, > > > I have my IPA servers hosted in the AWS private subnets and i can access > them using AWS elb URL from public

[Freeipa-users] IPA UI not accessible behind the load blancer

2016-11-13 Thread deepak dimri
Hi All, I have my IPA servers hosted in the AWS private subnets and i can access them using AWS elastic load balancer(elb) URL from public internet just fine. The problem is that when i enter https:///index.htl (dummy index.html hosted on IPA) i can access index.html just fine but when i try

[Freeipa-users] IPA UI not working behind Load Balancer

2016-11-13 Thread Deepak Dimri
Hi All, I have my IPA servers hosted in the AWS private subnets and i can access them using AWS elb URL from public internet just fine. The problem is that when i enter https:///index.htl (dummy index.html hosted on IPA) i can access index.html just fine but when i try https:///ipa/ui then

[Freeipa-users] URL is changing on the browser

2016-11-13 Thread Deepak Dimri
Hi All, I have my IPA servers hosted in the AWS private subnets and i can access them using AWS elb URL from public internet just fine. The problem is that when i enter https:///index.htl (dummy index.html hosted on IPA) i can access index.html just fine but when i try https:///ipa/ui then

[Freeipa-users] Getting Minimum SSF not met.

2016-10-20 Thread Deepak Dimri
Hi All, I wanted to enable secure LDAP connection on freeIPA but alas after changing cn=config nsslapd-minssf from 0 to 128 i am getting below error: ipactl restart Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: Server is unwilling to

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
uesday, October 18, 2016 8:40 AM To: Deepak Dimri; Martin Babinsky; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7 On 18.10.2016 13:52, Deepak Dimri wrote: Thanks Martin, I had to run ipa-server-install --uninstall -U to get rid of IPA

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Deepak Dimri
Monday, October 17, 2016 1:29 AM To: Deepak Dimri; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7 On 10/15/2016 12:41 PM, Deepak Dimri wrote: > Thanks Martin for the reply. > > when i try 'ipa-client-install --unins

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-15 Thread Deepak Dimri
tried ipa domainlevel-set 1 but i am getting ipa: ERROR: unknown command 'domainlevel-set' Thanks again for your help on this. Best Regards, Deepak From: Martin Basti <mba...@redhat.com> Sent: Saturday, October 15, 2016 4:54 AM To: Deepak Dimri; freeipa

[Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-14 Thread Deepak Dimri
Hi All, I am trying to configure replication between two FreeIPA centos 7 servers. As per the document i need same FreeIPA version running on both the machines, which i have, and run ipa-replica-prepare on the master and then simply run ipa-replica-install on the replica server along with

Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-13 Thread Deepak Dimri
dont find any good response to this issue either.. Thanks Much, Deepak From: Alexander Bokovoy <aboko...@redhat.com> Sent: Wednesday, October 12, 2016 1:40 PM To: Deepak Dimri Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] FreeIPA Server instal

[Freeipa-users] FreeIPA Server installation on unbuntu 14.0

2016-10-12 Thread Deepak Dimri
Hi All, I am trying to install freeIPA server on ubuntu 14.0 but i am getting Error "Unable to locate package freeipa-server" below is what i am trying: apt-get install freeipa-server -y Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to

Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

2016-10-06 Thread Deepak Dimri
oun...@redhat.com> on behalf of Petr Spacek <pspa...@redhat.com> Sent: Thursday, October 6, 2016 3:33 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud On 5.10.2016 11:16, Deepak Dimri wrote: > Hi All, > >

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-29 Thread Deepak Dimri
Thanks, Florence It works now.. my /etc/sssd/sssd.conf was missing with sudo service.. adding below line fixed the issue services = nss, sudo, pam, ssh" Many Thanks Again! Best Regards, Deepak From: freeipa-users-boun...@redhat.com

[Freeipa-users] Sudo Rule not working

2016-09-29 Thread Deepak Dimri
Hi All, I have added sudo rule having allowed command for sudo su for a test user. When i login with this test user to my IPA client (ubuntu). I am getting a message that "the user is not in the sudoers file. This incident will be reported." and it works fine if i add the user to sudoers

[Freeipa-users] SSH key based login for the users

2016-09-26 Thread Deepak Dimri
Hi All, Can i have my IPA server pre-configured with RSA and public key authentication enabled (passwordauthentication no) for its users and at the same time have users to automatically register with their ssh key pair during first time login process so that they can login with the keys? i am

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
tember 23, 2016 3:25 AM To: Deepak Dimri Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working On Fri, 23 Sep 2016, Deepak Dimri wrote: > >Hi All, > > >I am trying hard to get my 2FA working with FreeIPA but every effort of >mine goin

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
ps i should be following to make it work assuming i am trying on centos or fedora regards, Deepak From: Alexander Bokovoy <aboko...@redhat.com> Sent: Friday, September 23, 2016 3:25 AM To: Deepak Dimri Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
Hi All, I am trying hard to get my 2FA working with FreeIPA but every effort of mine going waste! I have referred earlier forum emails but could not find any good reply on the issue i am facing. This is what i am trying I have a test user created in my IPA server enabled with Two factor

[Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-22 Thread Deepak Dimri
Hi All, I am trying hard to get my 2FA working with FreeIPA but every effort of mine going waste! I have referred earlier forum emails but could not find any good reply on the issue i am facing. This is what i am trying I have a test user created in my IPA server enabled with Two factor

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com > From: tjaal...@ubuntu.com > Date: Wed, 21 Sep 2016 14:40:17 +0300 > > On 21.09.2016 11:34, Deepak Dimri wrote: > > Thanks Timo, > > > > The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"

Re: [Freeipa-users] 2FA using FreeIPA

2016-09-21 Thread Deepak Dimri
i, 16 Sep 2016 10:43:26 +0200 > From: lsleb...@redhat.com > To: deepak_di...@hotmail.com > CC: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] 2FA using FreeIPA > > On (13/09/16 03:49), Deepak Dimri wrote: > >Hi All, > >I have below lines added to my ssh

Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
again, Deepak > Subject: Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04 > To: deepak_di...@hotmail.com; freeipa-users@redhat.com > From: tjaal...@ubuntu.com > Date: Wed, 21 Sep 2016 10:26:41 +0300 > > On 21.09.2016 09:41, Deepak Dimri wrote: > > Hi

[Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Deepak Dimri
Hi All, I am trying to install freeipa client on my ubuntu client via ansible script. I have "apt-get update" and "apt-get install freeipa-client -y" these basic commands added in my playbook but the problem is when i run "apt-get install freeipa-client" with or without -y option it opens up

[Freeipa-users] IPA Server is not coming backup

2016-09-20 Thread Deepak Dimri
Hi All, My IPA Server was working all fine until i tried restarting it using "ipactl restart" and now i am ended with these errors :( [root@ip-172-31-25-165 plugins]# ipactl restartStarting Directory ServiceRestarting krb5kdc ServiceRestarting kadmin ServiceStarting named ServiceJob

[Freeipa-users] IPA Server is not coming backup

2016-09-20 Thread Deepak Dimri
Hi All, My IPA Server was working all fine until i tried restarting it using "ipactl restart" and now i am ended with these errors :( [root@ip-172-31-25-165 plugins]# ipactl restartStarting Directory ServiceRestarting krb5kdc ServiceRestarting kadmin ServiceStarting named ServiceJob

Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Deepak Dimri
Thank You Flo This helped!!! Best regards, Deepak > Subject: Re: [Freeipa-users] Want to extend schema for ipahost > To: deepak_di...@hotmail.com; freeipa-users@redhat.com > From: f...@redhat.com > Date: Mon, 19 Sep 2016 13:41:00 +0200 > > On 09/19/2016 01:31 PM, Deepak Dimri

[Freeipa-users] 2FA using FreeIPA

2016-09-13 Thread Deepak Dimri
Hi All, I have below lines added to my sshd_config file for testuser. Match User testuser AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam I have OTP enable for tapuser in IPA and i am able to login to GUI using the password + OTP. However when i try

Re: [Freeipa-users] General query regarding nameserver enrtry

2016-09-07 Thread Deepak Dimri
enrtry To: deepak_di...@hotmail.com; freeipa-users@redhat.com From: mba...@redhat.com Date: Mon, 5 Sep 2016 09:12:08 +0200 On 02.09.2016 20:06, Deepak Dimri wrote: Hi All, My ipa-client-install fails until

[Freeipa-users] General query regarding nameserver enrtry

2016-09-02 Thread Deepak Dimri
Hi All, My ipa-client-install fails until etc/resolve.conf gets updated with IPA nameserver entry. I want to avoid a task of updating resolve.conf in my automation script. Is there a way i can get my IPA client installation successful without updating resolve.conf? what options do i have?

Re: [Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Syntax Error(-5) To: deepak_di...@hotmail.com; freeipa-users@redhat.com From: mba...@redhat.com Date: Wed, 31 Aug 2016 12:06:02 +0200 On 31.08.2016 11:49, Deepak Dimri wrote: Hi All, I am

[Freeipa-users] Getting ACL Syntax Error(-5)

2016-08-31 Thread Deepak Dimri
Hi All, I am getting ACL Syntax Error(-5) when trying to add ACI to my freeIPA server. Any idea why I am getting this error? This is the error I am getting: ldap_modify: Invalid syntax (21) additional info: ACL Syntax

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
an member attribute other than AWS EC2 instance name... Best Regards, Deepak > Date: Tue, 30 Aug 2016 18:36:21 +0300 > From: aboko...@redhat.com > To: deepak_di...@hotmail.com > CC: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Permission not working as expected > >

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
Permission not working as expected > > On Tue, 30 Aug 2016, Deepak Dimri wrote: > >Hi Alexander, > >i did try adding the "member" effective attribute in GUI and also from > >the command prompt But the error is not going away when i try to delete > >the host

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Permission not working as expected > > On Tue, 30 Aug 2016, Deepak Dimri wrote: > >I did try the exact steps from the blog but alas still it did not work. > >getting same error :( > I don't give rights to write to 'memb

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
om > CC: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Permission not working as expected > > On Tue, 30 Aug 2016, Deepak Dimri wrote: > >I did try the exact steps from the blog but alas still it did not work. > >getting same error :( > I don't give rights to

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
=compute,dc=amazonaws,dc=com'. Regards, Deepak > Date: Tue, 30 Aug 2016 13:04:07 +0300 > From: aboko...@redhat.com > To: deepak_di...@hotmail.com > CC: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Permission not working as expected > > On Tue, 30 Aug 2016, Deep

Re: [Freeipa-users] Permission not working as expected

2016-08-30 Thread Deepak Dimri
> Subject: Re: [Freeipa-users] Permission not working as expected > > On Tue, 30 Aug 2016, Alexander Bokovoy wrote: > >On Mon, 29 Aug 2016, Deepak Dimri wrote: > >>Hi All, > >>I have created below permission for my "testhostgroup" with the > >>e

[Freeipa-users] Permission not working as expected

2016-08-29 Thread Deepak Dimri
Hi All, I have created below permission for my "testhostgroup" with the expectation that this permission will only allow write permission to the members of "testhostgroup" but, then it allows me to add/delete other hostgroup members as well. I tried changing the effective attribute to

Re: [Freeipa-users] Delegated Administration in IPA

2016-08-29 Thread Deepak Dimri
are part of the hostgroup Thanks in advance Best Regards, Deepak > Date: Mon, 8 Aug 2016 11:54:23 +0300 > From: aboko...@redhat.com > To: deepak_di...@hotmail.com > CC: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Delegated Administration in IPA > > On Mon, 08 Aug 2016, Deepa

[Freeipa-users] Delegated administration use case

2016-08-29 Thread Deepak Dimri
My IPA server has bunch of IPA-clients registered with it, i have done department/product wise grouping of my ipa clients and users. Example: for business unit1 (BU1) i have "BU1UserGroup" and "BU1HostGroup" similarly for BU2 its "BU2UserGroup" & "BU2HostGroup". Now i want to have department

[Freeipa-users] Admin password no more working

2016-08-18 Thread Deepak Dimri
Hi All, While trying to automate IPA client registration programmatically, I seem to have made my admin password out of sync between KDC and /etc/krb5.keytab. Now when I try to log in to the IPA GUI via admin I am getting "The password or username is incorrect" - though I am trying with the

[Freeipa-users] Ansible Playbook

2016-08-16 Thread Deepak Dimri
Hi All, I am looking to write ansible playbook to automatically register my EC2 instances as freeIPA clients to my IPA Server and then add the client(s) to a particular hostgroup based on EC2 tag value. For example EC2 tag key value= prod will add the client to prod hostgroup. I am wondering if

[Freeipa-users] 2FA with Sudo not working

2016-08-12 Thread Deepak Dimri
Hi All, I have 2FA (Password +OTP) enabled for a user in freeIPA console. I am able to SSH into my Linux system using Google Authenticator + SSH key but when i do sudo su i am getting into below loop even when i am entering valid credential: -sh-4.2$ sudo su First Factor: Sorry, try

[Freeipa-users] key+OTP to SSH into publicly exposed redHat instances

2016-08-11 Thread Deepak Dimri
Hi All, I want to protect my publicly exposed AWS EC2 instances with SSH key and OTP. I have my freeIPA v4 all up and running. I am able to SSH in to my IPA clients with my private key however i want to include OTP into this login process. I have enabled OTP for one test user in my FreeIPA and

Re: [Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
nd the schema with CLI tools (ldapmodify) as indicated in the > presentation that Martin Basti shared. > > Martin > > On 08/09/2016 11:06 AM, Deepak Dimri wrote: > > Thanks Martin, This helps! > > > > i also like this > > link > > https://access.redhat.

Re: [Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
its given in this document Regards, Deepak Subject: Re: [Freeipa-users] FreeIPA LDAP Directory Extenion To: deepak_di...@hotmail.com; freeipa-users@redhat.com From: mba...@redhat.com Date: Tue, 9 Aug 2016 10:15:47 +0200 On 09.08.2016 10:08, Deepak Dimri

[Freeipa-users] FreeIPA LDAP Directory Extenion

2016-08-09 Thread Deepak Dimri
Hi All, I want to extend my FreeIPA Directory Scheme - want to add a new ObjectClass and add few attributes to existing person ObjectClass. I see lot of places it is mentioned i can do it through 389-console command but i dont find it in my freeIPA server. I am getting ObjectClass not found

[Freeipa-users] Delegated Administration in IPA

2016-08-08 Thread Deepak Dimri
Hi List, I want some help here! i have 100 of linux servers and ec2 instances used by various teams/departments. I want to have group wise clubbing of these servers so that i can delegate administration access to manager of that particular group. For example lets say out of those 100