Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread David Kupka
On 29/06/16 19:05, Roderick Johnstone wrote: Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks Roderick Johnstone

[Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev
Hi, The Directory Services crashes several times a day. It's installed on CentOS 7 VM : Installed Packages Name: ipa-server Arch: x86_64 Version : 4.2.0 # ipactl status Directory Service: STOPPED krb5kdc Service: RUNNING kadmin Service: RUNNING ipa_memcached Service: RUNNI

Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Jan Pazdziora
On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote: > Hello Folks. > > I am stuck at this task integrating spacewalk freeipa authorization. > > I have followed this docs from spacewalk to enable web authentication with > FreeIPA: > > https://fedorahosted.org/spacewalk/wiki/SpacewalkAn

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-30 Thread Tomasz Torcz
On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote: > Tomasz Torcz wrote: > > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote: > > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] > > > > > > CertificateOperationError: Certificate operation cannot be

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
can you get a core file ? http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes On 06/30/2016 11:28 AM, d...@mdfive.dz wrote: Hi, The Directory Services crashes several times a day. It's installed on CentOS 7 VM : Installed Packages Name: ipa-server Arch: x86_64 Versi

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev
Hi, There is no 389-ds-base-debuginfo in repos # yum search debug-info | sort | head 0install-debuginfo.x86_64 : Debug information for package 0install 2048-cli-debuginfo.x86_64 : Debug information for package 2048-cli 389-admin-debuginfo.x86_64 : Debug information for package 389-admin 389-adm

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev
Ok, for CentOS 7 I installed it with: yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo I'll be back since I get core file Regards On 2016-06-30 12:34, d...@mdfive.dz wrote: Hi, There is no 389-ds-base-debuginfo in repos # yum search debug-info | sort | head 0install-debugin

[Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
Hello, What would be the most appropriate way to create a search account so that a third party tool (wildfly) can use it to search the ipa domain for credentials ? Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Tomasz Torcz
On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote: > Hello, > > > What would be the most appropriate way to create a search account so that a > third party tool (wildfly) can use it to search the ipa domain for > credentials ? I guess http://www.freeipa.org/page/HowTo/LDAP#System_Ac

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread dev
Hi, Please find strace on a core file : http://pastebin.com/v9cUzau4 Regards On 2016-06-30 12:13, Ludwig Krispenz wrote: can you get a core file ? http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes On 06/30/2016 11:28 AM, d...@mdfive.dz wrote: Hi, The Directory Services crashes

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Natxo Asenjo
hi Rob, On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn wrote: > Hello, > > > What would be the most appropriate way to create a search account so that > a third party tool (wildfly) can use it to search the ipa domain for > credentials ? > I just create a normal account. We rotate passwords on a

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
On 06/30/2016 02:27 PM, d...@mdfive.dz wrote: Hi, Please find strace on a core file : http://pastebin.com/v9cUzau4 the crash is in an IPA plugin, ipa_pwd_extop, to get a better stack you would have to install also the debuginfo for ipa-server. and then someone familiar with this plugin shoul

[Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread tstorai.ext
Hello, We are using FreeIPAv3 with SSSD with Hortonworks Cluster : - ipa-admintools-3.0.0-47 - ipa-client-3.0.0-47 - sssd-ipa-1.11.6-30 According with the following documentation, our users are automatically authenticated to Kerberos at every login : https://www.fr

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-06-30 Thread Clough, Ryan
I too ran into this issue of certificate serial mismatch. Just wanted to shoot a note thanking the two of you for helping. Your questions and answers were very well articulated and very detailed. I used the info in this thread to get my replica installed. Thank you! =)

[Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Hi, I upgraded from Fedora 22 to 23 and now I am working with IPA 4.2. When I want to start IPA with ipactl start I run into the situation where starting pki-tomcat takes a long time and ipactl aborts the starting process and shuts down services. So IPA doesn't start. ipactl start: Starting Directory Servi

Re: [Freeipa-users] Freeipa and spacewalk integration.

2016-06-30 Thread Danila Ladner
Thank you for reaching out. The problem has been fixed. I have forgotten to restart tomcat6 to disable tomcat auth. User error!!! On Thu, Jun 30, 2016 at 6:09 AM, Jan Pazdziora wrote: > On Wed, Jun 29, 2016 at 03:33:34PM -0400, Danila Ladner wrote: > > Hello Folks. > > > > I am stuck at this tas

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: On 06/30/2016 02:27 PM, d...@mdfive.dz wrote: Hi, Please find strace on a core file : http://pastebin.com/v9cUzau4 the crash is in an IPA plugin, ipa_pwd_extop, to get a better stack you would have to install also the debuginfo for ipa-server.

Re: [Freeipa-users] How to unset a user's kerberos principal expiration date?

2016-06-30 Thread Rob Crittenden
David Kupka wrote: On 29/06/16 19:05, Roderick Johnstone wrote: Hi If I set a kerberos principal for a user to expire on a given date using: ipa user-mod --principal-expiration=DATE is it possible to later remove this expiration date rather than just set it to a time far in the future? Thanks

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
Here are some more infos. journal -xe tells me some error: INFO: Initializing ProtocolHandler ["http-bio-8443"] Error: SSL cipher "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" not recognized by tomcatjss Error: SSL cipher "T

Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Rob Crittenden
Joanna Delaporte wrote: I am migrating an NIS domain to IPA. I have attempted to follow the instructions for NIS account crypted password migration, but I haven't yet successfully used password authentication to log in to r

[Freeipa-users] AES reverse encryption plugin on userPassword attribute

2016-06-30 Thread opensauce .
Hi All, I need to store user passwords with reverse encryption for an application. I know the AES plugin is enabled and available : # AES, Password Storage Schemes, plugins, config dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config cn: AES nsslapd-pluginDescription: AES storage scheme p

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Tomasz Torcz
On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: > Hi, > > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > > When i want to start IPA with ipactl start i run into the situation > starting pki-tomcat take a long time and ipactl aborts the starting > process and s

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Sumit Bose
On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote: > Hello, > > We are using FreeIPAv3 with SSSD with Hortonworks Cluster : > > - ipa-admintools-3.0.0-47 > > - ipa-client-3.0.0-47 > > - sssd-ipa-1.11.6-30 > > > According with the following docum

Re: [Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread Sumit Bose
On Thu, Jun 30, 2016 at 08:54:16AM +0200, bahan w wrote: > Hello ! > > I'm using freeipa 3.0.0-47. > > I send you this mail concerning the automatic kinit at ssh login ? I wanted > to know if it was possible to deactivate it on a specific server ? > > The reason is that I have some of my users w

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Andreas Ladanyi
> > org.apache.catalina.startup.ClassLoaderFactory validateFile > WARNING: Problem with JAR file > [/var/lib/pki/pki-tomcat/lib/tomcat-servlet-3.0-api.jar], exists: > [false], canRead: [false] > org.apache.catalina.startup.ClassLoaderFactory validateFile > roblem with JAR file > [/var/lib/pki/pki-t

[Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Danila Ladner
Hello folks. What are the best practices on enrolling existing hosts in infrastructure into FreeIPA What do we do with local users which are present on the hosts and overlap with users in FreeIPA, should we remove local users? What happens to the files, directories owned by them? Is it usually a ma

Re: [Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Simo Sorce
On Thu, 2016-06-30 at 10:32 -0400, Danila Ladner wrote: > Hello folks. > What are the best practices on enrolling existing hosts in infrastructure > into FreeIPA > What do we do with local users which are present on the hosts and overlap > with users in FreeIPA, should we remove local users? What h

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Rob Verduijn
thanx 2016-06-30 13:59 GMT+02:00 Tomasz Torcz : > On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote: > > Hello, > > > > > > What would be the most appropriate way to create a search account so > that a > > third party tool (wildfly) can use it to search the ipa domain for > > credentia

[Freeipa-users] how to make fIPA stick to only...

2016-06-30 Thread lejeczek
... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L.

Re: [Freeipa-users] Where should the CA Location

2016-06-30 Thread Florence Blanc-Renaud
Hi, it looks like the NSS db for slapd-ABX-com does not contain the full cert chain. You can run certutil -L -d /etc/dirsv/slapd-ABX-com and check if there is a certificate for your issuer, and if it has the C,, flags at least. For instance, in my setup I am using ca2/server certificate for

[Freeipa-users] Fwd: How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Joanna Delaporte
My first time posting. I didn't realize I needed to reply-all to include the group. Oops! -- Forwarded message -- From: Joanna Delaporte Date: Thu, Jun 30, 2016 at 10:21 AM Subject: Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords To: Rob Crittenden Hi Rob

[Freeipa-users] SRV records?

2016-06-30 Thread Christophe TREFOIS
Hi, I am getting a bit confused about what is possible / advised to do and how to set up SRV records for our existing setup. Currently, it looks like this: ipa1.domain.ltd ipa2.domain.ltd ipa3.domain.ltd I believe the installed domain and realm is domain.ltd (we added some other realm domains l

Re: [Freeipa-users] How to reisnatll the ca or the dogtag system

2016-06-30 Thread Florence Blanc-Renaud
Hi, the message "LDAP Server Down" seems to indicate that the LDAP server is not started. You can restart it using: systemctl restart dirsrv@REALM.service Flo. On 06/29/2016 03:58 AM, Barry wrote: Hi: Errors occur ...cert ni problem ..seem ca error and cannot tract cert. thx ipa-replica-pr

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Lukas Slebodnik
On (30/06/16 15:38), Sumit Bose wrote: >On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote: >> Hello, >> >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster : >> >> - ipa-admintools-3.0.0-47 >> >> - ipa-client-3.0.0-47 >> >> - sssd-ipa-1.1

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Simo Sorce
On Thu, 2016-06-30 at 18:16 +0200, Lukas Slebodnik wrote: > On (30/06/16 15:38), Sumit Bose wrote: > >On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote: > >> Hello, > >> > >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster : > >> > >> - ipa-admintools-3.0.0

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Jakub Hrozek
On Thu, Jun 30, 2016 at 06:16:37PM +0200, Lukas Slebodnik wrote: > On (30/06/16 15:38), Sumit Bose wrote: > >On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote: > >> Hello, > >> > >> We are using FreeIPAv3 with SSSD with Hortonworks Cluster : > >> > >> - ipa-admintool

Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords

2016-06-30 Thread Joanna Delaporte
I figured it out. The problem was the user's UID being too low. In the client's /var/log/secure log, I found this: sshd[25010]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "user1" The user that was failing to authenticate via password had a UID lower than 1000. When I all

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-06-30 Thread pgb205
Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains. thanks On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George  wrote: when i am running ipa trust-fetch-domains "kwttestdc.com.kw" , i am getting below error in error_log [Sat Apr 30 09:14:25.107449

Re: [Freeipa-users] How to give directory permissions on a specific client to FreeIPA users.

2016-06-30 Thread Mitra Dehghan
Dear Christian Thanks for your explanation about shell builtin. I changed directory permissions and now it works! Mitra On Tue, Jun 28, 2016 at 4:17 PM, Christian Heimes wrote: > On 2016-06-28 09:08, Mitra Dehghan wrote: > > > > Hello, > > > > I want to know how can I give directory permissions

[Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Joanna Delaporte
I need some pointers for getting NFSv4 to use krb5 authorization in my IPA realm. My realm is new. I have just migrated some users from an NIS domain to the IPA realm. The numerical UIDs and GIDs do not all match. I set up NFS server and client, and automaps using the recommended methods in the RH

Re: [Freeipa-users] IPA and NFSv4 with krb5 security

2016-06-30 Thread Youenn PIOLET
Hi, First questions (sorry if it's obvious): - Do you have a valid token on the client? (obtained with kinit) - Did you import the keytab for NFS service on the server? - Did you put "domain = yourdomain.tld" in your NFS server config file? On your client? - Depending on your (ipa? nfs?) version yo

Re: [Freeipa-users] FreeIPA doesnt start

2016-06-30 Thread Fraser Tweedale
On Thu, Jun 30, 2016 at 03:36:22PM +0200, Tomasz Torcz wrote: > On Thu, Jun 30, 2016 at 02:51:02PM +0200, Andreas Ladanyi wrote: > > Hi, > > > > i upgraded from Fedora 22 to 23 and now iam working with IPA 4.2 > > > > When i want to start IPA with ipactl start i run into the situation > > startin