Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All, Debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does. James From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Saturday, 7 January 2017, 15:34 Subject: Re:

Re: [Freeipa-users] ipa replica installation help

2017-01-09 Thread Florence Blanc-Renaud
On 01/09/2017 01:27 PM, Ben .T.George wrote: Hi List, is there anyone faces/fixed this issue? Regards, Ben Hi Ben, the directory server fails to restart on the replica. Are there any specific error messages in /var/log/dirsrv/slapd-$DOMAIN/errors and access log files? If you are hitting

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Youenn PIOLET
Hey there, I got the same issue after upgrading my servers to 4.4.0. The problem comes from duplicate entries in: cn=permissions,cn=pbac,dc=example,dc=com I think FreeIPA upgrade fails to create ACL on pbac specific entries, resulting in a conflict entry creation. The problem is that SSSD on

Re: [Freeipa-users] sshd[22490]: Failed password for invalid user

2017-01-09 Thread Sumit Bose
On Mon, Jan 09, 2017 at 11:21:00AM +0100, rajat gupta wrote: > Hi, > > Error message is changed today. but same some are able to login but most of > the user are not. Please find the below logs from ipa2 server. > > /var/log/secure > > Jan 9 11:02:59 ilt-gif-ipa02 sshd[18942]:

Re: [Freeipa-users] FreeIpa client can't execute any command

2017-01-09 Thread Petr Vobornik
On 01/09/2017 02:56 PM, Андрей Ривкин wrote: > Hello everyone! > > I'm new to FreeIpa, so if my question is very simple just point me to the > documentation. > > I've installed FreeIpa on host demo3.xxx.com . > Then registered some other host demo5.xxx.com

Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-09 Thread Martin Basti
On 06.01.2017 18:14, TomK wrote: On 1/5/2017 2:17 PM, Martin Basti wrote: On 05.01.2017 20:03, TomK wrote: Hey All, QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, can't ping the windows AD cluster: mds.xyz. Nor can I get dig to

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
On Mon, Jan 09, 2017 at 02:07:21PM +0530, Rakesh Rajasekharan wrote: > yes on the IPA server as well.. the offset isn't that high > > remote refid st t when poll reach delay offset > jitter > == >

Re: [Freeipa-users] [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.

2017-01-09 Thread Lukas Slebodnik
On (08/01/17 17:13), TomK wrote: >On 1/8/2017 12:22 AM, TomK wrote: >> Hey All, >> >> Wanted to tap your experience a bit. Do you recall under which >> conditions this error can be triggered under? >> >> (Sun Jan 8 00:15:17 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): >> received: [6

Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-09 Thread Sumit Bose
On Sat, Jan 07, 2017 at 02:14:45AM +, Chen Lufan wrote: > Dear Team, > > I am new to freeIPA and GSS authentication so maybe someone can shed a light > on where the issue is when I perform below ssh? Your help will be greatly > appreciated! > > > host2$ ssh -F /home/user/config

Re: [Freeipa-users] sshd[22490]: Failed password for invalid user

2017-01-09 Thread Sumit Bose
On Mon, Jan 09, 2017 at 09:48:50AM +0100, rajat gupta wrote: > few user are able to login. ipa ad-trust setup. > > == > Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking > getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed - > POSSIBLE

Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-09 Thread Jakub Hrozek
(please keep CC-ing the list..) On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote: > Sorry, i did not trigger authentication at all. Just to check sssd logs. > around 15 minutes later, I saw below messages shown: > > (Mon Jan 9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] >

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread Lukas Slebodnik
On (09/01/17 12:44), James Harrison wrote: >All, Debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does. > Could you provide sudo logs with 1.8.19-1? https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO sssd log files will be helpful as well. LS

[Freeipa-users] FreeIpa client can't execute any command

2017-01-09 Thread Андрей Ривкин
Hello everyone! I'm new to FreeIpa, so if my question is very simple just point me to the documentation. I've installed FreeIpa on host demo3.xxx.com. Then registered some other host demo5.xxx.com. I've used ipa add host command. Then installed ipa-client and ipa-admin-tools demo5. Checked that

[Freeipa-users] SLAPD stops answering

2017-01-09 Thread Troels Hansen
Hi, we have an IPA installation, which obviously needs upgrading. It's a single server running RHEL7.1 running IPA 4.1. However, it has been running smoothly until now: Rebooting makes everything running again, but only for a few days. It looks like everything fails around 0:17:47 and comes up

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Ludwig Krispenz
Hi, there seem to be two issues here, maybe related: a hanging slapd process and the retro CL errors. If the slapd process is not responding can we get a pstack or gdb backtrace (http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes) of the process? About the Retro CL messages, is it

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All, 1.8.19-1 from Debian does not appear to work either. James From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA

[Freeipa-users] FreeIPA, Duo Security integration

2017-01-09 Thread Oucema Bellagha
Hi, As of now, we have FreeIPA with OTP working perfectly. Now, I am looking at possibly integrating Duo security instead of FreeIPA's 2FA. I am concerned about how it will fit in with FreeIPA... Has anyone else tried this before? If so, are there any pitfalls or problems you have

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Adam Bishop
On 9 Jan 2017, at 13:06, Troels Hansen wrote: > Anyone with some thoughts about this, other than "Just upgrade". This sounds similar to the behaviour I'm seeing on my standalone instance; though I don't have anything in the error log:

Re: [Freeipa-users] disable inactive accounts and delete old accounts

2017-01-09 Thread Giger, Justean
I should add that I do not have the "disable last success" option enabled for the IPA server Justean From: Justean Giger > Date: Friday, January 6, 2017 at 9:10 AM To: "freeipa-users@redhat.com"

[Freeipa-users] documentation or example of using S42U for NFS

2017-01-09 Thread Charles Hedrick
Various documentation suggests that it is possible for Gssproxy to get tickets for users who need to use NFS. This is a possible way to handle things like cron jobs. However while a gssproxy.conf example is given, there’s no sign of what needs to be done in freeipa to authorize it. I tried

Re: [Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-09 Thread Robert Story
On Mon, 9 Jan 2017 10:55:05 +0100 Sumit wrote: SB> There are older reports that a similar audit message was triggered by SB> wrong SELinux labels on $HOME/.ssh and the files within. Although none SB> of the typical files in this directory are needed by GSSAPI SB> authentication it might worth to

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Troels Hansen
- On Jan 9, 2017, at 3:37 PM, Adam Bishop adam.bis...@jisc.ac.uk wrote: > If you attach strace to the slapd process, do you see repeated (failing) calls > to getpeername()? > Actually, just tried attaching a running dirsrv (which responds to requests): This also spawns lots of failing

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote: > Sorry for the delay, was doing some troubleshooting. > > Here is what I know now: > > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu > 14.04). > > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote: > Hi, > > I am using a Freeipa 4.2.0 server. > > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And > when this happens, usually logins or new ipa-client-install fails. > > When I checked on one of the

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Rakesh Rajasekharan
yes on the IPA server as well.. the offset isn't that high remote refid st t when poll reach delay offset jitter == *ip-10-10-1-150.e 132.163.4.1012 u 119 128 3770.431 -0.279 0.348

[Freeipa-users] sshd[22490]: Failed password for invalid user

2017-01-09 Thread rajat gupta
few user are able to login. ipa ad-trust setup. == Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed - POSSIBLE BREAK-IN ATTEMPT! Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid user

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Robbie Harwood
Rakesh Rajasekharan writes: > There were about 1500 hosts that were alerting for "clock skew" and the > issue went away only after I did a resync using ntpdate on all those hosts Great, glad it's fixed! Are these VMs? If not, you may wish to (re?)configure