Re: [Freeipa-users] zeroconf/bonjour & FreeIPA
On 25.9.2013 08:20, Christian Horn wrote:
> On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote:
>> I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA.
>>
>> Has this been considered at all?
>
> Hm.. another nice idea would be to announce services via zeroconf/bonjour. I guess effectively it's the same as having clients search in DNS "who offers service XYZ" which we already do for kerberos, ldap etc.

Interesting idea. Do you know any real use cases? I have not seen Bonjour in real use except for network printers.

Please create an RFE ticket (request for enhancement) to prevent it from falling through the cracks:
https://fedorahosted.org/freeipa/newticket

I would recommend you to add your e-mail address to the Cc field in the ticket to get the latest updates.

We can continue with the discussion about use cases here and copy conclusions to the ticket later.

--
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] TLSA records in FreeIPA
On Tue, Sep 24, 2013 at 11:23:29AM -0600, Erinn Looney-Triggs wrote:
> I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA.
>
> Has this been considered at all?

Hm.. another nice idea would be to announce services via zeroconf/bonjour. I guess effectively it's the same as having clients search in DNS "who offers service XYZ" which we already do for kerberos, ldap etc.

Christian
Re: [Freeipa-users] TLSA records in FreeIPA
On 24.9.2013 19:23, Erinn Looney-Triggs wrote:
> I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA.
>
> Has this been considered at all? I am more than happy to write up some more info about this, I just wanted to get a preliminary idea of whether this had been considered at all...

You definitely have my +1! I'm working on DNSSEC support in FreeIPA, but we didn't go so far in our plans :-)

Please create an RFE ticket (request for enhancement):
https://fedorahosted.org/freeipa/newticket

You will need a Fedora Account, please follow this:
https://fedoraproject.org/wiki/Account_System/NewAccount

I would recommend you to add your e-mail address to the Cc field in the ticket to get the latest updates.

We can continue with the discussion here, of course!

--
Petr^2 Spacek
[Freeipa-users] TLSA records in FreeIPA
I wanted to bring up the idea of integrating TLSA records into FreeIPA so that a host that is issued a certificate for say the web server (via dogtag) would also publish that information in DNS using a TLSA record. This is very much like how SSHFP records are handled now in FreeIPA.

Has this been considered at all? I am more than happy to write up some more info about this, I just wanted to get a preliminary idea of whether this had been considered at all...

-Erinn
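An added illustration of what the proposed record would carry, not code from FreeIPA, dogtag or anyone in this thread: given the DER bytes of a certificate issued to a host, it builds the `_port._proto.host` owner name and the TLSA RDATA fields from RFC 6698 (usage, selector, matching type, association data), and checks a presented certificate against published RDATA on the client side. The hostname and the certificate bytes are constructed placeholders, and only selector 0 (full certificate) is handled.

```python
import hashlib
import hmac

# TLSA RDATA fields as defined in RFC 6698.
USAGE_DANE_EE = 3          # certificate usage 3: the record pins the end-entity cert itself
SELECTOR_FULL_CERT = 0     # selector 0: match against the full DER certificate
MATCH_EXACT = 0            # matching type 0: association data is the full DER, hex-encoded
MATCH_SHA256 = 1           # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2           # matching type 2: SHA-512 of the selected data

# Constructed placeholder, NOT a real certificate: stands in for the DER bytes
# of a certificate that the CA issued to the web server host.
SAMPLE_CERT_DER = b"\x30\x82\x00\x10constructed-cert"


def tlsa_owner(hostname, port=443, proto="tcp"):
    """Owner name a client looks up for a TLS service: _port._proto.host."""
    return "_%d._%s.%s." % (port, proto, hostname.rstrip("."))


def tlsa_association(cert_der, matching):
    """Certificate association data (hex) for selector 0 and the given matching type."""
    if matching == MATCH_EXACT:
        return cert_der.hex()
    if matching == MATCH_SHA256:
        return hashlib.sha256(cert_der).hexdigest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError("unsupported matching type %r" % matching)


def tlsa_record(hostname, cert_der, port=443, usage=USAGE_DANE_EE,
                selector=SELECTOR_FULL_CERT, matching=MATCH_SHA256):
    """Render the zone-file form of the TLSA record for a host's issued certificate."""
    if selector != SELECTOR_FULL_CERT:
        # Selector 1 (SubjectPublicKeyInfo) needs a DER parser; kept out of this example.
        raise NotImplementedError("only selector 0 (full certificate) is handled here")
    rdata = "%d %d %d %s" % (usage, selector, matching, tlsa_association(cert_der, matching))
    return "%s IN TLSA %s" % (tlsa_owner(hostname, port), rdata)


def tlsa_matches(rdata, presented_cert_der):
    """Verifier side: does the certificate a server presented match published RDATA?"""
    usage, selector, matching, data = rdata.split()
    if int(selector) != SELECTOR_FULL_CERT:
        raise NotImplementedError("only selector 0 (full certificate) is handled here")
    expected = tlsa_association(presented_cert_der, int(matching))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, data.lower())
```

With selector 0 the association data changes on every certificate renewal, so publishing it would have to be tied to reissuance by the CA, the same lifecycle hook the SSHFP analogy implies. Without DNSSEC on the zone, a client cannot trust the record any more than an unvalidated DNS answer.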
Re: [Freeipa-users] access denied ssh
On Tue, Sep 24, 2013 at 03:00:22PM +0400, Михаил А wrote:
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> debug_level = 5
> domains = ipa.sys.local

Please put the debug_level directive to the [domain] section and then attach /var/log/sssd/sssd_$domain.log
Re: [Freeipa-users] access denied ssh
[sssd]
services = nss, pam, ssh
config_file_version = 2
debug_level = 5
domains = ipa.sys.local

2013/9/24 Sumit Bose
> On Tue, Sep 24, 2013 at 01:39:28PM +0400, Михаил А wrote:
>> Hello.
>> freeipa-server-3.3fedora19
>> ipa-replica1-fedora19
>> ipa-replica2 fedora19
>>
>> ssh auth with windows accounts on ipa-replica1-fedora19 is OK
>> ssh auth with windows accounts on ipa-replica1-fedora19 is access denied
>>
>> id winuser@windomain OK
>>
>> var/log/secure
>>
>> selinux disabled
>> firewalld disabled
>>
>> help me please
>
> Please send the sssd log files from /var/log/sssd with a high debug level from the host where auth is failing.
>
> bye,
> Sumit

sssd.log (attachment)
Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management
On Tue, 24 Sep 2013, Alexandre Ellert wrote:
> Hi,
>
> I've successfully setup a testing environment with an IPA server (RHEL 6.4) and a cross realm trust with my Active Directory (Win2008 R2). Authentication works both with AD passwords and Kerberos GSS-API.
>
> Now, I'm trying to find the way to manage ssh keys which belong to AD users. It seems that I can do that only with users declared on the IPA domain. Can you confirm that?

Yes. AD users do not exist physically in IPA LDAP, therefore there is no object to assign attributes into.

> Does the winsync method provide a way to add an ssh key to an AD user?

Under winsync AD users would become 'normal' LDAP objects in IPA, therefore you can assign additional values/attributes to them.

--
/ Alexander Bokovoy
[Freeipa-users] Cross-realm trust with AD and ssh keys management
Hi,

I've successfully setup a testing environment with an IPA server (RHEL 6.4) and a cross realm trust with my Active Directory (Win2008 R2). Authentication works both with AD passwords and Kerberos GSS-API.

Now, I'm trying to find the way to manage ssh keys which belong to AD users. It seems that I can do that only with users declared on the IPA domain. Can you confirm that?

Does the winsync method provide a way to add an ssh key to an AD user?

Your suggestions are welcome.

Thanks.
Alexandre.
Re: [Freeipa-users] Changing the WebUI idiom
On 23/09/13 13:57, John Dennis wrote:
> Oh by the way, you could help us and file a bug on the spanish translation so we can get the translation fixed.

Of course, thanks!

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Re: [Freeipa-users] access denied ssh
On Tue, Sep 24, 2013 at 01:39:28PM +0400, Михаил А wrote:
> Hello.
> freeipa-server-3.3fedora19
> ipa-replica1-fedora19
> ipa-replica2 fedora19
>
> ssh auth with windows accounts on ipa-replica1-fedora19 is OK
> ssh auth with windows accounts on ipa-replica1-fedora19 is access denied
>
> id winuser@windomain OK
>
> var/log/secure
>
> selinux disabled
> firewalld disabled
>
> help me please

Please send the sssd log files from /var/log/sssd with a high debug level from the host where auth is failing.

bye,
Sumit
[Freeipa-users] access denied ssh
Hello.

freeipa-server-3.3fedora19
ipa-replica1-fedora19
ipa-replica2 fedora19

ssh auth with windows accounts on ipa-replica1-fedora19 is OK
ssh auth with windows accounts on ipa-replica1-fedora19 is access denied

id winuser@windomain OK

var/log/secure

selinux disabled
firewalld disabled

help me please

secure (attachment)