[Freeipa-users] anonymous binds limits?

2015-03-27 Thread Janelle
Hello, Just wondering if there is an easy way to increase anonymous binds on the back end for non Kerberos clients? I have seen some mention of it, and that IPA has limits, can't find a lot of detail? Thank you ~J

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
Hi Rob, Thanks for the explanation. I understand your solution, I just thought that was "the dirty" way :) Thanks for your effort! Cheers, Matt 2015-03-27 18:57 GMT+01:00 Rob Crittenden : > Matt . wrote: >> I'm almost there but what happens when I regenerate a certificate for >> the ldap serve

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-27 Thread sipazzo
Rob, thank you,you have been so helpful. This appears to have worked in my sandbox environment. I was able to get the new certs for the directory server and apache, stop tracking and remove the old Go Daddy certs, put my original CA certs in the correct locations and import into the databases, t

Re: [Freeipa-users] using dogtag outside of freeIPA?

2015-03-27 Thread Dmitri Pal
On 03/27/2015 04:52 PM, Steve Neuharth wrote: Hello, Is it possible or perhaps not recommended to use the dogtag API and/or UI on a FreeIPA system without using the freeIPA CLI or UI? I have a requirement to submit a certificate to a service without kerberos and without client software instal

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Dmitri Pal
On 03/27/2015 01:20 PM, Prasun Gera wrote: Keys can be generated in migration in two ways: by the migration web UI or by sssd. I'm guessing you were unaware of this second method and that is how the keys are being created. That's what I suspected too. But it doesn't look l

[Freeipa-users] using dogtag outside of freeIPA?

2015-03-27 Thread Steve Neuharth
Hello, Is it possible or perhaps not recommended to use the dogtag API and/or UI on a FreeIPA system without using the freeIPA CLI or UI? I have a requirement to submit a certificate to a service without kerberos and without client software installed using a RESTful API. Dogtag API is very well do

Re: [Freeipa-users] Fwd: Unexpected IPA Crashes

2015-03-27 Thread Dmitri Pal
On 03/27/2015 11:32 AM, Sankar Ramlingam wrote: On 03/27/2015 01:42 PM, David Kreuter wrote: No, there are no entries with "segfaulter" neither in /var/log/messages nor in journalctl. Meanwhile we encountered several directory server hangs and I was able to produce the stacktrace. Perhaps you

Re: [Freeipa-users] How to add 'generic' service?

2015-03-27 Thread Simo Sorce
On Fri, 2015-03-27 at 15:33 -0400, Coy Hile wrote: > I’m rebuilding my existing heimdal realm using FreeIPA, and right now > I’m having difficulty creating the service principal > afs/realm-name@REALM. When I use ipa service-add, I get output thusly: > > [root@ipa-us-east-2 ~]# ipa service-add afs

Re: [Freeipa-users] How to add 'generic' service?

2015-03-27 Thread Rob Crittenden
Coy Hile wrote: > I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m > having difficulty creating the service principal afs/realm-name@REALM. When I > use ipa service-add, I get output thusly: > > [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile@coyhile.com > ipa: E

[Freeipa-users] How to add 'generic' service?

2015-03-27 Thread Coy Hile
I’m rebuilding my existing heimdal realm using FreeIPA, and right now I’m having difficulty creating the service principal afs/realm-name@REALM. When I use ipa service-add, I get output thusly: [root@ipa-us-east-2 ~]# ipa service-add afs/coyhile@coyhile.com ipa: ERROR: The host 'coyhile.com'

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Rob Crittenden
Matt . wrote: > I'm almost there but what happens when I regenerate a certificate for > the ldap server I get the following when I visit it through the > loadbalancer: > > no alternative certificate subject name matches target host name > 'ldap-01.domain' > > I think this is strange as the ce

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Sumit Bose
On Fri, Mar 27, 2015 at 05:16:20PM +, Guertin, David S. wrote: > >The most likely reason for 'Protocol error' is that the server this client is > >connected to does not support the special LDAP extended operation used by > >SSSD on IPA clients to get the data for users and groups from trusted >

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Prasun Gera
> > Keys can be generated in migration in two ways: by the migration web UI > or by sssd. I'm guessing you were unaware of this second method and that > is how the keys are being created. > > That's what I suspected too. But it doesn't look like SSSD is generating keys. At least not right away. I S

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Guertin, David S.
>The most likely reason for 'Protocol error' is that the server this client is >connected to does not support the special LDAP extended operation used by >SSSD on IPA clients to get the data for users and groups from trusted >domains. And the most likely reason for this is that ipa-adtrust-install

Re: [Freeipa-users] Active Directory Kerberos authentication on older versions of IPA clients

2015-03-27 Thread Jakub Hrozek
On Fri, Mar 27, 2015 at 05:00:43PM +, Srdjan Dutina wrote: > Hi, > > I created the following test environment: > > 1. IPA server: v4.1.3 on Centos 7 > 2. Two-way trust with Active directory domain - Windows server 2012 R2 > 3. Connected multiple IPA clients: > - Fedora 21 - v4.1.3 > - Centos

[Freeipa-users] Active Directory Kerberos authentication on older versions of IPA clients

2015-03-27 Thread Srdjan Dutina
Hi, I created the following test environment: 1. IPA server: v4.1.3 on Centos 7 2. Two-way trust with Active directory domain - Windows server 2012 R2 3. Connected multiple IPA clients: - Fedora 21 - v4.1.3 - Centos 7 - v3.3.3 - Centos 6.6 v.3.0.0 to IPA domain. Using Kerberos ticket for AD use

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-27 Thread Matt .
I'm almost there but what happens when I regenerate a certificate for the ldap server I get the following when I visit it through the loadbalancer: no alternative certificate subject name matches target host name 'ldap-01.domain' I think this is strange as the certificate shows the ldap under

Re: [Freeipa-users] passwordStorageScheme

2015-03-27 Thread Sankar Ramlingam
On 03/27/2015 06:21 PM, Andy Thompson wrote: Relative newb here :) I'm doing some research trying to sort out the password storage scheme being used on the freeipa LDAP instance. From everything I can find it uses ssha but can be changed to ssha-512. But when I try to change that attribute o

Re: [Freeipa-users] Fwd: Unexpected IPA Crashes

2015-03-27 Thread Sankar Ramlingam
On 03/27/2015 01:42 PM, David Kreuter wrote: No, there are no entries with "segfaulter" neither in /var/log/messages nor in journalctl. Meanwhile we encountered several directory server hangs and I was able to produce the stacktrace. Perhaps you can have a look. Hi David, You seem to have

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Sumit Bose
On Fri, Mar 27, 2015 at 02:23:27PM +, Guertin, David S. wrote: > >To see why the login fails it would be good to > >know how you try to log in (I assume ssh) and which authentication method > >is used (password, ssh key, Kerberos ticket). > >Additionally the SSSD log files might be needed, most

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-27 Thread Guertin, David S.
>To see why the login fails it would be good to >know how you try to log in (I assume ssh) and which authentication method >is used (password, ssh key, Kerberos ticket). >Additionally the SSSD log files might be needed, most important here are the >logs from the PAM and PAC responders and the domai

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Rob Crittenden
Prasun Gera wrote: > > The passwords will only show if they are in {crypt} format. If the > password is changed in IPA it will use the default 389-ds password > scheme which is a salted SHA. > > > Yes, that's right. If the password is changed in IPA afterwards, it will > stop working

[Freeipa-users] config sudo with ipa

2015-03-27 Thread Benoit Rousselle
hi, I setup a sudo config in client ipa and set rule in ipa server. sudo rules from ipa are not found : it return 0 rules for the user This config is ambiguous. Is there a method to check if everything is OK ? The best way for this moment is to set debug_level on sssd. But I'm not sure that the p

Re: [Freeipa-users] config sudo with ipa

2015-03-27 Thread Lukas Slebodnik
On (27/03/15 14:56), Benoit Rousselle wrote: >hi, > >I setup a sudo config in client ipa and set rule in ipa server. >sudo rules from ipa are not found : it return 0 rules for the user > >This config is ambiguous. Is there a method to check if everything is OK ? >The best way for this moment is to

[Freeipa-users] passwordStorageScheme

2015-03-27 Thread Andy Thompson
Relative newb here :) I'm doing some research trying to sort out the password storage scheme being used on the freeipa LDAP instance. From everything I can find it uses ssha but can be changed to ssha-512. But when I try to change that attribute on the cn=config object like referenced here ht

Re: [Freeipa-users] Unexpired pw?

2015-03-27 Thread Martin Kosek
On 03/27/2015 01:52 PM, Janelle wrote: > > Hi all, > > Found an odd issue and a question. If you change user pw with "ipa user-mod > -password" and the client is configured for LDAP, then the user is not forced > to change the pw on initial login. This is something we would like to fix eventu

Re: [Freeipa-users] Unexpired pw?

2015-03-27 Thread Alexander Bokovoy
On Fri, 27 Mar 2015, Janelle wrote: Hi all, Found an odd issue and a question. If you change user pw with "ipa user-mod -password" and the client is configured for LDAP, then the user is not forced to change the pw on initial login. We have three different cases depending on who changes userP

[Freeipa-users] Unexpired pw?

2015-03-27 Thread Janelle
Hi all, Found an odd issue and a question. If you change user pw with "ipa user-mod -password" and the client is configured for LDAP, then the user is not forced to change the pw on initial login. However, my other question is, can you set a user pw WITHOUT pre-expiring?! ~J

Re: [Freeipa-users] LDAP/IPA pw - not pre-expired

2015-03-27 Thread Martin Kosek
On 03/27/2015 06:23 AM, Janelle wrote: > Hi again, > > I can't seem to find it. Is there a way to create a new user with a > non-expired > PW? No clean way, by design. You can check our reasoning on this page: https://www.freeipa.org/page/New_Passwords_Expired There is a way (setting some DN as

Re: [Freeipa-users] can't specify DNS name or subject in cert request in FreeIPA 3.3

2015-03-27 Thread Martin Kosek
You are doing it correctly. However, the DNS SubjectAltName only works with FreeIPA 4.0+. The CA profile before this version does not allow them. This is the upstream ticket: https://fedorahosted.org/freeipa/ticket/3977 On 03/26/2015 07:09 PM, Steve Neuharth wrote: > I'm trying to specify a subje

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Prasun Gera
> > > The passwords will only show if they are in {crypt} format. If the > password is changed in IPA it will use the default 389-ds password > scheme which is a salted SHA. Yes, that's right. If the password is changed in IPA afterwards, it will stop working for NIS clients. This is the expected

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-27 Thread Petr Spacek
On 27.3.2015 02:02, Jorgen Lundman wrote: > Petr Spacek wrote: >> Perfect! I can merge your changes upstream if you send me a patch with your >> changes. It would make your life easier later when you need to pick new code. > > Not a problem, I need to figure out why Solaris mkdir returns -1, with

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Natxo Asenjo
On Fri, Mar 27, 2015 at 5:58 AM, Yogesh Sharma wrote: > (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [sss_krb5_cc_verify_ccache] > (0x0020): 1078: [-1765328190][Credentials cache permissions incorrect] > (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache] > (0x0040): Cannot check if

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Jakub Hrozek
On Fri, Mar 27, 2015 at 12:34:57PM +0530, Yogesh Sharma wrote: > No. This is the second attempt after changing the password on first login. > > If you want I can re-send you the logs but this is the second login logs of > this user. Then it would be most interesting to see the logs of the passwor

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Gonzalo, We have some running servers on Amazon Linux and it would be difficult to migrate all those to CentOS or RHEL as of now. Hence If you can provide the package's version then it would really help us till the time we do migration. For sure all over new Servers are going to be CentOS or RHEL

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Gonzalo Fernandez Ordas
Yogesh My personal experience using AWS Linux and LDAP is not a good one and mostly an utter nightmare in relation to packages. Personally I would recommend you to keep away from AWS Linux and get a Centos, Fedora or Redhat. Still, if you want to go ahead, I can give you the right versions for

[Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Hello, Is there any repo available for Amazon Linux to install IPA Client OR below is the only way to do as found from freeipa-user mail archive. http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html Thanks for the help.

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Yogesh Sharma
No. This is the second attempt after changing the password on first login. If you want I can re-send you the logs but this is the second login logs of this user.

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Jakub Hrozek
On Fri, Mar 27, 2015 at 10:28:13AM +0530, Yogesh Sharma wrote: > Hi Jakub, > > Please find the logs for the user "test" created in IPA. > > (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): > Requesting info for [test] from [] > (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_ge

Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-27 Thread Jorgen Lundman
> Hmm, that stinks! I would be happy to look into it if you can provide me with > output from a profiler of your choice. (It might be a good idea to profile > bind-dyndb-ldap together with whole named process to see all the > interactions.) > Hold those horses. I must admit this timing didn't si