[Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)
On 04/26/2015 08:23 AM, Alexander Bokovoy wrote:
> ----- Original Message -----
>> Hi Rob and Dimitri
>>
>> Migrating via Replica is the obvious way that I would have gone, had the FreeIPA / RedHat documentation not suggested the replicas must have the same version.
>>
>> I think the link that put me off from replicating was:
>> http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html
>>
>> Looking at the link more closely I now see this applies to version 1.2, but from the page itself that was not obvious. It would be great if the version to which the IPA documentation applies was more obvious. I am sure I am not the only user who enters the documentation via a search engine.
>
> We really need to remove this version 1.x documentation, it is giving too much confusion.

I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 and 2.0.0 guides with a redirection to:

http://www.freeipa.org/page/Upstream_User_Guide

which contains the reasoning and updated list of deprecated guides and a link to the current documentations. HTH.

If anyone needs the old guides, I can zip them and add as a download to Documentation section.

Martin

> Use documentation at the Red Hat Customer Portal:
> - versions 3.3 and onwards:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html
> - version 3.0:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>
> We have all proper links gathered at http://www.freeipa.org/page/Documentation, it has these links and even more, including HOWTOs for integration with other software.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] default e-mail address and aliases from LDAP
On 04/27/2015 07:49 AM, Ivars Strazdiņš wrote:
> Hi there,
>
> I am preparing to move our site e-mail authentication backend to FreeIPA. That is, integrate Postfix with FreeIPA.
>
> Let's suppose user has two or more e-mail addresses,
> j...@site.com
> joe.u...@site.com
>
> Currently we use smtp_generic_maps on Postfix side to ensure that mail always leaves site as joe.u...@site.com
>
> Is there a way to ensure in FreeIPA that user's default address is joe.u...@site.com so that Postfix could do a smtp_generic_maps lookup in LDAP server and get the default address?
>
> And another question - is it possible to maintain e-mail aliases in FreeIPA? Say, to expand address l...@site.com to users j...@site.com, j...@site.com and m...@site.com?
>
> Any suggestions are welcome, I am just beginning to work with LDAP.

I myself don't know. However, there are some email howtos on the 389 site: http://www.port389.org/docs/389ds/tech-docs.html#mail

Hopefully someone with actual experience integrating Postfix and LDAP will chime in on this thread. If not, try the 389-us...@lists.fedoraproject.org list - there are some email server operators there.

> Thanks for your time and kind regards,
> Ivars
Re: [Freeipa-users] FreeIPA 4.1.4 and Windows Groups
On Mon, 27 Apr 2015, Zach McNeilly wrote:
> Hi all,
>
> First I'd like to say thank you for the fantastic product. We've been using FreeIPA since v 1 and it's been fantastic. Recently we've hit a slight snag, however.
>
> We used this document (https://www.freeipa.org/page/Windows_authentication_against_FreeIPA) to setup Windows to use FreeIPA for its back end authentication. This works really well and we are really happy with it.

You know that it is not a supported configuration, right?

> To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install' on our FreeIPA servers, this added several attributes to every user as expected. However, now when users try to log on to a Windows machine with their FreeIPA credentials they can log on but they are no longer in any Windows groups (Administrators or Remote Desktop Users in this case). This was working before running ipa-adtrust-install.
>
> If you remove the following attributes from the user Windows works again but samba no longer does:
> objectclass=ipantuserattrs
> ipantsecurityidentifier=SID
>
> I've been banging my head against the wall on this for a while, and can't seem to get everything to mesh. Can anyone make any recommendations?

I don't think we can do anything here. Windows takes list of SIDs from Kerberos ticket's MS-PAC which is filled by IPA KDC. The format of MS-PAC includes group list in form of RIDs, i.e. relative identifiers, relative to the domain SID.

--
/ Alexander Bokovoy
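An added illustration of the RID point in the reply above (editor's example, not code from FreeIPA or from the posters): a RID-based group list can only name groups that live under the PAC's own domain SID, so the check below classifies SIDs by whether they have a RID relative to a given domain. The domain SID is constructed; the BUILTIN values for the two local Windows groups named in the thread are the fixed well-known SIDs.

```python
"""Which group SIDs can be carried in a RID-based MS-PAC group list?

Added example for the thread above, written by the editor; it is not code
from FreeIPA or from the posters.  The demo domain SID is constructed.
"""
from __future__ import annotations

# Well-known BUILTIN SIDs of the local Windows groups named in the thread.
# These are fixed values from the Windows security model, not from the thread.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"

# Constructed sample domain SID (the three sub-authorities are made up).
DEMO_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split 'S-<rev>-<authority>-<sub1>-...-<subN>' into its numeric parts."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unsupported SID revision in {sid!r}")
    sub_authorities = [int(p) for p in parts[3:]]
    return revision, authority, sub_authorities


def split_domain_rid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID): the RID is the last sub-authority and the
    domain SID is everything before it."""
    revision, authority, subs = parse_sid(sid)
    if not subs:
        raise ValueError(f"SID has no RID component: {sid!r}")
    domain = "-".join(["S", str(revision), str(authority), *map(str, subs[:-1])])
    return domain, subs[-1]


def rid_relative_to(domain_sid: str, sid: str) -> int | None:
    """RID of `sid` if it belongs to `domain_sid`, else None.

    None is the case a RID-only group list cannot carry: a SID under another
    authority, such as BUILTIN (S-1-5-32-*), has no RID relative to the
    account domain's SID."""
    domain, rid = split_domain_rid(sid)
    return rid if domain == domain_sid else None


def pac_group_sids(domain_sid: str, rids: list[int]) -> list[str]:
    """Expand a PAC-style RID list back into full group SIDs, which is what a
    Windows client does with the domain SID when it builds the logon token."""
    return [f"{domain_sid}-{rid}" for rid in rids]


def expressible_groups(domain_sid: str, group_sids: list[str]) -> tuple[list[int], list[str]]:
    """Partition group SIDs into (RIDs that fit the list, SIDs that do not)."""
    rids: list[int] = []
    dropped: list[str] = []
    for sid in group_sids:
        rid = rid_relative_to(domain_sid, sid)
        if rid is None:
            dropped.append(sid)
        else:
            rids.append(rid)
    return rids, dropped


if __name__ == "__main__":
    groups = [f"{DEMO_DOMAIN_SID}-513", f"{DEMO_DOMAIN_SID}-1002",
              BUILTIN_ADMINISTRATORS, BUILTIN_REMOTE_DESKTOP_USERS]
    rids, dropped = expressible_groups(DEMO_DOMAIN_SID, groups)
    print("RIDs carried in the group list:", rids)
    print("no RID relative to the domain SID:", dropped)
    print("client rebuilds:", pac_group_sids(DEMO_DOMAIN_SID, rids))
```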
Re: [Freeipa-users] default e-mail address and aliases from LDAP
On 04/27/2015 04:51 PM, Rich Megginson wrote:
> On 04/27/2015 07:49 AM, Ivars Strazdiņš wrote:
>> Hi there,
>>
>> I am preparing to move our site e-mail authentication backend to FreeIPA. That is, integrate Postfix with FreeIPA.
>>
>> Let's suppose user has two or more e-mail addresses,
>> j...@site.com
>> joe.u...@site.com
>>
>> Currently we use smtp_generic_maps on Postfix side to ensure that mail always leaves site as joe.u...@site.com
>>
>> Is there a way to ensure in FreeIPA that user's default address is joe.u...@site.com so that Postfix could do a smtp_generic_maps lookup in LDAP server and get the default address?
>>
>> And another question - is it possible to maintain e-mail aliases in FreeIPA? Say, to expand address l...@site.com to users j...@site.com, j...@site.com and m...@site.com?
>>
>> Any suggestions are welcome, I am just beginning to work with LDAP.
>
> I myself don't know. However, there are some email howtos on the 389 site: http://www.port389.org/docs/389ds/tech-docs.html#mail
>
> Hopefully someone with actual experience integrating Postfix and LDAP will chime in on this thread. If not, try the 389-us...@lists.fedoraproject.org list - there are some email server operators there.

Here is one of the pointers:
https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/

>> Thanks for your time and kind regards,
>> Ivars

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] FYI: Fedora 22 and trusts
Hi,

if you are playing with Fedora 22 beta, your experience with FreeIPA may be rough. When installing freeipa-server-trust-ad make sure to also install samba-common-tools package.

Samba packaging was split to allow samba-common to be an architecture-independent package but samba package didn't get dependency to samba-common-tools subpackage which contains /usr/bin/net utility. This utility is used by FreeIPA when you run ipa-adtrust-install.

I've submitted update which fixes this issue [1] but until it reaches stable updates of Fedora 22, simply install samba-common-tools in addition to freeipa-server-trust-ad.

As with any pre-release software, it is recommended to always run up-to-date system as bugs get fixed almost every day before release.

[1] https://admin.fedoraproject.org/updates/samba-4.2.1-5.fc22

--
/ Alexander Bokovoy
Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)
Hi Martin

Thanks: I am glad others can benefit from my mistakes.

Cheers

Chris

From: Martin Kosek mko...@redhat.com
To: Alexander Bokovoy aboko...@redhat.com, Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com, Robert Crittenden rcrit...@redhat.com, Simo Sorce sso...@redhat.com, Dmitri Pal d...@redhat.com
Date: 27.04.2015 12:51
Subject: Old FreeIPA upstream guides removed (WAS: Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons)

>> We really need to remove this version 1.x documentation, it is giving too much confusion.
>
> I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 and 2.0.0 guides with a redirection to:
>
> http://www.freeipa.org/page/Upstream_User_Guide
>
> which contains the reasoning and updated list of deprecated guides and a link to the current documentations. HTH.
>
> If anyone needs the old guides, I can zip them and add as a download to Documentation section.
>
> Martin
[Freeipa-users] default e-mail address and aliases from LDAP
Hi there,

I am preparing to move our site e-mail authentication backend to FreeIPA. That is, integrate Postfix with FreeIPA.

Let's suppose user has two or more e-mail addresses,
j...@site.com
joe.u...@site.com

Currently we use smtp_generic_maps on Postfix side to ensure that mail always leaves site as joe.u...@site.com

Is there a way to ensure in FreeIPA that user's default address is joe.u...@site.com so that Postfix could do a smtp_generic_maps lookup in LDAP server and get the default address?

And another question - is it possible to maintain e-mail aliases in FreeIPA? Say, to expand address l...@site.com to users j...@site.com, j...@site.com and m...@site.com?

Any suggestions are welcome, I am just beginning to work with LDAP.

Thanks for your time and kind regards,
Ivars
Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)
On Mon, 2015-04-27 at 12:51 +0200, Martin Kosek wrote:
> On 04/26/2015 08:23 AM, Alexander Bokovoy wrote:
>> ----- Original Message -----
>>> Hi Rob and Dimitri
>>>
>>> Migrating via Replica is the obvious way that I would have gone, had the FreeIPA / RedHat documentation not suggested the replicas must have the same version.
>>>
>>> I think the link that put me off from replicating was:
>>> http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html
>>>
>>> Looking at the link more closely I now see this applies to version 1.2, but from the page itself that was not obvious. It would be great if the version to which the IPA documentation applies was more obvious. I am sure I am not the only user who enters the documentation via a search engine.
>>
>> We really need to remove this version 1.x documentation, it is giving too much confusion.
>
> I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 and 2.0.0 guides with a redirection to:
>
> http://www.freeipa.org/page/Upstream_User_Guide
>
> which contains the reasoning and updated list of deprecated guides and a link to the current documentations. HTH.
>
> If anyone needs the old guides, I can zip them and add as a download to Documentation section.

Yes please, leave the guides available for download. People may need them for historical reasons.

Simo.
Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Hello,

comments inline

Martin

On 27/04/15 18:09, Christopher Lamb wrote:
> Hi All
>
> I may have found a possible cause of our instance of the Your session has expired Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my surprise, despite running ntpd it was 2 hours in the future!

Yes, time is important for successful kerberos login.

> Some moons ago we were suffering from clock-skew problems, and had spent a lot of time understanding ntp, and setting up an optimal ntp architecture / config. We were able to completely eliminate clock-skew across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 NTPD servers with 4 RedHat NTPD servers.

We plan to fix this in new version

> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to successfully log into the Web UI from Firefox and Safari on OSX, and Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to see if the 2 hour offset + Web UI session problem can be reproduced, so at the moment this remains a credible, but not proven hypothesis. However I guess that 2 hour offset probably comes from the 2 hour difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf were optional - we care strongly about the content of that file!

ipa-server-install
  -N, --no-ntp          do not configure ntp

> Cheers
>
> Chris
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: freeipa-users@redhat.com
> Date: 26.04.2015 01:29
> Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
> Sent by: freeipa-users-boun...@redhat.com
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances. I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc)
>
> Very sporadically one of the above browsers will “let me in” - If I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
>
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12
>
> If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

--
Martin Basti
Re: [Freeipa-users] Access to IPA Web-UI with different domain names
On 04/27/2015 06:06 PM, David Dimovski wrote:
> Hi Folks,
>
> does somebody have a best practice, how to access the IPA Web-UI with different domain names?
>
> Example: Our IPA 4.1 have two different IPs (extern and intern) with two domain names. The web gui is only accessible from the domain name, which IPA was registered with (intern domain name). When trying to access with the extern domain name, IPA is rewriting to the intern domain name. After disabling the rewriting, the web ui is accessible from the two domain names, but the login is not possible from the extern domain name (only intern domain name), getting the following error: Logout session expired.
>
> Does somebody have an idea or a clue?
>
> Many thanks in advance!
>
> Best regards
> David

Hello!

IIUC this is not something FreeIPA supports. When you deploy FreeIPA server it is tied to a domain specified during installation. I think you need to decide whether your FreeIPA domain is internal or external. If it's internal it is inaccessible from outside and you need to first connect to the internal network (e.g. use VPN) and then connect to FreeIPA server. If it's external then everything works as expected.

--
David Kupka
[Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Hi All

I may have found a possible cause of our instance of the Your session has expired Web UI error on our new FreeIPA 4.1.0 Server

By chance I checked the date on the server hosting FreeIPA 4.1.0. To my surprise, despite running ntpd it was 2 hours in the future!

Some moons ago we were suffering from clock-skew problems, and had spent a lot of time understanding ntp, and setting up an optimal ntp architecture / config. We were able to completely eliminate clock-skew across all our servers.

Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 NTPD servers with 4 RedHat NTPD servers.

Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, and time was correct again.

Subsequent to this (at least at various points today) I have been able to successfully log into the Web UI from Firefox and Safari on OSX, and Firefox on Windows. On both platforms Chrome (not supported) does not work.

I confess I have not had the time to return to the FreeIPA ntp config to see if the 2 hour offset + Web UI session problem can be reproduced, so at the moment this remains a credible, but not proven hypothesis. However I guess that 2 hour offset probably comes from the 2 hour difference between UTC and European Summertime.

I think it would be great if the changes made by FreeIPA setup to ntp.conf were optional - we care strongly about the content of that file!

Cheers

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----

From: Christopher Lamb/Switzerland/IBM@IBMCH
To: freeipa-users@redhat.com
Date: 26.04.2015 01:29
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Sent by: freeipa-users-boun...@redhat.com

Hi All

I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:
https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:
An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances. I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc)

Very sporadically one of the above browsers will “let me in” - If I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:

Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12

If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/
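An added example for the two messages above (Chris's report of the rewritten /etc/ntp.conf and the 2 hour offset, and Martin's pointer to the --no-ntp install option): editor's code, not FreeIPA's, that detects time sources in ntp.conf that differ from the ones a site expects, and judges an offset against the krb5 default clockskew of 300 seconds. The config text and hostnames are constructed.

```python
"""Detect an /etc/ntp.conf whose time sources were rewritten, and judge a
clock offset against the Kerberos tolerance.

Added example, not FreeIPA code.  SAMPLE_NTP_CONF and the hostnames are
constructed to resemble the situation in the thread (the site's servers
replaced by distribution pool servers).  300 s is the krb5 default
clockskew, a value not taken from the thread.
"""
from __future__ import annotations

import re

KRB5_DEFAULT_CLOCKSKEW_SECONDS = 300

# Constructed sample ntp.conf, as it might look after an installer rewrote it.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
# server lines below were written by the installer
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
"""

# The site's own time sources (constructed placeholder names).
SITE_NTP_SERVERS = {
    "ntp1.example.internal", "ntp2.example.internal",
    "ntp3.example.internal", "ntp4.example.internal",
}

# Directives that name a time source; '#' comment lines never match because
# the pattern is anchored at the start of the line.
_SOURCE_LINE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.MULTILINE)


def configured_sources(conf_text: str) -> set[str]:
    """Hostnames/addresses named by server/pool/peer directives."""
    return {m.group(2) for m in _SOURCE_LINE.finditer(conf_text)}


def ntp_conf_drift(conf_text: str, expected: set[str]) -> dict:
    """Compare the configured time sources with the expected set."""
    found = configured_sources(conf_text)
    return {
        "ok": found == expected,
        "missing": sorted(expected - found),
        "unexpected": sorted(found - expected),
    }


def within_kerberos_skew(offset_seconds: float,
                         max_skew: int = KRB5_DEFAULT_CLOCKSKEW_SECONDS) -> bool:
    """True if a clock offset of either sign is within what the KDC tolerates."""
    return abs(offset_seconds) <= max_skew


if __name__ == "__main__":
    print(ntp_conf_drift(SAMPLE_NTP_CONF, SITE_NTP_SERVERS))
    # The two-hour offset from the thread is far outside the tolerance.
    print("2h offset acceptable to Kerberos:", within_kerberos_skew(2 * 3600))
```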
[Freeipa-users] Access to IPA Web-UI with different domain names
Hi Folks,

does somebody have a best practice, how to access the IPA Web-UI with different domain names?

Example: Our IPA 4.1 have two different IPs (extern and intern) with two domain names. The web gui is only accessible from the domain name, which IPA was registered with (intern domain name). When trying to access with the extern domain name, IPA is rewriting to the intern domain name. After disabling the rewriting, the web ui is accessible from the two domain names, but the login is not possible from the extern domain name (only intern domain name), getting the following error: Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David
[Freeipa-users] FreeIPA WebUI Logout logs back in
Hi All

When I use the logout dropdown in the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen. This prevents me from logging in with a different user.

The FreeIPA Server is 4.1.0 on OEL 7.5. I am using Web UI from an OSX workstation (Firefox and Safari).

We did not have this behaviour with FreeIPA 3.0.0

Thanks for your help

Chris
Re: [Freeipa-users] IPA Web UI behind proxy
Hi Fraser,

I actually attempted that procedure (https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP) but it completely broke my IPA install. I could no longer log in with any users including admin, enrollment/client auth broke, etc. Unfortunately I couldn't find any way to roll back to the self-signed CA cert so I ended up having to do a full re-provision and reinstall. Needless to say, I'm a bit reticent to try that again.

On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale ftwee...@redhat.com wrote:
> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
>> Hi,
>>
>> Does anybody have any experience putting the IPA web UI behind a reverse proxy? In an attempt to allow our users to access the UI without browser warnings and without having to add the root CA certificate to their trusted store (there was some resistance to that idea), I set up an nginx server as a simple reverse proxy. Every request returns an Unable to verify your Kerberos credentials error page.
>>
>> The headers returned:
>>
>> $ http -h GET https://proxy/ipa
>> HTTP/1.1 401 Unauthorized
>> Accept-Ranges: bytes
>> Connection: keep-alive
>> Content-Length: 1474
>> Content-Type: text/html; charset=UTF-8
>> Date: Fri, 24 Apr 2015 18:43:06 GMT
>> Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
>> Server: nginx/1.4.6 (Ubuntu)
>> WWW-Authenticate: Negotiate
>>
>> I saw this thread from 2013:
>> https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
>>
>> I'm sending the proper Host and Referer headers by the proxy as specified, and I modified the Apache rewriting rules to not redirect to the hostname of the backend IPA server.
>>
>> Any ideas how this can be done?
>
> Hi Benjamen,
>
> You could use a 3rd-party certificate (signed by trusted, public CA) for the Web UI; see the guide: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> If you decide to continue with the Web UI behind a reverse proxy, Simo recently blogged about Kerberos authentication issues with this sort of setup; you may find inspiration here: https://ssimo.org/blog/id_019.html
>
> Cheers,
> Fraser
>
>> Thanks,
>> --
>> Benjamen Keroack
>> Infrastructure/DevOps Engineer
>> benja...@dollarshaveclub.com

--
Benjamen Keroack
Infrastructure/DevOps Engineer
benja...@dollarshaveclub.com
[Freeipa-users] FreeIPA 4.1.4 and Windows Groups
Hi all,

First I'd like to say thank you for the fantastic product. We've been using FreeIPA since v 1 and it's been fantastic. Recently we've hit a slight snag, however.

We used this document (https://www.freeipa.org/page/Windows_authentication_against_FreeIPA) to setup Windows to use FreeIPA for its back end authentication. This works really well and we are really happy with it.

To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install' on our FreeIPA servers, this added several attributes to every user as expected. However, now when users try to log on to a Windows machine with their FreeIPA credentials they can log on but they are no longer in any Windows groups (Administrators or Remote Desktop Users in this case). This was working before running ipa-adtrust-install.

If you remove the following attributes from the user Windows works again but samba no longer does:
objectclass=ipantuserattrs
ipantsecurityidentifier=SID

I've been banging my head against the wall on this for a while, and can't seem to get everything to mesh. Can anyone make any recommendations?

Best,
Zach
[Freeipa-users] Password expiration not updated with password change
I'm currently experimenting with Red Hat Identity Management 6.0, and I've noticed that when I create a user, and have them change their password using the passwd command, the password is changed in IdM, but the password expiration date is not updated, so that their password remains expired.

Furthermore, the expired state of the password only seems to apply to logging into the IdM Web UI (these users are members of the admins group); users are able to log into any RHEL machine configured as an IdM client, using their updated password, even though the password is supposedly expired.

Any advice on what I'm doing wrong? Is the passwd command a valid way for a user to update their own password?

Thanks.

Tony
[Freeipa-users] How to renew an expired admin certificate
Dear All,

I'm in the process of regaining one of the old CA systems which was not being used for a long time. In the root CA, administrator certificate is expired and cannot access the agent interface. In order to renew it, I would need the access to the agent interface.

Please help me to proceed with the login in to the agent interface.

Regards,
Kamal
Re: [Freeipa-users] Password expiration not updated with password change
On 04/27/2015 01:08 PM, Tony Izzo wrote:
> I'm currently experimenting with Red Hat Identity Management 6.0,

This version does not make sense. Did you mean 7.0?

> and I've noticed that when I create a user, and have them change their password using the passwd command, the password is changed in IdM, but the password expiration date is not updated, so that their password remains expired.

Are you sure that the password is actually changed in the central server? What does your PAM stack look like? Do you use SSSD?

> Furthermore, the expired state of the password only seems to apply to logging into the IdM Web UI (these users are members of the admins group); users are able to log into any RHEL machine configured as an IdM client, using their updated password, even though the password is supposedly expired.

Are you sure you do not have an overlapping local user?

> Any advice on what I'm doing wrong? Is the passwd command a valid way for a user to update their own password?
>
> Thanks.

If this is the consistent behavior then I suggest you look at the server logs and see what is going on on the KDC and LDAP side at the moment of the password change. See the troubleshooting guide on the IPA wiki for more hints.

> Tony

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/27/2015 12:39 PM, Christopher Lamb wrote:
> Hi All
>
> When I use the logout dropdown in the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen. This prevents me from logging in with a different user.
>
> The FreeIPA Server is 4.1.0 on OEL 7.5. I am using Web UI from an OSX workstation (Firefox and Safari).
>
> We did not have this behaviour with FreeIPA 3.0.0
>
> Thanks for your help
>
> Chris

Try kdestroy and then logout. I am not sure it worked differently in 3.0; maybe you tried 3.0 when your Kerberos ticket had already expired.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.