Re: [Freeipa-users] Automatic IPA CA cert generation

On 23/09/15 11:03, Fraser Tweedale wrote: On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: On 22/09/15 17:02, James Masson wrote: Hi, we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these

Re: [Freeipa-users] How to turn off RC4 in 389ds???

On 09/23/2015 11:00 AM, Michael Lasevich wrote: > OK, this is most bizarre issue, > > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and > for the life of me cannot get it to work > > I have followed many nearly identical instructions to create ldif file and > change

Re: [Freeipa-users] Automatic IPA CA cert generation

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: > > > >Hi, > > > >we're building IPAs in an automated fashion, for environments that get > >created and destroyed a lot. At the moment, the CA certs used inside > >these IPAs are self-signed, as

Re: [Freeipa-users] [Import existing CA Cert]

Hi Martin, thanks for your reply. On 09/23/2015 09:07 AM, Martin Kosek wrote: On 09/22/2015 12:41 PM, Michael Anderson wrote: Hi All, we're evaluation freeipa/dogtag as a pki management service and hoping to replace our existing menagerie of bash/openssl scripts. I'm trying to establish a

Re: [Freeipa-users] [Import existing CA Cert]

On Wed, Sep 23, 2015 at 09:07:31AM +0200, Martin Kosek wrote: > On 09/22/2015 12:41 PM, Michael Anderson wrote: > > Hi All, > > > > we're evaluation freeipa/dogtag as a pki management service and hoping to > > replace our existing menagerie of bash/openssl scripts. I'm trying to > > establish >

[Freeipa-users] OTP unstable/non functional after upgrade?

Ok, something odd happened I would love some feedback/ideas on: We had 4.1.2 running on Fedora that we used for, among other things, OTP authentication. I have just upgraded these to CentOS 7 with 4.1.4 running and our OTP setup suddenly became very unstable. Things that have changed during

Re: [Freeipa-users] Automatic IPA CA cert generation

David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: >> >> Hi, >> >> we're building IPAs in an automated fashion, for environments that get >> created and destroyed a lot. At the moment, the CA certs used inside >> these IPAs are self-signed, as part of the normal "ipa-server-install" >>

[Freeipa-users] User, keytab, password and ldap

Hello ! I'm using IPA 3.0.0 and I have a problem with one of the user I created. user3 I created this user with the command ipa user-add without specifying any password. Then I performed an ipa-getkeytab command with the -P option to have a keytab and a password. When I check the ldap server

Re: [Freeipa-users] How to turn off RC4 in 389ds???

On 09/23/2015 05:05 PM, Michael Lasevich wrote: Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no matter what I do. I am running "CentOS

Re: [Freeipa-users] How to turn off RC4 in 389ds???

Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no matter what I do. I am running "CentOS Linux release 7.1.1503 (Core)" Relevant Packages:

[Freeipa-users] When changing passwords gui displays Login screen is showing

Hi, When a user changes their password the ipa gui briefly redirects to a login page. The user often has an impulse to click on the login button which, on occasion, can seem to cause a mess with the password change. Anyone else aware of this behaviour? ta Andrew -- Manage your subscription

Re: [Freeipa-users] How to turn off RC4 in 389ds???

No difference. It is as if this setting is being overwritten somewhere deep in 389ds, because the "error" log correctly reflects the changes, but the actual process does not. (and yes, I verified that the process actually shuts down and start up again when I restart it) ldapsearch -x -D

[Freeipa-users] Ghost user?

I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched -- User login: jtest First name: janelle Last name: test Home directory:

Re: [Freeipa-users] Ghost user?

On 09/23/2015 07:15 PM, Janelle wrote: I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched -- User login: jtest First name:

[Freeipa-users] sssd public socket error

On one of my servers I'm getting Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0) Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.

Re: [Freeipa-users] Ghost user?

Janelle wrote: > On 9/23/15 10:36 AM, Martin Basti wrote: >> >> >> On 09/23/2015 07:15 PM, Janelle wrote: >>> I have a user I created for testing, but now shows as both "there" >>> but not there.. >>> >>> *ipa user-show jtest* >>> >>> ipa: ERROR: jtest: user not found >>> >>> *ipa

Re: [Freeipa-users] How to turn off RC4 in 389ds???

On 09/23/2015 05:05 PM, Michael Lasevich wrote: Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). You would not be the first to do it :-) I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no

[Freeipa-users] dns_lookup_kdc question

Hey guys, Quick question. Just running through a poc and ran into a question. I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server. Trust and all is setup properly and I can see users on the client/ipa server and on the ipa server I can ssh into it with the AD user. I am

Re: [Freeipa-users] [Import existing CA Cert]

On 09/22/2015 12:41 PM, Michael Anderson wrote: > Hi All, > > we're evaluation freeipa/dogtag as a pki management service and hoping to > replace our existing menagerie of bash/openssl scripts. I'm trying to > establish > a migration path for our existing pki solution and have a few questions:

Re: [Freeipa-users] otp issue: can't log in with password+otp

On a related point to this note - Duncan, did you try to run your setup with RPM version of FreeIPA? FreeIPA 4.2 is included both in RHEL-7.2 Beta or in Fedora 23 Beta updates-testing repo, so you can try the latest and greatest version there and thus find out if the problems you are seeing are

[Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

Ok, I just went through process of migrating our IPA setup from 4.1.2 running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek Copr version) and run into a nasty bug. The replica-install crashes during CA configuration with something like: ''/usr/sbin/pkispawn' '-s' 'CA' '-f'

Re: [Freeipa-users] [Import existing CA Cert]

On 09/23/2015 10:05 AM, Michael Anderson wrote: > Hi Martin, > > thanks for your reply. > > On 09/23/2015 09:07 AM, Martin Kosek wrote: >> On 09/22/2015 12:41 PM, Michael Anderson wrote: >>> Hi All, >>> >>> we're evaluation freeipa/dogtag as a pki management service and hoping to >>> replace

[Freeipa-users] How to turn off RC4 in 389ds???

OK, this is most bizarre issue, I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and for the life of me cannot get it to work I have followed many nearly identical instructions to create ldif file and change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -

Re: [Freeipa-users] Ghost user?

On 9/23/15 10:36 AM, Martin Basti wrote: On 09/23/2015 07:15 PM, Janelle wrote: I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched

Re: [Freeipa-users] How to turn off RC4 in 389ds???

I actually just posted that in a previous email. The only thing I cut out were nsSSLEnabledCiphers - but here is the complete listing: # ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config" Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] dns_lookup_kdc question

Excellent, Thank you for the quick response. I will look further into your suggestions Aly On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy wrote: > On Wed, 23 Sep 2015, Aly Khimji wrote: > >> Hey guys, >> >> Quick question. Just running through a poc and ran into a

Re: [Freeipa-users] sudo not work in linux

On Wed, Sep 23, 2015 at 12:48:47PM +0330, alireza baghery wrote: > hi > i have centos 6.7 (ipa server) > and i have centos 6.5 (client) I would advise to upgrade, 6.5 is old. I'm not sure if 6.5 already supported sudo_provider=ipa, but I'm pretty sure 6.6 did. That would simplify the

Re: [Freeipa-users] sssd public socket error

On Wed, Sep 23, 2015 at 06:03:45PM +, Andy Thompson wrote: > On one of my servers I'm getting > > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session > opened for user user by (uid=0) > Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to >

Re: [Freeipa-users] dns_lookup_kdc question

On Wed, 23 Sep 2015, Aly Khimji wrote: Hey guys, Quick question. Just running through a poc and ran into a question. I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server. Trust and all is setup properly and I can see users on the client/ipa server and on the ipa server I

Re: [Freeipa-users] V6 and v4

On 9/13/15 11:46 PM, Alexander Bokovoy wrote: On Sun, 13 Sep 2015, Janelle wrote: Hello, I read something recently that if ip v6 is disable on a server this hurts performance in some way? Is there more info on this or did I misread it? Do not disable IPv6 stack on your machines. By disabling

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Guys, Please keep this topic updated as many people seem to have this question. What's the status at your side ? Cheers, Matt 2015-09-04 15:27 GMT+02:00 Matt . : > Hi, > > Does everyone have this working or gived up on it ? > > Chers, > > Matt > > 2015-08-26 20:07

[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

I've put a kerberos principle into a keytab: # klist -k asterisk.keytab Keytab name: FILE:asterisk.keytab KVNO Principal -- 8 aster...@example.com using: # ipa-getkeytab -s server.example.com -p asterisk -k

Re: [Freeipa-users] Automatic IPA CA cert generation

On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote: > > On 23/09/15 11:03, Fraser Tweedale wrote: > >On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: > >>On 22/09/15 17:02, James Masson wrote: > >>> > >>>Hi, > >>> > >>>we're building IPAs in an automated fashion, for

[Freeipa-users] IPA server failover

I've got all of my environments setup with two IPA servers. I'm fighting intermittent problems with krb5kdc crashing on them in all of my environments and I've opened a ticket with Redhat on that. What I can't figure out though is why the clients will not fail over to the second functioning

Re: [Freeipa-users] IPA server failover

On Wed, 23 Sep 2015, Andy Thompson wrote: I've got all of my environments setup with two IPA servers. I'm fighting intermittent problems with krb5kdc crashing on them in all of my environments and I've opened a ticket with Redhat on that. What I can't figure out though is why the clients will

Re: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

On Wed, 23 Sep 2015, Brian J. Murrell wrote: I've put a kerberos principle into a keytab: # klist -k asterisk.keytab Keytab name: FILE:asterisk.keytab KVNO Principal -- 8 aster...@example.com using: # ipa-getkeytab