Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Filip Pytloun
Thank you, this information helped. I have found related bugs: FreeIPA: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786411 OpenLDAP switch to NSS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725153 389ds ticket: https://fedorahosted.org/389/ticket/47536 It doesn't seem there's some

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Jakub, I am very interested in your standalone HBAC PAM module if you think it would apply in this situation. I would be happy to test it out if helpful. Thanks again for your help, Warren Birnbaum ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Jakub, We want to use password stored in AD and get a yes/no from the AD side. My understanding (which is very limited) is that if we use the IPA authentication then it resides in the local kerberos database. Is that not correct? If I am completely off, how would I setup type of authentication

Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Martin Babinsky
On 02/15/2016 04:41 PM, Sumit Bose wrote: On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote: Hi guys I've just installed a RHEL7 server with ipa-server 4.2.0... Everything seems to work fine, until I add a service principal: (Running on a client, after a kinit) [root@dantooine ~]#

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote: > Jakub, > > We want to use password stored in AD and get a yes/no from the AD side. OK, I see. Yes, with IPA provider you would authenticate the IPA user against the IPA KDC. > My understanding (which is very limited) is

Re: [Freeipa-users] Disable IPA Web UI auto-login

2016-02-15 Thread Petr Vobornik
Hello, On 02/15/2016 02:12 PM, Wanderley Mayhé wrote: Hello Rob Regarding the thread https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA Web UI was still trying to auto-login user through a browser

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 06:59:57PM +0530, Rakesh Rajasekharan wrote: > this is what I have in /var/log/secure > > Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser > Feb 15 12:22:33 ipa-xyz

Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Sumit Bose
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote: > Hi guys > > I've just installed a RHEL7 server with ipa-server 4.2.0... > > Everything seems to work fine, until I add a service principal: > > (Running on a client, after a kinit) > > [root@dantooine ~]# ipa-getkeytab -s

[Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Martin Juhl
Hi guys I've just installed a RHEL7 server with ipa-server 4.2.0... Everything seems to work fine, until I add a service principal: (Running on a client, after a kinit) [root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim@outerrim.lan -k /etc/krb5.keytab Keytab

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote: > Hi Jakub, > > Thanks but I have sudo working OK. I'm sorry, my fault.. > What I am trying to make work is HBAC. > That I can't get to work with the proxy hack. Is there a way to do that? I haven't tested that use-case,

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Rob Crittenden
Filip Pytloun wrote: > I am using Ubuntu 16.04 (Xenial), there's no /etc/openldap That's the problem right there. I don't believe Ubuntu supports setting up replication agreements yet due to gnutls vs NSS issues. An effort is being made upstream to eliminate the need for TLS during agreement

[Freeipa-users] SOLUTION to Failed replica install with /32 netmask

2016-02-15 Thread Aaron Estrada
I tried creating a FreeIPA replica in GCE. GCE is a little weird in that it's DHCP assigns a /32 netmask to VMs. There does not seem to be any way to disable that specific behavior in GCE since as a user you have no control of the DHCP server. As a user you can create your own networks but it

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-15 Thread Jan Pazdziora
On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote: > On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora > wrote: > > > > The goal is to run the > > > docker container such that when the user calls docker run, > > > > Is any user allowed to run docker run? That seems

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-15 Thread Rakesh Rajasekharan
this is what I have in /var/log/secure Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
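The two /var/log/secure lines above show the pattern that matters when debugging an SSSD/IPA login: for a centrally managed user, pam_unix is expected to fail (there is no local password), so the pam_sss failure in the same sshd session is the one to chase. The following parser is an added example, not code from the thread or from the FreeIPA/SSSD projects; the log lines it runs on are constructed, modelled on the two quoted entries (host, PID, rhost and user names are placeholders), and it groups PAM failures per sshd PID so that the pam_unix noise does not hide, or double-count, the SSSD rejection.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the two /var/log/secure lines quoted in the
# thread; the later lines (a pam_sss status line, a second session from a
# different rhost, and a successful login) are assumptions added for the example.
SAMPLE_SECURE_LOG = """\
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:35 ipa-xyz sshd[13499]: pam_sss(sshd:auth): received for user tempuser: 4 (System error)
Feb 15 12:22:40 ipa-xyz sshd[13520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=admin
Feb 15 12:22:41 ipa-xyz sshd[13520]: Accepted password for admin from 10.0.0.7 port 51234 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Linux-PAM failure line: "pam_<mod>(<service>:<stack>): authentication failure; k=v ..."
PAM_FAIL_RE = re.compile(
    r"^(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<stack>\w+)\): "
    r"authentication failure;(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_pam_failures(log_text):
    """Return one dict per PAM 'authentication failure' line in the log text."""
    failures = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pm = PAM_FAIL_RE.match(m.group("msg"))
        if not pm:
            continue
        fields = dict(FIELD_RE.findall(pm.group("fields")))
        failures.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "module": pm.group("module"),
            "service": pm.group("service"),
            "rhost": fields.get("rhost", ""),
            "user": fields.get("user", ""),
        })
    return failures


def modules_per_session(failures):
    """Group the failing PAM modules by (host, pid): one sshd pid is one login attempt."""
    sessions = defaultdict(set)
    for f in failures:
        sessions[(f["host"], f["pid"])].add(f["module"])
    return sessions


def sssd_rejections(failures):
    """Sessions in which pam_sss itself reported a failure.

    A pam_unix failure alone is normal for an IPA user (no local password);
    a pam_sss failure in the same session means SSSD or the IPA server
    rejected the login and is what to look up in the sssd logs.
    """
    return sorted(
        sess for sess, mods in modules_per_session(failures).items()
        if "pam_sss" in mods
    )


def failures_by_source(failures):
    """Count failed attempts per (rhost, user), counting each session once.

    pam_unix and pam_sss failing for the same pid are one attempt, not two,
    so naive per-line counting would double every IPA user's failures.
    """
    seen = set()
    counts = Counter()
    for f in failures:
        key = (f["host"], f["pid"])
        if key in seen:
            continue
        seen.add(key)
        counts[(f["rhost"], f["user"])] += 1
    return counts


if __name__ == "__main__":
    fails = parse_pam_failures(SAMPLE_SECURE_LOG)
    print("sessions rejected by SSSD:", sssd_rejections(fails))
    print("attempts per (rhost, user):", dict(failures_by_source(fails)))
```

Run it against a real file with `parse_pam_failures(open("/var/log/secure").read())`; on the sample it reports only PID 13499 (the tempuser attempt from x.x.x.x) as an SSSD rejection, while PID 13520 shows the harmless pam_unix-then-success sequence of a centrally managed account.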

[Freeipa-users] Disable IPA Web UI auto-login

2016-02-15 Thread Wanderley Mayhé
Hello Rob Regarding the thread https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA Web UI was still trying to auto-login user through a browser dialog. In order to effectively disable this browser

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-02-15 Thread Petr Spacek
On 26.1.2016 13:18, Zeal Vora wrote: > Thanks David. > > Generally for Operating systems like Amazon Linux etc which does not have a > IPA-Client, we generally use SSSD to get things working. > > In such cases, what would be optimal way to configure the SRV records as > --domain parameter won't

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Alexander Bokovoy
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote: Alexander, Thanks for letting me know this. Is it true then that my only option is to have the IPA AD trust to achieve AD authentication (proxy style), HBAC and sudo? I'm not sure using 'proxy' term is actually helpful here. IPA does not work

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Lukas Slebodnik
On (15/02/16 11:45), Birnbaum, Warren (ETW) wrote: >Thanks Lukas. > >Unfortunately setting up a IPA Ad Trust is something not possible within >our organization. Is it then fair to say that waiting for Ticket #4623 is >our only option? https://fedorahosted.org/freeipa/ticket/4634 > As I wrote

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Alexander, Thanks for letting me know this. Is it true then that my only option is to have the IPA AD trust to achieve AD authentication (proxy style), HBAC and sudo? Thanks ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn.

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Alexander Bokovoy
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote: Thanks Lukas. Unfortunately setting up a IPA Ad Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634 This ticket is not

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Thanks Lukas. Unfortunately setting up a IPA Ad Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634 Thanks, Warren ___ Warren Birnbaum : Infrastructure

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Lukas Slebodnik
On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote: >Hello, > >I would like to get freeipa to work with a proxy solution ( I currently have >this working with an active directory/no trust authentication and sudo but no >HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a

Re: [Freeipa-users] BIND apparently not loading ldap.so

2016-02-15 Thread Petr Spacek
On 12.2.2016 20:49, Chris Lajoie wrote: > On 02/12/2016 12:53 AM, Petr Spacek wrote: >> On 11.2.2016 19:32, Chris Lajoie wrote: >>> On 02/11/2016 02:46 AM, Petr Spacek wrote: What version of BIND and bind-dyndb-ldap packages are you using? $ rpm -q bind bind-dyndb-ldap >>>

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Hi Jakub, Thanks but I have sudo working OK. What I am trying to make work is HBAC. That I can't get to work with the proxy hack. Is there a way to do that? Thanks, Warren ___ Warren Birnbaum : Infrastructure Services Digital Linux Infrastructure Services Europe CDT Techn.

Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote: > Hello, > > I would like to get freeipa to work with a proxy solution ( I currently have > this working with an active directory/no trust authentication and sudo but no > HBAC) including HBAC. I can get sudo to work but

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Filip Pytloun
I am using Ubuntu 16.04 (Xenial), there's no /etc/openldap Here's complete debug log of replica install: http://pastebin.com/38zi5MWd Now I noticed following, don't know if it can directly relate to this issue: ipa : DEBUG stderr=ldap_initialize( ldap://idm02.tcpcloud.eu:389/??base

Re: [Freeipa-users] Connection closed by UNKNOWN

2016-02-15 Thread Jakub Hrozek
On Mon, Feb 15, 2016 at 10:24:23AM +0530, Rakesh Rajasekharan wrote: > hbac seems to be fine > > > ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd > > Access granted: True > > Matched rules: allow_all > > > I see this in the sssd.log > >

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Ludwig Krispenz
On 02/12/2016 06:22 PM, Filip Pytloun wrote: Following is in /etc/ldap/ldap.conf on both servers (only URI differs): what is your OS, do you also have a /etc/openldap/ldap.conf ldapsearch and the replication connection should use the same openldap libraries and so it is strange that -ZZ

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-15 Thread Sumit Bose
On Mon, Feb 15, 2016 at 11:10:41AM +0200, Alexander Bokovoy wrote: > On Mon, 15 Feb 2016, Sumit Bose wrote: > >On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote: > >>On Fri, 12 Feb 2016, Jakub Hrozek wrote: > >>>On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote: >

[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC

2016-02-15 Thread Birnbaum, Warren (ETW)
Hello, I would like to get freeipa to work with a proxy solution ( I currently have this working with an active directory/no trust authentication and sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a ticket for this as a new enhancement #4634 but wanted

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-15 Thread Alexander Bokovoy
On Mon, 15 Feb 2016, Sumit Bose wrote: On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote: On Fri, 12 Feb 2016, Jakub Hrozek wrote: >On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote: >>On Fri, 12 Feb 2016, w...@dds.nl wrote: >>>Hi all, >>> >>>Yes, you can filter

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-15 Thread Sumit Bose
On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote: > On Fri, 12 Feb 2016, Jakub Hrozek wrote: > >On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote: > >>On Fri, 12 Feb 2016, w...@dds.nl wrote: > >>>Hi all, > >>> > >>>Yes, you can filter out certain SIDs--> I tried,