Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-07 Thread Jakub Hrozek
On Tue, Jun 07, 2016 at 08:21:21PM +, Nathan Peters wrote: > I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on > Fedora 23. > > When I try to sudo on this host, it fails. Here are the log entries from > /var/log/secure. Note that we have several hundred CentOS

[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-07 Thread Nathan Peters
I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23. When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine. Is this a new bug in CentOS

Re: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query

2016-06-07 Thread Rob Crittenden
Nathan Peters wrote: I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0 servers. The rest work fine. This server also tends to crash quite a bit and the others do not. What crashes? Any tips on what I should be looking for or how to fix that? I'd look in the

[Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query

2016-06-07 Thread Nathan Peters
I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0 servers. The rest work fine. This server also tends to crash quite a bit and the others do not. Any tips on what I should be looking for or how to fix that? Some operations failed. Hide

Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-06-07 Thread Rob Crittenden
lejeczek wrote: On 25/05/16 14:19, Rob Crittenden wrote: lejeczek wrote: hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca installer fails at: [10/23]: importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain:

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-06-07 Thread Rob Crittenden
Kay Zhou Y wrote: Hi Rob, Actually the certmonger service failed after restarting it, but without it being active the two 389-ds and apache certs could be renewed as well.. it's weird.. root@ecnshlx3039-test2(SH):~ #systemctl status certmonger certmonger.service - Certificate monitoring and PKI

Re: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

2016-06-07 Thread Konstantin M. Khankin
Thanks a ton Alexander, this permission fixed everything :) 2016-06-07 17:08 GMT+03:00 Alexander Bokovoy : > On Tue, 07 Jun 2016, Konstantin M. Khankin wrote: > >> Hi Alexander! >> >> Here's the config (mostly auto-generated by ipa-client-install): >> >>

[Freeipa-users] replication - ruv errors

2016-06-07 Thread Andy Brittingham
Hello, I'm having issues with freeipa replication. Currently we have 4 Freeipa servers, in a master - master relationship with replication agreements between all servers. I noticed the replication failure messages in the logs late last week and upon investigation found stale replication

[Freeipa-users] AD one-way trust error ---

2016-06-07 Thread Jeffrey Stormshak
Greetings all … I’m trying to pinpoint a problem when creating the AD trust using the following command below. The error message and related details provided below. There is a Bugzilla on it, however, I cannot locate any updated versions from RHEL/Oracle Linux channels. That gives me the

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-07 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: This advice has gotten me much further, thanks. We didn't have an HBAC rule for admin and, now with it in place, connection checks and other commands appear to be working that haven't worked before. I'm still getting caught on the CA portion of the replica

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-07 Thread Rob Crittenden
Bret Wortman wrote: On 06/03/2016 01:04 PM, Rob Crittenden wrote: Bret Wortman wrote: On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
No, HOTP doesn't work either... On 07-06-16 at 17:09 Prashant Bapat wrote: Do HOTP tokens work fine? On 7 June 2016 at 20:37, Winfried de Heiden wrote:

[Freeipa-users] How to get FreeIPA feature requests ack'd?

2016-06-07 Thread Cal Sawyer
Hello. The RH Bugzilla is pretty much unnavigable by anyone who doesn't know the magic words, so I'm asking here. Apologies in advance if misdirected. The Web UI has a couple of fairly annoying (sorry) deficiencies: - unable to sort on columns, e.g. in DNS Zones, the sort is on hostname,

[Freeipa-users] IPA to supply radius with a special user name - how?

2016-06-07 Thread lejeczek
Hi users, some network devices need and look up a special type of user; in my case it's a Dell PowerConnect switch which, when it uses RADIUS, needs e.g. $enable5$. Is this something that IPA will be OK with? Will it have no problems if I create such a user? I don't suppose IPA has full support

Re: [Freeipa-users] DNA Ranges

2016-06-07 Thread Rob Crittenden
Michael Rainey (Contractor) wrote: Greetings Community, I have a question about restoring the DNA Ranges on my IPA servers. A couple of weeks ago I took down one of my servers which involved a few issues I had created for myself, but luckily I managed to recover. Today I noticed that the DNA

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
Do HOTP tokens work fine? On 7 June 2016 at 20:37, Winfried de Heiden wrote: > Hi all, > > > Yes I check that one also. The IPA-server is running ntp and is in sync. > The FreeOTP app is running on my phone which is synced by network, all > looks fine > > > Forgot to mention;

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
Hi all, Yes I check that one also. The IPA-server is running ntp and is in sync. The FreeOTP app is running on my phone which is synced by network, all looks fine. Forgot to mention; this IPA-server is running on Fedora ARM on a

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-07 Thread Anthony Clark
Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to do this: AuthType GSSAPI AuthName "Kerberos Login" GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Prashant Bapat
If this is TOTP (time based) you want to double check the time is properly set in both the server (NTP) and the device that is generating the OTP tokens. I have had issues with this with my users a couple of times. On 7 June 2016 at 19:43, Alexander Bokovoy wrote: > On

Re: [Freeipa-users] question about automount config

2016-06-07 Thread Prasun Gera
From your errors, it looks like sssd is not able to find the autofs entries. In order to confirm that, you can add the autofs mapping manually to your config file (under /etc/auto.* depending on your config), and test if that works. If you can get that to work, the problem lies in freeipa/sssd

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Alexander Bokovoy
On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all, I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result. Ok. Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH:

Re: [Freeipa-users] Replica without CA: implications?

2016-06-07 Thread Cal Sawyer
For the benefit, or added confusion, of future generations, some observations ipa-ca-install, run successful replica instantiation w/o --setup-ca fails consistently with the errors in my orig post. Never figured out what the script was finding that needed purging. After a multitude of

Re: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

2016-06-07 Thread Alexander Bokovoy
On Tue, 07 Jun 2016, Konstantin M. Khankin wrote: Hi Alexander! Here's the config (mostly auto-generated by ipa-client-install): - [domain/gsk.loc]

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-07 Thread Anthony Clark
One thing I noticed was that once I had set up the proxy as per the document from Jan, I was getting access denied to /ipa until I disabled the Kerberos authentication stuff: # Protect /ipa and everything below it in webspace with Apache Kerberos auth # AuthType GSSAPI # AuthName "Kerberos

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
Hi all, I tried the FreeIPA webUI, ssh and "su - otpuser", all with the same result. Winny On 07-06-16 at 15:02 Alexander Bokovoy wrote: On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all, I am

Re: [Freeipa-users] FreeIPA 4.2 on CentOS 7.2 restricts an access to krb* attributes

2016-06-07 Thread Konstantin M. Khankin
Hi Alexander! Here's the config (mostly auto-generated by ipa-client-install): - [domain/gsk.loc] cache_credentials = True krb5_store_password_if_offline = True

Re: [Freeipa-users] question about automount config

2016-06-07 Thread Arthur Fayzullin
I have done like You said. Here is output: [root@nfsclient ~]# automount -vvvf 1 Starting automounter version 5.1.1-3.fc23, master map auto.master 2 using kernel protocol version 5.02 3 mounted indirect on /misc with timeout 300, freq 75 seconds 4 mounted indirect on /net with timeout 300,

Re: [Freeipa-users] FreeOTP

2016-06-07 Thread Alexander Bokovoy
On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all, I am trying to set up FreeIPA with OTP using the FreeOTP app. All looks fine, adding the user to the FreeOTP app also works fine. The user looks like: ipa user-show otpuser   User login: otpuser   First name: otp   Last name: user   Home

[Freeipa-users] FreeOTP

2016-06-07 Thread Winfried de Heiden
Hi all, I am trying to set up FreeIPA with OTP using the FreeOTP app. All looks fine, adding the user to the FreeOTP app also works fine. The user looks like: ipa user-show otpuser   User login: otpuser   First name: otp   Last

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-07 Thread Bret Wortman
On 06/03/2016 01:04 PM, Rob Crittenden wrote: Bret Wortman wrote: On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would