Re: [Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-06 Thread Rob Crittenden
Joanna Delaporte wrote: I have successfully migrated some user password hashes from an NIS domain. I am wondering if there is a similar method for migrating group passwords. I haven't found any discussion or documentation on it. You do it the same way as users. Note that there are no IPA

Re: [Freeipa-users] k5login not working?

2016-07-06 Thread Jeffery Harrell
Oh wow, I see. I did some playing around with /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a minimum-change scenario and found that this: [plugins] localauth = { module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so # enable_only = sssd } seems to get me

[Freeipa-users] NFS automount - doesn't update UID/GID info on client after chown on nfs server

2016-07-06 Thread Joanna Delaporte
Hi there, I am still working on migrating my users from NIS to IPA. I have a lot of it working. However, the issue I am dealing with now is that NFS UID ownership on nfs/ipa-client machine is not updating when I change the owner's UID and update the files ownership on the NFS server. I refreshed

Re: [Freeipa-users] k5login not working?

2016-07-06 Thread Sumit Bose
On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote: > I must be missing something really obvious. > > Our IPA server is set up in the usual way on CentOS 7.2, just a “yum > install ipa-server” and then an “ipa-server-install.” DNS is set up > correctly and is working. > > I’ve got a

[Freeipa-users] k5login not working?

2016-07-06 Thread Jeffery Harrell
I must be missing something really obvious. Our IPA server is set up in the usual way on CentOS 7.2, just a “yum install ipa-server” and then an “ipa-server-install.” DNS is set up correctly and is working. I’ve got a handful of CentOS 7.2 servers configured as IPA clients — “yum install

Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Alexander Bokovoy
On Wed, 06 Jul 2016, Konstantin M. Khankin wrote: Yes, I had a look at the eventlog, but there are no failures and no events at all related to failed login. Maybe I can increase verbosity level somehow? Try to intercept network traffic between Windows XP and IPA master. May be it tries to use

Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Konstantin M. Khankin
Yes, I had a look at the eventlog, but there are no failures and no events at all related to failed login. Maybe I can increase verbosity level somehow? 2016-07-06 20:58 GMT+03:00 Alexander Bokovoy : > On Wed, 06 Jul 2016, Konstantin M. Khankin wrote: > >> Hi! >> >> I'm

Re: [Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Alexander Bokovoy
On Wed, 06 Jul 2016, Konstantin M. Khankin wrote: Hi! I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs: * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA *

[Freeipa-users] FreeIPA 4.2.0 and Windows XP

2016-07-06 Thread Konstantin M. Khankin
Hi! I'm trying to set up Windows XP to get a Kerberos ticket for the user on login using the following docs: * http://www.freeipa.org/page/Windows_authentication_against_FreeIPA * http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step * Discussion

[Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-06 Thread Joanna Delaporte
I have successfully migrated some user password hashes from an NIS domain. I am wondering if there is a similar method for migrating group passwords. I haven't found any discussion or documentation on it. Thanks! Joanna -- Joanna Delaporte Linux Systems Administrator | Parkland College

[Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-06 Thread Prashant Bapat
Hi, We are using FreeIPA's LDAP as the base for user authentication in a different application. So far I have created a sysaccount which does the lookup etc for a user and things are working as expected. I'm even able to use OTP from the external app. One problem I'm struggling to fix is the

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Danila Ladner
Yeah, please enable logging in [sudo] section of sssd. On Wed, Jul 6, 2016 at 11:03 AM, Jakub Hrozek wrote: > On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote: > > Hi Danila and other freeipa gurus, > > sorry for my late answer, there is a bank holiday in CZ and

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Jakub Hrozek
On Wed, Jul 06, 2016 at 03:22:34PM +0200, Tomas Simecek wrote: > Hi Danila and other freeipa gurus, > sorry for my late answer, there is a bank holiday in CZ and I am off work > these two days. > Yes, /etc/nsswitch.conf is fine, see: > > [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo >

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi
Hi Rob, Hi, is it possible that ipa-server-certinstall couldn't handle private keys without password ? You can file an RFE at https://fedorahosted.org/freeipa/newticket It seems that ipa-server-certinstall couldn't handle private keys with password, too. See my result below. I would test

[Freeipa-users] dns zone forward - no valid signature found

2016-07-06 Thread lejeczek
hi everybody I think this was working some time ago, but for a while queries IPA's DNS forwards wound up like this: validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS) error (broken trust chain)

Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Tomas Simecek
Hi Danila and other freeipa gurus, sorry for my late answer, there is a bank holiday in CZ and I am off work these two days. Yes, /etc/nsswitch.conf is fine, see: [root@spcss-2t-www ~]# cat /etc/nsswitch.conf |grep sudo sudoers: files sss I think it is set up as part of freeipa-client package. I

Re: [Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread lejeczek
On 06/07/16 13:57, Rob Crittenden wrote: lejeczek wrote: hi users, I'd like to ask if it possible to add (after deployment is finished) an AltSubjectName to fIPA master? I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Rob Crittenden
Neal Harrington | i-Neda Ltd wrote: Hi Rob, Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Rob Crittenden
Andreas Ladanyi wrote: Hi, is it possible that ipa-server-certinstall couldn't handle private keys without password ? You can file an RFE at https://fedorahosted.org/freeipa/newticket I would test it with a self-signed certificate and test private key file secured with password, but I don't

Re: [Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread Rob Crittenden
lejeczek wrote: hi users, I'd like to ask if it possible to add (after deployment is finished) an AltSubjectName to fIPA master? I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable. I shall say what

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED)

2016-07-06 Thread Bjarne Blichfeldt
The solution was to add the root certificate to tomcat: /var/lib/pki/pki-tomcat/alias/ Now everything seems to work. Regards Bjarne From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt Sent: 23. juni 2016 13:40 To:

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Neal Harrington | i-Neda Ltd
Hi Rob, Thank you very much for your message. Unfortunately/fortunately after rebooting or restarting the ssh server this morning it is all working as I would expect. I'm not sure what I was missing yesterday but suspect a combination of sssd caching may have been confusing me as I'm sure I'd

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi
Hi, is it possible that ipa-server-certinstall couldn't handle private keys without password ? I would test it with a self-signed certificate and test private key file secured with password, but I don't know what happens after entering a valid private key unlock password. Could I stop the

Re: [Freeipa-users] how to make fIPA stick to only...

2016-07-06 Thread lejeczek
On 05/07/16 18:20, Rob Crittenden wrote: Alexander Bokovoy wrote: On Mon, 04 Jul 2016, lejeczek wrote: On 04/07/16 07:59, Petr Spacek wrote: On 1.7.2016 16:29, lejeczek wrote: On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ?

[Freeipa-users] ipa server(master) and alternative name

2016-07-06 Thread lejeczek
hi users, I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to fIPA master? I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, A record that will be resolving to three servers' IPs. Like eg. ipa-ca which seems

[Freeipa-users] +dnssec in vendor repos - when?

2016-07-06 Thread lejeczek
seems like official repos, CentOS at least lags a bit behind, currently it's 4.2.0 - question - does this support fully secure DNS ? if not would devel know when we might be able to feed new/latest stable off the official repos? many thanks, L

Re: [Freeipa-users] AD PDC change

2016-07-06 Thread Alexander Bokovoy
On Wed, 06 Jul 2016, Lachlan Musicman wrote: Can I just confirm - the IT team are about to migrate our PDC across town. I presume that the trust relationship is with the domain, not the actual machine itself. So our IPA server will just see the new PDC and everything will be smooth? No need to

[Freeipa-users] AD PDC change

2016-07-06 Thread Lachlan Musicman
Can I just confirm - the IT team are about to migrate our PDC across town. I presume that the trust relationship is with the domain, not the actual machine itself. So our IPA server will just see the new PDC and everything will be smooth? No need to change any config or create a new trust?