Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Gould, Joshua
On 3/18/15, 3:55 AM, Sumit Bose sb...@redhat.com wrote: On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: On Tue, 17 Mar 2015, Gould, Joshua wrote: /etc/sssd/sssd.conf: [domain/test.osuwmc

Re: [Freeipa-users] IPA Trusts

2015-03-16 Thread Gould, Joshua
FWIW, we have IPA working with AD managed DNS. As Alexander mentioned, you'll need to have DNS properly configured. What I've found is the most critical is having the SRV records properly defined for the AD domain and the IPA domains. I kind of wish the docs were a bit clearer on which of the SRV

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Gould, Joshua
On 3/18/15, 9:48 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Gould, Joshua wrote: On 3/18/15, 4:28 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Gould, Joshua wrote: I'll be happy to remove the AD section from the sssd.conf file and test

[Freeipa-users] sssd options ignored?

2015-03-17 Thread Gould, Joshua
I’ve been getting messages like these when I try the id command for a test AD domain user: (Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_primary_name] (0x0400): Processing object farus@test.osuwmc (Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]

Re: [Freeipa-users] sssd options ignored?

2015-03-17 Thread Gould, Joshua
Directory domain range /etc/sssd/sssd.conf: [domain/test.osuwmc] ldap_idmap_range_min = 10 ldap_idmap_range_size = 90 From: Gould, Joshua Gould joshua.go...@osumc.edu Date: Tuesday, March 17, 2015 at 6:08 PM To: freeipa-users@redhat.com freeipa-users@redhat.com Subject: [Freeipa

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Gould, Joshua
David, I had a very similar issue which I posted to the list today. Your notes indirectly helped me. I think we both had two ends to the same puzzle. It looks like the range for your AD domain defined in “ipa idrange-find --all” needs to match what's in for your domain in /etc/sssd/sssd.conf. For

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Gould, Joshua
60170 ssh2 Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:session): session opened for user gould by (uid=0) On 3/20/15, 4:18 AM, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote: Thank you! You're welcome, please try these builds

[Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Gould, Joshua
We're trying to set up IPA with it acting as an intermediate CA against our test Active Directory environment. The first part goes well: # ipa-server-install -a admin-pass --hostname=server.domain.com -n unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC --external-ca

Re: [Freeipa-users] ipa-server setup with external CA fails

2015-03-11 Thread Gould, Joshua
We're trying to set up RHEL7 with the latest updates. Our ipa-server shows ipa-server-4.1.0-18.el7.x86_64. On 3/11/15, 12:39 PM, Dmitri Pal d...@redhat.com wrote: On 03/11/2015 11:13 AM, Gould, Joshua wrote: We're trying to set up IPA with it acting as an intermediate CA against our test Active

[Freeipa-users] New Trust - AD id's not resolving

2015-03-13 Thread Gould, Joshua
I followed the directions from https://access.redhat.com/solutions/1354543 pretty much to the letter. Everything was successful and seems to work well aside from the last step of trying to resolve an AD user with the ID command on an IPA client. [gould@mid-ipa-vp02 ~]$ id farus@test.osuwmc id:

[Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
SSO works intermittently. I’m having trouble tracing the issue. Here is what I see from /var/log/secure. Where should I look for more detail to figure out why the SSO login is failing? Mar 30 08:47:39 mid-ipa-vp01 sshd[9317]: Starting session: shell on pts/0 for root from 10.34.149.105 port

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
I configured the .k5login per the RH docs. $ cat .k5login adm-faru03@TEST.OSUWMC TEST.OSUWMC\adm-faru03 $ I upped the debugging to DEBUG3 but I can't make sense of the error. Can you help? I'm getting better but I can't get this one yet. Mar 30 09:57:20 mid-ipa-vp01 sshd[12793]: Connection

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
It's actually my IPA server which is also a client, so both are 7.1. My memory is fuzzy as far as the client on the server. Isn't it set up already as part of the server install? On 3/30/15, 10:45 AM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Mon, Mar 30, 2015 at 09:08:54AM -0400, Gould

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
uid=1398410(adm-faru03@test.osuwmc) gid=1398410(adm-faru03@test.osuwmc) groups=1398410(adm-faru03@test.osuwmc), 23368(citrix_users) # On 3/30/15, 10:55 AM, Jan Pazdziora jpazdzi...@redhat.com wrote: On Mon, Mar 30, 2015 at 10:50:11AM -0400, Gould, Joshua wrote: It's actually my IPA server

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
...@redhat.com wrote: On Mon, Mar 30, 2015 at 11:04:58AM -0400, Gould, Joshua wrote: We're trying SSO from the test domain controller via ssh (putty) to the test IPA server. Unix.test.osuwmc is the IPA realm. Test.osuwmc is the AD realm. IPA server is RHEL 7.1 Windows AD DC is Windows Server

Re: [Freeipa-users] Troubleshooting SSO

2015-03-30 Thread Gould, Joshua
On 3/30/15, 11:56 AM, Dmitri Pal d...@redhat.com wrote: # auth_to_local = RULE:[1:$1@$0](^.*@TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/ auth_to_local = RULE:[1:$1 $0](^ * TEST.OSUWMC$)s/@TEST.OSUWMC/@test.osuwmc/ If you use the plugin then this RULE should not be needed. Have you tried

Re: [Freeipa-users] Troubleshooting SSO

2015-03-31 Thread Gould, Joshua
, 10:02 AM, Gould, Joshua joshua.go...@osumc.edu wrote: Klist in Windows showed one ticket for the IPA domain. #0Client: adm-faru03 @ test.osuwmc Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a4

Re: [Freeipa-users] Troubleshooting SSO

2015-03-31 Thread Gould, Joshua
Klist in Windows showed one ticket for the IPA domain. #0 Client: adm-faru03 @ test.osuwmc Server: krbtgt/UNIX.TEST.OSUWMC @ TEST.OSUWMC KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a4 - forwardable renewable pre_authent ok_as_delegate

[Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-19 Thread Gould, Joshua
I'm seeing ssh logins for AD users take MUCH longer when using SID mapping vs. POSIX attributes. Both myself and our AD admin would prefer to use SID mapping. It appears tied to the group lookup at login. There seem to be many posts about it, but I haven't found anything to help much. sssd pegs

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-19 Thread Gould, Joshua
-58.el7.x86_64 sssd-common-pac-1.12.2-58.el7.x86_64 sssd-proxy-1.12.2-58.el7.x86_64 On 3/19/15, 11:23 AM, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 11:05:45AM -0400, Gould, Joshua wrote: I'm seeing ssh logins for AD users take MUCH longer when using SID mapping vs. POSIX

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-19 Thread Gould, Joshua
You are correct. 7.1. Sent with Good (www.good.com) -Original Message- From: Jakub Hrozek [jhro...@redhat.com] Sent: Thursday, March 19, 2015 11:37 AM Eastern Standard Time To: Gould, Joshua Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Really slow

[Freeipa-users] FreeIPA 4.1 on RHEL7/Power?

2015-04-14 Thread Gould, Joshua
We have the option to deploy our production IPA environment on either x86_64/VMWare or IBM Power. The RHEL7 IDM doc states that only x86_64 is supported.

[Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-12 Thread Gould, Joshua
We’re using IPA Server 4.1.0-18. We have a trust between IPA and AD with SID mapping. In our setup, AD would be example.com and IPA would be say ipa.example.com. I’m having some issues configuring both RHEL5 and AIX to work with the compat tree. In both cases, kerberos works with IPA and AD

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
:16 AM, Martin Kosek mko...@redhat.com wrote: On 05/12/2015 10:48 PM, Gould, Joshua wrote: Hopefully I'm missing something simple. For an IPA user: $ ldapsearch -x “(&(uid=ipa_user)(objectclass=posixAccount))” -b dc=ipa,dc=example,dc=com This returns a match. For an AD user: $ ldapsearch

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=example,dc=com]. On 5/12/15, 5:24 PM, Dmitri Pal d...@redhat.com wrote: On 05/12/2015 04:48 PM, Gould, Joshua wrote: Hopefully I'm missing something simple. For an IPA user: $ ldapsearch -x “(&(uid=ipa_user)(objectclass

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-12 Thread Gould, Joshua
Hopefully I'm missing something simple. For an IPA user: $ ldapsearch -x “(&(uid=ipa_user)(objectclass=posixAccount))” -b dc=ipa,dc=example,dc=com This returns a match. For an AD user: $ ldapsearch -x “(&(uid=ad_user)(objectclass=posixAccount))” -b cn=compat,dc=ipa,dc=example,dc=com Does not

Re: [Freeipa-users] Allow user or group to switch user without password and not becoming root

2015-05-12 Thread Gould, Joshua
For the NOPASSWD option, I found that using !authenticate in the sudo option is what IPA wants instead. $ ipa sudorule-add-option readfiles Sudo Option: !authenticate - Added option !authenticate to Sudo rule readfiles

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Gould, Joshua
Thank you. I had originally gone with the RH documentation. I followed the guide and was able to get my RHEL5 client working. AIX6 is closer to working as well. On 5/13/15, 9:31 AM, Alexander Bokovoy aboko...@redhat.com wrote: Have you actually read the definitive guide we have?

[Freeipa-users] LDAP bind failing on new IPA setup

2015-04-17 Thread Gould, Joshua
We set up our new IPA server (RHEL7) with a trust against our AD domain. The trust and ID range look right in IPA [root sssd]# ipa trust-show Realm name: example.com Realm name: EXAMPLE.COM Domain NetBIOS name: EXAMPLE Domain Security Identifier: S-1-5-21- Trust direction: Two-way trust

Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Gould, Joshua
On 4/13/15, 11:37 AM, Alexander Bokovoy aboko...@redhat.com wrote: Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users. ipa group-add

[Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-13 Thread Gould, Joshua
I’ve looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo The issue

Re: [Freeipa-users] Troubleshooting SSO

2015-04-07 Thread Gould, Joshua
On 4/6/15, 2:26 PM, Gould, Joshua joshua.go...@osumc.edu wrote: On 4/4/15, 9:57 AM, Sumit Bose sb...@redhat.com wrote: Really strange but SSO is working from the test Windows box to both the IPA server and client. No changes were made other than I added the linux client to the IPA domain