Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-27 Thread John Obaterspok
2016-06-27 11:05 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>: > On (26/06/16 20:37), John Obaterspok wrote: > >Hi, > > > >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName > >to work. > >F24 update brings back mod_nss to 1.0.12-4

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-26 Thread John Obaterspok
+02:00 John Obaterspok <john.obaters...@gmail.com>: > Thanks Rob! > > I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server > and it works like a charm. > > Thanks, > >john > > 2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
Thanks Rob! I rebuilt the mod_nss-1.0.14-1 version from rawhide for my F23 IPA server and it works like a charm. Thanks, john 2016-04-25 16:47 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: > John Obaterspok wrote: > >> >> 2016-02-11 1:34 GMT+01:00 Fraser Tweed

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-04-25 Thread John Obaterspok
2016-02-11 1:34 GMT+01:00 Fraser Tweedale <ftwee...@redhat.com>: > On Sun, Feb 07, 2016 at 12:05:19PM +0100, John Obaterspok wrote: > > 2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > > > > > John Obaterspok wrote: > > > > >

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-02-07 Thread John Obaterspok
2016-02-06 23:29 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > John Obaterspok wrote: > >> Hi, >> >> I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan >> >> I recently started to get nss error "SSL peer has no certificate fo

[Freeipa-users] nss unrecognized name alert with SAN name

2016-02-06 Thread John Obaterspok
Hi, I have a ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan. I recently started to get nss error "SSL peer has no certificate for the requested DNS name." when I'm accessing my https://gitserver.my.lan. Previously this worked fine if I had set "git config --global http.sslVerify

[Freeipa-users] Samba crashes with recent F23 update

2016-01-21 Thread John Obaterspok
Hello, I'm running F23 and now IPA fails to start due to crash in smb: -- Unit smb.service has begun starting up. jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:smbd_t:s0 pid=7037 comm="smbd" exe="/usr/sbin/smbd" sig=6 jan

Re: [Freeipa-users] Samba Authentication progres

2015-12-30 Thread John Obaterspok
Hi Matt, It already works fine to use kerberos ticket to access samba shares. -- john 2015-12-28 14:01 GMT+01:00 Matt . : > Hi guys, > > > How is the progress on the Samba (Share) Authentication for FreeIpa ? > > I hope we already have some work around to use the FreeIPA

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2015-12-22 Thread John Obaterspok
/15 07:57, Nicola Canepa wrote: > > Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the > opposite problem: kinit works fine, while I'm unable to see users with > Directory Admin (it always says it can't connect, either with or without > SSL) > I disabled anonymous se

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2015-12-20 Thread John Obaterspok
Hi Cal, Does a kinit work from a terminal? Does it work if you use "kinit user" or just if you use "kinit user@REALM.suffix" -- john 2015-12-20 15:09 GMT+01:00 Cal Sawyer : > Hi, all > > I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX > 10.10.5

Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-11 Thread John Obaterspok
ards, -- john 2015-11-08 23:55 GMT+01:00 Simo Sorce <s...@redhat.com>: > On 08/11/15 08:07, John Obaterspok wrote: > >> Hello, >> >> Anyone got git-http-backend working with freeipa group authentication and >> would like to share their apache .conf file?

[Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread John Obaterspok
Hello, Anyone got git-http-backend working with freeipa group authentication and would like to share their apache .conf file? I've tried this on the IPA server with a dummy git repository setup in /opt/gitrepos/test1.git gitserver.my.lan is a CNAME for ipaserver.my.lan First, "git clone

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-06 Thread John Obaterspok
2015-11-05 17:07 GMT+01:00 John Obaterspok <john.obaters...@gmail.com>: > > > 2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: > >> On Thu, 05 Nov 2015, John Obaterspok wrote: >> >>> Hi, >>> >>> I waited a coupl

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
Hi, I waited a couple of days and when "dnf list freeipa-server --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed too late that I received 4.2.2 during "dnf system-upgrade". Any ideas how to get it going again? Or is it easier to start from scratch if I only have ~ 10 IPA

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

2015-11-05 Thread John Obaterspok
2015-11-05 12:26 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: > On Thu, 05 Nov 2015, John Obaterspok wrote: > >> Hi, >> >> I waited a couple of days and when "dnf list freeipa-server >> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunat

Re: [Freeipa-users] IDM/ipa slow login

2015-08-13 Thread John Obaterspok
Hi Seli, In /etc/sssd/sssd.conf add below: selinux_provider=none to the domain section. Then restart sssd. -- john 2015-08-13 16:23 GMT+02:00 seli irithyl seli.irit...@gmail.com: Here's the sssd_domain log part during an ssh (Thu Aug 13 15:22:31 2015) [sssd[be[bioinf.local]]]

Re: [Freeipa-users] login delay with sssd

2015-06-02 Thread John Obaterspok
2015-06-02 12:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com: On Tue, Jun 02, 2015 at 10:28:29AM +0100, Ivars Strazdiņš wrote: Ar laipniem sveicieniem, Ivars Strazdiņš On 2. jūn. 2015, at 07:21, Lukas Slebodnik lsleb...@redhat.com wrote: How many groups does problematic user

[Freeipa-users] OSX login very slow

2015-05-25 Thread John Obaterspok
Hello, I'm using OSX 10.10.3 (Yosemite) and I've followed the Freeipa/OSX guide at linsec.ca. I can do the following with very fast response time: - id ipauser on osx host - klist/kdestroy/kinit a ticket - ssh via SSO to ipaserver with this ticket - ping osxhost osxhost.local from ipaserver -

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-11 Thread John Obaterspok
I have about the same setup: This is the setup (everything is up-to-date): - ipa-server: F21, ipa-server 4.1, samba 4.1 - win-client: Windows 7 Home Premium I tried to enroll the win-client in the domain but failed on the windows side due to home editions not being able to join a domain. But I

Re: [Freeipa-users] Ticket delegation

2015-04-24 Thread John Obaterspok
2015-04-24 17:47 GMT+02:00 Rob Crittenden rcrit...@redhat.com: John Obaterspok wrote: Hello, I'm on F21 and if I login to my workstation I can then sso using ssh to host X. But then I'm also able to sso from x - y. If I'm on x and issue klist I see this: klist: No credentials cache

Re: [Freeipa-users] Slow user logon with IPA

2015-04-20 Thread John Obaterspok
2015-04-15 15:08 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com: On (15/04/15 08:53), Jakub Hrozek wrote: I pushed the selinux performance patches upstream yesterday. They will make their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for Fedora. Packages for fedora 21,22

Re: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)

2015-04-05 Thread John Obaterspok
Hi Dan, I had a problem that login time increased by ~ 15 seconds from F20 - F21. That was worked around by adding selinux_provider = none to the domain section in /etc/sssd/sssd.conf Have you checked that dns lookups + reverse lookups work on the ipa server? Is id -G the_user_name and is the

Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread John Obaterspok
Hi Jan, See: https://www.redhat.com/archives/freeipa-users/2015-February/msg00131.html https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html -- john 2015-03-24 17:58 GMT+01:00 Jan Pazdziora jpazdzi...@redhat.com: Hello, after enabling

Re: [Freeipa-users] F21 update fails to start dirsrv due to missing libdes

2015-02-27 Thread John Obaterspok
in the dse.ldif should be changed. There have been cases where the postinstall scripts were not properly executed. Could you stop your DS and run: setup-ds.pl --update if it still is not corrected, try setup-ds.pl -ddd --update On 02/27/2015 01:07 PM, John Obaterspok wrote: Hello, Anyone

[Freeipa-users] F21 update fails to start dirsrv due to missing libdes

2015-02-27 Thread John Obaterspok
Hello, Anyone seen this after updating to 389-ds-base-1.3.3.8-1.fc21.x86_64 Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libdes-plugin.so: cannot open shared object file: No such file or directory Could not open library /usr/lib64/dirsrv/plugins/libdes-plugin.so for plugin

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-14 Thread John Obaterspok
2015-01-12 10:13 GMT+01:00 Alexander Bokovoy aboko...@redhat.com: On Mon, 12 Jan 2015, John Obaterspok wrote: 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com: On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-12 Thread John Obaterspok
2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com: On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote: 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com: To get the whole root environment you have to run su - root did you try

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-11 Thread John Obaterspok
2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com: To get the whole root environment you have to run su - root did you try with it? ahh... that works fine Gianluca! Final question, if I have a file on the share like: [john@ipaserver mountpoint]$ ll test.txt

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com: On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok
2015-01-09 18:12 GMT+01:00 Alexander Bokovoy aboko...@redhat.com So if you have all these configs right, can you add --verbose to mount.cifs arguments _before_ -o options? mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 and you can enable debugging before mounting in

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-09 Thread John Obaterspok
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com: On Thu, 08 Jan 2015, John Obaterspok wrote: Hello, I've tried to do the following on the client (and also on the ipaserver itself) where I want to the the ipaserver share mounted. [root@ipaserver mnt]# mount -t cifs

[Freeipa-users] Mount cifs share using kerberos

2015-01-08 Thread John Obaterspok
Hello, I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain I've tried: mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5 Shouldn't I be able to do the mount this way? -- john

Re: [Freeipa-users] Problem starting IPA after reboot

2015-01-08 Thread John Obaterspok
okay, I see. the below line caused a *new* keytab to be created and caused smb from starting. 1) ipa-getkeytab -s ipaserver -p cifs/ipaserver.my.lan -k /etc/krb5.keytab I've fixed this and now ipa starts fine again. 2015-01-08 20:31 GMT+01:00 John Obaterspok john.obaters...@gmail.com: Hello

Re: [Freeipa-users] Mount cifs share using kerberos

2015-01-08 Thread John Obaterspok
) manual page (e.g. man mount.cifs) (root has an admin ticket acquired) Any hints for a newbie? -- john 2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com: On Thu, 8 Jan 2015 10:01:50 +0100 John Obaterspok john.obaters...@gmail.com wrote: Hello, I have a samba share on the freeipa 4.1

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-11-02 Thread John Obaterspok
: El mié, 29-10-2014 a las 21:40 +0100, John Obaterspok escribió: Hello, I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are: - I got the default workgroup set (MY or something) - No FILE:/ prefix for keytab file I had

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-11-02 Thread John Obaterspok
2014-11-02 21:51 GMT+01:00 Loris Santamaria lo...@lgs.com.ve: El dom, 02-11-2014 a las 19:54 +0100, John Obaterspok escribió: I have still not been able to logon to Win7 PC with my IPA user. Currently I get No mapping between account names and security IDs was done when I try to login

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello, I might be interested in this as well. Does this mean it would be possible for a windows client to access samba FS through IPA provided credentials? Currently my Windows PC gets IPA ticket (through MIT kerberos application) and can use this ticket to login to Linux server via putty. I

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello, I've tried this as well. My IPA is not connected to an AD. My smb.conf looks almost the same. The differences are: - I got the default workgroup set (MY or something) - No FILE:/ prefix for keytab file I had the samba and ipserver on the same box so I just had to add the cifs server and

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com: On 26/10/14 21:39, John Obaterspok wrote: Hi, I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1. The yum update reported just a single error: Could not load host key: /etc/ssh/ssh_host_dsa_key

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
:35 softhsm_pin Any ideas? -- john 2014-10-27 19:05 GMT+01:00 Martin Basti mba...@redhat.com: On 27/10/14 18:53, John Obaterspok wrote: 2014-10-27 12:19 GMT+01:00 Martin Basti mba...@redhat.com: On 26/10/14 21:39, John Obaterspok wrote: Hi, I enabled mkosek-freeipa repo for F20

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
:09 GMT+01:00 Martin Basti mba...@redhat.com: On 27/10/14 19:57, John Obaterspok wrote: Hello Martin, Still no go. I installed the softhsm-devel package (that only contains header files), removed the token directory, reinstalled the bind bind-pkcs11, did ipa-dns-install that completed

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
Martin Basti mba...@redhat.com: On 27/10/14 20:34, John Obaterspok wrote: hmm... Could not connect to the Directory Server So I started it with start-dirsrv since systemctl start ipa failed. Then it was a breeze, ipa-dns-install worked fine. # systemctl --failed 0 loaded units listed. I'm

Re: [Freeipa-users] dns stops working after upgrade

2014-10-26 Thread John Obaterspok
Hello Rob, Did systemd report any failed services? (systemctl --failed) -- john 2014-10-25 16:40 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com: Hello all, I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main dns server. I've tried the upgrade to 4.1 using the copr

[Freeipa-users] F20 Problem upgrading to 4.1

2014-10-26 Thread John Obaterspok
Hi, I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1. The yum update reported just a single error: Could not load host key: /etc/ssh/ssh_host_dsa_key After reboot I had 3 services that failed to start: ipa, kadmin, named-pkcs11 Doing strace -f named-pkcs11 -u

[Freeipa-users] DogTag memory usage. Alternatives?

2014-04-07 Thread John Obaterspok
Hello, I'm using FreeIPA for my home network and it works really great. FreeIPA is running on NAS server where hw isn't latest greatest. I've noticed the dogtag java/tomcat process is using up to 1 gig of RAM and the java process is usually in the top spot for powertop wakeups. Is it normal

Re: [Freeipa-users] kerberized vsftpd login problem

2014-03-27 Thread John Obaterspok
2014-03-23 19:45 GMT-04:00 Dmitri Pal d...@redhat.com 2014-03-23 9:01 GMT+01:00 John Obaterspok john.obaters...@gmail.com: Hello, How do I get vsftpd login to work with an existing ticket? I've added ftp as an identity service (ftp/ipaserver.my@my.lan) Is there anything else I

[Freeipa-users] kerberized vsftpd login problem

2014-03-23 Thread John Obaterspok
Hello, How do I get vsftpd login to work with an existing ticket? I've added ftp as an identity service (ftp/ipaserver.my@my.lan) Is there anything else I need to do to allow ftp login to vsftpd? -- john

[Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts

2014-03-23 Thread John Obaterspok
Hello, A couple of times each day the win 7 machine is not able to lookup hosts on the ipa domain. A ipconfig /renew always allows ipa hosts to be resolvable again. Any ideas why this happens? -- john

Re: [Freeipa-users] Win7 machine occasionally not able to lookup ipa hosts

2014-03-23 Thread John Obaterspok
:09 Any other suggestions? -- john 2014-03-23 18:52 GMT+01:00 Will Sheldon m...@willsheldon.com: What is the difference in the output of ipconfig /all before and after the ipconfig /renew? Kind regards, Will Sheldon On Sunday, March 23, 2014 at 1:21 AM, John Obaterspok wrote: Hello