[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
Hello all

When I try to execute any commands from an ipa-replica I get

[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ kinit
Password for rke...@ipa2.dc.sita.aero:
[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_159910_qojy7v)

I thought perhaps the two are out of sync

[root@replicahostname ~]# ipa-replica-manage re-initialize --from liipaxs010p.ipa2.dc.sita.aero
Invalid password

ipa-replica-conncheck says communication is ok.

I looked at the httpd, secure, and krb logs and none show any activity when I execute the commands above. I'm lost; any clues as to where I can look for answers?

Thank You,
Rashard Kelly

This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system.
See you at 2014 Air Transport IT Summit, 17-19 June 2014
Click here to register http://www.sitasummit.aero
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
The krb5 files are not readable by everyone. There are multiple krb5 files in tmp, should they automatically be readable by all? BTW our users do not have home directories if that makes a difference.

[rkelly@replicahostname ~]$ ls -lZ /tmp |grep krb
-rw------- root    root    ? krb5cc_0
-rw------- xs05144 xs05144 ? krb5cc_159920_u5RRhd
-rw------- rkelly  rkelly  ? krb5cc_159910_oKtZFE
-rw------- rkelly  rkelly  ? krb5cc_159910_ZekyY0
-rw------- apache  apache  ? krb5cc_48

ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

[rkelly@replicahostname ~]$ cat /proc/mounts | grep /tmp
/dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 0
[rkelly@replicahostname ~]$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_159910_oKtZFE
[rkelly@replicahostname ~]$ ls -lZ /tmp/krb5cc_159910_oKtZFE
-rw------- rkelly rkelly ? /tmp/krb5cc_159910_oKtZFE
[rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit
[14559] 1397132474.221287: Getting initial credentials for rkelly@DOMAIN
[14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN
[14559] 1397132474.221677: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88
[14559] 1397132474.225287: Response was from master KDC
[14559] 1397132474.225306: Received error from KDC: -1765328359/Additional pre-authentication required
[14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133
[14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt "IPA2.DC.SITA.AEROrkelly", params ""
[14559] 1397132474.225346: Received cookie: MIT
Password for rkelly@DOMAIN:
[14559] 1397132484.255381: AS key obtained for encrypted timestamp: aes256-cts/DBF7
[14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C
[14559] 1397132484.255453: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[14559] 1397132484.255457: Produced preauth for next request: 133, 2
[14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master)
[14559] 1397132484.255560: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88
[14559] 1397132484.262593: Processing preauth types: 19
[14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt "DOMAINrkelly", params ""
[14559] 1397132484.262603: Produced preauth for next request: (empty)
[14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7
[14559] 1397132484.262650: Decrypted AS reply; session key is: aes256-cts/B097
[14559] 1397132484.262664: FAST negotiation: available
[14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_159910_oKtZFE with default princ rkelly@DOMAIN
[rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_159910_oKtZFE)

--
Thank You,
Rashard Kelly

From: Alexander Bokovoy
To: rashard.ke...@sita.aero
Cc: freeipa-users@redhat.com
Date: 04/10/2014 03:25 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Thu, 10 Apr 2014, rashard.ke...@sita.aero wrote:
>Hello all
>
>
>When I try to execute and commands from the an ipa-replica I get
>
>[rkelly@replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly@replicahostname ~]$ kinit
>Password for rke...@ipa2.dc.sita.aero:
>[rkelly@replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly@replicahostname ~]$ klist
>klist: Credentials cache permissions incorrect while setting cache flags
>(ticket cache FILE:/tmp/krb5cc_159910_qojy7v)
>
>I thought perhaps the two are out of sync
>[root@replicahostname ~]# ipa-replica-manage re-initialize --from
>liipaxs010p.ipa2.dc.sita.aero
>Invalid password
>
>
>ipa-replica-conncheck says communication is ok.
>
>I looked at the httpd, secure,and krb log and none show any activity when
>I execute the commands above. Im lost any clues as to where I can look for
>answers?

Let's put IPA commands aside and first find out what's wrong with your Kerberos infra.

Looking at your ticket cache file name (FILE:/tmp/krb5cc_159910_qojy7v) I assume you have come to this machine via S
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
I can run commands after changing the permissions on the files, but why is it generating files that are not world readable?

[rkelly@replicahostname ~]$ ll
total 84
-rw-r--r-- 1 root    root    2428 Apr  9 22:34 krb5cc_0
-rw-r--r-- 1 xs05144 xs05144 1146 Apr  3 16:10 krb5cc_159920_u5RRhd
-rw-r--r-- 1 rkelly  rkelly   569 Apr 10 15:14 krb5cc_159910_CUkupo
-rw-r--r-- 1 rkelly  rkelly  1873 Apr  9 23:40 krb5cc_159910_ZekyY0
-rw-r--r-- 1 apache  apache   662 Apr 10 06:02 krb5cc_48

[rkelly@replicahostname ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_159910_CUkupo
Default principal: rkelly@DOMAIN

Valid starting     Expires            Service principal
04/10/14 15:14:40  04/11/14 15:14:40  krbtgt/IPA2.DC.SITA.AERO@DOMAIN

[rkelly@replicahostname ~]$ ipa user-find kelly
--
1 user matched
--
  User login: rkelly
  First name: Rashard
  Last name: KElly
  Home directory: /home/rkelly
  Login shell: /bin/sh
  Email address: rkelly@domain
  UID: 159910
  GID: 159910
  Account disabled: False
  Password: True
  Kerberos keys available: True
Number of entries returned 1

Thank You,
Rashard Kelly
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
SELinux is disabled, I changed the permissions back to the old ones and I have the problem again, although as root I can kinit as myself and can run commands. But not as the regular user. Do you have any strace examples to share?

[root@replicahostname /tmp]# ll -Za
drwxrwxrwt. root    root    system_u:object_r:tmp_t:s0  .
dr-xr-xr-x. root    root    system_u:object_r:root_t:s0 ..
-rw-------  rkelly  rkelly  ? .bash_history
drwxrwxrwt  root    root    ? .ICE-unix
drwxrwxr-x  rkelly  rkelly  ? .ipa
-r--------  root    root    ? krb5cc_0
-r--------  xs05144 xs05144 ? krb5cc_159920_u5RRhd
-r--------  rkelly  rkelly  ? krb5cc_159910_CUkupo
-r--------  rkelly  rkelly  ? krb5cc_159910_ZekyY0
-r--------  apache  apache  ? krb5cc_48
=
[root@replicahostname /tmp]# klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_159910_CUkupo)

[root@liipaxs007p /tmp]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted

Thank You,
Rashard Kelly

From: Sumit Bose
To: rashard.ke...@sita.aero
Cc: freeipa-users@redhat.com
Date: 04/10/2014 12:31 PM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Thu, Apr 10, 2014 at 11:55:05AM -0400, rashard.ke...@sita.aero wrote:
> I can run commands after changing the permissions on the files, but why is
> it generating files that are not world readable?
>
> [rkelly@replicahostname ~]$ ll
> total 84
> -rw-r--r-- 1 root    root    2428 Apr  9 22:34 krb5cc_0
> -rw-r--r-- 1 xs05144 xs05144 1146 Apr  3 16:10 krb5cc_159920_u5RRhd
> -rw-r--r-- 1 rkelly  rkelly   569 Apr 10 15:14 krb5cc_159910_CUkupo
> -rw-r--r-- 1 rkelly  rkelly  1873 Apr  9 23:40 krb5cc_159910_ZekyY0
> -rw-r--r-- 1 apache  apache   662 Apr 10 06:02 krb5cc_48

Please don't do this, the credential cache files are similar to your password, only the user itself should be allowed to read it.

When you use ls with the -Z option there is a '?' where the SELinux context should be printed. Maybe there are issues with your SELinux setup which prevent access to the ccache files? Can you try SELinux in permissive mode?

If there are still issues, running klist with strace might give some more details why the ccache file cannot be read.

HTH

bye,
Sumit
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
[root@replicahostname ~]# sestatus
SELinux status: disabled
[root@replicahostname ~]# audit2why -b -w -t avc
[root@replicahostname ~]#

Nothing in the audit log after audit2why came back either.

Thank You,
Rashard Kelly

From: Alexander Bokovoy
To: rashard.ke...@sita.aero
Cc: Sumit Bose, freeipa-users@redhat.com
Date: 04/11/2014 09:06 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Fri, 11 Apr 2014, rashard.ke...@sita.aero wrote:
>futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
>open("/tmp/krb5cc_159910_CUkupo", O_RDONLY) = -1 EACCES (Permission
>denied)

Are you sure you don't have SELinux really running and enabled?

Because the following output makes me really worry:
>> [root@replicahostname /tmp]# ll -Za
>> drwxrwxrwt. root    root    system_u:object_r:tmp_t:s0  .
>> dr-xr-xr-x. root    root    system_u:object_r:root_t:s0 ..
>> -rw-------  rkelly  rkelly  ? .bash_history
>> drwxrwxrwt  root    root    ? .ICE-unix
>> drwxrwxr-x  rkelly  rkelly  ? .ipa
>> -r--------  root    root    ? krb5cc_0
>> -r--------  xs05144 xs05144 ? krb5cc_159920_u5RRhd
>> -r--------  rkelly  rkelly  ? krb5cc_159910_CUkupo
>> -r--------  rkelly  rkelly  ? krb5cc_159910_ZekyY0

These rkelly:rkelly krb5cc_* files have no SELinux label and should be readable to the owner.

Can you show:

[root] # sestatus
[root] # audit2why -b -w -t avc

--
/ Alexander Bokovoy
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
I changed the permissions to world readable to test, afterward I changed it back to be readable only by the owner. The problem then reappeared.

[rkelly@replicahostname ~]$ ls -lZa| grep krb
-r-------- root    root    ? krb5cc_0
-r-------- xs05144 xs05144 ? krb5cc_159920_u5RRhd
-r-------- rkelly  rkelly  ? krb5cc_159910_CUkupo
-r-------- rkelly  rkelly  ? krb5cc_159910_ZekyY0
-r-------- apache  apache  ? krb5cc_48
[rkelly@replicahostname ~]$ od /tmp/krb5cc_159910_CUkupo
od: /tmp/krb5cc_159910_CUkupo: Permission denied

Thank You,
Rashard Kelly
SITA Senior Linux Specialist

From: Sumit Bose
To: rashard.ke...@sita.aero
Cc: Alexander Bokovoy, freeipa-users@redhat.com
Date: 04/11/2014 09:54 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Fri, Apr 11, 2014 at 09:42:41AM -0400, rashard.ke...@sita.aero wrote:
> [root@replicahostname ~]# sestatus
> SELinux status: disabled
> [root@replicahostname ~]# audit2why -b -w -t avc
> [root@replicahostname ~]#
>
>
> Nothing in the audit log after audit2why came back either.

That's odd. Can you read the file with od?

od /tmp/krb5cc_159910_CUkupo

don't send the output just check if it is readable or if od returns an error as well?

Are there any odd filesystem permission on your klist binary like s-bit set?

ls -alZ $(which klist)

(here you can send the output :-)

bye,
Sumit
Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials (SOLVED)
Thank you so much, it was the user id. There was an account with the same user name leftover from a previous effort. Thanks to everyone for the time.

Thank You,
Rashard Kelly

From: Sumit Bose
To: rashard.ke...@sita.aero
Cc: Alexander Bokovoy, freeipa-users@redhat.com
Date: 04/11/2014 11:58 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Fri, Apr 11, 2014 at 11:22:55AM -0400, rashard.ke...@sita.aero wrote:
> I changed the permissions to world readable to test, afterward I changed
> it back to be readable only by the owner. The problem then reappeared.
>
> [rkelly@replicahostname ~]$ ls -lZa| grep krb
> -r-------- root    root    ? krb5cc_0
> -r-------- xs05144 xs05144 ? krb5cc_159920_u5RRhd
> -r-------- rkelly  rkelly  ? krb5cc_159910_CUkupo
> -r-------- rkelly  rkelly  ? krb5cc_159910_ZekyY0
> -r-------- apache  apache  ? krb5cc_48
> [rkelly@replicahostname ~]$ od /tmp/krb5cc_159910_CUkupo
> od: /tmp/krb5cc_159910_CUkupo: Permission denied

hm, either your filesystem is broken or there is an issue with duplicate UIDs. Can you check if the filesystem UID matches yours:

stat krb5cc_159910_CUkupo

should show the numerical UID for the file and

id

will show yours.

HTH

bye,
Sumit
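The check Sumit describes (numeric UID from `stat` on the cache file versus `id`), extended to also flag group/other access and a login name that maps to two UIDs; this is an added shell example, not part of the thread. The function names, the constructed passwd lines (UID 500 for the leftover account is invented for illustration) and the `files`/`sss` NSS service names are assumptions, and it needs GNU `stat`.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a Kerberos FILE: ccache is
# owned by the UID the session really runs as and is closed to group/other.
# Assumes Linux with GNU coreutils `stat -c`. Function names are hypothetical.

# Turn a KRB5CCNAME value into a path; only FILE: caches are handled.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        /*)     printf '%s\n' "$1" ;;      # a bare path is treated as FILE:
        *)      return 1 ;;                # KEYRING:, DIR:, ... out of scope
    esac
}

# check_ccache FILE UID
# Prints ok | missing | uid-mismatch:file=<n>,expected=<n> | mode-too-open:<octal>
# and returns non-zero for anything but "ok". Numeric UIDs are compared because
# two accounts with one login name make the owner column of `ls -l` misleading.
check_ccache() {
    cc_file=$1
    cc_want=$2
    [ -f "$cc_file" ] || { echo "missing"; return 1; }
    cc_uid=$(stat -c %u "$cc_file")
    cc_mode=$(printf '%03d' "$(stat -c %a "$cc_file")")
    if [ "$cc_uid" != "$cc_want" ]; then
        echo "uid-mismatch:file=$cc_uid,expected=$cc_want"
        return 2
    fi
    case "$cc_mode" in
        *00) echo "ok" ;;                  # no group or other permission bits
        *)   echo "mode-too-open:$cc_mode"; return 3 ;;
    esac
}

# Read passwd(5)-format lines on stdin (collected from several NSS sources)
# and print every login name that maps to more than one numeric UID.
name_uid_conflicts() {
    awk -F: '
        !seen[$1 FS $3]++ {
            uids[$1] = (n[$1] ? uids[$1] "," : "") $3
            n[$1]++
        }
        END { for (u in n) if (n[u] > 1) print u " " uids[u] }
    ' | sort
}

# Constructed sample: a leftover local account next to the IPA account.
# UID 500 is made up; 159910 is the IPA UID shown in the thread.
sample_passwd() {
    cat <<'EOF'
rkelly:x:500:500:leftover local account:/home/rkelly:/bin/sh
rkelly:*:159910:159910:Rashard KElly:/home/rkelly:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
}

# Run against the live session only when asked: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    cc=$(ccache_path "${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}") || exit 2
    check_ccache "$cc" "$(id -u)"
    # Assumption: local accounts come from "files", IPA accounts from "sss".
    { getent -s files passwd "$(id -un)"; getent -s sss passwd "$(id -un)"; } |
        name_uid_conflicts
fi
```

A `uid-mismatch` result corresponds to the `EACCES` seen in the strace output, and `mode-too-open` to the world-readable test that Sumit advised against.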
[Freeipa-users] Postponing IPA 3 upgrade
I was wondering if I need to be concerned about IPA 2 being updated automatically to IPA 3? We have a working IPA 2 environment in place now and wanted to know if IPA needed to be added to an exclude list. We are afraid of breaking our current setup. When IPA 3 is released will yum automatically upgrade it to 3 or will that be something that we have to manually issue?

Thanks,
Rashard
Re: [Freeipa-users] Postponing IPA 3 upgrade
Thanks for all the replies,

We are using Red Hat Satellite Server to handle Yum updates but I am still getting a grasp on how it works. After talking to one of our admins, I was told that it should not do a major version upgrade without being explicitly told to. The servers are virtual so I will clone them off before the next patch cycles. Is there an official go-live date for IPA3 in RHEL?

Thanks,
Rashard

From: Jorick Astrego
To: Christian Horn
Cc: freeipa-users@redhat.com
Date: 02/12/2013 01:04 PM
Subject: Re: [Freeipa-users] Postponing IPA 3 upgrade
Sent by: freeipa-users-boun...@redhat.com

On 02/12/2013 08:30 AM, Christian Horn wrote:
> On Mon, Feb 11, 2013 at 09:05:40PM +, Steven Jones wrote:
>> Personally I'm very worried, 6.2 to 6.3 went badly and this looks like a bigger upgrade
> I might miss something.. but can't one create a "throw away replica"
> of the old environment, use that then separately and try out the
> upgrade with it?
>
> Christian
>

He could if he has spare hardware laying around. Or if he is running it virtualized you could clone the vm easily and test it on a virtual network not connected to the rest.

But if you read Rashard's post correctly, he is afraid of yum automatically updating freeIPA and breaking it.

@ Rashard

You should not be letting yum update automatically but use Katello, Red Hat Network Satellite or Spacewalk to install updates.

Still I would like to know the same. Some other projects use version dependent repos so you can choose to switch by changing repo, others put the version number in the package name.

--
Kind Regards,
Jorick Astrego
Netbulae B.V.
Site: http://www.netbulae.eu
[Freeipa-users] How IPA handles AD computer groups
I am working on a team to plan a migration to IPA on our UNIX based systems. One thing I was seeking information on is Computer groups. If a trust is established with our campus AD infrastructure, will its computer groups be shared with IPA or just users? If computer groups are transferred to host groups this will make managing permissions easier without having to recreate all the groups on the IPA side.

I could not find any info in this document http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could point me to some documentation about the subject it would be really helpful.

Thank You,
Rashard Kelly
Senior Linux Specialist

From: Martin Kosek
To: Sumit Bose
Cc: freeipa-users@redhat.com
Date: 05/31/2013 06:41 AM
Subject: Re: [Freeipa-users] IPA & AD trust question
Sent by: freeipa-users-boun...@redhat.com

On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are stored in IPA?
>
> Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> I can see no issues.
>
>>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
>
> We are trying to support RFC2307 attributes in AD with the next releases
> for SSSD and FreeIPA. Currently only algorithmic IP mapping based on the
> AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is being implemented (in case you want to follow it):

https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release (https://fedorahosted.org/freeipa/report/3), you may also want to check that they address your needs (and provide comments if they don't). We are still in a design phase, so some amendments are possible.

Thanks,
Martin
[Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2)
Hello all!!

I cannot get a RHEL5.10 client to install!

[root@hostname ~]# ipa-client-install --hostname=hostname.domain.com --no-ntp --ca-cert-file=/etc/ipa/ca.crt
DNS domain 'doman.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: hostname.com
Realm: DOMAIN.COM
DNS Domain: domain.com
IPA Server: ipaserver.com
BaseDN: dc=ipa,dc=dc,dc=sita,dc=com

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.

This is what the krb log had to say

Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29358](info): TGS_REQ (1 etypes {18}) 10.226.124.10: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, rke...@domain.com for krbtgt/domain@domain.com
Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (4 etypes {18 17 16 23}) 10.226.20.31: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, rke...@domain.com for ldap/ipaserver.domain@domain.com
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Mar 08 06:24:00 ipaser...@domain.como krb5kdc[29358](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not found in Kerberos database
Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not found in Kerberos database

After reviewing the https://access.redhat.com/site/solutions/231543 post IPA: Joining realm failed: SASL Bind failed Local error (-2) ! child exited with 9. I checked all my DNS info via dig and took a working DNS config from another server. Everything appears to be setup right. What could I be overlooking?

Thank You,
Rashard Kelly
SITA Senior Linux Specialist

From: Dmitri Pal
To: Trey Dockendorf
Cc: freeipa-users@redhat.com
Date: 03/07/2014 05:43 PM
Subject: Re: [Freeipa-users] Using external KDC
Sent by: freeipa-users-boun...@redhat.com

On 03/07/2014 05:26 PM, Trey Dockendorf wrote:
> On Thu, Mar 6, 2014 at 7:20 PM, Dmitri Pal wrote:
>> On 03/05/2014 06:24 PM, Trey Dockendorf wrote:
>>> Correction from my email, the condition that sets if a 389DS user is
>>> proxied to pam_krb5 is the "pamFilter", sorry.
>>>
>>> On Wed, Mar 5, 2014 at 5:22 PM, Trey Dockendorf
>>> wrote:
>>>> On Mon, Mar 3, 2014 at 7:29 PM, Dmitri Pal wrote:
>>>>> On 03/03/2014 07:47 PM, Simo Sorce wrote:
>>>>>> On Mon, 2014-03-03 at 18:42 -0600, Trey Dockendorf wrote:
>>>>>>> Is it possible with FreeIPA to use an external KDC or pass some or all
>>>>>>> authentication to an external KDC? The KDC at our University may give
>>>>>>> me a one way trust if I describe my implementation plan for FreeIPA.
>>>>>>> Currently I use 389DS with PAM pass through using untrusted pam_krb5.
>>>>>>> I'd like to fully utilize FreeIPA without managing passwords since all
>>>>>>> my users already have University accounts. I just want to manage
>>>>>>> authorization for my systems, not authentication.
>>>>>> You could set up a kerberos trust manually but at the moment we do not
>>>>>> support it in the code or the utilities.
>>>>>>
>>>>>> SSSD in particular will have no place to find identity information if
>>>>>> all you have is a kerberos trust, you'd need also an external identity
>>>>>> store to point to, but there is no builtin code in SSSD to link the 2
>>>>>> domain at this point.
>>>>>>
>>>>>> We are planning on working on IPA-to-IPA trust, and possibly
>>>>>> IPA-to-*other* so any requirements you can throw at us will be made part
>>>>>> of the consideration and planning to add this kind of functionality in
>>>>>> the future.
>>>>>>
>>>>>> NM B HTH,
>>>>>> Simo.
>>>>>>
>>>>> Can you describe your workflows because I have some idea in mind?
>>>> Right now the workflow I have with 389ds using PAM Pass Through Auth
>>>> is the following:
>>>>
>>>> For users with the proper attribute defined in 'pamIDAttr'
>>>>
>>>> client ---> 389DS ---> 389DS server's pam_krb5 ---> Campus KDC
>>>>
>>>> For users lacking the at
[Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2)
Hello all!!

I cannot get a RHEL5.10 client to install!

[root@hostname ~]# ipa-client-install --hostname=hostname.domain.com --no-ntp --ca-cert-file=/etc/ipa/ca.crt
DNS domain 'doman.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname:hostname.com
Realm:DOMAIN.COM
DNS Domain: domain.com
IPA Server: ipaserver.com
BaseDN: dc=ipa,dc=dc,dc=sita,dc=com

Joining realm failed: SASL Bind failed Local error (-2) !
child exited with 9
Installation failed. Rolling back changes.

This is what the krb log had to say:

Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29358](info): TGS_REQ (1 etypes {18}) 10.226.124.10: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, rke...@domain.com for krbtgt/domain@domain.com
Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (4 etypes {18 17 16 23}) 10.226.20.31: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, rke...@domain.com for ldap/ipaserver.domain@domain.com
krb5kdc: Cannot determine realm for numeric host address - unable to find realm of host
Mar 08 06:24:00 ipaser...@domain.como krb5kdc[29358](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not found in Kerberos database
Mar 08 06:24:00 ipaser...@domain.com krb5kdc[29357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.22.22.10: UNKNOWN_SERVER: authtime 0, rke...@ipa2.dc.sita.aero for ldap/10.226.20...@domain.com, Server not found in Kerberos database

After reviewing the https://access.redhat.com/site/solutions/231543 post "IPA: Joining realm failed: SASL Bind failed Local error (-2) ! child exited with 9", I checked all my DNS info via dig and took a working DNS config from another server. Everything appears to be set up right. What could I be overlooking?

Thank You,
Rashard Kelly
SITA Senior Linux Specialist
Re: [Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2)
Thanks for the response Martin. The DNS info is configured the same as it is on other clients. I did run the install in debug mode and it failed at...

Starting nscd: [ OK ]

root: DEBUGstderr=
root: DEBUGargs=/sbin/chkconfig nscd on
root: DEBUGstdout=
root: DEBUGstderr=
root: DEBUGargs=/sbin/service nslcd status
root: DEBUGstdout=
root: DEBUGstderr=nslcd: unrecognized service

root: INFO nslcd daemon is not installed, skip configuration

What could this mean? LDAP is installed.

Thank You,
Rashard Kelly
Re: [Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2) (SOLVED)
Thanks, after a little digging I found that the reverse DNS records were not configured for the masters.

Thank You,
Rashard Kelly

From: Martin Kosek
To: rashard.ke...@sita.aero
Cc: freeipa-users@redhat.com
Date: 03/10/2014 10:17 AM
Subject: Re: [Freeipa-users] Joining realm failed: SASL Bind failed Local error (-2)

This service should be needed at all in default installation, did you maybe try to run ipa-client-install with --no-sssd option and do not have nss-pam-ldapd package installed?

Martin

On 03/10/2014 03:11 PM, rashard.ke...@sita.aero wrote:
> Thanks for the response Martin. The DNS info is configured the same as it
> is on other clients. I did run the install in debug mode and failed at...
>
> Starting nscd: [ OK ]
>
> root: DEBUGstderr=
> root: DEBUGargs=/sbin/chkconfig nscd on
> root: DEBUGstdout=
> root: DEBUGstderr=
> root: DEBUGargs=/sbin/service nslcd status
> root: DEBUGstdout=
> root: DEBUGstderr=nslcd: unrecognized service
>
> root: INFO nslcd daemon is not installed, skip configuration
>
> what could this mean? Ldap is installed
>
> Thank You,
> Rashard Kelly
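
The KDC log earlier in this thread shows the rejected requests asking for a service principal of the form ldap/<numeric address>, and the poster traced the failure to missing reverse DNS records for the masters. The Python below is an added example, not part of the original posts and not FreeIPA code: it scans krb5kdc log text for that pattern. The sample log, hostnames, realm, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the krb5kdc log format quoted in this thread; the
# hosts, realm and addresses (documentation ranges) are placeholders.
SAMPLE_LOG = """\
Mar 08 06:24:00 kdc.example.test krb5kdc[29358](info): TGS_REQ (1 etypes {18}) 192.0.2.10: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 08 06:24:00 kdc.example.test krb5kdc[29357](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.31: ISSUE: authtime 1394259840, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Mar 08 06:24:00 kdc.example.test krb5kdc[29358](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.TEST for ldap/198.51.100.31@EXAMPLE.TEST, Server not found in Kerberos database
Mar 08 06:24:00 kdc.example.test krb5kdc[29357](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.TEST for ldap/198.51.100.31@EXAMPLE.TEST, Server not found in Kerberos database
Mar 08 06:25:12 kdc.example.test krb5kdc[29357](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.44: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.TEST for HTTP/typo-host.example.test@EXAMPLE.TEST, Server not found in Kerberos database
"""

# Fields of a TGS_REQ line: requesting address, status, client, service principal.
TGS_RE = re.compile(
    r"TGS_REQ \([^)]*\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): .*?"
    r"(?P<client>\S+) for (?P<service>[^/\s@]+)/(?P<host>[^@\s,]+)@(?P<realm>[^\s,]+)"
)


def is_ip_literal(host):
    """True when the host part of a service principal is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def numeric_host_failures(log_text):
    """Count UNKNOWN_SERVER requests per (client address, service principal)
    where the principal names an IP address instead of a hostname."""
    hits = Counter()
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if m and m.group("status") == "UNKNOWN_SERVER" and is_ip_literal(m.group("host")):
            principal = "{service}/{host}@{realm}".format(**m.groupdict())
            hits[(m.group("client_ip"), principal)] += 1
    return hits


if __name__ == "__main__":
    for (client_ip, principal), n in numeric_host_failures(SAMPLE_LOG).items():
        # The address inside the principal is the server whose PTR record to check.
        print(f"{n}x from {client_ip}: {principal} -> check reverse DNS for that address")
```

The UNKNOWN_SERVER entry for a mistyped hostname is deliberately not reported, since only an IP literal in the principal points at a reverse-lookup problem.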
[Freeipa-users] Sudo Rule Command Line Option Arguments
What is the correct way to add a flag inside a sudo command that will be added to a command group? When adding commands with no flags I have no issue such as "/usr/bin/yum info example*" but when I try to add options to the command like this "/usr/bin/yum --disableexcludes=all localinstall example*", it does not work even when escaping items like --. How does IPA handle a request like that?

ipa-client-3.0.0-37.el6.x86_64

[rkelly@hostname /]$ ipa sudocmdgroup-add-member --sudocmds "/usr/bin/yum --disableexcludes=all localinstall example*" yumsita
Sudo Command Group: yumexample
Description: Yum install Priviledges for example.com specific packages
Member Sudo commands: /usr/bin/yum info example*, /usr/bin/yum update example*, /usr/bin/yum remove example*, /usr/bin/yum install example*, /usr/bin/yum localinstall example*, /usr/bin/yum localupdate example*
Failed members:
member sudo command: /usr/bin/yum --disableexcludes=all localinstall example*: no such entry
-------------------------
Number of members added 0
-------------------------

Thank You,
Rashard Kelly
Re: [Freeipa-users] Sudo Rule Command Line Option Arguments (Solved)
The command had not been added into the sudocmd database.

member sudo command: /usr/bin/yum --disableexcludes=all localinstall example*: no such entry

I think this error should point to someone checking to make sure the sudo command had been created, something along the lines of "no sudocmd entry defined yet" vs "no such entry" would improve workflow for people stuck using the CMD.

Thank You,
Rashard Kelly

From: Rashard Kelly/Atlanta/SITA/WW
To: freeipa-users@redhat.com
Date: 03/12/2014 11:47 AM
Subject: Sudo Rule Command Line Option Arguments

What is the correct way to add a flag inside a sudo command that will be added to a command group? When adding commands with no flags I have no issue such as "/usr/bin/yum info example*" but when I try to add options to the command like this "/usr/bin/yum --disableexcludes=all localinstall example*", it does not work even when escaping items like --. How does IPA handle a request like that?

ipa-client-3.0.0-37.el6.x86_64

[rkelly@hostname /]$ ipa sudocmdgroup-add-member --sudocmds "/usr/bin/yum --disableexcludes=all localinstall example*" yumsita
Sudo Command Group: yumexample
Description: Yum install Priviledges for example.com specific packages
Member Sudo commands: /usr/bin/yum info example*, /usr/bin/yum update example*, /usr/bin/yum remove example*, /usr/bin/yum install example*, /usr/bin/yum localinstall example*, /usr/bin/yum localupdate example*
Failed members:
member sudo command: /usr/bin/yum --disableexcludes=all localinstall example*: no such entry
-------------------------
Number of members added 0
-------------------------

Thank You,
Rashard Kelly
Re: [Freeipa-users] Sudo Rule Command Line Option Arguments (Solved)
I would be happy to open a ticket, where do I go to do that?

Thank You,
Rashard Kelly

From: Rob Crittenden
To: rashard.ke...@sita.aero, freeipa-users@redhat.com
Date: 03/13/2014 09:52 AM
Subject: Re: [Freeipa-users] Sudo Rule Command Line Option Arguments (Solved)

rashard.ke...@sita.aero wrote:
> The command had not been added into the sudocmd database.
>
> member sudo command: /usr/bin/yum --disableexcludes=all localinstall
> example*: no such entry
>
> I think this error should point to someone checking to make sure the
> sudo command had been created, something along the lines of "no sudocmd
> entry defined yet" vs "no such entry" would improve workflow for people
> stuck using the CMD.

Yes, having more specific "not found" errors might be nice. I believe we percolate this error up directly from LDAP.

Can you open a trac ticket on this?

rob

>
> Thank You,
> Rashard Kelly
>
> From: Rashard Kelly/Atlanta/SITA/WW
> To: freeipa-users@redhat.com
> Date: 03/12/2014 11:47 AM
> Subject: Sudo Rule Command Line Option Arguments
>
> What is the correct way to add a flag inside a sudo command that will be
> added to a command group? When adding commands with no flags I have no
> issue such as "/usr/bin/yum info example*" but when I try to add options
> to the command like this "/usr/bin/yum --disableexcludes=all
> localinstall example*", It does not work even when escaping items like
> --. How does IPA handle a request like that?
>
> ipa-client-3.0.0-37.el6.x86_64
>
> [rkelly@hostname /]$ ipa sudocmdgroup-add-member --sudocmds
> "/usr/bin/yum --disableexcludes=all localinstall example*" yumsita
> Sudo Command Group: yumexample
> Description: Yum install Priviledges for example.com specific packages
> Member Sudo commands: /usr/bin/yum info example*, /usr/bin/yum update
> example*,
> /usr/bin/yum remove example*, /usr/bin/yum install
> example*, /usr/bin/yum localinstall example*, /usr/bin/yum
> localupdate example*
> Failed members:
> member sudo command: /usr/bin/yum --disableexcludes=all
> localinstall example*: no such entry
> -------------------------
> Number of members added 0
> -------------------------
>
> Thank You,
> Rashard Kelly
[Freeipa-users] Disadvantages of using external DNS
What are the disadvantages of using an external DNS source? My three options are install DNS services on the IPA server, use the local Active Directory DNS, or connect to a Linux based DNS appliance. Is it common not to use DNS at all? If so, what are the drawbacks? My goal is consolidating all local administration of users to a centralized place in our environment. I have been reading the documentation and the mailing list archives, forgive me if I have overlooked this answer.

Thanks,
Rashard
Re: [Freeipa-users] Disadvantages of using external DNS
Thank everyone for the ideas. We will be adding the DNS service to the IPA server. This seems like the best solution.

Thanks again,
Rashard