Re: [Freeipa-users] Fedora 19 upgrading mod_nss

2013-11-22 Thread Simo Sorce
otocol SSLv3,TLSv1.0,TLSv1.1". > +NSSProtocol SSLv3,TLSv1.0,TLSv1.1 > > # SSL Certificate Nickname: > # The nickname of the RSA server certificate you are going to use. > @@ -214,6 +223,5 @@ > #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \ > #

Re: [Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-13 Thread Simo Sorce
On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote: > On 2013-11-12 21:39, Simo Sorce wrote: > > On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote: > >> In our environment we have very limited amount of shared virtual Windows > >> 7 machines. We haven't rea

Re: [Freeipa-users] 2 question on passsync

2013-11-12 Thread Simo Sorce
> password. > > Without this then when a new password is synced from AD it would require > a reset, which sort of defeats the point of syncing passwords. > > I like your idea of a group, can you file an RFE on this? > > rob > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-12 Thread Simo Sorce
tting the MS-PAC on tickets, but I fear it is only for TGS requests and not for the TGT. Have you added SIDs because you are using a trust relationship with an AD domain, and you just wish not to use them for these few Windows machines ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] reboot required after ipa-client-install?

2013-11-11 Thread Simo Sorce
start > file for Fedora 19 and 20 seems to produce the desired result. Thanks for the analysis Dean, however I would say it is a bug in authconfig. Authconfig should not remove the sss lines by default. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA and AD, pass sync, different cn

2013-11-05 Thread Simo Sorce
you may read on it here: http://docs.fedoraproject.org/en-US/Fedora/18/html-single/FreeIPA_Guide/index.html#active-directory Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] DNS views: request for comments

2013-10-22 Thread Simo Sorce
On Tue, 2013-10-22 at 18:14 +0200, Petr Spacek wrote: > On 22.10.2013 16:44, Martin Kosek wrote: > > On 10/21/2013 10:57 PM, Simo Sorce wrote: > >> Comments inline. > >> > >> On Mon, 2013-10-21 at 18:48 +0200, Petr Spacek wrote: > >>> On 1.10.2013 1

Re: [Freeipa-users] DNS views: request for comments

2013-10-21 Thread Simo Sorce
== > Do not implement it in bind-dyndb-ldap and wait if Martin Basti succeeds with > his thesis. He is trying to design and implement some generic/pluggable > LDAP<->DNS synchronization mechanism. > > Personally, I think that vari

Re: [Freeipa-users] IPA, Samba and AD

2013-09-22 Thread Simo Sorce
xes and rely entirely on winbindd to provide trusted domain users. However at this point you can as well use the solution I proposed you above. > AD(OTHERCOMP.EDU) <--trusts-- AD(MYCOMP.EDU) <--nt-4-trusts-- > NT4(MYCOMP-SAMBA) > > > > Now, giving correct g

Re: [Freeipa-users] slapi-nis bypass Password Policies

2013-09-19 Thread Simo Sorce
sible to bypass the Password Policies from this client server? I am not sure I understand in what way you'd want to bypass them. You'd like to be able to continue to authenticate even if the passwords are expired ? Or you just want to avoid being sent password expiration messages ? Simo

Re: [Freeipa-users] Elliptic curves with the CA

2013-09-16 Thread Simo Sorce
ostly just > inconvenient, but it's legal). I gave the CA ECC CSR (generated by > openSSL on one of the servers), and to my amazement it failed to sign > it properly complaining about the type not being RSA. > -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IE or Firefox & Apache Kerberos authentication

2013-09-16 Thread Simo Sorce
msnet.de/kerbtut/firefox.html > > > Christian

Re: [Freeipa-users] IE or Firefox & Apache Kerberos authentication

2013-09-16 Thread Simo Sorce
> > > Sent from Samsung Mobile > > > > Original message > From: Simo Sorce > Date: > To: Ondrej Valousek > Cc: ch...@fluxcoil.net,freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IE or Firefox & Apache Kerberos > authe

Re: [Freeipa-users] Date of last access attribute

2013-09-16 Thread Simo Sorce
On Mon, 2013-09-16 at 08:44 -0400, Rob Crittenden wrote: > Dmitri Pal wrote: > > On 09/13/2013 01:46 PM, Rob Crittenden wrote: > >> Simo Sorce wrote: > >>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote: > >>>> Dmitri Pal wrote:

Re: [Freeipa-users] Incorrect user information

2013-09-15 Thread Simo Sorce
blom (Smith) > Assistant Director > Research Computing, University of South Florida > 4202 E. Fowler Ave. SVC4010 > Office Phone: +1 813 974-1467 > Organization URL: http://rc.usf.edu -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Date of last access attribute

2013-09-13 Thread Simo Sorce
ific activity attribute. I think about the closest > you could get is last successful Kerberos authentication > (krblastsuccessfulauth), but again this isn't specific to mail activity > (unless that is all the users can do). > > Note too that this attribute is by default not

Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Simo Sorce
On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote: > On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: > > On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote: > > > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote: > > > > > > > Yes it is, but

Re: [Freeipa-users] Is kerberos DB import to IPA possible?

2013-09-13 Thread Simo Sorce
in text binds as you would not generate the userPassword hash, not sure what else, and I cannot guarantee it really works all the way. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Permission Denied

2013-09-13 Thread Simo Sorce
On Thu, 2013-09-12 at 16:16 -0500, Dean Hunter wrote: > On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote: > > On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote: > > > On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: > > > > On Thu, 2013-09-12 at

Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote: > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote: > > > Yes it is, but I need to see also what you get on the successful ssh > > case, klist is all I need to see, no other output. > > > > Also does it wo

Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote: > ticket, but once you alnd of the cmahine there are no credentials this meant to be 'land on the machine', sorry for my typing impairment. Simo. -- Simo Sorce * Red Hat, I

Re: [Freeipa-users] Permission Denied

2013-09-12 Thread Simo Sorce
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote: > On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote: > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote: > > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: > > > > On Wed, 2013-09-11 at

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
> > 2013/9/11 Simo Sorce > On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva > wrote: > > Hello! > > > > > > First I apologize if this topic is redundant. > > > > >

Re: [Freeipa-users] FreeIPA integrating samba4 + AD

2013-09-11 Thread Simo Sorce
ou mean by integrating here. Is your intent to use Samba4 as an AD domain controller for your Windows clients and IPA for your servers ? If that's the case unfortunately this is not possible at the moment as samba4 does not yet support Forest level trusts. A Micr

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote: > On 09/11/2013 11:49 AM, Simo Sorce wrote: > > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote: > >> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: > >>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunte

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote: > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote: > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote: > > > > > I do NOT believe this: > > > [dean@ipa2 ~]$ ssh dean@desktop2

Re: [Freeipa-users] Permission Denied

2013-09-11 Thread Simo Sorce
rpc.gssd cannot find your ticket, ssh may be doing something "wrong" in this case. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IPA, Named and DHCP

2013-09-07 Thread Simo Sorce
use the script to call 'nsupdate' and issue GSS-TSIG signed dns update requests. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Exporting data?

2013-09-04 Thread Simo Sorce
. I have no idea how it works with > > shadow map/password. Try to ask sssd-us...@lists.fedorahosted.org. > > > And to add to it: > IPA does not keep password in clear or the hashes that are used in > passwd and shadow files for security reasons so it can't generate these

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Simo Sorce
On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote: > On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce wrote: > On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote: > > Okay, I have a replica built and running. My original, > "sick" server >

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Simo Sorce
rything. Is this what you did in your old setup ? > After the replica install is done: > > > 7. Shut down and delete the ipamaster2 VM. Do not forget to ipa-replica-manage remove it first. > 8. Upgrade existing "replicas" to F18 and latest IPA version. > 9. Estab

Re: [Freeipa-users] FreeIPA Replica ports

2013-08-26 Thread Simo Sorce
the CA, it always uses startTLS on port 7389. We should also probably note that in newer versions of FreeIPA we have consolidated all instances in one, so only port 389 is used. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Replication woes

2013-08-19 Thread Simo Sorce
issue? > > That suggests a DNS problem, > and it might explain ssh as > well depending >

Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Simo Sorce
let me > know. Do you also block the 'net user' command on Windows clients ? It's the same as 'passwd' on Linux clients. I would address the problem by using proper password policies as I (now) see Petr recommended in another emai

Re: [Freeipa-users] IPA Server UI Behind Proxy

2013-08-14 Thread Simo Sorce
an pass -k /etc/httpd/conf/ipa.keytab directly. ipa-getkeytab will properly append the fetched keys to the keytab and no further, error prone, manual merging will be necessary. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] disable forms-based login

2013-07-22 Thread Simo Sorce
While > this is better than sending them with each request, it still presents > an opportunity where credentials can be intercepted, no? Yours is a valid concern. Please open a RFE ticket to make the form-based login page/mechanism disableable. Simo. -- Simo Sorce * Red Hat, Inc * New

Re: [Freeipa-users] deleting password history?

2013-07-15 Thread Simo Sorce
bPwdHistory attribute from the user's entry the user will have no history. That should be sufficient to allow you to change 'back' his password. Other means are: change the password as many times as krbPwdHistoryLength says and finally you'll be able to start agai

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
ytab > is /var/lib/gssproxy? no the default keytab is always /etc/krb5.keytab > Simo. > > > Sent from Samsung Mobile > > > > ---- Original message > From: Simo Sorce > Date: > To: "Adamson, Andy" > Cc: and...@wasielewski.co.

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
On Mon, 2013-07-15 at 08:50 -0500, Dean Hunter wrote: > On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote: > > On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote: > > > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote: > > > > F19 has GSS proxy. I encourag

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
cket, then the problem still exists. I'm working on a set of > GSS expiry patches and I'll make sure this problem is solved in the kernel. Just to avoid confusion. GSS-Proxy doesn't really handle renews at this stage (except as a possible side effect of GSSAPI doing it und

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-15 Thread Simo Sorce
ek and should be able to > > help. > > Is the GSS proxy configured by ipa-client-automount? No, gssproxy is quite new and we do not configure it by default at this stage. It has been tested only with NFS (both server and client) on Fedora 19. Simo. -- Sim

Re: [Freeipa-users] Is GSSAPI secure without TLS?

2013-07-15 Thread Simo Sorce
full SSL verification is on. But Clients usually do not have X509 certificates, so there is no mutual authentication at the SSL level in that case and MITM becomes much easier. Now the question would be: why postfix doesn't do channel bindings? I guess it maybe because GSSAPI is behind the SASL layer, but I haven't checked. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-12 Thread Simo Sorce
On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote: > On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote: > > On 07/10/2013 12:12 PM, Simo Sorce wrote: > > > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote: > > >> Folks, > > >> I

Re: [Freeipa-users] Problem with Kerberised NFS mount

2013-07-12 Thread Simo Sorce
r AES is available since quite a few Fedora releases and RHEL6 Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Instructions for using Postfix SMTP Client Relay with FreeIPA

2013-07-10 Thread Simo Sorce
not clear. Very nice write up Erinn. Thanks, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA as Samba 4 Backend

2013-06-28 Thread Simo Sorce
ross-realm trusts that would with Active Directory. In the future this should work also with Samba4, but Samba4 code base currently lacks support for cross-forest trusts. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IPA privileges question

2013-06-03 Thread Simo Sorce
tr.collmedia.net krb5kdc[4190](info): ... > CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net > > Do I need to add DNS too? No, and you shouldn't have added ldap/fqdn either as you are not hosting an LDAP server. Just FYI: there is no error in the snippet above, the

Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Simo Sorce
_id parameters. Could that be > the case? Can you check if after removing the cache the entry still shows up? > > I think that the fact that the entry is returned from cache even if it > should be filtered out is a bug: > https://fedorahosted.org/sssd/ticket/1954 So far we always maintained that if you consistently change configuration (and a change of ranges is a big change) then it's on the admin to wipe the cache file. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Simo Sorce
On Fri, 2013-05-24 at 16:18 +0200, Martin Kosek wrote: > On 05/24/2013 03:34 PM, Simo Sorce wrote: > > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote: > >> Greetings, > >> > >> I was told to bring my issue to this distribution. > >>

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Simo Sorce
and all suggestions are greatly appreciated... I would look at the migration pages. You can probably use migration mode to migrate user data from one FreeIPA install to the other and then the migration mode of sssd to validate and recompute the kerberos keys. See this for some guidance:

Re: [Freeipa-users] Replicas

2013-05-14 Thread Simo Sorce
d performance I'd start with the 389-ds documentation. > > rob > -- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Two kerberos realms for same domainname?

2013-05-09 Thread Simo Sorce
s to slowly move machines by putting CNAMEs in the AD DNS that point the old company.tld names to the new ipa domain names. This allows a slow smooth transition one machine at a time for those which you need to keep visible at the old address. CNAMEs do the correct thing Kerberos wise t

Re: [Freeipa-users] Two kerberos realms for same domainname?

2013-05-08 Thread Simo Sorce
ey can and instead delegate (or just forward on both sides) a subdomain (like ipa.foo.bar) to ipa for all the ipa hosts (server.ipa.foo.bar, clientX.ipa.foo.bar ...) Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Samba 4 with IPA

2013-04-30 Thread Simo Sorce
On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote: > > We need to add some smart logic to ipasam module to handle it. > The logic for trusted users needs to go into winbindd or sssd, ipasam is only about our own domain. Simo. -- Simo Sorce * Red Hat, Inc *

Re: [Freeipa-users] Dynamic DNS

2013-04-30 Thread Simo Sorce
086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111) > Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: > updating zone 'collmedia.net/IN': update failed: rejected by secure > update (REFUSED) Something seems wrong with the Access Control policy ... Simo.

Re: [Freeipa-users] LDAP authentication for 3rd party

2013-04-11 Thread Simo Sorce
s your 3rd party app is certified > against. AD supports simple binds with a username instead of a DN ... yeah not standard but we might want to support it, we have a pre-bind plugin after all, so we could if we want to, just a matter of creating a RFE ticket. Simo. -- Simo Sorce * Red Hat,

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Simo Sorce
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote: > On 04/05/2013 08:41 AM, Simo Sorce wrote: > > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote: > >> You were correct, my reverse DNS entries for the master and replica > >> were missing. Odd, since the

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Simo Sorce
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote: > On 04/05/2013 08:41 AM, Simo Sorce wrote: > > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote: > >> You were correct, my reverse DNS entries for the master and replica > >> were missing. Odd, since the

Re: [Freeipa-users] Replication Issue

2013-04-05 Thread Simo Sorce
and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please notify the sender. > Please note that any views or opinions presented in this email are solely > those of the author and do not necessari

Re: [Freeipa-users] IPA branding

2013-03-29 Thread Simo Sorce
then hope people forget. :) The only way we do this is visible in the RHEL src.rpm packages if I remember correctly. I think that's the only 'official' way we do it for now. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Simo Sorce
t file.keytab on the keytab you get after you run ipa-getkeytab ? What enctypes do you see available ? I suspect your solaris 9 kinit is choking on a request that does not include des enctypes somehow ? Can solaris 9 use any other encryption algorithm than des ? Simo. > On Wed, Mar 27, 2013

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Simo Sorce
and change the > password via ipa-getkeytab the kinit command on the Solaris client > works normally. > > The ipa-getkeytab command must somehow be referencing > "allow_weak_crypto" and storing the password differently depending on > it. > > On Wed, Mar 27, 201

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Simo Sorce
y change the password of the user (as the user, not as an admin), and then kinit again with the new credentials on Solaris, does it 'solve' your segfault issue ? In any case a segfault in a client command is something you need to report to your OS vendor, even if it is indirectly caused by t

Re: [Freeipa-users] Account Expiration

2013-03-25 Thread Simo Sorce
> conversion in update and save methods. Register the new widget to widget > repository. Then, one has to modify spec of appropriate facets to use it. > > HTH Should we open a ticket with this RFE ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Getting Samba to authenticate against FreeIPA

2013-03-24 Thread Simo Sorce
On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote: > 24.03.2013 04:27, Martin wrote: > > Hello, apologize if this is a faq. > > > > We're trying to set up a file server that authenticates all users against > > a FreeIPA-server. The systems are up to date CentOS 6 machines and > > everything

Re: [Freeipa-users] ldap-filter, LDAP_MATCHING_RULE_IN_CHAIN, apache 2.2

2013-03-22 Thread Simo Sorce
ormation about privileges a user may have it was decided to block memberof for unauthenticated binds. The reasoning was that clients that can take correctly advantage of freeipa's memberof can also authenticate in a secure way. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Mail Challenge Password Reset

2013-03-20 Thread Simo Sorce
could share your notes or write up a how-to the community > would certainly appreciate it. It would be very nice. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Realm distrubuted across data centers

2013-03-14 Thread Simo Sorce
On Wed, 2013-03-13 at 21:10 -0430, Loris Santamaria wrote: > On Wed, 13-03-2013 at 15:57 -0400, Simo Sorce wrote: > > On Wed, 2013-03-13 at 14:36 -0430, Loris Santamaria wrote: > > > On Wed, 13-03-2013 at 14:44 +0100, Petr Spacek wrote: > > > > On 13.3.20

Re: [Freeipa-users] Realm distrubuted across data centers

2013-03-13 Thread Simo Sorce
DAP on first connection... The problem with this is that you need to explicitly configure the client, and invent these new things in SSSD. In our new proposal you do not need to do anything on the client, except pointing it to ... itself! So I am a bit confused about why you say the new proposal would be more complicated ... Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] add ldap group to local group

2013-03-13 Thread Simo Sorce
On Wed, 2013-03-13 at 16:12 +0100, Natxo Asenjo wrote: > hi, > > is it possible to do that? If by local group you mean /etc/group then it is not possible. Posix does not understand nested groups. Simo. -- Simo Sorce * Red Hat, Inc *

Re: [Freeipa-users] Realm distrubuted across data centers

2013-03-13 Thread Simo Sorce
f ipa-client-install you can add multiple, > hardcoded servers and still have failover. Basically you configure > things to ignore the SRV records, so you shouldn't have to mess with the > resolver at all. Just want to note that we are working on a more manageable solution for the fut

Re: [Freeipa-users] Postfix and FreeIPA in a secure setup

2013-03-13 Thread Simo Sorce
arsh but I want to make it very clear for our users that keytabs are *secrets* and should *never* be made available to the whole system. It is exactly like putting a password in the clear in a file and making it accessible to everyone. In your case I guess you want to use 660 or 640. Simo. -- S

Re: [Freeipa-users] FreeIPA 3.0 transitive trust, multiple domains

2013-03-12 Thread Simo Sorce
functional level > > Any help would be greatly appreciated! Sorry Mark-Jan we do not support transitive trusts yet. We are working on it, stay tuned. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Generate wildcard cert with FreeIPA CA

2013-02-27 Thread Simo Sorce
s there anyway around this to generate a wildcard cert for my local domain? > > Not using the IPA interfaces, no. There might be a way to do this by > calling out to the underlying dogtag CA directly but we don't provide > any mechanism to do that. You'd be on your own there

Re: [Freeipa-users] Transferring "mastership" to a new server

2013-02-27 Thread Simo Sorce
On Wed, 2013-02-27 at 09:31 -0500, Matthew Barr wrote: > How about fixing up all the replication relationships, if you're looking at > this from a (old) master w/ multiple replicas? Look at the documentation of ipa-replica-manage on how to change replication topology. Simo.

Re: [Freeipa-users] Transferring "mastership" to a new server

2013-02-27 Thread Simo Sorce
master as DNS server you may want to change your clients (or DHCP) configuration first to point them all at the new master, and wait to remove the former until all machines have switched to use the new DNS server. Simo. -- Simo Sorce * Red Hat, Inc * Ne

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Simo Sorce
an clone > this box and get healthy again? > Healthy will be, but with no data, don't do it. (and I suggest you make a full backup just in case) Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Certificate Issues

2013-02-19 Thread Simo Sorce
by a public authority ? When we say external we generally think of another "Internal CA" that you already use for your own services. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Non-human users

2013-02-17 Thread Simo Sorce
> Charlie > For this we should be able to use a service principal, not a full account. Unless for some reason you need this principal to show up as a user in the system (full posixAccount). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
>> > >> filter="(&(objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn=*apac*)))" > >> > >> > > > > O.K. I presume it's obvious the consequence of this little experiment > > is that if we do an RFE that results in removing the person > > objectclass from non-human users you'll have to configure a custom > > LDAP search filter in every client in your enterprise if you don't > > want them to see non-human users in their search results. > > > Can it be managed via Puppet? Unlikely, thunderbird preferences are per user and stored in user preference files, which cannot be arbitrarily overridden. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
On Fri, 2013-02-15 at 16:06 -0700, Orion Poplawski wrote: > On 02/15/2013 04:03 PM, Simo Sorce wrote: > > On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote: > >> On 02/15/2013 04:54 PM, Orion Poplawski wrote: > >>> On 02/15/2013 02:34 PM, John Dennis wrote:

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
ers you'll have to configure a custom LDAP search > filter in every client in your enterprise if you don't want them to see > non-human users in their search results. Not really, without the person objectclass none of the attributes thunderbird searches by default would be part of the user object, so the user would *not* show up. So the RFE would perfectly solve also the requirement these 'non-person' users do not show up in thunderbird. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread Simo Sorce
AP operations, or you can also simply delete the UPG and then recreate a new group with the same gid number. Just make sure you are comfortable with the security consequences for the original user when doing so. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Non-human users

2013-02-15 Thread Simo Sorce
hat > not working unless the system user was in LDAP. This may have been before I > started using SSSD on the servers so I'll need to retest this. This is an interesting use case, it would probably be appropriate to have a RFE filed to allow to create ipa users marked as 'non-pers

Re: [Freeipa-users] RHEL6 IPA and Active Directory synchronisation and Solaris RBAC

2013-02-14 Thread Simo Sorce
ep. Besides, integration in IPA probably won't happen > without RBAC support in Fedora/RHEL, right ? We can consider code contributions for this kind of features. Of course not being able to test them in our default distro would make them fragile and more subject to regressions, but I think t

Re: [Freeipa-users] Granting rights temporarily

2013-02-14 Thread Simo Sorce
On Thu, 2013-02-14 at 08:30 -0700, Rich Megginson wrote: > On 02/14/2013 06:54 AM, Simo Sorce wrote: > > On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote: > >> Hi, > >> > >> Another interesting recommendation from security is that all granted > >

Re: [Freeipa-users] Granting rights temporarily

2013-02-14 Thread Simo Sorce
oup, however no client will respect that for now, so it would be a bit pointless if not misguiding. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Logging of Who does What on IPA Server

2013-02-14 Thread Simo Sorce
rberos credentials (-Y GSSAPI tells ldapsearch to use them to auth to the server). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Python Client

2013-02-13 Thread Simo Sorce
d strange back and forth with temporary objects and so on. It Meme, if you are interested in helping in this direction please subscribe to freeipa-devel and follow this thread: https://www.redhat.com/archives/freeipa-devel/2013-February/msg00149.html Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Adding an ipa-client behind NAT

2013-02-07 Thread Simo Sorce
On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote: > Does IPA server 2.2 support the ipa clients authentication behind the NAT ? Authentication works, password changes using kpasswd protocol do not. Simo. -- Simo Sorce * Red Hat, Inc * New Y

Re: [Freeipa-users] Account Expiration

2013-02-07 Thread Simo Sorce
ys. If you want to consistently have a different expiration time you should change the password policy. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] ipa replica install fails

2013-02-05 Thread Simo Sorce
; $ kinit -kt DNS/ipa2.xyz@xyz.dmz > $ klist > > Simo, is it possible to do something like "kadmin -p admin" and "getprinc > DNS/ipa2.xyz@xyz.dmz"? you could use kadmin.local on the KDC > It fails: > > kadmin: getprinc DNS/host.redhat@e.test > get_principal: Operation requires ``get'' privilege while retrieving > "DNS/host.redhat@e.test". Interesting, this shouldn't happen, can you open a bug ? (only if on 3.x) > How is it possible to retrieve kvno and other details for IPA principals? Use kvno command for now. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule

2013-02-05 Thread Simo Sorce
kend returned: (0, 0, ) > > [Success] > > > > I disabled that allow_all rule, now it is fine. > > I don't know why that would make any difference. HBAC != sudo. sudo uses pam so HBAC may be involved during auth Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Errors with Configuring GitHub

2013-02-03 Thread Simo Sorce
trying to configure our internal GitHub server to > > > > > > use > > > > > > Our > > > > > > IPA > > > > > > server's LDAP for user logins. > > > > > > > > > >

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-24 Thread Simo Sorce
d you cannot reset the OTP password as that would effectively mean destroying the hosts credentials while the host is enrolled. Currently the IPA workflow expects you to unenroll the client first. Simo. -- Simo Sorce * Red Hat, Inc * New York

[Freeipa-users] Announcing FreeIPA 3.1.2

2013-01-23 Thread Simo Sorce
and hostname validation. Don't initialize NSS if we don't have to, clean up unused cert refs Update anonymous access ACI to protect secret attributes. Become IPA 3.1.2 Simo Sorce (1): Upload CA cert in the directory

Re: [Freeipa-users] using wildcard or other external CA certs

2013-01-23 Thread Simo Sorce
cert signed by a "well known" CA was to be > able to avoid installing the IPA CA in clients like Thunderbird and Firefox. > Thoughts, comments, suggestions? Sharing the same cert key between many machines is never a good idea. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] missing objects during migration steps

2013-01-23 Thread Simo Sorce
to retrieve cn=schema. > > I'd have sworn that openldap already did online schema this way. Please open a bug, we should not depend on the remote schema being readable. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSO page FreeIPAv3

2013-01-21 Thread Simo Sorce
the details. As for integration of Zimbra instances this is probably not the right list to ask. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Fedora 18 - FreeIPA + AD

2013-01-20 Thread Simo Sorce
for the previous email. > Hit wrong button. > > We have not fully tried AD 2012 so that might be a bug in our code > somewhere. > I am currently not aware of any issue with 2012 which is what I use in my testing. If anything specific to 2012 is found it would be nice to know. Simo.
