otocol SSLv3,TLSv1.0,TLSv1.1".
> +NSSProtocol SSLv3,TLSv1.0,TLSv1.1
>
> # SSL Certificate Nickname:
> # The nickname of the RSA server certificate you are going to use.
> @@ -214,6 +223,5 @@
> #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \
> #
On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote:
> On 2013-11-12 21:39, Simo Sorce wrote:
> > On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
> >> In our environment we have a very limited amount of shared virtual Windows
> >> 7 machines. We haven't rea
gt; password.
>
> Without this then when a new password is synced from AD it would require
> a reset, which sort of defeats the point of syncing passwords.
>
> I like your idea of a group, can you file an RFE on this?
>
> rob
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Simo Sorce * Red Hat, Inc * New York
tting the MS-PAC on tickets, but I fear it
is only for TGS requests and not for the TGT.
Have you added SIDs because you are using a trust relationship with an
AD domain, and you just wish not to use them for these few Windows
machines ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
start
> file for Fedora 19 and 20 seems to produce the desired result.
Thanks for the analysis Dean, however I would say it is a bug in
authconfig.
Authconfig should not remove the sss lines by default.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
you may read on it here:
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/FreeIPA_Guide/index.html#active-directory
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2013-10-22 at 18:14 +0200, Petr Spacek wrote:
> On 22.10.2013 16:44, Martin Kosek wrote:
> > On 10/21/2013 10:57 PM, Simo Sorce wrote:
> >> Comments inline.
> >>
> >> On Mon, 2013-10-21 at 18:48 +0200, Petr Spacek wrote:
> >>> On 1.10.2013 1
==
> Do not implement it in bind-dyndb-ldap and wait if Martin Basti succeeds with
> his thesis. He is trying to design and implement some generic/pluggable
> LDAP<->DNS synchronization mechanism.
>
> Personally, I think that vari
xes and rely entirely on winbindd to provide trusted
domain users. However at this point you can as well use the solution I
proposed you above.
> AD(OTHERCOMP.EDU) <--trusts-- AD(MYCOMP.EDU) <--nt-4-trusts--
> NT4(MYCOMP-SAMBA)
>
>
>
> Now, giving correct g
sible to bypass the Password Policies from this client server?
I am not sure I understand in what way you'd want to bypass them.
You'd like to be able to continue to authenticate even if the passwords
are expired ?
Or you just want to avoid being sent password expiration messages ?
Simo
ostly just
> inconvenient, but it's legal). I gave the CA ECC CSR (generated by
> openSSL on one of the servers), and to my amazement it failed to sign
> it properly complaining about the type not being RSA.
>
--
Simo Sorce * Red Hat, Inc * New York
msnet.de/kerbtut/firefox.html
>
>
> Christian
>
>
>
>
>
> Sent from Samsung Mobile
>
>
>
> Original message
> From: Simo Sorce
> Date:
> To: Ondrej Valousek
> Cc: ch...@fluxcoil.net,freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IE or Firefox & Apache Kerberos
> authe
On Mon, 2013-09-16 at 08:44 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 09/13/2013 01:46 PM, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
> >>>> Dmitri Pal wrote:
> &
blom (Smith)
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
>
>
>
>
> --
> Brian Lindblom (Smith)
> Assistant Director
> Research Computing, University of South Florida
> 4202 E. Fowler Ave. SVC4010
> Office Phone: +1 813 974-1467
> Organization URL: http://rc.usf.edu
--
Simo Sorce * Red Hat, Inc * New York
ific activity attribute. I think about the closest
> you could get is last successful Kerberos authentication
> (krblastsuccessfulauth), but again this isn't specific to mail activity
> (unless that is all the users can do).
>
> Note too that this attribute is by default not
On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> > On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > >
> > > > Yes it is, but
in
text binds as you would not generate the userPassword hash, not sure
what else, and I cannot guarantee it really works all the way.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 2013-09-12 at 16:16 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 16:59 -0400, Simo Sorce wrote:
> > On Thu, 2013-09-12 at 15:34 -0500, Dean Hunter wrote:
> > > On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> > > > On Thu, 2013-09-12 at
On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
>
> > Yes it is, but I need to see also what you get on the successful ssh
> > case, klist is all I need to see, no other output.
> >
> > Also does it wo
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> ticket, but once you alnd of the cmahine there are no credentials
this meant to be 'land on the machine', sorry for my typing impairment.
Simo.
--
Simo Sorce * Red Hat, I
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > > > On Wed, 2013-09-11 at
t;
> 2013/9/11 Simo Sorce
> On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva
> wrote:
> > Hello!
> >
> >
> > First I apologize if this topic is redundant.
> >
> >
>
ou mean by integrating here.
Is your intent to use Samba4 as an AD domain controller for your Windows
clients and IPA for your servers ?
If that's the case unfortunately this is not possible at the moment as
samba4 does not yet support Forest level trusts.
A Micr
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote:
> On 09/11/2013 11:49 AM, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> >> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> >>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunte
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> >
> > > I do NOT believe this:
> > > [dean@ipa2 ~]$ ssh dean@desktop2
> > &g
rpc.gssd cannot
find your ticket, ssh may be doing something "wrong" in this case.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
use
the script to call 'nsupdate' and issue GSS-TSIG signed dns update
requests.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
. I have no idea how it works with
> > shadow map/password. Try to ask sssd-us...@lists.fedorahosted.org.
> >
> And to add to it:
> IPA does not keep password in clear or the hashes that are used in
> passwd and shadow files for security reasons so it can't generate these
&
On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:
> On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce wrote:
> On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> > Okay, I have a replica built and running. My original,
> "sick" server
>
rything. Is this what you did in your old setup ?
> After the replica install is done:
>
>
> 7. Shut down and delete the ipamaster2 VM.
Do not forget to ipa-replica-manage remove it first.
> 8. Upgrade existing "replicas" to F18 and latest IPA version.
> 9. Estab
the CA, it always uses startTLS on port 7389.
We should also probably note that in newer versions of FreeIPA we have
consolidated all instances in one, so only port 389 is used.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
issue?
>
> That suggests a DNS problem,
> and it might explain ssh as
> well depending
>
let me
> know.
Do you also block the 'net user' command on Windows clients ?
It's the same as 'passwd' on Linux clients.
I would address the problem by using proper password policies as I (now)
see Petr recommended in another emai
an pass -k /etc/httpd/conf/ipa.keytab
directly.
ipa-getkeytab will properly append the fetched keys to the keytab and no
further, error prone, manual merging will be necessary.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
While
> this is better than sending them with each request, it still presents
> an opportunity where credentials can be intercepted, no?
Yours is a valid concern.
Please open a RFE ticket to make the form-based login page/mechanism
disableable.
Simo.
--
Simo Sorce * Red Hat, Inc * New
bPwdHistory attribute from the user's entry the user
will have no history.
That should be sufficient to allow you to change 'back' his password.
Other means are: change the password as many times as
krbPwdHistoryLength says and finally you'll be able to start agai
ytab
> is /var/lib/gssproxy?
no the default keytab is always /etc/krb5.keytab
>
Simo.
>
>
> Sent from Samsung Mobile
>
>
>
> ---- Original message
> From: Simo Sorce
> Date:
> To: "Adamson, Andy"
> Cc: and...@wasielewski.co.
On Mon, 2013-07-15 at 08:50 -0500, Dean Hunter wrote:
> On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote:
> > On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > > F19 has GSS proxy. I encourag
cket, then the problem still exists. I'm working on a set of
> GSS expiry patches and I'll make sure this problem is solved in the kernel.
Just to avoid confusion.
GSS-Proxy doesn't really handle renews at this stage (except as a
possible side effect of GSSAPI doing it und
ek and should be able to
> > help.
>
> Is the GSS proxy configured by ipa-client-automount?
No, gssproxy is quite new and we do not configure it by default at this
stage.
It has been tested only with NFS (both server and client) on Fedora 19.
Simo.
--
Sim
full SSL verification is on. But Clients usually do not
have X509 certificates, so there is no mutual authentication at the SSL
level in that case and MITM becomes much easier.
Now the question would be: why postfix doesn't do channel bindings? I
guess it maybe because GSSAPI is behind the SASL layer, but I haven't
checked.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
> > On 07/10/2013 12:12 PM, Simo Sorce wrote:
> > > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> > >> Folks,
> > >> I
r AES is available since quite a few fedora release and RHEL6
Simo.
--
Simo Sorce * Red Hat, Inc * New York
not clear.
Very nice write up Erinn.
Thanks,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ross-realm trusts that would with Active Directory. In the
future this should work also with Samba4, but Samba4 code base currently
lacks support for cross-forest trusts.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
tr.collmedia.net krb5kdc[4190](info): ...
> CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net
>
> Do I need to add DNS too?
No, and you shouldn't have added ldap/fqdn either as you are not hosting
an LDAP server.
Just FYI: there is no error in the snippet above, the
_id parameters. Could that be
> the case? Can you check if after removing the cache the entry still shows up?
>
> I think that the fact that the entry is returned from cache even if it
> should be filtered out is a bug:
> https://fedorahosted.org/sssd/ticket/1954
So far we always maintained that if you consistently change
configuration (and a change of ranges is a big change) then it's on the
admin to wipe the cache file.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-05-24 at 16:18 +0200, Martin Kosek wrote:
> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> &
and all suggestions are greatly appreciated...
I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of sssd to validate and recompute the kerberos keys.
See this for some guidance:
d performance I'd start with the 389-ds documentation.
>
> rob
>
>
--
Simo Sorce * Red Hat, Inc. * New York
s to slowly move machines by
putting CNAMEs in the AD DNS that point the old company.tld names to the
new ipa domain names. This allows a slow smooth transition one machine
at a time for those which you need to keep visible at the old address.
CNAMEs do the correct thing Kerberos wise t
ey can and instead
delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
to ipa for all the ipa hosts (server.ipa.foo.bar,
clientX.ipa.foo.bar ...)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
>
> We need to add some smart logic to ipasam module to handle it.
>
The logic for trusted users needs to go into winbindd or sssd, ipasam is
only about our own domain.
Simo.
--
Simo Sorce * Red Hat, Inc *
086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000:
> updating zone 'collmedia.net/IN': update failed: rejected by secure
> update (REFUSED)
Something seems wrong with the Access Control policy ...
Simo.
s your 3rd party app is certified
> against.
AD supports simple binds with a username instead of a DN ... yeah not
standard but we might want to support it, we have a pre-bind plugin
after all, so we could if we want to, just a matter of creating a RFE
ticket.
Simo.
--
Simo Sorce * Red Hat,
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since the
and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender.
> Please note that any views or opinions presented in this email are solely
> those of the author and do not necessari
then hope people forget. :)
The only way we do this is visible in the RHEL src.rpm packages if I
remember correctly.
I think that's the only 'official' way we do it for now.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
t file.keytab on the keytab you get after you
run ipa-getkeytab ?
What enctypes do you see available ?
I suspect your solaris 9 kinit is choking on a request that does not
include des enctypes somehow ?
Can solaris 9 use any other encryption algorithm than des ?
Simo.
> On Wed, Mar 27, 2013
and change the
> password via ipa-getkeytab the kinit command on the Solaris client
> works normally.
>
> The ipa-getkeytab command must somehow be referencing
> "allow_weak_crypto" and storing the password differently depending on
> it.
>
> On Wed, Mar 27, 201
y change the
password of the user (as the user, not as an admin), and then kinit again
with the new credentials on Solaris, does it 'solve' your segfault
issue ?
In any case a segfault in a client command is something you need to
report to your OS vendor, even if it is indirectly caused by t
t; conversion in update and save methods. Register the new widget to widget
> repository. Then, one has to modify spec of appropriate facets to use it.
>
> HTH
Should we open a ticket with this RFE ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
> On 24.03.2013 04:27, Martin wrote:
> > Hello, apologize if this is a faq.
> >
> > We're trying to set up a file server that authenticate all users against
> > a FreeIPA-server. The systems are up to date CentOS 6 machines and
> > everything
ormation about privileges a user may have it was decided to
block memberof for unauthenticated binds.
The reasoning was that clients that can take correctly advantage of
freeipa's memberof can also authenticate in a secure way.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
could share your notes or write up a how-to the community
> would certainly appreciate it.
It would be very nice.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2013-03-13 at 21:10 -0430, Loris Santamaria wrote:
> On Wed, 13-03-2013 at 15:57 -0400, Simo Sorce wrote:
> > On Wed, 2013-03-13 at 14:36 -0430, Loris Santamaria wrote:
> > > On Wed, 13-03-2013 at 14:44 +0100, Petr Spacek wrote:
> > > > On 13.3.20
DAP on first connection...
The problem with this is that you need to explicitly configure the
client, and invent these new things in SSSD.
In our new proposal you do not need to do anything on the client, except
pointing it to ... itself!
So I am a bit confused about why you say the new proposal would be more
complicated ...
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2013-03-13 at 16:12 +0100, Natxo Asenjo wrote:
> hi,
>
> is it possible to do that?
If by local group you mean /etc/group then it is not possible.
Posix does not understand nested groups.
Simo.
--
Simo Sorce * Red Hat, Inc *
f ipa-client-install you can add multiple,
> hardcoded servers and still have failover. Basically you configure
> things to ignore the SRV records, so you shouldn't have to mess with the
> resolver at all.
Just want to note that we are working on a more manageable solution for
the fut
arsh but I want to make it very clear for our uses that
keytabs are *secrets* and should *never* be made available to the whole
system. It is exactly like putting a password in the clear in a file and
making it accessible to everyone.
In your case I guess you want to use 660 or 640.
Simo.
--
S
functional level
>
> Any help would be greatly appreciated!
Sorry Mark-Jan we do not support transitive trusts yet.
We are working on it, stay tuned.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
s there anyway around this to generate a wildcard cert for my local domain?
>
> Not using the IPA interfaces, no. There might be a way to do this by
> calling out to the underlying dogtag CA directly but we don't provide
> any mechanism to do that. You'd be on your own there
On Wed, 2013-02-27 at 09:31 -0500, Matthew Barr wrote:
> How about fixing up all the replication relationships, if you're looking at
> this from a (old) master w/ multiple replica's?
Look at the documentation of ipa-replica-manage on how to change
replication topology.
Simo.
master as DNS server you may want
to change your clients (or DHCP) configuration first to point them all
at the new master, and wait to remove the former until all machines have
switched to use the new DNS server.
Simo.
--
Simo Sorce * Red Hat, Inc * Ne
an clone
> this box and get healthy again?
>
Healthy will be, but with no data, don't do it. (and I suggest you make
a full backup just in case)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
by a public authority ?
When we say external we generally think of another "Internal CA" that
you already use for your own services.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
> Charlie
>
For this we should be able to use a service principal, not a full
account. Unless for some reason you need this principal to show up as a
user in the system (full posixAccount).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
>>
> >> filter="(&(objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn=*apac*)))"
> >>
> >>
> >
> > O.K. I presume it's obvious the consequence of this little experiment
> > is that if we do an RFE that results in removing the person
> > objectclass from non-human users you'll have to configure a custom
> > LDAP search filter in every client in your enterprise if you don't
> > want them to see non-human users in their search results.
> >
> Can it be managed via Puppet?
Unlikely, thunderbird preferences are per user and stored in user
preference files, which cannot be arbitrarily overridden.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-02-15 at 16:06 -0700, Orion Poplawski wrote:
> On 02/15/2013 04:03 PM, Simo Sorce wrote:
> > On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
> >> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
> >>> On 02/15/2013 02:34 PM, John Dennis wrote:
> &
ers you'll have to configure a custom LDAP search
> filter in every client in your enterprise if you don't want them to see
> non-human users in their search results.
Not really, without the person objectclass none of the attributes
thunderbird searches by default would be part of the user object, so the
user would *not* show up.
So the RFE would perfectly solve also the requirement these 'non-person'
users do not show up in thunderbird.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
AP
operations, or you can also simply delete the UPG and then recreate a
new group with the same gid number.
Just make sure you are comfortable with the security consequences for
the original user when doing so.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
hat
> not working unless the system user was in LDAP. This may have been before I
> started using SSSD on the servers so I'll need to retest this.
This is an interesting use case, it would probably be appropriate to
have a RFE filed to allow to create ipa users marked as 'non-pers
ep. Besides, integration in IPA probably won't happen
> without RBAC support in Fedora/RHEL, right ?
We can consider code contributions for this kind of features.
Of course not being able to test them in our default distro would make
them fragile and more subject to regressions, but I think t
On Thu, 2013-02-14 at 08:30 -0700, Rich Megginson wrote:
> On 02/14/2013 06:54 AM, Simo Sorce wrote:
> > On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote:
> >> Hi,
> >>
> >> Another interesting recommendation from security is that all granted
> >
oup, however no client
will respect that for now, so it would be a bit pointless if not
misguiding.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
rberos credentials (-Y GSSAPI tells
ldapsearch to use them to auth to the server).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
d strange back and forth with temporary
objects and so on.
It Meme,
if you are interested in helping in this direction please subscribe to
freeipa-devel and follow this thread:
https://www.redhat.com/archives/freeipa-devel/2013-February/msg00149.html
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote:
> Does IPA server 2.2 support the ipa clients authentication behind the NAT ?
Authentication works, password changes using kpasswd protocol do not.
Simo.
--
Simo Sorce * Red Hat, Inc * New Y
ys.
If you want to consistently have a different expiration time you should
change the password policy.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
; $ kinit -kt DNS/ipa2.xyz@xyz.dmz
> $ klist
>
> Simo, is it possible to do something like "kadmin -p admin" and "getprinc
> DNS/ipa2.xyz@xyz.dmz"?
you could use kadmin.local on the KDC
> It fails:
>
> kadmin: getprinc DNS/host.redhat@e.test
> get_principal: Operation requires ``get'' privilege while retrieving
> "DNS/host.redhat@e.test".
Interesting, this shouldn't happen, can you open a bug ?
(only if on 3.x)
> How it is possible to retrieve kvno and other details for IPA principals?
Use kvno command for now.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
kend returned: (0, 0, )
> > [Success]
> >
> > I disabled that allow_all rule, now it is fine.
>
> I don't know why that would make any difference. HBAC != sudo.
sudo uses pam so HBAC may be involved during auth
Simo.
--
Simo Sorce * Red Hat, Inc * New York
trying to configure our internal GitHub server to
> > > > > > use
> > > > > > Our
> > > > > > IPA
> > > > > > server's LDAP for user logins.
> > > > >
> > > >
> &
d you cannot reset the OTP password as that would
effectively mean destroying the hosts credentials while the host is
enrolled. Currently the IPA workflow expects you unenroll the client
first.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
and hostname validation.
Don't initialize NSS if we don't have to, clean up unused cert
refs
Update anonymous access ACI to protect secret attributes.
Become IPA 3.1.2
Simo Sorce (1):
Upload CA cert in the directory
cert signed by a "well known" CA was to be
> able to avoid installing the IPA CA in clients like Thunderbird and Firefox.
> Thoughts, comments, suggestions?
Sharing the same cert key between many machines is never a good idea.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
to retrieve cn=schema.
>
> I'd have sworn that openldap already did online schema this way.
Please open a bug, we should not depend on the remote schema being
readable.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
the details.
As for integration of Zimbra instances this is probably not the right
list to ask.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
for the previous email.
> Hit wrong button.
>
> We have not fully tried AD 2012 so that might be a bug in our code
> somewhere.
>
I am currently not aware of any issue with 2012 which is what I use in
my testing.
If anything specific to 2012 is found it would be nice to know.
Simo.
301 - 400 of 896 matches