On Thu, 2012-03-29 at 08:58 +0200, Natxo Asenjo wrote:
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce s...@redhat.com wrote:
CNAMEs should work just fine with the host's HTTP/A-name@REALM
key.
In fact I just tested a virtual host on my ipa server using
On Thu, 2012-03-29 at 20:43 +0200, Natxo Asenjo wrote:
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce s...@redhat.com wrote:
Your configuration looks right, but I went back and looked at
your logs
and I saw a permission denied error.
I would check
as the client
will not have the right name to get a ticket against, and, if I
understand the scenario, it will not even have access to the KDC to get
a ticket from.
Once 2.2 is released and form-based auth will be available you should be
able to make it work with that.
Simo.
--
Simo Sorce * Red
://www.redhat.com/mailman/listinfo/freeipa-users
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
or the WebUI tools.
Simo.
of
the master (just the specific CA files needed)?
If you are using the dogtag CA it wouldn't as it uses a DS instance as
well. If you are using the selfsigned CA well, I guess you have no other
option.
Simo.
(LDAP, KRB, DNS).
Simo.
Solaris 11 in production as per today.
Do you see anything special on the KDC side when you get that error in
the console ?
Do you play with enctypes when you obtain the system keytab ?
Simo.
logs. And yes, I did try to limit the enc
types to 3des and below, it still did not work.
Depending on how this was done it may be the issue.
I will have to visit this again later.
Ok, let me know if we can help somehow.
Simo.
environment,
MIT Kerberos libraries are thread safe, this has been the case for a
long while now. If you have specific questions or doubts feel free to
ask.
Simo.
trust support.
Simo.
?
Is this after IPA is fully installed ? Or does the installer fail ?
Simo.
On Fri, 2012-05-04 at 16:44 +0200, David Juran wrote:
On fre, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
[04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from
local to /var/run/slapd-SRV-VOLVO-COM.socket
[04/May
.
on adjustment? Thanks.
See above.
Simo.
was replicating to before you rebuild a replica with the
exact same name.
This is because krb tickets are cached but you will change the long term
key with a full reinstall, so the current master will have a ticket the
replica cannot decrypt.
Simo.
passwords for a while.
Password policies are applied at password change time, if you want to
change the password expiration time of a specific user w/o forcing a
password change then you need to change the krbPasswordExpiration
attribute on the user.
Simo.
this exercise will be
helpful to someone else, and thanks Rob for responding so quickly the
other day.
Chris,
thanks a lot for getting back with your solution, it is very valuable
for all users that may end up in the same weird situation.
Simo.
to handle that automatically in 389ds, but
for now you have to go that route.
Simo.
expiration entries.
It would be nice if you could open a ticket so we can track this RFE and
not forget about it.
Thanks.
Simo.
.
version of the
sssd-client package.
Simo.
of
the supported mechs and punts.
Simo.
part is still a weak point of the Web UI, if you want you can
open a RFE ticket to ask for better support for these flags, we need to
do it at some point we simply haven't yet as we concentrated on more
important and pressing issues this far.
Simo.
is coming from 389-ds, not from the KDC ACLs.
For whatever it's worth I tried this in 2.2.0 and it worked.
In 2.2 we do not restrict kadmin/kdc as much as we did in 2.1
Simo.
On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
On Tue, May 15, 2012 at 3:24 PM, Simo Sorce s...@redhat.com wrote:
On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
So going through the documentation it's clearly laid out not
to use
kadmin
according to this
page: http://www.freeipa.org/page/PasswordSynchronization
I think we do that automatically when the agreement is created, but
checking won't hurt.
Simo.
/index.html
Thanks - any help would be appreciated!
to explicitly request a set of enctypes on a new keytab.
Please remember that running ipa-getkeytab will invalidate your previous
keys.
HTH.
Simo.
On Thu, 2012-05-31 at 15:13 +0100, Dale Macartney wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 31/05/12 15:10, Simo Sorce wrote:
On Thu, 2012-05-31 at 07:55 +0100, Dale Macartney wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 31/05/12 00:13, Dmitri Pal
the replication topology is 1-3) and replication
will commence.
This is an issue with re-install of a replica that we are going to
address as soon as possible, meanwhile the workaround is to restart the
master you are going to replicate from after you run a
ipa-replica-manage del
Simo.
logs, if you are having replication errors they should
show up in the logs.
Simo.
after 3.0 at least.
Simo.
to migrate from ?
rfc2309/rfc2309bis ? other ?
Simo.
(for
example HTTP/fqdn@REALM for http servers).
If your scripts are arbitrary you may decide to create your own script
principal (useful if you want to assign special ACIs to it in IPA as you
can reference the service account under cn=services in ACIs in theory).
Simo.
it to true ? The 'isInitiator=false' may be
necessary in AD where servicePrincipals and userPrincipals are
considered distinct entities and AD forbids servicePrincipals to perform
AS Requests, but this is not limited in IPA, by default you should be
able to initiate just fine.
HTH,
Simo.
be able to delete the outgoing
trust right after it is created, it should cause trouble for win users
that want to access ipa hosts.
We may take an RFE about creating only a one way trust, but it won't be
there by 3.0 I think.
Simo.
/o that collaboration there isn't much you can really do in any case.
Simo.
On Tue, 2012-06-19 at 09:28 -0700, Stephen Ingram wrote:
On Fri, Jun 15, 2012 at 6:09 AM, Simo Sorce s...@redhat.com wrote:
On Fri, 2012-06-15 at 00:10 -0700, Stephen Ingram wrote:
Is it possible for accounts in cn=etc,cn=sysaccounts to have kerberos
principals or must you use the cn
writeup!
I see you use mod_ssl, can this configuration be obtained with mod_nss
as well ?
I was going to try it but on an ipa server we use mod_nss and would like
to avoid having to find out how to reconfigure stuff to use mod_ssl.
Simo.
On Wed, 2012-06-20 at 10:01 +0100, Darran Lofthouse wrote:
On 06/19/2012 07:12 PM, Stephen Ingram wrote:
On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce s...@redhat.com wrote:
On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal d...@redhat.com
in
migration mode, a bind will check if the password is valid, and if it is
it will generate the kerberos keys out of it.
Simo.
and a couple substitutions.
However this is a possible solution.
Simo.
/Libvirt_with_VNC_Consoles
Kind regards,
James,
excellent write up.
Thanks a lot!
Simo.
.
used.
Simo.
On Mon, 2012-06-25 at 15:39 -0400, Dmitri Pal wrote:
On 06/25/2012 02:36 PM, Simo Sorce wrote:
On Mon, 2012-06-25 at 13:51 -0400, Dmitri Pal wrote:
Simo are you sure simple bind is enough? I thought that it should be a
bind over SSL with some specific ext op. Do I recall it wrong?
A bind
at a git tree with some work.
Maybe you can coordinate to do some testing, that would be useful.
I'm CCing him.
Simo.
the new keytab to the
machine in a temporary (but protected) location like /root/nfs.keytab
Then use the ktutil tool to merge the 2 keytab files
into /etc/krb5.keytab
ktutil is not the most intuitive tool, but the documentation should be
good enough to sort out what you need to do.
Simo.
.
Simo.
even if the whole sssd dies.
Simo.
= true
Why does ipa-getkeytab fail here. Using both des-cbc-crc:normal and
des-cbc-crc:afs3 works, but OpenAFS
does not like them.
You need to change the supported enc types in LDAP for ipa to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
ldap.
Simo.
=
As I mentioned, I can create keytabs with des-cbc-crc:normal and
des-cbc-crc:afs3,
but not with des-cbc-crc:v4, which is what OpenAFS uses.
Qing
On 11/07/2012 8:28 AM, Simo Sorce wrote:
On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
please forgive me if this is a question that has
to obtain a
new keytab.
Simo.
keep in mind we discourage using ipausers as a posix group
for performance reasons in domain with many users and recommend instead
to create smaller targeted groups.
Simo.
On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
On 11/07/2012 5:46 PM, Dmitri Pal wrote:
On 07/11/2012 04:01 PM, Qing Chang wrote:
On 11/07/2012 3:23 PM, Simo Sorce wrote:
On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
Because the integration of Kerberos in IPA
/YubiRadius_integration_with_group-validated_FreeIPA_Users_using_LDAPS
Have a great weekend all.
Thanks Dale,
great stuff.
Simo.
/ipa.server.fqdn in
the krb5kdc.log ?
Simo.
them to be able to su - anybody...
In a way before I could do that with the wheel group and pam.
I think you want to look at sudo -i
Simo.
This was probably meant for the freeipa-users mailing list.
Simo.
---BeginMessage---
sudo -i su - oracle
No, you would run sudo -i oracle. -i = simulate initial login.
Alternately, you can use sudo -s oracle for run shell as oracle
Or you can run
from letting that
happen.
Simo.
configuration centrally.
Simo.
tell me what operation was being performed by sssd when you
caught that error ?
Can you check if immediately before another identical operation had been
performed ?
Simo.
of Firefox and restarting see me logged back in as my adm account...
So what do I need to do to flush? reboot my workstation?
logout or manually run kdestroy
Simo.
such a problem if so what needs to be done to
resolve it ?
IPA server version 2.1.3. API version 2.13
Was this server upgraded from a 2.0.x one ?
Simo.
attributes to allow zone transfers.
Can you check the ipaserver-upgrade.log file and see if there are any
errors in there ?
Simo.
Regards,
Robert..
On 27 July 2012 17:29, Simo Sorce s...@redhat.com wrote:
On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
Hi
, but the structure of the drivers
is not much different, so I am surprised it would be much slower,
however it is possible, I would like to find out what is going on with
your help.
Simo.
On Tue, 2012-07-31 at 21:08 +0200, Sigbjorn Lie wrote:
On 07/31/2012 01:50 PM, Simo Sorce wrote:
On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
On Tue, July 31, 2012 10:20, Petr Spacek wrote:
On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
Hi,
I've been having performance
you please provide the command you are running to re-join the
machine ?
Simo.
though, I can use this command on other systems just fine,
it is just this one system that it is failing on.
Thanks,
Sara Kline
-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Thursday, August 02, 2012 8:26 AM
To: Kline, Sara
Cc: freeipa-users@redhat.com
if there is any error in the https error log on the ipa
server related to this error when running ipa host-del ?
Simo.
/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Directory_Tree.html#Designing_the_Directory_Tree-Virtual_Directory_Information_Tree_Views
, and a
kerberos level trust between 2 IPA servers can be done with some manual
work, but there are some details when it comes to providing identity to
the other domain that are missing. (Although SSSD can be configured
easily enough to use 2 separate FreeIPA domains if really needed).
Simo.
memberships will work better.
Simo.
.
The CNAME trick works better for load balancing (using DNS round robin)
in active/active solutions.
Simo.
you cannot acquire tickets for it.
So if your host ovm-c19-db does not have a DNS entry (either using IPA's
DNS server or an external DNS server) you can't get tickets.
Also, name resolution generally must match the hostname as that is what
is used to register a client into ipa.
Simo.
On Tue, 2012-08-07 at 13:35 -0700, Rob Ogilvie wrote:
On Tue, Aug 7, 2012 at 1:24 PM, Simo Sorce s...@redhat.com wrote:
Kerberos depends on proper name resolution. If a hostname cannot be
resolved you cannot acquire tickets for it.
So if your host ovm-c19-db does not have a DNS entry
that they need to ask the AD KDC for the hosts under
mydomain.com
So ultimately, I would put as many machines as you can under
UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to
establish a trust between the AD domain and the IPA domain.
Simo.
zone to be
useful.
Simo.
On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce s...@redhat.com wrote:
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
-I'm going to set up the IPA server with a new realm;
UNIX.MYCOMPANY.COM (do I need to have our DNS folks put
- Original Message -
Hi,
Let us assume just the two systems directly connected to the
internet. I am specifically interested in what the security
implications would be, not ways to get around them (e.g. point-to-
point tunnel). I have read that kerberos was designed for untrusted
- Original Message -
OK - thanks.
But is there any way IPA can be tweaked to do this without an
external
product (albeit a Red Hat one)? Is it possible for the sssd clients
to
round-robin their requests between 2 or more servers?
At the moment only by using _srv_ records you
primary serves of ipa1, ipa2, while client 2 has ipa2,
ipa1, and so on.
Without control of name resolution on the server side at the moment we do not
have other ways to do load balancing.
Simo.
Thanks
Duncan Innes | Linux Architect
-Original Message-
From: Simo Sorce
- Original Message -
Hello,
I'm trying to build trust between FreeIPA and Windows Server 2008R2.
It is said that FreeIPA uses samba as the AD server, but I found
that 389 Directory Server is also installed. So which is used as the
directory service for FreeIPA. If it is samba, why 389
- Original Message -
I think I'll raise a ticket then. Not that the _srv_ records don't
do
the right job. It's just that in my scenario they are unusable. I
can't be alone in deploying IPA in a network already dominated by
AD.
For now (as I said in another reply), I'll randomly
/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
Does this command work ?
Simo.
forward.
Simo.
only once in a while.
Simo.
offline if no reachable KDC can be found and
updates
or deletes the info file for the locator plugin..
This leave us with the question how to ping a KDC properly, but this
we
have to find out for either case.
I am not a fan of generating load for the KDC unnecessarily.
Simo.
On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
What about defining a task in the SSSD krb5 provider instead of
pinging
it from the locator plugin. The task can run at a configurable
interval
or never
is a good idea, and have the nice side
effect of automatically locking new accounts if the user never uses them.
Simo.
.
If selinux is not completely disabled this shouldn't happen anymore, however,
should it happen you can simply remove the file, it is not vital and will
get recreated after you restart named.
Simo.
that may cause shell expansion.
Hope this helps.
Simo.
not happen ?
Simo.
?
If you can describe the flow of operations we might be able to guide you
to the right solution.
Also would be nice to understand what OS OpenVPN is running on.
If the PAM stack is used fully (account phase at least) then HBAC may be
a better way to do this sort of check.
Simo.
that).
Create 2 services openvpn1 and openvpn2 and then use HBAC to assign
appropriate access control to those service for the openvpn
concentrator.
Simo.
service.
If not pam_sss will return a suitable error in the account phase and
openvpn should return an authentication error.
HTH,
Simo.
password does not meet policy?
Steven,
I think this is a bug in RHEL, and should be fixed in the next update.
Simo.
= Only' ? If you do not
use this setting that is most likely the problem.
If you do then it may be a bug in samba.
Have you given samba access for writing to the sambaNTPassword
attribute ?
(you shouldn't, samba should be allowed only to read).
Simo.
On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
Hello together,
we are running IPA on RHEL6.3 for quite some time.
We are also using IPA to provide the LDAP backend for our samba