On Fri, 2015-02-20 at 10:53 +0100, Petr Vobornik wrote:
> >> [Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173]
> [client
> >> 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported
> >> mechanism was
> >> requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
>
On Fri, 2015-02-20 at 11:44 +0100, Gianluca Cecchi wrote:
> On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik wrote:
>
> > On 02/20/2015 09:44 AM, Martin Kosek wrote:
> >
> >> On 02/20/2015 02:00 AM, Dan Mossor wrote:
> >>
> >>> I just installed a new server on Fedora 21 Server, using the rolekit
>
should I configure freeipa to do host lookups for aliases like NIS does?
While NIS supports hosts maps, FreeIPA strongly encourages the use of
DNS, as such we do not have direct means of providing or querying hosts
maps.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
> On 27/02/15 18:33, Simo Sorce wrote:
> > On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
> >> Hi
> >>
> >> I'm trying to migrate of my NIS databases to freeipa and have got to th
On Mon, 2015-03-02 at 12:29 +, Roderick Johnstone wrote:
> On 27/02/15 20:04, Simo Sorce wrote:
> > On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
> >> On 27/02/15 18:33, Simo Sorce wrote:
> >>> On Fri, 2015-02-27 at 18:19 +, Roder
David Guertin
>
An IPA server is always also a client of itself.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
he priority in the SRV records as replicas come and go?
Not yet.
> Is there more to it than this?
See above.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
a loadbalancer in front of my ipa servers.
> >>>>>
> >>>>> Are you talking about FreeIPA web interface? It is technically possible
> >>>>> to use
> >>>>> load-balancer but it will be really hacky. You would have to solve
> >>>>> certificates and also distribute shared keytabs and so on.
> >>>>>
> >>>>> I would recommend you to use "something" which issues HTTP redirect to
> >>>>> ipa
> >>>>> server 1/2/3/4/5 according to current state instead of using classical
> >>>>> load
> >>>>> balancer on the network level. Normal HTTP redirect will not force you
> >>>>> to mess
> >>>>> with certs and keytabs.
> >>>>>
> >>>>> --
> >>>>> Petr^2 Spacek
> >
> >
> > --
> > Petr Spacek @ Red Hat
--
Simo Sorce * Red Hat, Inc * New York
to at least userPassword and krbPrincipalKey.
Simo.
P.S. David, please do not start a new thread by replying to old mails.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 2012-12-27 at 10:11 -0500, Michael B. Trausch wrote:
> On 12/26/2012 10:23 AM, Simo Sorce wrote:
> > It's missing the sasl library's debug info.
> >
> > Could you install cyrus-sasl-debuginfo and regenerate the stack trace
> > from the core file ?
>
On Wed, 2013-01-02 at 08:00 -0500, Stephen Gallagher wrote:
> On 12/28/2012 10:23 AM, Michael B. Trausch wrote:
> > On 12/28/2012 08:56 AM, Simo Sorce wrote:
> >> However re-reading the ticket made me wonder. Is this happening on the
> >> F18 machine or on the Cento
ambaNTpassword or ipaNThash attributes.
None of these attributes are readable, so you will not see them. Only
'cn=Directory Manager' can retrieve them, because that account has super
powers.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ations.
Set ChallengeResponseAuthentication yes in sshd_config, this should
allow conversations and proper errors to show up.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ted me a day trying to fix it. I had to
> reinstall my test machine to make it work properly.
>
Thanks a lot, I added a note to the page.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote:
> HI,
>
> I assume RHEL 6.4 is GA shortly, just how straightforward is the upgrade from
> one IPA version to another please?
> regards
Should just require an rpm upgrade and a restart and nothing else.
Simo.
--
Simo Sorce
;> The windows team at my place of work will want to know exactly what
> >>> >>> the tool will do before they grant permission.
> >>> >
> >>> I have added this information to the AD trusts wiki page:
> >>> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >>
> >> That link only gets me to an empty wiki page...
> > It is moved to HOWTOs:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>
> Should we create a redirection? At least for users digging in archives?
I actually explicitly removed it to avoid clutter in the root :)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
httpd:[ OK ]
> Starting httpd: [Tue Jan 15 09:10:03 2013] [warn] worker
> ajp://localhost:9447/ already used by another worker
> [Tue Jan 15 09:10:03 2013] [warn] worker ajp://localhost:9447/ already used
> by another worker
work in the
> real world.
>
We haven't resumed work to integrate radius as a full feature component
of FreeIPA yet, sorry.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
f for those client.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2013-01-16 at 17:44 +0100, Han Boetes wrote:
> +- entering group Kerberos {...}
> rlm_krb5: [hb] krb5_sname_to_principal failed: Hostname cannot be
> canonicalized
Something's wrong in your configuration.
Probably the host name is not an FQDN or similar.
Simo.
--
Simo S
for the previous email.
> Hit wrong button.
>
> We have not fully tried AD 2012 so that might be a bug in our code
> somewhere.
>
I am currently not aware of any issue with 2012 which is what I use in
my testing.
If anything specific to 2012 is found it would be nice to know.
Simo.
the details.
As for integration of Zimbra instances this is probably not the right
list to ask.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
to retrieve cn=schema.
>
> I'd have sworn that openldap already did online schema this way.
Please open a bug, we should not depend on the remote schema being
readable.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
cert signed by a "well known" CA was to be
> able to avoid installing the IPA CA in clients like Thunderbird and Firefox.
> Thoughts, comments, suggestions?
Sharing the same cert key between many machines is never a good idea.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
and hostname validation.
Don't initialize NSS if we don't have to, clean up unused cert
refs
Update anonymous access ACI to protect secret attributes.
Become IPA 3.1.2
Simo Sorce (1):
Upload CA cert in the directory
d you cannot reset the OTP password as that would
effectively mean destroying the hosts credentials while the host is
enrolled. Currently the IPA workflow expects you unenroll the client
first.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
trying to configure our internal GitHub server to
> > > > > > use
> > > > > > Our
> > > > > > IPA
> > > > > > server's LDAP for user logins.
> > > > >
> > > >
> &
kend returned: (0, 0, )
> > [Success]
> >
> > I disabled that allow_all rule, now it is fine.
>
> I don't know why that would make any difference. HBAC != sudo.
sudo uses pam so HBAC may be involved during auth
Simo.
--
Simo Sorce * Red Hat, Inc * New York
; $ kinit -kt DNS/ipa2.xyz@xyz.dmz
> $ klist
>
> Simo, is it possible to do something like "kadmin -p admin" and "getprinc
> DNS/ipa2.xyz@xyz.dmz"?
you could use kadmin.local on the KDC
> It fails:
>
> kadmin: getprinc DNS/host.redhat@e.test
> get_principal: Operation requires ``get'' privilege while retrieving
> "DNS/host.redhat@e.test".
Interesting, this shouldn't happen, can you open a bug ?
(only if on 3.x)
> How it is possible to retrieve kvno and other details for IPA principals?
Use kvno command for now.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ys.
If you want to consistently have a different expiration time you should
change the password policy.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-02-08 at 00:57 +0530, Rajnesh Kumar Siwal wrote:
> Does IPA server 2.2 supports the ipa clients authentication behind the NAT ?
Authentication works, password changes using kpasswd protocol do not.
Simo.
--
Simo Sorce * Red Hat, Inc * New Y
d strange back and forth with temporary
objects and so on.
It Meme,
if you are interested in helping in this direction please subscribe to
freeipa-devel and follow this thread:
https://www.redhat.com/archives/freeipa-devel/2013-February/msg00149.html
Simo.
--
Simo Sorce * Red Hat, Inc * New York
rberos credentials (-Y GSSAPI tells
ldapsearch to use them to auth to the server).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
oup, however no client
will respect that for now, so it would be a bit pointless if not
misguiding.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Thu, 2013-02-14 at 08:30 -0700, Rich Megginson wrote:
> On 02/14/2013 06:54 AM, Simo Sorce wrote:
> > On Thu, 2013-02-14 at 10:02 +0100, Dag Wieers wrote:
> >> Hi,
> >>
> >> Another interesting recommendation from security is that all granted
> >
ep. Besides, integration in IPA probably won't happen
> without RBAC support in Fedora/RHEL, right ?
We can consider code contributions for this kind of features.
Of course not being able to test them in our default distro would make
them fragile and more subject to regressions, but I think t
hat
> not working unless the system user was in LDAP. This may have been before I
> started using SSSD on the servers so I'll need to retest this.
This is an interesting use case, it would probably be appropriate to
have a RFE filed to allow to create ipa users marked as 'non-pers
AP
operations, or you can also simply delete the UPG and then recreate a
new group with the same gid number.
Just make sure you are comfortable with the security consequences for
the original user when doing so.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ers you'll have to configure a custom LDAP search
> filter in every client in your enterprise if you don't want them to see
> non-human users in their search results.
Not really, without the person objectclass none of the attributes
thunderbird searches by default would be part of the user object, so the
user would *not* show up.
So the RFE would perfectly solve also the requirement these 'non-person'
users do not show up in thunderbird.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-02-15 at 16:06 -0700, Orion Poplawski wrote:
> On 02/15/2013 04:03 PM, Simo Sorce wrote:
> > On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
> >> On 02/15/2013 04:54 PM, Orion Poplawski wrote:
> >>> On 02/15/2013 02:34 PM, John Dennis wrote:
> &
>>
> >> filter="(&(objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn=*apac*)))"
> >>
> >>
> >
> > O.K. I presume it's obvious the consequence of this little experiment
> > is that if we do an an RFE that results in removing the person
> > objectclass from non-human users you'll have to configure a custom
> > LDAP search filter in every client in your enterprise if you don't
> > want them to see non-human users in their search results.
> >
> Can it be managed via Puppet?
Unlikely, thunderbird preferences are per user and stored in user
preference files, which cannot be arbitrarily overridden.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
> Charlie
>
For this we should be able to use a service principal, not a full
account. Unless for some reason you need this principal to show up as a
user in the system (full posixAccount).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
by a public authority ?
When we say external we generally think of another "Internal CA" that
you already use for your own services.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
an clone
> this box and get healthy again?
>
Healthy will be, but with no data, don't do it. (and I suggest you make
a full backup just in case)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
master as DNS server you may want
to change your clients (or DHCP) configuration first to point them all
at the new master, and wait to remove the former until all machines have
switched to use the new DNS server.
Simo.
--
Simo Sorce * Red Hat, Inc * Ne
On Wed, 2013-02-27 at 09:31 -0500, Matthew Barr wrote:
> How about fixing up all the replication relationships, if you're looking at
> this from a (old) master w/ multiple replica's?
Look at the documentation of ipa-replica-manage on how to change
replication topology.
Simo.
s there anyway around this to generate a wildcard cert for my local domain?
>
> Not using the IPA interfaces, no. There might be a way to do this by
> calling out to the underlying dogtag CA directly but we don't provide
> any mechanism to do that. You'd be on your own there
functional level
>
> Any help would be greatly appreciated!
Sorry Mark-Jan we do not support transitive trusts yet.
We are working on it, stay tuned.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
arsh but I want to make it very clear for our users that
keytabs are *secrets* and should *never* be made available to the whole
system, It is exactly like putting a password in the clear in a file and
making it accessible to everyone.
In your case I guess you want to use 660 or 640.
Simo.
--
S
f ipa-client-install you can add multiple,
> hardcoded servers and still have failover. Basically you configure
> things to ignore the SRV records, so you shouldn't have to mess with the
> resolver at all.
Just want to note that we are working on a more manageable solution for
the fut
On Wed, 2013-03-13 at 16:12 +0100, Natxo Asenjo wrote:
> hi,
>
> is it possible to do that?
If by local group you mean /etc/group then it is not possible.
Posix does not understand nested groups.
Simo.
--
Simo Sorce * Red Hat, Inc *
DAP on first connection...
The problem with this is that you need to explicitly configure the
client, and invent these new things in SSSD.
In our new proposal you do not need to do anything on the client, except
pointing it to ... itself!
So I am a bit confused about why you say the new proposal would be more
complicated ...
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2013-03-13 at 21:10 -0430, Loris Santamaria wrote:
> On Wed, 13-03-2013 at 15:57 -0400, Simo Sorce wrote:
> > On Wed, 2013-03-13 at 14:36 -0430, Loris Santamaria wrote:
> > > On Wed, 13-03-2013 at 14:44 +0100, Petr Spacek wrote:
> > > > On 13.3.20
could share your notes or write up a how-to the community
> would certainly appreciate it.
It would be very nice.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ormation about privileges a user may have it was decided to
block memberof for unauthenticated binds.
The reasoning was that clients that can take correctly advantage of
freeipa's memberof can also authenticate in a secure way.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Sun, 2013-03-24 at 10:03 +0600, Arthur Fayzullin wrote:
> 24.03.2013 04:27, Martin wrote:
> > Hello, apologize if this is a faq.
> >
> > We're trying to set up a file server that authenticate all users against
> > a FreeIPA-server. The systems are up to date CentOS 6 machines and
> > everything
t; conversion in update and save methods. Register the new widget to widget
> repository. Then, one has to modify spec of appropriate facets to use it.
>
> HTH
Should we open a ticket with this RFE ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
y change the
password of the user (as the user no as an admin), and then kinit again
with the new credentials on Solaris, does it 'solve' your segfault
issue ?
In any case a segfault in a client command is something you need to
report to your OS vendor, even if it is indirectly caused by t
and change the
> password via ipa-getkeytab the kinit command on the Solaris client
> works normally.
>
> The ipa-getkeytab command must somehow be referencing
> "allow_weak_crypto" and storing the password differently depending on
> it.
>
> On Wed, Mar 27, 201
t file.keytab on the keytab you get after you
run ipa-getkeytab ?
What enctypes do you see available ?
I suspect your solaris 9 kinit is choking on a request that does not
include des enctypes somehow ?
Can solaris 9 use any other encryption algorithm than des ?
Simo.
> On Wed, Mar 27, 2013
then hope people forget. :)
The only way we do this is visible in the RHEL src.rpm packages if I
remember correctly.
I think that's the only 'official' way we do it for now.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender.
> Please note that any views or opinions presented in this email are solely
> those of the author and do not necessari
On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since the
s your 3rd party app is certified
> against.
AD supports simple binds with a username instead of a DN ... yeah not
standard but we might want to support it, we have a pre-bind plugin
after all, so we could if we want to, just a matter of creating a RFE
ticket.
Simo.
--
Simo Sorce * Red Hat,
086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000:
> updating zone 'collmedia.net/IN': update failed: rejected by secure
> update (REFUSED)
Something seems wrong with the Access Control policy ...
Simo.
On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
>
> We need to add some smart logic to ipasam module to handle it.
>
The logic for trusted users needs to go into winbindd or sssd, ipasam is
only about our own domain.
Simo.
--
Simo Sorce * Red Hat, Inc *
ey can and instead
delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
to ipa for all the ipa hosts (server.ipa.foo.bar,
clientX.ipa.foo.bar ...)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
s to slowly move machines by
putting CNAMEs in the AD DNS that point the old company.tld names to the
new ipa domain names. This allows a slow smooth transition one machine
at a time for those which you need to keep visible at the old address.
CNAMEs do the correct thing Kerberos wise t
d performance I'd start with the 389-ds documentation.
>
> rob
>
--
Simo Sorce * Red Hat, Inc. * New York
and all suggestions are greatly appreciated...
I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of sssd to validate and recompute the kerberos keys.
See this for some guidance:
On Fri, 2013-05-24 at 16:18 +0200, Martin Kosek wrote:
> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> &
_id parameters. Could that be
> the case? Can you check if after removing the cache the entry still shows up?
>
> I think that the fact that the entry is returned from cache even if it
> should be filtered out is a bug:
> https://fedorahosted.org/sssd/ticket/1954
So far we always maintained that if you consistently change
configuration (and a change of ranges is a big change) then it's on the
admin to wipe the cache file.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
tr.collmedia.net krb5kdc[4190](info): ...
> CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net
>
> Do I need to add DNS too?
No, and you shouldn't have added ldap/fqdn either as you are not hosting
an LDAP server.
Just FYI: there is no error in the snippet above, the
ross-realm trusts that would with Active Directory. In the
future this should work also with Samba4, but Samba4 code base currently
lacks support for cross-forest trusts.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
not clear.
Very nice write up Erinn.
Thanks,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
r AES is available since quite a few fedora release and RHEL6
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Fri, 2013-07-12 at 10:04 -0500, Anthony Messina wrote:
> On Wednesday, July 10, 2013 05:00:53 PM Dmitri Pal wrote:
> > On 07/10/2013 12:12 PM, Simo Sorce wrote:
> > > On Wed, 2013-07-10 at 11:45 -0400, Erinn Looney-Triggs wrote:
> > >> Folks,
> > >> I
full SSL verification is on. But Clients usually do not
have X509 certificates, so there is no mutual authentication at the SSL
level in that case and MITM becomes much easier.
Now the question would be: why postfix doesn't do channel bindings? I
guess it maybe because GSSAPI is behind the SASL layer, but I haven't
checked.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
ek and should be able to
> > help.
>
> Is the GSS proxy configured by ipa-client-automount?
No, gssproxy is quite new and we do not configure it by default at this
stage.
It has been tested only with NFS (both server and client) on Fedora 19.
Simo.
--
Sim
cket, then the problem still exists. I'm working on a set of
> GSS expiry patches and I'll make sure this problem is solved in the kernel.
Just to avoid confusion.
GSS-Proxy doesn't really handle renews at this stage (except as a
possible side effect of GSSAPI doing it und
On Mon, 2013-07-15 at 08:50 -0500, Dean Hunter wrote:
> On Mon, 2013-07-15 at 09:33 -0400, Simo Sorce wrote:
> > On Fri, 2013-07-12 at 17:15 -0500, Dean Hunter wrote:
> > > On Fri, 2013-07-12 at 16:52 -0400, Dmitri Pal wrote:
> > > > F19 has GSS proxy. I encourag
ytab
> is /var/lib/gssproxy?
no the default keytab is always /etc/krb5.keytab
>
Simo.
>
>
> Sent from Samsung Mobile
>
>
>
> ---- Original message
> From: Simo Sorce
> Date:
> To: "Adamson, Andy"
> Cc: and...@wasielewski.co.
bPwdHistory attribute from the user's entry the user
will have no history.
That should be sufficient to allow you to change 'back' his password.
Other means are: change the password as many times as
krbPwdHistoryLength says and finally you'll be able to start agai
While
> this is better than sending them with each request, it still presents
> an opportunity where credentials can be intercepted, no?
Yours is a valid concern.
Please open a RFE ticket to make the form-based login page/mechanism
disableable.
Simo.
--
Simo Sorce * Red Hat, Inc * New
an pass -k /etc/httpd/conf/ipa.keytab
directly.
ipa-getkeytab will properly append the fetched keys to the keytab and no
further, error prone, manual merging will be necessary.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
let me
> know.
Do you also block the 'net user' command on Windows clients ?
It's the same as 'passwd' on Linux clients.
I would address the problem by using proper password policies as I (now)
see Petr recommended in another emai
issue?
>
> That suggests a DNS problem,
> and it might explain ssh as
> well depending
>
the CA, it always uses startTLS on port 7389.
We should also probably note that in newer versions of FreeIPA we have
consolidated all instances in one, so only port 389 is used.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
rything. Is this what you did in your old setup ?
> After the replica install is done:
>
>
> 7. Shut down and delete the ipamaster2 VM.
Do not forget to ipa-replica-manage remove it first.
> 8. Upgrade existing "replicas" to F18 and latest IPA version.
> 9. Estab
On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote:
> On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce wrote:
> On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote:
> > Okay, I have a replica built and running. My original,
> "sick" server
>
. I have no idea how it works with
> > shadow map/password. Try to ask sssd-us...@lists.fedorahosted.org.
> >
> And to add to it:
> IPA does not keep password in clear or the hashes that are used in
> passwd and shadow files for security reasons so it can't generate these
&
use
the script to call 'nsupdate' and issue GSS-TSIG signed dns update
requests.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
rpc.gssd cannot
find your ticket, ssh may be doing something "wrong" in this case.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> >
> > > I do NOT believe this:
> > > [dean@ipa2 ~]$ ssh dean@desktop2
> > &g
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote:
> On 09/11/2013 11:49 AM, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> >> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> >>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunte
ou mean by integrating here.
Is your intent to use Samba4 as an AD domain controller for your Windows
clients and IPA for your servers ?
If that's the case unfortunately this is not possible at the moment as
samba4 does not yet support Forest level trusts.
A Micr
t;
> 2013/9/11 Simo Sorce
> On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva
> wrote:
> > Hello!
> >
> >
> > First I apologize if this topic is redundant.
> >
> >
>
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > > > On Wed, 2013-09-11 at
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> ticket, but once you alnd of the cmahine there are no credentials
this meant to be 'land on the machine', sorry for my typing impairment.
Simo.
--
Simo Sorce * Red Hat, I