Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Sumit Bose
On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote: > On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > > > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > > > >> Hola, > >> > >> Centos 7, up to date. > >> > >> [root@linuxidm ~]# ipa --version > >> VERSION:

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-11 Thread Sumit Bose
On Mon, Jul 11, 2016 at 03:46:57AM +, pgb205 wrote: > I have successfully established trust and am able to obtain ticket granting > ticket > kinit user@AD_DOMAIN.COM > I can also do kinit admin@IPA_DOMAIN.COM > ssh > admin@IPA_DOMAIN.COM also works > however, ssh user@AD_DOMAIN.COM or

Re: [Freeipa-users] k5login not working?

2016-07-07 Thread Sumit Bose
file on restart, so you still might want to use chattr +i to keep your changes. > > Thank you very, very much for the help. You're welcome. bye, Sumit > > > > > On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote: > > On Wed, Jul 06, 2016 at 03:30:56PM

Re: [Freeipa-users] k5login not working?

2016-07-06 Thread Sumit Bose
On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote: > I must be missing something really obvious. > > Our IPA server is set up in the usual way on CentOS 7.2, just a “yum > install ipa-server” and then an “ipa-server-install.” DNS is set up > correctly and is working. > > I’ve got a

Re: [Freeipa-users] How to deactivate automatic kinit at ssh login ?

2016-06-30 Thread Sumit Bose
On Thu, Jun 30, 2016 at 08:54:16AM +0200, bahan w wrote: > Hello ! > > I'm using freeipa 3.0.0-47. > > I send you this mail concerning the automatic kinit at ssh login. I wanted > to know if it was possible to deactivate it on a specific server? > > The reason is that I have some of my users

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Sumit Bose
On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote: > Hello, > > We are using FreeIPAv3 with SSSD with Hortonworks Cluster : > > - ipa-admintools-3.0.0-47 > > - ipa-client-3.0.0-47 > > - sssd-ipa-1.11.6-30 > > > According to the following

Re: [Freeipa-users] freeIPA 4.2: Smart Card Issues

2016-06-29 Thread Sumit Bose
On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote: > Greetings, > > Back in March I contacted the mailing list in regard to a problem I was > having with smartcards and screen locking. At that time I was provided a > patch to implement to lock the screen when the

Re: [Freeipa-users] Kinit with 2-Factor not working

2016-06-22 Thread Sumit Bose
On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote: > > Hello, > > On our current IPA realm where we have not used 2-factor, we’ve been able to > kinit to our FreeIPA realm from our laptops. All a Mac user needed to do, > for example was to configure a ‘krb5.conf’ file and then

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-22 Thread Sumit Bose
On Tue, Jun 21, 2016 at 01:23:11PM +0200, Martin Štefany wrote: > On 6/21/2016 1:16 PM, Sumit Bose wrote: > > On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote: > > > Hello Sumit, > > > > > > putting SELinux to permissive mode and/or enablin

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Sumit Bose
sd_ssh.log with the sequence from above (if you prefer directly to me) so that I can check why it failed in the first attempt and later succeeds. bye, Sumit > > > RH bug for selinux-policy: > https://bugzilla.redhat.com/show_bug.cgi?id=1348447 > > Thank you! > Martin > >

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Sumit Bose
On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote: > Hello all, > > I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I > figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) > systems > while I can to CentOS 7.2 (ipa-client and ipa-server)

Re: [Freeipa-users] FreeOTP

2016-06-16 Thread Sumit Bose
early next week. Btw, so far I would say it is an issue in libkrad. bye, Sumit > > Winny > > > Op 09-06-16 om 18:51 schreef Sumit Bose: > > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote: > > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wro

Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?

2016-06-10 Thread Sumit Bose
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote: > hi everyone > > there is a master IPA which in some weird way puts AD users into its ldap > catalog. I say weird cause there is no trust nor other sync established, > there was a trust agreement, one way type, but now 'trust-find' shows

Re: [Freeipa-users] FreeOTP

2016-06-09 Thread Sumit Bose
On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote: > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote: > > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote: > > > Hi all, > > > > > > I can install libvert-libev but removi

Re: [Freeipa-users] SSH login to client

2016-06-09 Thread Sumit Bose
On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote: > > > - Original Message - > From: "David Kupka" > To: "Pavel Picka" , freeipa-users@redhat.com > Sent: Thursday, June 9, 2016 1:45:26 PM > Subject: Re: [Freeipa-users] SSH login to client

Re: [Freeipa-users] SSH login to client

2016-06-09 Thread Sumit Bose
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote: > Hi, > > Does anyone have experience with this: when I create a user on ipa-server and want to log in on the > client with this user I get: > > Permission denied, please try again. > Permission denied, please try again. > Permission denied

Re: [Freeipa-users] FreeOTP

2016-06-09 Thread Sumit Bose
On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote: > Hi all, > > I can install libverto-libev but removing libverto-tevent will remove 123 > dependencies also. (wget, tomcat and much more...) > > Hence, I installed libverto-libev, but did not remove libverto-tevent to give > it a

Re: [Freeipa-users] after a server reboot no more login for korora users

2016-06-08 Thread Sumit Bose
On Wed, Jun 08, 2016 at 04:54:44PM +0200, Przemysław Orzechowski wrote: > Hi, I enrolled a > Centos 7 box into IPA (also stock centos 7 server) > for some time everything was working ok but now i can't ssh to the client > after client reboot > On every ssh login attempt i get such lines in sshd.log on

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Sumit Bose
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: > hi users, > > I have a samba and sssd trying AD, it's 7.2 Linux. > > That linux box is via sssd and samba talking to AD DC and win10 clients get > to samba shares, getent pass sees AD users, samba can get to DC's shares and > win10's

Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-02 Thread Sumit Bose
On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote: > On Wed, 01 Jun 2016, Geordie Grindle wrote: > > Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another > > file used to configure kerberos? > > > > I’ve built a host using Foreman and our puppet

Re: [Freeipa-users] dns location based discovery

2016-05-30 Thread Sumit Bose
On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote: > Hi all, > > The sssd-ipa man page will tell: > > ipa_enable_dns_sites (boolean) > Enables DNS sites - location based service discovery. > > If true and service discovery (see Service Discovery

Re: [Freeipa-users] AD membership realmd way + samba?

2016-05-20 Thread Sumit Bose
On Thu, May 19, 2016 at 05:42:27PM +0100, lejeczek wrote: > hi users/devs > > I've poked around samba list but was suggested to ask sssd people, I thought > IPA's might know as well. > > Having joined AD with realm - can samba take advantage of this membership? > And if so then to what extent?

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread Sumit Bose
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote: > > > On 13/05/16 14:14, Sumit Bose wrote: > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > .. if possible, would you know? > > > hi everybody, > > > I'm trying, and

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-13 Thread Sumit Bose
On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > .. if possible, would you know? > hi everybody, > I'm trying, and hoping it is possible to realm join an AD but is such a > way so I tap my IPA into specific OU within that AD. I'm not exactly sure what you mean here. Do you want to join

Re: [Freeipa-users] FreeIPA with smart card using LightDM

2016-04-29 Thread Sumit Bose
On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote: > I am wondering if anyone out there is currently using freeIPA with smart > cards along with LightDM. I have systems running SL7.2 with GDM and I have > users that prefer to use XFCE or KDE over the default GNOME-Shell.

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-28 Thread Sumit Bose
On Wed, Apr 27, 2016 at 07:54:57PM +, Anthony Cheng wrote: > Hi list, > > I am trying to renew expired certificates following the manual renewal > procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but > even with resetting the system/hardware clock to a time before

Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Sumit Bose
om > > Engineering Support: supp...@bloomip.com > Billing Support: bill...@bloomip.com > Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/> > > On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sb...@redhat.com> wrote: > > > On Wed, Apr 20

Re: [Freeipa-users] Servers intermittently losing connection to IPA

2016-04-21 Thread Sumit Bose
n.com.log. Thanks for your help! > > > > Jeff > > > > Jeff Hallyburton > > Strategic Systems Engineer > > Bloomip Inc. > > Web: http://www.bloomip.com > > > > Engineering Support: supp...@bloomip.com > > Billing Support: bill...@bloomip

Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Sumit Bose
On Mon, Apr 18, 2016 at 03:08:28PM +, Gady Notrica wrote: > Hi guys, > > >From the ipa server, I am having issue with the single user. Everyone else > >is fine, just this one single user and no help anywhere online. > > Please help! > > Thank you > > Apr 15 15:43:36 ipa.domain.com

Re: [Freeipa-users] Unable to setup FreeIPA and MIT kerberos cross domain trust

2016-04-13 Thread Sumit Bose
On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote: > Hi, > > > I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I > have already created krbtgt in the both FreeIPA and MIT Kerberos. I can > successfully get Kerberos ticket from the both domains. However

Re: [Freeipa-users] AD Integration change propagation timing

2016-04-08 Thread Sumit Bose
On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote: > I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa > 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2. > Given a simple scenario of a group in active directory that is mapped to a

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-24 Thread Sumit Bose
> Computer Support Group > Building 1009, Room C156 > Stennis Space Center, MS 39529 > On 03/22/2016 07:25 AM, Sumit Bose wrote: > >On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote: > >>Hi Sumit, > >> > >>It has been a week

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-22 Thread Sumit Bose
Any feedback, good or bad, is welcome. bye, Sumit > > Thanks, > > *Michael Rainey* > > On 03/11/2016 02:32 AM, Sumit Bose wrote: > >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote: > >>Greetings, > >> > >>I have been a

Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

2016-03-18 Thread Sumit Bose
On Fri, Mar 18, 2016 at 12:08:04PM -0400, Jeff Goddard wrote: > Found the syntax error. Apparently the DN is: > dn:cn=ipaconfig,cn=etc,dc=internal,dc=emerlyn,dc=com rather than > dn:cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com > > > > On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb < >

Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Sumit Bose
On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote: > I set up freeipa in my environment and works perfectly. > > But just on one host , I am not able to authenticate. I get a permission > denied error. > > The sssd version I have is 1.12 > > the krb5_child log does point to

Re: [Freeipa-users] sudo with OTP

2016-03-14 Thread Sumit Bose
On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote: > Hi, > > I have OTP setup and working just fine for logging into any servers, > when attempting to run any command with sudo I get a "First factor:" > prompt, I have entered my normal password but it fails. This only > happens when OTP

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Sumit Bose
On Fri, Mar 11, 2016 at 09:20:06AM +0100, Martin Kosek wrote: > On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote: > > Greetings, > > > > I have been adding systems to my new domain and utilizing the smart card > > login > > feature. To date the smart card login feature is working very

Re: [Freeipa-users] Lock screen when Smart Card is removed.

2016-03-11 Thread Sumit Bose
On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote: > Greetings, > > I have been adding systems to my new domain and utilizing the smart card > login feature. To date the smart card login feature is working very well. > However, my group has been trying to implement

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
RROR: This command can not be used to change ID allocation for local > >IPA domain. Run `ipa help idrange` for more information > > > > > >Thanks, > > > >Darren. > > > > > >On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit >

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
elp idrange` for more information 'ipa idrange-find' should show a second idrange with 'Range type: local domain range'. Can you try if you can add the RID bases there? bye, Sumit > > > Thanks, > > Darren. > > > On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote: > Hi, > > We're currently trying to set up an AD domain (great fun for a bunch of > linux admins… not) so that we can get authentication working with various > bits of hardware that only support AD. We want this domain to trust our >

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Sumit Bose
On Mon, Mar 07, 2016 at 09:58:20AM +0100, Natxo Asenjo wrote: > On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote: > > > On 03/05/2016 06:00 AM, Rob Crittenden wrote: > > > Natxo Asenjo wrote: > > >> > > >> By the way, revoking the certificate does not block applications

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Thu, Feb 25, 2016 at 11:58:04AM +, lejeczek wrote: > On 25/02/16 09:32, Sumit Bose wrote: > >On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote: > >>On 25/02/16 08:21, Sumit Bose wrote: > >>>On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote: >

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote: > On 25/02/16 08:21, Sumit Bose wrote: > >On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote: > >>On 24/02/16 14:22, Sumit Bose wrote: > >>>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote: >

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Wed, Feb 24, 2016 at 10:27:36PM +, lejeczek wrote: > > > On 24/02/16 17:20, lejeczek wrote: > >On 24/02/16 14:22, Sumit Bose wrote: > >>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote: > >>>On 24/02/16 11:26, Sumit Bose wrote: > >&

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-25 Thread Sumit Bose
On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote: > On 24/02/16 14:22, Sumit Bose wrote: > >On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote: > >>On 24/02/16 11:26, Sumit Bose wrote: > >>>On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote: >

Re: [Freeipa-users] FreeIPA problem with AD trust setup

2016-02-24 Thread Sumit Bose
On Wed, Feb 24, 2016 at 01:30:11PM +0100, Daniel wrote: > Hello, > > I'm trying to setup trust with our AD domain in test environment, but I've > got an error: > ipa trust-add --type=ad test.local --two-way=1 --admin Administrator > --password > > ipa: ERROR: CIFS server communication error:

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread Sumit Bose
On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote: > On 24/02/16 11:26, Sumit Bose wrote: > >On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote: > >>he everybody, > >>my first tampering with install gets me: > >> > >>Feb 24 11:04:22 my.host

Re: [Freeipa-users] installation of ipa-server successful but sssd fails..

2016-02-24 Thread Sumit Bose
On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote: > hi everybody, > my first tampering with install gets me: > > Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up > Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read > keytab [default]: Bad address >

Re: [Freeipa-users] ID Views without AD

2016-02-19 Thread Sumit Bose
to be seeing my UID changing like I'd expect, and I seem > > to no longer be able to run sudo on my client... > > > > If I unapply the view from my client's host, though, sudo again works as > > expected. So, it's picking up... something... just not quite everything yet. >

Re: [Freeipa-users] ID Views without AD

2016-02-18 Thread Sumit Bose
On Thu, Feb 18, 2016 at 11:26:58AM +0100, Sumit Bose wrote: > On Tue, Feb 16, 2016 at 04:23:10PM +, Mike Kelly wrote: > > >> Thanks. Here's what is hopefully the relevant lines: > > > > > > I'm sorry, but these logs only capture how the original entry was >

Re: [Freeipa-users] ID Views without AD

2016-02-18 Thread Sumit Bose
On Tue, Feb 16, 2016 at 04:23:10PM +, Mike Kelly wrote: > >> Thanks. Here's what is hopefully the relevant lines: > > > > I'm sorry, but these logs only capture how the original entry was > searched, not the overrides. Can you capture the full logs since the sssd > startup? Also please make

Re: [Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

2016-02-17 Thread Sumit Bose
On Tue, Feb 16, 2016 at 10:23:30PM +, Nathan Peters wrote: > I have created a trust between my FreeIPA domain and an active directory > domain. I can get a kerberos ticket properly from the other domain at the > command line on the IPA server. > I have also created sudo and HBAC rules to

Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Sumit Bose
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote: > Hi guys > > I've just installed a RHEL7 server with ipa-server 4.2.0... > > Everything seems to work fine, until I add a service principal: > > (Running on a client, after a kinit) > > [root@dantooine ~]# ipa-getkeytab -s

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-15 Thread Sumit Bose
On Mon, Feb 15, 2016 at 11:10:41AM +0200, Alexander Bokovoy wrote: > On Mon, 15 Feb 2016, Sumit Bose wrote: > >On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote: > >>On Fri, 12 Feb 2016, Jakub Hrozek wrote: > >>>On Fri, Feb 12, 2016 at 01:29:47PM

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-15 Thread Sumit Bose
On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote: > On Fri, 12 Feb 2016, Jakub Hrozek wrote: > >On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote: > >>On Fri, 12 Feb 2016, w...@dds.nl wrote: > >>>Hi all, > >>> > >>>Yes, you can filter out certain SIDs--> I tried,

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-11 Thread Sumit Bose
On Thu, Feb 11, 2016 at 11:16:14AM +1100, Nik Lam wrote: > On Thu, Feb 11, 2016 at 1:42 AM, Sumit Bose <sb...@redhat.com> wrote: > > > On Wed, Feb 10, 2016 at 11:07:14PM +1100, Nik Lam wrote: > > > On Wed, Feb 10, 2016 at 7:43 PM, Sumit Bose <sb...@redhat.com> wr

Re: [Freeipa-users] smart cards containing multiple certificates

2016-02-11 Thread Sumit Bose
On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote: > Greetings, > > I'm curious as to how IPA handles smart cards containing multiple > certificates. When I follow the steps listed at > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1 > when

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-10 Thread Sumit Bose
On Wed, Feb 10, 2016 at 11:07:14PM +1100, Nik Lam wrote: > On Wed, Feb 10, 2016 at 7:43 PM, Sumit Bose <sb...@redhat.com> wrote: > > > On Wed, Feb 10, 2016 at 12:07:45PM +1100, Nik Lam wrote: > > > On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <sb...@redhat.com> wr

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-10 Thread Sumit Bose
On Wed, Feb 10, 2016 at 12:07:45PM +1100, Nik Lam wrote: > On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <sb...@redhat.com> wrote: > > > On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote: > > > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sb...@redhat.com> wr

Re: [Freeipa-users] Migrating NIS host to freeIPA host with smart card

2016-02-10 Thread Sumit Bose
On Tue, Feb 09, 2016 at 04:54:55PM -0600, Michael Rainey (Contractor) wrote: > Greetings, > > I have a question about migrating a system from NIS to freeIPA. In my > efforts of setting up a host on freeIPA I would normally use a fresh install > to setup the system. I'm now at a point where I'm

Re: [Freeipa-users] Active Directory Trust = filter users

2016-02-10 Thread Sumit Bose
On Wed, Feb 10, 2016 at 09:42:28AM +0100, Jakub Hrozek wrote: > On Tue, Feb 09, 2016 at 11:58:46AM +0100, Winfried de Heiden wrote: > >Hi all, > > > >Using an Active Directory Trust with IPA all works fine but there's a > >disadvantage: it might bring in lots and lots of groups I am

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-09 Thread Sumit Bose
On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote: > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sb...@redhat.com> wrote: > > > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sb...@redhat.com> wr

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-08 Thread Sumit Bose
On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote: > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sb...@redhat.com> wrote: > > > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > > > Hello, > > > > > > I installed ipa-server on Centos 7

Re: [Freeipa-users] FreeIPA / AD Trust Relationship

2016-02-08 Thread Sumit Bose
On Wed, Feb 03, 2016 at 11:17:46AM -0600, Josh Pospisil wrote: > I have successfully set up a trust between AD (windows server 2012) and > freeIPA following this guide: > http://www.freeipa.org/page/Active_Directory_trust_setup > > My hope in doing this was to allow the users I have created on

Re: [Freeipa-users] PKINIT support in FreeIPA 4.2.0

2016-02-03 Thread Sumit Bose
On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote: > Hello, > > I installed ipa-server on Centos 7.1 and later did an upgrade of the whole > system to Centos 7.2. > > I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these > Centos/RHEL minor releases. > > We'd now like to

Re: [Freeipa-users] Enabling smart card on GDM manually.

2016-02-03 Thread Sumit Bose
On Wed, Feb 03, 2016 at 01:14:20PM -0600, Michael Rainey (Contractor) wrote: > Please disregard this message. I discovered the answer after the message > was sent. > > There is a locks file in /etc/dconf/db/distro.d/locks. I edited the > /etc/dconf/db/distro.d/10-authconfig and rebooted. It is

Re: [Freeipa-users] freeipa client in DMZ

2016-02-02 Thread Sumit Bose
On Tue, Feb 02, 2016 at 02:12:58PM +, Baird, Josh wrote: > I believe the sssd clients will need to communicate directly with your AD > domain controllers, unfortunately. I wish there was a clean way around this, > since we have a ton of DC's in our HUB site, and I don't really want to poke

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
est build with the patch. bye, Sumit > > On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote: > > > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote: > > > gdb stacktrace attached. > > > > Can you install the debuginfo with > >

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-28 Thread Sumit Bose
On Wed, Jan 27, 2016 at 06:53:43PM +, Birnbaum, Warren (ETW) wrote: > I started this post with a simple question: "is it possible to have HBAC > work with AD authenticated users". I was not able from the tips provided > to get any further with this. > > What I have not been able to have

Re: [Freeipa-users] ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTUserAttrs"

2016-01-28 Thread Sumit Bose
On Wed, Jan 27, 2016 at 02:51:07PM -0600, Anil Kommareddy wrote: > Hi All, > > > > I have an ipa-server-4.2.0-15.el7_2.3.x86_64 on which I installed > ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64 and ran "ipa-adtrust-install > --add-sids" command. After some initial issues it started working

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote: > Hi, > > We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7 > replicas in different regions. Earlier there was only 1 replica. Since I > added new replicas, on the master node, once in a while the kerberos >

Re: [Freeipa-users] Kerberos process coredump | authentication fails

2016-01-28 Thread Sumit Bose
the crash. bye, Sumit > found this one line odd though. > > *Jan 26 03:15:58 ipa.example.net <http://ipa.example.net> > krb5kdc[4471](Error): worker 4473 exited with status 134* > > > Let me try to get the full BT. > > On 28 January 2016 at 13:54, Sumit Bose <s

Re: [Freeipa-users] Active Directory and IPA Client

2016-01-25 Thread Sumit Bose
On Mon, Jan 25, 2016 at 10:15:42AM -0700, Cameron Christensen wrote: > Hello, > > I have a trust established between Windows Active Directory and IPA. > From the IPA server I can get details about AD users but not from a > server configured as an IPA client. > > [root@ipa_server ~]# getent

Re: [Freeipa-users] changing password on user using ldappasswd

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:59:22AM +, FE9817 FE-DDIS.DK wrote: > Hi, > > I'm trying to change password for a user, using ldap, but it hangs. Here is > what is done. > > :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D > "uid=admin,cn=users,cn=accounts,dc=com" -W -S >

Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote: > Hi all, > > Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side > we're just not able to see AD "Domain Local Groups". > > Is that just not possible (a limitation of the current version that is), is > some extra

Re: [Freeipa-users] Two Factor = SSHKeys + OTP or Password

2015-12-22 Thread Sumit Bose
On Tue, Dec 22, 2015 at 06:51:25PM +0530, Yogesh Sharma wrote: > Hi List, > > Did not see any options for SSH Keys + OTP or Password, However would like > to know if it is possible with FreeIPA user. > > With Generic SSH , We can use AuthenticationMethods, but not sure where > to check in

Re: [Freeipa-users] Active Directory Sites and IPA-AD-Trust

2015-12-16 Thread Sumit Bose
On Wed, Dec 16, 2015 at 10:33:17AM +, wouter.hummel...@kpn.com wrote: > Hi All, > > While TCPdumping logins on an IPA client using an AD account I found out that > SSSD doesn't take AD Sites into account. I see a DNS lookup for > _kerberos._udp. and _kerberos._tcp. and then a Kerberos >

Re: [Freeipa-users] AD group members

2015-12-16 Thread Sumit Bose
On Wed, Dec 16, 2015 at 09:46:37AM +0100, Winfried de Heiden wrote: > Hi all, > > Adding AD-users to an IPA external group seems to be problematic. However, > adding AD-groups (with AD-users as members) to a IPA external groups seems to > work well. Four groups were created and all are shown.

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 11:38:08AM -0500, Alexander Bokovoy wrote: > > > - Original Message - > > Hi, > > > > If PAC is not being used using key, how is group membership determined? > By asking IPA master to give list of groups AD user belongs to. > The complexity of this process makes

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote: > Using an EL7 client, lots of times the IPA (posix) groups are missing, > or partly missing. Doing some debugging, sssd_pac.log shows: > > (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000): > Group with

Re: [Freeipa-users] Cross Domain Trust

2015-12-15 Thread Sumit Bose
On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote: > I’ve setup an IPA-Server with a handful of clients and AD-Trust. > The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu > Server 14.04 LTS. > Our IPA-Domain is like ipa-domain.com and our AD-Domain is like >

Re: [Freeipa-users] AD group members

2015-12-15 Thread Sumit Bose
correctly that with 1.12.4-47 the groups are always correct while with 1.13.0-40 the groups are missing when not using SSH keys? bye, Sumit > > Winny > > Op 15-12-15 om 09:59 schreef Sumit Bose: > > On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote: > >

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-13 Thread Sumit Bose
On Sat, Dec 12, 2015 at 01:34:53PM +0100, Stefano Cortese wrote: > > > This is expected because if either the principal or the user name is > known to SSSD the localauth plugin will take control because by default > the added modules are registered first (see [plugins] section of man >

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Sumit Bose
On Tue, Dec 08, 2015 at 02:33:40PM +0100, Stefano Cortese wrote: > Hi Sumit > yes it works commenting out the line 'enable_only = sssd' and making > the file immutable , namely the .k5login file is read and enforced. > But with respect to the solution emptying completely the snippet, it is lost > the

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Sumit Bose
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > >> So the questions are: > >> - is there another cleaner way to exclude the localauth sssd plugin > >> (considering that the configuration snippet is recreated at every sssd > >> restart)? > > > >Can you test if this hack would

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
On Fri, Nov 27, 2015 at 04:31:49PM +0100, Morgan Marodin wrote: > Hi everyone. > > After updating my FreeIPA server to 7.2 OS version (it's a RHEL like > distribution) I've some problems authenticating with Active Directory > credentials. > > Testing it on 6.7 OS clients it works using Windows

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote: > Hi Sumit. > > I don't know why, but now kerberos ticket authentication is working on 6.7 > clients. > On 7.2 clients now password authentications with Active Directory > credentials is working ... but not with kerberos ticket. This

Re: [Freeipa-users] Problem with AD authentication after updating to 7.2 OS server

2015-11-27 Thread Sumit Bose
ease set LogLevel to DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain confidential keys or passwords). bye, Sumit > Thanks, Morgan > > 2015-11-27 17:47 GMT+01:00 Sumit Bose <sb...@redhat.com>: > > > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Sumit Bose
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote: > On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: > >Hi all, > > > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > > > ># ipa hbacrule-show testuser > > Rule name: testuser > >

Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Sumit Bose
On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote: > HI > > The plot thickens. I think I actually have 2 issues: > > The first issue is that in the title of this thread, and was caused by "the > wrong kernel". > > The second issue, that some ipa users cannot log on (but mine

Re: [Freeipa-users] Invalid UID in persistent keyring name while getting default cache. on OEL 7.1

2015-11-19 Thread Sumit Bose
ch low ids. > > Chris > > > > From: Christopher Lamb/Switzerland/IBM@IBMCH > To: Sumit Bose <sb...@redhat.com> > Cc: freeipa-users@redhat.com > Date: 19.11.2015 11:20 > Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name >

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 09:33:48AM +0100, Troels Hansen wrote: > > - On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote: > > > > > do you see any more details if you run pdbedit with '-d 255' ? > > > > Not really: > > pdbedit -d 255 -L

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Sumit Bose
On Thu, Nov 05, 2015 at 10:05:19AM +0100, Natxo Asenjo wrote: > On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo > wrote: > > > hi, > > > > since yesterday I have a strange situation in one of our joined hosts. > > > > i can login using a kerberos ticket, but not using

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Sumit Bose
ttps://fedorahosted.org/freeipa/ticket/3609 to fix this. HTH bye, Sumit > > ----- On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote: > > > On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote: > >> Hi again, so I finally got time to look further into th

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Sumit Bose
On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote: > Well, I think the problem here being that I miss the attributes. > One "funny" thing being that apparently, some users have had ipantuserattrs > objectclass and a ipaNTSecurityIdentifier SID added. Some don't (including > mine). >

Re: [Freeipa-users] FreeIPA dogtag pkinit

2015-10-30 Thread Sumit Bose
On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote: > Hello, > > I search a way to use pkinit > (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with > FreeIPA (even without dogtag). > > Can someone give me a howto for this ? I can follow the steps described in

Re: [Freeipa-users] Why are some user's information not stored in the LDAP database?

2015-10-16 Thread Sumit Bose
On Fri, Oct 16, 2015 at 04:01:08PM +0200, Fujisan wrote: > Yes, sorry, you're right. It works. I was using the wrong command: > > $ ldapsearch -x -h localhost uid=smith > > instead of > > $ ldapsearch -x -h localhost -D cn=directory\ manager -W -b > cn=users,cn=accounts,dc=example,dc=test

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-09 Thread Sumit Bose
DAP attribute from AD. Since this happens in the common code for user lookup it is executed for IPA users as well. But I agree that this message is annoying and I created https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users. bye, Sumit > > ? > > Regards, > > Gui

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-07 Thread Sumit Bose
On Tue, Oct 06, 2015 at 03:39:43PM +0200, Alexander Skwar wrote: > Hello Sumit > > ipa-client-install hasn't set krb5_realm. I did that. > > We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf > in chef. So it overwrote, whatever ipa-client-install put there. And that's >
