On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
> On 11 July 2016 at 16:44, Alexander Bokovoy wrote:
>
> > On Mon, 11 Jul 2016, Lachlan Musicman wrote:
> >
> >> Hola,
> >>
> >> Centos 7, up to date.
> >>
> >> [root@linuxidm ~]# ipa --version
> >> VERSION:
On Mon, Jul 11, 2016 at 03:46:57AM +, pgb205 wrote:
> I have successfully established trust and am able to obtain ticket granting
> ticket
> kinit user@AD_DOMAIN.COM
> I can also do kinit admin@IPA_DOMAIN.COM
> ssh admin@IPA_DOMAIN.COM also works
> however, ssh user@AD_DOMAIN.COM or
file on restart, so you still
might want to use chattr +i to keep your changes.
>
> Thank you very, very much for the help.
You're welcome.
bye,
Sumit
>
>
>
>
> On July 6, 2016 at 1:00:53 PM, Sumit Bose (sb...@redhat.com) wrote:
>
> On Wed, Jul 06, 2016 at 03:30:56PM
On Wed, Jul 06, 2016 at 03:30:56PM -0400, Jeffery Harrell wrote:
> I must be missing something really obvious.
>
> Our IPA server is set up in the usual way on CentOS 7.2, just a “yum
> install ipa-server” and then an “ipa-server-install.” DNS is set up
> correctly and is working.
>
> I’ve got a
On Thu, Jun 30, 2016 at 08:54:16AM +0200, bahan w wrote:
> Hello !
>
> I'm using freeipa 3.0.0-47.
>
> I send you this mail concerning the automatic kinit at ssh login ? I wanted
> to know if it was possible to deactivate it on a specific server ?
>
> The reason is that I have some of my users
On Wed, Jun 29, 2016 at 09:04:47AM +, tstorai@orange.com wrote:
> Hello,
>
> We are using FreeIPAv3 with SSSD with Hortonworks Cluster :
>
> - ipa-admintools-3.0.0-47
>
> - ipa-client-3.0.0-47
>
> - sssd-ipa-1.11.6-30
>
>
> According with the following
On Tue, Jun 28, 2016 at 04:41:39PM -0500, Michael Rainey (Contractor) wrote:
> Greetings,
>
> Back in March I contacted the mailing list in regard to a problem I was
> having with smartcards and screen locking. At that time I was provided a
> patch to implement to lock the screen when the
On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
>
> Hello,
>
> On our current IPA realm where we have not used 2-factor, we’ve been able to
> kinit to our FreeIPA realm from our laptops. All a Mac user needed to do,
> for example was to configure a ‘krb5.conf’ file and then
On Tue, Jun 21, 2016 at 01:23:11PM +0200, Martin Štefany wrote:
> On 6/21/2016 1:16 PM, Sumit Bose wrote:
> > On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote:
> > > Hello Sumit,
> > >
> > > putting SELinux to permissive mode and/or enablin
sd_ssh.log with the sequence from
above (if you prefer directly to me) so that I can check why it failed
in the first attempt and later succeeds.
bye,
Sumit
>
>
> RH bug for selinux-policy:
> https://bugzilla.redhat.com/show_bug.cgi?id=1348447
>
> Thank you!
> Martin
>
>
On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote:
> Hello all,
>
> I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I
> figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client)
> systems
> while I can to CentOS 7.2 (ipa-client and ipa-server)
early next week.
Btw, so far I would say it is an issue in libkrad.
bye,
Sumit
>
> Winny
>
>
> On 09-06-16 at 18:51, Sumit Bose wrote:
> > On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
> > > On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wro
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
> On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
> > On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> > > Hi all,
> > >
> > > I can install libverto-libev but removi
On Thu, Jun 09, 2016 at 08:43:57AM -0400, Pavel Picka wrote:
>
>
> - Original Message -
> From: "David Kupka"
> To: "Pavel Picka" , freeipa-users@redhat.com
> Sent: Thursday, June 9, 2016 1:45:26 PM
> Subject: Re: [Freeipa-users] SSH login to client
On Thu, Jun 09, 2016 at 07:18:19AM -0400, Pavel Picka wrote:
> Hi,
>
> Does anyone have experience with this: when I create a user on ipa-server and
> want to log in on a client with this user, I get:
>
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied
On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
> Hi all,
>
> I can install libverto-libev but removing libverto-tevent will remove 123
> dependencies also. (wget, tomcat and much more...)
>
> Hence, I installed libverto-libev, but did not remove libverto-tevent to give
> it a
On Wed, Jun 08, 2016 at 04:54:44PM +0200, Przemysław Orzechowski wrote:
> Hi, I enrolled a
> CentOS 7 box into IPA (also a stock CentOS 7 server).
> For some time everything was working OK, but now I can't ssh to the client
> after a client reboot.
> On every ssh login attempt I get such lines in sshd.log on
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:
> hi users,
>
> I have a samba and sssd trying AD, it's 7.2 Linux.
>
> That linux box is via sssd and samba talking to AD DC and win10 clients get
> to samba shares, getent pass sees AD users, samba can get to DC's shares and
> win10's
On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jun 2016, Geordie Grindle wrote:
> > Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
> > file used to configure kerberos?
> >
> > I’ve built a host using Foreman and our puppet
On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:
> Hi all,
>
> The sssd-ipa man page will tell:
>
> ipa_enable_dns_sites (boolean)
> Enables DNS sites - location based service discovery.
>
> If true and service discovery (see Service Discovery
On Thu, May 19, 2016 at 05:42:27PM +0100, lejeczek wrote:
> hi users/devs
>
> I've poked around samba list but was suggested to ask sssd people, I thought
> IPA's might know as well.
>
> Having joined AD with realm - can samba take advantage of this membership?
> And if so then to what extent?
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
>
>
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and
On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> .. if possible, would you know?
> hi everybody,
> I'm trying, and hoping it is possible to realm join an AD but is such a
> way so I tap my IPA into specific OU within that AD.
I'm not exactly sure what you mean here. Do you want to join
On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote:
> I am wondering if anyone out there is currently using freeIPA with smart
> cards along with LightDM. I have systems running SL7.2 with GDM and I have
> users that prefer to use XFCE or KDE over the default GNOME-Shell.
On Wed, Apr 27, 2016 at 07:54:57PM +, Anthony Cheng wrote:
> Hi list,
>
> I am trying to renew expired certificates following the manual renewal
> procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> even with resetting the system/hardware clock to a time before
om
>
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>
> On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Wed, Apr 20
n.com.log. Thanks for your help!
> >
> > Jeff
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip
On Mon, Apr 18, 2016 at 03:08:28PM +, Gady Notrica wrote:
> Hi guys,
>
> From the ipa server, I am having issue with the single user. Everyone else
> is fine, just this one single user and no help anywhere online.
>
> Please help!
>
> Thank you
>
> Apr 15 15:43:36 ipa.domain.com
On Tue, Apr 12, 2016 at 06:56:51PM -0700, Vivek Shrivastava wrote:
> Hi,
>
>
> I am trying to setup cross domain trust between FreeIPA and MIT Kerberos. I
> have already created krbtgt in the both FreeIPA and MIT Kerberos. I can
> successfully get Kerberos ticket from the both domains.However
On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
> I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
> 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
> Given a simple scenario of a group in active directory that is mapped to a
> Computer Support Group
> Building 1009, Room C156
> Stennis Space Center, MS 39529
> On 03/22/2016 07:25 AM, Sumit Bose wrote:
> >On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> >>Hi Sumit,
> >>
> >>It has been a week
Any feedback, good or bad, is welcome.
bye,
Sumit
>
> Thanks,
>
> *Michael Rainey*
>
> On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>Greetings,
> >>
> >>I have been a
On Fri, Mar 18, 2016 at 12:08:04PM -0400, Jeff Goddard wrote:
> Found the syntax error. Apparently the DN is:
> dn:cn=ipaconfig,cn=etc,dc=internal,dc=emerlyn,dc=com rather than
> dn:cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com
>
>
>
> On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <
>
On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> I set up freeipa in my environment and it works perfectly.
>
> But just on one host, I am not able to authenticate. I get a permission
> denied error.
>
> The sssd version I have is 1.12
>
> the krb5_child log does point to
On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
> Hi,
>
> I have OTP setup and working just fine for logging into any servers,
> when attempting to run any command with sudo I get a "First factor:"
> prompt, I have entered my normal password but it fails. This only
> happens when OTP
On Fri, Mar 11, 2016 at 09:20:06AM +0100, Martin Kosek wrote:
> On 03/10/2016 08:36 PM, Michael Rainey (Contractor) wrote:
> > Greetings,
> >
> > I have been adding systems to my new domain and utilizing the smart card
> > login
> > feature. To date the smart card login feature is working very
On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have been adding systems to my new domain and utilizing the smart card
> login feature. To date the smart card login feature is working very well.
> However, my group has been trying to implement
RROR: This command can not be used to change ID allocation for local
> >IPA domain. Run `ipa help idrange` for more information
> >
> >
> >Thanks,
> >
> >Darren.
> >
> >
> >On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
>
elp idrange` for more information
'ipa idrange-find' should show a second idrange with 'Range type: local
domain range'. Can you try if you can add the RID bases there?
bye,
Sumit
>
>
> Thanks,
>
> Darren.
>
>
> On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.
On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
> Hi,
>
> We're currently trying to set up an AD domain (great fun for a bunch of
> linux admins not) so that we can get authentication working with various
> bits of hardware that only support AD. We want this domain to trust our
>
On Mon, Mar 07, 2016 at 09:58:20AM +0100, Natxo Asenjo wrote:
> On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek wrote:
>
> > On 03/05/2016 06:00 AM, Rob Crittenden wrote:
> > > Natxo Asenjo wrote:
> > >>
> > >> By the way, revoking the certificate does not block applications
On Thu, Feb 25, 2016 at 11:58:04AM +, lejeczek wrote:
> On 25/02/16 09:32, Sumit Bose wrote:
> >On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:
> >>On 25/02/16 08:21, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
>
On Thu, Feb 25, 2016 at 09:21:06AM +, lejeczek wrote:
> On 25/02/16 08:21, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
> >>On 24/02/16 14:22, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
>
On Wed, Feb 24, 2016 at 10:27:36PM +, lejeczek wrote:
>
>
> On 24/02/16 17:20, lejeczek wrote:
> >On 24/02/16 14:22, Sumit Bose wrote:
> >>On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> >>>On 24/02/16 11:26, Sumit Bose wrote:
> >&
On Wed, Feb 24, 2016 at 05:20:30PM +, lejeczek wrote:
> On 24/02/16 14:22, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> >>On 24/02/16 11:26, Sumit Bose wrote:
> >>>On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
>
On Wed, Feb 24, 2016 at 01:30:11PM +0100, Daniel wrote:
> Hello,
>
> I'm trying to setup trust with our AD domain in test environment, but I've
> got an error:
> ipa trust-add --type=ad test.local --two-way=1 --admin Administrator
> --password
>
> ipa: ERROR: CIFS server communication error:
On Wed, Feb 24, 2016 at 12:45:55PM +, lejeczek wrote:
> On 24/02/16 11:26, Sumit Bose wrote:
> >On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> >>hi everybody,
> >>my first tampering with install gets me:
> >>
> >>Feb 24 11:04:22 my.host
On Wed, Feb 24, 2016 at 11:21:13AM +, lejeczek wrote:
> hi everybody,
> my first tampering with install gets me:
>
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Starting up
> Feb 24 11:04:22 my.host.fake sssd[be[host.fake]][17425]: Failed to read
> keytab [default]: Bad address
>
to be seeing my UID changing like I'd expect, and I seem
> > to no longer be able to run sudo on my client...
> >
> > If I unapply the view from my client's host, though, sudo again works as
> > expected. So, it's picking up... something... just not quite everything yet.
>
On Thu, Feb 18, 2016 at 11:26:58AM +0100, Sumit Bose wrote:
> On Tue, Feb 16, 2016 at 04:23:10PM +, Mike Kelly wrote:
> > >> Thanks. Here's what is hopefully the relevant lines:
> > >
> > > I'm sorry, but these logs only capture how the original entry was
>
On Tue, Feb 16, 2016 at 04:23:10PM +, Mike Kelly wrote:
> >> Thanks. Here's what is hopefully the relevant lines:
> >
> > I'm sorry, but these logs only capture how the original entry was
> searched, not the overrides. Can you capture the full logs since the sssd
> startup? Also please make
On Tue, Feb 16, 2016 at 10:23:30PM +, Nathan Peters wrote:
> I have created a trust between my FreeIPA domain and an active directory
> domain. I can get a kerberos ticket properly from the other domain at the
> command line on the IPA server.
> I have also created sudo and HBAC rules to
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
> Hi guys
>
> I've just installed a RHEL7 server with ipa-server 4.2.0...
>
> Everything seems to work fine, until I add a service principal:
>
> (Running on a client, after a kinit)
>
> [root@dantooine ~]# ipa-getkeytab -s
On Mon, Feb 15, 2016 at 11:10:41AM +0200, Alexander Bokovoy wrote:
> On Mon, 15 Feb 2016, Sumit Bose wrote:
> >On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote:
> >>On Fri, 12 Feb 2016, Jakub Hrozek wrote:
> >>>On Fri, Feb 12, 2016 at 01:29:47PM
On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote:
> On Fri, 12 Feb 2016, Jakub Hrozek wrote:
> >On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote:
> >>On Fri, 12 Feb 2016, w...@dds.nl wrote:
> >>>Hi all,
> >>>
> >>>Yes, you can filter out certain SIDs--> I tried,
On Thu, Feb 11, 2016 at 11:16:14AM +1100, Nik Lam wrote:
> On Thu, Feb 11, 2016 at 1:42 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Wed, Feb 10, 2016 at 11:07:14PM +1100, Nik Lam wrote:
> > > On Wed, Feb 10, 2016 at 7:43 PM, Sumit Bose <sb...@redhat.com> wr
On Wed, Feb 10, 2016 at 04:05:20PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I'm curious as to how IPA handles smart cards containing multiple
> certificates. When I follow the steps listed at
> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep1
> when
On Wed, Feb 10, 2016 at 11:07:14PM +1100, Nik Lam wrote:
> On Wed, Feb 10, 2016 at 7:43 PM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Wed, Feb 10, 2016 at 12:07:45PM +1100, Nik Lam wrote:
> > > On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <sb...@redhat.com> wr
On Wed, Feb 10, 2016 at 12:07:45PM +1100, Nik Lam wrote:
> On Wed, Feb 10, 2016 at 3:04 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> > > On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sb...@redhat.com> wr
On Tue, Feb 09, 2016 at 04:54:55PM -0600, Michael Rainey (Contractor) wrote:
> Greetings,
>
> I have a question about migrating a system from NIS to freeIPA. In my
> efforts of setting up a host on freeIPA I would normally use a fresh install
> to setup the system. I'm now at a point where I'm
On Wed, Feb 10, 2016 at 09:42:28AM +0100, Jakub Hrozek wrote:
> On Tue, Feb 09, 2016 at 11:58:46AM +0100, Winfried de Heiden wrote:
> >Hi all,
> >
> >Using an Active Directory Trust with IPA all works fine but there's a
> >disadvantage: it might bring in lots and lots of groups I am
On Wed, Feb 10, 2016 at 02:08:55AM +1100, Nik Lam wrote:
> On Mon, Feb 8, 2016 at 11:53 PM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> > > On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sb...@redhat.com> wr
On Thu, Feb 04, 2016 at 07:25:29PM +1100, Nik Lam wrote:
> On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > > Hello,
> > >
> > > I installed ipa-server on Centos 7
On Wed, Feb 03, 2016 at 11:17:46AM -0600, Josh Pospisil wrote:
> I have successfully set up a trust between AD (windows server 2012) and
> freeIPA following this guide:
> http://www.freeipa.org/page/Active_Directory_trust_setup
>
> My hope in doing this was to allow the users I have created on
On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> Hello,
>
> I installed ipa-server on Centos 7.1 and later did an upgrade of the whole
> system to Centos 7.2.
>
> I think the FreeIPA version changed from 4.1.0 to 4.2.0 between these
> Centos/RHEL minor releases.
>
> We'd now like to
On Wed, Feb 03, 2016 at 01:14:20PM -0600, Michael Rainey (Contractor) wrote:
> Please disregard this message. I discovered the answer after the message
> was sent.
>
> There is a locks file in /etc/dconf/db/distro.d/locks. I edited the
> /etc/dconf/db/distro.d/10-authconfig and rebooted. It is
On Tue, Feb 02, 2016 at 02:12:58PM +, Baird, Josh wrote:
> I believe the sssd clients will need to communicate directly with your AD
> domain controllers, unfortunately. I wish there was a clean way around this,
> since we have a ton of DC's in our HUB site, and I don't really want to poke
est build with the patch.
bye,
Sumit
>
> On 28 January 2016 at 16:53, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Thu, Jan 28, 2016 at 04:42:20PM +0530, Prashant Bapat wrote:
> > > gdb stacktrace attached.
> >
> > Can you install the debuginfo with
> >
On Wed, Jan 27, 2016 at 06:53:43PM +, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question: "is it possible to have HBAC
> work with AD authenticated users". I was not able from the tips provided
> to get any further with this.
>
> What I have not been able to have
On Wed, Jan 27, 2016 at 02:51:07PM -0600, Anil Kommareddy wrote:
> Hi All,
>
>
>
> I have an ipa-server-4.2.0-15.el7_2.3.x86_64 on which I installed
> ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64 and ran "ipa-adtrust-install
> --add-sids" command. After some initial issues it started working
On Thu, Jan 28, 2016 at 10:25:53AM +0530, Prashant Bapat wrote:
> Hi,
>
> We have a FreeIPA 4.1.4 setup on F21 servers. There is 1 master and 7
> replicas in different regions. Earlier there was only 1 replica. Since I
> added new replicas, on the master node, once in a while the kerberos
>
the crash.
bye,
Sumit
> found this one line odd though.
>
> *Jan 26 03:15:58 ipa.example.net <http://ipa.example.net>
> krb5kdc[4471](Error): worker 4473 exited with status 134*
>
>
> Let me try to get the full BT.
>
> On 28 January 2016 at 13:54, Sumit Bose <s
On Mon, Jan 25, 2016 at 10:15:42AM -0700, Cameron Christensen wrote:
> Hello,
>
> I have a trust established between Windows Active Directory and IPA.
> From the IPA server I can get details about AD users but not from a
> server configured as an IPA client.
>
> [root@ipa_server ~]# getent
On Wed, Jan 06, 2016 at 08:59:22AM +, FE9817 FE-DDIS.DK wrote:
> Hi,
>
> I'm trying to change the password for a user, using ldap, but it hangs. Here is
> what is done.
>
> :~$ ldappasswd -h idm.com -ZZ -p 636 -x -D
> "uid=admin,cn=users,cn=accounts,dc=com" -W -S
>
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> Hi all,
>
> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site
> we're just not able to see AD "Domain Local Groups".
>
> Is that just not possible (a limitation of the current version that is), is
> some extra
On Tue, Dec 22, 2015 at 06:51:25PM +0530, Yogesh Sharma wrote:
> Hi List,
>
> Did not see any options for SSH Keys + OTP or Password, However would like
> to know if it is possible with FreeIPA user.
>
> With Generic SSH, we can use AuthenticationMethods, but not sure where
> to check in
On Wed, Dec 16, 2015 at 10:33:17AM +, wouter.hummel...@kpn.com wrote:
> Hi All,
>
> While TCPdumping logins on an IPA client using an AD account I found out that
> SSSD doesn't take AD Sites into account. I see a DNS lookup for
> _kerberos._udp. and _kerberos._tcp. and then a Kerberos
>
On Wed, Dec 16, 2015 at 09:46:37AM +0100, Winfried de Heiden wrote:
> Hi all,
>
> Adding AD-users to an IPA external group seems to be problematic. However,
> adding AD-groups (with AD-users as members) to IPA external groups seems to
> work well. Four groups were created and all are shown.
On Tue, Dec 15, 2015 at 11:38:08AM -0500, Alexander Bokovoy wrote:
>
>
> - Original Message -
> > Hi,
> >
> > If PAC is not being used using key, how is group membership determined?
> By asking IPA master to give list of groups AD user belongs to.
> The complexity of this process makes
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
> Using an EL7 client, lots of times the IPA (posix) groups are missing,
> or partly missing. Doing some debugging, sssd_pac.log shows:
>
> (Mon Dec 14 17:19:08 2015) [sssd[pac]] [pac_user_get_grp_info] (0x2000):
> Group with
On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote:
> I’ve setup an IPA-Server with a handful of clients and AD-Trust.
> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu
> Server 14.04 LTS.
> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like
>
correctly that with 1.12.4-47 the groups are always
correct while with 1.13.0-40 the groups are missing when not using SSH
keys?
bye,
Sumit
>
> Winny
>
> On 15-12-15 at 09:59, Sumit Bose wrote:
>
> On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
>
>
On Sat, Dec 12, 2015 at 01:34:53PM +0100, Stefano Cortese wrote:
>
>
> This is expected because if either the principal or the user name is
> known to SSSD the localauth plugin will take control because by default
> the added modules are registered first (see [plugins] section of man
>
On Tue, Dec 08, 2015 at 02:33:40PM +0100, Stefano Cortese wrote:
> Hi Sumit
> yes it works commenting out the line 'enable_only = sssd' and making
> the file immutable , namely the .k5login file is read and enforced.
> But respect to the solution emptying completely the snippet, it is lost
> the
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote:
> >> So the questions are:
> >> - is there another cleaner way to exclude the localauth sssd plugin
> >> (considering that the configuration snippet is recreated at every sssd
> >> restart)?
> >
> >Can you test if this hack would
On Fri, Nov 27, 2015 at 04:31:49PM +0100, Morgan Marodin wrote:
> Hi everyone.
>
> After updating my FreeIPA server to 7.2 OS version (it's a RHEL like
> distribution) I've some problems authenticating with Active Directory
> credentials.
>
> Testing it on 6.7 OS clients it works using Windows
On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin wrote:
> Hi Sumit.
>
> I don't know why, but now kerberos ticket authentication is working on 6.7
> clients.
> On 7.2 clients now password authentication with Active Directory
> credentials is working ... but not with kerberos ticket.
This
ease set LogLevel to
DEBUG3 in /etc/ssh/sshd_config (please note that the log might contain
confidential keys or passwords).
bye,
Sumit
> Thanks, Morgan
>
> 2015-11-27 17:47 GMT+01:00 Sumit Bose <sb...@redhat.com>:
>
> > On Fri, Nov 27, 2015 at 05:35:42PM +0100, Morgan Marodin
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote:
> On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
> >Hi all,
> >
> >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
> >
> ># ipa hbacrule-show testuser
> > Rule name: testuser
> >
On Thu, Nov 19, 2015 at 10:25:02AM +0100, Christopher Lamb wrote:
> Hi
>
> The plot thickens. I think I actually have 2 issues:
>
> The first issue is that in the title of this thread, and was caused by "the
> wrong kernel".
>
> The second issue, that some ipa users cannot log on (but mine
ch low ids.
>
> Chris
>
>
>
> From: Christopher Lamb/Switzerland/IBM@IBMCH
> To: Sumit Bose <sb...@redhat.com>
> Cc: freeipa-users@redhat.com
> Date: 19.11.2015 11:20
> Subject: Re: [Freeipa-users] Invalid UID in persistent keyring name
>
On Thu, Nov 05, 2015 at 09:33:48AM +0100, Troels Hansen wrote:
>
> - On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote:
>
> >
> > do you see any more details if you run pdbedit with '-d 255' ?
> >
>
> Not really:
>
> pdbedit -d 255 -L
On Thu, Nov 05, 2015 at 10:05:19AM +0100, Natxo Asenjo wrote:
> On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo
> wrote:
>
> > hi,
> >
> > since yesterday I have a strange situation in one of our joined hosts.
> >
> > i can login using a kerberos ticket, but not using
ttps://fedorahosted.org/freeipa/ticket/3609 to fix this.
HTH
bye,
Sumit
>
> ----- On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote:
>
> > On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote:
> >> Hi again, so I finally got time to look further into th
On Fri, Oct 30, 2015 at 10:53:47AM +0100, Troels Hansen wrote:
> Well, I think the problem here being that I miss the attributes.
> One "funny" thing being that apparently, some users have had ipantuserattrs
> objectclass and a ipaNTSecurityIdentifier SID added. Some don't (including
> mine).
>
On Thu, Oct 29, 2015 at 03:55:45PM +0100, Jean 'clark' EYMERIT wrote:
> Hello,
>
> I search a way to use pkinit
> (http://web.mit.edu/kerberos/krb5-devel/doc/admin/pkinit.html) with
> FreeIPA (even without dogtag).
>
> Can someone give me a howto for this ?
I can follow the steps described in
On Fri, Oct 16, 2015 at 04:01:08PM +0200, Fujisan wrote:
> Yes, sorry, you're right. It works. I was using the wrong command:
>
> $ ldapsearch -x -h localhost uid=smith
>
> instead of
>
> $ ldapsearch -x -h localhost -D cn=directory\ manager -W -b
> cn=users,cn=accounts,dc=example,dc=test
DAP attribute from AD. Since this happen
in the common code for user lookup it is executed for IPA users as well.
But I agree that this message is annoying and created
https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.
bye,
Sumit
>
> ?
>
> Regards,
>
> Gui
On Tue, Oct 06, 2015 at 03:39:43PM +0200, Alexander Skwar wrote:
> Hello Sumit
>
> ipa-client-install hasn't set krb5_realm. I did that.
>
> We're using Chef-Solo to manage our systems and I have /etc/sssd/sssd.conf
> in chef. So it overwrote, whatever ipa-client-install put there. And that's
>