:account): Access denied for user
joe: 6 (Permission denied)
Feb 28 16:48:32 nyx su[26394]: pam_acct_mgmt: Permission denied
Feb 28 16:48:32 nyx su[26394]: FAILED su for joe by karl
This computer is set up exactly like a dozen others that work fine.
What could be the problem?
Thanks,
Karl Forner
Thank you! This is at last crystal clear for me!
Thank you also for the VPN/tunneling suggestion, I'll look into it.
On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy
wrote:
> On Mon, 17 Oct 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy
wrote:
> On Mon, 17 Oct 2016, Karl Forner wrote:
>
>> Thanks Alexander, unfortunately I could only find outdated documentation.
>> I just realized that my question is not precise enough.
>>
> The documentation I l
ote:
> On Wed, 12 Oct 2016, Karl Forner wrote:
>
>> Hello,
>>
>> A very simple question, but I could not find the answer. I'd like to set up
>> a replica on another network than my master. Is it possible to set up the
>> replication using only https, or othe
Hello,
A very simple question, but I could not find the answer. I'd like to set up
a replica on another network than my master. Is it possible to set up the
replication using only https, or must other ports be available?
Thanks,
Karl
--
Manage your subscription for the Freeipa-users mailing list:
Thanks a lot Jan. It works perfectly, and it is crystal-clear.
Best,
Karl
On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/fr
Hi,
My problem is:
I have an ipa.example.com server on the internal network, with
self-signed certificates.
I'd like to be able to connect to the UI from the internet, using
https with other certificates (e.g. Let's Encrypt certificates).
So I tried to set up an SNI Apache reverse proxy, but I cou
Very good idea indeed. Disabling the AppArmor profile for cups solved the
problem.
Thanks a lot!
Just an idea:
> You probably have AppArmor running and its default policy might prevent
> cupsd from talking to the sssd socket.
>
> --
> / Alexander Bokovoy
>
r 8 15:14:58 pyro cupsd: pam_sss(cups:auth): Request to sssd failed.
Permission denied
M
I added many local groups to my freeIPA user:
(sys),4(adm),7(lp),27(sudo),109(lpadmin),
If I enter the credentials of a local account (not managed by freeIPA), it
works.
What's wrong?
Thanks,
Karl Forn
>
> The docs you are referring to are quite old: 5 full Fedora releases,
> several IPA releases.
>
You're right, sorry. I found this documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/pwd-expiration.html
I forgot to say that I did a "kinit admin" before the ipa user-mod.
On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner wrote:
> Hello,
>
> I tried to postpone a password expiration date, as indicated here:
>
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_
Hello,
I tried to postpone a password expiration date, as indicated here:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
% ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to
TIFICATION="C"
LC_ALL=
I confirm it works using LC_ALL=en_US.utf8 ipa user-find --login=$login
I'm using the adelton docker. Maybe the default locale should be set to
en_US.utf8? Are there any expected downsides?
Thanks.
On Thu, Jan 14, 2016 at 3:43 PM, Martin Basti wrote:
On Thu, Jan 14, 2016 at 3:12 PM, Rob Crittenden wrote:
> '(nsAccountLock=TRUE)' dn
thanks
Hello,
I just realized that "ipa user-find" would list all matching users,
disregarding their status, i.e. whether they are enabled or disabled.
I could not find a suitable option in "ipa help user-find".
Is there a way?
Thanks
Karl
Hello,
When I do:
ipa user-find --login=$login
I get:
ipa: ERROR: UnicodeEncodeError: 'ascii' codec can't encode character
u'\xf1' in position 25: ordinal not in range(128)
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run
sys.exit(
> >
> > I am not sure I follow. The default used by my master is
> > 13400-13420, right?
> > So I could set 13500-13520 for instance. Or did I miss something?
> >
> >
>
> My example was based on the ldif you proposed.
>
> What the DNA plugin would have done is split the original ra
>
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to resolve
> it.
>
OK, I'll try this first.
>
> If it was nuked from orbit then yeah the yo
onsider it as a
workaround, or should it be avoided at all costs?
On Fri, Jan 8, 2016 at 5:17 PM, Alexander Bokovoy
wrote:
> On Fri, 08 Jan 2016, Karl Forner wrote:
>
>> If you never added users through this IPA server, it has no subset of ID
>>> range
>>> allo
> If you never added users through this IPA server, it has no subset of ID
> range
> allocated to IDs issued on this server. To obtain this subset, it needs
> to talk back to the master on first allocation. Master is missing, thus
> it couldn't talk to it.
>
Thanks.
But if I understand, I just ca
Hello,
If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.
I also tried to add a
Hello,
I have some web applications that use LDAP for
authentication/authorization, and which do not support LDAP auto-discovery.
I'm wondering if it's possible to fake the auto-discovery of the server.
For instance, I could imagine using a DNS CNAME ldap_current.example.com
which should point to a c
Thanks a lot, that works if I comment out the explicit reference to a
server name, and switch dns_lookup_kdc to true.
I think I understand why it was not working from the install:
I used the ipa-client-install with the option --server.
According to the man page, in the "Failover" section, I
.
Did I miss any critical option?
What should the /etc/krb5.conf be like?
Thanks.
On Tue, Jan 5, 2016 at 7:06 PM, Karl Forner wrote:
> Another piece of information:
>
> the linux boxes are running ubuntu too, with the same configuration.
> I have configured 2 dns servers, the
o discovery should still happen.
Is that so?
Thanks.
On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner wrote:
> Hello,
>
> My freeipa master has crashed, and I have a replica running.
> The problem is that I can no longer use the webapps on my main server
> which use a kerberos au
On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek wrote:
> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> >
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can no longer use the webapps on my main serv
>
> > It hangs forever.
>
> How long is forever?
>
officially it's about 15 mins. Do you mean that this delay could be expected?
>
> > If I run it using the --cleanup option, it seems to work.
>
> That does other things.
>
and actually it did not really work.
>
> >
> > But when I try to run a
Hello,
My freeipa master has crashed, and I have a replica running.
The problem is that I can no longer use the webapps on my main server
which use Kerberos authentication, since my server will not switch to the
KDC on my replica.
I remember that someone replied to me on this list about that prob
> There is no need to have a CA on every ipa server, so a CA is not
> installed by default.
What is the downside of having every replica as a CA?
Because in case of big trouble with your master, if your replica is not a
CA you cannot replace your master from this replica, right?
In particular yo
the docker image
on my computers.
Thanks,
Karl
On Tue, Dec 22, 2015 at 2:46 AM, Fraser Tweedale
wrote:
> On Mon, Dec 21, 2015 at 01:57:02PM +0100, Karl Forner wrote:
> > Hello,
> >
> > Running:
> > ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d
It's quite a problem for me.
Would upgrading to a more recent version solve the problem?
How does freeIPA know that a host is a freeIPA host? From the LDAP?
Thanks
On Fri, Dec 18, 2015 at 3:45 PM, Karl Forner wrote:
> I am running a master freeIPA called "ipa" in an adel
Hello,
Running:
ipa-replica-prepare ipa-h3s1.example.com --ip-address xx.xx.xx.xx -d -v
fails with
ipa: DEBUG: Protocol: TLS1.2
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: request status 200
ipa: DEBUG: request reason_phrase u'OK'
ipa: DEBUG: request headers {'date': 'Mon, 21 Dec
I am running a master freeIPA called "ipa" in an adelton/freeipa-server
(freeIPA 4.1.4).
I am able to create a replica server "ipa2", still in an
adelton/freeipa-server.
If I stop my ipa2 replica, and try to delete the replication agreement:
%ipa-replica-manage del ipa2.example.com --force -v
I
>
> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>
Is there a work
Hello,
Since we use freeIPA, every Ubuntu client experiences some sporadic freezes
with bash completion. It seems far-fetched, but the other Ubuntu clients not
using sssd/freeipa do not experience these problems.
Could it be related? How to troubleshoot?
Regards,
Karl
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>
OK, I checked and it works just fine for me, thanks.
This dynamic discovery of freeIPA servers by SSSD is very elegant and smart,
but I still do not u
> SSSD mostly manages discovery of servers, it is normally configured with
> the name _srv_ + an actual name as fallback.
> SSSD also feeds the information to kerberos libraries via a plugin.
OK, I have this line in my /etc/sssd/sssd.conf:
ipa_server = _srv_, ipa.example.com
How do I check the cur
>All replicas should be listed in SRV records in DNS so clients will find them
>automatically.
But then I must add the freeIPA DNS of the master AND the replica in
resolv.conf?
Thanks,
Karl
Hello,
From what I understood, a freeipa replica server is a kind of backup of
another freeipa server.
Both are usable by clients, and they will dynamically update their
information.
But I do not understand how a client will make use of the replica if the
master server is down.
Naively I would i
ion on its own dedicated appliance.
On Fri, Nov 20, 2015 at 6:29 PM, Martin Basti wrote:
>
>
> On 20.11.2015 16:47, Karl Forner wrote:
>
> Hello,
>
> Could you recommend a mini appliance/server to use as a freeIPA server?
> I guess the main points are an e
eboot?
Thanks,
Karl Forner
Hello,
Could you recommend a mini appliance/server to use as a freeIPA server?
I guess the main points are an ethernet port, minimal consumption,
robustness.
Thanks,
Karl Forner
> From: Karl Forner [karl.for...@gmail.com]
> Sent: Thursday, October 15, 2015 16:24
> To: Zoske, Fabian
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] freeIPA user can not use cron
>
> Yes, it works!!! Maybe this should be documented somewhere?
> T
> Fabian
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On behalf of Karl Forner
> Sent: Thursday, 15 October 2015 15:53
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] freeIPA user ca
%ipa hbactest
User name: qbuser
Target host: asgard
Service: crond
Access granted: True
On Thu, Oct 15, 2015 at 3:53 PM, Karl Forner wrote:
> Hi,
>
> cron jobs do not work using a freeIPA user account.
>
> the cron job:
> */1 * * * * echo coucou
>
> i
denied)
In freeIPA I set up an HBAC rule for this user and host that allows the services:
ftp
login
sshd
gdm-password
crond
gdm
What did I miss?
Thanks.
Karl Forner
an easy way to upgrade sssd right now with
Ubuntu 14.04.
Is it possible to set sudo_inverse_order = true with my current
version, i.e. even if it is not yet recognized?
>
>
>>
>>
>> On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina wrote:
>>>
>>
, Pavel Březina wrote:
> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>
>> Hi,
>>
>>
>>> you are prompted for password because (ALL) ALL rule is applied because
>>> of last-match rule. See:
>>> http://www.sudo.ws/man/1.8.13/sudoers.lda
Hi,
> you are prompted for password because (ALL) ALL rule is applied because of
> last-match rule. See:
> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
OK. I updated the rules to use a sudoOrder attribute of 100 for the
/usr/bin/less sudo rule.
Now, if I type in a termi
Sorry, I had disabled the emailing, I just saw your answers in the archives.
>> How can I debug this?
> Pavel (CC) has a nice sudo debug howto, maybe it would be helpful?
Where is it? Do you mean the slides
"FreeIPA Training Series: Obtaining debugging information" from
https://www.freeipa.org/ima
Hello,
I had assumed sudo rules worked because I have an "allow_all for admins"
sudo rule that seemed to work, but I wonder if there is an implicit rule
for the special group admins?
Because I have tried to replicate this allow_all rule for other user
groups, and it does not seem to work at
Sorry, my mistake.
The following works fine:
% ldapsearch -x -D 'uid=ldap_gitlab,cn=users,cn=accounts,dc=quartzbio,dc=com' -W uid=karl cn ipaSshPubKey
Karl
On Fri, Sep 18, 2015 at 3:13 PM, Karl Forner wrote:
> Hello,
>
> I'm trying to integrate the freeIPA SS
Hello,
I'm trying to integrate the freeIPA SSH public key with GitLab
Enterprise Edition.
They have a configuration setting **ldap_sync_ssh_keys** that I tried
to set to 'ipaSshPubKey', but it does not work.
While trying to understand the problem, I realized that I don't even
know how to retrieve
done:
Ticket #2785 <https://fedorahosted.org/sssd/ticket/2785>
On Fri, Sep 11, 2015 at 10:17 AM, Alexander Bokovoy
wrote:
> On Fri, 11 Sep 2015, Karl Forner wrote:
>
>> Hi,
>>
>> I kind of fixed my problem, but I share it there in case it can help
>&g
So I just edited my /etc/default/locale to permanently fix my problem.
Nonetheless, I'd be curious to understand why the setlocale() call fails
when sss_ssh_knownhostsproxy is called via git via SparkleShare (via Mono).
Regards,
Karl Forner
For reference:
I could not make the sudo rules work on Ubuntu 12.04, I tried many, many things.
Worked like a charm on Ubuntu 14.04: as simple as adding sudo to services
in the [sssd] section of sssd.conf.
On Fri, Jul 10, 2015 at 5:18 PM, Lukas Slebodnik
wrote:
> On (10/07/15 16:19), Karl Forner wr
Hello,
I set up an Ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
work.
I then realized that I used ipa-client-install version 3.3.4.
Is this a plausible cause?
And if so, where can I get a more recent version for Ubuntu/Debian?
Thanks,
Karl
/etc/hosts on all internal
computers, but I had hoped to benefit from the freeIPA DNS as a more elegant
solution.
On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek wrote:
> On 8.7.2015 16:32, Karl Forner wrote:
> > Thanks Petr.
> >
> > My use case is: we have scripts that connect to
Petr Spacek wrote:
> On 8.7.2015 15:07, Karl Forner wrote:
> > On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora
> wrote:
> >
> >> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >>>
> >>> When using my freeIPA DNS name server for my domain
nks
>
> Martin
>
> On Wed, Jul 8, 2015 at 4:09 PM, Martin Basti wrote:
>
>> On 08/07/15 14:26, Karl Forner wrote:
>>
>> Hello,
>>
>> When using my freeIPA DNS name server for my domain example.test, I need
>> to exclu
09 PM, Martin Basti wrote:
> On 08/07/15 14:26, Karl Forner wrote:
>
> Hello,
>
> When using my freeIPA DNS name server for my domain example.test, I need
> to exclude some names from the server (to be forwarded to the DNS forwarder,
> for instance).
>
> For example, I
On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora wrote:
> On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:
> >
> > When using my freeIPA DNS name server for my domain example.test, I need to
> > exclude some names from the server (to be forwarded to the DNS fo
Hello,
When using my freeIPA DNS name server for my domain example.test, I need to
exclude some names from the server (to be forwarded to the DNS forwarder,
for instance).
For example, I'd like foo.example.test not to be resolved, but forwarded.
How could I implement this?
Thanks.
Karl F