Re: [Freeipa-users] Ploblem with default user group

2017-05-07 Thread Simo Sorce
On Sat, 2017-05-06 at 16:43 +0300, Markovich wrote: > Hello everyone! > We are unable to delete ipausers group: The default users group > cannot be removed > But we can rename it! > After this, if u'd like to add new user u are going to get: > { >     "error": { >         "code": 4001,  >        

Re: [Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction

2017-05-05 Thread Simo Sorce
On Thu, 2017-05-04 at 18:02 +0200, Christopher Lamb wrote: > Hi All > > Is the following statement correct? > > "If a kerberos client (e.g. a FreeIPA client) holds a service ticket > to a service principal in its credentials cache, it no longer needs > to interact with the KDC to access the

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Simo Sorce
On Thu, 2017-04-13 at 17:16 +0300, Alexander Bokovoy wrote: > On to, 13 huhti 2017, Simo Sorce wrote: > >On Thu, 2017-04-13 at 08:05 -0400, Chris Dagdigian wrote: > >> Hi folks, > >> > >> I've got a high performance computing (HPC) use case that will need A

Re: [Freeipa-users] any tips or horror stories about automating dynamic enrollment and removal of IPA clients?

2017-04-13 Thread Simo Sorce
option could also be to keep a (set of) keytab(s) you can copy on the elastic hosts and preconfigure their sssd daemon. At boot you copy the keytab in the host and start sssd and everything should magically work. They all are basically the same identity so using the same key for all of them may be acceptable.

Re: [Freeipa-users] user keytab retrieval

2017-04-07 Thread Simo Sorce
On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote: > hi rob, > > > > i'm a bit puzzled by the following: i want to retrieve a user > > > keytab > > > using ipa-getkeytab -r (since the keytab for the same user was > > > already > > > retrieved on another host). > > > > > > when doing so, i

Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag

2017-03-09 Thread Simo Sorce
some light on this > > requirement. > > > > Padding scheme for what exactly ? > > > > Simo. > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] What is the next free IP address for a DNS record

2017-03-09 Thread Simo Sorce
On Thu, 2017-03-09 at 13:33 +0100, Kees Bakker wrote: > On 09-03-17 13:26, Tomas Krizek wrote: > > On 03/09/2017 01:19 PM, Kees Bakker wrote: > > > On 09-03-17 12:08, Martin Basti wrote: > > > > On 09.03.2017 11:12, Kees Bakker wrote: > > > > > Hey, > > > > > > > > > > Is there an easy way to

Re: [Freeipa-users] Padding Scheme used in Fedora Dogtag

2017-03-07 Thread Simo Sorce
On Tue, 2017-03-07 at 12:38 +0530, Kaamel Periora wrote: > Dear All, > > It is required to identify the padding scheme used by the Fedora dogtag > system. Appreciate of someone could shed some light on this requirement. Padding scheme for what exactly ? Simo. -- Simo Sorce *

Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-20 Thread Simo Sorce
th sssd 1.13.4. > > > sssd.conf is attached, of course. Every helpful comment is highly > appreciated. > > Harri > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Simo Sorce
and none of that is set up by default. We are planning to enable the integrated Samba server (which is used for trusts only at the moment) to provide NTLM services for radius servers, but it is not ready yet, although you may try to experiment with it. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Simo Sorce
restingly the LDAP > server should use the ds.keytab file instead of krb5.keytab. > > We need someone from DS team of with deep Kerberos/gssproxy knowledge to look > into it. > > Simo, Ludwig, how can this happen? As Martin said, incorrect configuration of DS makes it fall back to

Re: [Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Simo Sorce
se backend in a separate 389-ds > instance. Yes it is definitely a bug, but not an easy fix, please do file a bug, however it will take some time before we can fix it. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Change in list archives accessibility

2016-12-14 Thread Simo Sorce
On Mon, 2016-12-12 at 05:04 -0500, Simo Sorce wrote: > Dear freeipa-users, > in an attempt to identify how the recent wave of spamming activity > targets mailing list posters, I have temporarily disabled free access to > the archives. > This is not a permanent change an

[Freeipa-users] Change in list archives accessibility

2016-12-12 Thread Simo Sorce
Dear freeipa-users, in an attempt to identify how the recent wave of spamming activity targets mailing list posters, I have temporarily disabled free access to the archives. This is not a permanent change and public access will be restored shortly. Regards, Simo. -- Simo Sorce * Red Hat, Inc

Mailing list probe - 8ea5b442e62392e06c5557b2d17219ea

2016-12-08 Thread Simo Sorce
This is an automated message to probe our subscribers email address, in order to pinpoint the bot harvesting our emails. Please disregard. Freeipa-users list administrators.

Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-12-08 Thread Simo Sorce
Sorry David, it is not clear to me what you are objecting to, please be more specific or quote the specific part of my previous reply that you find questionable. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat

[Freeipa-users] Reverting anonymous posting

2016-12-07 Thread Simo Sorce
Enough people complained they cannot cope with the change I made recently. So I am reverting this change and will try to find a better solution for the spam issue the list user's are subject to. Thanks for your understanding, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your

Re: [Freeipa-users] FreeIPA, Ipsilon, Duo Security integration

2016-12-01 Thread Simo Sorce
in with Ipsilon and > FreeIPA... Has anyone else tried this before? If so, are there any > pitfalls or problems you have encountered or any general advise? I think there are issues with the workflow Duo requires and the latency (sending token via SMS and waiting for user to input). Simo. -- Simo Sorce

Re: [Freeipa-users] How to enable anonymous pkinit on FreeIPA 4.3.1 on Ubuntu ?

2016-11-29 Thread Simo Sorce
N/anonym...@pan-net.eu". > kadmin.local: Whether the principal has keys or not doesn't matter, pkinit pre-authentication ignores the keys anyway. > I've also tried all the above when the user's krb5.conf "realm" > section was set with the following options > pkinit_e

Re: [Freeipa-users] Clonning VM

2016-11-28 Thread Simo Sorce
all --uninstall) and then re-join after. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-28 Thread Simo Sorce
istribute it to both server's http keytab so they can decrypt incoming requests. However your load balancer then also needs to stick with one server for all requests coming from the same client, because we use session cookies to maintain authentication and we do not share them between servers. Simo

Re: [Freeipa-users] where to put computer accounts... ?

2016-11-24 Thread Simo Sorce
r its own computer account I would think of adding it to the local user database, if you have to distribute it via LDAP you'll have to create actual user accounts ion the directory I guess. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users m

Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-18 Thread Simo Sorce
ond should "fix" them ... unless you depended on the incorrect configuration in some way ... -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups

2016-10-25 Thread Simo Sorce
ex product but > gave the user lots of possible customizations of the web ui and > included workflows. Is that possible with ipa also? With the latest FreeIPA versions it is possible to write plugins to extend the Web UI, we are working on making it more straightforward, but it has been done

Re: [Freeipa-users] PWM password self-service integration with FreeIPA

2016-10-25 Thread Simo Sorce
ot just give it blanket access to read everything from the directory and write every password, you should limit it to users for example and not allow it to change service's or host's "passwords". Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-us

Re: [Freeipa-users] Why does a SAN field on a CSR require a host to be in IPA?

2016-10-25 Thread Simo Sorce
>> > > >> > All this said, I think there is a valid RFE in allowing Kerberos > >> > principal aliases to be consulted when validating a CSR. This would > >> > mean you do not have to create new objects, just add more principal > >> > names to the existing one. I filed a ticket: > >> > > >> > https://fedorahosted.org/freeipa/ticket/6432 > >> > > >> > Alexander, Simo, what do you think? > >> Certainly principal aliases should be checked if they were asked to be > >> in SAN. The question is what type of the SAN extension should be > >> considered for them in addition to Kerberos principal. The aliases are > >> stored in their full format (alias@REALM), so either you need to do full > >> match or consider dropping the realm for some types. This needs to be > >> clarified before any implementation happens. > >> > >Right, UPN and KR5PrincipalName can be checked as-is. > > > >We should check dnsNames by affixing around the dnsName the same > >service type (e.g. `HTTP') and realm as the nominated principal, and > >looking for that in the aliases. e.g. for nominated principal > >`HTTP/web.example@example.com', if there is a SAN dnsName > >`www.example.com', we look for `HTTP/www.example@example.com' in > >its aliases. > > > >Does this sound reasonable? > > > >No other GeneralName types shall be checked against principal > >aliases, unless/until we support SRVName. > Sounds reasonable for me, thanks. +1 Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Simo Sorce
On Thu, 2016-09-01 at 09:33 +1000, Peter Fern wrote: > On 01/09/16 08:35, Simo Sorce wrote: > > Port 80 is not required, the only thing you'll find there is a redirect > > to the HTTPS port. > > What about CRL/OCSP (and possibly others)? The Apache configs > explicitly

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Simo Sorce
? Has anyone attempted not opening port > 80 from IPA Server to IPA Server and clients to IPA server? > ipa-server-3.0.0-50.el6.1.x86_64 Port 80 is not required, the only thing you'll find there is a redirect to the HTTPS port. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Simo Sorce
can't have this (if you want SSO and avoid headaches in general) no matter what you do. You have to keep server names on separate (sub)domains. In some cases you can use CNAMEs though. > Also, thanks for your other answers. They were very helpful :^) You are welcome, Simo. > --David A

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
providing a GC service. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
http://freeipa.org for more info on the project You can have a Realm named COMPANY.COM (AD) and a Realm named FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer objects or subdomains in the DNS domain freeipa.company.com in it. If that's the case you can create a 1 way or 2 way trust

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Simo Sorce
dy been answered, I tried google-fu and it > didn't return anything useful. > Using IPA 3.0 on Redhat 6.8 > > Thanks > -Brad > > > -- Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users Go to > http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-25 Thread Simo Sorce
> --David Alston > > -Original Message- > From: Simo Sorce [mailto:s...@redhat.com] > Sent: Friday, July 22, 2016 10:49 AM > To: Alston, David > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] Replicating users/groups from AD >

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-22 Thread Simo Sorce
the coexistence of FreeIPA and AD in a single DNS domain. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPAv3 and SSSD // Disable automatic Kerberos authentication

2016-06-30 Thread Simo Sorce
n add something like: > > > >export KRB5CCNAME=$HOME/my_cc_cache > ^ > Is FILE: considered as default or it need to be > written as well for KRB5CCNAME If no ccache type is specified the krb5 libs default to the FILE ccache type. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Best practices on enrolling existing hosts.

2016-06-30 Thread Simo Sorce
uide/id-views.html Also here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html note that ID Views are not confined just to AD trust environments this second doc is just to have a wider view of the feature. HTH, Simo. -- Simo Sorce * Red

Re: [Freeipa-users] What causes the web ui to display a second login dialog ?

2016-06-23 Thread Simo Sorce
nd in RHEL7.3 and hopefully make it easier to deal with this problem. https://fedorahosted.org/freeipa/ticket/5614 Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http:

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-17 Thread Simo Sorce
I'm thinking, asking, is - what would be the correct > possible way to plug in, connect IPA domain to win AD when one has > admin control only over a OU in win AD? Not sure you can even do sync, there isn't really much you can do with those privileges, you are basically just allowed to administ

Re: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-16 Thread Simo Sorce
work for MIT Kerberos >or does it also work for Heimdal? > > > Thank you, > Stefan Zecevic > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info

Re: [Freeipa-users] IPA as subdomain, part of AD ?

2016-05-16 Thread Simo Sorce
ll create a trust between 2 different forests, it's just so happen that one of them will be in a DNS subdomain. For this to work, no other windows machine may have used the ipa.activedir.local domain before. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeip

Re: [Freeipa-users] freeipa password policy ( hsitory ) getting reset with password reset

2016-05-04 Thread Simo Sorce
On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote: > On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > > Hi, > > > > I am running a freeipa server 4.2.x. > > > > I have the following password global password policy set to force a history > > of 3 > > > > ipa pwpolicy-mod global_policy

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-03 Thread Simo Sorce
ould be greatly appreciated! I have not found a "Who uses > FreeIPA" page on the Internet. > > Best regards, > -- > Alexandre de Verteuil <alexan...@deverteuil.net> > public key ID : 0xDD237C00 > http://alexandre.deverteuil.net/ > -- Simo Sorce

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-21 Thread Simo Sorce
t split in certain ways Thanks Timo, this is awesome! Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Simo Sorce
> > > > > So, sorry, I cannot edit the contribute to the wiki. I will write > > something down in my own wiki and post the link here, search engines > > will index this mailing list posts as well, so this knowledge will not > > go lost. > > It's not just you. I can't log

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Simo Sorce
on fails. Error message > >> is > >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED". > >> > >> Any pointers on how to make OTP work? > >> > > http://www.freeipa.org/page/V4/OTP > > http://www.freeipa.org/page/V4/OTP/Deta

Re: [Freeipa-users] OTP not working since upgrade

2016-02-29 Thread Simo Sorce
> Alessandro > > On 29 February 2016 at 05:44, Simo Sorce <s...@redhat.com> wrote: > > > On Mon, 2016-02-29 at 00:11 +, Alessandro De Maria wrote: > > > Solved. > > > This turned out to be the ipa-otp process stuck on one of the 2 servers. > > &

Re: [Freeipa-users] OTP not working since upgrade

2016-02-28 Thread Simo Sorce
t; Could someone help me understand what is going on? > > > > Regards > > Alessandro > > > > > > -- > > Alessandro De Maria > > alessandro.dema...@gmail.com > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: &

Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Simo Sorce
uot; which > may be overridden elsewhere if ChallengeResponseAuthentication is set to yes > > Terry > > -Original Message- > From: Simo Sorce [mailto:s...@redhat.com] > Sent: 25 February 2016 15:01 > To: Terry John > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] 14

Re: [Freeipa-users] 14: No supported authentication methods available

2016-02-25 Thread Simo Sorce
, Manheim Direct, Manheim De-fleet and Manheim > Aftersales Solutions. > > V:0CF72C13B2AC > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the pro

Re: [Freeipa-users] PA Soalris client- Kerberos error

2016-02-25 Thread Simo Sorce
while getting initial > credentials" > > > > How to work around this issue ? I think this is something that can only be analyzed and fixed by Solaris support channels. A segfault is a bug in the client. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your su

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Simo Sorce
Doesn't look related to mod_auth_gssapi, it's past it. - Original Message - > From: "Martin Kosek" <mko...@redhat.com> > To: "David Zabner" <da...@cazena.com>, freeipa-users@redhat.com, "Simo Sorce" > <sso...@redhat.com> &g

Re: [Freeipa-users] Client-Install failures

2016-01-28 Thread Simo Sorce
ner" <da...@cazena.com> > To: "Simo Sorce" <s...@redhat.com> > Cc: "Martin Kosek" <mko...@redhat.com>, freeipa-users@redhat.com > Sent: Thursday, January 28, 2016 10:18:06 AM > Subject: Re: [Freeipa-users] Client-Install failures > > Any g

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
site. Can you explain what you mean by "migrate to the following separate components" ? And why you want to do so ? Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
FreeIPA uses is coupled with about two > > >> dozen additional plugins. These plugins either don't exist for OpenLDAP > > >> at all or have different behavior and rely on different LDAP schema. > > >> > > >> In short, if you move the data from

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
olla to a set of loose parts (including and engine from Mercedes and the chassis of an Honda) that our mechanic can put together ? Simo. > Best regards. > > Bahan > > On Wed, Jan 13, 2016 at 2:58 PM, Simo Sorce <s...@redhat.com> wrote: > > > On Wed, 2016-01-1

Re: [Freeipa-users] How to migrate from freeipa distribution to separate components

2016-01-13 Thread Simo Sorce
s", also Access control, delegation, etc... the feature list is huge. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Problem with ipa-getkeytab, usage of ldappasswd

2016-01-08 Thread Simo Sorce
> > > -- > > / Alexander Bokovoy > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] DNSSEC Question (KSK ZSK)

2015-12-29 Thread Simo Sorce
ably easier to just regenerate all keys and upload the new public keys on the glue record of the delegating provider. Simo. > Then I have to wait after the holidays to UPDATE the DS Record on my ISP :-(. > > Thanks for a answer, > > -- > mit freundlichen Grüßen / best regards, >

Re: [Freeipa-users] ipa-replica-install --setup-ca: do or don't?

2015-12-28 Thread Simo Sorce
no need to have a CA on every ipa server, so a CA is not installed by default. You can pass --setup-ca at install time or you can use ipa-ca-install later on. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mai

Re: [Freeipa-users] ipa-replica-install --setup-ca: do or don't?

2015-12-28 Thread Simo Sorce
ve changed the way replicas are created, at domain level 1, it may be a good RFE to ask to make it possible to install w/o CA by generating a self signed cert for HTTP only. Simo. > On Mon, Dec 28, 2015 at 7:11 PM, Simo Sorce <s...@redhat.com> wrote: > > > On Mon, 2015-12-28 at 13:

Re: [Freeipa-users] Want faster user-add

2015-12-22 Thread Simo Sorce
lugin during > provisioning. As long as the schema compat is not needed by users during the provisioning, turning it off is fine. All the contents are regenerated at startup anyway. So it can be re-enabled and the server restarted after the bulk provisioning is done. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] confused about replica role and use

2015-12-16 Thread Simo Sorce
pubconf and krb5 libraries read from it, however kinit cannot force sssd to re-evaluate if the file needs updating. If you do a local login instead of a kinit, you will see that SSSD will switch to the new server and subsequent kinit will start using it. This is tracked here: https://fedorahosted.org/s

Re: [Freeipa-users] confused about replica role and use

2015-12-15 Thread Simo Sorce
; respond, but I can not find how to do it. > Is this happening automagically ? Yes, if you use ipa-client-install and do not force to use a specific server. > Or this is not the way it is supposed to be used ? This is what replicas are for, redundancy, and load sharing. Simo. -- Simo Sor

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-14 Thread Simo Sorce
eipa. > > Should I just create a normal user account, set the password and mail > and disable logins? There are a few ways to go about it. another way is to use a custom subtree + schema to store these emails only. It really depends on what kind of tools you want to use to manage the infor

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Simo Sorce
t; running the ipa client install to join the domain. > > > Would you mind filing a ticket? I think this should be fixed. > > Done - https://fedorahosted.org/freeipa/ticket/5518 Thanks! Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Fr

Re: [Freeipa-users] Generation of /etc/krb5.conf file

2015-12-07 Thread Simo Sorce
ow if these options are generated by the installer or are those the ones included with the sssd generated file ? Would you mind filing a ticket? I think this should be fixed. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.re

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Simo Sorce
t; > > - is there a more suitable way to obtain the above delegation and > > security > > > context switching using other mechanisms supported by IPA? > > > > > > Thanks in advance > > > Stefano FWIW a better way to solve this would be to use constrained

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
rsonate(KerberosDemo.java:121) > at test24u2.KerberosDemo.generateToken(KerberosDemo.java:179) > at test24u2.KerberosDemo.main(KerberosDemo.java:215) > Caused by: KrbException: S4U2self ticket must be FORWARDABLE > at > sun.security.krb5.internal.CredentialsUtil.acquireS4U2selfCreds(Cre

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
I think they key part is setting the +ok_to_auth_as_delegate flag which we do not provide an official higher level interface for yet. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-12-01 Thread Simo Sorce
s works with ipa-web. > Thanks > > Marc Boorshtein > CTO Tremolo Security > marc.boorsht...@tremolosecurity.com > (703) 828-4902 > > > On Tue, Dec 1, 2015 at 12:42 PM, Simo Sorce <s...@redhat.com> wrote: > > On Tue, 2015-12-01 at 11:55 -0500, Marc Boorsh

Re: [Freeipa-users] FreeIPA AD password sync

2015-12-01 Thread Simo Sorce
On Tue, 2015-12-01 at 12:57 +0100, Martin Kosek wrote: > On 11/30/2015 02:25 PM, Gašper Bregar wrote: > > I have been strugling with FreeIPA and AD password sync for a couple of > > days now. At first everything was working fine, but then all of a sudden > > the synchronization started to fail for

Re: [Freeipa-users] Active Directory Integration and limitations

2015-11-23 Thread Simo Sorce
d then just use the getpwnam interface. Simo. > I currently have > > bug here: > https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-use

Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Simo Sorce
rom: 2015-11-18 02:17:44 (UTC) > till: 2015-11-18 10:17:44 (UTC) > nonce: 604310537 > etype: 1 item > ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17) > > > Is there a field missing? CCing Andreas as this one sounds like a bug w

[Freeipa-users] [Solved] Re: "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Simo Sorce
up. Simo. > IPA 4.1 on CentOS7 > > Thanks > Marc Boorshtein > CTO Tremolo Security > marc.boorsht...@tremolosecurity.com > > > > On Mon, Nov 23, 2015 at 10:38 AM, Simo Sorce <s...@redhat.com> wrote: > > On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshte

Re: [Freeipa-users] ipa-getkeytab missing permissions after migration

2015-11-12 Thread Simo Sorce
he fallback was made to allow a client to work against an older server not to work "around" permission issues. The idea is to actually change the default permissions soon(*) so that the *old* interface stops working by default and the admin has to enable it intentionally in cn=etc c

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-12 Thread Simo Sorce
On 10/11/15 11:54, Gronde, Christopher (Contractor) wrote: # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] SSO Git http smart server and freeipa group authentication

2015-11-08 Thread Simo Sorce
r ',' ' ' > /my/authorization/file And in apache have set the following directives instead of the above two: AuthGroupFile /my/authorization/file Require group git-users HTH, Simo -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
options back in the response I'd be in business? Any thoughts? Thanks Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com (703) 828-4902 -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman

Re: [Freeipa-users] IPA + Java 8 + S4U2Self/Proxy

2015-10-27 Thread Simo Sorce
e the specification was born. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Simo Sorce
used ;-) > > > > Hopefully this makes it clear. > > Ok, that's what I thought, didn't want to assume. It is my understanding > that nss returns the first match it finds, in this case the system-local > wheel group. There is no merging in SSSD AFAIK. FYI: we are working on this problem: https://sourceware.org/glibc/wiki/Proposals/GroupMerging Stephen has patches for glibc, not sure what is th status of the submission yet though. Simo. -- Simo Sorce * Red Hat, Inc. * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] import debian (salted SHA-512) password

2015-10-12 Thread Simo Sorce
ation mode and the server they log in is configured with SSSD. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Web login problems

2015-10-07 Thread Simo Sorce
G: jsonserver_session: 401 Unauthorized need login Any ideas? The webUI will normally need to be used by people on systems that are not managed by FreeIPA (this is meant to manage our server infrastructure, not our workstations), but as far as I can tell username/password auth should work?

Re: [Freeipa-users] Groups

2015-10-06 Thread Simo Sorce
on the files wdadeploy creates. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] More replication fun

2015-10-05 Thread Simo Sorce
he RUV was not properly cleaned Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-02 Thread Simo Sorce
On 02/10/15 04:06, Alexander Bokovoy wrote: On Thu, 01 Oct 2015, Simo Sorce wrote: On 01/10/15 03:15, Petr Spacek wrote: On 30.9.2015 20:36, Matt Wells wrote: Hi all, I hoped I may glean some brilliance from the group. I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Simo Sorce
subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://ww

Re: [Freeipa-users] HBAC

2015-10-01 Thread Simo Sorce
as to why I posted the original ask? When SSSD is integrated directly in AD you can use Group Policies to define access controls. See ad_gpo_access_control in sssd-ad(5) Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] Trust Issues W/ Logins on Windows Desktops

2015-10-01 Thread Simo Sorce
ble to see user names, but only SIDs for IPA users. Some tools that may depend on SID->Name translation may also fail in unexpected ways. This is why we do not recommend to try this, but it is technically possible if you know very well how to handle everything through Windows CLIs (I don't so do

Re: [Freeipa-users] What todo when a company/domain name should be changed ?

2015-09-30 Thread Simo Sorce
to share the same DNS namespace). HTH, Simo. http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656, so some updates may happen. -- Simo Sorce * Red Hat, Inc * New York -- Manage your

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Simo Sorce
from using UDP completely, although I am not 100% certain this will avoid the problem, IIRC at least in some versions the client library would retry after 1 second even on TCP. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] User, keytab, password and ldap

2015-09-24 Thread Simo Sorce
tkeytab -P, if it is not, please file a bug. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Simo Sorce
ing PTR records ? There is a global DNS option (As awell as per-zone setting) called "Allow PTR Sync" you may want to enable. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://

Re: [Freeipa-users] GSSAPI authentication for libvirt VNC

2015-09-05 Thread Simo Sorce
e-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim@cloud.olivarim.com (aes256-cts-hmac-sha1-96) > >3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl > > -01.core.nice.cloud.oliv > > arim@cloud.olivarim.com (aes128-cts-hmac-sha1-96) > >3 30/08/2015 15:50:36 lib

Re: [Freeipa-users] stubborn old replicas

2015-08-26 Thread Simo Sorce
tried restarting DS before trying to clean the ruv ? I run in a similar problem in a test install recently, and I got better results that way. The bug is known to the DS people and they are working to get out patches that fix the root issue. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] AD trust deployment without IPA authority over reverse lookup zone

2015-08-25 Thread Simo Sorce
that prevents you from GSSAPI-updating PTR records (over AD trust) so going with manual PTR records would work. You need to make sure AD has no policy to periodically remove PTR records for Linux machines. -- / Alexander Bokovoy -- Simo Sorce * Red Hat, Inc * New York -- Manage your

Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue

2015-08-25 Thread Simo Sorce
are specifying the umask is incorrect :-) Hint: see oddjob-mkhomedir.conf HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue

2015-08-23 Thread Simo Sorce
...@gmail.com | Web: www.initd.in http://www.initd.in/ * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified* https://www.fb.com/yks http://in.linkedin.com/in/yks https://twitter.com/checkwithyogesh http://google.com/+YogeshSharmaOnGooglePlus -- Simo Sorce * Red Hat, Inc * New

Re: [Freeipa-users] FreeIPA certificate for Outlook

2015-08-18 Thread Simo Sorce
freundlichen Grüssen / best regards, Günther J. Niederwimmer Hi, IPA CA certificate is located here /etc/ipa/ca.crt on server It is also available from http[s]://ipa.server.name/ipa/config/ca.crt HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote: The load balancer would have to have the exact same name (for the clients) as the IPA server, which may be challenging depending on the network configuration you have. More on that issue here: http://ssimo.org/blog/id_019.html On Tue, 2015

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
the problem of the referer, but should be easy to fix with a rewrite rule. Simo. ~J On 8/18/15 3:02 PM, Simo Sorce wrote: On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote: The load balancer would have to have the exact same name (for the clients) as the IPA server, which may

  1   2   3   4   5   6   7   8   >