Hello all,
I am very lost at the moment, I cannot seem to get a YubiKey 4 to work
with FreeIPA.
Server information:
CentOS Linux Release 7.3.1611
ipa-server-4.4.0-14.el7.centos.4.x86_64
I installed the IPA admin tools on my laptop and joined it to IPA, and
have successfully run the
Hi All,
I am having some odd issues with MFA on CentOS release 6.8 (Final),
debug logs included below. I have two users, one with MFA enabled, and
one without. They are both in the same groups and have the same level
of access to the server, both pass the HBAC tests, however the one with
MFA
Hi All,
I have done some searching around, and I am wondering if there is a way
to require OTP for certain hosts, and not for others.
Example:
Let's say that I want foo.example.com to force using 2FA because it is an
entry point into the network. However bar.example.com is only used
internally,
Hi All,
I have been messing around with AD trust installs mainly around doing
ntlm_auth for a radius server.
However, as I was unable to see some of the needed resources, I
thought maybe IPA may need a kick.
So I ran the following command
is most likely a time skew issue between AD and IPA. Can you verify
this? Thanks!
-- Dave
- Original Message -
From: William Graboyes wgrabo...@cenic.org
To: freeipa-users freeipa-users@redhat.com
Sent: Wednesday, July 22, 2015 2:14:51 PM
Subject: [Freeipa-users] Samba Failing to start
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Thanks,
Bill Graboyes
On 7/22/15 12:53 PM, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, William Graboyes wrote:
Hi All,
I have been messing around with AD trust
=accounts,dc=foo,dc=bar
# search result
search: 4
result: 0 Success
# numResponses: 3
# numEntries: 2
Thanks,
Bill Graboyes
On 7/21/15 11:16 AM, Alexander Bokovoy wrote:
On Mon, 20 Jul 2015, William Graboyes wrote:
Hi List,
I have run
Hi List,
I have run into a snag, I figured I would start here and move forward.
I have been searching around for the past 3 or 4 hours looking for
some solution to the issue that I am having.
We are doing 802.1x against our freeipa servers.
Hi Martin,
Here are the outputs of the various commands, cleaned of course:
time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism
request: error -1 (Can't contact LDAP server) errno 107
(Transport endpoint is not connected)
Thanks,
Bill Graboyes
On 6/12/15 1:36 PM, Rich Megginson wrote:
On 06/12/2015 02:10 PM, Martin Kosek wrote:
On 06/12/2015 09:15 PM, William Graboyes wrote:
Hi Martin,
Here are the outputs of the various
. This looks like the
server is attempting to contact a replica which is down, and has
backed off for the full 5 minute max backoff.
Thanks, Bill Graboyes
On 6/12/15 1:36 PM, Rich Megginson wrote:
On 06/12/2015 02:10 PM, Martin Kosek wrote:
On 06/12/2015 09:15 PM, William Graboyes wrote:
Hi
Hi List,
This is a problem that has surfaced after a reboot of this system in
particular. It is being really, really slow. In terms of hardware
usage issues, there are none. It is taking 3-5 minutes to list users
in the gui. Running commands like
forcing the user to reset their password
on next login. This would be for if a user forgets their password and uses a
mail token style auth.
Thanks,
Bill
On 5/13/15 5:28 PM, Dmitri Pal wrote:
On 05/13/2015 08:18 PM, William Graboyes wrote:
Hi Dmitri,
That is quite a bucket of stuff
data set.
I was looking at PWM, and may try to get that implemented.
Thanks,
Bill
On 5/13/15 5:00 PM, Dmitri Pal wrote:
On 05/13/2015 07:40 PM, William Graboyes wrote:
Hi List,
I am trying to figure out a method of allowing users who do
Hi List,
I am trying to figure out a method of allowing users who do not have
shell access to change their own passwords. The GUI that comes with
FreeIPA is out of the question due to the untrusted CA (yes I know we
are a strange shop, there is
Let me ask this a different way.
What is the easiest method of using a trusted third party cert for the web UI?
Running IPA 4.1.0 on Centos 7.
Thanks,
Bill
On 4/30/15 1:44 PM, Rob Crittenden wrote:
William Graboyes wrote:
Hi list,
The end goal is to eliminate self signed certs from user
of example.com.
Thanks,
Bill
On 4/21/15 2:55 PM, Rob Crittenden wrote:
William Graboyes wrote:
Hi List,
I am having yet another issue, when I run the following command:
ipa-cacert-manage renew --external-ca
It does output the CSR, however the CN is not a valid name
(Certificate
PM, Dmitri Pal d...@redhat.com wrote:
On 04/30/2015 04:50 PM, William Graboyes wrote:
Let me ask this a different way.
What is the easiest method of using a trusted third party cert for the
web UI?
Make IPA CA-less with just certs from that 3rd party CA installed or make
IPA
Hi List,
I am having yet another issue, when I run the following command:
ipa-cacert-manage renew --external-ca
It does output the CSR, however the CN is not a valid name
(Certificate Authority). Is it possible to change the output of this
Hi All,
I have been searching for a while and cannot seem to find an answer to
the question of how to promote a replicate to a master, and use that
as the new master.
My original master is on ipa-server-3.0.0-37.el6.x86_64, and I am
upgrading to
Hello List,
So the whole not being able to change the CA easily is becoming a
regular point of contention in meetings. If I have read the e-mails
on this list correctly this issue is fixed in 4.1. After spending a
large amount of time thinking
Hi there,
My understanding is the only way to install a third party cert is to
start from scratch. The part that is unclear to me is if there is a
method of exporting the data prior to, and importing the data after the
fresh instance of freeipa has been installed. I assume that one would
Hello list,
I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA? As we are moving forward into
productionizing of our free-ipa install, I am
Hi List,
I am looking into changing the branding on the free-ipa GUI interface.
This is something that is being requested by my management,
considering that we are asking users to trust an e-mail prodding them
to change their password. I don't
for a post by me and certs... Basically there is an install
flag that will do all the work for you once you have the cert in the
right format.
On Sep 10, 2014 5:53 PM, William Graboyes wgrabo...@cenic.org wrote:
Hello list,
I have been
wrote:
On 09/10/2014 07:26 PM, William Graboyes wrote:
Hi Chris,
Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
Installing a new, third party cert requires a reinstall of IPA
Hi Megan,
I had the same problem with CENTOS 6.5 and free-ipa. I did a ton of
searching, and IIRC the conclusion was a bug in that version of sssd, I
don't remember all of the details, however I do remember the
workaround.
Create a system
on the client
side is the rancid group, which is showing up here.
Thanks,
Bill G.
On Fri Aug 1 01:14:32 2014, Jakub Hrozek wrote:
On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote:
Hi List,
I am running into some odd issues
Hi List,
I am running into some odd issues with IPA and users not inheriting
all groups they are a member of.
I spent a lot of time nesting groups so that when we add a user all of
the groups they need with one group setting (a boon for
29 matches