[Freeipa-users] DNS forwarding issue

Hello, I have a problem with Samba setup that I haven't been able to overcome for months. I am trying to setup samba on RHEL 7 using SSSD instead of winbind Currently, I have a one way trust between the production Active directory and productin IPA. I have users on IPA and Active directory.

[Freeipa-users] Creating trust relationship that survive password rotation

Good evening, I am looking through the IPA documentation and it looks like I will need a password that don't expire on the active directory side. These are the two documented ways. ipa trust-add --type=ad ad.example.com --admin Administrator –password ipa trust-add --type=ad ad.example.com

Re: [Freeipa-users] LDAP based autofs map redundancy

CTION: lithium.eng.example.com. 1200 INA 192.168.20.3 hydrogen.eng.example.com. 1200 IN A 192.168.20.1 ;; Query time: 1 msec ;; SERVER: 192.168.20.1#53(192.168.20.1) ;; WHEN: Tue Mar 14 18:32:44 2017 ;; MSG SIZE rcvd: 200 What could I be missing? Regards, William On 5 March 2017 at 14

Re: [Freeipa-users] LDAP based autofs map redundancy

Jakub, >> >> It does look though like kerberos is not affected as all systems can >> authenticate fine, so looks like its autofs issue alone >> >> This is the error I am noticing on the logs. >> >> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map >> source(s). >> Mar 2

[Freeipa-users] Push authentication policy using IPA

Hello, Is there currently any way one can force IPA clients (Gnome and KDE) to authenticate users before one can have Gnome based services like browser and such? I am looking for something similar to windows GPO that one can publish to force password authentication after restart or after a

[Freeipa-users] LDAP based autofs map redundancy

Afternoon, I have noticed that even when a network has two IPA for redundancy, autofs don't seem to be able to take advantage of the remaining IPA should one of the IPA goes down. Is this a know issue with LDAP based maps or is it a configuration that need to be adjusted. By the way, only about

[Freeipa-users] Kerberos autheticated NFS issue

Afternoon. I have noticed below errors on a RHEL 6.8 NFS client that is using a IPA 4.4 for authentication. On some system, this error show up a lot. The connection is fine according to nmap, but the logs imply there is issue with the connection. What are some of the reason that can trigger the

Re: [Freeipa-users] How to change kerberos key lifetime?

as far as IPA usage is concerned and what would make one choose one over the other? Regards, William On 17 February 2017 at 09:56, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (16/02/17 18:05), William Muriithi wrote: >>> The fact that your desktops are using SSSD c

Re: [Freeipa-users] How to change kerberos key lifetime?

David > > The fact that your desktops are using SSSD changes the situation dramatically. > > SSSD (with ipa or krb5 provider) obtains ticket for user when he is > logging-in. > And can be configured to renew the ticket for the user until the ticket renew > life time expires. > > Given this you

Re: [Freeipa-users] How to change kerberos key lifetime?

Morning David, Thank you very much for your help. > first you're mentioning "key expiry" but if I understand correctly you're > interested in "ticket lifetime". Yes, want to increase ticket lifetime. > > As mentioned here [1] the ticket lifetime is the minimum of 4 values: > 1) maxlife for the

[Freeipa-users] How to change kerberos key lifetime?

Hello We are currently mostly using RHEL 6 on the clients but IPA is on RHEL 7.3. I am using Kerberos to authenticate NFS mount and its working fine. However, there is a lot of users who are complaining that its causing too much problems. They are all related to key expiry I have looked at

[Freeipa-users] (no subject)

Hello, I have been attempting to setup samba server on RHEL 7 and I haven't had luck so far. I am hoping to get some guidance on what I could be missing. I am using the link below as a guide. http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA My setup is made up of two

[Freeipa-users] Effect of reversing trust relationship

Hello, Curious, two weeks ago, we established a two way trust between AD and FreeIPA. This has been working fine till yesterday when AD started having DNS issues. I am 99% certain trust had nothing to do with DNS issue, but want to reverse the trust and see if we could fair better My question

[Freeipa-users] Assistance with Samba share intergration with IPA

Hello I am trying to setup a samba share - actually replace winbind on a current samba server and I am basing my change on these instructions. http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA The IPA servers is version ipa-server-4.4.0-14.el7 and I have trust

Re: [Freeipa-users] (no subject)

Hi Rob, > > >> automount --dumpmaps sss auto.projects > >> > > Thanks, this indeed is working. Thanks for clarifying the man page. > > Its however not listing any keys on map created as child to master > > using the flag below. > > --parentmap=auto.master > > > > This seem like a bug. Could

Re: [Freeipa-users] Kerberos realm for different domain

Stephen > > Can you have a domain that belongs to a Kerberos realm with a completely > different domain? For example, could example.com belong to the > ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the > necessary SRV and TXT records to locate it and krb5.conf is

Re: [Freeipa-users] (no subject)

Hello Rob, Thanks >> After reading the above map page, I was hoping the below command would >> list keys on one of the projects map. It doesn't work though. >> >> automount --dumpmaps map autofs map tercel >> >> The info page isn't also any better. I wonder if someone can explain >> the use of

[Freeipa-users] (no subject)

Hello I have indirect map that I would like to list the keys but from command line. I am able to see every key on the home directories map, but it display just names for the rest of the maps. Looking at the man page, I believe this would be my solution. -m, --dumpmaps [ ]

[Freeipa-users] Intergrating vino or krfb to IPA server

Hello, I am trying to see if either of the two desktop manager may be able to work with FreeIPA and I haven't had much luck. It seem like for example vino should be able to do so - see link below, but I haven't been able to do it or find article from those who have attemptd it before

[Freeipa-users] mailing list SPAM

Hello, This is just a FYI. Whenever I post an email here, I get lot of emails from this address - kimirachel4...@cczaa.com. Think there is someone in the list who is harvesting email addresses. That wouldn't be too bad because if he try to send a fresh mail, the spam system at google would

Re: [Freeipa-users] mount lookup failure getautomntent_r

Jakub, Thanks for response On 27 November 2016 at 15:43, Jakub Hrozek wrote: > >> >> I have noticed an error that pop up as the final line after running >> lookup_read_map: lookup(sss): getautomntent_r: No such file or directory >> >> failed to read map >> >> Have anyone

[Freeipa-users] mount lookup failure getautomntent_r

Hello, I have noticed an error that pop up as the final line after running this command " automount -m". I suspect its related to selinux, but haven't seen how to fix it from the google search this morning. I have autofs maps on IPA and using SSSD to read the maps. Mount point: /- source(s):

[Freeipa-users] Would fixing hosts file break kerberos

Afternoon. I just noticed that I used inappropriate way of setting up my hosts files and I am planning to make a fix. I am however worried this may break Kerberos. Should this change be of concern and have anyone made the changes before? My current /etc/hosts are as follows: 192.168.20.2

[Freeipa-users] query for key with hostname from automap

Hello I have a system using automount for home directories and the automount maps are on FreeIPA. Is there a way I can query the username assigned to a certain host? Essentially, if I have a hostname xyz.example.com, what would be the process that I would need to query the keys living on that

Re: [Freeipa-users] Kerberos enabled NFS error (Key has expired)

On 3 November 2016 at 22:59, William Muriithi <william.murii...@gmail.com> wrote: > Hello > > I have NFS server that has been working fine with "sec=sys" for years > but changed it last weekend to use "sec=krb5" last weekend. Since > then, users have been

Re: [Freeipa-users] Kerberos enabled NFS error (Key has expired)

being renewed but that was back in 2012, so don't look very relevant. William On 3 November 2016 at 22:59, William Muriithi <william.murii...@gmail.com> wrote: > Hello > > I have NFS server that has been working fine with "sec=sys" for years > but changed it last we

[Freeipa-users] Kerberos enabled NFS error (Key has expired)

Hello I have NFS server that has been working fine with "sec=sys" for years but changed it last weekend to use "sec=krb5" last weekend. Since then, users have been randomly complaining that they are seeing the below error: [alexl@manganese /<7>dtop/simulation/vhdl_example]$ ll

Re: [Freeipa-users] is ipa-client-automount idempotent?

Hi On 30 October 2016 at 03:26, William Muriithi <william.murii...@gmail.com> wrote: > Morning, > > I am curious to know if ipa-client-automount would be safe to rerun > multiple times. I have done a bit of google search and this don't > seem to have been discussed pr

[Freeipa-users] is ipa-client-automount idempotent?

Morning, I am curious to know if ipa-client-automount would be safe to rerun multiple times. I have done a bit of google search and this don't seem to have been discussed previously in this list. I have attempted to rerun it on a system multiple time and don't seem to break anything, but that

Re: [Freeipa-users] ipa automount bug?

Rob, >>> >>> 2. How would one import an existing maps to ipa auto.home map. Import >>> seem to be only capable of importing to auto.master, which make its >>> utility doubtful >>> >>> [root@hydrogen ~]# ipa automountlocation-import default >>> /tmp/2016-10-26/auto.home >>> >>> Imported maps:

Re: [Freeipa-users] ipa automount bug?

>> >> [root@hydrogen ~]# ipa automountmap-add-indirect default >> auto.projects-prs1013 –-mount=/projects/prs1013 >> --parentmap=auto.projects > > Is this a direct copy-paste from the terminal? If so and your e-mail client > did not do any reformatting then the first character in the >

[Freeipa-users] ipa automount bug?

Evening, I am trying to import some autos map from a file to FreeIPA LDAP and have noticed two problems that can be considered a bug in my humble opinion. This is on: ipa-server-4.2.0-15.0.1.el7 1. This either is a documentation bug that suggest one can specify a parent map while thats

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

Morning Jakub, >> However, I would like to tune this configuration to drop the domain >> component of the user and group names. I tried to do this by adding >> these settings to the [sssd] section in sssd.conf on the client: >> >>default_domain_suffix = example.au >> full_name_format

Re: [Freeipa-users] openLDAP to FreeIPA user migration

Morning Alexander, >>Failed user: >> aagrim: missing attribute "sn" required by object class >> "organizationalPerson" >> acctemp: missing attribute "sn" required by object class >>"organizationalPerson" >> ... > This looks like a common problem. I had recently made a small 'hack' to

[Freeipa-users] openLDAP to FreeIPA user migration

Afternoon, I have an openLDAP system that lack a required attribute. This result in the migration script rejecting all the user import. I have googled externsively, read ever line of ipa migration --help doc and it doesn't seem I will be able to use this migration script. I wonder if there is

[Freeipa-users] FreeIPA without using User Principal Name

Hello, I am having a problem introducing IPA to an organization because FreeIPA uses User Principal Name and the organization has scripts that will break as they expect the short username. I had initially used trust but have since un-enrolled it from AD as I realized I couldn't use short name

[Freeipa-users] nfsidmap oddity

Morning I have been struggling with nfsidmap issue for a couple of days and wouldn't mind a fresh eyes. Essentially, I have a FreeIPA that has a trust relationship with AD. The AD is on domain example-corp.example.com while FreeIPA manages eng.example.com. The problem is, when I login using AD

[Freeipa-users] Very slow enrolment process

Hello, I have systems that were previously using openLDAP and plan to migrate them to freeIPA. I have a problem I have been struggling with since Thursday. The client take 10 to 15 minutes to finish the enrolment process. I can't find anything in the logs, have disabled nscd, the DNS and

Re: [Freeipa-users] PKI signing certificate question

Mateusz >> > There is "X.509 Name Constraints" extension for certificates, however >> > external CA would have to make this extension as "critical" (which would >> > probably cause compatibility issues with some software - "critical" means >> > that if some app doesn't know how to handle this

Re: [Freeipa-users] PKI signing certificate question

Mateusz > > > > Which external CA would be more open to signing this kind of certificate? > > I'm afraid that there is not a single external CA that would sign request for CA certificate. They need to make sure that certificate would not be used for fraudulent purposes (for e.g. Man-in-the-Middle

Re: [Freeipa-users] PKI signing certificate question

Clark, Thank you. > I personally haven't done this, but from https://www.freeipa.org/page/PKI > > "when --external-ca option is used, ipa-server-install produces a certificate certificate request for it's CA certificate so that it can be properly chained in existing PKI infrastructure." > Is

[Freeipa-users] PKI signing certificate question

Hello I want to use an external certificate when setting up a new FreeIPA next week and plan to send the CSR tomorrow. I would like to source a certificate for example.com and use it on FreeIPA on eng.example.com. I can't specifically set the FreeIPA on example.com because we have active

Re: [Freeipa-users] DNS Design for FreeIPA4

that my servers are using can resolve both AD and IPA. Thanks, Josh -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of William Muriithi Sent: Thursday, January 15, 2015 8:08 PM To: freeipa-users@redhat.com; freeipa-users

Re: [Freeipa-users] DNS Design for FreeIPA4

‎Josh, You will have problems if you go with below plan in my opinion. I used arrangements like the one you listed below when I used freeipa 2.2. This worked for me only when I had users hosted on freeipa. After upgrading to 3.3 for trust, it became very unreliable and had to point the ipa

Re: [Freeipa-users] ipa / sudoers on centos 6.3 client

‎Hi, I also think you will have to update to rhel 6.6 if you want to use sssd for sudo. If updating to 6.6 is not a problem, this would be least painful.  The problem is that I can't get sudo rules to work. I know that the ipa client software version 3.0.0 doesn't automatically set up all

[Freeipa-users] SUDO options on freeipa

Afternoon  ‎ I have the following commands and I need to set up for Jenkins to run through sudo.  For this to work, I need to add two sudo options, no password and no requiretty Is this something supported by IPA version ipa-server-3.3.3-28.el7_0.3.x86_64 ?  I can't seem to get it working and

Re: [Freeipa-users] Is it possible to set up SUDO with redudancy

Implications of adding above is that SUDO would break if the hardcoded ipa is not available even if there is another replica somewhere in the network. Is that correct assumption? Is there a better way of doing it that I have missed? Which version of sssd do you have? sssd = 1.10 has native

Re: [Freeipa-users] Is it possible to set up SUDO with redudancy

::126:25]:389 - Ah, thanks. Now Google is helpful when I try the 'failover' keywords. See it in mailing list but not on docs Thank you. William  On Mon, Nov 24, 2014 at 8:38 PM, William Muriithi william.murii...@gmail.com wrote: Evening, After looking at almost

[Freeipa-users] Is it possible to set up SUDO with redudancy?

Evening,After looking at almost all the SUDO documentation I could find, it looks one has to hardcode FreeIPA hostname on sssd.conf file. Below is what red hat advice to add in sssd config file.‎services = nss, pam, ssh, pac, sudo [domain/idm.coe.muc.redhat.com] sudo_provider = ldap ldap_uri =

[Freeipa-users] Mixing local FreeIPA users with active directory users

‎Hi guys,I am wondering how one would go about allowing both ad users and FreeIPA user to work in harmony.I recently was able to get FreeIPA to use trust to service unix systems. However, I encountered resistance as some people didn't like the long username, for example,

[Freeipa-users] Possible trust issues

‎Evening, ‎I have been trying to get IPA server working using AD users and I think I need some assistance as I have run into the wall.  Below is some background information.  The active directory domain is called example.local and the IPA domain is called example.loc.  My plan is to map domain

[Freeipa-users] Possible trust issues

‎Evening, Also, this show up on /var/log/krb5kdc.log on ipa server Nov 10 18:43:22 ipa3-yyz-int.example.loc krb5kdc[5469](info): AS_REQ (4 etypes {18 17 16 23}) 10.10.10.29: NEEDED_PREAUTH: host/sogo-eval.example@example.loc for krbtgt/example@example.loc, Additional

[Freeipa-users] Trust relationship issues

Sending again  Previous mail hot mangled by blackberry  ‎ I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that? I have attempted the following: [root@ipa3-yyz-int ~]# ipa dnszone-add example.local

Re: [Freeipa-users] Trust relationship redundancy

‎Peter, ‎  Sorry, missed your response earlier. On 4.11.2014 21:57, William Muriithi wrote: Afternoon, I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that? I have attempted the following: [root@ipa3-yyz-int

[Freeipa-users] Trust relationship redundancy

Afternoon,I have two AD and would like to retain that redundancy within IPA after establishing trust relationship. How would one achieve that?I have attempted the following:[root@ipa3-yyz-int ~]# ipa dnszone-add example.local --name-server=srvyyzdc02.example.local

[Freeipa-users] Renewing FreeIPA 2.2 certificate

Afternoon I have been trying to renew FreeIPA certificate for the last three days and I am running out of luck. I can't for example use the GUI interface and the ipa cli tools are also failing since the certificate expired on 27th last month. I have followed the instructions below but may be

[Freeipa-users] Permission for root running cron task as a different user

Evening, Came across a problem where a cron job I had setup last night seemed not to run. On further investigation, I noticed FreeIPA must be pushing a policy that block cron task that adopt a different user than the one its set under. I am certain its FreeIPA related as I have a system that's

[Freeipa-users] sudo 'run as' question

Afternoon, I have an application that use the account image as service account. I can su to the account 'image' and start or stop it fine. No root privilege needed. So I am not trying to set it up so that other developers can be able to restart it through sudo and that's when I realized I am

Re: [Freeipa-users] Deny SSH access from selected host

Would it be possible to deny ssh access per host without pulling a host off FreeIPA management? from-host part of the rule is not enforced by default due to the fact that it is pretty easy to fake that one on connection. You can try to create more specific rules allowing access to the

[Freeipa-users] Deny SSH access from selected host

Hello I have an ipa-server-2.2.0-16.el6.x86_64 server serving different version of ipa-clients and so far it has been good. I have noticed that some of our DEVs have started to ssh into some of the systems that I had no intention of making available through ssh. I have tried to revoke specific

Re: [Freeipa-users] Updated doc, synchronization question

Two questions: - Any ETA on an updated 3.3.3 Users Guide? Our current plan is to release next documentation release along with FreeIPA 3.4, when more documentation fixes are factored in. Would you by any chance know when FreeIPA 3.4 will be realised? Looking to update a version

[Freeipa-users] Suppressing the domain section after authentication

Hello I have set up gitolite3 and its working fine when I connect to it through ssh. I am using LDAP (FreeIPA) for authorization. When I connect through http/https, I am authenticated, but I believe authorization is not working. I have not been able to figure how to work around it.. git clone

Re: [Freeipa-users] Suppressing the domain section after authentication

Rob, The question is, how would I coerce apache or kerberos to pass gitolite only section before the @ character? With mod_auth_kerb = 5.4 you can use KrbLocalUserMapping on to strip the realm. rob Thanks a lot, that did it. I added KrbLocalUserMapping On And it worked perfectly.

[Freeipa-users] Authenticating Apache through FreeIPA

Hello, This seem well documented, but I can't seem to get it working. Not sure what I am missing.. I will try go over it and hopefully someone may notice why I am failing I got a system enrolled to IPA and its running httpd-2.2.15-28.el6.centos.x86_64 mod_auth_kerb-5.4-9.el6.x86_64

[Freeipa-users] FreeIPA gitolite intergration

Thank Martin and Natxo, Really appreciate. Got a question, I know FreeIPA does not allow anonymous binding so if one need to create an account to query for such information. I did this during the sudo setup. unless you have changed it yourself (or stuff has changed in the

Re: [Freeipa-users] Process conflict issue when restarting IPA

I see the same issue as William on CentOS6.3 fully up-to-date... [root@test-1 ~]# rpm -qa|grep ipa ipa-client-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 libipa_hbac-1.8.0-32.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch python-iniparse-0.3.1-2.1.el6.noarch

[Freeipa-users] Process conflict issue when restarting IPA

Hello When I restart IPA through ipactl, I get the following message. All seem to be working despite the message. I think it is pki-ca that is running on tomcat Starting httpd: [Fri Jan 11 16:13:25 2013] [warn] worker ajp://localhost:9447/ already used by another worker [Fri Jan 11 16:13:25

Re: [Freeipa-users] FreeIPA and Samba 4

I know this may be a loaded question, but I am asking it anyways. Can anyone tell me what the current status and future plan for IPA / Samba 4 is? We plan to support setting up trusts with Samba4 just like we do with AD when Samba4 will start supporting Cross-forest trusts. It

Re: [Freeipa-users] Managing Sudo through FreeIPA

Dmitri, The SODO integration is evolving so it important to know what OS and version you are on. I would assume you are on RHEL6.3 or equivalent. That's correct. I am on RHEL6.3 equivalent There are two main ways to integrate SUDO with IPA. One with SSSD integration and another without.

Re: [Freeipa-users] Managing Sudo through FreeIPA

] on behalf of William Muriithi [william.murii...@gmail.com] Sent: Thursday, 8 November 2012 10:28 a.m. To: freeipa-users@redhat.com Subject: [Freeipa-users] Managing Sudo through FreeIPA Hello I have been trying to setup user access through sudo file managed by FreeIPA and it don't seem

Re: [Freeipa-users] Managing Sudo through FreeIPA

FYI Got it working, credit to JR for pointing I need to assign a password to sudo account on LDAP and use it for binding. Thanks a lot William On 8 November 2012 12:11, William Muriithi william.murii...@gmail.com wrote: Steven, Thanks for the pointers. I remember finding a post

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

when you do it until after you are happy its stable and OK. Will use 6.3. Thank you again for the advice William From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

Rich, In addition to other comments I want to step back and give a bit of a bigger picture. 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment. Good suggestion. This mean I should use version 3. Problem that would have to