[Freeipa-users] Re: Cannot get a second FreeIPA client authentication working.

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 09:57:44AM +1200, Patrick McHale via FreeIPA-users wrote: > Hi, > > > > I have had a success with installing the FreeIPA system but I needed to add > another client in order to reproduce the steps required for > > building a client to authenticate with the server. I

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 02:02:03AM -, patrick.mchale--- via FreeIPA-users wrote: > Hi, > > I am getting an error logging into a FreeIPA server from a new FreeIPA > client. I have reset the password for the user using "kinit admin" but still > no joy. Is there another password that is

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 13, 2017 at 07:22:58PM -, bogusmaster--- via FreeIPA-users wrote: > I've uploaded them here: goo.gl/hiFHKE Thanks. [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). This indicates that the user cannot be found on the server. There are

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Callum Guy via FreeIPA-users
Hi Jakub, Apologies for hijacking the thread, but you reminded me of a longstanding issue: I can't manually use kinit on my client nodes. As I operate a jump server, that means I get a ticket on first login, but when I log in to other client systems the ticket gives me entry but doesn't follow me.

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users wrote: > Hi Jakub, > > Apologies for hijacking the thread but you reminded me of a longstanding > issue - I can't manually use kinit on my client nodes. As I operate a jump > server that means I get a ticket on first login but

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread bogusmaster--- via FreeIPA-users
I also observed one peculiar thing when it comes to group membership of the group which is used in my HBAC rule. When I issue getent group ad_users on the server, I get: ad_users:*:101025:j...@td.mydomain.com In FreeIPA's web UI the membership looks as follows: External member

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Callum Guy via FreeIPA-users
Thanks for that Jakub. Following a review of the output I've found that this is simply a known conflict with OTP: https://www.freeipa.org/page/V4/OTP#kinit_Method On Fri, Jul 14, 2017 at 9:20 AM Jakub Hrozek wrote: > On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy

[Freeipa-users] Re: IPA Servers will not start - dirsrv

2017-07-14 Thread Ludwig Krispenz via FreeIPA-users
Looks like you lost your configuration files dse.ldif and its backup as well. Could you check what you have in /etc/dirsrv/slapd- ? You can try to copy one of the *dse.ldif* to dse.ldif and try to restart, but that file may be up to date. Ludwig On 07/14/2017 04:22 PM, email--- via FreeIPA-users

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users wrote: > > Can you do a test on the server by calling > > > > id username(a)ad.domain > > > > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as > > well? > I uploaded these files to the same

[Freeipa-users] IPA Servers will not start - dirsrv

2017-07-14 Thread email--- via FreeIPA-users
IPA-Users, We relocated a rack recently across the states and are no longer able to start dirsrv389. sudo ipactl start Starting Directory Service Failed to start Directory Service: Command '/bin/systemctl start dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 Thousands of

[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Petros Triantafyllidis via FreeIPA-users
Thanks a lot for replying, Yes, your suggestion is working. Doesn't seem that elegant though, since a partition is mounted several times. However it's practical and I can't figure out how else it could be done. From mount stats, the first two are from fstab mount and appears only on NFS

[Freeipa-users] Re: [Freeipa-users]dirsrv will not start, tried cp dse.ldif.startOK to dse.ldif but issue remains.

2017-07-14 Thread Jake via FreeIPA-users
From the journal, maybe it's Kerberos issues: Jul 14 12:11:28 server02.ipa.example.com named-pkcs11[1041]: Failed to get initial credentials (TGT) using principal 'DNS/server02.ipa.example.com' and keytab 'FILE:/etc/named.keytab' (Cannot contact any KDC for realm 'IPA.EXAMPLE.COM') Jul 14

[Freeipa-users] Re: [Freeipa-users]Re: IPA Servers will not start - dirsrv [Solved]

2017-07-14 Thread email--- via FreeIPA-users
Copied over the dse.ldif.startOK to dse.ldif and it started. Thank You, From: "freeipa-users" To: "freeipa-users" Cc: "Ludwig Krispenz" Sent: Friday, July 14, 2017 10:35:55 AM Subject:
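The recovery Ludwig describes above (check the instance directory under /etc/dirsrv/, copy one of the surviving *dse.ldif* copies back to dse.ldif, restart) and the confirmation in this reply that dse.ldif.startOK did the job, as an added shell example that is not from either message or from the 389-ds project. It assumes the standard 389-ds layout /etc/dirsrv/slapd-INSTANCE/ with the copies the server writes itself (dse.ldif.startOK after the last successful start, dse.ldif.bak as the previous version); the function names, the dse.ldif.broken.* naming and the `dn: cn=config` sanity check are choices made for this example.

```shell
#!/bin/sh
# Added example, not the thread's or 389-ds's own tooling.
# Pick a usable backup copy of dse.ldif in a 389-ds instance directory
# and restore it, keeping the broken file for later inspection.

# List non-empty backup copies that still look like a dse.ldif (every
# real one starts the cn=config entry with "dn: cn=config"), most
# recently modified first. Returns 1 if there is nothing to restore from.
dse_candidates() {
    inst_dir=$1
    found=""
    for f in "$inst_dir"/dse.ldif.startOK "$inst_dir"/dse.ldif.bak; do
        if [ -s "$f" ] && grep -q '^dn: cn=config$' "$f"; then
            found="$found $f"
        fi
    done
    [ -n "$found" ] || return 1
    # shellcheck disable=SC2086  # word splitting of $found is intended
    ls -t $found
}

# Restore dse.ldif from the newest candidate. The current dse.ldif, if any,
# is kept as dse.ldif.broken.<timestamp> so nothing is lost.
# Prints the source file used; returns 1 when no candidate exists.
dse_restore() {
    inst_dir=$1
    src=$(dse_candidates "$inst_dir" | head -n 1) || return 1
    [ -n "$src" ] || return 1
    if [ -e "$inst_dir/dse.ldif" ]; then
        cp -p "$inst_dir/dse.ldif" \
            "$inst_dir/dse.ldif.broken.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$src" "$inst_dir/dse.ldif"
    printf '%s\n' "$src"
}

# Usage (as root, after `ipactl stop`):
#   sh dse-restore.sh /etc/dirsrv/slapd-IPA-EXAMPLE-COM
# then `ipactl start` and check `journalctl -u dirsrv@IPA-EXAMPLE-COM.service`.
if [ $# -eq 1 ]; then
    if used=$(dse_restore "$1"); then
        echo "restored $1/dse.ldif from $used; now run: ipactl start"
    else
        echo "no usable dse.ldif backup found in $1" >&2
        exit 1
    fi
fi
```

dse.ldif.startOK is the copy 389-ds saves once it has started cleanly, so it is normally the right choice; dse.ldif.bak is the previous generation and may predate the most recent configuration change, which is the caveat Ludwig raises. Diff the restored file against the broken one before deleting the latter, since dse.ldif also holds the replication and plug-in configuration that an IPA server depends on.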

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread bogusmaster--- via FreeIPA-users
> On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users > wrote: > > yes, but I think this is only a side effect. SSSD cannot resolve a > global catalog server. Does > > dig SRV _gc._tcp.td.mydomain.com > > return anything when called on the IPA server? It didn't.

[Freeipa-users] dirsrv will not start, tried cp dse.ldif.startOK to dse.ldif but issue remains.

2017-07-14 Thread email--- via FreeIPA-users
IPA Users, I'm not sure when the last time this service was running/working, any ideas are appreciated. IPA Version: ipa-server-4.4.0-14.el7.centos.7.x86_64 ipa-server-upgrade Upgrading IPA: [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]:

[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Prasun Gera via FreeIPA-users
The only thing I would be interested in knowing is if there is a performance penalty to mounting NFS locally. Ideally, it should be smart enough to know that, but I'm not sure if it is. On 14 Jul 2017 6:08 pm, "Petros Triantafyllidis" wrote: > Thanks a lot for replying, > Yes,

[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Jochen Hein via FreeIPA-users
Prasun Gera via FreeIPA-users writes: > The only thing I would be interested in knowing is if there is a > performance penalty to mounting NFS locally. Ideally, it should be smart > enough to know that, but I'm not sure if it is. On my NFS server /home is a

[Freeipa-users] Re: Replication and SSL certs

2017-07-14 Thread Mark Haney via FreeIPA-users
On 07/13/2017 09:57 PM, Fraser Tweedale wrote: OK, I think I understand. ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been set up with a certificate issued by the IPA CA, which your browser does not trust. There are two ways forward here: 1. You can use