[Freeipa-users] Re: WebGui Cert back to selfsigned

2017-11-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/2017 06:41 PM, Matt . via FreeIPA-users wrote: Hi Guys, Is there a proven way to set the WebGui cert back to a self signed one ? I have installed an expired 3rd party certificate and want to move back to a selfsigned cert and later on to a letsEncrypt one. Setting back the time before

[Freeipa-users] adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
So i'm trying to add FreeRADIUS as a service to my IPA setup.  I've added the service using --force and i'm trying to get the keytab for it but getting the following error: [root@asm-rancid02 keytabs]# ipa-getkeytab -s asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k

[Freeipa-users] Re: adding service

2017-11-20 Thread Robbie Harwood via FreeIPA-users
Andrew Meyer via FreeIPA-users writes: > [root@asm-rancid02 keytabs]# ipa-getkeytab -s > asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k > /etc/krb5.keytab > Unable to initialize STARTTLS session > Failed to bind to server! > Retrying with pre-4.0 keytab retrieval

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Not connecting to the FreeIPA server? On Monday, November 20, 2017 4:36 PM, Robbie Harwood via FreeIPA-users wrote: Andrew Meyer via FreeIPA-users writes: > [root@asm-rancid02 keytabs]# ipa-getkeytab -s > asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k

[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Robbie Harwood via FreeIPA-users wrote: > Andrew Meyer via FreeIPA-users > writes: > >> [root@asm-rancid02 keytabs]# ipa-getkeytab -s >> asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local >> -k /etc/krb5.keytab >> Unable to initialize STARTTLS session >> Failed to bind t

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H ldap://asm-dns01.meyer.local -b '' -s base vendorName
version: 1
dn:
vendorName: 389 Project
[andrew.meyer@asm-rancid02 ~]$
[andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p 'radiusd/asm-rancid02.mgt.asm.borg.local' -s asm-rancid02.mgt.asm.borg.

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Do I need to do any of this:
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user --right=read
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service rea

[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote: > [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H > ldap://asm-dns01.meyer.local -b '' -s base vendorName > version: 1 > > dn: > vendorName: 389 Project > > [andrew.meyer@asm-rancid02 ~]$ > > [andrew.meyer@asm-rancid02 ~]$ ipa-getkeytab -p > 'radiusd/asm-rancid02.mgt.

[Freeipa-users] Re: Enabling two-factor by host

2017-11-20 Thread Aaron Hicks via FreeIPA-users
Hello the list, I think pam/sssd is not authenticating correctly This is what the login sequence looks like when the otp auth indicator is set on the host, and default user auth is password and otp: ssh user@test2fa01 user@test2fa01's password: user@test2fa01's password: user@test2fa01's passwo

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
my host is asm-dns01.meyer.local  On Monday, November 20, 2017 4:57 PM, Rob Crittenden wrote: Andrew Meyer wrote: > [andrew.meyer@asm-rancid02 ~]$ ldapsearch -LL -x -ZZ -H > ldap://asm-dns01.meyer.local -b '' -s base vendorName > version: 1 > > dn: > vendorName: 389 Project > > [andre

[Freeipa-users] Re: adding service

2017-11-20 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote: > my host is asm-dns01.meyer.local That didn't answer the question. The question was which host is an IPA master? The -s argument of ipa-getkeytab should be an IPA master. Near as I can tell you used the host you want to generate the keytab for and not an IPA master. rob >

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
My apologies.  asm-dns01.meyer.local is my FreeIPA master. On Monday, November 20, 2017 5:46 PM, Rob Crittenden via FreeIPA-users wrote: Andrew Meyer wrote: > my host is asm-dns01.meyer.local That didn't answer the question. The question was which host is an IPA master? The -s argume

[Freeipa-users] Re: Enabling two-factor by host

2017-11-20 Thread Aaron Hicks via FreeIPA-users
When assuming the user as a regular user we get a "Correct" response, so pam and sssd are not co-operating: [user2@test2fa01 ~]$ su - user First Factor: Second Factor (optional): Last login: Mon Nov 20 04:23:17 UTC 2017 from laptop.local on pts/0 Last failed login: Mon Nov 20 23:27:17 UTC 2017 f

[Freeipa-users] Re: Enabling two-factor by host

2017-11-20 Thread Aaron Hicks via FreeIPA-users
I think pam/sssd is not authenticating correctly This is what the login sequence looks like when the otp auth indicator is set on the host, and default user auth is password and otp: ssh user@test2fa01 user@test2fa01's password: user@test2fa01's password: user@test2fa01's password: First Factor:

[Freeipa-users] Re: Enabling two-factor by host

2017-11-20 Thread Aaron Hicks via FreeIPA-users
I found it, it was in /etc/ssh/sshd_config This requires in the sshd config: ChallengeResponseAuthentication yes AuthenticationMethods keyboard-interactive We now can enable 2FA on a per-host basis. -Original Message- From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] Sent: Tuesday, 21

[Freeipa-users] Re: adding service

2017-11-20 Thread Andrew Meyer via FreeIPA-users
I think I figured it out.  When I issue the command to get the keytab I'm exporting and I was trying to overwrite the /etc/krb5.keytab file. I was not running this as root rather as a regular user.  Should I overwrite the default krb5.keytab file?   I'm working on documenting all of my steps. Th

[Freeipa-users] adding puppet to FreeIPA

2017-11-20 Thread Andrew Meyer via FreeIPA-users
Ok now I am trying to add puppet to my FreeIPA environment.  Following the instructions from:  https://www.freeipa.org/page/Howto/Using_FreeIPA_CA_for_Puppet I am getting the following error:
[root@asm-automation01 ~]# ipa service-add puppetmaster/asm-automation01.mgt.asm.borg.local
ipa: ERROR: H

[Freeipa-users] Expired passwords and generating an OTP token

2017-11-20 Thread Aaron Hicks via FreeIPA-users
Hello the list, I think this is the last thing to make our terrible user management model work. With a helpdesk role via the REST API we can reset a user's password, which is expired, because this is the right thing to do. These users are expected to log into a node with 2FA using an OTP token

[Freeipa-users] Autentification in application with freeipa

2017-11-20 Thread Николай Савельев via FreeIPA-users
Hi. I asked about Owncloud, Zimbra, etc authentication in freeipa with AD trust. I was offered to use SAML. But I don't understand SAML. It is very difficult for me. I only want to use LDAP for authentication as in this article https://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA Or this

[Freeipa-users] Invalid ticket for NFS4 mount

2017-11-20 Thread Ray via FreeIPA-users
Hi, yesterday I noticed a strange issue on a CentOS 7 client running ipa-client-4.5.0-21.el7.centos.2.2.x86_64: My daughter tried to log in to the machine and was kicked out again after GNOME failed to load (/home on kerberized NFS4). Closer inspection showed that she had no permission to ac