[Freeipa-users] sebastien.toulmo...@proximus.com

2019-10-10 Thread SPC/DCS

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-10 Thread lejeczek via FreeIPA-users
On 01/10/2019 02:21, Fraser Tweedale wrote: > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: >> On 09/09/2019 01:07, Fraser Tweedale wrote: >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote: hi guys, how to manage those?

[Freeipa-users] How to change the timeout of 60 seconds on the login with AD users

2019-10-10 Thread SOLER SANGUESA Miguel via FreeIPA-users
Hi, Thanks for the tip. I try to login executing: ssh -l USER@AD.DOMAIN HOSTNAME Unfortunately I have tested with: LOGIN_TIMEOUT 90 And also changing on sshd_conf: LogLevel DEBUG3 ClientAliveInterval 600 LoginGraceTime 600 ClientAliveCountMax 3 And on sssd.conf:

[Freeipa-users] Can't resolve external users on clients, but I can on servers

2019-10-10 Thread S Toulmonde via FreeIPA-users
Hi, I set up an IPA realm (under rhel7) with a trust relationship to a Windows domain. All users in AD have an idoverride to override uid and gid. Originally, everything was working like expected: servers could resolve IPA and external (trusted) users, I could create kerberos tickets, log-in via

[Freeipa-users] DNS - classless/subnet reverse zones ?

2019-10-10 Thread lejeczek via FreeIPA-users
hi guys, when I try to add a zone: $ ipa dnszone-add --name-from-ip=10.5.4.128/25 Zone name [4.5.10.in-addr.arpa.]: I see the above. Is what IPA does there correct? Or... what is the recipe for a classless/subnet reverse zone creation? many thanks, L.

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kees Bakker via FreeIPA-users
On 10-10-19 14:35, Rob Crittenden via FreeIPA-users wrote Kevin Vasko via FreeIPA-users wrote: How would I validate that certs are getting added properly on a CentOS machine system wide store? I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS. On Fedora

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
Kees Bakker, If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu 18.04 and based on Rob's comment it might not be done if I'm understanding him correctly. -Kevin On Thu, Oct 10, 2019 at 8:19 AM Kees Bakker via FreeIPA-users wrote: > > On 10-10-19 14:35, Rob Crittenden via

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
I actually manually checked the system wide crt files on each distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my /etc/ipa/ca.crt did appear to be in each of their respective *.crt files. That indicates to me that there isn't any problem with the ipa-install-client on any of

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote: > How would I validate that certs are getting added properly on a CentOS > machine system wide store? > > I’m going to test it today to find out if this is a problem unique to > Ubuntu/CentOS. On Fedora the chain is put into

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
How would I validate that certs are getting added properly on a CentOS machine system wide store? I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS. -Kevin > On Oct 9, 2019, at 10:44 PM, Fraser Tweedale wrote: > > On Wed, Oct 09, 2019 at 08:58:14PM

[Freeipa-users] Re: DNS - classless/subnet reverse zones ?

2019-10-10 Thread Vinícius Ferrão via FreeIPA-users
Hello, IPA utilizes BIND in the backend, so have you tried to create the subzone with the way BIND expects? 0-31.0.168.192.in-addr.arpa. This one is for /27 for instance. Modify it for your needs and see if it works. Never tried this myself but it's worth checking. On 10

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote: > Kees Bakker, > > If it is, I'm certainly not seeing it done on Ubuntu 16.04 or Ubuntu > 18.04 and based on Rob's comment it might not be done if I'm > understanding him correctly. Assuming I'm reading the code right it is not being executed on

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-10 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 10, 2019 at 10:21:12AM -, S Toulmonde via FreeIPA-users wrote: > Hi, I set up an IPA realm (under rhel7) with a trust relationship to a > Windows domain. All users in AD have an idoverride to override uid and gid. > Originally, everything was working like expected: servers could

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko wrote: Alexander, Unless I'm misunderstanding the information I don't think it will matter though because Firefox and Chrome use their own certificate stores. I found that information after I posted this question. Speaking specifically for firefox (and Chrome

[Freeipa-users] Where does the "admin" user get its privileges from?

2019-10-10 Thread Russell Jones via FreeIPA-users
Hi all, I am still exploring my default setup, and have noticed that while the "admin" user is a part of the admins and trust admins group, neither the user nor those groups have any roles defined on them that I can see. Where is this special username getting its permissions from? Thanks for

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko via FreeIPA-users wrote: I actually manually checked the system wide crt files on each distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my /etc/ipa/ca.crt did appear to be in each of their respective *.crt files. That indicates to me that

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
Alexander, Unless I'm misunderstanding the information I don't think it will matter though because Firefox and Chrome use their own certificate stores. I found that information after I posted this question. Speaking specifically for firefox (and Chrome looks to be similar)...I'm concluding that

[Freeipa-users] Re: Where does the "admin" user get its privileges from?

2019-10-10 Thread Russell Jones via FreeIPA-users
Ah I see now. Adding --raw to the end of the privilege-show CLI command shows me that the admins group is a member of that privilege. Thank you! On Thu, Oct 10, 2019 at 10:36 AM Rob Crittenden wrote: > Russell Jones via FreeIPA-users wrote: > > Hi all, > > > > I am still exploring my default

[Freeipa-users] Re: Where does the "admin" user get its privileges from?

2019-10-10 Thread Rob Crittenden via FreeIPA-users
Russell Jones via FreeIPA-users wrote: > Hi all, > > I am still exploring my default setup, and have noticed that while the > "admin" user is a part of the admins and trust admins group, neither the > user nor those groups have any roles defined on them that I can see. > > Where is this special

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
So you are saying that if the p11-kit-trust module is available it should be automatically adding the system wide trust store into the internal Firefox cert store? This is the output of my commands. I have the cert store that's created in my home directory. But there is no p11-kit-proxy do I have to

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 10 Oct 2019, Kevin Vasko wrote: So I went back and read, reread, studied what you wrote and I think I’m following you. I’m really unfamiliar with certs and the tools around it so forgive the ignorance. So what I ended up doing is spinning up a CentOS7 VM and installing everything on it,

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
So I went back and read, reread, studied what you wrote and I think I’m following you. I’m really unfamiliar with certs and the tools around it so forgive the ignorance. So what I ended up doing is spinning up a CentOS7 VM and installing everything on it, adding it to the FreeIPA realm etc.

[Freeipa-users] Re: IPA's Certs - country, state, organization ?

2019-10-10 Thread Fraser Tweedale via FreeIPA-users
On Thu, Oct 10, 2019 at 12:09:48PM +0100, lejeczek via FreeIPA-users wrote: > On 01/10/2019 02:21, Fraser Tweedale wrote: > > On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote: > >> On 09/09/2019 01:07, Fraser Tweedale wrote: > >>> On Fri, Sep 06, 2019 at 12:01:23PM +0100,