[Freeipa-users] Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-23 Thread Aaron Hicks via FreeIPA-users
Hello the FreeIPA List, We've got a FreeIPA directory set up and running. That's all good. The difficult part is that we also have a number (many) of SLE 12 SP2 hosts that need to be enrolled. I can see that the freeipa-client package has not been available to SLE/SUSE since 2015 or

[Freeipa-users] PWM and FreeIPA integration

2017-11-14 Thread Aaron Hicks via FreeIPA-users
Hello the FreeIPA List, So as using the FreeIPA API and using LDAP directly to set existing users' passwords (because they don't yet have one) didn't work, we've set up PWM by mostly following this gist: https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a This has worked,

[Freeipa-users] Re: Creating a permission to manage OTP Tokens

2017-11-28 Thread Aaron Hicks via FreeIPA-users
Hello the list, After ignoring things, this now _works_ $ kinit helpagent Password for helpag...@test.org: $ ipa otptoken-find 2 OTP tokens matched Unique ID: otpuser1 Type: TOTP Owner: otpuser1 Unique ID: otpuser2 Type: TOTP

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-28 Thread Aaron Hicks via FreeIPA-users
Oh, this requires the pam_krb5 package :P Get Outlook for iOS From: Aaron Hicks Sent: Tuesday, November 28, 2017 2:28:15 PM To: 'FreeIPA users list' Cc: 'Sumit Bose' Subject: RE: [Freeipa-users] Re: Expired

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-23 Thread Aaron Hicks via FreeIPA-users
Hello the list, It's here: https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395 SSSD is not doing its job properly when a user has an expired password and an OTP token, and they should reset their password at the ssh prompt. When a user has an expired password it

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the List, > > > > This turned out to be a workflow issue, we still have a problem but > this first use case works. > > > > In the case of a user with an invalid password (none or expired)

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
PM To: freeipa-users@lists.fedorahosted.org Cc: Sumit Bose <sb...@redhat.com> Subject: [Freeipa-users] Re: Expired passwords and generating an OTP token On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the List, > > > > This turned

[Freeipa-users] Re: Creating a permission to manage OTP Tokens

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Sadly no, another person had been creating OTP tokens with the helpagent. These were tokens owned by the helpagent, but with other users' names. From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] Sent: Thursday, 23 November 2017 4:00 PM To: 'freeipa-users@lists.fedorahosted.org'

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list, We've kept at this today and this is what we think we are seeing: * Preauth is detecting that a user has an expired password and a token, so discards the token and just asks for password * Password check succeeds and hands to the password change process (maybe

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the list, The next bit of information is that the passwd command itself is broken when a user has an OTP token set. $ passwd Changing password for user otpuser1. Current Password: passwd: Authentication token manipulation error $ passwd Changing password for user otpuser1.

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hi Sumit, I sent those to you directly as I wasn’t comfortable posting them to the list. Regards, Aaron Get Outlook for iOS From: Sumit Bose Sent: Wednesday, November 22, 2017 10:19:34 PM To: Aaron Hicks Cc: 'FreeIPA

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-27 Thread Aaron Hicks via FreeIPA-users
Hello the List, We have a workaround, but it is not entirely satisfactory, we change /etc/pam.d/password-auth-ac password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Aaron Hicks via FreeIPA-users
Hello the List, A couple of new things to this problem, when a user has an expired password and a valid OTP token, the password reset process is broken on all machines at the ssh prompt. Even the ones that do not require 2FA. Feedback so far from Sumit indicates this is incorrect

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread Aaron Hicks via FreeIPA-users
the ipa-client tools, had to be done on the IPA server and delivered via SCP) and the problem was resolved. Regards, Aaron From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] Sent: Monday, 4 December 2017 2:51 PM To: 'Aaron Hicks via FreeIPA-users' <freeipa-users@lists.fedorahosted.

[Freeipa-users] Case insensitivity issues

2017-12-12 Thread Aaron Hicks via FreeIPA-users
Hello the group, We have a script that keeps things like user names and group descriptions in sync with our customer management system, and mostly this is great, but the FreeIPA API is very case insensitive. If we have someone update their surname to fix capitalization (e.g. update "De

[Freeipa-users] Re: Enabling two-factor by host

2017-11-20 Thread Aaron Hicks via FreeIPA-users
r by host On Fri, Nov 17, 2017 at 04:09:01AM +, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > Is it possible to enable two-factor authentication using Google Authenticator > on FreeIPA on specific hosts or groups of hosts? > > Alternatively, are there any recommen

[Freeipa-users] Re: Enabling two-factor by host

2017-11-19 Thread Aaron Hicks via FreeIPA-users
<sb...@redhat.com> Subject: [Freeipa-users] Re: Enabling two-factor by host On Fri, Nov 17, 2017 at 04:09:01AM +, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > Is it possible to enable two-factor authentication using Google Authenticator > on FreeIPA on specif

[Freeipa-users] Re: Enabling two-factor by host

2017-11-19 Thread Aaron Hicks via FreeIPA-users
ay, 17 November 2017 9:06 PM To: freeipa-users@lists.fedorahosted.org Cc: Sumit Bose <sb...@redhat.com> Subject: [Freeipa-users] Re: Enabling two-factor by host On Fri, Nov 17, 2017 at 04:09:01AM +, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > Is it possible

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-21 Thread Aaron Hicks via FreeIPA-users
Hello the List, This turned out to be a workflow issue, we still have a problem but this first use case works. In the case of a user with an invalid password (none or expired) with no OTP token they can reset their password and ask IPA to create an OTP token for them. 1. Helpdesk

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-21 Thread Aaron Hicks via FreeIPA-users
Hi the list. I'd consider creating a permission with permission-add, but there is no token object type. [hicksaw@hpch2fa02 ~]$ ipa permission-add mangage-otptoken --right=all --bindtype=permission --type=token ipa: ERROR: invalid 'type': "token" is not an object type Even though

[Freeipa-users] Enabling two-factor by host

2017-11-16 Thread Aaron Hicks via FreeIPA-users
Hello the list, Is it possible to enable two-factor authentication using Google Authenticator on FreeIPA on specific hosts or groups of hosts? Alternatively, are there any recommendations on modifying the PAM configuration on these 2FA required machines to grab the OTP token from FreeIPA when

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-05 Thread Aaron Hicks via FreeIPA-users
s] Searching for user by extended attribute On pe, 03 marras 2017, Aaron Hicks via FreeIPA-users wrote: >Hi all, > > > >We've added two objectclasses to the default user in our FreeIPA instance. >We're able to set and modify them fine, however we need two additional >functio

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-05 Thread Aaron Hicks via FreeIPA-users
ers@lists.fedorahosted.org> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz> Subject: Re: [Freeipa-users] Searching for user by extended attribute On pe, 03 marras 2017, Aaron Hicks via FreeIPA-users wrote: >Hi all, > > > >We've added two objectclasses to the default user in our Fr

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-05 Thread Aaron Hicks via FreeIPA-users
t;freeipa-users@lists.fedorahosted.org> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz> Subject: Re: [Freeipa-users] Searching for user by extended attribute On pe, 03 marras 2017, Aaron Hicks via FreeIPA-users wrote: >Hi all, > > > >We've added two objectclasses to the default user in our FreeIPA

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
okovoy <aboko...@redhat.com> Sent: Monday, November 6, 2017 8:14:29 PM To: FreeIPA users list Cc: Aaron Hicks Subject: Re: [Freeipa-users] Re: Searching for user by extended attribute On ma, 06 marras 2017, Aaron Hicks via FreeIPA-users wrote: >Hi everyone, > >This seems to be a fl

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
aka.ms/o0ukef> From: Alexander Bokovoy <aboko...@redhat.com> Sent: Monday, November 6, 2017 8:08:23 PM To: FreeIPA users list Cc: Aaron Hicks Subject: Re: [Freeipa-users] Re: Searching for user by extended attribute On ma, 06 marras 2017, Aaron Hicks via FreeIPA-users wro

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
--- >> *From:* Alexander Bokovoy <aboko...@redhat.com> >> *Sent:* Monday, November 6, 2017 8:14:29 PM >> *To:* FreeIPA users list >> *Cc:* Aaron Hicks >> *Subject:* Re: [Freeipa-users] Re: Searching for user by extended attribute >> >> On ma, 06 marra

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
--- >> *From:* Alexander Bokovoy <aboko...@redhat.com <mailto:aboko...@redhat.com> > >> *Sent:* Monday, November 6, 2017 8:14:29 PM >> *To:* FreeIPA users list >> *Cc:* Aaron Hicks >> *Subject:* Re: [Freeipa-users] Re: Sear

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
o0ukef> > >From: Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com> > >Sent: Tuesday, November 7, 2017 8:31:31 AM >To: FreeIPA users list; Alexander Bokovoy >Cc: Aaron Hicks >Subject: Re: [Freeipa-users] Re: Searching for

[Freeipa-users] Re: Searching for user by extended attribute

2017-11-06 Thread Aaron Hicks via FreeIPA-users
Re: [Freeipa-users] Re: Searching for user by extended attribute Aaron Hicks via FreeIPA-users wrote: > Sorry, this does not address that the REST API is giving a different > response than the command line or built in Python API. > > This behaviour is unexpected and not described in

[Freeipa-users] Searching for user by extended attribute

2017-11-02 Thread Aaron Hicks via FreeIPA-users
Hi all, We've added two objectclasses to the default user in our FreeIPA instance. We're able to set and modify them fine, however we need two additional functions. We need two additional attributes auedupersonsharedtoken and edupersonprinciplename to be included in the user attributes

[Freeipa-users] Using user-mod to set a hashed password

2017-11-06 Thread Aaron Hicks via FreeIPA-users
Hello the list, The next terrible bad thing our customer service model says we'd like to do with FreeIPA is set user passwords from our customer management system. It's not AD and it's not LDAP. It does have a store of salted hashed sha512 passwords. I have set the FreeIPA directory in

[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell

2017-12-01 Thread Aaron Hicks via FreeIPA-users
enabled password sufficient pam_krb5.so chpw_prompt=true use_authok debug=true [banner=Retype old] password required pam_deny.so -Original Message- From: Jochen Hein [mailto:joc...@jochen.org] Sent: Wednesday, 29 November 2017 6:37 PM To: Aaron Hicks via FreeIPA-users <free

[Freeipa-users] Unable to create GSSAPI-encrypted LDAP connection

2017-12-03 Thread Aaron Hicks via FreeIPA-users
Hello the list, I've seen this issue on the list several times, but I've not yet seen a solution posted. We're having this issue on one of our SLES 12 SP2 hosts (our other SLES hosts are fine); we're seeing this error when users try to log in, they just keep getting the Password: prompt

[Freeipa-users] User's personal group not resolving

2017-12-05 Thread Aaron Hicks via FreeIPA-users
Hello the list, We imported all our users with uidnumbers from our old LDAP, but their gidNumber was from 4 groups. This caused us issues with users wanting to grant access to personal spaces to one user, but instead granting access to all the members of the group. To resolve this, when

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
reeipa-users@lists.fedorahosted.org Cc: Sumit Bose Subject: [Freeipa-users] Re: FreeIPA connection limits? On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > We've got a number (hundreds) of hosts inside a private network, th

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
s working? I mean, suppose there is no reply from the IPA server, it should use the local cache for existing users. 2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>>: Hello the list, We've got a nu

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Aaron Hicks via FreeIPA-users
Sent: Monday, December 11, 2017 7:54:45 PM To: FreeIPA users list Cc: Aaron Hicks Subject: Re: [Freeipa-users] FreeIPA connection limits? Is sssd caching of privileges working? I mean, suppose there is no reply from the IPA server, it should use the local cache for existing users. 2017-12-11 0:

[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
day, 7 December 2017 3:59 AM To: FreeIPA users list <freeipa-users@lists.fedorahosted.org> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz> Subject: Re: [Freeipa-users] User's personal group not resolving Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > We impor

[Freeipa-users] Re: User's personal group not resolving

2017-12-06 Thread Aaron Hicks via FreeIPA-users
.hi...@nesi.org.nz> > Subject: Re: [Freeipa-users] User's personal group not resolving > > Aaron Hicks via FreeIPA-users wrote: >> Hello the list, >> >> >> >> We imported all our users with uidnumbers from our old LDAP, but >> their gidNumber was f

[Freeipa-users] FreeIPA connection limits?

2017-12-10 Thread Aaron Hicks via FreeIPA-users
Hello the list, We've got a number (hundreds) of hosts inside a private network, these all query the FreeIPA server for user and group information using NAT and a gateway server. However we're having issues with the LDAP queries timing out or becoming unresponsive. Is there a limit on

[Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA

2017-10-29 Thread Aaron Hicks via FreeIPA-users
gt; Cc: Aaron Hicks <aaron.hi...@nesi.org.nz> Subject: Re: [Freeipa-users] Re: Enrolling SLE 12 SP2 hosts with FreeIPA Aaron Hicks via FreeIPA-users wrote: > Hi Simo, > >> Use ipa-getkeytab on an admin workstation, then securely transfer the keytab >> to the serv

[Freeipa-users] FreeIPA API dynamic inventory script for Ansible, Ansible AWX, and Ansible Tower

2018-06-14 Thread Aaron Hicks via FreeIPA-users
Hello the list, I thought I'd share this with you, it's a dynamic inventory script that uses the FreeIPA API to populate the Ansible inventory. I'm using it in AWX, but I expect it'll work with Ansible and RedHat Ansible Tower

[Freeipa-users] Re: api scripts

2017-12-21 Thread Aaron Hicks via FreeIPA-users
Hi Andrew and Jens, I’ve been using python-freeipa https://github.com/opennode/python-freeipa https://pypi.python.org/pypi/python-freeipa/0.1.2 So… from python_freeipa import Client from configuration import config, args # a thing that processes args and configparser config

[Freeipa-users] Creating CA replica fails

2018-08-01 Thread Aaron Hicks via FreeIPA-users
Hello the List, I'm successfully replicating IPA and DNS across two sites, however when I try and replicate CA it fails: [root@ipa01 pki]# ipa-ca-install Directory Manager (existing master) password: Run connection check to master Connection check OK

[Freeipa-users] Re: Creating CA replica fails

2018-08-02 Thread Aaron Hicks via FreeIPA-users
og/pki/pki-tomcat/ca/debug from both the replica (if it exists) and the master. Thanks, Fraser On Thu, Aug 02, 2018 at 05:03:54PM +1200, Aaron Hicks via FreeIPA-users wrote: > Hello the List, > > > > I'm successfully replicating IPA and DNS across two sites, however >

[Freeipa-users] sftp file browser causes 4 (System Error)

2018-09-10 Thread Aaron Hicks via FreeIPA-users
Hello the list, We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a client and FreeIPA 4.5.4 (ok, it's really RHIdM) We had a lot of users having issues logging in and/or resetting their passwords on a host with 2FA enabled, and it turns out when they're using an