[Freeipa-users] Re: AD trust setup woes

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Igor Sever via FreeIPA-users wrote: I didn't specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can't remember that ever being mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Petr Fišer via FreeIPA-users wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-14 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks wrote: It is example.com and ad.example.com, but all DNS is handled by an external server so I assumed neither was a subdomain. I don't understand DNS much and it seems to work just fine with Fedora 25 ipa clients and ad users. Which DNS server handles DNS zones

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-15 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks via FreeIPA-users wrote: So we just got lucky with the fedora 25 systems? If we move the Linux system to host.ipa.example.com and leave the Windows stuff as ad.example.com we should be fine? Yes, as long as AD is not a sub-domain of IPA in terms of AD domain +

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-15 Thread Alexander Bokovoy via FreeIPA-users
ipa-users@lists.fedorahosted.org> wrote: > On 12 Aug 2017, at 20:14, Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > To close this thread, I helped Alexandre on the IRC. The basic issue is > that one needs to plan domain space carefull

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Sameer Gurung via FreeIPA-users wrote: Hi All, I have a network consisting of both windows and linux clients running windows server 2008 (active directory) and centos 7 (freeipa). Obviously, the windows clients authenticate against the *AD DC* *(domain windows.foo)* and the

[Freeipa-users] Re: Unable to access web-ui after FreeIPA 4.4 to 4.5 upgrade.

2017-08-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Troels Hansen via FreeIPA-users wrote: Hi, we just upgraded one of our FreeIPA 4.4 to FreeIPA 4.5 (running on RHEL) and wanted to put this here before creating a bug report with RedHat. After upgrading we are unable to log into web-ui but everything else seems to be

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On ke, 09 elo 2017, Jakub Hrozek via FreeIPA-users wrote: On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: If your hosts are in the IPA subdomain, then I would have expected centos.ipa.ad.com The centos client has a hostname set to

[Freeipa-users] Re: FreeIPA client offline with sudo

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On to, 10 elo 2017, Matthew Carter via FreeIPA-users wrote: The client machines on my network from time to time get brought to another network and plugged in to test programs that are being developed. In the past this hasn't been an issue as it's usually a short stay and thus the kerberos key

[Freeipa-users] Re: remove ipa-dns-server ?

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On ti, 08 elo 2017, Günther J. Niederwimmer via FreeIPA-users wrote: Hello, CentOS 7.3 what is the best way to remove an installed ipa-dns-server? I can't find any helpful docs for this, only for installing the server I found docs. No, we don't have any particular means to uninstall

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote: Hi Fraser, On Fri, 11 Aug 2017 18:48:29 +1000 Fraser Tweedale via FreeIPA-users wrote: On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote: > >

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-14 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks wrote: No, the IPA and AD domains are separate, but do have a cross-trust. We are running IPA 4.4. This all works fine on Fedora 25 systems. Can you be more specific? In your logs below you choose ad.example.com and example.com. This is known to not work. If

[Freeipa-users] Re: IPA <-> Samba AD trust issue

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Yuri Moens via FreeIPA-users wrote: The previous error_log I attached was already created with log level = 100. I've tried to run the command again and attached the log file again but it seems to be pretty much the same. I see in the logs that it fails at the verification

[Freeipa-users] Re: Authenticating users with a different UPN suffix in an AD trust configuration

2017-07-06 Thread Alexander Bokovoy via FreeIPA-users
On to, 06 heinä 2017, Robert Sturrock wrote: Hi Alexander, On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy wrote: Can you show 'ipa trust-show staff.localdomain'? It should have a list of additional name suffixes we derive from the AD forest trust. After releasing 4.4.x we

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Alexander Bokovoy via FreeIPA-users
On ke, 02 elo 2017, Igor Sever via FreeIPA-users wrote: There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I...

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-04 Thread Alexander Bokovoy via FreeIPA-users
On pe, 04 elo 2017, Kristian Petersen wrote: If it helps, the python file where we customized things is included below: # Place in /usr/lib/python2.7/site-packages/ipalib/plugins/ Ok, this is location for pre-4.5 plugins. With FreeIPA 4.5 we split them into ipaserver/plugins and

[Freeipa-users] Re: IPA <-> Samba AD trust issue

2017-08-04 Thread Alexander Bokovoy via FreeIPA-users
On pe, 04 elo 2017, Yuri Moens via FreeIPA-users wrote: Hi I'm currently trying to setup a trust between IPA and Samba AD but I keep running into some issues. IPA is running on CentOS 7 VERSION: 4.4.0, API_VERSION: 2.213 ipa01.cloud.ymo.lab, Netbios CLOUD, domain cloud.ymo.lab Samba is

[Freeipa-users] Re: Samba update can't read NT Hash

2017-08-22 Thread Alexander Bokovoy via FreeIPA-users
On to, 17 elo 2017, Alexander Bokovoy via FreeIPA-users wrote: - Original Message - Yesterday we updated our fileserver to bring it up to the newest kernel. At the same time it update the ipa-client and samba. After the update was finished our ability to access the shared resources

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: Well, I posted the httpd error.log in the very beginning; that is how I started the conversation. It did not have enough details I was looking for. Now it does but you didn't provide corresponding non-abbreviated gssproxy logs, sorry.

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: I have reproduced what you requested below. Each line where you see Client connected is my attempt to login via web UI. As you can see there are no issues, at least from what I read/see. Just to repeat what I said at the beginning of my

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur wrote: Yeah sorry, the debug logs were not included originally. Re to RPMs, I have removed all dupes, they were many. All is clean now and the system is up to date. Attached is the ipa.conf file. Alias for /session/cookie is missing in it. You can see a

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Alexander Bokovoy via FreeIPA-users wrote: On pe, 18 elo 2017, Stefan Uygur wrote: Yeah sorry, the debug logs were not included originally. Re to RPMs, I have removed all dupes, they were many. All is clean now and the system is up to date. Attached is the ipa.conf file

[Freeipa-users] Re: Samba update can't read NT Hash

2017-08-17 Thread Alexander Bokovoy via FreeIPA-users
- Original Message - > > > Yesterday we updated our fileserver to bring it up to the newest kernel. At > the same time it updated the ipa-client and samba. After the update was > finished our ability to access the shared resources on the fileserver > disappeared. After some very careful

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
ly related to the technology of the trust. BTW, I reproduced the original issue in a lab at the interop here at Microsoft HQ and I'm going to talk to Microsoft guys to find out what is happening there in reality. Rob Johnson On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
On ti, 20 kesä 2017, Tiemen Ruiten via FreeIPA-users wrote: Please see the attached screenshot for the Trust settings, and thank you for your time. Thanks. I'm not sure why that is happening even for the immediate forest root domain that i.rdmedia.com is. I'll check with Microsoft doc help team

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
On ke, 21 kesä 2017, Alexander Bokovoy via FreeIPA-users wrote: On ke, 21 kesä 2017, Robert Johnson via FreeIPA-users wrote: For what it's worth, I dug through my emails with Red Hat tech support and this is what we got back from the Identity Management support team: --- I did some

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
is equivalent of krb5.conf's [domain_realm] section and is not really related to the technology of the trust. BTW, I reproduced the original issue in a lab at the interop here at Microsoft HQ and I'm going to talk to Microsoft guys to find out what is happening there in reality. Rob Johnson On

[Freeipa-users] Re: LDAP + Nextcloud -> retrieve Mailfield

2017-06-22 Thread Alexander Bokovoy via FreeIPA-users
On to, 22 kesä 2017, Rob Crittenden via FreeIPA-users wrote: Jens Laufer via FreeIPA-users wrote: Hello, I am very happy that I got nextcloud connected to freeipa over ldap. It seems to work nearly perfectly now, the only thing I can't get to work is to pull the mail from freeipa and add it to

[Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

2017-05-23 Thread Alexander Bokovoy via FreeIPA-users
On ti, 23 touko 2017, Prasun Gera via FreeIPA-users wrote: I posted this in the earlier thread, but didn't get a response. I was able to fix this on the master, but "getcert list -d /etc/httpd/alias -n "Server-Cert" on the replica doesn't return anything. Are the replica's SSL certs handled

[Freeipa-users] Re: 4.5.0+ Rhel 7 support

2017-05-24 Thread Alexander Bokovoy via FreeIPA-users
On ke, 24 touko 2017, Troels Hansen via FreeIPA-users wrote: - On May 23, 2017, at 10:09 PM, Arpit Tolani via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: Hello A bugzilla for the same is already open https://bugzilla.redhat.com/show_bug.cgi?id=1392858 From the current

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Alexander Bokovoy via FreeIPA-users
On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote: Hi there, our IPA servers' https port is exposed to internet. I wanted to restrict access to Web UI by requesting a user certificate issued by IPA and enabling Apache setting "NSSVerifyClient require" (or "optional") in

[Freeipa-users] Re: IPA and CM?

2017-06-02 Thread Alexander Bokovoy via FreeIPA-users
On pe, 02 kesä 2017, Simo Sorce via FreeIPA-users wrote: On Fri, 2017-06-02 at 10:10 -0500, Kat wrote: Hi Simo, I understand the mechanics of the error, however, when you are trying to configure Cloudera Manager with IPA, the configuration/setup process fails with the error (and it shows in

[Freeipa-users] Re: Compat tree question

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: Red Hat Enterprise Linux Server release 7.3 ipa-server-4.4.0-14.el7_3.4.x86_64 389-ds-base-1.3.5.10-15.el7_3.x86_64 sssd-1.14.0-43.el7_3.11.x86_64 When looking at entries in the "cn=groups,cn=compat" tree, I noticed that the entries

[Freeipa-users] Re: Establish Kerberos trust to non AD server running MIT Kerberos

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Andrey Ptashnik via FreeIPA-users wrote: Team, What will be the correct procedure to establish a kerberos trust to a non-Active Directory server running MIT Kerberos? This is something we do not officially support, but see https://bugzilla.redhat.com/show_bug.cgi?id=1035494#c16

[Freeipa-users] Re: Compat tree question

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: Is there an option in SSSD or the plugin to turn off the normalization? No. But as I said, you are not supposed to use all capital fqdn. You need to use your user/group name as it is. id user@ad.realm kinit user@AD.REALM are two

[Freeipa-users] Re: Do keytabs expire?

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Hi, today I found out that some entries in a keytab file seemed to have expired: Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno 4 not found in keytab; keytab is likely out of date Fetching the keytab again

[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Gady Notrica via FreeIPA-users wrote: I am going to try now. Any workaround for people that don't want to have IPv6? On IPA servers? IPA masters must have IPv6 stack enabled in the kernel. You may opt to not assign IP addresses to the interfaces but we do rely on

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result. Care to explain that with some other policy? Even then, DOWNLOADING the RPM still will not install. Is there a policy for that too? Well, I only

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Jakub Hrozek via FreeIPA-users wrote: On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote: Louis Abel via FreeIPA-users wrote: > I should probably mention that IPA users have started working. But not my AD users. > > [root@rhn2 tmp]# ssh -l

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Rob Crittenden via FreeIPA-users wrote: John R. Shannon via FreeIPA-users wrote: Attached It is failing with "KerberosError: No valid Negotiate header in server response" What package version of freeipa-server do you have? This seems like

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Lachlan Musicman via FreeIPA-users wrote: On 20 September 2017 at 13:01, Lachlan Musicman wrote: https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858 On 20 September 2017 at 12:30, Fraser Tweedale wrote: Can you

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-20 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Lachlan Musicman wrote: Notice that many ports are only available as tcp6 listeners? Like 636 (LDAPS), 389 (LDAP), 80 (HTTP), 443 (HTTPS) and so on? This is an effect of using v6 API that supports v4-mapped-on-v6 addresses. It makes the code less complex and handles with the

[Freeipa-users] Re: Unable to add AD group to new install

2017-09-20 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Bobby Jones via FreeIPA-users wrote: Hi: I am trying to finish my integration of FreeIPA with Active Directory, but when I try to add my group information it fails. # ipa group-add-member ad_admins_external --external 'AD/Domain Admins' member group: AD\Domain Admins:

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Alexander Bokovoy via FreeIPA-users
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: Hi Mark, Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8

[Freeipa-users] Re: Route53 private dns zone, _srv_ lookup issue for failover

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Wanderley Teixeira via FreeIPA-users wrote: I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution. - I run a private DNS zone on AWS, called "int.example.com" (with ptr and srv, etc) - I have 3

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Louis Abel via FreeIPA-users wrote: Jakub, you might be onto something. Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.a...@ad.example.com Sep 14 18:11:08

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 syys 2017, Ronald Wimmer wrote: On 2017-09-19 11:53, Alexander Bokovoy wrote: [...] Please spend some time reading the documentation. It is vast and has a lot of answers to questions people keep asking on these lists. I've already spent some time reading the documentation. Since

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 syys 2017, Ronald Wimmer wrote: Adding "-r" leads to this error message: ipa-getkeytab -r -k /etc/httpd.keytab -p HTTP/mwoc.linux.mydomain...@linux.mydomain.at Failed to parse result: Insufficient access rights Failed to get keytab The ipa user is admin which should have all

[Freeipa-users] Re: kdc.crt absent after upgrade from 4.4 to 4.5 (Scientific linux 7)

2017-09-21 Thread Alexander Bokovoy via FreeIPA-users
On to, 21 syys 2017, Niels Walet via FreeIPA-users wrote: My kdc.crt has disappeared after a large number of problems with an upgrade from 7.3 to 7.4 on my SL7 box (roughly equivalent to Centos). It is a vanilla installation with self-signed certificates. I am aware of the permission errors in

[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Alexander Bokovoy via FreeIPA-users
On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote: Thanks for the replies! I do have the krb5-pkinit package installed. ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem. $ ipa pkinit-status --server=SERVER_NAME says PKINIT

[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Alexander Bokovoy via FreeIPA-users
On pe, 06 loka 2017, Marius Bjørnstad wrote: Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time. strace showed me that kinit gets the IP address from

[Freeipa-users] Re: unexpected upgrade to 4.5

2017-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ma, 16 loka 2017, Charles Hedrick via FreeIPA-users wrote: I just installed a new replica on Centos 7.3. Our existing servers are also on Centos 7.3, and use IPA 4.4, which comes with Centos 7.3. I was somewhat surprised to find that my new replica was IPA 4.5 with a newer version of sssd as

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Alexander Bokovoy via FreeIPA-users wrote: On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in t

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, it was all done in one yum upgrade session. I just grepped the output for ipa and krb and didn't bother to put them back in the correct order. If I run ipa-server-upgrade directly I get the following output which leads to

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Alexander Bokovoy via FreeIPA-users
On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote: Hey, This week I tried to install Samba (which failed because of Ubuntu, but that's another story). One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal on my IPA master server. But now it keeps switching

[Freeipa-users] Re: ERROR: CIFS server communication error: Memory allocation error (both may be "None") upon establishing trust

2017-09-08 Thread Alexander Bokovoy via FreeIPA-users
On pe, 08 syys 2017, Bart J via FreeIPA-users wrote: I invoked this command with --external=true, but result is the same: ipa trust-add --type=ad my.domain.com --admin adminaccount --password --external=true Active Directory domain administrator's password: ipa: ERROR: CIFS server

[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Alexander Bokovoy via FreeIPA-users
On ti, 12 syys 2017, Igor Sever via FreeIPA-users wrote: Unfortunately, I cannot upgrade systems and packages as I want because of legacy applications. Is there information somewhere on how I would approach configuring SSSD to use FreeIPA as Kerberos and LDAP provider and for policies to work? I

[Freeipa-users] Re: Find IPA user or computer account from windows

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users
On ti, 05 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Is it possible to find an IPA user or computer account from a windows (AD) machine [trust between ipa and ad domain is set up]? If I try that, all I get is a message that no object can be found. Not supported yet. -- / Alexander

[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users
On ke, 06 syys 2017, Bart J via FreeIPA-users wrote: Thank you. I checked in my test environment and setting trust with administrative credentials works. I got mixed results for Windows 2012 and Windows 2008 R2 because I previously had set up trust using administrative credentials for Windows

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-25 Thread Alexander Bokovoy via FreeIPA-users
On pe, 22 syys 2017, John R. Shannon via FreeIPA-users wrote: I upgraded to 4.6.1 today. The same problem persists. 1. Can you show /etc/pki/ca-trust/source/ipa.p11-kit? 2. Can you show /var/log/ipaupgrade.log? On 09/15/17 13:17, John R. Shannon wrote: Attached On 09/15/17 12:58,

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users
On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote: On 2017-09-28 11:37, Alexander Bokovoy wrote: You need to define HBAC rules that target system-auth PAM service on this host then. But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users
On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Hi, I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0...@mywindows.domain.at but there is no corresponding

[Freeipa-users] Re: FreeIPA vault with ActiveDirectory user

2017-08-24 Thread Alexander Bokovoy via FreeIPA-users
On to, 24 elo 2017, Felipe Barreto Volpone via FreeIPA-users wrote: Hi Bjoern, AFAIK it should be possible to an AD user use FreeIPA vault, once you have setup trust. No, it is not. To get access to a vault you need to have access rights in LDAP for that. We do not have that yet for AD users

[Freeipa-users] Re: AD trust and ACL on OUs

2017-08-26 Thread Alexander Bokovoy via FreeIPA-users
On la, 26 elo 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote: Hi list, I have an issue with an AD one-way trust to IPA, where the AD is configured with a very specific set of ACLs on the various OUs where the user accounts live. Authenticated Users cannot search for all users in the AD LDAP

[Freeipa-users] Re: Unable to create an Active Directory Trust

2017-09-01 Thread Alexander Bokovoy via FreeIPA-users
On pe, 01 syys 2017, PAESSENS Daniel (BCS/PSD) wrote: I've checked on the windows part. And nothing is mentioned over there. Even with adsiedit I can't find any trace of it. Active Directory verifies three important types of conflicts when establishing a trust between any domains (including a

[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 22 elo 2017, bogusmaster--- via FreeIPA-users wrote: Hi All, I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key. This is currently not working due to chicken/egg problem: in order to turn trust into an active one, you need to validate it. We do not

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 28 elo 2017, Eddleman, David via FreeIPA-users wrote: So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells. Verify the ID override on the master: [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Alexander Bokovoy via FreeIPA-users
On ti, 29 elo 2017, Sumit Bose via FreeIPA-users wrote: On Tue, Aug 29, 2017 at 05:00:06PM +0300, Alexander Bokovoy via FreeIPA-users wrote: On ma, 28 elo 2017, Eddleman, David via FreeIPA-users wrote: > So I've created an ID override on the IPA master called "TestShellView"

[Freeipa-users] Re: ipa-cacert-manage vs NIS support

2017-10-22 Thread Alexander Bokovoy via FreeIPA-users
On su, 22 loka 2017, Harald Dunkel wrote: On Fri, 20 Oct 2017 20:42:25 +0300 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On pe, 20 loka 2017, Harald Dunkel via FreeIPA-users wrote: >Hi folks, > >I had to replace the CA chain about 3 months

[Freeipa-users] Re: FreeIPA, Yubikeys, and OpenVPN

2017-10-18 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote: Hello all! In the process of changing to a FreeIPA based authentication system for a part of our network. FreeIPA is set up, working beautifully for most things already. Right now, we're trying to convert our old jump hosts from

[Freeipa-users] Re: Guidance on setting up locked down role for a local IPA user who can only do "ipa hbactest ... " command?

2017-10-19 Thread Alexander Bokovoy via FreeIPA-users
On to, 19 loka 2017, Chris Dagdigian via FreeIPA-users wrote: Hi folks, We have an absurdly complex multi-domain/multi-child AD forest tied together on AWS via FreeIPA. I'm spending a lot of time debugging login issues and the "ipa hbactest" command is fantastic at "proving" out if

[Freeipa-users] Re: ipa-getkeytab: PrincipalName not found

2017-11-12 Thread Alexander Bokovoy via FreeIPA-users
On ma, 13 marras 2017, Harald Dunkel wrote: Hi Alex, On Fri, 10 Nov 2017 16:59:07 +0200 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote: > >ipa-getkeytab failed with > >Fail

[Freeipa-users] Re: FreeIPA wiki: troubleshooting

2017-11-13 Thread Alexander Bokovoy via FreeIPA-users
On ma, 13 marras 2017, Florence Blanc-Renaud via FreeIPA-users wrote: Hi all, FreeIPA wiki contains a really long page for Troubleshooting [1], and I would like to re-organize the content a little bit differently. My proposal would be to keep this page as the main access point and only

[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-13 Thread Alexander Bokovoy via FreeIPA-users
On ma, 13 marras 2017, barry...@gmail.com wrote: Finally I found which location is wrong. It is in the JS "comDate". If I rename it to "comdate" in small letters it can be saved and displayed. I claim on ldap customPerson is using this "comDate", so I was misled that I should use the same in JS and

[Freeipa-users] Re: restrict parallel ssh logins on different freeipa systems

2017-11-27 Thread Alexander Bokovoy via FreeIPA-users
On ma, 27 marras 2017, Michael Frank via FreeIPA-users wrote: Hi, we run freeipa based on red hat 7.3. Is it possible to determine if a certain user (idm user who can become root via sudo) is logged in on multiple idm machines and restrict the user so that only *one* login on a single server at

[Freeipa-users] Re: Slow FreeIPA UI

2017-11-24 Thread Alexander Bokovoy via FreeIPA-users
On pe, 24 marras 2017, Maciej Drobniuch via FreeIPA-users wrote: Hi All, One of my IPA UI is working very slow. I can observe the issue after moving the VM server onto another host. The machine itself is not overloaded and the number of CPU cores and RAM memory went up. Other IPA UI on other

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-24 Thread Alexander Bokovoy via FreeIPA-users
On pe, 24 marras 2017, Sumit Bose via FreeIPA-users wrote: On Fri, Nov 24, 2017 at 04:57:01PM +1300, Aaron Hicks via FreeIPA-users wrote: Hello the list, It's here: https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395 SSSD is not doing its job properly when a user

[Freeipa-users] Re: FreeIPA-users Digest, Vol 7, Issue 22

2017-11-22 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 22 Nov 2017, Николай Савельев via FreeIPA-users wrote: I think the better reference in the documentation is https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-legacy If there is a trust to an AD forest and

[Freeipa-users] Re: Update of compat tree after change of AD user attributes

2017-11-30 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 30 Nov 2017, Lenhardt, Matthias via FreeIPA-users wrote: Hi, any recommendations on how to best update the compat tree after changes of AD user attributes? We use IPA 4.5 with AD trust. After modification of an AD user attribute, e.g. loginShell, the compat tree doesn't get updated

[Freeipa-users] Re: X509v3 Subject Alternative Name in IPA master Webserver certificate

2017-11-30 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote: Dear list, one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki and a DAViCal instance besides IPA. DNS is external (not managed by IPA) and I asked the DNS admin to create CNAMEs wiki.example.com and cal.example.com

[Freeipa-users] Re: Update of compat tree after change of AD user attributes

2017-12-01 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 01 Dec 2017, Lenhardt, Matthias wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Thursday, 30 November 2017 17:40 To: FreeIPA users list Cc: Lenhardt, Matthias

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 19 Dec 2017, Ronald Wimmer via FreeIPA-users wrote: On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote: [...] I think the best practice is to restrict the commands the users can run to a bare minimum. Letting them only through sudo (as opposed to sudo su) has the advantage that

[Freeipa-users] Re: IPA & AD Domain Layout

2017-11-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Nov 2017, Justin Smith via FreeIPA-users wrote: I was tasked with setting up FreeIPA & Active Directory and connecting them with a trust relationship. On FreeIPA 4.5, I created ipa.companydomain.com, set up an internal DNS zone for companydomain.com (which my company has used for

[Freeipa-users] Re: how to enable "kinit -n"

2017-11-10 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 10 Nov 2017, Charles Hedrick via FreeIPA-users wrote: OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit. * concatenate /var/kerberos/krb5kdc/kdc.crt from all

[Freeipa-users] Re: FOSDEM

2017-11-13 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 13 Nov 2017, Thomas Woerner via FreeIPA-users wrote: Hello Alexander, is the dev room for IPA on FOSDEM still open to submit new proposals? Yes, it is! To anyone: at FOSDEM 2018 we will have an Identity and Access Management devroom this time. CfP for the talks/reports/workshops is

[Freeipa-users] Re: Got RBAC controls for individual AD users sorted; now to allow login based on AD group membership ?

2017-11-14 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 14 Nov 2017, Chris Dagdigian via FreeIPA-users wrote: Hi folks, Have an AWS footprint that thanks to FreeIPA can talk to a really complex remote AD forest with lots of transitive trusts and child domains. Would not be possible without FreeIPA in the mix. So far we've only really

[Freeipa-users] Re: freeipa trust issues

2017-11-14 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 14 Nov 2017, Zach Bayne wrote: trust add completes and logs attached. appreciate the help Zach, I'd suggest you re-establish trust again, to re-generate cross-forest trust object passwords which you made public by posting a link to logs to the list. Anyway, the trust itself seems to

[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-15 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 15 Nov 2017, barry...@gmail.com wrote: So I have one more question: if I have several custom attributes, should I open several new folders in different /usr/share/ipa/ui/js/plugins/ ? Can it be written in a single file? thx It is up to you. I'd do it in a single one and would try to

[Freeipa-users] Re: AD trust and external services

2017-11-15 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 15 Nov 2017, Николай Савельев wrote: Can I get AD users from IPA via LDAP? Yes, you sort of can. Learn about 'legacy clients support' in Windows Integration Guide. However, it will not help you with Owncloud / Zimbra / etc. because most of those applications expect to have mail

[Freeipa-users] Re: Make custom attribute fail in UI and SAVE Button

2017-11-15 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 15 Nov 2017, barrykfl--- via FreeIPA-users wrote: Can anyone explain the following LDAP RFC? I am confused how come I must use this ... can I randomly generate some number .. 2.25.28639311321113238241701611583088740684.14.2.1 < it used custom person class so if related to it I should

[Freeipa-users] Re: AD trust and external services

2017-11-15 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 15 Nov 2017, Николай Савельев via FreeIPA-users wrote: Hello. I installed AD trust. It works normally. I set up Owncloud by these docs http://www.freeipa.org/page/Owncloud_Authentication_against_FreeIPA But I don't understand how to get all users from FreeIPA and AD for Owncloud. By

[Freeipa-users] Re: freeipa trust issues

2017-11-13 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 13 Nov 2017, Zach Bayne via FreeIPA-users wrote: I have Active Directory as dc1.ad.domainname and dc2.ad.domainname. I also have FreeIPA at ipa1.ipa.domainname and ipa2.ipa.domainname; both of them seem to work fine independently. I then created a trust and set smb min and max to 2. from

[Freeipa-users] Re: ipa-getkeytab: PrincipalName not found

2017-11-10 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 10 Nov 2017, Harald Dunkel via FreeIPA-users wrote: Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : #

[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 01 Nov 2017, Abraham Cabrera via FreeIPA-users wrote: Apologies, here is my script [root@dns01 ~]# cat setup.ipa.sh #!/bin/sh set -x HOSTNAME=dns01 DOMAIN_NAME=int.mrmcmuffinz.com HOST_FQDN="${HOSTNAME}.${DOMAIN_NAME}" REALM_NAME=INT.MRMCMUFFINZ.com # Directory Manager password

[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 01 Nov 2017, abe wrote: This is because I have installed and uninstalled the ipa server multiple times after refining the cli options. What exactly do you want or need to know? Can you show what's wrong with your ipa-server-install run? In particular, if it fails to install on RPI2,

[Freeipa-users] Re: kinit -n

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 01 Nov 2017, Charles Hedrick via FreeIPA-users wrote: I understood that kinit -n is supposed to work with IPA 4.5. I have a server upgraded from 4.4 to 4.5. kinit -n prompts for a password. What needs to be true on client and server for this to work? What needs to be done depends on

[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 01 Nov 2017, Abraham Cabrera via FreeIPA-users wrote: As the title implies I've been trying to set up FreeIPA on an RPI2 with the CentOS 7 ARM image for the past few days and no luck. I would like to note this is just for home lab and testing purposes. That being said I can provide logs on

[Freeipa-users] Re: RPI2 FreeIPA Installation on Centos 7 not working

2017-11-01 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 01 Nov 2017, abe via FreeIPA-users wrote: I did, did you read all the pastebins? It's in my original post. You provided ipaclient-install.log, not ipaserver-install.log. And I commented on that state already. Seems we are going in a loop here. -- / Alexander Bokovoy