[Freeipa-users] Re: AD trust setup woes

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Igor Sever via FreeIPA-users wrote: I didn’t specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can’t remember that ever been mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Petr Fišer via FreeIPA-users wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in the custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On to, 03 elo 2017, Kristian Petersen via FreeIPA-users wrote: The customizations are in separate files and are still there, but seem to be getting ignored for lack of a better description. You'd need to describe more and in more detail. Look at https://github.com/abbra/freeipa-desktop-profile/

[Freeipa-users] Re: Replication health check

2017-08-16 Thread Alexander Bokovoy via FreeIPA-users
On ke, 16 elo 2017, Anthony Clark via FreeIPA-users wrote: Hello All, I was wondering if anyone has written a health check script for FreeIPA? How do you all check replication (and IPA server health)? https://github.com/peterpakos/ipa_check_consistency/ -- / Alexander Bokovoy

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-14 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks wrote: It is example.com and ad.example.com, but all DNS is handled by an external server so I assumed neither was a subdomain. I don't understand DNS much and it seems to work just fine with Fedora 25 ipa clients and ad users. Which DNS server handles DNS zones

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-15 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks via FreeIPA-users wrote: So we just got lucky with the fedora 25 systems? If we move the Linux system to host.ipa.example.com and leave the Windows stuff as ad.example.com we should be fine? Yes, as long as AD is not a sub-domain of IPA in terms of AD domain +

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-15 Thread Alexander Bokovoy via FreeIPA-users
ipa-users@lists.fedorahosted.org> wrote: > On 12 Aug 2017, at 20:14, Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > To close this thread, I helped Alexandre on the IRC. The basic issue is > that one needs to plan domain space carefull

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Sameer Gurung via FreeIPA-users wrote: Hi All, I have a network consisting of both windows and linux clients running windows server 2008 (active directory) and centos 7 (freeipa). Obviously, the windows clients authenticate against the *AD DC* *(domain windows.foo)* and the

[Freeipa-users] Re: Unable to access web-ui after FreeIPA 4.4 to 4.5 upgrade.

2017-08-11 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Troels Hansen via FreeIPA-users wrote: Hi, we just upgraded one of our FreeIPA 4.4 to FreeIPA 4.5 (running on RHEL) and wanted to put this here before creating a bug report with RedHat. After upgrading we are unable to log into web-ui but everything else seems to be

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On ke, 09 elo 2017, Jakub Hrozek via FreeIPA-users wrote: On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: If your hosts are in the IPA subdomain, then I would have expected centos.ipa.ad.com The centos client has a hostname set to

[Freeipa-users] Re: FreeIPA client offline with sudo

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On to, 10 elo 2017, Matthew Carter via FreeIPA-users wrote: The clients machines on my network from time to time get brought to another network and plugged in to test programs that are being developed. In the past this hasn't been an issue as it's usually a short stay and thus the kerberos key

[Freeipa-users] Re: remove ipa-dns-server ?

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On ti, 08 elo 2017, Günther J. Niederwimmer via FreeIPA-users wrote: Hello, CentOS 7.3 what is the best way to remove an installed ipa-dns-server? I can't find any helpful docs for this; I only found docs for installing the server. No, we don't have any particular means to uninstall

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Alexander Bokovoy via FreeIPA-users
On la, 12 elo 2017, Harald Dunkel via FreeIPA-users wrote: Hi Fraser, On Fri, 11 Aug 2017 18:48:29 +1000 Fraser Tweedale via FreeIPA-users wrote: On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users wrote: > >

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-14 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks via FreeIPA-users wrote: I'm having trouble logging in via the gui console to an Ubuntu 16 Desktop host that is affiliated with a FreeIPA server, which in turn is affiliated with an Active Directory server. When I try to log in with debugging turned up on the

[Freeipa-users] Re: Ubuntu 16 Desktop trouble with AD credentials

2017-08-14 Thread Alexander Bokovoy via FreeIPA-users
On ma, 14 elo 2017, Steve Weeks wrote: No, the IPA and AD domains are separate, but do have a cross-trust. We are running IPA 4.4. This all works fine on Fedora 25 systems. Can you be more specific? In your logs below you choose ad.example.com and example.com. This is known to not work. If

[Freeipa-users] Re: IPA <-> Samba AD trust issue

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On ma, 07 elo 2017, Yuri Moens via FreeIPA-users wrote: The previous error_log I attached was already created with log level = 100. I've tried to run the command again and attached the log file again but it seems to be pretty much the same. I see in the logs that it fails at the verification

[Freeipa-users] Re: Understanding an AD Trust

2017-07-11 Thread Alexander Bokovoy via FreeIPA-users
On ti, 11 heinä 2017, erricg--- via FreeIPA-users wrote: We're planning an IdM implementation where we have several data centers over a large geographic location. We're following the Red Hat guide:

[Freeipa-users] Re: IPA to AD trust 4625 NULL SID logon failures

2017-07-11 Thread Alexander Bokovoy via FreeIPA-users
On ti, 11 heinä 2017, Andy Thompson via FreeIPA-users wrote: We are troubleshooting an account lockout issue and came across the error below in the windows DC event logs while investigating. They are appearing in two of our environments, the third is quiet. These are logged several times a

[Freeipa-users] Re: IPA for public/private krb (kadmin) - no corresponding DNS A/AAAA record

2017-07-11 Thread Alexander Bokovoy via FreeIPA-users
On ti, 11 heinä 2017, Pieter Baele via FreeIPA-users wrote: Hi, Is there a correct way to setup a public/private design using IPA for Kerberos? I am currently implementing Kerberos for our Hadoop cluster. For communication between nodes, I use RFC 1918 addresses This works properly, but adds a

[Freeipa-users] Re: IPA to AD trust 4625 NULL SID logon failures

2017-07-13 Thread Alexander Bokovoy via FreeIPA-users
On to, 13 heinä 2017, Andy Thompson via FreeIPA-users wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Wednesday, July 12, 2017 1:45 AM To: FreeIPA users list Cc: Andy Thompson Subject:

[Freeipa-users] Re: FreeIPA and AD Trust - macOS cannot see AD trust users

2017-07-10 Thread Alexander Bokovoy via FreeIPA-users
On su, 09 heinä 2017, Louis Abel via FreeIPA-users wrote: Hello! I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory (ad.angelsofclockwork.net) and put them into a two way trust with posix. I used these commands: ipa-adtrust-install --enable-compat --add-agents ipa trust-add

[Freeipa-users] Re: Authenticating users with a different UPN suffix in an AD trust configuration

2017-07-06 Thread Alexander Bokovoy via FreeIPA-users
On to, 06 heinä 2017, Robert Sturrock wrote: Hi Alexander, On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy wrote: Can you show 'ipa trust-show staff.localdomain'? It should have list of additional name suffixes we derive from the AD forest trust. After releasing 4.4.x we

[Freeipa-users] Re: FreeIPA Multitenancy

2017-07-06 Thread Alexander Bokovoy via FreeIPA-users
Hi Winfried, On to, 06 heinä 2017, Winfried de Heiden via FreeIPA-users wrote: Hi all, There's a nice little article on http://www.freeipa.org/page/V3/Multitenancy: Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learning any

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-04 Thread Alexander Bokovoy via FreeIPA-users
On pe, 04 elo 2017, Kristian Petersen via FreeIPA-users wrote: Alexander, That was it! I had seen this before at a previous place of employment, but couldn't recall enough of what we'd done there to fix it. You're a lifesaver, really. Thank you very much to *everyone* who chimed in to lend a

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Alexander Bokovoy via FreeIPA-users
On ke, 02 elo 2017, Igor Sever via FreeIPA-users wrote: There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I...

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-04 Thread Alexander Bokovoy via FreeIPA-users
On pe, 04 elo 2017, Kristian Petersen wrote: If it helps, the python file where we customized things is included below: # Place in /usr/lib/python2.7/site-packages/ipalib/plugins/ Ok, this is location for pre-4.5 plugins. With FreeIPA 4.5 we split them into ipaserver/plugins and

[Freeipa-users] Re: IPA <-> Samba AD trust issue

2017-08-04 Thread Alexander Bokovoy via FreeIPA-users
On pe, 04 elo 2017, Yuri Moens via FreeIPA-users wrote: Hi I'm currently trying to set up a trust between IPA and Samba AD but I keep running into some issues. IPA is running on CentOS 7 VERSION: 4.4.0, API_VERSION: 2.213 ipa01.cloud.ymo.lab, Netbios CLOUD, domain cloud.ymo.lab Samba is

[Freeipa-users] Re: Samba update can't read NT Hash

2017-08-22 Thread Alexander Bokovoy via FreeIPA-users
On to, 17 elo 2017, Alexander Bokovoy via FreeIPA-users wrote: - Original Message - Yesterday we updated our fileserver to bring it up to the newest kernel. At the same time it update the ipa-client and samba. After the update was finished our ability to access the shared resources

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: Hi Fraser, Thanks for the tips. I did put SELinux in permissive mode and of course I have restarted IPA after that to make sure the new setting is picked up by IPA. All certs including the CA were sanitized and they are correct with the trust

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: Your assumption is correct, Alexander, I did accept the server cert, otherwise the browser won't open the login page at all. Besides, that log was there even before, when it was working... before the update. Re gssproxy, all my attempts

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: Well, I posted the httpd error.log in the very beginning; that is how I started the conversation. It did not have enough details I was looking for. Now it does but you didn't provide corresponding non-abbreviated gssproxy logs, sorry.

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur via FreeIPA-users wrote: I have reproduced what you requested below. Each line where you see Client connected is my attempt to login via web UI. As you can see there are no issues, at least from what I read/see. Just to repeat what I said at the beginning of my

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Stefan Uygur wrote: Yeah sorry, the debug logs were not included originally. Re to RPMs, I have removed all dupes, they were many. All is clean now and the system is up to date. Attached is the ipa.conf file. Alias for /session/cookie is missing in it. You can see a

[Freeipa-users] Re: web UI - login failed after updates on server

2017-08-18 Thread Alexander Bokovoy via FreeIPA-users
On pe, 18 elo 2017, Alexander Bokovoy via FreeIPA-users wrote: On pe, 18 elo 2017, Stefan Uygur wrote: Yeah sorry, the debug logs were not included originally. Re to RPMs, I have removed all dupes, they were many. All is clean now and the system is up to date. Attached is the ipa.conf file

[Freeipa-users] Re: Samba update can't read NT Hash

2017-08-17 Thread Alexander Bokovoy via FreeIPA-users
- Original Message - > > > Yesterday we updated our fileserver to bring it up to the newest kernel. At > the same time it update the ipa-client and samba. After the update was > finished our ability to access the shared resources on the fileserver > disappeared. After some very careful

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
ly related to the technology of the trust. BTW, I reproduced the original issue in a lab at the interop here at Microsoft HQ and I'm going to talk to Microsoft guys to find out what is happening there in reality. Rob Johnson On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
On ti, 20 kesä 2017, Tiemen Ruiten via FreeIPA-users wrote: Please see the attached screenshot for the Trust settings, and thank you for your time. Thanks. I'm not sure why that is happening even for the immediate forest root domain that i.rdmedia.com is. I'll check with Microsoft doc help team

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
On ke, 21 kesä 2017, Alexander Bokovoy via FreeIPA-users wrote: On ke, 21 kesä 2017, Robert Johnson via FreeIPA-users wrote: For what its worth, I dug through my emails with Red Hat tech support and this is what we got back from the Identity Management support team: --- I did some

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
is equivalent of krb5.conf's [domain_realm] section and is not really related to the technology of the trust. BTW, I reproduced the original issue in a lab at the interop here at Microsoft HQ and I'm going to talk to Microsoft guys to find out what is happening there in reality. Rob Johnson On

[Freeipa-users] Re: Freeipa and Google Cloud Directory Sync (GCDS) password sync failing

2017-06-22 Thread Alexander Bokovoy via FreeIPA-users
On to, 22 kesä 2017, Janet Houser via FreeIPA-users wrote: Hi Folks, We are trying to use G Suite's GCDS to sync users and passwords from our Freeipa server running on a CentOS server. The sync appears *mostly* working and when the sync is executed, it registers that a user has changed

[Freeipa-users] Re: LDAP + Nextcloud -> retrieve Mailfield

2017-06-22 Thread Alexander Bokovoy via FreeIPA-users
On to, 22 kesä 2017, Rob Crittenden via FreeIPA-users wrote: Jens Laufer via FreeIPA-users wrote: Hello, I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It seems to work nearly perfectly now; the only thing I can't get to work is to pull the mail from FreeIPA and add it to

[Freeipa-users] Re: Chrome 58 - CN for IPA management console to include SANs

2017-05-23 Thread Alexander Bokovoy via FreeIPA-users
On ti, 23 touko 2017, Prasun Gera via FreeIPA-users wrote: I posted this in the earlier thread, but didn't get a response. I was able to fix this on the master, but "getcert list -d /etc/httpd/alias -n "Server-Cert" on the replica doesn't return anything. Are the replica's SSL certs handled

[Freeipa-users] Re: 4.5.0+ Rhel 7 support

2017-05-24 Thread Alexander Bokovoy via FreeIPA-users
On ke, 24 touko 2017, Troels Hansen via FreeIPA-users wrote: - On May 23, 2017, at 10:09 PM, Arpit Tolani via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: Hello A bugzilla for the same is already open https://bugzilla.redhat.com/show_bug.cgi?id=1392858 From the current

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Alexander Bokovoy via FreeIPA-users
On la, 27 touko 2017, Ivars Strazdiņš via FreeIPA-users wrote: Hi there, our IPA servers' https port is exposed to internet. I wanted to restrict access to Web UI by requesting a user certificate issued by IPA and enabling Apache setting "NSSVerifyClient require" (or "optional") in

[Freeipa-users] Re: Establish Kerberos trust to non AD server running MIT Kerberos

2017-05-31 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Andrey Ptashnik via FreeIPA-users wrote: Alexander, Thank you for those documents! The term “experimental” scared me away a little, however I’ll give it a try, since we have a journey for the best, read future-proof, option. "Scared" sounds interesting given that you were

[Freeipa-users] Re: IPA and CM?

2017-06-02 Thread Alexander Bokovoy via FreeIPA-users
On pe, 02 kesä 2017, Simo Sorce via FreeIPA-users wrote: On Fri, 2017-06-02 at 10:10 -0500, Kat wrote: Hi Simo, I understand the mechanics of the error, however, when you are trying to configure Cloudera Manager with IPA, the configuration/setup process fails with the error (and it shows in

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Alexander Bokovoy via FreeIPA-users
On ti, 13 kesä 2017, Rob Crittenden wrote: Alexander Bokovoy via FreeIPA-users wrote: On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote: Hi folks, Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts. Though

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Alexander Bokovoy via FreeIPA-users
On ti, 13 kesä 2017, Rob Crittenden via FreeIPA-users wrote: Alexander Bokovoy wrote: On ti, 13 kesä 2017, Rob Crittenden wrote: Alexander Bokovoy via FreeIPA-users wrote: On ti, 13 kesä 2017, Chris Dagdigian via FreeIPA-users wrote: Hi folks, Fixing a topology and replication issue caused

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Alexander Bokovoy via FreeIPA-users
On ti, 13 kesä 2017, Rob Crittenden via FreeIPA-users wrote: Chris Dagdigian via FreeIPA-users wrote: Hi folks, Fixing a topology and replication issue caused my IDM infrastructure to forget about roughly 30 enrolled client hosts. Though this would be trivial to fix via an ansible playbook

[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-09 Thread Alexander Bokovoy via FreeIPA-users
On pe, 09 kesä 2017, Rob Crittenden via FreeIPA-users wrote: Jose and I exchanged some files privately and I think I've narrowed down the enrollment problem to failing to get a keytab due to the error: Failed to retrieve encryption type DES cbc mode with CRC-32 (#1) This is because newer IPA

[Freeipa-users] Re: Compat tree question

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: Red Hat Enterprise Linux Server release 7.3 ipa-server-4.4.0-14.el7_3.4.x86_64 389-ds-base-1.3.5.10-15.el7_3.x86_64 sssd-1.14.0-43.el7_3.11.x86_64 When looking at entries in the "cn=groups,cn=compat" tree, I noticed that the entries

[Freeipa-users] Re: Establish Kerberos trust to non AD server running MIT Kerberos

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Andrey Ptashnik via FreeIPA-users wrote: Team, What will be correct procedure to establish kerberos trust to non Active Directory server running MIT Kerberos. This is something we do not officially support, but see https://bugzilla.redhat.com/show_bug.cgi?id=1035494#c16

[Freeipa-users] Re: Compat tree question

2017-05-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: Is there an option in SSSD or the plugin to turn off the normalization? No. But as I said, you are not supposed to use an all-capital FQDN. You need to use your user/group name as it is. id user@ad.realm kinit user@AD.REALM are two

[Freeipa-users] Re: Do keytabs expire?

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Hi, today I found out that some entries in a keytab file seemed to have expired: Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno 4 not found in keytab; keytab is likely out of date Fetching the keytab again

[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Gady Notrica via FreeIPA-users wrote: I am going to try now. Any workaround for people that don't want to have IPv6? On IPA servers? IPA masters must have the IPv6 stack enabled in the kernel. You may opt not to assign IP addresses to the interfaces but we do rely on

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Well this is interesting. The latest version of sudo is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The issue here is that this box is CentOS 6.4 and I can't fully update it to 6.9. But I can't simply update sudo by

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result. Care to explain that with some other policy? Even then, DOWNLOADING the RPM still will not install. Is there a policy for that too? Well, I only

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Rob Crittenden via FreeIPA-users wrote: Louis Abel via FreeIPA-users wrote: I should probably mention that IPA users have started working. But not my AD users. [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q Password: Last login: Thu Sep 14 07:57:55 2017

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Jakub Hrozek via FreeIPA-users wrote: On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote: Louis Abel via FreeIPA-users wrote: > I should probably mention that IPA users have started working. But not my AD users. > > [root@rhn2 tmp]# ssh -l

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Rob Crittenden via FreeIPA-users wrote: John R. Shannon via FreeIPA-users wrote: Attached It is failing with "KerberosError: No valid Negotiate header in server response" What package version of freeipa-server do you have? This seems like

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Lachlan Musicman via FreeIPA-users wrote: On 20 September 2017 at 13:01, Lachlan Musicman wrote: https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858 On 20 September 2017 at 12:30, Fraser Tweedale wrote: Can you

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-20 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Lachlan Musicman wrote: Notice that many ports are only available as tcp6 listeners? Like 636 (LDAPS), 389 (LDAP), 80 (HTTP), 443 (HTTPS) and so on? This is an effect of using v6 API that supports v4-mapped-on-v6 addresses. It makes the code less complex and handles with the

[Freeipa-users] Re: Unable to add AD group to new install

2017-09-20 Thread Alexander Bokovoy via FreeIPA-users
On ke, 20 syys 2017, Bobby Jones via FreeIPA-users wrote: Hi: I am trying to finish my integration of FreeIPA with Active Directory, but when I try to add my group information it fails. # ipa group-add-member ad_admins_external --external 'AD/Domain Admins' member group: AD\Domain Admins:

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Alexander Bokovoy via FreeIPA-users
On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: Hi Mark, Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8

[Freeipa-users] Re: Route53 private dns zone, _srv_ lookup issue for failover

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users
On pe, 15 syys 2017, Wanderley Teixeira via FreeIPA-users wrote: I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution. - I run a private DNS zone on AWS, called "int.example.com" (with ptr and srv, etc) - I have 3

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Alexander Bokovoy via FreeIPA-users
On to, 14 syys 2017, Louis Abel via FreeIPA-users wrote: Jakub, you might be onto something. Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= user=louis.a...@ad.example.com Sep 14 18:11:08

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 syys 2017, Ronald Wimmer wrote: Why does fetching a keytab influence its version number? If I have three servers in a load balancer service compound and do an ipa-getkeytab -k /etc/httpd.keytab -p HTTP/compoundservice.linux.mydomain...@linux.mydomain.at on each of the servers the

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 syys 2017, Ronald Wimmer wrote: On 2017-09-19 11:53, Alexander Bokovoy wrote: [...] Please spend some time reading the documentation. It is vast and has a lot of answers to questions people keep asking on these lists. I've already spent some time reading the documentation. Since

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Alexander Bokovoy via FreeIPA-users
On ti, 19 syys 2017, Ronald Wimmer wrote: Adding "-r" leads to this error message: ipa-getkeytab -r -k /etc/httpd.keytab -p HTTP/mwoc.linux.mydomain...@linux.mydomain.at Failed to parse result: Insufficient access rights Failed to get keytab The ipa user is admin which should have all

[Freeipa-users] Re: kdc.crt absent after upgrade from 4.4 to 4.5 (Scientific linux 7)

2017-09-21 Thread Alexander Bokovoy via FreeIPA-users
On to, 21 syys 2017, Niels Walet via FreeIPA-users wrote: My kdc.crt has disappeared after a large number of problems with an upgrade from 7.3 to 7.4 on my SL7 box (roughly equivalent to CentOS). It is a vanilla installation with self-signed certificates. I am aware of the permission errors in

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Alexander Bokovoy via FreeIPA-users
On to, 05 loka 2017, Mark Haney via FreeIPA-users wrote: I never said I didn't like it. Just that it's not that complicated to set up a playbook to do what you're doing. There is a context to Thomas' message, Mark. We are trying to create a set of playbooks that would be supported by FreeIPA

[Freeipa-users] Re: Web UI login fails after upgrading to 4.5

2017-10-05 Thread Alexander Bokovoy via FreeIPA-users
On to, 05 loka 2017, Jochen Hein via FreeIPA-users wrote: Marius Bjørnstad via FreeIPA-users writes: After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login failed due to an unknown reason" on the web UI, no matter if I use the admin user or

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Alexander Bokovoy via FreeIPA-users
On to, 05 loka 2017, Mark Haney wrote: I'm fine with that. Just that IPA's implementation is very much end-user specific. I really doubt you could abstract the playbook enough to make it viable for even a majority of users. That's why we want to make it possible to reference individual steps

[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Alexander Bokovoy via FreeIPA-users
On pe, 06 loka 2017, Marius Bjørnstad via FreeIPA-users wrote: Thanks for the replies! I do have the krb5-pkinit package installed. ipa-pkinit-manage status was disabled, but enabling it with ipa-pkinit-manage enable didn't fix the problem. $ ipa pkinit-status --server=SERVER_NAME says PKINIT

[Freeipa-users] Re: Valid Sender ? - Re: Re: Web UI login fails after upgrading to 4.5

2017-10-06 Thread Alexander Bokovoy via FreeIPA-users
On pe, 06 loka 2017, Marius Bjørnstad wrote: Wow that's well spotted! That IP is the 4.4 server (I just blindly assumed that it would use the value in krb5.conf, which is the 4.5 server). It goes to 248 every time. strace showed me that kinit gets the IP address from

[Freeipa-users] Re: unexpected upgrade to 4.5

2017-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ma, 16 loka 2017, Charles Hedrick via FreeIPA-users wrote: I just installed a new replica on Centos 7.3. Our existing servers are also on Centos 7.3, and use IPA 4.4, which comes with Centos 7.3. I was somewhat surprised to find that my new replica was IPA 4.5 with a newer version of sssd as

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Alexander Bokovoy via FreeIPA-users wrote: On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in t

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Alexander Bokovoy via FreeIPA-users
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: Hi, it was all done in one yum upgrade session. I just grepped the output for ipa and krb and didn't bother to put them back in the correct order. If I run ipa-server-upgrade directly I get the following output which leads to

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Alexander Bokovoy via FreeIPA-users
On to, 12 loka 2017, Kees Bakker wrote: On 12-10-17 14:11, Alexander Bokovoy wrote: On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> This week I tried to install Samba (which failed because of Ubuntu, but that's >> another story). >> >> One of the steps was to do

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Alexander Bokovoy via FreeIPA-users
On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote: Hey, This week I tried to install Samba (which failed because of Ubuntu, but that's another story). One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal on my IPA master server. But now it keeps switching

[Freeipa-users] Re: ERROR: CIFS server communication error: Memory allocation error (both may be "None") upon establishing trust

2017-09-08 Thread Alexander Bokovoy via FreeIPA-users
On pe, 08 syys 2017, Bart J via FreeIPA-users wrote: I invoked this command with --external=true, but the result is the same: ipa trust-add --type=ad my.domain.com --admin adminaccount --password --external=true Active Directory domain administrator's password: ipa: ERROR: CIFS server

[Freeipa-users] Re: ERROR: CIFS server communication error: Memory allocation error (both may be "None") upon establishing trust

2017-09-07 Thread Alexander Bokovoy via FreeIPA-users
On to, 07 syys 2017, Bart J via FreeIPA-users wrote: Hi all, I have been trying to set up one-way trust for quite a while. I thought I had everything sorted out, but when I tried to move from test environment to production, I received the error below upon trying to set up trust with ipa trust add:

[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Alexander Bokovoy via FreeIPA-users
On ti, 12 syys 2017, Igor Sever via FreeIPA-users wrote: Unfortunately, I cannot upgrade systems and packages as I want because of legacy applications. Is there information somewhere on how I would approach configuring SSSD to use FreeIPA as Kerberos and LDAP provider and for policies to work? I

[Freeipa-users] Re: Find IPA user or computer account from windows

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users
On ti, 05 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Is it possible to find an IPA user or computer account from a windows (AD) machine [trust between ipa and ad domain is set up]? If I try that, all I get is a message that no object can be found. Not supported yet. -- / Alexander

[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-09-06 Thread Alexander Bokovoy via FreeIPA-users
On ke, 06 syys 2017, Bart J via FreeIPA-users wrote: Thank you. I checked in my test environment and setting trust with administrative credentials works. I got mixed results for Windows 2012 and Windows 2008 R2 because I previously had set up trust using administrative credentials for Windows

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-25 Thread Alexander Bokovoy via FreeIPA-users
On pe, 22 syys 2017, John R. Shannon via FreeIPA-users wrote: I upgraded to 4.6.1 today. The same problem persists. 1. Can you show /etc/pki/ca-trust/source/ipa.p11-kit? 2. Can you show /var/log/ipaupgrade.log? On 09/15/17 13:17, John R. Shannon wrote: Attached On 09/15/17 12:58,

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users
On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote: On 2017-09-28 11:37, Alexander Bokovoy wrote: You need to define HBAC rules that target system-auth PAM service on this host then. But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this

[Freeipa-users] Re: dirsrv locks up when importing zone files with ldapadd

2017-09-29 Thread Alexander Bokovoy via FreeIPA-users
On pe, 29 syys 2017, Andy Stubbs via FreeIPA-users wrote: Hi We'd like to test FreeIPA in our environment, but I'm having a little bit of trouble importing DNS zone files. Running on fresh install of CentOS 7.4.1708 with FreeIPA 4.5.0-21.el7.centos.1.2 I install a vanilla IPA server from

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users
On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote: On 2017-09-28 10:19, Alexander Bokovoy via FreeIPA-users wrote: Don't use mod_authnz_ldap, it doesn't have any clue about real complexity like the above. A proper solution would be to use mod_authnz_pam and allow pam_sss to handle

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Alexander Bokovoy via FreeIPA-users
On to, 28 syys 2017, Ronald Wimmer via FreeIPA-users wrote: Hi, I was reading https://www.freeipa.org/page/Apache_Group_Based_Authorization but failed to implement that for AD users. The problem is that Kerberos authenticates myuser0...@mywindows.domain.at but there is no corresponding

[Freeipa-users] Re: FreeIPA vault with ActiveDirectory user

2017-08-24 Thread Alexander Bokovoy via FreeIPA-users
On to, 24 elo 2017, Felipe Barreto Volpone via FreeIPA-users wrote: Hi Bjoern, AFAIK it should be possible for an AD user to use FreeIPA vault, once you have set up trust. No, it is not. To get access to a vault you need to have access rights in LDAP for that. We do not have that yet for AD users

[Freeipa-users] Re: Centos/Redhat 7.4

2017-08-24 Thread Alexander Bokovoy via FreeIPA-users
On to, 24 elo 2017, Jakub Hrozek via FreeIPA-users wrote: On Thu, Aug 24, 2017 at 08:18:42AM -0600, Kristian Petersen via FreeIPA-users wrote: If you are using Samba with FreeIPA, you may want to wait to upgrade to 7.4. There is a bug in a library that comes with sssd that will break it for

[Freeipa-users] Re: AD trust and ACL on OUs

2017-08-26 Thread Alexander Bokovoy via FreeIPA-users
On la, 26 elo 2017, Sigbjorn Lie-Soland via FreeIPA-users wrote: Hi list, I have an issue with an AD one-way trust to IPA, where the AD is configured with a very specific set of ACL's on the various OUs where the user accounts live. Authenticated Users cannot search for all users in the AD LDAP

[Freeipa-users] Re: Unable to create an Active Directory Trust

2017-09-01 Thread Alexander Bokovoy via FreeIPA-users
On pe, 01 syys 2017, PAESSENS Daniel (BCS/PSD) wrote: I've checked on the windows part. And nothing is mentioned over there. Even with adsiedit I can't find any trace of it. Active Directory verifies three important types of conflicts when establishing a trust between any domains (including a

[Freeipa-users] Re: Unable to create an Active Directory Trust

2017-08-31 Thread Alexander Bokovoy via FreeIPA-users
On to, 31 elo 2017, PAESSENS Daniel (BCS/PSD) via FreeIPA-users wrote: Hello, When performing a trust between IPA & AD I get the following error: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None") For testing purpose did I

[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread Alexander Bokovoy via FreeIPA-users
On ti, 22 elo 2017, bogusmaster--- via FreeIPA-users wrote: Hi All, I am setting up a one-way trust from FreeIPA server to AD domain with a pre-shared key. This is currently not working due to chicken/egg problem: in order to turn trust into an active one, you need to validate it. We do not

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 28 elo 2017, Eddleman, David via FreeIPA-users wrote: So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells. Verify the ID override on the master: [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView

[Freeipa-users] Re: using external passwords

2017-08-31 Thread Alexander Bokovoy via FreeIPA-users
On to, 31 elo 2017, Charles Hedrick via FreeIPA-users wrote: We have a department that would like to use IPA, but would like users to use their University passwords. I conjecture that we can do that by generating users with random passwords, but setting the default authentication as RADIUS,

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Alexander Bokovoy via FreeIPA-users
On ti, 29 elo 2017, Sumit Bose via FreeIPA-users wrote: On Tue, Aug 29, 2017 at 05:00:06PM +0300, Alexander Bokovoy via FreeIPA-users wrote: On ma, 28 elo 2017, Eddleman, David via FreeIPA-users wrote: > So I've created an ID override on the IPA master called "TestShellView"