I’m following this because I’m having the same issue. Since the OpenVPN client
won’t prompt twice for the second factor, I know you have to do the whole
“password+otp” (without the +), but I keep getting “invalid password”.
> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users
Thanks for the reply.
> On Nov 8, 2018, at 12:46 PM, Robbie Harwood wrote:
> Kevin Vasko via FreeIPA-users
>> I followed these instructions to enable kerberos within my realm/domain.
>> My FreeIPA, NFS server and my NFS
I followed these instructions to enable kerberos within my realm/domain.
My FreeIPA, NFS server and my NFS client is CentOS 7.4
I’m completely stuck in that when I mount the NFS share I get
sudo mount -o sec=krb5p
Thanks Louis! Will be trying this as soon as I get in on Monday (no remote
access). If I wanted to validate my configuration how do I go about getting
this information out of my FreeIPA installation?
Since the EMC by default includes the schema I attached is it old/out of
date or is it for
Thanks much! I just tried this and sure enough everything came alive and
started working as soon as I changed the scheme to what Louis posted in his
The only other thing that I will note is that the Dell EMC seems to hard code
what is entered for the REALM as the SPN (Service
I’m trying to integrate the “NAS Server” on our Dell EMC Unity with our FreeIPA
server so we can secure our NFS shares. Our FreeIPA server is run of the mill
setup. We don’t have any special configuration.
The Dell EMC box’s NAS configuration settings are asking for the following.
Mainly looking for input on where to file a bug I think I found in
p11-kit-trust.so but potentially caused by the FreeIPA client install process
I have been trying to figure out a way of getting Ubuntu to load the system
wide certs like CentOS/Fedora does. Alexander helped me
I posted the bug report.
> On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy wrote:
> On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote:
>> Mainly looking for input on where to file a bug I
Well that’s the thing, I didn’t realize the service certificate was revoked as
I thought the entire point of validating the client cert was to validate the
entire “chain” with OCSP.
I’m using IPA’s internal cert system.
Yeah, I kept reissuing tickets when I was trying to get the post command
So, this is an interesting read, thanks for that.
But just an FYI to the OP, if you are using any Ubuntu 18.04 clients (I haven’t
tried it with Fedora/CentOS) there is an issue with not having local docker
groups on the system.
What ends up happening is on a boot, docker services try starting
So I feel we have a decent process for users on Linux (Ubuntu/CentOS)
to access NFS shares, however there is rumbling of people wanting to
use their Mac and Windows boxes to access the data shares.
The tricky part of this is we won't be able to enroll the Windows or
Mac systems into FreeIPA.
someone even saw this. Thanks for answering.
> On Oct 7, 2019, at 2:19 PM, François Cami wrote:
> On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users
>> Ok thanks! I just tried it and that seems to do it! Just using the
onfigure the domain on
>>> the server (as any of the domain strings you want) and then use the
>>> same domain on all clients), that should make them work.
>>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
ld make them work.
>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
>> If you use krb5 authentication you should have no issues, are you using
>> auth=sys instead ?
>>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-user
On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale wrote:
> On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> > Hello,
> > I’m wanting to make our https servers use a trusted certificate within our
> > LAN only. So for example if
I’m wanting to make our https servers use a trusted certificate within our LAN
only. So for example if I have websrv1.ny.example.com when a user uses a
machine that’s enrolled into our realm and they visit
https://websrv1.ny.example.com they shouldn’t be prompted to accept the self
en via FreeIPA-users wrote
> > Kevin Vasko via FreeIPA-users wrote:
> >> How would I validate that certs are getting added properly on a CentOS
> >> machine system wide store?
> >> I’m going to test it today to find out if this is a problem
So based off of this information I'm going to have to manually add the
root certificates to each Chrome and Firefox cert store on the client
machines, which is a bummer.
Sorry for the noise.
On Thu, Oct 10, 2019 at 8:40 AM Rob Crittenden wrote:
> Thanks for the details. I do not know about system trust on Ubuntu.
> It could be that ipa-client on Ubuntu does add the IPA CA to system
> trust, but the Firefox/Chrome packages ignore the system trust
> Hopefully someone more familiar with Ubuntu can
hat I find.
On Thu, Oct 10, 2019 at 9:17 AM Alexander Bokovoy wrote:
> On to, 10 loka 2019, Kevin Vasko via FreeIPA-users wrote:
> >I actually manually checked the system wide crt files on each
> >distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my
>ipa-install-client and it is performing correctly at this point adding
> >it to the cert store. Given that the exception that you mentioned,
> >that there is a difference in ipa-install-client adding it to the
> >NSS database on RHEL/Fedora/CentOS and not on the Ubuntu/Debia
> It is the first one that brings all the system-wide certificates into
>> NSS and other databases. For OpenSSL applications it can be brought in
>> via PKCS#11 engine support.
>>> So at this point I don't think anything is wrong with
>>> ipa-install-client and it is perf
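Alexander's reply above points at the OS-level trust store as the thing p11-kit feeds into NSS, and the earlier question was how to confirm the IPA CA actually landed in that store on a CentOS box. The script below is an added example written for this page, not code from the thread or from FreeIPA: it reads the CA that ipa-client-install drops in /etc/ipa/ca.crt, splits a system bundle into its PEM blocks, and compares SHA-256 fingerprints of the DER encodings (the same value `openssl x509 -fingerprint -sha256` prints). The bundle paths are the usual distribution defaults, assumed here rather than taken from the thread; the PEM samples at the bottom are constructed dummy bytes so the check runs offline.

```python
import base64
import hashlib
import re
import textwrap
from typing import List

# Assumed defaults: where ipa-client-install writes the IPA CA, and the
# system bundles the distributions maintain from their trust anchors.
IPA_CA_PATH = "/etc/ipa/ca.crt"
BUNDLE_PATHS = {
    "centos/rhel": "/etc/pki/tls/certs/ca-bundle.crt",
    "ubuntu/debian": "/etc/ssl/certs/ca-certificates.crt",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> List[bytes]:
    """DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True only if every certificate in ca_pem (the IPA CA chain) is present
    in bundle_pem.  An empty ca_pem is treated as a failed check, not a pass."""
    have = {fingerprint(d) for d in pem_blocks(bundle_pem)}
    want = [fingerprint(d) for d in pem_blocks(ca_pem)]
    return bool(want) and all(fp in have for fp in want)


def check_system_trust(ca_path: str = IPA_CA_PATH,
                       bundle_path: str = BUNDLE_PATHS["centos/rhel"]) -> bool:
    """Real-machine entry point: compare the on-disk IPA CA with the OS bundle."""
    with open(ca_path) as f, open(bundle_path) as b:
        return ca_in_bundle(f.read(), b.read())


def _pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (for the constructed samples)."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed samples: these are NOT real certificates, just bytes in PEM
# framing, enough to exercise the fingerprint comparison offline.
IPA_CA_PEM = _pem(b"constructed-ipa-ca-der-bytes")
BUNDLE_WITH_IPA_CA = _pem(b"some-public-root-A") + IPA_CA_PEM + _pem(b"some-public-root-B")
BUNDLE_WITHOUT_IPA_CA = _pem(b"some-public-root-A") + _pem(b"some-public-root-B")

if __name__ == "__main__":
    print("IPA CA fingerprint:", fingerprint(pem_blocks(IPA_CA_PEM)[0]))
    print("present in bundle :", ca_in_bundle(IPA_CA_PEM, BUNDLE_WITH_IPA_CA))
    print("missing from bundle:", ca_in_bundle(IPA_CA_PEM, BUNDLE_WITHOUT_IPA_CA))
```

On a real client, `check_system_trust()` with the right bundle path answers the OS-bundle half of the question; the NSS half (what Firefox and Chrome consult on Fedora/RHEL) is a separate store and has to be inspected with certutil against the application's own database rather than with this script.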
Have you made sure your “elham” user has the correct permissions to access the
machines? Take a look in the UI at the groups/permissions that user elham has.
Take a look at your HBAC rules as well. That would be my first recommendation
to check if it was me.
> On Oct 9, 2019, at 7:23
I’ve got FreeIPA setup where I have multiple domains for client machines
depending on their geography.
For example, ca.example.com, and ny.example.com.
I have a NFS server in nfs-server.ny.example.com and users mapping the NFS
server on their clients from ny.example.com and
So following these instructions I found out that the certs are NOT revoked.
The one thing I did find is that in Firefox if I uncheck "Query OCSP
responder servers to confirm the current validity of
I'm 100% positive I did nothing with this cert.
To validate, I spun up a brand new machine completely from scratch.
1. ran yum update
2. installed Gnome
3. installed ipa with my normal "sudo ipa-client-install
--domain=example.com --realm=EXAMPLE.COM --enable-dns-updates
Welp, I'm an idiot and you are completely 100% correct.
It was indeed revoked, but the http servers certificate was revoked
and not the client..which is where I was focusing 100% of my
debugging. Which clears up a LOT of things. I originally was loading
the ca.crt on an Ubuntu machine a few days
I’m interested in hearing others responses as well on this.
Is there anything in particular I would need to do to make sure I can get
things back into a “working” state?
> On Feb 24, 2020, at 12:10 PM, Andrew Meyer via FreeIPA-users
> I was trying to search the
I’m trying to understand when/how the different KVNO versions in a file should
or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what
it will accept for a keytab file with different KVNO versions. I’m not sure if
I’m misunderstanding something, or there’s a bug
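To make the KVNO question concrete, here is an added example written for this page (not code from the thread, from FreeIPA, or from Dell EMC). It builds and parses an MIT-format keytab (file version 0x0502, the format ipa-getkeytab writes), lists the key version numbers stored for a principal, and does the lookup a service performs when a client presents a ticket: find the entry whose principal, kvno and enctype all match. A keytab may legitimately hold the same principal at several kvnos; the failure people hit after rotating a key is a ticket whose kvno the keytab no longer (or does not yet) contain, which the lookup returns as None. The principal names, the kvno values and the key bytes in the sample are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(s: bytes) -> bytes:
    """keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0) -> bytes:
    """Serialise one 0x0502 entry, including the optional 32-bit vno field."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())   # 0x0502: count excludes realm
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                                      # vno32 (used when non-zero)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []

    def u16(p):
        return struct.unpack_from(">H", data, p)[0], p + 2

    def cstr(p):
        n, p = u16(p)
        return data[p:p + n], p + n

    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        ncomp, pos = u16(pos)
        realm, pos = cstr(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = cstr(pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:           # 32-bit vno present: authoritative when non-zero
            vno32 = struct.unpack_from(">I", data, pos)[0]
            if vno32:
                kvno = vno32
        pos = end
        out.append(KeytabEntry(b"/".join(comps).decode() + "@" + realm.decode(),
                               name_type, ts, kvno, enctype, key))
    return out


def kvnos_for(entries: List[KeytabEntry], principal: str) -> List[int]:
    return sorted({e.kvno for e in entries if e.principal == principal})


def select_key(entries: List[KeytabEntry], principal: str,
               ticket_kvno: int, enctype: int) -> Optional[KeytabEntry]:
    """The service-side lookup for an incoming ticket; None means the ticket was
    sealed with a key version/enctype this keytab does not hold."""
    for e in entries:
        if (e.principal, e.kvno, e.enctype) == (principal, ticket_kvno, enctype):
            return e
    return None


# Constructed sample: the NFS service principal at kvno 3 and 4 (the state right
# after one key rotation) plus a host principal.  Key bytes are dummies.
NFS = "nfs/nfs-server.ny.example.com@EXAMPLE.COM"
HOST = "host/nfs-server.ny.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (NFS, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    (NFS, 4, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64))),
    (HOST, 4, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(64, 96))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):        # same columns klist -k shows
        print(f"{e.kvno:>4} {e.enctype:>3} {e.principal}")
    print("ticket at kvno 5 usable:", select_key(parse_keytab(SAMPLE_KEYTAB), NFS, 5, 18) is not None)
```

Reading a real file is just `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; compare its kvnos for the service principal against the kvno the KDC currently issues (the value `kvno nfs/...` reports on a client) to see whether an appliance that rejects the file is missing the current version or is choking on the presence of older ones.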
Is the clock off? NTP working correctly?
> On Mar 7, 2020, at 12:55 PM, Nicholas DeMarco wrote:
> Good question. Yes. The user is in the admin group and has access to other
> newly joined machines.
>> On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote:
>> Does the user have
Does the user have access to the machine?
> On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users
Our users on their local machines (which are enrolled into our domain/realm)
access (mount read/write) our NFS shares as they need with their LDAP accounts.
We are wanting to allow users to use docker containers to mount/access these
same mount/NFS Servers. These containers are short lived so
We have an application that does some data processing on our NFS server. Users
typically just ssh into a box which then has a kerberos key generated for them,
which allows them access the NFS share and run the script.
We are wanting to set this up in a more automated fashion. Such as