[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-09 Thread Kevin Vasko via FreeIPA-users
I’m following this because I’m having the same issue. Since the OpenVPN client won’t prompt twice for the second factor I know you have to do the whole “password+otp” (without the +) but keep getting invalid password. -Kevin > On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users >

[Freeipa-users] Re: Getting access denied when using kerberos when mounting nfs share

2018-11-08 Thread Kevin Vasko via FreeIPA-users
the services. Thanks for the reply. -Kevin > On Nov 8, 2018, at 12:46 PM, Robbie Harwood wrote: > > Kevin Vasko via FreeIPA-users > writes: > >> I followed these instructions to enable kerberos within my realm/domain. >> >> My FreeIPA, NFS server and my NFS

[Freeipa-users] Getting access denied when using kerberos when mounting nfs share

2018-11-06 Thread Kevin Vasko via FreeIPA-users
I followed these instructions to enable kerberos within my realm/domain. My FreeIPA, NFS server and my NFS client are CentOS 7.4 https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html I’m completely stuck in that when I mount the NFS share I get Sudo mount -o sec=krb5p

[Freeipa-users] Re: Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-06 Thread Kevin Vasko via FreeIPA-users
Thanks Louis! Will be trying this as soon as I get in on Monday (no remote access). If I wanted to validate my configuration how do I go about getting this information out of my FreeIPA installation? Since the EMC by default includes the schema I attached is it old/out of date or is it for

[Freeipa-users] Re: Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-09 Thread Kevin Vasko via FreeIPA-users
Thanks much! I just tried this and sure enough everything came alive and started working as soon as I changed the scheme to what Louis posted in his first post. The only other thing that I will note is that the Dell EMC seems to hard code what is entered for the REALM as the SPN (Service

[Freeipa-users] Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-06 Thread Kevin Vasko via FreeIPA-users
I’m trying to integrate the “NAS Server” on our Dell EMC Unity with our FreeIPA server so we can secure our NFS shares. Our FreeIPA server is run of the mill setup. We don’t have any special configuration. The Dell EMC Box NAS configuration settings are asking for the following. Realm: KDC

[Freeipa-users] ca-certificate file not being parses correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Kevin Vasko via FreeIPA-users
Mainly looking for input on where to file a bug I think I found in p11-kit-trust.so but potentially caused by the FreeIPA client install process on Ubuntu. I have been trying to figure out a way of getting Ubuntu to load the system wide certs like CentOS/Fedora does. Alexander helped me

[Freeipa-users] Re: ca-certificate file not being parses correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Kevin Vasko via FreeIPA-users
Thanks. I posted the bug report. https://pagure.io/freeipa/issue/8106 -Kevin > On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy wrote: > > On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote: >> >> >> Mainly looking for input on where to file a bug I

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-15 Thread Kevin Vasko via FreeIPA-users
Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. I’m using IPA’s internal cert system. Yeah, I kept reissuing tickets when I was trying to get the post command

[Freeipa-users] Re: group management on freeipa clients

2019-10-24 Thread Kevin Vasko via FreeIPA-users
So, this is an interesting read, thanks for that. But just an FYI to the OP, if you are using any Ubuntu 18.04 clients (I haven’t tried it with Fedora/CentOS) there is an issue with not having local docker groups on the system. What ends up happening is on a boot, docker services try starting

[Freeipa-users] Easiest path to provide access to shares to Windows and Mac systems

2019-11-23 Thread Kevin Vasko via FreeIPA-users
So I feel we have a decent process for users on Linux (Ubuntu/CentOS) to access NFS shares, however there is rumbling of people wanting to use their Mac and Windows boxes to access the data shares. The tricky part of this is we won't be able to enroll the Windows or Mac systems into FreeIPA. So

[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
someone even saw this. Thanks for answering. -Kevin > On Oct 7, 2019, at 2:19 PM, François Cami wrote: > > On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users > wrote: >> >> Ok thanks! I just tried it and that seems to do it! Just using the >> “example.

[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
onfigure the domain on >>> the server (as any of the domain strings you want) and then use the >>> same domain on all clients), that should make them work. >>> >>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: >>>>

[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
ld make them work. > >> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: >> If you use krb5 authentication you should have no issues, are you using >> auth=sys instead ? >> >>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-user

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
. On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale wrote: > > On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote: > > Hello, > > > > I’m wanting to make our https servers use a trusted certificate within our > > LAN only. So for example if

[Freeipa-users] How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Hello, I’m wanting to make our https servers use a trusted certificate within our LAN only. So for example if I have websrv1.ny.example.com when a user uses a machine that’s enrolled into our realm and they visit https://websrv1.ny.example.com they shouldn’t be prompted to accept the self

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
en via FreeIPA-users wrote > > > > Kevin Vasko via FreeIPA-users wrote: > >> How would I validate that certs are getting added properly on a CentOS > >> machine system wide store? > >> > >> I’m going to test it today to find out if this is a problem

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
g/en-US/kb/setting-certificate-authorities-firefox So based off of this information I'm going to have to manually add the root certificates to each Chrome and Firefox cert store on the client machines, which is a bummer. Sorry for the noise. On Thu, Oct 10, 2019 at 8:40 AM Rob Crittenden wrote: > >

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
re? >> > Thanks for the details. I do not know about system trust on Ubuntu. > It could be that ipa-client on Ubuntu does add the IPA CA to system > trust, but the Firefox/Chrome packages ignore the system trust > store. > > Hopefully someone more familiar with Ubuntu can

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
hat I find. -Kevin On Thu, Oct 10, 2019 at 9:17 AM Alexander Bokovoy wrote: > > On to, 10 loka 2019, Kevin Vasko via FreeIPA-users wrote: > >I actually manually checked the system wide crt files on each > >distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
>ipa-install-client and it is performing correctly at this point adding > >it to the cert store. Given that the exception that you mentioned, > >that there is a difference in ipa-install-client adding it to the > >NSS database on RHEL/Fedora/CentOS and not on the Ubuntu/Debia

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
> It is the first one that brings all the system-wide certificates into >> NSS and other databases. For OpenSSL applications it can be brought in >> via PKCS#11 engine support. >>> So I at this point I don't think anything is wrong with >>> ipa-install-client and it is perf

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me. -Kevin > On Oct 9, 2019, at 7:23

[Freeipa-users] FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-04 Thread Kevin Vasko via FreeIPA-users
Hello, I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography. For example, ca.example.com, and ny.example.com. I have a NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
So following these instructions I found out that the certs are NOT revoked. https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked The one thing I did find is that in Firefox if I uncheck "Query OCSP responder servers to confirm the current validity of

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
I'm 100% positive I did nothing with this cert. To validate, I spun up a brand new machine completely from scratch. 1. ran yum update 2. installed Gnome 3. installed ipa with my normal "sudo ipa-client-install --domain=exaple.com --realm=EXAMPLE.COM --enable-dns-updates --mkhomedir" 4. started

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Kevin Vasko via FreeIPA-users
Welp, I'm an idiot and you are completely 100% correct. It was indeed revoked, but the http server's certificate was revoked and not the client... which is where I was focusing 100% of my debugging. Which clears up a LOT of things. I originally was loading the ca.crt on an Ubuntu machine a few days

[Freeipa-users] Re: dhcp dynamic update

2020-02-24 Thread Kevin Vasko via FreeIPA-users
I’m interested in hearing others’ responses as well on this. Is there anything in particular I would need to do to make sure I can get things back into a “working” state? -Kevin > On Feb 24, 2020, at 12:10 PM, Andrew Meyer via FreeIPA-users > wrote: > > Hello, > I was trying to search the

[Freeipa-users] Help in understanding multiple KVNO versions in keytab file

2020-02-14 Thread Kevin Vasko via FreeIPA-users
Hello, I’m trying to understand when/how the different KVNO versions in a file should or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what it will accept for a keytab file with different KVNO versions. I’m not sure if I’m misunderstanding something, or there’s a bug

[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not

2020-03-07 Thread Kevin Vasko via FreeIPA-users
Is the clock off? NTP working correctly? -Kevin > On Mar 7, 2020, at 12:55 PM, Nicholas DeMarco wrote: > > > Good question. Yes. The user is in the admin group and has access to other > newly joined machines. > >> On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote: >> Does the user have

[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not

2020-03-07 Thread Kevin Vasko via FreeIPA-users
Does the user have access to the machine? -Kevin > On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users > wrote: >

[Freeipa-users] Approach to allowing users access to NFS with kerberos through containers

2020-03-11 Thread Kevin Vasko via FreeIPA-users
Our users on their local machines (which are enrolled into our domain/realm) access (mount read/write) our NFS shares as they need with their LDAP accounts. We are wanting to allow users to use docker containers to mount/access these same mount/NFS Servers. These containers are short lived so

[Freeipa-users] permanent service account keys for kerberos NFS share

2020-10-08 Thread Kevin Vasko via FreeIPA-users
Hello, We have an application that does some data processing on our NFS server. Users typically just ssh into a box which then has a kerberos key generated for them, which allows them to access the NFS share and run the script. We are wanting to set this up in a more automated fashion. Such as