[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 13, 2017 at 07:22:58PM -, bogusmaster--- via FreeIPA-users wrote: > I've uploaded them here: goo.gl/hiFHKE Thanks. [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). This indicates that the user cannot be found on the server. There are

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users wrote: > > Can you do a test on the server by calling > > > > id username(a)ad.domain > > > > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as > > well? > I uploaded these files to the same

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-13 Thread Sumit Bose via FreeIPA-users
On Wed, Jul 12, 2017 at 02:48:47PM -, bogusmaster--- via FreeIPA-users wrote: > > On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users > > wrote: > > > > > > The ipa-client gets all its data from the IPA server and for efficiency > > the lookup on the server goes via

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-18 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 14, 2017 at 03:19:57PM -, bogusmaster--- via FreeIPA-users wrote: > > On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users > > wrote: > > > > yes, but I think this is only a side effect. SSSD cannot resolve a > > global catalog server. Does > > > > dig

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-26 Thread Sumit Bose via FreeIPA-users
On Wed, Jul 26, 2017 at 03:56:52AM +, pgb205 via FreeIPA-users wrote: > As far as I know krb5.conf does not have limitations on the number of KDCs > that can be listed https://web.mit.edu/kerberos/krb5-1krb5_conf.html > I have 3 servers that I would like to be read. I have no problem with

[Freeipa-users] Re: Authenticating users with a different UPN suffix in an AD trust configuration

2017-07-06 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 06, 2017 at 09:55:46AM +0200, Ronald Wimmer wrote: > On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote: > > [...] > > We have a test IPA server with HBAC allow_all and we can ssh to it reliably > > as a regular user, but when we try to ssh as ‘first > >

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-06 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via FreeIPA-users wrote: > Just to add some example of behaviour I described, I configured an AD user > group membership and granted him access via HBAC rule. Waited approximately > for 2 hours and then, all of a sudden, it magically

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-29 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 28, 2017 at 08:22:12PM +0200, Jakub Hrozek via FreeIPA-users wrote: > On Wed, Jun 28, 2017 at 01:03:45PM -0400, Chris Dagdigian via FreeIPA-users > wrote: > > Hi folks, > > > > > > I have a set of servers that CANNOT become enrolled IDM clients due to a > > vendor refusing to

[Freeipa-users] Re: (no subject)

2017-06-28 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 28, 2017 at 07:04:58AM -0700, Sean Hogan via FreeIPA-users wrote: > > Hi All, > > We are having an issue performing RHEL 6.6 to 6.7 upgrade with SSSD. The > systems are already enrolled and working in IPA 3.0.0-50 using 6.6 client. > We yum update and sssd gives this >

[Freeipa-users] Re: SSSD Cache and Service Tickets

2017-05-26 Thread Sumit Bose via FreeIPA-users
On Tue, May 16, 2017 at 11:30:25AM +0200, Ronald Wimmer wrote: > On 2017-05-15 21:27, Jakub Hrozek wrote: > > [...] > > > > On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote: > > > Hi, > > > > > > I am confronted with a behaviour for which I do not have an explanation > > > for. > >

[Freeipa-users] Re: [Freeipa-users]Re: [SOLVED] Re: Illegal cross-realm ticket

2017-05-26 Thread Sumit Bose via FreeIPA-users
On Fri, May 26, 2017 at 01:30:36PM -0400, Jake wrote: > `ipa realmdomains-show` lists all domains already, so that isn't used for > some reason. oops, looks like SSSD does not read those entries, I added https://pagure.io/SSSD/sssd/issue/3412 to track this. bye, Sumit > > - Original

[Freeipa-users] Re: Illegal cross-realm ticket

2017-05-26 Thread Sumit Bose via FreeIPA-users
On Thu, May 25, 2017 at 04:55:16PM -0400, Jake via FreeIPA-users wrote: > Hey Guys, > > Centos7.3 > FreeIPA 4.4.0 > > > I'm having a strange issue with cross-realm tickets that I'm having a hard > time troubleshooting. it looks similar to an issue posted back in 2014. >

[Freeipa-users] Re: SSSD Cache and Service Tickets

2017-05-29 Thread Sumit Bose via FreeIPA-users
On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote: > > [...] > > Did you ‘Allow GSSAPI credential delegation’ in the putty configuration? > > Additionally the internal Windows Kerberos

[Freeipa-users] Re: Scripting a SSSD client to add SIDtoUIDnumbers from ad Trust into custom LDAP schema.

2017-06-06 Thread Sumit Bose via FreeIPA-users
On Fri, Jun 02, 2017 at 12:02:04PM -0600, Frank Rey via FreeIPA-users wrote: > I have a Netapp that does not support SSSD or Windbind and i want to use > IDM ldap to do permission/name mapping. would using a Script on a SSSD > client to populate a custom ldap schema in IPA with the SSSD uidnumber

[Freeipa-users] Re: Login failed due to an unknown reason.

2017-10-09 Thread Sumit Bose via FreeIPA-users
On Mon, Oct 09, 2017 at 03:16:13PM +0300, Markovich via FreeIPA-users wrote: > Hello, ipa-users! > > Can't login into my FreeIpa system with admin user. > > *On WebUi * > > Login failed due to an unknown reason. > > *In krb5kdc.log:* > > Oct 09 08:08:24 myhost.mydomain krb5kdc[24788](info):

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-10-05 Thread Sumit Bose via FreeIPA-users
b=/etc/pki/nssdb > > > >> > > > >> should do the trick. > > > >> > > > >> HTH > > > >> > > > >> bye, > > > >> Sumit > > > >> > > > >> > > > > >> > Thanks,

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-10-05 Thread Sumit Bose via FreeIPA-users
the lines below. This will call pam_unix only for users from > >> > > /etc/passwd and skip the line it otherwise (default=1). Maybe > >> something > >> > > like this would help on Ubuntu as well? > >> > > > >> > > bye, > >

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Sumit Bose via FreeIPA-users
On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote: > Hey, > > This week I tried to install Samba (which failed because of Ubuntu, but that's > another story). > > One of the steps was to do ipa-adtrust-install. It created a cifs/myhost > principal > on my IPA master

[Freeipa-users] Re: Force 2FA on specific hosts

2017-09-25 Thread Sumit Bose via FreeIPA-users
On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote: > Hello all on the list! > > Kind of an odd question, but management has asked me to try to find this > out. We've been rolling out FreeIPA to replace OpenLDAP inside a > higher-security (PCI Compliant) part of our

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Sumit Bose via FreeIPA-users
sing the lines and get a pam error about user not known (it is > an AD user which works fine on fedora). > > Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora. > Don't know if this is relevant or not. > > Steve > > > On Thu, Sep 28, 2017 at 11:40 A

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-28 Thread Sumit Bose via FreeIPA-users
On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users wrote: > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA client > version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA client > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored. > > The

[Freeipa-users] Re: Smartcard not working on Ubuntu 16.04

2017-09-29 Thread Sumit Bose via FreeIPA-users
lines and get a pam error about user not known (it > > is > > > an AD user which works fine on fedora). > > > > > > Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora. > > > Don't know if this is relevant or not. > > > > > >

[Freeipa-users] Re: Force 2FA on specific hosts

2017-09-26 Thread Sumit Bose via FreeIPA-users
a test environment and see what I can figure out. Thanks for > the hint! > > Jeremy Utley > > On Mon, Sep 25, 2017 at 8:47 AM, Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Ut

[Freeipa-users] Re: password and keytab weirdness

2017-08-24 Thread Sumit Bose via FreeIPA-users
On Thu, Aug 24, 2017 at 09:51:51AM -0500, Kat via FreeIPA-users wrote: > Hi all, > > Has anyone seen this before: > > 1. User created, and being used for logins, no issues. Works just fine. > > 2. At one point, keytab file is retrieved via getkeytab, which also works. > > 3. After the keytab

[Freeipa-users] Re: FIPA 2FA OTP+PASSWORD

2017-08-22 Thread Sumit Bose via FreeIPA-users
On Thu, Aug 10, 2017 at 04:58:33PM +0530, saidireddy ranabothu via FreeIPA-users wrote: > Hello all, I have enabled password+OTP authentication for a user and able > to sync tokens and SSH. While ssh to server using FIPA credentials it's > asking authentication in two steps as First Factor and

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Sumit Bose via FreeIPA-users
On Mon, Aug 28, 2017 at 04:39:46PM +, Eddleman, David via FreeIPA-users wrote: > So I've created an ID override on the IPA master called "TestShellView" to > test out changing per-user requirements for shells. > > Verify the ID override on the master: > [root@ipamaster01 ~]# ipa

[Freeipa-users] Re: Kvno error on validating one-way trust: "kvno: Decrypt integrity check failed while getting credentials"

2017-08-30 Thread Sumit Bose via FreeIPA-users
On Wed, Aug 30, 2017 at 10:45:11AM -, bogusmaster--- via FreeIPA-users wrote: > Behavior that I described above pertains to Windows 2008 R2. When I attempt > at doing exactly the same with AD set up on top of Windows 2012, it works > flawlessly. Unfortunately, environment I have to set up

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Sumit Bose via FreeIPA-users
end the SSSD domain logs with debug_level=10 which covers the steps on rhel7template? bye, Sumit > > David Eddleman > > On 8/29/17, 8:02 AM, "Sumit Bose via FreeIPA-users" > <freeipa-users@lists.fedorahosted.org> wrote: > > On Mon, Aug 28, 2017 at 04:39:46

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 29, 2017 at 05:00:06PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 28 elo 2017, Eddleman, David via FreeIPA-users wrote: > > So I've created an ID override on the IPA master called "TestShellView" > > to test out changing per-user requirements for shells. > > > > Verify

[Freeipa-users] Re: User ID overrides staying persistent in cache for AD users

2017-08-29 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 29, 2017 at 06:11:43PM +0300, Alexander Bokovoy wrote: > On ti, 29 elo 2017, Sumit Bose via FreeIPA-users wrote: > > On Tue, Aug 29, 2017 at 05:00:06PM +0300, Alexander Bokovoy via > > FreeIPA-users wrote: > > > On ma, 28 elo 2017, Eddleman, David via FreeIPA

[Freeipa-users] Re: VPN access with FreeRADIUS enforcing OTP backed by FreeIPA

2017-10-09 Thread Sumit Bose via FreeIPA-users
On Mon, Oct 09, 2017 at 11:50:59AM +0100, Andy Stubbs via FreeIPA-users wrote: > I'm having a bit of a hard time trying to enforce OTP on VPN access using > FreeRADIUS backed by FreeIPA as the auth oracle. > > I'm using a FreeIPA 4.5.0-21 client which is running FreeRADIUS 3.0.13-8, > enrolled to

[Freeipa-users] Re: Directory service stop and won't stay up when restarted

2017-11-25 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 24, 2017 at 07:04:10PM -0500, Alexandre Pitre via FreeIPA-users wrote: > Hi, > > I had two freeipa replica servers up and running in our german DC for > nearly 2 months and this morning out of the blue they stopped working. > > Looking at ipactl status, both servers are reporting

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-23 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 24, 2017 at 04:57:01PM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > It's here: > https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395 > > > > SSSD is not doing its job properly when a user has an expired password and > an OTP

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-21 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the List, > > > > This turned out to be a workflow issue, we still have a problem but this > first use case works. > > > > In the case of a user with an invalid password (none or expired) with no OTP >

[Freeipa-users] Re: Expired passwords and generating an OTP token

2017-11-22 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote: > Hi Sumit, > > Here is /etc/pam.d/password-auth I missed that it was an include, and that you > wanted it too, again it's as installed by CentOS 7.4 and ipa-client-install > ok, the PAM configuration looks good. Can you send me the

[Freeipa-users] Re: Enabling two-factor by host

2017-11-17 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 17, 2017 at 04:09:01AM +, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > Is it possible to enable two-factor authentication using Google Authenticator > on FreeIPA on specific hosts or groups of hosts? > > Alternatively, are there any recommendations on modifying the

[Freeipa-users] Re: Enabling two-factor by host

2017-11-21 Thread Sumit Bose via FreeIPA-users
required on specific hosts, the other hosts should > authenticate with just password. > > > Any suggestions? > > Aaron > -----Original Message- > From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] > Sent: Monday, 20 November 2017 12:59 PM > To: 'FreeIPA users li

[Freeipa-users] Re: Autentification in application with freeipa

2017-11-21 Thread Sumit Bose via FreeIPA-users
On Tue, Nov 21, 2017 at 08:14:49AM -0500, Rob Crittenden via FreeIPA-users wrote: > Николай Савельев via FreeIPA-users wrote: > > Hi. > > I asked about Owncloud, Zimbra, etc authentication in freeipa with AD > > trust. > > I was offered to use SAML. > > But I don't understand SAML. It very

[Freeipa-users] Re: pointing SSSD/IPA at named AD domain controllers now with recent updates?

2017-11-16 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 16, 2017 at 12:10:01PM -0500, Chris Dagdigian via FreeIPA-users wrote: > > The most fragile and user-angering aspect of our complex IPA setup in AWS is > when user AD password checks mysteriously fail and deny login. All of the > troubleshooting stuff works fine - user is recognized

[Freeipa-users] Re: FreeIPA OTP/FAST: MIT KDC <--> heimdal client integration

2017-11-03 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 03, 2017 at 11:12:09AM +0200, Oleksandr Yermolenko via FreeIPA-users wrote: > Hi, > > I have a strange (for me?) situation using MIT KDC together with > Heimdal client. PKINIT/FAST scenario. The OTP implementation of MIT Kerberos is based on https://www.ietf.org/rfc/rfc6560.txt, I

[Freeipa-users] Re: GSSAPI-encrypted LDAP connection

2017-12-01 Thread Sumit Bose via FreeIPA-users
On Fri, Dec 01, 2017 at 11:54:35AM +, James Harrison via FreeIPA-users wrote: > Hello, One of our FreeIPA servers we are seeing the following messages > from journal -f > > Dec 01 11:50:14 ipa-01.int.domain.com krb5kdc[7056](info): AS_REQ (8 etypes > {18 17 16 23 25 26 20 19})

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-04 Thread Sumit Bose via FreeIPA-users
hanks > > On Monday, 4 December 2017, 07:23:51 GMT, Sumit Bose via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users > wrote: > > Hello the list, > > > >  >

[Freeipa-users] Re: Unable to create GSSAPI-encrypted LDAP connection

2017-12-03 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 04, 2017 at 02:51:16PM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > I've seen this issue on the list several times, but I've not yet seen a > solution posted. We're having this issue on one of our SLES 12 SP2 hosts > (we have other SLES hosts are fine),

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 11, 2017 at 10:08:50AM +1300, Aaron Hicks via FreeIPA-users wrote: > Hello the list, > > > > We've got a number (hundreds) of hosts inside a private network, these all > query the FreeIPA server for user and group information using NAT and a > gateway server. > > > > However

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-12 Thread Sumit Bose via FreeIPA-users
On Tue, Dec 12, 2017 at 10:46:50AM +1300, Aaron Hicks via FreeIPA-users wrote: > Hi Andrew, > > > > Single operations are fine. From the command line names resolve quickly, > especially once cached, ldapsearch and other commands work when properly > authenticated. > > > > When the hosts

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-12 Thread Sumit Bose via FreeIPA-users
n find them at /var/log/dirsrv/slapd-YOUR-IPA-DOMAIN/access* bye, Sumit > > Get Outlook for iOS<https://aka.ms/o0ukef> > ____ > From: Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > Sent: Monday, December 11, 20

[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-06-07 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 07, 2018 at 04:39:09PM +0300, AvigdorFin via FreeIPA-users wrote: > How do I report a suspected Bug against sssd? > I have a problem with sssd 1.14 1.15 1.16 but not 1.13. > > The problem is with small tree of files that is created on > /tmp/adcli-krb5-X every 5 minutes. > The

[Freeipa-users] Re: apparent error with ad_enum_cross_dom_members

2018-06-04 Thread Sumit Bose via FreeIPA-users
On Mon, Jun 04, 2018 at 05:33:28AM +, Craig H Silva (Cenitex) via FreeIPA-users wrote: > Background - stupidly large AD domain with 30,000 plus groups. It is a forest > with a number of legacy domains that are not relevant to our authentication > on Linux but the AD admins don't want to

[Freeipa-users] Re: SSH public keys and cache invalidation

2018-06-22 Thread Sumit Bose via FreeIPA-users
On Thu, Jun 21, 2018 at 12:13:03PM -, Bart via FreeIPA-users wrote: > Or it is not solved yet :). > > After the update my sssd versions are: > server: 1.16.1-8 > client: 1.16.1-7 > > Public keys get updated on the client host but ONLY after I log in to the > server. Even though I set

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-09 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 09, 2018 at 03:26:57PM +, Marin BERNARD via FreeIPA-users wrote: > Hi, > > We're using FreeIPA 4.5.0 on CentOS 7.4. > > We've set up a two-way trust between our 2 FreeIPA servers and our AD domain > (forest and domain levels both on 2012 R2). So far, everything works as >

[Freeipa-users] Re: Private PEN for OID not accepted

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Thu, Jan 11, 2018 at 04:49:46AM -, Matt . via FreeIPA-users wrote: > HI guys. > > I'm having an issue with my private PEN when I want to add an objectclass and > an attribute with the following ldif (9 is a replacement for my private > PEN registered at Iana) > > The following

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 09, 2018 at 05:16:03PM +, Marin BERNARD via FreeIPA-users wrote: > Hi, > > > > The client systems are the FreeIPA servers! Both are running on up-to-date > CentOS 7.4 with sssd 1.15.2. There is https://pagure.io/SSSD/sssd/issue/3431 which is fixed upstream in 1.15.3 which

[Freeipa-users] Re: AD Trust

2018-01-03 Thread Sumit Bose via FreeIPA-users
On Wed, Jan 03, 2018 at 07:07:03PM +0700, Николай Савельев via FreeIPA-users wrote: > I have ipa domain with AD trust. id ad_users@ad_domain works. su > ad_users@ad_domain works. > kinit ad_users@ad_domain doesn't work in ubuntu but works in centos 7 Which error do you see with kinit? Does

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Wed, Jan 10, 2018 at 09:22:05AM +, Marin BERNARD wrote: > > > Hi, > > > > > > > > > > > > The client systems are the FreeIPA servers! Both are running on up-to- > > date CentOS 7.4 with sssd 1.15.2. > > > > There is https://pagure.io/SSSD/sssd/issue/3431 which is fixed upstream in > >

[Freeipa-users] Re: Get user ssh key instead of fingerprint.

2018-01-16 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 16, 2018 at 10:53:21AM +0100, Maciej Drobniuch via FreeIPA-users wrote: > Hi all. > > Is there any way to get the user's ssh key (not fingerprint) via console? if the key is stored in IPA you can get the full key with ipa user-show --all username or sss_ssh_authorizedkeys

[Freeipa-users] Re: pkinit

2018-02-09 Thread Sumit Bose via FreeIPA-users
On Thu, Feb 08, 2018 at 09:43:48PM -0600, Sergei Gerasenko via FreeIPA-users wrote: > Hello, > > I recently upgraded to version 4.5 of FreeIPA. I only upgraded the server, > not the clients. Do my clients now have to use pkinit? Or is it optional? How > can I check what is being used? I’m

[Freeipa-users] Re: AD Trust

2018-01-03 Thread Sumit Bose via FreeIPA-users
On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users wrote: > I have ipa domain with AD trust. id ad_users@ad_domain works. su > ad_users@ad_domain works. > kinit ad_users@ad_domain doesn't work in ubuntu but works in centos 7 > What? > /etc/krb5.conf is the same. > ipa

[Freeipa-users] Re: SSH public keys and cache invalidation

2018-06-20 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 20, 2018 at 01:15:24PM -, Bart via FreeIPA-users wrote: > Hi all, > > I have set up ipa server, established trust with an ad controller and > enrolled a couple of clients to it. > I have a problem understanding how to properly set up ssh pubkey > authentication when it comes to

[Freeipa-users] Re: IPA and AD basedn

2018-08-09 Thread Sumit Bose via FreeIPA-users
On Thu, Aug 09, 2018 at 10:34:57AM +, Mirko Spezie via FreeIPA-users wrote: > This is the output from both IPA server and client: > > > > From IPA Server: > > # id mspe...@example.org > uid=1070607073(mspe...@example.org) gid=1070607073(mspe...@example.org) >

[Freeipa-users] Re: IPA and AD basedn

2018-08-09 Thread Sumit Bose via FreeIPA-users
On Thu, Aug 09, 2018 at 08:23:57AM +, Mirko Spezie via FreeIPA-users wrote: > Hi, > I've configured IPA with trust to our AD. Everything seems ok except for one > thing: if one AD user is not present in "cn=Users,dc=example,dc=org" but > exists in "ou=Group,dc=example,dc=org" , I can login

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-08 Thread Sumit Bose via FreeIPA-users
On Tue, Aug 07, 2018 at 04:51:00PM -, Ryan Slominski via FreeIPA-users wrote: > Hi Robbie, > What is the proper way to configure an IPA host so that the sshd will use > the FQDN? I've noticed that IPA client installer modifies the file > /etc/krb5.conf and adds the lines: Does the

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-07 Thread Sumit Bose via FreeIPA-users
On Mon, Aug 06, 2018 at 05:30:22PM -0400, Robbie Harwood via FreeIPA-users wrote: > Ryan Slominski via FreeIPA-users > writes: > > > [testuser@testclient1 ssh]$ ssh -vvv testclient2.example.com > > [snip] > > > debug1: Authentications that can continue: > >

[Freeipa-users] Re: Client authentication against trusted AD broken

2018-07-05 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 05, 2018 at 04:57:26PM -, Mike Conner via FreeIPA-users wrote: > I've seen similar situations in other threads, but searching for a solution > hasn't proven fruitful so far; please point me in the right direction! I've > configured an ipa server with a trusted AD domain and both

[Freeipa-users] Re: trust-add => ipa: ERROR: Cannot find specified domain or server name

2018-03-08 Thread Sumit Bose via FreeIPA-users
On Thu, Mar 08, 2018 at 01:39:58PM +, lejeczek via FreeIPA-users wrote: > hi guys > I'm trying to add a trust to AD, I do DNS regular (as per Win Integration > Guide) and all seems good, but it fails with error as per the subject. > > With regards to DNS, only thing on the odd side (guide

[Freeipa-users] Re: Obtain TGT at login.

2018-04-09 Thread Sumit Bose via FreeIPA-users
On Wed, Apr 04, 2018 at 11:07:55AM -0500, Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote: > Greetings, > > My organization is working to remove the need for passwords for its > end-users. While moving forward on this project I have noticed after > logging into a system the user

[Freeipa-users] Re: SSH Key auth with expired Kerberos password

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Wed, Nov 07, 2018 at 09:53:03PM +, Nathan Harper via FreeIPA-users wrote: > Hi all, > > We have noticed some behaviour that we are trying to work out if it is > expected or not (or if this is an SSSD thing). We have a pair of FreeIPA > replicas running on CentOS 7 (v4.5.x), with various

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 04:17:20PM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > for posterity's sake, this appears to be a problem with kcm (whatever that > is, don't know yet, will look it up later). > > I turned it off in /etc/krb5.conf.d/kcm_default_ccache (just comment the > two

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 11:43:22AM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > I found this blog post: > > https://floblanc.wordpress.com/2017/06/02/troubleshooting-authentication-to-the-system-console-or-gnome-desktop-manager-of-an-idm-host-with-a-smartcard/ > > $ ipa certmap-match

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 12:49:26PM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On to, 15 marras 2018, Natxo Asenjo via FreeIPA-users wrote: > > hi, > > > > I can successfully login using a smartcard (fedora 29 client, centos 7 > > kdcs, latest patch level). > > > > However, when I try

[Freeipa-users] Re: smartcard auth + kerberos ticket?

2018-11-15 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 15, 2018 at 01:23:37PM +0100, Natxo Asenjo wrote: > On Thu, Nov 15, 2018 at 11:49 AM Alexander Bokovoy > wrote: > > > > > >Am I doing something wrong or is this to be expected? > > Enable debug_level=9 in sssd configuration (domain section) and try to > > login with smartcard, then

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote: > On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-user

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-08 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi, > > trying to get smart card authentication using a yubikey. > > I follow the > > $ opensc-tool --list-readers > # Detected readers (pcsc) > Nr. Card Features Name > 0Yes Yubico Yubikey NEO

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote: > hi Sumit, > > > On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > > I would suggest to first check if

[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 08, 2018 at 06:51:22PM -, Eric Fredrickson via FreeIPA-users wrote: > Hello everyone, > > I'm having an issue with OTP when logging into a vpn server that is a client > of FreeIPA. I can login with no issues when OTP is disabled. > > FreeIPA Setup: > CentOS 7.5 > FreeIPA 4.5.4

[Freeipa-users] Re: OTP sudo prompts

2018-11-27 Thread Sumit Bose via FreeIPA-users
orry, try again. > First Factor: > Second Factor (optional): > sudo: 3 incorrect password attempts > > Both IPA-server and client are running on CentOS 7.5. > > > > > > Op 23-03-18 om 09:32 schreef Sumit Bose via FreeIPA-users: > > On Thu, Mar 22, 2018 at 10:28:1

[Freeipa-users] Re: OTP sudo prompts

2018-11-28 Thread Sumit Bose via FreeIPA-users
Second Factor (optional): > Sorry, try again. > First Factor: > Second Factor (optional): > sudo: 3 incorrect password attempts > > Both IPA-server and client are running on CentOS 7.5. > > > > > > Op 23-03-18 o

[Freeipa-users] Re: kinit: Password incorrect while getting initial credentials

2019-01-12 Thread Sumit Bose via FreeIPA-users
On Fri, Jan 11, 2019 at 04:38:15PM -0500, Robbie Harwood via FreeIPA-users wrote: > nandha kumar via FreeIPA-users > writes: > > > Hi Robbie, > > > > Yes, I am able to kinit the administrator account > > > > Yes. My password is correct and even I check for other 4 AD users, it > > gives the