[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-08 Thread Sigbjorn Lie via FreeIPA-users
Hi,

Thank you. That worked well. :)


Regards,
Siggi

> On 7 Nov 2017, at 11:24, Alexander Bokovoy via FreeIPA-users 
>  wrote:
> 
> On ma, 06 marras 2017, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>> 
>> RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go
>> from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa
>> to allow the existing HBAC rules to function.
>> 
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5
>> using sssd-ipa?
>> 
>> Thanks.
>> 
>> 
>> Regards,
>> Siggi
>> 
>> 
>> [root@ipaclient sssd]# kinit -kt /etc/krb5.keytab
>> 
>> kinit(v5): Preauthentication failed while getting initial credentials
>> 
> Uninstall pkinit-nss if you have it installed. Restart sssd.
> 
> -- 
> / Alexander Bokovoy
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Lukas Slebodnik via FreeIPA-users
On (07/11/17 10:34), Sigbjorn Lie via FreeIPA-users wrote:
>Hi,
>
>I would also prefer to stop using an unsupported distribution. Unfortunately 
>not all application vendors have updated their software, which prevents the 
>upgrade of these machines to a newer and supported distribution.
>

For such setup I would recommend to run sssd on el7 and
application in container with el5 + bind mount /var/lib/sss/pipes/
from host to container.

Such setup should be a little bit more secure.

LS
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Alexander Bokovoy via FreeIPA-users

On ma, 06 marras 2017, Sigbjorn Lie via FreeIPA-users wrote:

Hi list,

RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go
from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa
to allow the existing HBAC rules to function.

Is there a known workaround to get EL 5.11 clients to work with IPA 4.5
using sssd-ipa?

Thanks.


Regards,
Siggi


[root@ipaclient sssd]# kinit -kt /etc/krb5.keytab

kinit(v5): Preauthentication failed while getting initial credentials


Uninstall pkinit-nss if you have it installed. Restart sssd.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Sigbjorn Lie via FreeIPA-users
Hi,

I would also prefer to stop using an unsupported distribution. Unfortunately 
not all application vendors have updated their software, which prevents the 
upgrade of these machines to a newer and supported distribution.



Regards,
Siggi


> On 7 Nov 2017, at 07:57, Lukas Slebodnik  wrote:
> 
> On (06/11/17 16:58), Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>> 
>> RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go from 
>> sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow 
>> the existing HBAC rules to function.
>> 
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 
>> using sssd-ipa? 
>> 
> 
> I would not recommend to use unsupported distribution.
> https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html
> 
> You should consider to move from el5 to el6 or el7
> 
> LS
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Sigbjorn Lie via FreeIPA-users
Hi,

The EL5 servers are already enrolled in an RHEL6/IPA3 domain, and has been for 
several years. The EL5 machines work just fine when connected to the RHEL6/IPA3 
domain.

The RHEL6/IPA3 domain will now be upgraded to RHEL7/IPA4, and while performing 
some testing before the upgrade, we noticed the mentioned issues with sssd-ipa 
in EL5.


Regards,
Siggi




> On 6 Nov 2017, at 17:22, Mark Haney via FreeIPA-users 
>  wrote:
> 
> On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote:
>> Hi list,
>> 
>> RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go from 
>> sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow 
>> the existing HBAC rules to function.
>> 
>> Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 
>> using sssd-ipa?
>> 
>> Thanks.
>> 
>> 
>> Regards,
>> Siggi
>> 
>> 
> Not really an answer, but we have 5 CentOS 5 boxes and not one of them did I 
> migrate to IPA, it's just not worth the hassle.
> 
> 
> -- 
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-06 Thread Lukas Slebodnik via FreeIPA-users
On (06/11/17 16:58), Sigbjorn Lie via FreeIPA-users wrote:
>Hi list,
>
>RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go from 
>sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the 
>existing HBAC rules to function.
>
>Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using 
>sssd-ipa? 
>

I would not recommend to use unsupported distribution.
https://lists.centos.org/pipermail/centos-announce/2017-April/022350.html

You should consider to move from el5 to el6 or el7

LS
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-06 Thread Mark Haney via FreeIPA-users

On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote:

Hi list,

RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I 
go from sssd-ipa to sssd-ldap. I would prefer to continue to use 
sssd-ipa to allow the existing HBAC rules to function.


Is there a known workaround to get EL 5.11 clients to work with IPA 
4.5 using sssd-ipa?


Thanks.


Regards,
Siggi


Not really an answer, but we have 5 CentOS 5 boxes and not one of them 
did I migrate to IPA, it's just not worth the hassle.



--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org