Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: > So, commenting out: > password requisite pam_cracklib.so try_first_pass retry=3 type= > dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 > > Caused users updating their passwords using ssh to get: > > [ykatabam@ykatabam ~]

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Sep 19 11:40:43 dns1 sshd[11197]: pam_sss(sshd:account): User info message: Password expired. Change your password now. Sep 19 11:40:43 dns1 sshd[11197]: Accepted password for ykatabam from 10.64.48.102 port 47713 ssh2 Sep 19 11:40:43 dns1 sshd[11197]: pam_unix(sshd:session): session opened for

Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Petr Spacek
On 09/17/2012 10:32 PM, Steven Jones wrote: If anyone has MAC instructions' I'd love a copy pls. As usual, we can create account on freeipa.org wiki if anybody is interested in creating a how-to. That is the best place to share. Let us know! Petr^2 Spacek

Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Sigbjorn Lie
As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit the results. *grin* :) Regards, Siggi On Wed, September 19, 2012 10:08, Petr Spacek wrote: > On 09/17/2012 10:32 PM, Steven Jones wrote: > >> If anyone has MAC instructions' I'd love a copy pls

Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Ondrej Valousek
what about this one? http://code.google.com/p/macnfsv4/wiki/HOWTO looks like rpc.idmapd on linux == nfsuserd on Mac O. On 09/19/2012 10:18 AM, Sigbjorn Lie wrote: As usual, if someone is interested in sending me a Mac I'll be happy to do the testing and submit the results. *grin* :) Regard

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Dmitri Pal
On 09/19/2012 02:56 AM, Jakub Hrozek wrote: > On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: >> So, commenting out: >> password requisite pam_cracklib.so try_first_pass retry=3 type= >> dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 >> >> Caused users updating their pass

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Petr Spacek
On 09/19/2012 01:32 PM, Dmitri Pal wrote: On 09/19/2012 02:56 AM, Jakub Hrozek wrote: On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: So, commenting out: password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 Cau

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal
On 09/18/2012 03:06 PM, Nathan Lager wrote: > Sorry for falling off like that. > I opened a RedHat ticket on the issue, and have been running in > circles with them. I forgot to check on the list for responses. > > > I'm still having problems. Someone

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal
On 09/18/2012 04:37 PM, Nathan Lager wrote: > [Tue Sep 18 16:27:06 2012] [debug] src/mod_auth_kerb.c(1597): [client > 139.147.7.204] Done obtaining credentials for s4u2proxy, referer: > https://caroline0.lafayette.edu/ipa/xml > [Tue Sep 18 16:27:08 20

[Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
Hi, I have followed this http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA and everything works well. Now when, from the console, I execute $ ipa user-find I've got [root@ipa ipa]# ipa user-find ipa: ERROR: cert validation failed for "E=certus...@example.com,C

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden
Lager, Nathan T. wrote: - Original Message - From: "Rob Crittenden" To: "Nathan Lager" Cc: freeipa-users@redhat.com Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa errors. Ok, what are the permissions on the keytab, /etc/httpd/conf/ipa.keytab? The

Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread Rob Crittenden
James James wrote: Hi, I have followed this http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA and everything works well. Now when, from the console, I execute $ ipa user-find I've got [root@ipa ipa]# ipa user-find ipa: ERROR: cert validation failed for "E=c

Re: [Freeipa-users] ipa {user-find} ca cert file

2012-09-19 Thread James James
OK Thanks a lot for the solution and for the advice. 2012/9/19 Rob Crittenden > James James wrote: > >> Hi, >> >> I have followed this >> http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
On 09/19/2012 10:37 AM, Rob Crittenden wrote: > Lager, Nathan T. wrote: >> >> - Original Message - >>> From: "Rob Crittenden" To: "Nathan Lager" >>> Cc: freeipa-users@redhat.com Sent: >>> Tuesday, September 18, 2012 5:17:00 PM Subject: Re: >>> [Freeipa-users] sudden ipa errors. >>> >>>

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden
Nathan Lager wrote: On 09/19/2012 10:37 AM, Rob Crittenden wrote: Lager, Nathan T. wrote: - Original Message - From: "Rob Crittenden" To: "Nathan Lager" Cc: freeipa-users@redhat.com Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa errors. Ok, wh

Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Michael Mercier
On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: > On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: >> >> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: >> >>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: > [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is

Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Jakub Hrozek
On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: > > On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: > > > On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: > >> > >> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > >> > >>> On Mon, Sep 17, 2012 at 11:17:47AM -0400

Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Dmitri Pal
On 09/19/2012 12:11 PM, Jakub Hrozek wrote: > On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: >> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: >> >>> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: > On

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
On 09/19/2012 11:34 AM, Rob Crittenden wrote: > Nathan Lager wrote: >> >> On 09/19/2012 10:37 AM, Rob Crittenden wrote: >>> Lager, Nathan T. wrote: - Original Message - > From: "Rob Crittenden" To: "Nathan > Lager" Cc: freeipa-users@redhat.com > Sent: Tuesday, Se

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden
Nathan Lager wrote: On 09/19/2012 11:34 AM, Rob Crittenden wrote: Nathan Lager wrote: On 09/19/2012 10:37 AM, Rob Crittenden wrote: Lager, Nathan T. wrote: - Original Message - From: "Rob Crittenden" To: "Nathan Lager" Cc: freeipa-users@redhat.com Sent: Tuesday, September 18, 2

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
On 09/19/2012 02:54 PM, Rob Crittenden wrote: > Nathan Lager wrote: >> >> >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: >>> Nathan Lager wrote: On 09/19/2012 10:37 AM, Rob Crittenden wrote: > Lager, Nathan T. wrote: >> >>

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Dmitri Pal
On 09/19/2012 03:37 PM, Nathan Lager wrote: > > > On 09/19/2012 02:54 PM, Rob Crittenden wrote: > > Nathan Lager wrote: > >> > >> > >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: > >>> Nathan Lager wrote: > > On 09/19/2012 10:37 AM, Rob Cr

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden
Dmitri Pal wrote: On 09/19/2012 03:37 PM, Nathan Lager wrote: > > On 09/19/2012 02:54 PM, Rob Crittenden wrote: > > Nathan Lager wrote: > >> > >> > >> On 09/19/2012 11:34 AM, Rob Crittenden wrote: > >>> Nathan Lager wrote: > >

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Nathan Lager
On 09/19/2012 03:47 PM, Rob Crittenden wrote: > Dmitri Pal wrote: >> >> Rob, keytab and kerberos part seems to be fine, ldap works too. >> Can it be one of the certs? May be some cert expired? > > No, the error is coming from GSSAPI, it is unfortu

[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie
Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SElinux back to enforcing in /etc/sysconfig/selinux and rebooted. The named daemon does not start now. The error b

Re: [Freeipa-users] sudden ipa errors.

2012-09-19 Thread Rob Crittenden
Nathan Lager wrote: On 09/19/2012 03:47 PM, Rob Crittenden wrote: Dmitri Pal wrote: Rob, keytab and kerberos part seems to be fine, ldap works too. Can it be one of the certs? May be some cert expired? No, the error is coming from GSSAPI, it i

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden
Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SElinux back to enforcing in /etc/sysconfig/selinux and rebooted. The named daemon does not start

Re: [Freeipa-users] NFS on Mac

2012-09-19 Thread Steven Jones
I can do you a virtual Mac... :P regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie
On 09/19/2012 10:48 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SElinux back to enforcing in /etc/sysconfig/selinux

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden
Sigbjorn Lie wrote: On 09/19/2012 10:48 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SElinux back to enforcing in /

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie
Ok. I'm fairly new to selinux but I will give it a go tomorrow. Thanks. Rgds S. Rob Crittenden wrote: >Sigbjorn Lie wrote: >> On 09/19/2012 10:48 PM, Rob Crittenden wrote: >>> Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that >it's fixi

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Sigbjorn Lie
On 09/19/2012 11:05 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 09/19/2012 10:48 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I installed it in my test

Re: [Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

2012-09-19 Thread Rob Crittenden
Sigbjorn Lie wrote: On 09/19/2012 11:05 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: On 09/19/2012 10:48 PM, Rob Crittenden wrote: Sigbjorn Lie wrote: Hi, I noticed an updated krb5-server package today advertising that it's fixing the issue with slow GSSAPI binds discussed earlier, so I ins

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi, Sample of errors log, = [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c661e_4fbdbe640004.db4 [17/Sep/2012:13:31

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Rich Megginson
On 09/19/2012 04:55 PM, Steven Jones wrote: Hi, Sample of errors log, = [17/Sep/2012:13:31:48 +1200] NSMMReplicationPlugin - changelog program - _cl5GetDBFileByReplicaName: found DB object 1bcf2e0 for database /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/cldb/32d77a0d-778a11e1-a445c792-b25c66

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi, No that is the replication agreement, I've turned that server off so it doesn't also get "wiped". I am running with a log error level 8192 right now for a full errors output... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 _

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
Hi, I have -win-subtree cn= etc I take it that cn= is fine and that ou= and cn= are the same thing? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rich Megginson [rmegg...@redhat.com] Sent: T

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-19 Thread Steven Jones
it isn't, I'm doing a OU=VUW_Staff instead of cn=VUW_Staff and it's mostly working except I'm also getting some "rubbish" so it's looking like the import script/query to AD isn't right. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 __

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Tim Hildred
Hey, sorry, I'm a little confused about all the pieces. I want to let my users reset expired password using ssh. I would really like them to be able to use the same password every time, and not worry if that password is "icecream". From what I can tell, sshd_config turns the authentication o