hi,
I'm following the howto on
http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
users for virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not
respecting the sasl_allowed_username_list parameter.
If I do not set it, and I have a realm ticket, th
30.11.2012 00:18, 小龙 陈 wrote:
> Could you post a link to the git repo (if it's public)? I'd like to test
> out the
> work in progress :)
it's all on http://anonscm.debian.org/gitweb/
check out pkg-sssd/*, pkg-fedora-ds/* and pkg-freeipa/*
if you have questions, use #ubuntu-freeipa on freenod
Hi Natxo,
On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
> hi,
>
> I'm following the howto on
> http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
> users for virsh with ipa.
>
> I have it mostly working :-) except for the fact that libvirtd is not
> respecting the sasl_a
hi,
sasl_allowed_username_list = ["ad...@ipa.example.com" ]
if I leave this field commented out (default setting), everybody can
manage the kvm host.
--
Regards,
natxo
On Fri, Nov 30, 2012 at 3:42 PM, Daniel P. Berrange wrote:
> On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
>> Hi
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange wrote:
> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
>> hi,
>>
>> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
>>
>> if I leave this field commented out (default setting), everybody can
>> manage the kvm host.
>
> Oh
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> hi,
>
> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
>
> if I leave this field commented out (default setting), everybody can
> manage the kvm host.
Oh it isn't very obvious, but in this log message:
> >> > 2012-11-30 12
On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
> Hi Natxo,
>
> On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
> > hi,
> >
> > I'm following the howto on
> > http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
> > users for virsh with ipa.
> >
> > I have it mos
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange
> wrote:
> > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
> >>
> >> if I leave this field
On Fri, 2012-11-30 at 16:16 +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange
> wrote:
> > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> sasl_allowed_username_list = ["ad...@ipa.example.com" ]
> >>
> >> if I leave this field commen
On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
>> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange
>> wrote:
>>> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["ad
On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
> On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
> >> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange
> >> wrote:
> >>> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Na
On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce wrote:
> Natxo it sounds odd that you are getting back a non fully qualified
> principal name, are you sure your configuration is using SASL/GSSAPI ?
>
> What other directives have you configured ?
I have followed the howto in the freeipa.org wiki.
I
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange wrote:
> On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
>> Thanks. If I may just hijack this thread: is it possible to whitelist
>> groups instead of individual users to use virsh/virtual manager?
>>
>> I know sasl only deals with
my dovecot IMAP server would randomly lose memory of users, as an example:
Samba/NFS server knows this user:
[root@smb2 shassan]# getent passwd bqiang
bqiang:*:47105:471:Beiping Qiang:/home2/bqiang:/bin/tcsh
But dovecot server does not:
[root@dovecot2 ~]# getent passwd bqiang
Only when I apply
hi,
the default hbac rule 'allow_all' is nice for testing, but for a
production environment I am not so sure ;-)
We do not want our users getting a shell in our kdc servers or in the
database servers for instance. We want them to use the postgresql
service, but not login the database server with
Qing Chang wrote:
my dovecot IMAP server would randomly lose memory of users, as an example:
Samba/NFS server knows this user:
[root@smb2 shassan]# getent passwd bqiang
bqiang:*:47105:471:Beiping Qiang:/home2/bqiang:/bin/tcsh
But dovecot server does not:
[root@dovecot2 ~]# getent passwd bqiang
Natxo Asenjo wrote:
hi,
the default hbac rule 'allow_all' is nice for testing, but for a
production environment I am not so sure ;-)
We do not want our users getting a shell in our kdc servers or in the
database servers for instance. We want them to use the postgresql
service, but not login the
On Fri, Nov 30, 2012 at 06:56:28PM +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange
> wrote:
> > On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
>
> >> Thanks. If I may just hijack this thread: is it possible to whitelist
> >> groups instead of indiv