Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Andreas Ladanyi
On 03.12.2014 at 14:53, Alexander Bokovoy wrote: On Wed, 03 Dec 2014, Andreas Ladanyi wrote: Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm principals on both KDCs with the same password and kvno: krbtgt/REALM_B (MIT Kerberos)@REALM_A (FreeIPA 3.3.5)

Re: [Freeipa-users] FreeIPA4 OTP vs PAM

2014-12-04 Thread Jakub Hrozek
On Sat, Nov 22, 2014 at 02:05:19PM -0800, Michael Lasevich wrote: I got some extra log output: seems that FAST IS being used. I am running SSSD 1.11.6, which is supposed to have above mentioned issues fixed: Log: = (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Alexander Bokovoy
On Thu, 04 Dec 2014, Andreas Ladanyi wrote: On 03.12.2014 at 14:53, Alexander Bokovoy wrote: On Wed, 03 Dec 2014, Andreas Ladanyi wrote: Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm principals on both KDCs with the same password and kvno: krbtgt/REALM_B

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 12:07, Alexander Bokovoy wrote: On Thu, 04 Dec 2014, Andreas Ladanyi wrote: On 03.12.2014 at 14:53, Alexander Bokovoy wrote: On Wed, 03 Dec 2014, Andreas Ladanyi wrote: Hi, I am trying to set up a cross-realm relationship. Generated krbtgt cross-realm principals on both KDCs

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Alexander Bokovoy
On Thu, 04 Dec 2014, Petr Spacek wrote: And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can see: Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from 'ad...@ipa5.test' to 'host/master.f21.t...@f21.test' via '' Dec 04 12:41:52 master.f21.test

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Rich Megginson
On 12/04/2014 08:39 AM, Rich Megginson wrote: On 12/04/2014 01:45 AM, Petr Spacek wrote: On 4.12.2014 05:02, Janelle wrote: Thanks -- still a bit strange that it did not show up on some servers - very random and intermittent. BTW - a bit of information others might find useful. If you try

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Rich Megginson
On 12/04/2014 01:45 AM, Petr Spacek wrote: On 4.12.2014 05:02, Janelle wrote: Thanks -- still a bit strange that it did not show up on some servers - very random and intermittent. BTW - a bit of information others might find useful. If you try to use the LDAP portion of IPA for authentication

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Dmitri Pal
On 12/04/2014 09:41 AM, Rich Megginson wrote: On 12/04/2014 08:39 AM, Rich Megginson wrote: On 12/04/2014 01:45 AM, Petr Spacek wrote: On 4.12.2014 05:02, Janelle wrote: Thanks -- still a bit strange that it did not show up on some servers - very random and intermittent. BTW - a bit of

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Rob Crittenden
Dmitri Pal wrote: On 12/04/2014 09:41 AM, Rich Megginson wrote: On 12/04/2014 08:39 AM, Rich Megginson wrote: On 12/04/2014 01:45 AM, Petr Spacek wrote: On 4.12.2014 05:02, Janelle wrote: Thanks -- still a bit strange that it did not show up on some servers - very random and intermittent.

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Janelle
Hi all, just (pam)auth and nslcd It was ported from a running OpenLDAP environment to IPA. Just trying to do conversions in stages so as not to change too much all at once. Thought I could go from OpenLDAP to IPA and just use the backend of 389ds. Functionally it does work, but the load

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Simo Sorce
On Thu, 4 Dec 2014 13:22:01 +0200 Alexander Bokovoy aboko...@redhat.com wrote: On Thu, 04 Dec 2014, Petr Spacek wrote: And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can see: Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad realm transit path from

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 16:58, Simo Sorce wrote: On Thu, 4 Dec 2014 13:22:01 +0200 Alexander Bokovoy aboko...@redhat.com wrote: On Thu, 04 Dec 2014, Petr Spacek wrote: And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can see: Dec 04 12:41:52 master.f21.test krb5kdc[1131](info): bad

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Alexander Bokovoy
On Thu, 04 Dec 2014, Petr Spacek wrote: On 4.12.2014 16:58, Simo Sorce wrote: On Thu, 4 Dec 2014 13:22:01 +0200 Alexander Bokovoy aboko...@redhat.com wrote: On Thu, 04 Dec 2014, Petr Spacek wrote: And /var/log/krb5kdc.log on master.f21.test (KDC for F21.TEST) I can see: Dec 04 12:41:52

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Rich Megginson
On 12/04/2014 09:56 AM, Janelle wrote: Hi all, just (pam)auth and nslcd It was ported from a running OpenLDAP environment to IPA. Just trying to do conversions in stages so as not to change too much all at once. Thought I could go from OpenLDAP to IPA and just use the backend of 389ds.

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Alexander Bokovoy
On Thu, 04 Dec 2014, Janelle wrote: Hi all, just (pam)auth and nslcd It was ported from a running OpenLDAP environment to IPA. Just trying to do conversions in stages so as not to change too much all at once. Thought I could go from OpenLDAP to IPA and just use the backend of 389ds.

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Janelle
On 12/4/14 8:30 AM, Alexander Bokovoy wrote: On Thu, 04 Dec 2014, Janelle wrote: Hi all, just (pam)auth and nslcd It was ported from a running OpenLDAP environment to IPA. Just trying to do conversions in stages so as not to change too much all at once. Thought I could go from OpenLDAP to

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Ludwig Krispenz
On 12/04/2014 04:56 PM, Janelle wrote: Hi all, just (pam)auth and nslcd It was ported from a running OpenLDAP environment to IPA. Just trying to do conversions in stages so as not to change too much all at once. Thought I could go from OpenLDAP to IPA and just use the backend of 389ds.

Re: [Freeipa-users] Cross-Realm authentification

2014-12-04 Thread Petr Spacek
On 4.12.2014 17:27, Alexander Bokovoy wrote: On Thu, 04 Dec 2014, Petr Spacek wrote: On 4.12.2014 16:58, Simo Sorce wrote: On Thu, 4 Dec 2014 13:22:01 +0200 Alexander Bokovoy aboko...@redhat.com wrote: On Thu, 04 Dec 2014, Petr Spacek wrote: And /var/log/krb5kdc.log on master.f21.test (KDC

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Janelle
To help understand the environment a bit - perhaps this will help. 1. Approx 7500 clients across 3 datacenters - all manner of *nix, ranging from AIX, Linux, HP-UX and Solaris - hence the reason why they all can't use ipa-client configs. Although that is in the plan at least for Linux

Re: [Freeipa-users] strange replica install error (another one)

2014-12-04 Thread Rich Megginson
On 12/04/2014 11:01 AM, Janelle wrote: To help understand the environment a bit - perhaps this will help. 1. Approx 7500 clients across 3 datacenters - all manner of *nix, ranging from AIX, Linux, HP-UX and Solaris - hence the reason why they all can't use ipa-client configs. Although

[Freeipa-users] ad trust and default_domain_suffix

2014-12-04 Thread Nicolas Zin
Hi, I have an IDM (v3.3) installed on a Redhat7. I have an IDM realm connected to an AD via trust relationship. In the IDM realm there are Redhat6 and Redhat5 clients. My client asks to be able to connect to the Linux machine with their AD without entering their domain (just username). On Redhat

Re: [Freeipa-users] ad trust and default_domain_suffix

2014-12-04 Thread Nicolas Zin
I answer to myself. (but my problem is not resolved) - Original message - From: Nicolas Zin nicolas@savoirfairelinux.com To: freeipa-users@redhat.com Sent: Thursday 4 December 2014 18:49:36 Subject: [Freeipa-users] ad trust and default_domain_suffix Hi, I have an IDM (v3.3) installed