Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread Martin Kosek
On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all show up in ipa-replica-manage list, BUT when I try to disconnect one of them : ipa: INFO:

Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread thierry bordaz
On 12/05/2014 10:03 AM, thierry bordaz wrote: On 12/05/2014 10:00 AM, Martin Kosek wrote: On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all

Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread Martin Kosek
On 12/05/2014 10:00 AM, Martin Kosek wrote: On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all show up in ipa-replica-manage list, BUT when I try

Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread thierry bordaz
On 12/05/2014 10:00 AM, Martin Kosek wrote: On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all show up in ipa-replica-manage list, BUT when I

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi
I'm also getting errors but they are different to yours. Here is what I did: (on master.f21.test, realm F21.TEST): [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST Authenticating as principal root/ad...@f21.test with password. kadmin.local: addprinc

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Alexander Bokovoy
On Fri, 05 Dec 2014, Andreas Ladanyi wrote: I'm also getting errors but they are different to yours. Here is what I did: (on master.f21.test, realm F21.TEST): [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST Authenticating as principal root/ad...@f21.test with

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Alexander Bokovoy
On Fri, 05 Dec 2014, Alexander Bokovoy wrote: On Fri, 05 Dec 2014, Andreas Ladanyi wrote: I'm also getting errors but they are different to yours. Here is what I did: (on master.f21.test, realm F21.TEST): [root@master ~]# kadmin.local -x ipa-setup-override-restrictions -r F21.TEST

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Andreas Ladanyi
On 05.12.2014 at 14:04, Alexander Bokovoy wrote: Ok, I see one difference: I didn't use the -requires_preauth flag. Why did you use them? Because this is recommended by MIT documentation. The link between realms has to be protected well, including preauth and good passwords for the

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Petr Spacek
On 5.12.2014 15:21, Andreas Ladanyi wrote: On 05.12.2014 at 14:04, Alexander Bokovoy wrote: Ok, I see one difference: I didn't use the -requires_preauth flag. Why did you use them? Because this is recommended by MIT documentation. The link between realms has to be protected well, including

Re: [Freeipa-users] sudo utilizing sssd rhel6.6

2014-12-05 Thread sipazzo
Thank you both. I was able to get this working by just adding the sudo_provider = ipa to sssd.conf. I removed all the ldap_uri and krb5_server lines to keep the file tidier. I had read service discovery works with sssd but was told by Redhat support it does not. I am happy to hear it does as it

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-05 Thread Dmitri Pal
Hello, WE NEED HELP! The biggest and the most interesting feature of FreeIPA 4.1.2 is support for the two factor authentication using HOTP/TOTP compatible software tokens like FreeOTP (open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Alexander Bokovoy
On Fri, 05 Dec 2014, Petr Spacek wrote: On 5.12.2014 15:21, Andreas Ladanyi wrote: On 05.12.2014 at 14:04, Alexander Bokovoy wrote: Ok, I see one difference: I didn't use the -requires_preauth flag. Why did you use them? Because this is recommended by MIT documentation. The link between

[Freeipa-users] can't register new clients

2014-12-05 Thread Megan .
Good Day! I am getting an error when I register new clients. libcurl failed to execute the HTTP POST transaction. SSL connect error I can't find anything useful on the internet about the error. Can someone help me troubleshoot? CentOS 6.6 x64 ipa-client-3.0.0-42.el6.centos.x86_64

Re: [Freeipa-users] can't register new clients

2014-12-05 Thread Rob Crittenden
Megan . wrote: Good Day! I am getting an error when I register new clients. libcurl failed to execute the HTTP POST transaction. SSL connect error I can't find anything useful on the internet about the error. Can someone help me troubleshoot? CentOS 6.6 x64

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Alexander Bokovoy
On Fri, 05 Dec 2014, Alexander Bokovoy wrote: On Fri, 05 Dec 2014, Petr Spacek wrote: On 5.12.2014 15:21, Andreas Ladanyi wrote: On 05.12.2014 at 14:04, Alexander Bokovoy wrote: Ok, I see one difference: I didn't use the -requires_preauth flag. Why did you use them? Because this is

Re: [Freeipa-users] can't register new clients

2014-12-05 Thread Rob Crittenden
Rob Crittenden wrote: Megan . wrote: Good Day! I am getting an error when I register new clients. libcurl failed to execute the HTTP POST transaction. SSL connect error I can't find anything useful on the internet about the error. Can someone help me troubleshoot? CentOS 6.6 x64

Re: [Freeipa-users] Cross-Realm authentification

2014-12-05 Thread Petr Spacek
On 5.12.2014 21:53, Alexander Bokovoy wrote: On Fri, 05 Dec 2014, Alexander Bokovoy wrote: On Fri, 05 Dec 2014, Petr Spacek wrote: On 5.12.2014 15:21, Andreas Ladanyi wrote: On 05.12.2014 at 14:04, Alexander Bokovoy wrote: Ok, I see one difference: I didn't use the -requires_preauth flag.

Re: [Freeipa-users] can't register new clients

2014-12-05 Thread Rob Crittenden
Megan . wrote: Sorry for being unclear. It still fails. Same error. Hmm, strange. Try being explicit about sql: # certutil -L -d sql:/etc/pki/nssdb And if there is a CA cert there, delete it. rob On Dec 5, 2014 4:39 PM, Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] can't register new clients

2014-12-05 Thread Megan .
It failed again. [root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@cache2-uat ~]# Not sure if it's related, but on the