Re: [Freeipa-users] AD trust users cannot login to Solaris

2015-03-05 Thread Alexander Bokovoy
On Thu, 05 Mar 2015, nat...@nathanpeters.com wrote: You need to use authenticated bind and password proxying. There are two actions here: 1. Add a system account in IPA. To create a system account for NS_LDAP_BINDDN, use # cat END 45-my-solaris-binddn.update dn:

Re: [Freeipa-users] AD trust users cannot login to Solaris

2015-03-05 Thread nathan
Ok, I sort of have this working now, but there are still some loose ends. Comments inline. 2. Set up Solaris properly NS_LDAP_AUTH=tls:simple NS_LDAP_CREDENTIAL_LEVEL=proxy NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 05:51 PM, Dan Mossor wrote: As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser

Re: [Freeipa-users] Freeipa and dns

2015-03-05 Thread Dmitri Pal
On 03/05/2015 12:41 PM, Andrew Holway wrote: Hello, We're working on a plan to spin up a bunch of private networks around the globe and we would like to use freeipa as our domain controller. I'm trying to work out how we do DNS. Actually, more specifically, making sure that hosts are

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote: On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 05:51 PM, Dan Mossor wrote: As an additional test, I created a new user on my workstation and switched to it. The first thing I did was

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Rob Crittenden
Dan Mossor wrote: On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com wrote: As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 4:59 PM, Rob Crittenden rcrit...@redhat.com wrote: Dan Mossor wrote: On Thu, Mar 5, 2015 at 4:34 PM, Dan Mossor danofs...@gmail.com wrote: As an additional test, I created a new user on my workstation and switched to it. The first

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote: http://i.imgur.com/mhX86Ng.png It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser, you should be redirected. -- Thank you, Dmitri Pal Sr. Engineering

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dan Mossor
On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 07:36 PM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote: On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 05:51 PM, Dan Mossor

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dmitri Pal
On 03/05/2015 08:09 PM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 07:36 PM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote:

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread reesb
Ok here is the search result; # ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=groups Enter LDAP Password: # extended LDIF # # LDAPv3 # base cn=config with scope subtree # filter: cn=groups # requesting: ALL # # groups, Schema Compatibility, plugins, config dn: cn=groups,cn=Schema

Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Jakub Hrozek
On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote: Hello, I have a group issue on sssd 1.8.6 and 1.11.5 (on ubuntu 12.04 and 14.04) and freeipa4 (freeipa-server-4.1.2-1 on fedora 21, 389-ds-base-1.3.3.8-1). If a user has an assigned Role, I couldn't get all groups with the id command.

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Gianluca Cecchi
On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek mko...@redhat.com wrote: I am also CCing Gianluca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper uniqueMember attribute and groupOfUniqueNames objectclass. I am not

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/05/2015 02:37 AM, re...@hushmail.com wrote: Oops, I got that wrong, my groups don't show the 'uniqueMember' attribute. Here is an example returned from ldapsearch; # admins, groups, compat, localdomain.local dn: cn=admins,cn=groups,cn=compat,dc=localdomain,dc=local gidNumber:

Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Jakub Hrozek
On Thu, Mar 05, 2015 at 10:22:35AM +0100, Łukasz Jaworski wrote: This ^^ line tells me it's a known SSSD bug: https://fedorahosted.org/sssd/ticket/2421 This bug only happens in a combination of an old client and a particular server version. IIRC a subsequent server update fixed the

[Freeipa-users] Freeipa and dns

2015-03-05 Thread Andrew Holway
Hello, We're working on a plan to spin up a bunch of private networks around the globe and we would like to use freeipa as our domain controller. I'm trying to work out how we do DNS. Actually, more specifically, making sure that hosts are authenticating against their local freeipa. Each regional

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/05/2015 09:29 AM, Gianluca Cecchi wrote: On Thu, Mar 5, 2015 at 8:54 AM, Martin Kosek mko...@redhat.com wrote: I am also CCing Gianluca who contributed the HOWTO. I checked it again and tried to apply it on my FreeIPA 4.1.3, my compat group now contains the proper uniqueMember

Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Łukasz Jaworski
This ^^ line tells me it's a known SSSD bug: https://fedorahosted.org/sssd/ticket/2421 This bug only happens in a combination of an old client and a particular server version. IIRC a subsequent server update fixed the ACIs on the server so that at least objectClass was readable. You can

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/05/2015 11:18 AM, Gianluca Cecchi wrote: On Thu, Mar 5, 2015 at 10:37 AM, Martin Kosek mko...@redhat.com wrote: users' updates were forced by vSphere-originated queries. For example without adding the iNetOrgPerson objectclass, when I wanted to bind a permission to a user and searched

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Dmitri Pal
On 03/05/2015 07:36 PM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor danofs...@gmail.com wrote: On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal d...@redhat.com wrote: On 03/05/2015 05:51 PM, Dan Mossor wrote:

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread reesb
Just to confirm, I should restart the server after I've run the ldapmodify? Also I've used ldapmodify to remove the 'uniqueMember' object class from the compat schema and added the 'sn=%{sn}' attribute and I still am having no luck. I get the same 'identity source may be malfunctioning' error

Re: [Freeipa-users] AD trust users cannot login to Solaris

2015-03-05 Thread Alexander Bokovoy
On Thu, 05 Mar 2015, nat...@nathanpeters.com wrote: Ok, I sort of have this working now, but there are still some loose ends. Comments inline. 2. Set up Solaris properly NS_LDAP_AUTH=tls:simple NS_LDAP_CREDENTIAL_LEVEL=proxy NS_LDAP_BINDDN=uid=solaris,cn=sysaccounts,cn=etc,dc=ipacloud,dc=test
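The two steps Alexander describes above (a system account in IPA for NS_LDAP_BINDDN, then a Solaris client that binds as it at proxy credential level over TLS) as an added shell example. This is not code from the thread or from the FreeIPA project; it writes a plain LDIF for ldapmodify instead of the 45-my-solaris-binddn.update file he mentions. The base DN dc=ipacloud,dc=test and account name solaris come from Nathan's NS_LDAP_BINDDN; the server name ipa.ipacloud.test, the search base and the ldapclient attribute names are assumptions, so adjust them for your deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Creates the IPA system account a Solaris
# LDAP client binds as, and prints the matching ldapclient(1M) command.
# Assumed values: base DN, account uid, server name (override via environment).
BASEDN="${BASEDN:-dc=ipacloud,dc=test}"
BINDUID="${BINDUID:-solaris}"
IPASERVER="${IPASERVER:-ipa.ipacloud.test}"

# cn=sysaccounts,cn=etc is where IPA keeps non-person accounts: no POSIX
# attributes, no Kerberos principal, so the credential is only good for LDAP.
binddn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$BINDUID" "$BASEDN"
}

# Random 48-hex-character proxy password (24 bytes of entropy).
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# LDIF for the account. passwordExpirationTime far in the future keeps the IPA
# password policy from expiring the proxy credential silently; nsIdleTimeout 0
# stops the directory from dropping the client's long-lived connection.
sysaccount_ldif() {
    # $1: password for the account
    cat <<EOF
dn: $(binddn)
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $BINDUID
userPassword: $1
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Solaris client setup: tls:simple so the proxy password never crosses the wire
# in clear, credentialLevel=proxy so lookups bind as the system account rather
# than anonymously (IPA hides the attributes pam_ldap needs from anonymous binds).
# defaultSearchBase set to the base DN is an assumption; narrow it if needed.
ldapclient_cmd() {
    # $1: proxy password
    printf 'ldapclient manual -a credentialLevel=proxy -a authenticationMethod=tls:simple'
    printf ' -a proxyDN="%s" -a proxyPassword="%s"' "$(binddn)" "$1"
    printf ' -a defaultSearchBase="%s" -a defaultServerList="%s"\n' "$BASEDN" "$IPASERVER"
}

# Check from the Solaris side that the proxy bind works and can read a user,
# before touching PAM: a failure here is a credential or ACI problem, not PAM.
verify_cmd() {
    # $1: uid of a user expected to be visible to the client
    printf 'ldapsearch -ZZ -H ldap://%s -D "%s" -W -b "%s" "(uid=%s)" uid uidNumber\n' \
        "$IPASERVER" "$(binddn)" "$BASEDN" "$1"
}

# Run as "apply" on an IPA server to create the account (asks for the Directory
# Manager password); otherwise only print what would be done.
if [ "${1:-}" = "apply" ]; then
    PW="$(gen_password)"
    sysaccount_ldif "$PW" | ldapmodify -x -D "cn=Directory Manager" -W
    echo "Proxy password (store it in the Solaris profile only): $PW"
    ldapclient_cmd "$PW"
fi
```

Keep the proxy password out of shell history and world-readable files: ldapclient stores it in /var/ldap, which should stay root-only, and the account has no rights beyond reading what IPA's ACIs grant to authenticated binds.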

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/06/2015 08:35 AM, Alexander Bokovoy wrote: On Fri, 06 Mar 2015, Martin Kosek wrote: On 03/06/2015 02:24 AM, re...@hushmail.com wrote: Just to confirm, I should restart the server after I've run the ldapmodify? Right. It would be the safer thing to do, if you modified the Schema

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Martin Kosek
On 03/06/2015 02:24 AM, re...@hushmail.com wrote: Just to confirm, I should restart the server after I've run the ldapmodify? Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the entries from scratch. Also I've used

Re: [Freeipa-users] Web UI Authentication errors - revisited

2015-03-05 Thread Martin Kosek
On 03/06/2015 02:38 AM, Dan Mossor wrote: On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal d...@redhat.com wrote: http://i.imgur.com/mhX86Ng.png It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-05 Thread Martin Kosek
On 03/06/2015 04:38 AM, Herwono W Wijaya wrote: Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users. You mean the admin user from vCenter, not the admin user from FreeIPA, right? Did you follow this HOWTO:

Re: [Freeipa-users] Adding FreeIPA as a vsphere identity source

2015-03-05 Thread Alexander Bokovoy
On Fri, 06 Mar 2015, Martin Kosek wrote: On 03/06/2015 02:24 AM, re...@hushmail.com wrote: Just to confirm, I should restart the server after I've run the ldapmodify? Right. It would be the safer thing to do, if you modified the Schema Compatibility config. At least to make sure it re-creates the
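The Schema Compatibility change this thread keeps circling (groupOfUniqueNames plus uniqueMember on compat groups, inetOrgPerson plus sn on compat users, then a restart so the plugin rebuilds its entries) as an added shell example. It is not code from the thread or from the FreeIPA HOWTO it references; the exact schema-compat-entry-attribute lines, including the %mregsub() rewrite that maps cn=accounts member DNs into the cn=compat tree, are my reconstruction of that HOWTO and should be checked against it. The base DN dc=localdomain,dc=local is taken from reesb's ldapsearch output. The has_unique_member check reproduces the test reesb did by eye: it reads ldapsearch LDIF and fails when the compat group carries no uniqueMember, so it can be run before and after the change.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the Schema Compatibility plugin
# changes vSphere needs and checks the result. Assumed: base DN, server name.
BASEDN="${BASEDN:-dc=localdomain,dc=local}"
IPASERVER="${IPASERVER:-ipa.localdomain.local}"

# Modifications to the plugin config under cn=config. The groups entry gains the
# groupOfUniqueNames objectclass and a uniqueMember attribute computed from the
# group's member DNs, rewritten from cn=accounts to cn=compat so the values point
# at entries vSphere can actually read. The users entry gains inetOrgPerson and
# sn (vSphere searches on both). Quoted heredoc: the %{...} and %mregsub() tokens
# are plugin syntax and must reach the server unexpanded by the shell.
compat_ldif() {
    cat <<'EOF'
dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%mregsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sn=%{sn}
-
EOF
}

# Reads ldapsearch LDIF on stdin; succeeds only if at least one uniqueMember
# value is present. Attribute names in LDIF are case-insensitive, hence -i.
has_unique_member() {
    grep -qi '^uniqueMember: '
}

# Same idea for the objectclass that vSphere filters on.
has_group_of_unique_names() {
    grep -qi '^objectClass: groupOfUniqueNames$'
}

# Query that dumps one compat group, to pipe into the checks above.
compat_group_query() {
    # $1: group cn
    printf 'ldapsearch -x -H ldap://%s -b "cn=%s,cn=groups,cn=compat,%s" objectClass uniqueMember\n' \
        "$IPASERVER" "$1" "$BASEDN"
}

# Run as "apply" on the IPA server: modify the plugin config as Directory
# Manager, then restart so the compat tree is regenerated from scratch (the
# thread's advice: safer than trusting the plugin to pick the change up live).
if [ "${1:-}" = "apply" ]; then
    compat_ldif | ldapmodify -x -D "cn=Directory Manager" -W
    ipactl restart
    echo "Now verify with: $(compat_group_query admins)"
fi
```

If the check still fails after the restart, compare the live plugin entry (ldapsearch -b cn=config cn=groups as in reesb's message) against the LDIF above before suspecting vSphere; a typo in the %mregsub() expression produces an entry with no uniqueMember at all rather than an error.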

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-05 Thread Dmitri Pal
On 03/05/2015 10:38 PM, Herwono W Wijaya wrote: Problems with FreeIPA 4.1.3 for vCenter 5.5u2b SSO, only the admin user can be used and always get an error for other users. Can you check without full name? It seems like the name is expanded twice. -- Thank you, Dmitri Pal Sr. Engineering