Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote: > > > > > > I wasn't precise enough, I meant the sssd version, sorry. But given that > > you're on RHEL-7, I think you can switch to: > > sudo_provider=ipa > > > > That does indeed seem to work. Thanks! You're welcome, btw if you

[Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Andrew Holway
Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p admin -w : Thanks, Andrew -- Manage your subscription for the Freeipa-users mai

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Andrew Holway
Actually, I stumbled across this which explains everything you need to do to get sudo working on Centos6 clients. https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html I have had to kind of scratch together bits of information from various sources including this list (thanks!!) but

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote: > Thank you! You're welcome, please try these builds: https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-7.1-gr-request/ But please note that when POSIX attributes are requested, the lookups will /always/ be slower. With ID mappin

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-20 Thread Jakub Hrozek
On Thu, Mar 19, 2015 at 05:50:50PM -0400, Prasun Gera wrote: > It's just that /var/lib/sss/db is not cleared between subsequent server > installs and uninstall, and that seems to be creating problems on the > server since the server is also a client. If you do > install-uninstall-install on the ser

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread David Kupka
On 03/20/2015 09:16 AM, Andrew Holway wrote: Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p admin -w : Thanks, Andrew Hel

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 09:20:15AM +0100, Andrew Holway wrote: > Actually, I stumbled across this which explains everything you need to do > to get sudo working on Centos6 clients. > https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html > > I have had to kind of scratch together bi

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It seems so: $ firewall-cmd --list-all FedoraServer (default, active) interfaces: em2 sources: services: cockpit dhcpv6-client ssh ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp 53

Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, David Kupka wrote: On 03/20/2015 09:16 AM, Andrew Holway wrote: Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p ad

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-20 Thread Prasun Gera
I'll open a ticket. It should probably be cleared, unless handled in some other way, before installs too. This looks like more of a client side issue than a server one. The database should be cleared when a client is explicitly uninstalled, and also if the client tries to register to a different se

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote: > On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote: > > > > I'm wondering how we should be handling SSSD for redundant configurations > > on our freeipa clients. We have three freeipa servers; how can we make > > SSSD check a

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Bobby Prins
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >> Hi there, >> >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup >> (described here: >> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able >> to authenticate AIX 7.1 clients agains

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 11:06:04AM +0100, Jan Pazdziora wrote: > On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote: > > On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote: > > > > > > I'm wondering how we should be handling SSSD for redundant configurations > > > on our freeipa

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Sumit Bose
On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: > On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: > >> Hi there, > >> > >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA > >> setup (described here: > >> http://www.freeipa.org/images/0/0d/FreeIPA33

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >> Hi there, >> >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup (described here: http://www.freeipa.org

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Martin Basti
Hello, do you have enabled DNS dynamic updates for hq.example.zone? You can check it in zone settings. Are there any log entries in dns log related to nsupdate executed from a client? $ journalctl -b -u named-pkcs11 On 20/03/15 09:53, Roberto Cornacchia wrote: It seems so: $ firewall-cmd --

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Bobby Prins
>On Fri, 20 Mar 2015, Sumit Bose wrote: >>On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: >>> On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >>> >> Hi there, >>> >> >>> >> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA >>> >> setup (described here:

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jan Pazdziora
On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote: > > Or even better, set the weight and priority fields on the server and > keep using SRV resolution :-) How do you specify different priorities for different consumers if the DNS is IPA-based (== the records are in LDAP and replicated

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Alexander Bokovoy
On Fri, 20 Mar 2015, Bobby Prins wrote: On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >> Hi there, >> >> I'm currently trying to use the 'AD Trust for Legacy Clients' >> freeIPA se

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 01:02:58PM +0100, Jan Pazdziora wrote: > On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote: > > > > Or even better, set the weight and priority fields on the server and > > keep using SRV resolution :-) > > How do you specify different priorities for different c

Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-20 Thread Dmitri Pal
On 03/20/2015 08:05 AM, Alexander Bokovoy wrote: On Fri, 20 Mar 2015, Bobby Prins wrote: On Fri, 20 Mar 2015, Sumit Bose wrote: On Fri, Mar 20, 2015 at 11:44:43AM +0100, Bobby Prins wrote: On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote: >> Hi there, >> >> I'm currently trying to u

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Gould, Joshua
Updated: libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1 libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1 libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 libsss_nss_idmap-python.x86_64 0:1.12.2-58.el7_1.6.1 python-sssdconfig.noarch 0:1.12.2-58.el7_1.6.1

Re: [Freeipa-users] Really slow logins with AD SID Mapping vs. POSIX

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 09:41:08AM -0400, Gould, Joshua wrote: > Updated: > libipa_hbac.x86_64 0:1.12.2-58.el7_1.6.1 > libipa_hbac-python.x86_64 0:1.12.2-58.el7_1.6.1 > libsss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 > libsss_nss_idmap.x86_64 0:1.12.2-58.el7_1.6.1 > libsss_nss_idmap-python.x86_

Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-20 Thread Rob Crittenden
Matt . wrote: > The right way to request a SAN, this seems to need some extra config file ? Like I said before, use certmonger, it makes life easier. I'll create a new host balancer.example.com with a HTTP service. I'll generate a cert with a SAN for idp.example.com in that service. I'm generatin

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com. dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com. Active zone: TRUE Authoritative nameserver: ipa.hq.example.com. Administrator e-mail address: hostmaster.hq.example.com. SOA ser

[Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Andrew Holway
Hi, I am having one of those really annoying pesky troubles. I add clients to freeipa but the first time I am logging in and trying to sudo with my freeipa credentials the sudo is not working. If I restart the SSSD process this usually fixes it but not always. I'm going to try and do some systemat

Re: [Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Jakub Hrozek
On Fri, Mar 20, 2015 at 04:05:56PM +0100, Andrew Holway wrote: > Hi, > > I am having one of those really annoying pesky troubles. > > I add clients to freeipa but the first time I am logging in and trying to > sudo with my freeipa credentials the sudo is not working. If I restart the > SSSD proce

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 10:56 AM, Roberto Cornacchia wrote: The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com . dn: idnsname=hq.example.com .,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com . Active z

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
ipv6 re-enabled. No luck yet :( On 20 March 2015 at 17:06, Dmitri Pal wrote: > On 03/20/2015 10:56 AM, Roberto Cornacchia wrote: > > The zone settings: > > $ ipa dnszone-show --all > Zone name: hq.example.com. > dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com > Zone name: hq.e

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Update: I tried from another client. Also FC21, same network, same settings from the same DHCP. But obviously it must have something different because it partially succeeded. - I do not get errors about LDAP users. - I do not get errors about DNS update However: - I still get the initial error ab

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Oops. Not true, forget last email. This second client installation went differently just because it took the wrong domain. It used *example.com * (what was previously set) instead of *hq.example.com * Uninstalled, tried again with --hostname=photon.hq.examp

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:25 PM, Roberto Cornacchia wrote: Oops. Not true, forget last email. This second client installation went differently just because it took the wrong domain. It used *example.com * (what was previously set) instead of *hq.example.com * U

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct domain (hq.example.com), then I really get all the same errors as before, also in the new client. On 20 Mar 2015 18:39, "Dmitri Pal" wrote: > On 03/20/2015 01:25 PM, Roberto Cornacchia wrote: > > Oops.

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. On 20 March 2015 at 18:55, Roberto Cornacchia wrote: > No, sorry about the confusion, I shouldn't have posted so quickly. > > When I use the correct domain (hq.example.com),

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:55 PM, Roberto Cornacchia wrote: No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct domain (hq.example.com ), then I really get all the same errors as before, also in the new client. Does it really hit the righ

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 01:57 PM, Roberto Cornacchia wrote: But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. Are these VMs? There has been a similar case when the network was not set properly for the virtual test environment.

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
No, all real machines. I'm really sorry it's taking so much of your time. I had tried almost everything on a VM setting first, and everything was fine. Everything always works fine, until you actually need it. On 20 March 2015 at 19:41, Dmitri Pal wrote: > On 03/20/2015 01:57 PM, Roberto Corn

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 02:48 PM, Roberto Cornacchia wrote: No, all real machines. I'm really sorry it's taking so much of your time. I had tried almost everything on a VM setting first, and everything was fine. Everything always works fine, until you actually need it. We try to help as much as we ca

[Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 on CentOS 6.5 Client 3&4 : FreeIPA 4.1.2-1.e

[Freeipa-users] Firewalld rules to allow AD Join

2015-03-20 Thread McEvoy, James
Hi FreeIPA Users: I can only get my new Fedora 21 freeipa server to set up a trust with Active Directory if I turn off the firewall on the ipa server. I have looked through all the doc on which ports to open but have had no luck getting the join to work with firewalld running... Can someon

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Rob Crittenden
nat...@nathanpeters.com wrote: > I have FreeIPA installed on several types of Linux machines and they are > all experiencing strange issues with certificates and host keys. > Here is the setup: > > Server : FreeIPA 4.1.2 on Centos 7 > Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el6_6.4 o

Re: [Freeipa-users] AD users not getting single sign on (Solaris)

2015-03-20 Thread nathan
> nat...@nathanpeters.com wrote: >> I have finally gotten all of my Solaris servers to accept AD users but >> the >> behavior is inconsistent. >> >> In my FreeIPA domain, I can login to a Linux server and then ssh to the >> Solaris server and I am automatically logged in because of my Kerberos >> t

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Centos 7 Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It certainly gets there, because the client gets in fact enrolled as a domain host. I can see it from the UI in Identity / Hosts. But not in the DNS zone. *Before ipa-client-install, all these do work: * $ ssh ipa.hq.example.com $ ntpdate ipa.hq.example.com $ ldapsearch -x -h ipa.hq.example.com -

Re: [Freeipa-users] AD users not getting single sign on (Solaris)

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:23 PM, nat...@nathanpeters.com wrote: nat...@nathanpeters.com wrote: I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent. In my FreeIPA domain, I can login to a Linux server and then ssh to the Solaris server and I am automaticall

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:28 PM, Roberto Cornacchia wrote: It certainly gets there, because the client gets in fact enrolled as a domain host. I can see it from the UI in Identity / Hosts. But not in the DNS zone. *Before ipa-client-install, all these do work: * $ ssh ipa.hq.example.com

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
SSSD logs are empty so far. Isn't sssd.conf written by ipa-client-install? If I raise the debug level after client installation, what activities do you suggest to attempt from the client? On 20 March 2015 at 22:37, Dmitri Pal wrote: > On 03/20/2015 05:28 PM, Roberto Cornacchia wrote: > > It c

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 05:59 PM, Roberto Cornacchia wrote: SSSD logs are empty so far. This is wrong. Isn't sssd.conf written by ipa-client-install? Yes If I raise the debug level after client installation, (and restart) what activities do you suggest to attempt from the client? the ones that

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
> nat...@nathanpeters.com wrote: >> I have FreeIPA installed on several types of Linux machines and they are >> all experiencing strange issues with certificates and host keys. >> Here is the setup: >> >> Server : FreeIPA 4.1.2 on Centos 7 >> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1.11.6-30.el

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
> On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: >> I have FreeIPA installed on several types of Linux machines and they are >> all experiencing strange issues with certificates and host keys. >> Here is the setup: >> >> Server : FreeIPA 4.1.2 on Centos 7 >> Client 1&2 : FreeIPA 3.0.0-42.el

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:41 PM, nat...@nathanpeters.com wrote: On 03/20/2015 04:51 PM, nat...@nathanpeters.com wrote: I have FreeIPA installed on several types of Linux machines and they are all experiencing strange issues with certificates and host keys. Here is the setup: Server : FreeIPA 4.1.2 on Ce

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Ah, I see, I had forgotten to enable debug in the nss section. Here is its log. On 21 March 2015 at 00:40, Roberto Cornacchia wrote: > Two log files in attachment (the other files in /var/log/sssd are all > empty). > > I'll also go through the troubleshooting page again, thanks > > > On 20 March 20

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that invoking getent should correspond to seeing command 17 invoked in the nss log: Something like: [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [admin]. I don't see any command invocation in my sss_dnss l

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:40 PM, Roberto Cornacchia wrote: Two log files in attachment (the other files in /var/log/sssd are all empty). I'll also go through the troubleshooting page again, thanks Do the logs include an id call for admin? I do not see any instance of the word "admin" in the log. O

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Dmitri Pal
On 03/20/2015 07:56 PM, Roberto Cornacchia wrote: From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that invoking getent should correspond to seeing command 17 invoked in the nss log: Something like: [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [admin]

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
>> nat...@nathanpeters.com wrote: >>> I have FreeIPA installed on several types of Linux machines and they >>> are >>> all experiencing strange issues with certificates and host keys. >>> Here is the setup: >>> >>> Server : FreeIPA 4.1.2 on Centos 7 >>> Client 1&2 : FreeIPA 3.0.0-42.el6 with sssd 1

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread nathan
>> Actually this was the problem : >> >> I had added the following line to the [sssd] section of sssd.conf : >> [sssd] >> default_domain_suffix = addomain.net >> >> The reason I had added this is because our business asked if our active >> directory trusted users can be allowed to login without ent

Re: [Freeipa-users] Certificate and key problems in Linux

2015-03-20 Thread Dmitri Pal
On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote: Actually this was the problem : I had added the following line to the [sssd] section of sssd.conf : [sssd] default_domain_suffix = addomain.net The reason I had added this is because our business asked if our active directory trusted users

[Freeipa-users] Password entry through Trust not correct

2015-03-20 Thread McEvoy, James
When I look at the password entries for my rfc2307 account in Active Directory I get three different answers. The only correct one is on a server where I used sssd to join AD directly ( the last one ). Do I need to configure rfc2307? When I configured the server to join AD directly I use the op