Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-14 Thread Brian J. Murrell
On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote: > Hello, Hi, > It is the right way to do it AFAIK, Indeed, no. It's a hack around the lack of SNI support in mod_nss. > however it would only work with FreeIPA 4.0 > or older: > > https://fedorahosted.org/freeipa/ticket/3977 That's

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Now it is working, with the same configuration ... Could it be possible there is some delay on the trust if the AD group was a new one? Thanks, Morgan 2015-09-14 11:35 GMT+02:00 Sumit Bose : > On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote: > > Ok, but now I've another

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Pavel Březina
On 09/11/2015 02:40 PM, Molnár Domokos wrote: Full log attached. "Molnár Domokos" wrote: "Pavel Březina" wrote: On 09/09/2015 09:31 PM, Molnár Domokos wrote: > I have a working IPA server and a working client config on an

[Freeipa-users] freeIPA or just SSSD?

2015-09-14 Thread Milam, Tyler S
My organization is evaluating new methods of user account provisioning in Linux. What advantages does freeIPA offer over just SSSD? Some background - we use Active Directory for everything but have a small linux footprint (25 servers). However, many services are going to be migrated from AIX

Re: [Freeipa-users] AD Trust Issues

2015-09-14 Thread Matt Wells
Is the fix in CentOS or RHEL yet? On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy wrote: > On Fri, 11 Sep 2015, Matt Wells wrote: > >> I've been working on an AD trust with our freeipa servers but have run >> into >> some of the same issues others have had. >> It's well

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Pawel Fiuto
Hi Gustavo, Using settings from 'ipa-advise config-redhat-sssd-before-1-9' with the modifications below seems to work quite well: - on the IPA server add permission to read ipaSshPubKey anonymously: [ipa-server]# ipa permission-add 'Read ipaSshPubKey' --type=user --attrs=ipaSshPubKey

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-14 Thread Gustavo Mateus
I did not try that setup with config-redhat-sssd-before-1-9 because its description says it works with version 1.5 - 1.8, and Amazon Linux has 1.2 config-redhat-sssd-before-1-9: Instructions for configuring a system with an old

[Freeipa-users] PHP example of authenticating to Freeipa api

2015-09-14 Thread Marc van de Geijn
Hi, I've been searching for a PHP example that authenticates to the Freeipa API. Does somebody have working PHP code? I've been trying to get PHP code working with bits I could find, but it does not work. I want to communicate with Freeipa to add users, change passwords, etc. from our

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread Janelle
On 9/13/15 11:46 PM, Alexander Bokovoy wrote: On Sun, 13 Sep 2015, Janelle wrote: Hello, I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? Do not disable the IPv6 stack on your machines. By disabling

Re: [Freeipa-users] vsftpd PAM setup problem

2015-09-14 Thread jcnt
> Is there anything for /var/log/secure for vsftpd ? I would look for > messages from pam_sss.so Sep 14 19:50:11 fds vsftpd[27097]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=::1 user=admin (END) Nothing from pam_sss.so Found a temporary

Re: [Freeipa-users] Sudo entry not found by sssd in the cache db

2015-09-14 Thread Molnár Domokos
On 09/14/2015 03:08 PM, Pavel Březina wrote: >On 09/11/2015 02:40 PM, Molnár Domokos wrote: >>Full log attached. >>"Molnár Domokos" írta: >> >> >>"Pavel Březina" írta: >> >>On 09/09/2015 09:31 PM, Molnár Domokos wrote: >> > I have a

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone. I enabled those and PTR sync on both the forward and reverse and now it seems to be working for a new client that I joined. What I'm not clear on at this point is why that is not a default setting. I know at some point

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti
Hi, can you check the journalctl -u named(-pkcs11) on the server? There might be errors explaining why the PTR record has not been added. Do you have dynamic updates enabled for the reverse zone? Martin On 09/12/2015 10:42 PM, Youenn PIOLET wrote: Hi, I've seen the same issue recently on various clients

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
The Pro edition. I've solved my connection problem: I have to specify the username manually (name.surname@ad_domain.com) with Microsoft SSPI. In this mode it is OK, but using PuTTY "Use system username" does not work for me. I don't know why :) Bye, Morgan 2015-09-11 22:24 GMT+02:00 Alexander

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 09:24:15AM +0200, Morgan Marodin wrote: > The Pro edition. > > I've solved my connection problem: I have to specify the username manually ( > name.surname@ad_domain.com) with Microsoft SSPI. > In this mode it is OK, but using PuTTY "Use system username" does not work for > me.

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Alexander Bokovoy
On Mon, 14 Sep 2015, Morgan Marodin wrote: The Pro edition. I've solved my connection problem: I have to specify the username manually ( name.surname@ad_domain.com) with Microsoft SSPI. In this mode it is OK, but using PuTTY "Use system username" does not work for me. I don't know why :) A

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > > > on a CentOS 7.1 host when enrolling it with (among others) the switch > > --request-cert it does not create a host certificate for it. The host

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread Alexander Bokovoy
On Sun, 13 Sep 2015, Janelle wrote: Hello, I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? Do not disable the IPv6 stack on your machines. By disabling IPv6 you are not doing any good. On the contrary, many

Re: [Freeipa-users] PHP example of authenticating to Freeipa api

2015-09-14 Thread Alexander Bokovoy
On Mon, 14 Sep 2015, Marc van de Geijn wrote: Hi, I've been searching for a PHP example that authenticates to the Freeipa API. Does somebody have working PHP code? I've been trying to get PHP code working with bits I could find, but it does not work. I want to communicate with Freeipa to add

Re: [Freeipa-users] freeIPA or just SSSD?

2015-09-14 Thread Jakub Hrozek
On Mon, Sep 14, 2015 at 12:38:00PM -0400, Mark Heslin wrote: > Hi Tyler, > > Some comments below...I'm sure others will chime in :-) > > On 09/14/2015 10:33 AM, Milam, Tyler S wrote: > > > >My organization is evaluating new methods of user account provisioning in > >Linux. What advantages does

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread David Kupka
On 13/09/15 16:33, Janelle wrote: Hello, I read something recently that if IPv6 is disabled on a server this hurts performance in some way? Is there more info on this or did I misread it? Thank you ~J Hello Janelle, I do not know of any performance issue with disabled IPv6. The only case

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Martin Kosek
On 09/12/2015 03:14 PM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > >> hi, >> >> on a CentOS 7.1 host when enrolling it with (among others) the switch >> --request-cert it does not create a host certificate for it. The host is >>

Re: [Freeipa-users] Search 'hosts'

2015-09-14 Thread Martin Kosek
On 09/12/2015 01:12 AM, Craig White wrote: > ipa-server-4.1.0-18.el7_1.4.x86_64 > > Maybe I was spoiled but from the web ui, I can't seem to search for hosts or > DNS names - all searches seem to return nothing at all > > User searches work (thankfully) > > Previous version 3.0.0 from RHEL6 I

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-14 Thread Martin Kosek
On 09/12/2015 02:57 PM, Brian J. Murrell wrote: > Due to the bug in mod_nss that prevents SNI from functioning (i.e. > limits a port to a single certificate) I need to add SANs > (SubjectAltName) to the certificate that freeipa created for the > webserver (Server-Cert) so that I can add more

Re: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-14 Thread Martin Kosek
On 09/12/2015 09:51 AM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo > wrote: > >> hi, >> >> In a test network I followed the procedure specified in >>

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread Martin Kosek
On 09/13/2015 04:33 PM, Janelle wrote: > Hello, > > I read something recently that if IPv6 is disabled on a server this hurts > performance in some way? Is there more info on this or did I misread it? > > Thank you > ~J The only area where I recall disabled IPv6 causing trouble is

Re: [Freeipa-users] Search 'hosts'

2015-09-14 Thread thierry bordaz
On 09/14/2015 08:18 AM, Martin Kosek wrote: On 09/12/2015 01:12 AM, Craig White wrote: ipa-server-4.1.0-18.el7_1.4.x86_64 Maybe I was spoiled but from the web ui, I can't seem to search for hosts or DNS names - all searches seem to return nothing at all User searches work (thankfully)

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Morgan Marodin
Ok, but now I've another problem :) If I disable the default allow_all HBAC rule, creating one custom HBAC rule that enables ad_admins to access any host and any service, the Kerberos ticket via ssh does not work. Username/password authentication with the same custom HBAC rules works. SSH logs with

Re: [Freeipa-users] Using SSH from Active Directory machines for FreeIPA clients with kerberos tickets

2015-09-14 Thread Sumit Bose
On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote: > Ok, but now I've another problem :) > > If I disable the default allow_all HBAC rule, creating one custom HBAC rule > that enables ad_admins to access any host and any service, the Kerberos ticket via > ssh does not work. >