Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread James Masson
On 23/09/15 11:03, Fraser Tweedale wrote: On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: On 22/09/15 17:02, James Masson wrote: Hi, we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Martin Kosek
On 09/23/2015 11:00 AM, Michael Lasevich wrote: > OK, this is a most bizarre issue, > > I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and > for the life of me cannot get it to work > > I have followed many nearly identical instructions to create ldif file and > change

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread Fraser Tweedale
On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: > > > >Hi, > > > >we're building IPAs in an automated fashion, for environments that get > >created and destroyed a lot. At the moment, the CA certs used inside > >these IPAs are self-signed, as

Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Michael Anderson
Hi Martin, thanks for your reply. On 09/23/2015 09:07 AM, Martin Kosek wrote: On 09/22/2015 12:41 PM, Michael Anderson wrote: Hi All, we're evaluating freeipa/dogtag as a pki management service and hoping to replace our existing menagerie of bash/openssl scripts. I'm trying to establish a

Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Fraser Tweedale
On Wed, Sep 23, 2015 at 09:07:31AM +0200, Martin Kosek wrote: > On 09/22/2015 12:41 PM, Michael Anderson wrote: > > Hi All, > > > > we're evaluating freeipa/dogtag as a pki management service and hoping to > > replace our existing menagerie of bash/openssl scripts. I'm trying to > > establish >

[Freeipa-users] OTP unstable/non functional after upgrade?

2015-09-23 Thread Michael Lasevich
Ok, something odd happened I would love some feedback/ideas on: We had 4.1.2 running on Fedora that we used for, among other things, OTP authentication. I have just upgraded these to CentOS 7 with 4.1.4 running and our OTP setup suddenly became very unstable. Things that have changed during

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread Rob Crittenden
David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: >> >> Hi, >> >> we're building IPAs in an automated fashion, for environments that get >> created and destroyed a lot. At the moment, the CA certs used inside >> these IPAs are self-signed, as part of the normal "ipa-server-install" >>

[Freeipa-users] User, keytab, password and ldap

2015-09-23 Thread bahan w
Hello ! I'm using IPA 3.0.0 and I have a problem with one of the user I created. user3 I created this user with the command ipa user-add without specifying any password. Then I performed an ipa-getkeytab command with the -P option to have a keytab and a password. When I check the ldap server

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Ludwig Krispenz
On 09/23/2015 05:05 PM, Michael Lasevich wrote: Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no matter what I do. I am running "CentOS

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no matter what I do. I am running "CentOS Linux release 7.1.1503 (Core)" Relevant Packages:

[Freeipa-users] When changing passwords gui displays Login screen is showing

2015-09-23 Thread Andrew Holway
Hi, When a user changes their password the ipa gui briefly redirects to a login page. The user often has an impulse to click on the login button which, on occasion, can seem to cause a mess with the password change. Anyone else aware of this behaviour? ta Andrew

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
No difference. It is as if this setting is being overwritten somewhere deep in 389ds, because the "error" log correctly reflects the changes, but the actual process does not. (and yes, I verified that the process actually shuts down and start up again when I restart it) ldapsearch -x -D

[Freeipa-users] Ghost user?

2015-09-23 Thread Janelle
I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched -- User login: jtest First name: janelle Last name: test Home directory:

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Martin Basti
On 09/23/2015 07:15 PM, Janelle wrote: I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched -- User login: jtest First name:

[Freeipa-users] sssd public socket error

2015-09-23 Thread Andy Thompson
On one of my servers I'm getting Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session opened for user user by (uid=0) Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to sssd failed. Public socket has wrong ownership or permissions.

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Rob Crittenden
Janelle wrote: > On 9/23/15 10:36 AM, Martin Basti wrote: >> >> >> On 09/23/2015 07:15 PM, Janelle wrote: >>> I have a user I created for testing, but now shows as both "there" >>> but not there.. >>> >>> *ipa user-show jtest* >>> >>> ipa: ERROR: jtest: user not found >>> >>> *ipa

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Martin Kosek
On 09/23/2015 05:05 PM, Michael Lasevich wrote: Yes, I am talking about 389ds as is integrated in FreeIPA (would be silly to post completely non-IPA questions to this list...). You would not be the first to do it :-) I am running FreeIPA 4.1.4 on CentOS 7.1 and RC4 is enabled on port 636 no

[Freeipa-users] dns_lookup_kdc question

2015-09-23 Thread Aly Khimji
Hey guys, Quick question. Just running through a poc and ran into a question. I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server. Trust and all is setup properly and I can see users on the client/ipa server and on the ipa server I can ssh into it with the AD user. I am

Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Martin Kosek
On 09/22/2015 12:41 PM, Michael Anderson wrote: > Hi All, > > we're evaluating freeipa/dogtag as a pki management service and hoping to > replace our existing menagerie of bash/openssl scripts. I'm trying to > establish > a migration path for our existing pki solution and have a few questions:

Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-23 Thread Martin Kosek
On a related point to this note - Duncan, did you try to run your setup with RPM version of FreeIPA? FreeIPA 4.2 is included both in RHEL-7.2 Beta or in Fedora 23 Beta updates-testing repo, so you can try the latest and greatest version there and thus find out if the problems you are seeing are

[Freeipa-users] Possible bug in ipa-replica-install/pkispawn - or maybe lib mismatch

2015-09-23 Thread Michael Lasevich
Ok, I just went through process of migrating our IPA setup from 4.1.2 running on Fedora 20 (?? may have been 21) to 4.1.4 on CentOS 7 (MKosek Copr version) and run into a nasty bug. The replica-install crashes during CA configuration with something like: ''/usr/sbin/pkispawn' '-s' 'CA' '-f'

Re: [Freeipa-users] [Import existing CA Cert]

2015-09-23 Thread Martin Kosek
On 09/23/2015 10:05 AM, Michael Anderson wrote: > Hi Martin, > > thanks for your reply. > > On 09/23/2015 09:07 AM, Martin Kosek wrote: >> On 09/22/2015 12:41 PM, Michael Anderson wrote: >>> Hi All, >>> >>> we're evaluating freeipa/dogtag as a pki management service and hoping to >>> replace

[Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
OK, this is a most bizarre issue, I am trying to disable RC4 based TLS Cipher Suites in LDAPs(port 636) and for the life of me cannot get it to work. I have followed many nearly identical instructions to create an ldif file and change "nsSSL3Ciphers" in "cn=encryption,cn=config". Seems simple enough -

Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-23 Thread Winfried de Heiden
Hi all, Including a "timestamp" when installing test servers like "ipa-server-install --subject 'O=IPA.LOCAL 201508311610'." looks promising. I will try that! Kind regards, Winfried Op 23-09-15 om 02:59 schreef Fraser Tweedale: On Tue, Sep 22, 2015 at 09:52:38PM +, Les Stott

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Janelle
On 9/23/15 10:36 AM, Martin Basti wrote: On 09/23/2015 07:15 PM, Janelle wrote: I have a user I created for testing, but now shows as both "there" but not there.. *ipa user-show jtest* ipa: ERROR: jtest: user not found *ipa user-find jtest* -- 1 user matched

Re: [Freeipa-users] How to turn off RC4 in 389ds???

2015-09-23 Thread Michael Lasevich
I actually just posted that in a previous email. The only thing I cut out were nsSSLEnabledCiphers - but here is the complete listing: # ldapsearch -x -D "cn=directory manager" -W -b "cn=encryption,cn=config" Enter LDAP Password: # extended LDIF # # LDAPv3 # base
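The original post in this thread describes editing nsSSL3Ciphers under cn=encryption,cn=config to drop RC4, and the follow-up above reads the entry back with ldapsearch. The script below is an added example, not code from the thread or from 389-ds/FreeIPA: it evaluates a cipher-list value under a simplified model of the 389-ds token syntax (comma-separated "+name"/"-name" entries, "+all"/"-all", "default", later tokens overriding earlier ones; that ordering rule is an assumption), reports which RC4 suites the value still leaves on, appends the explicit "-name" entries needed to turn them off, and renders the ldapmodify LDIF. The cipher inventory and its default-set flags are a constructed subset of 389-ds cipher names, chosen to illustrate the logic rather than to mirror any release.

```python
"""Evaluate a 389-ds style nsSSL3Ciphers value and build the LDIF that removes RC4.

Added example; not code from the mailing-list thread or from 389-ds/FreeIPA.
Assumptions: token semantics are a simplified model (later tokens win), and
CIPHERS is a constructed subset of 389-ds cipher names with illustrative
"default" membership.
"""
from typing import Dict, List, Tuple

# Constructed inventory: name -> (member of the "default" set, uses RC4)
CIPHERS: Dict[str, Tuple[bool, bool]] = {
    "rsa_rc4_128_md5": (True, True),
    "rsa_rc4_128_sha": (True, True),
    "rsa_3des_sha": (True, False),
    "rsa_aes_128_sha": (True, False),
    "rsa_aes_256_sha": (True, False),
    "rsa_null_sha": (False, False),  # never on by default in this model
}


def evaluate_cipher_policy(value: str) -> List[str]:
    """Return the sorted list of ciphers an nsSSL3Ciphers value leaves enabled.

    Tokens are processed left to right; a later "+x"/"-x" overrides an earlier
    "+all"/"-all"/"default" (assumed semantics, see module docstring).
    """
    enabled = set()
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if token in ("default", "+default"):
            enabled |= {n for n, (is_default, _) in CIPHERS.items() if is_default}
            continue
        sign, name = token[0], token[1:]
        if sign not in "+-":
            raise ValueError(f"cipher token must start with + or -: {raw!r}")
        if name == "all":
            targets = set(CIPHERS)
        elif name in CIPHERS:
            targets = {name}
        else:
            raise ValueError(f"unknown cipher name: {name!r}")
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return sorted(enabled)


def rc4_enabled(value: str) -> List[str]:
    """RC4 suites that the given value still enables (empty list means clean)."""
    return [n for n in evaluate_cipher_policy(value) if CIPHERS[n][1]]


def rc4_free_policy(value: str) -> str:
    """Append an explicit '-name' for every RC4 suite the value leaves enabled.

    Appending, rather than rewriting the whole list, keeps the administrator's
    existing choices intact; because later tokens win, the additions take effect.
    """
    leftovers = rc4_enabled(value)
    if not leftovers:
        return value
    return ",".join([value] + [f"-{name}" for name in leftovers])


def ldif_for(value: str) -> str:
    """LDIF for `ldapmodify` that replaces nsSSL3Ciphers on cn=encryption,cn=config."""
    return "\n".join([
        "dn: cn=encryption,cn=config",
        "changetype: modify",
        "replace: nsSSL3Ciphers",
        f"nsSSL3Ciphers: {value}",
        "",
    ])


if __name__ == "__main__":
    current = "+all"  # constructed starting point: everything on, RC4 included
    print("RC4 still enabled by", repr(current), "->", rc4_enabled(current))
    hardened = rc4_free_policy(current)
    print("Hardened value:", hardened)
    print(ldif_for(hardened))
```

Changing the attribute only changes what the directory server will read at its next start; the symptom reported later in this thread (the error log reflecting the new value while the listener still accepts RC4) is exactly why the check has to be made against the live port rather than the configuration. After the restart, compare the read-only nsSSLEnabledCiphers attribute with what the policy evaluator predicts, and confirm from the outside that a handshake restricted to RC4 is refused, for example with `openssl s_client -connect ipa.example.test:636 -cipher RC4` (hostname assumed; the connection must fail to negotiate).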

Re: [Freeipa-users] dns_lookup_kdc question

2015-09-23 Thread Aly Khimji
Excellent, Thank you for the quick response. I will look further into your suggestions Aly On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy wrote: > On Wed, 23 Sep 2015, Aly Khimji wrote: > >> Hey guys, >> >> Quick question. Just running through a poc and ran into a

Re: [Freeipa-users] sudo not work in linux

2015-09-23 Thread Jakub Hrozek
On Wed, Sep 23, 2015 at 12:48:47PM +0330, alireza baghery wrote: > hi > i have centos 6.7 (ipa server) > and i have centos 6.5 (client) I would advise to upgrade, 6.5 is old. I'm not sure if 6.5 already supported sudo_provider=ipa, but I'm pretty sure 6.6 did. That would simplify the

Re: [Freeipa-users] sssd public socket error

2015-09-23 Thread Jakub Hrozek
On Wed, Sep 23, 2015 at 06:03:45PM +, Andy Thompson wrote: > On one of my servers I'm getting > > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session > opened for user user by (uid=0) > Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to >

Re: [Freeipa-users] dns_lookup_kdc question

2015-09-23 Thread Alexander Bokovoy
On Wed, 23 Sep 2015, Aly Khimji wrote: Hey guys, Quick question. Just running through a poc and ran into a question. I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server. Trust and all is setup properly and I can see users on the client/ipa server and on the ipa server I

Re: [Freeipa-users] V6 and v4

2015-09-23 Thread Janelle
On 9/13/15 11:46 PM, Alexander Bokovoy wrote: On Sun, 13 Sep 2015, Janelle wrote: Hello, I read something recently that if ip v6 is disable on a server this hurts performance in some way? Is there more info on this or did I misread it? Do not disable IPv6 stack on your machines. By disabling

[Freeipa-users] sudo not work in linux

2015-09-23 Thread alireza baghery
Hi, I have centos 6.7 (ipa server) and I have centos 6.5 (client). I cannot sudo on the client. I added a sudo rule on ipa. I configured the file sss.conf +++ [domain/l.infotechpsp.net] debug_level = 6 #cache_credentials = True #krb5_store_password_if_offline = True ipa_domain = l.infotechpsp.net id_provider =

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-23 Thread Matt .
Hi Guys, Please keep this topic updated as many people seem to have this question. What's the status at your side ? Cheers, Matt 2015-09-04 15:27 GMT+02:00 Matt . : > Hi, > > Does everyone have this working or given up on it ? > > Cheers, > > Matt > > 2015-08-26 20:07

[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

2015-09-23 Thread Brian J. Murrell
I've put a Kerberos principal into a keytab: # klist -k asterisk.keytab Keytab name: FILE:asterisk.keytab KVNO Principal -- 8 aster...@example.com using: # ipa-getkeytab -s server.example.com -p asterisk -k

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread Fraser Tweedale
On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote: > > On 23/09/15 11:03, Fraser Tweedale wrote: > >On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: > >>On 22/09/15 17:02, James Masson wrote: > >>> > >>>Hi, > >>> > >>>we're building IPAs in an automated fashion, for

[Freeipa-users] IPA server failover

2015-09-23 Thread Andy Thompson
I've got all of my environments setup with two IPA servers. I'm fighting intermittent problems with krb5kdc crashing on them in all of my environments and I've opened a ticket with Redhat on that. What I can't figure out though is why the clients will not fail over to the second functioning

Re: [Freeipa-users] IPA server failover

2015-09-23 Thread Alexander Bokovoy
On Wed, 23 Sep 2015, Andy Thompson wrote: I've got all of my environments setup with two IPA servers. I'm fighting intermittent problems with krb5kdc crashing on them in all of my environments and I've opened a ticket with Redhat on that. What I can't figure out though is why the clients will

Re: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

2015-09-23 Thread Alexander Bokovoy
On Wed, 23 Sep 2015, Brian J. Murrell wrote: I've put a Kerberos principal into a keytab: # klist -k asterisk.keytab Keytab name: FILE:asterisk.keytab KVNO Principal -- 8 aster...@example.com using: # ipa-getkeytab