Re: [Freeipa-users] DNS Module (DNSSEC) NSEC§

2016-01-21 Thread Martin Basti
Hello, you can try to set up NSEC3PARAM record for zone

ipa dnszone-mod example.com. --nsec3param-rec " "

Martin

On 20.01.2016 20:33, Günther J. Niederwimmer wrote:
Hello, I can't find a way to integrate NSEC3, all DOC's I found is only for DNSSEC, but not including NSEC3. Can any help

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Martin Kosek
On 01/21/2016 03:31 PM, Terry John wrote:
> I've been trying to tidy the security on my FreeIPA and this is causing me
> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
> with this issue
>
> EXPORT_RSA cipher suites supported by the remote server:
> TLSv1.0:

[Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Terry John
I've been trying to tidy the security on my FreeIPA and this is causing me some problems. I'm using OpenVAS vulnerability scanner and it is coming up with this issue

EXPORT_RSA cipher suites supported by the remote server:
TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
TLSv1.0:

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-21 Thread Martin Kosek
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
>
> Thank you for your answer.

Adding freeipa-users list back, so that others can follow the thread.

> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?

This is probably not something that

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Ludwig Krispenz
On 01/21/2016 08:50 AM, Nathan Peters wrote: I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly. It seems that no account, no keytab, and no host can

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Rich Megginson
On 01/21/2016 12:50 AM, Nathan Peters wrote: I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly. It seems that no account, no keytab, and no host can

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Christian Heimes
On 2016-01-21 15:51, Martin Kosek wrote:
> On 01/21/2016 03:31 PM, Terry John wrote:
>> I've been trying to tidy the security on my FreeIPA and this is causing me
>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
>> with this issue
>>
>> EXPORT_RSA cipher suites

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Terry John
>> I've been trying to tidy the security on my FreeIPA and this is
>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>> it is coming up with this issue
>>
>> EXPORT_RSA cipher suites supported by the remote server:
>> TLSv1.0: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0006)
>>

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Rob Crittenden
Christian Heimes wrote:
> On 2016-01-21 15:51, Martin Kosek wrote:
>> On 01/21/2016 03:31 PM, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is causing me
>>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up
>>> with this issue
>>>

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Christian Heimes
On 2016-01-21 17:54, Terry John wrote:
>>> I've been trying to tidy the security on my FreeIPA and this is
>>> causing me some problems. I'm using OpenVAS vulnerability scanner and
>>> it is coming up with this issue
>>>
>>> EXPORT_RSA cipher suites supported by the remote server:
>>> TLSv1.0:

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Nathan Peters
Here are the results for that aci search using a non gssapi bind by directory manager on the old master that we are attempting to join against. I don't see anything in this list that would indicate that some users should or should not have access through a certain method. Unless one of those

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Nathan Peters
Ok, here are the logs and console session from those searches as admin and as the host on the new master against itself. Same result, nothing in there. See my email reply to Rich I sent a few minutes ago for the directory manager aci search results.

Re: [Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-21 Thread Jakub Hrozek
> On 22 Jan 2016, at 01:25, Lachlan Musicman wrote:
>
> The /var/log/sssd/ldap_child.log have one line repeated:
>
> [[sssd[ldap_child[9738 [ldap_child_get_tgt_sync] (0x0010): Failed to
> init credentials: Cannot contact any KDC for realm UNIX.CO.ORG.AU
>
> All other

[Freeipa-users] Samba crashes with recent F23 update

2016-01-21 Thread John Obaterspok
Hello, I'm running F23 and now IPA fails to start due to crash in smb:

-- Unit smb.service has begun starting up.
jan 22 08:38:52 ipa.win.lan audit[7037]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:smbd_t:s0 pid=7037 comm="smbd" exe="/usr/sbin/smbd" sig=6
jan