On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote:
> On Fri, 12 Feb 2016, Jakub Hrozek wrote:
> >On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote:
> >>On Fri, 12 Feb 2016, w...@dds.nl wrote:
> >>>Hi all,
> >>>
> >>>Yes, you can filter out certain SIDs--> I tried, bu
On Mon, 15 Feb 2016, Sumit Bose wrote:
On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote:
On Fri, 12 Feb 2016, Jakub Hrozek wrote:
>On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote:
>>On Fri, 12 Feb 2016, w...@dds.nl wrote:
>>>Hi all,
>>>
>>>Yes, you can filter o
Hello,
I would like to get freeipa to work with a proxy solution ( I currently have
this working with an active directory/no trust authentication and sudo but no
HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a
ticket for this as a new enhancement #4634 but wanted
On Mon, Feb 15, 2016 at 11:10:41AM +0200, Alexander Bokovoy wrote:
> On Mon, 15 Feb 2016, Sumit Bose wrote:
> >On Fri, Feb 12, 2016 at 10:49:36PM +0200, Alexander Bokovoy wrote:
> >>On Fri, 12 Feb 2016, Jakub Hrozek wrote:
> >>>On Fri, Feb 12, 2016 at 01:29:47PM +0200, Alexander Bokovoy wrote:
> >>
On 02/12/2016 06:22 PM, Filip Pytloun wrote:
Following is in /etc/ldap/ldap.conf on both servers (only URI differs):
what is your OS, do you also have a /etc/openldap/ldap.conf
ldapsearch and the replication connection should use the same openldap
libraries and so it is strange that -ZZ works
On Mon, Feb 15, 2016 at 10:24:23AM +0530, Rakesh Rajasekharan wrote:
> hbac seems to be fine
>
>
> ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd
>
> Access granted: True
>
> Matched rules: allow_all
>
>
> I see this in the sssd.log
>
> (Mo
I am using Ubuntu 16.04 (Xenial), there's no /etc/openldap
Here's complete debug log of replica install:
http://pastebin.com/38zi5MWd
Now I noticed following, don't know if it can directly relate to this issue:
ipa : DEBUGstderr=ldap_initialize(
ldap://idm02.tcpcloud.eu:389/??base )
On Mon, Feb 15, 2016 at 09:34:33AM +, Birnbaum, Warren (ETW) wrote:
> Hello,
>
> I would like to get freeipa to work with a proxy solution ( I currently have
> this working with an active directory/no trust authentication and sudo but no
> HBAC) including HBAC. I can get sudo to work but no
Hi Jakub,
Thanks but I have sudo working OK. What I am trying to make work is HBAC.
That I can't get to work with the proxy hack. Is there a way to do that?
Thanks,
Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Opera
On 12.2.2016 20:49, Chris Lajoie wrote:
> On 02/12/2016 12:53 AM, Petr Spacek wrote:
>> On 11.2.2016 19:32, Chris Lajoie wrote:
>>> On 02/11/2016 02:46 AM, Petr Spacek wrote:
What version of BIND and bind-dyndb-ldap packages are you using? $ rpm
-q bind bind-dyndb-ldap
>>> bind-9.9.4-29.e
On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>Hello,
>
>I would like to get freeipa to work with a proxy solution ( I currently have
>this working with an active directory/no trust authentication and sudo but no
>HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a
Thanks Lukas.
Unfortunately setting up a IPA Ad Trust is something not possible within
our organization. Is it then fair to say that waiting for Ticket #4623 is
our only option? https://fedorahosted.org/freeipa/ticket/4634
Thanks,
Warren
___
Warren Birnbaum : Infrastructure
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
Thanks Lukas.
Unfortunately setting up a IPA Ad Trust is something not possible within
our organization. Is it then fair to say that waiting for Ticket #4623 is
our only option? https://fedorahosted.org/freeipa/ticket/4634
This ticket is not
Alexander,
Thanks for letting me know this. Is it true then that my only option is
to have the IPA AD trust to achieve AD authentication (proxy style), HBAC
and sudo?
Thanks
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Oper
On (15/02/16 11:45), Birnbaum, Warren (ETW) wrote:
>Thanks Lukas.
>
>Unfortunately setting up a IPA Ad Trust is something not possible within
>our organization. Is it then fair to say that waiting for Ticket #4623 is
>our only option? https://fedorahosted.org/freeipa/ticket/4634
>
As I wrote i
On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
Alexander,
Thanks for letting me know this. Is it true then that my only option is
to have the IPA AD trust to achieve AD authentication (proxy style), HBAC
and sudo?
I'm not sure using 'proxy' term is actually helpful here. IPA does not
work
On 26.1.2016 13:18, Zeal Vora wrote:
> Thanks David.
>
> Generally for Operating systems like Amazon Linux etc which does not have a
> IPA-Client, we generally use SSSD to get things working.
>
> In such cases, what would be optimal way to configure the SRV records as
> --domain parameter won't b
Hello Rob
Regarding the thread
https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
have tested to set KrbMethodK5Passwd to on and restarted httpd but IPA
Web UI was still trying to auto-login user through a browser dialog.
In order to effectively disable this browser d
this is what I have in /var/log/secure
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh
On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora
> wrote:
>
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> >
> > Is any user allowed to run docker run? That seems like a security
> > issu
I tried creating a FreeIPA replica in GCE.
GCE is a little weird in that its DHCP assigns a /32 netmask to VMs. There
does not seem to be any way to disable that specific behavior in GCE since
as a user you have no control of the DHCP server. As a user you can create
your own networks but it seem
Filip Pytloun wrote:
> I am using Ubuntu 16.04 (Xenial), there's no /etc/openldap
That's the problem right there. I don't believe Ubuntu supports setting
up replication agreements yet due to gnutls vs NSS issues. An effort is
being made upstream to eliminate the need for TLS during agreement setup
On Mon, Feb 15, 2016 at 11:24:08AM +, Birnbaum, Warren (ETW) wrote:
> Hi Jakub,
>
> Thanks but I have sudo working OK.
I'm sorry, my fault..
> What I am trying to make work is HBAC.
> That I can't get to work with the proxy hack. Is there a way to do that?
I haven't tested that use-case, but
Hi guys
I've just installed a RHEL7 server with ipa-server 4.2.0...
Everything seems to work fine, until I add a service principal:
(Running on a client, after a kinit)
[root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p
HTTP/naboo.outerrim@outerrim.lan -k /etc/krb5.keytab
Keytab su
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
> Hi guys
>
> I've just installed a RHEL7 server with ipa-server 4.2.0...
>
> Everything seems to work fine, until I add a service principal:
>
> (Running on a client, after a kinit)
>
> [root@dantooine ~]# ipa-getkeytab -s naboo.oute
On Mon, Feb 15, 2016 at 06:59:57PM +0530, Rakesh Rajasekharan wrote:
> this is what I have in /var/log/secure
>
> Feb 15 12:22:33 ipa-xyz sshd[13499]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=tempuser
> Feb 15 12:22:33 ipa-xyz sshd[134
Hello,
On 02/15/2016 02:12 PM, Wanderley Mayhé wrote:
Hello Rob
Regarding the thread
https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA
Web UI was still trying to auto-login user through a browser
On Mon, Feb 15, 2016 at 03:58:15PM +, Birnbaum, Warren (ETW) wrote:
> Jakub,
>
> We want to use password stored in AD and get a yes/no from the AD side.
OK, I see. Yes, with IPA provider you would authenticate the IPA user
against the IPA KDC.
> My understanding (which is very limited) is th
On 02/15/2016 04:41 PM, Sumit Bose wrote:
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
Hi guys
I've just installed a RHEL7 server with ipa-server 4.2.0...
Everything seems to work fine, until I add a service principal:
(Running on a client, after a kinit)
[root@dantooine ~]#
Jakub,
We want to use password stored in AD and get a yes/no from the AD side.
My understanding (which is very limited) is that if we use the IPA
authentication then it resides in the local kerberos database. Is that
not correct? If I am completely off, how would I setup type of
authentication f
Jakub,
I am very interested in your standalone HBAC PAM module if you think it
would apply in this situation. I would be happy to test it out if helpful.
Thanks again for your help,
Warren Birnbaum
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Servic
Thank you, this information helped.
I have found related bugs:
FreeIPA: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786411
OpenLDAP switch to NSS:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725153
389ds ticket: https://fedorahosted.org/389/ticket/47536
It doesn't seem there's some fu