Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-21 Thread Toby Gale
Thanks for the help Rich. Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP session to the DC and had a look at the registry in "HKEY_LOCAL_MACHINE\SOFTWARE\PasswordSync". I noticed the same characters in the "

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Sumit Bose
On Mon, Jun 20, 2016 at 10:46:13PM +0200, Martin Štefany wrote: > Hello all, > > I've run into a strange issue with IPA/SSSD/SSH/SELinux which started when I > figured out that I cannot ssh with pubkey auth to Fedora 23 (ipa-client) > systems > while I can to CentOS 7.2 (ipa-client and ipa-server)

[Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Dan.Finkelstein
We've recently set up a "clean" install of FreeIPA replete with replicas, but we just noticed an odd behavior in the DNS service: hosts in the top level domain (like ipa.example.com) do not resolve, whereas hosts in subdomains (like ipa.dev.example.com) do. I'm not sure what to look for in the v

Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error

2016-06-21 Thread Dan.Finkelstein
Oh, I disabled that first. I turn on services and restrictions one-by-one after things are working, not before. —Dan Daniel Alex Finkelstein | Lead Dev Ops Engineer dan.finkelst...@h5g.com | 212.604.34

Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Petr Spacek
On 21.6.2016 11:23, dan.finkelst...@high5games.com wrote: > We've recently set up a "clean" install of FreeIPA replete with replicas, but > we just noticed an odd behavior in the DNS service: hosts in the top level > domain (like ipa.example.com) do not resolve, whereas hosts in subdomains > (li

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Martin Štefany
Hello Sumit, putting SELinux to permissive mode and/or enabling nis_enabled seboolean seemed not help at all. And you are right, my user has userCertificate (needed for secure libvirtd connection). [martin@desk2 ~]$ sss_ssh_authorizedkeys martin Error looking up public keys [martin@desk2 ~]

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Sumit Bose
On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote: > Hello Sumit, > > putting SELinux to permissive mode and/or enabling nis_enabled seboolean > seemed not help at all. And you are right, my user has userCertificate > (needed for secure libvirtd connection). > > > [martin@desk2 ~]$

Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Dan.Finkelstein
Hi Petr, Top level means the root zone of the various DNS trees we serve. For example, h5g.com would be the root and dev.h5g.com, test.h5g.com, etc., would be the subdomains. Our subdomains query fine, but any hosts in the root domain no longer resolve. An example of an unresolvable name is IP

Re: [Freeipa-users] Ghost ipaSshPubKey in sss_ssh_authorizedkeys or 'Error looking up public keys'

2016-06-21 Thread Martin Štefany
On 6/21/2016 1:16 PM, Sumit Bose wrote: On Tue, Jun 21, 2016 at 12:43:23PM +0200, Martin Štefany wrote: Hello Sumit, putting SELinux to permissive mode and/or enabling nis_enabled seboolean seemed not help at all. And you are right, my user has userCertificate (needed for secure libvirtd connec

[Freeipa-users] AD trust with POSIX attributes

2016-06-21 Thread Jan Karásek
Hi all, I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD. I have set up trust with these parameters: ipa trust-add

Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Dan.Finkelstein
Solution found (or, if not, a workaround): IPA replicas must be named in the root domain/zone and not in a subdomain, else DNS fails to serve records in the root domain. Once we changed our configuration to reflect this, DNS returned to normal. —Dan

[Freeipa-users] FreeIPA+FreeRadius+OpenVPN

2016-06-21 Thread Ciociu Calin
Hello everyone, I recently started using FreeIPA and FreeRadius so I might still have some misconceptions. What I am trying to achieve is to have clients use client certificate to login into OpenVPN using FreeRadius and FreeIPA. So far clients can connect to OpenVPN (radiusplugin) with FreeRadi

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Cal Sawyer
As usual, apologies for any formatting issues due to extracting message threads out of digests ... Anyhow, I have determined where everything goes terribly wrong with OSX clients: OSX 10.10.3 ("out of the box" Yosemite) works fine using linsec.ca's guidance. However, the second you patch to

Re: [Freeipa-users] CentOS 7 & FreeIPA 4.2: DNS resolution at the top-level domain/zone

2016-06-21 Thread Petr Spacek
On 21.6.2016 15:03, dan.finkelst...@high5games.com wrote: > Solution found (or, if not, a workaround): > IPA replicas must be named in the root domain/zone and not in a subdomain, > else DNS fails to serve records in the root domain. Once we changed our > configuration to reflect this, DNS return

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Joe DiTommasso
I've actually got a whole stack of El Capitan clients authenticating against FreeIPA: mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType Software: System Software Overview: System Version: OS X 10.11.5 (15F34) Kernel Version: Darwin 15.5.0 Boot Volume: Macintosh HD

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Cal Sawyer
Wow, that's surprising, Joe. I'm also using the linsec recipe. Yours required no fiddling? You can login straight off from the graphical loginWindow? Yes, very interested in any help you can offer. Are you authenticating against IPA 3 or 4, for sake of curiosity. BTW: you can get your s

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Joe DiTommasso
No fiddling that I remember. Basically got the setup working once and then have been pushing out plist files to all new installs. Graphical login works, as does sudo, sort of: still have to add the user as an administrator on the local machine, but then their kerberos password works for authenticati

Re: [Freeipa-users] Replication time and relation to cache size

2016-06-21 Thread Ash Alam
Anyone have any thoughts on this? Thank You On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam wrote: > Hello > > I have been going through the lists but I have not found the answer I am > looking for. I am seeing a few issues for which I am looking for some > clarification. > > 1. What is the relationshi

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Cal Sawyer
... "have to add the user as an administrator on the local machine"? That's pretty intriguing, but not great security-wise, unfortunately. Not a big deal at the moment, though. OK, just made my user account an admin but it's still dragging on login. My IPA setup is the same: ipa-server-4.2.0

Re: [Freeipa-users] OS X Yosemite unable to authenticate

2016-06-21 Thread Joe DiTommasso
You don't have to add them as an administrator for login to work, just sudo. Will send one over in a second. On Tue, Jun 21, 2016 at 12:11 PM, Cal Sawyer wrote: > ... "have to add the user as an administrator on > the local machine"? That's pretty intriguing, but not great security-wise, > unf

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-21 Thread Sean Hogan
Noticed something else really goofy in the DNS logs on master ipa client 10.9.0.1#58094: query failed (SERVFAIL) for serv1.domain.local.domain.local/IN/ at query.c:6569 timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock? client 10.10.0.1#44147: q

Re: [Freeipa-users] CA: IPA certificates not renewing

2016-06-21 Thread Rob Crittenden
Marc Wiatrowski wrote: Thanks for the reply Rob, So should fixing replication be more than running a re-initialize? I've tried this with no luck. Still the same errors in renewing the IPA certs. re-init drops one database and replaces it with another. If you really did that then you have pot

Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error

2016-06-21 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: Oh, I disabled that first. I turn on services and restrictions one-by-one after things are working, not before. I guess brute force via strace then. Something is throwing a permission error. rob —Dan *Daniel Alex Finkels

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-21 Thread Rob Crittenden
Tomasz Torcz wrote: On Sat, Jun 18, 2016 at 11:02:23PM -0400, Rob Crittenden wrote: Most of the functions work, but 5) I cannot get Authentication→Certificates list: On okda, going to Certificates list yields ”Certificate operation cannot be completed: Unable to communicate with CMS (Inte

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-21 Thread Rob Crittenden
Günther J. Niederwimmer wrote: Hello Rob, Am Mittwoch, 1. Juni 2016, 09:54:58 CEST schrieb Rob Crittenden: Günther J. Niederwimmer wrote: Hello, Am Dienstag, 31. Mai 2016, 11:06:09 CEST schrieb Rob Crittenden: Günther J. Niederwimmer wrote: Hello I found any Help for the IPA Certificate but

[Freeipa-users] Announcing FreeIPA 4.4.0 alpha1

2016-06-21 Thread Petr Vobornik
== FreeIPA 4.4.0 Alpha 1 == The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release! A tarball can be downloaded from http://www.freeipa.org/page/Downloads == Highlights in 4.4.0 Alpha 1 == Enhancements: * Improved Topology Management

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-21 Thread Sean Hogan
Has anyone seen these before? First Master IPA DNS logs show: Looks like the host names are getting the domain twice domain.local.domain.local client 10.x.x.x#58094: query failed (SERVFAIL) for server1.domain.local.domain.local/IN/ at query.c:6569 timeout in ldap_pool_getconnection():
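The SERVFAIL lines Sean pastes here and in his earlier message share one shape: the queried name carries the IPA domain twice (serv1.domain.local.domain.local), which is what a name that is already fully qualified looks like after a resolver appends the search domain to it once more. The following is an added example, not code from the thread or from FreeIPA, that parses BIND-style "query failed" lines and flags exactly that doubled-suffix pattern, so the log can be triaged before touching the KDC or the LDAP connection pool. The log lines are constructed to match the pasted format, and the zone name domain.local is taken from the thread as an assumption.

```python
import re
from typing import List, Optional, Tuple

# BIND/named "query failed" line as pasted in the thread. The record type
# after the class is sometimes absent in the pasted log ("/IN/"), so the
# type group is allowed to be empty.
FAILED_QUERY_RE = re.compile(
    r"client (?P<client>[^#\s]+)#\d+: query failed \((?P<rcode>[A-Z]+)\) for "
    r"(?P<qname>\S+?)/(?P<rclass>[A-Z]+)/(?P<rtype>[A-Z0-9]*)"
)

# Constructed sample lines (not a real capture) in the shape of Sean's logs.
SAMPLE_LOG = [
    "client 10.9.0.1#58094: query failed (SERVFAIL) for serv1.domain.local.domain.local/IN/ at query.c:6569",
    "timeout in ldap_pool_getconnection(): try to raise 'connections' parameter; potential deadlock?",
    "client 10.10.0.1#44147: query failed (SERVFAIL) for www.domain.local.domain.local/IN/A at query.c:6569",
    "client 10.10.0.2#40001: query failed (NXDOMAIN) for nosuch.domain.local/IN/A at query.c:6569",
    "client 10.10.0.3#40002: query failed (SERVFAIL) for ok.domain.local/IN/A at query.c:6569",
]


def parse_failed_query(line: str) -> Optional[dict]:
    """Return client, rcode and normalised qname from a 'query failed' line, else None."""
    m = FAILED_QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def has_doubled_suffix(qname: str, zone: str) -> bool:
    """True when the zone occurs twice at the end of the name.

    host.domain.local.domain.local for zone domain.local is the classic
    result of a search-domain being appended to an already-qualified name.
    """
    z = zone.strip(".").lower()
    q = qname.rstrip(".").lower()
    return q == f"{z}.{z}" or q.endswith(f".{z}.{z}")


def scan(lines: List[str], zone: str) -> List[Tuple[str, str, str]]:
    """Report (client, bad qname, corrected qname) for doubled-suffix SERVFAILs.

    The LDAP connection-pool timeout from the same log is reported as a
    separate signal because it points at the named-to-389-ds path, not at
    client-side resolver configuration.
    """
    z = zone.strip(".").lower()
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_failed_query(line)
        if rec and rec["rcode"] == "SERVFAIL" and has_doubled_suffix(rec["qname"], z):
            # Drop the trailing duplicate ".zone" to show the name that was meant.
            corrected = rec["qname"][: -(len(z) + 1)]
            findings.append((rec["client"], rec["qname"], corrected))
        elif "timeout in ldap_pool_getconnection" in line:
            findings.append(("-", "ldap_pool_getconnection timeout", ""))
    return findings


if __name__ == "__main__":
    for client, qname, corrected in scan(SAMPLE_LOG, "domain.local"):
        print(f"{client:<12} {qname:<40} {corrected}")
```

Run against the real named log with the zone the IPA server serves; a list of flagged clients tells you which hosts' resolver search lists (or an `ndots`/trailing-dot problem in whatever is issuing the lookups) to inspect, while the pool-timeout line is a separate problem on the server side.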

Re: [Freeipa-users] AD trust with POSIX attributes

2016-06-21 Thread Jakub Hrozek
On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote: > Hi all, > > I have a question about IPA with AD forest trust. What I am trying to do is > set up an environment where all information about users is stored in one place > - AD. I would like to read at least uid, home, shell and sshk

Re: [Freeipa-users] FreeOTP

2016-06-21 Thread Nathaniel McCallum
I have found and fixed what I believe to be the issue. I have submitted a patch upstream for review: https://github.com/krb5/krb5/pull/471 Once merged, we will backport the fix into all existing Fedora releases. So you should get an update via a simple: dnf update. On Thu, 2016-06-16 at 10:28 +02

Re: [Freeipa-users] Active Directory password sync fails with RC 34

2016-06-21 Thread Rich Megginson
Great! Glad you got that working. Next step is to use AD trust instead of sync . . . On 06/21/2016 12:58 AM, Toby Gale wrote: Thanks for the help Rich. Looking at the log I noticed some extra characters in the DN that corresponds to "Search Base". I got the Windows admin to share his RDP s

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-21 Thread Sean Hogan
More info Krb5 log is showing: Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin@domain.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Server error [bob@Firstmaster etc]# kinit -v admin kinit: Credentials cache file '/tm

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-21 Thread Petr Spacek
On 22.6.2016 02:56, Sean Hogan wrote: > More info > > > Krb5 log is showing: > Jun 21 20:42:47 Firstmaster.domain.local krb5kdc[2141](info): AS_REQ (4 > etypes {18 17 16 23}) 10.x.x.x: LOOKING_UP_CLIENT: admin@domain.LOCAL for > krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Server error Hello, this is rea