On 01/02/2017 11:22 PM, Alan Latteri wrote:
I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa
to 4.4. On some clients they failed to re-authenticate post upgrade. I then
did an
ipa-client-install --uninstall, and then tried re-joining to IPA server with
ipa-client-
Hi,
I have trouble with resolving AD users from my IPA clients.
Environment: 2x IPA server with trust into AD - both IPA servers and clients
running latest rhel 7.3.
IPA domain: vs.example.com
AD domain: example.com, cen.example.com
All tstx users are in cen.example.com but their UPN
Hello Mike,
I don't know if I'm aligned with your problem, but generally I was facing a
SAN cert issue too.
Not sure if you're terminating SSL/TLS on the load balancer or not?
Usually I do SAN certs in IPA via GUI/IdM.
I am adding a service and hosts assigned to that service.
Every host has an
Maciej,
Thank you for the information. I am not terminating at a load balancer.
Originally, I was trying to use a Route53 DNS CNAME entry of
ipa.dev.crosschx.com but we found documentation that says the entry should
be an A record and not a CNAME. I then created an A record in FreeIPA for
ipa.d
Hi All,
We have a topo with 3x IPA servers + freeradius.
Freeradius is being used to do mschap with wifi APs. Freeradius connects
over ldap to IPA.
In order to do the challenge-response thing, freeipa has AllowNTHash
enabled.
So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi aut
Good Morning!
Happy New Year to you, and any news on getting to FIPS Compliance?
Michael Sean Conley
Principal Systems Engineer
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the proj
I see.
Generally the SAN thing I mentioned does the job but definitely not in your
case.
An IPA power user is needed here.
On Tue, Jan 3, 2017 at 4:26 PM, Michael Plemmons <
michael.plemm...@crosschx.com> wrote:
> Maciej,
> Thank you for the information. I am not terminating at a load
> balan
I am experiencing difficulty dragging this over the finish line. I have many
CentOS hosts authenticating to IPA, but have hit the wall on OS-X.
I consider myself pretty strong on os-x, and have run OpenDirectory (though
that was ten years ago). My issue appears to be the LDAP mapping between OD
On 01/03/2017 04:28 PM, Sean Conley wrote:
> Good Morning!
>
> Happy New Year to you, and any news on getting to FIPS Compliance?
>
> *Michael Sean Conley*
>
> Principal Systems Engineer
>
>
>
Hello Sean,
It's being actively developed and support of it will most likely be part
of FreeIPA 4.
Morning,
Hope the Holidays went well for you all.
I have been trying to find documentation on the required min sssd
version needed to run otp (2 factor) with no luck. Was hoping you all
might know.
I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
enough version t
Disregard... apparently I am blind. Min is 1.12 per IPA docs.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: freeipa-users
Date: 01/03/2017 10:15 AM
Subject: Minimum SSSD version for 2 factor
Morning,
Hope the Holidays went well for you all.
I have been trying
"Sean Hogan" writes:
>I have been trying to find documentation on the required min sssd
> version needed to run otp (2 factor) with no luck. Was hoping you all
> might know.
> I see RHEL 6.8 comes with 1.13 SSSD so was wondering if that would be high
> enough version to work with IPA 4.X OTP
On 01/02/2017 08:46 PM, nirajkumar.si...@accenture.com wrote:
> Hi Prtr,
>
> Can you please suggest how to do it with plugins and which plugin I need to
> use and how to integrate that plugin with freeipa.
>
> Thanks
> Niraj
Disclaimer: the example below is not really safe because it doesn't
ha
On (03/01/17 10:15), Sean Hogan wrote:
>
>Morning,
>
> Hope the Holidays went well for you all.
>
> I have been trying to find documentation on the required min sssd
>version needed to run otp (2 factor) with no luck. Was hoping you all
>might know.
>I see RHEL 6.8 comes with 1.13 SSSD so was
On 03/01/2017 15:28, Maciej Drobniuch wrote:
We have a topo with 3x IPA servers + freeradius.
Freeradius is being used to do mschap with wifi APs. Freeradius
connects over ldap to IPA.
In order to do the challenge-response thing, freeipa has AllowNTHash
enabled.
So I wanted to enable 2FA/O
I'm running FreeIPA 4.4.0 on CentOS 7.3 and I almost succeeded in renaming a
duplicate, but then this happens:
modifying rdn of entry
"cn=ipaservers+nsuniqueid=9865b29e-c9a411e6-a937f721-75eb0f97,cn=hostgroups,cn=accounts,dc=test,dc=local"
ldap_rename: Operations error (1)
The commands were:
$
Log is attached.
ipaclient-install.log
Description: Binary data
> On Jan 3, 2017, at 12:16 AM, Martin Babinsky wrote:
>
> On 01/02/2017 11:22 PM, Alan Latteri wrote:
>> I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded
>> freeipa to 4.4. On some clients they failed to
Alan Latteri wrote:
> Log is attached.
Look and see if /etc/krb5.conf.d/ and
/var/lib/sss/pubconf/krb5.include.d exist and are readable (and check
for SELinux AVCs). I'm pretty sure this all runs as root so I doubt
filesystem perms are an issue but who knows.
You can also brute force things using
Thanks Rob.
/etc/krb5.conf.d/ was in fact missing from the client, which is still on
CentOS 7.2 for reasons out of our control.
Other hosts that are CentOS 7.2 running IPA Client 4.2.0 also do not have the
/etc/krb5.conf.d/ directory, but are running fine. So maybe the 4.4 client
requires tha
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi,
>
> I have trouble with resolving AD users from my IPA clients.
>
> Environment: 2x IPA server with trust into AD - both IPA servers and clients
> running latest rhel 7.3.
>
> IPA domain: vs.example.com
> AD domain: example.
Further investigation.
On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
missing, and therefore initial setup will fail unless manual creation of
/etc/krb5.conf.d/
Maybe the install script for the client can be updated to check for and create?
Thanks,
Alan
> On Jan 3,
I'm attempting to migrate my IDM server from RHEL6 to RHEL7. Ie. from
IPA 3 to IPA 4. My IPA 3 installation does not manage DNS - but other
than that, it's a very basic installation on a very small set of servers
(less than 50).
To start the migration I run
# ipa-replica-prepare ipa.peterlarsen.or
Alan Latteri wrote:
> Further investigation.
>
> On a clean install of CentOS 7.2 with IPA Client 4.4, /etc/krb5.conf.d/ is
> missing, and therefore initial setup will fail unless manual creation of
> /etc/krb5.conf.d/
> Maybe the install script for the client can be updated to check for and
>
Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is
the version provided.
Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is
out of our control.
Alan
> On Jan 3, 2017, at 8:33 PM, Rob Crittenden wrote:
>
> Alan Latteri wrote:
>> Further inv
I have finally had some luck expunging the remnants of long removed IPA
servers now that I have upgraded to FreeIPA 4.4.
However, when I look at the IPA Servers list under Topology, I now have
three records like so:
Server name Min domain level Max domain level Managed suffixes
Hi,
While trying to create an IPA replica, I am getting the below error,
Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.
The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.
To set up a
26 matches