Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > Hi folks, > > running freeipa client 4.3.2-5 and sssd 1.15.0-3 on > Debian Stretch ~~ This is important I guess. Since SSSD 1.15, SSSD allows to socket-activate the services, so it is no longer required to have them ex

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
Hi Jakub, On 03/03/17 09:32, Jakub Hrozek wrote: > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: >> Hi folks, >> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on >> Debian Stretch > ~~ > This is important I guess. > > Since SSSD 1.15, SSSD allows to socket-act

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: > Hi Jakub, > > On 03/03/17 09:32, Jakub Hrozek wrote: > > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > >> Hi folks, > >> > >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on > >> Debian Stretch > > ~~

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-03 Thread Tomas Krizek
On 03/02/2017 06:25 PM, Chris Herdt wrote: > On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti >wrote: > > > > > On 02.03.2017 16:55, Chris Herdt wrote: >> >> >> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti > > wrote: >> >> >> >>

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
On 03/03/17 10:14, Jakub Hrozek wrote: > On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: >> >> This is systemd-only? >> >> Wouldn't it be better to create a working sssd.conf, no matter >> what? > > It is up to whoever is creating the sssd.conf. As I said, the change is > backwards-

Re: [Freeipa-users] Can mount NFS, but user only gets the permission question marks

2017-03-03 Thread Kees Bakker
On 02-03-17 14:55, Brendan Kearney wrote: > On 03/02/2017 08:43 AM, Kees Bakker wrote: >> On 02-03-17 13:34, Brendan Kearney wrote: >>> On 03/02/2017 05:40 AM, Kees Bakker wrote: On 24-02-17 14:38, Brendan Kearney wrote: > On 02/24/2017 03:33 AM, Kees Bakker wrote: >> On 23-02-17 15:39

Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-03 Thread Umarzuki Mochlis
At first ip-getcert list shows certificate error ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). but after I changed ipa server's date to before expiration date, it shows ca-error: Server failed r

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Rob Crittenden
Harald Dunkel wrote: > On 03/03/17 10:14, Jakub Hrozek wrote: >> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: >>> >>> This is systemd-only? >>> >>> Wouldn't it be better to create a working sssd.conf, no matter >>> what? >> >> It is up to whoever is creating the sssd.conf. As I sa

Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-03 Thread Rob Crittenden
Umarzuki Mochlis wrote: > At first ip-getcert list shows certificate error > > ca-error: Server failed request, will retry: -504 (libcurl failed to > execute the HTTP POST transaction, explaining: Peer's Certificate has > expired.). > > but after I changed ipa server's date to before expirate dat

[Freeipa-users] Freeipa 4.4 creating users with expiration

2017-03-03 Thread Rakesh Rajasekharan
Hello, Am using Freeipa 4.4 version. I would like to create a few users only valid for a few days or months. So, is there a way to create a few users with a preset expiration or auto lock those accounts after a few days? Thanks Rakesh

[Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
Hello, I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the first they are being prom

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Alexander Bokovoy
On pe, 03 maalis 2017, Jason B. Nance wrote: Hello, I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second L

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Robbie Harwood
"Jason B. Nance" writes: > I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users > connecting to Linux servers from their domain-joined workstations are > not required to enter a password for the first connection. However, > if they attempt to ssh to a second Linux machine from the f

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting >>to >>Linux servers from their domain-joined workstations are not required to enter >>a >>password for the first connection. However, if they attempt to ssh to a >>second >>Linux machine from the first they are bein

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users >> connecting to Linux servers from their domain-joined workstations are >> not required to enter a password for the first connection. However, >> if they attempt to ssh to a second Linux machine from the first they >> are being

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Alexander Bokovoy
On pe, 03 maalis 2017, Jason B. Nance wrote: I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machin

Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users connecting to Linux servers from their domain-joined workstations are not required to enter a password for the first connection. However, if they attempt to ssh to a second Linux machine from the first

[Freeipa-users] [solved] Re: GSSAPI for second hop (SSH)

2017-03-03 Thread Jason B. Nance
>I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users >connecting to >Linux servers from their domain-joined workstations are not required to >enter a >password for the first connection. However, if they attempt to ssh to a >second >Linux machine from th

Re: [Freeipa-users] cannot connect to ldaps during replica install, port 636 not listening

2017-03-03 Thread Chris Herdt
On Fri, Mar 3, 2017 at 4:22 AM, Tomas Krizek wrote: > > > On 03/02/2017 06:25 PM, Chris Herdt wrote: > > On Thu, Mar 2, 2017 at 10:06 AM, Martin Basti wrote: >> >> >> >> >> On 02.03.2017 16:55, Chris Herdt wrote: >> >> >> >> On Thu, Mar 2, 2017 at 2:48 AM, Martin Basti wrote: >>> >>> >>> >>> On

[Freeipa-users] Can kerberos SSSD provider be used against IPA

2017-03-03 Thread William Muriithi
Hello, I just came across this document. https://www.susecon.com/doc/2015/sessions/TUT19343.pdf If you look at page 8, that diagram implies that the kerberos provider can only be used against an Active Directory back end. However, this Red Hat article below recommended the solution above for an IPA setu