Re: [Freeipa-users] How long should it take to propagate user role changes?

2017-04-06 Thread greg
Hey, Is that the sssd configuration on the server or the client? There's no sss_cache executable on the client; is that correct? I noticed that when I remove a user from the sudo role, the clients notice it almost immediately, but when I readd the sudo role, it doesn't come back. I usually

Re: [Freeipa-users] How long should it take to propagate user role changes?

2017-04-06 Thread greg
Actually I just saw Jakub's response, and that helped me out. I just added this to the sssd.conf on the client, and it seems to work: [domain/ipa.services.FOO] ldap_sudo_smart_refresh_interval = 60 ldap_sudo_full_refresh_interval = 21600 Thanks, all! On 2017-04-06 11:47,

[Freeipa-users] ipa-getkeytab client equivalent for Unix

2017-04-06 Thread Iulian Roman
Hello, Can anybody explain briefly what ipa-getkeytab runs under the hood in order to use similar logic for unix clients (will help in automating the registration to IPA server) ? Thank You !

[Freeipa-users] user keytab retrieval

2017-04-06 Thread Stijn De Weirdt
hi all, (this is IPA 4.4.0-14.el7.centos.4) i'm a bit puzzled by the following: i want to retrieve a user keytab using ipa-getkeytab -r (since the keytab for the same user was already retrieved on another host). when doing so, i get Failed to parse result: Insufficient access rights however,

Re: [Freeipa-users] Problem with sid creation

2017-04-06 Thread Alexander Bokovoy
On Thu, 06 Apr 2017, Mikael wrote: Hello! I try to create sids for all my users when running ipa-adtrust-install but there are no signs of the sids in ldap and I get the following error in the error log for the directory server. [06/Apr/2017:17:18:02.336841997 +0200] sidgen_task_thread -

[Freeipa-users] Problem with sid creation

2017-04-06 Thread Mikael
Hello! I try to create sids for all my users when running ipa-adtrust-install but there are no signs of the sids in ldap and I get the following error in the error log for the directory server. [06/Apr/2017:17:18:02.336841997 +0200] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]:

Re: [Freeipa-users] ipa-getkeytab client equivalent for Unix

2017-04-06 Thread Rob Crittenden
Iulian Roman wrote: > Hello, > > Can anybody explain briefly what ipa-getkeytab runs under the hood in > order to use similar logic for unix clients (will help in automating > the registration to IPA server) ? > > Thank You ! Honestly your best bet would be to pull the freeipa source and

Re: [Freeipa-users] Fwd: Marking subdomain offline

2017-04-06 Thread Chris Dagdigian
I see similar things in our environment where IPA is used as "glue" between AD Forests that have a 1-way trust relationship. We believe that the root cause has something to do with the 30+ domain controllers the IPA client tries to make contact with (in seemingly random order) across the AD

[Freeipa-users] Fwd: Marking subdomain offline

2017-04-06 Thread mike
Hi, My IPA<->AD trust setup experiences intermittent failures during login events. The AD subdomain goes in an inactive/offline state and users logging in are put into a 'delayed authentication' queue. Usually logging in after a minute or so succeeds as the subdomain is reset and the user is

[Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-06 Thread spammewoods
I have created a two way trust between my IDM server and Active Directory. I have been able to successfully get RHEL 7.3 IDM server and RHEL 7.3 IDM clients to allow Active Directory login using CAC smart cards into Gnome. I'm using SSSD for the smart card login process instead of

Re: [Freeipa-users] Fwd: Marking subdomain offline

2017-04-06 Thread Jakub Hrozek
On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote: > Hi, > > My IPA<->AD trust setup experiences intermittent failures during login > events. The AD subdomain goes in an inactive/offline state and users logging > in are put into a 'delayed authentication' queue. Usually

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Sumit Bose
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote: > On 2017-04-06 12:16, Sumit Bose wrote: > > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote: > > [...] > > > AD trust: > > > mydomain.at (forest root) > > > xyz (subdomain -> where myuser resides) > > > > > > BCC

Re: [Freeipa-users] user keytab retrieval

2017-04-06 Thread Stijn De Weirdt
hi rob, >> i'm a bit puzzled by the following: i want to retrieve a user keytab >> using ipa-getkeytab -r (since the keytab for the same user was already >> retrieved on another host). >> >> when doing so, i get >> >> Failed to parse result: Insufficient access rights >> >> however, i can get the

Re: [Freeipa-users] user keytab retrieval

2017-04-06 Thread Rob Crittenden
Stijn De Weirdt wrote: > hi all, > > (this is IPA 4.4.0-14.el7.centos.4) > > i'm a bit puzzled by the following: i want to retrieve a user keytab > using ipa-getkeytab -r (since the keytab for the same user was already > retrieved on another host). > > when doing so, i get > > Failed to parse

Re: [Freeipa-users] Fwd: Marking subdomain offline

2017-04-06 Thread mike
On 2017-04-06 20:18, Jakub Hrozek wrote: On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote: Hi, My IPA<->AD trust setup experiences intermittent failures during login events. The AD subdomain goes in an inactive/offline state and users logging in are put into a 'delayed

Re: [Freeipa-users] user keytab retrieval

2017-04-06 Thread Rob Crittenden
Stijn De Weirdt wrote: > hi rob, > >>> i'm a bit puzzled by the following: i want to retrieve a user keytab >>> using ipa-getkeytab -r (since the keytab for the same user was already >>> retrieved on another host). >>> >>> when doing so, i get >>> >>> Failed to parse result: Insufficient access

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Ronald Wimmer
Quoting Sumit Bose: On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote: On 2017-04-06 12:16, Sumit Bose wrote: > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote: > [...] > > AD trust: > > mydomain.at (forest root) > > xyz (subdomain -> where myuser

Re: [Freeipa-users] Upgrade from IPA 4.2

2017-04-06 Thread Andrey Ptashnik
Thank you for the hint, Martin! Looks like the upgrade went smoothly just with yum upgrade. Following the multi-step upgrade in previous versions I was hesitant this time. Andrey From: Martin Bašti Date: Wednesday, April 5, 2017 at 4:11 AM To: Lachlan Musicman

Re: [Freeipa-users] SSSD hangs on IPA master

2017-04-06 Thread Ronald Wimmer
On 2017-04-04 11:19, Jakub Hrozek wrote: On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote: Hi, my IPA master has an AD trust (several thousand users). Since the trust has been set up I am experiencing that I cannot login on the web interface. Even connecting via SSH does not work

Re: [Freeipa-users] Creating trust relationship that survive password rotation

2017-04-06 Thread Alexander Bokovoy
On Wed, 05 Apr 2017, William Muriithi wrote: Good evening, I am looking through the IPA documentation and it looks like I will need a password that doesn't expire on the active directory side. No. These are the two documented ways. ipa trust-add --type=ad ad.example.com --admin

Re: [Freeipa-users] How long should it take to propagate user role changes?

2017-04-06 Thread Jakub Hrozek
On Thu, Apr 06, 2017 at 09:11:32AM +0200, Martin Bašti wrote: > > > On 06.04.2017 01:57, Greg Gilbert wrote: > > Hey. I'm a bit new to FreeIPA, so apologies if this has already been > > addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7, > > and FreeIPA client 4.3.1 on Ubuntu

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Sumit Bose
On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote: > Hi, > > when I try to login to an IPA client with my AD user it works perfectly when > I already have a kerberos ticket for my user. When I do not and I try a > password-based login it fails: Please send the sssd_domain.log and

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Ronald Wimmer
On 2017-04-06 11:21, Sumit Bose wrote: On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote: Hi, when I try to login to an IPA client with my AD user it works perfectly when I already have a kerberos ticket for my user. When I do not and I try a password-based login it fails: Please

[Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Ronald Wimmer
Hi, when I try to login to an IPA client with my AD user it works perfectly when I already have a kerberos ticket for my user. When I do not and I try a password-based login it fails: Password-based: (Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Ronald Wimmer
On 2017-04-06 12:58, Ronald Wimmer wrote: [...] BCC (appearing in krb5_child.log) is not a domain here. It is my company's name and might derive from some information in the AD. After doing an LDAP search on the domain controller of my AD domain (xyz.mydomain.at) I found out that my

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Sumit Bose
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote: > On 2017-04-06 11:21, Sumit Bose wrote: > > On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote: > > > Hi, > > > > > > when I try to login to an IPA client with my AD user it works perfectly > > > when > > > I already have

Re: [Freeipa-users] Password-based authentication with AD users does not work

2017-04-06 Thread Ronald Wimmer
On 2017-04-06 12:16, Sumit Bose wrote: On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote: [...] AD trust: mydomain.at (forest root) xyz (subdomain -> where myuser resides) BCC (appearing in krb5_child.log) is not a domain here. It is my company's name and might derive from some

Re: [Freeipa-users] How long should it take to propagate user role changes?

2017-04-06 Thread Martin Bašti
On 06.04.2017 01:57, Greg Gilbert wrote: Hey. I'm a bit new to FreeIPA, so apologies if this has already been addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7, and FreeIPA client 4.3.1 on Ubuntu nodes. I've noticed that when I make changes to policies, it either takes a

Re: [Freeipa-users] getcert, multiple alternative names (SANs), and wildcard certificates

2017-04-06 Thread Fraser Tweedale
On Wed, Apr 05, 2017 at 10:38:48PM -0700, Wim Lewis wrote: > With a bit of tweaking, I was able to generate a usable > certificate by creating a second host entry, > 'wildcard.blah.example.com', managed by blah.example.com, and then > editing the leftmost label from 'wildcard' to '*' in all of the