[Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-02 Thread Genadi Postrilko
Hi all. I have a running IPA Server (3.0.0-37) on RHEL 6.2. I'm trying to create a Trust between the IPA server and AD (in different DNS domains). I followed the Red Hat guide

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-02 Thread Genadi Postrilko
sshd[4868]: Failed password for invalid user administra...@addc.com from 192.168.227.100 port 62484 ssh2 2014/1/2 Rob Crittenden rcrit...@redhat.com Genadi Postrilko wrote: Hi all. I have a running IPA Server (3.0.0-37) on RHEL 6.2. I'm trying to create Trust between IPA server and AD

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-02 Thread Genadi Postrilko
Here are the sssd.log and sssd_nss.log. Other logs were empty or did not contain the output for the relevant login. https://gist.github.com/anonymous/8228284 2014/1/2 Dmitri Pal d...@redhat.com On 01/02/2014 04:45 PM, Genadi Postrilko wrote: It's a newly installed IPA Server, haven't

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-03 Thread Genadi Postrilko
Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log). https://gist.github.com/anonymous/8242061 I attempted to log in (as administra...@addc.com) at 9:04. Thanks for the help.

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-04 Thread Genadi Postrilko
sshd[5958]: Failed password for invalid user administra...@addc.com from 192.168.227.1 port 53125 ssh2 2014/1/3 Genadi Postrilko genadip...@gmail.com Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log). https://gist.github.com/anonymous/8242061 I attempted to log

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-05 Thread Genadi Postrilko
, then joined the IPA clients and finally created the trust. 2014/1/5 Dmitri Pal d...@redhat.com On 01/04/2014 06:13 PM, Genadi Postrilko wrote: Output from /var/log/secure: Jan 4 15:03:02 ipaserver sshd[5958]: Invalid user Administrator@ADDC.COM from 192.168.227.1 Jan 4 15:03:02 ipaserver sshd

Re: [Freeipa-users] Cannot log in via SSH with AD user to IPA Domain.

2014-01-06 Thread Genadi Postrilko
: S-1-5-21-33789592-1708006097-2663368750 Active Directory : No Native: No Primary : No 2014/1/6 Jakub Hrozek jhro...@redhat.com On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote: Here are the other logs as well (ldap_child.log, sssd_pac.log

[Freeipa-users] Choosing the right way to create trust

2014-02-11 Thread Genadi Postrilko
I work in an environment where the AD is the DC of the Windows machines, while the Linux machines (RHEL 5/6) are not centrally managed. I would like to create an IPA server to manage the Linux machines while creating a trust with AD. The current situation is that all Windows and Linux machines are under

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux machines, so they will keep the old FQDN? On Feb 12, 2014 10:49 AM, Martin Kosek mko...@redhat.com wrote: On 02/11/2014 07:29 PM, Genadi Postrilko wrote: I work in an environment where the AD is the DC of the Windows

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
Client's local hostname must match the DNS A record?

[Freeipa-users] Issues creating trust with AD.

2014-02-14 Thread Genadi Postrilko
I have seen threads that were opened on trust issues: AD - Freeipa trust confusion; Cross domain trust; Cannot log in via SSH with AD user to IPA Domain - which I opened. It looks like after creation of the trust, a TGT ticket can be issued from AD, but su and ssh do not allow a login with an AD user. I'm not

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-17 Thread Genadi Postrilko
linux.adexample.com = LINUX.ADEXAMPLE.COM And again, thank you. I was stuck on it for a long time. 2014-02-17 10:34 GMT+02:00 Sumit Bose sb...@redhat.com: On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote: I have seen threads that were opened on trust issues: AD - Freeipa trust

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-20 Thread Genadi Postrilko
Update: For some reason the AD server has rebooted itself. After the reboot I couldn't perform kinit with AD users. I found a bugzilla that describes the symptoms that I experienced: https://bugzilla.redhat.com/show_bug.cgi?id=878564 Not sure if it is the same bug - the bugzilla reports a bug in

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-21 Thread Genadi Postrilko
conclusions. Not sure if opening a bug is needed. 2014-02-21 17:38 GMT+02:00 Simo Sorce s...@redhat.com: On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote: Update: For some reason the AD server has rebooted itself. After the reboot I couldn't perform kinit with AD users. I found

[Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-18 Thread Genadi Postrilko
Hello all. I'm trying to understand the use of the certificates in the communication between an IPA client and server. The documentation describes the retrieval of the CA certificate during client setup: Retrieve the CA certificate for the IdM CA And retrieval of the SSL server certificate: Enable

Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-19 Thread Genadi Postrilko
Thank you for the answer. Sorry if I lack the knowledge, but why is SSL needed when using Kerberos? Kerberos is based on a trusted third party, so why is there a need for public key encryption? On Mar 19, 2014 12:24 AM, Rob Crittenden rcrit...@redhat.com wrote: Genadi Postrilko wrote: Hello

Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-28 Thread Genadi Postrilko
Thank you for the answer. Is the communication between IPA Client and Server HTTPS-based, not just SSL over TCP? And what about Kerberos? Does it have to be over HTTP, or is it purely over TCP/UDP? 2014-03-19 10:56 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: On Wed, 19 Mar 2014, Genadi Postrilko

Re: [Freeipa-users] freeIPA client sudo / sssd setup

2014-04-08 Thread Genadi Postrilko
Have you installed libsss_sudo? Try to follow the instructions here: https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html and http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf 2014-04-08 22:17 GMT+03:00 Mark Gardner malek...@gmail.com: I know I'm missing

[Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-15 Thread Genadi Postrilko
Hello all! I have deployed a test environment for the AD trust feature; the environment contains: Windows Server 2008 - AD Server. RHEL 7 - IPA 3.3 Server. RHEL 6.2 - IPA Client. I have established the trust with IPA in a subdomain of AD. AD DNS domain - blue.com; IPA DNS domain - linux.blue.com

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-17 Thread Genadi Postrilko
Sumit Bose sb...@redhat.com: On Tue, Sep 16, 2014 at 01:39:41AM +0300, Genadi Postrilko wrote: Hello all! I have deployed a test environment for the AD trust feature; the environment contains: Windows Server 2008 - AD Server. RHEL 7 - IPA 3.3 Server. RHEL 6.2 - IPA Client. I have

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-19 Thread Genadi Postrilko
GMT+03:00 Sumit Bose sb...@redhat.com: On Tue, Sep 16, 2014 at 01:39:41AM +0300, Genadi Postrilko wrote: Hello all! I have deployed a test environment for the AD trust feature; the environment contains: Windows Server 2008 - AD Server. RHEL 7 - IPA 3.3 Server. RHEL 6.2 - IPA Client

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot

2014-09-24 Thread Genadi Postrilko
2014-09-22 9:29 GMT+03:00 Petr Spacek pspa...@redhat.com: 'IPA forwarders' are exactly the same as normal 'BIND forward zone' so they involve normal DNS cache. Which type of forwarder do you have configured? Is your 'forwarding policy' set to 'first' (default) or 'only'? I have default

Re: [Freeipa-users] AD Trust - Cannot resolve servers for KDC after reboot [SOLVED]

2014-09-25 Thread Genadi Postrilko
The NetworkManager service was overriding /etc/resolv.conf, so kinit couldn't resolve with the right DNS server. After stopping NetworkManager and disabling its startup on boot, I can kinit with no problem. I didn't even have to change to forward-policy=only. Thank you for the help, and

[Freeipa-users] Firewall rules for AD TRUST

2014-09-29 Thread Genadi Postrilko
Hello all again. I am trying to make sense of the documentation on firewall rules for an IPA/AD Trust relationship. The official RHEL 7 Windows Integration Guide states in section 5.2.6 Firewalls And Ports that: For a trust relationship, the Active Directory server and IdM server must have

[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-07 Thread Genadi Postrilko
Hello. I am attempting to create a trust between AD and IPA. I have deployed the AD environment as follows: I have created the domain RED.COM. Then I added a new domain tree root, BLUE.COM. Now I would like to establish a trust with IPA as a subdomain (LINUX.BLUE.COM) of BLUE.COM. I followed the guide and

Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-08 Thread Genadi Postrilko
Both Domain functional level and Forest functional level are Windows Server 2008 R2. 2014-10-08 9:24 GMT+02:00 Sumit Bose sb...@redhat.com: On Wed, Oct 08, 2014 at 02:42:47AM +0200, Genadi Postrilko wrote: Hello. I am attempting to create trust between AD and IPA. I have deployed AD

Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-08 Thread Genadi Postrilko
The IPA server is able to resolve blue.com. dig SRV _ldap._tcp.blue.com does return an answer. 2014-10-08 14:11 GMT+02:00 Dmitri Pal d...@redhat.com: On 10/08/2014 07:29 AM, Genadi Postrilko wrote: Both Domain functional level and Forest functional level are Windows Server 2008 R2. Does

Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-09 Thread Genadi Postrilko
to IPA domain? And so are users from other child and root domains in the forest? 2014-10-08 19:06 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: On Wed, 08 Oct 2014, Genadi Postrilko wrote: 2014-10-08 17:48 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: On Wed, 08 Oct 2014, Genadi

Re: [Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

2014-10-11 Thread Genadi Postrilko
All understood :) Thank you (and all others who responded) for the explanations. Genadi. 2014-10-10 6:26 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: On Fri, 10 Oct 2014, Genadi Postrilko wrote: Thank you for providing the reference. I understood that when creating a forest trust

[Freeipa-users] Using Selective authentication on AD-IPA trust.

2014-10-19 Thread Genadi Postrilko
Hello all! I am working on integrating IPA in a Microsoft-dominated organization. After playing around with Cross forest trust and Directory server synchronization I came to the conclusion that Trust is the right way to go, because it involves less configuration on the AD side and it's the direction

Re: [Freeipa-users] Using Selective authentication on AD-IPA trust.

2014-10-25 Thread Genadi Postrilko
We need to get host/ipa.master and HTTP/ipa.master principals to get authenticated read-only access to the AD DC and LDAP servers. The problem is that granting this access in the 'Selective authentication' case will prevent the trust from working. Are only the IPA servers accessing the AD DC? Or all the

Re: [Freeipa-users] freeipa-server from copr repo

2014-11-21 Thread Genadi Postrilko
Ok :) Thank you for the response. 2014-11-21 10:39 GMT+02:00 Martin Kosek mko...@redhat.com: On 11/21/2014 09:30 AM, Genadi Postrilko wrote: Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you can look forward to that :-) Martin Will it be included

[Freeipa-users] Certificate Authorities requirement for Cross realm trust?

2014-12-16 Thread Genadi Postrilko
In the Windows Integration guide the need for CA is mentioned. Both Active Directory and Identity Management must be configured with integrated certificate services.

[Freeipa-users] Importing /etc/sudoers into IPA.

2014-12-22 Thread Genadi Postrilko
Hello All. I'm planning to migrate /etc/sudoers into IPA. I have read that sudoers2ldif should be used to import /etc/sudoers into LDAP. http://www.sudo.ws/sudo/readme_ldap.html Will the script work as is, or should changes be made? Should the users and groups mentioned in sudoers be

Re: [Freeipa-users] Importing /etc/sudoers into IPA.

2014-12-22 Thread Genadi Postrilko
[mailto: freeipa-users-boun...@redhat.com] On Behalf Of Genadi Postrilko Sent: Monday, December 22, 2014 1:38 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Importing /etc/sudoers into IPA. Hello All. I'm planning to migrate /etc/sudoers into IPA. I have read

Re: [Freeipa-users] Importing /etc/sudoers into IPA.

2014-12-24 Thread Genadi Postrilko
OK, I will try and brew something. Thank you for the response. 2014-12-23 23:28 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: Hi, -- Hello All. I'm planning to migrate the /etc/sudoers into the IPA. I have read that sudoers2ldif should be used to import

Re: [Freeipa-users] Importing /etc/sudoers into IPA.

2014-12-28 Thread Genadi Postrilko
Thank you for the response. The number of rules is: 50+ Host_Alias, 50+ User_Alias, 10+ Runas_Alias, 450+ Cmnd_Alias. The user/groups to command mapping itself is about 50 more rules. 2014-12-27 23:28 GMT+02:00 Rob Crittenden rcrit...@redhat.com: Genadi Postrilko wrote: I'm not sure I

[Freeipa-users] IPA trust integration in AD Forests that have been upgraded to a higher functional level

2015-01-02 Thread Genadi Postrilko
Hello all. I'm working on integrating the AD trust feature in the forest of a large organization (its network is not connected to the internet). First I tested the trust in a clean environment (that I have deployed) to simulate the production forest deployment, in the following configuration: The

Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.

2015-02-02 Thread Genadi Postrilko
Thank you for your reply. I think I'll go with the first option, it's about time to upgrade :). Genadi. 2015-02-01 2:09 GMT+02:00 Dmitri Pal d...@redhat.com: On 01/31/2015 01:37 PM, Genadi Postrilko wrote: Hello all. The environment I'm currently working to migrate under IPA identity

Re: [Freeipa-users] IPA trust integration in AD Forests that have been upgraded to a higher functional level

2015-01-15 Thread Genadi Postrilko
Sorry for the late response. I can confirm that with 3.3.3-28.el7_0.3, I'm able to fetch the sub-domains and to log in with their users. Thank you! 2015-01-04 10:17 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: -- Hello all. I'm working on integrating the AD trust

[Freeipa-users] sssd compatibility with older RHEL 6 minor releases.

2015-01-31 Thread Genadi Postrilko
Hello all. The environment I'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planning to use Active Directory Cross Forest Trust for identities, IPA as sudo provider, and all the other goodies that IPA provides. If I want to enjoy all the new

Re: [Freeipa-users] IPA trust integration in AD Forests that have been upgraded to a higher functional level

2015-01-04 Thread Genadi Postrilko
It will take some time to bring the new packages into the organization's network. But as soon as it happens, I'll inform you of the results. Thank you. 2015-01-04 10:17 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: -- Hello all. I'm working on integrating the AD

Re: [Freeipa-users] IPA trust integration in AD Forests that have been upgraded to a higher functional level

2015-01-04 Thread Genadi Postrilko
I would like to make a correction. The change I made is: if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST'] or (t.trust_attributes & 0x0080)) and (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): and not: if ((t.trust_attributes