Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
:54 PM, Prasun Gera prasun.g...@gmail.com wrote: Sorry, the message got sent accidentally earlier before I could provide all the details. Version: 4.1.0 on RHEL 7.1 x86_64 Steps: 1. ipa-server-install 2. service sshd restart 3. kinit admin - This always works

Re: [Freeipa-users] Automatic client enrollment

2015-03-22 Thread Prasun Gera
: On 03/21/2015 08:57 PM, Prasun Gera wrote: Yes, this approach would work, and it would be a good enhancement. It would make migration from NIS easier with very little impact to users. Are you saying that something like this can be implemented right now? Or do you mean that this is how it could

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-17 Thread Prasun Gera
is conflicting with the subsequent installation with the same domain name Regards, Prasun On Tue, Mar 17, 2015 at 2:41 PM, Prasun Gera prasun.g...@gmail.com wrote: Hello, I installed the ipa-server on an RHEL 7.1 system, uninstalled it and reinstalled it with the same domain name as the first

[Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-17 Thread Prasun Gera
Hello, I installed the ipa-server on an RHEL 7.1 system, uninstalled it and reinstalled it with the same domain name as the first time. This somehow creates problems with ssh authentication on the server from external systems as well as from the server itself. Steps: 1. ipa-server-install 2.

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
...@redhat.com wrote: Prasun Gera wrote: How do I confirm that there are no certs left behind and that cert-monger isn't tracking them? I'm a bit new to all the components used by IPA. I do see that the /root/cacert.p12 file is never deleted. Not clean but this shouldn't prevent re-install

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
I think I have figured it out. The contents of /var/lib/sss/db are not cleared on uninstall. Stopping sssd, clearing that directory and restarting sssd solves the problem. Is there a reason why this is not cleared on uninstall? On Wed, Mar 18, 2015 at 6:35 PM, Prasun Gera prasun.g...@gmail.com

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-19 Thread Prasun Gera
: On 19 Mar 2015, at 20:09, Prasun Gera prasun.g...@gmail.com wrote: I thought a bit more about the issue of conflicts in /var/lib/sss/db, and I think it's a pretty significant problem, probably from a security standpoint too. The fact that it's trying to authenticate against something stale

[Freeipa-users] Automatic client enrollment

2015-03-21 Thread Prasun Gera
Is it possible to completely automate the client enrollment process similar to securenets in NIS? I'm trying to migrate NIS to IDM, and hoping that it runs largely in auto-pilot mode. The kickstarter method suggests adding host entries with a one time kerberos password to launch unattended client

Re: [Freeipa-users] Automatic client enrollment

2015-03-21 Thread Prasun Gera
a request to the host admin? Is there a host admin daemon that listens for these requests ? On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal d...@redhat.com wrote: On 03/21/2015 05:53 AM, Prasun Gera wrote: Is it possible to completely automate the client enrollment process similar to securenets

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-19 Thread Prasun Gera
I thought a bit more about the issue of conflicts in /var/lib/sss/db, and I think it's a pretty significant problem, probably from a security standpoint too. The fact that it's trying to authenticate against something stale and incorrect would imply that it might erroneously authenticate against

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-20 Thread Prasun Gera
server with the same domain name (in a scenario where the master has been replaced or something similar). I don't know how that is handled, but it could create similar problems. On Fri, Mar 20, 2015 at 4:25 AM, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 05:50:50PM -0400, Prasun

Re: [Freeipa-users] Debian 7.0.8 and REHL IPA

2015-03-24 Thread Prasun Gera
I tried setting up the client on an ubuntu 12.04 system, and had some initial hiccups. I used the ppa for ipa and sssd. This bug report lists some pitfalls: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215. I don't know why it is marked as won't fix, but it affects 12.04, which is

Re: [Freeipa-users] Understanding the migration mode

2015-03-31 Thread Prasun Gera
The idea is that you tell all the users to either login via migration page or via SSSD. If your server is in a migration mode the migration page should be available and SSSD should detect that server is in migration mode. In this case any authentication via SSSD will end up creating proper

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Prasun Gera
The passwords will only show if they are in {crypt} format. If the password is changed in IPA it will use the default 389-ds password scheme which is a salted SHA. Yes, that's right. If the password is changed in IPA afterwards, it will stop working for NIS clients. This is the expected

Re: [Freeipa-users] Understanding the migration mode

2015-03-31 Thread Prasun Gera
for persisting with this. It's pretty clear how it works now. On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera prasun.g...@gmail.com wrote: ? SSSD does not seem to be involved as user is found in the /etc/passwd and this SSSD should not do anything. It's not a local user. There's no entry in /etc

Re: [Freeipa-users] Understanding the migration mode

2015-03-27 Thread Prasun Gera
Keys can be generated in migration in two ways: by the migration web UI or by sssd. I'm guessing you were unaware of this second method and that is how the keys are being created. That's what I suspected too. But it doesn't look like SSSD is generating keys. At least not right away. I SSHed

[Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera
Hello, I followed https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords in order to migrate our NIS installation, and for the most part it worked. The server responds to ypcat from the NIS clients, and users can log in. However, I'm seeing a couple of weird issues. Normally,

Re: [Freeipa-users] Understanding the migration mode

2015-03-26 Thread Prasun Gera
available: True, and their cryptpasses have changed to * in ypcat passwd's output. On Thu, Mar 26, 2015 at 5:59 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 02:29 PM, Prasun Gera wrote: Hello, I followed https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
...@redhat.com wrote: On 03/17/2015 02:54 PM, Prasun Gera wrote: Sorry, the message got sent accidentally earlier before I could provide all the details. Version: 4.1.0 on RHEL 7.1 x86_64 Steps: 1. ipa-server-install 2. service sshd restart 3. kinit admin - This always

Re: [Freeipa-users] Understanding the migration mode

2015-04-02 Thread Prasun Gera
encodings which allow MD5, SHA256 and SHA512 ( https://docs.python.org/3/library/crypt.html) . Is it possible to force one of those as the storage scheme in the directory server ? On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera prasun.g...@gmail.com wrote: I've figured it out. You are right. SSSD triggers

Re: [Freeipa-users] Understanding the migration mode

2015-04-02 Thread Prasun Gera
in recent glibcs supports them. Would it make sense to add the other options to the encoding function ? On Thu, Apr 2, 2015 at 3:27 AM, Prasun Gera prasun.g...@gmail.com wrote: I tried enabling crypt for experimentation, and things seem to work well for both NIS and SSSD clients. I noticed

Re: [Freeipa-users] Understanding the migration mode

2015-04-03 Thread Prasun Gera
, or live with DES crypt if one wants to do a staged migration from NIS. On Fri, Apr 3, 2015 at 9:06 AM, Simo Sorce s...@redhat.com wrote: On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote: I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks like it is hardcoded

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-13 Thread Prasun Gera
for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com wrote: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Prasun Gera
need have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) On 04/13/2015 08:58 PM, Prasun Gera wrote: Just a follow up. I thought that making NFS

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Prasun Gera
the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result? On 04/14/2015 10:37 AM, Prasun Gera wrote: Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( Use a remote

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 --Solved

2015-06-05 Thread Prasun Gera
I had faced a similar issue a month ago, for which I had created a ticket. https://fedorahosted.org/freeipa/ticket/4956 On Fri, Jun 5, 2015 at 7:30 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Fri, 05 Jun 2015, Christopher Lamb wrote: Hi Martin Thanks for updating the documentation!

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-26 Thread Prasun Gera
I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing. However, if you already have a network of old and new machines

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-24 Thread Prasun Gera
Thanks. It's good to know that it is fixed upstream. For discussion though, are any enhancements planned for dealing with installation/removal of ipa ? On Wed, Jun 24, 2015 at 12:49 AM, Jakub Hrozek jhro...@redhat.com wrote: On Tue, Jun 23, 2015 at 10:46:14PM -0700, Prasun Gera wrote: After

[Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-06-23 Thread Prasun Gera
Version: idm 4.x on rhel 7.1 Yet again, I've discovered a problem with residual state left behind by ipa client install and uninstall scripts. I was having some trouble with autofs+sssd leading to users not being mapped correctly (got nobody users for everything). So I tried

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-26 Thread Prasun Gera
More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant). I.e. the client side is *in the worst case* (without

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-02 Thread Prasun Gera
How smooth is the renewal process ? if the webui cert expires, does it affect the core ipa functionality in any way ? Also, when ipa does its own auto-renewal, does it leave the webui alone if set up this way ? On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com wrote: I had the

Re: [Freeipa-users] Users can't login on some systems.

2015-08-20 Thread Prasun Gera
Did you clear out /var/lib/sss/db between re-installation of the client? There was a bug which might not have been fixed downstream yet. On Thu, Aug 20, 2015 at 1:21 PM, Chris Mohler cmoh...@oberlin.edu wrote: Hi List, I'm still fairly new to this list and administrating FreeIPA. I had a

Re: [Freeipa-users] Kerberized NFS and home automount issues

2015-08-13 Thread Prasun Gera
Where are you trying to create the home directories ? Is your NFS server the same as the IPA server ? You can only create home directories on the NFS home server unless the nfs-client sees the export option no_root_squash. That is not recommended though. On Thu, Aug 13, 2015 at 9:49 AM, Youenn

Re: [Freeipa-users] users- ssh keys self service

2015-08-14 Thread Prasun Gera
Did you try the */ipa/migration/* url for migrated users ? On Fri, Aug 14, 2015 at 3:38 AM, Petr Vobornik pvobo...@redhat.com wrote: On 08/13/2015 09:25 PM, Janelle wrote: AHA!!! The problem is found, but the solution eludes me. Any user migrated in compat mode has the problem. NEW users

Re: [Freeipa-users] enabling selinux on ipa server

2015-10-24 Thread Prasun Gera
to do sudo setsebool -P httpd_manage_ipa 1 On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > On (23/10/15 20:57), Prasun Gera wrote: > >selinux was disabled for some reason when the ipa server(replica) was > >installed. I enabled it, and see

Re: [Freeipa-users] enabling selinux on ipa server

2015-10-25 Thread Prasun Gera
in the selinux disabled state didn't set up the selinux related stuff properly, which manifested later when I set it to enforcing mode. On Sat, Oct 24, 2015 at 9:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Prasun Gera wrote: > > I've done that now in addition to the few fi

[Freeipa-users] enabling selinux on ipa server

2015-10-23 Thread Prasun Gera
selinux was disabled for some reason when the ipa server (replica) was installed. I enabled it, and see that there are a lot of selinux related permissions problems in syslog. Is this a known issue ? I tried fixing some of them manually, but I would like a better approach.

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
/fullchain.pem On Tue, Nov 10, 2015 at 3:31 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Tue, Nov 10, 2015 at 03:12:04PM -0800, Prasun Gera wrote: > > I tried using let's encrypt's certs manually, but I think I'm missing > > something. Let's encrypt creates the follo

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
it to work. That page says, "The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." Since my ipa installation uses the default internal CA, how do I get let's encrypt's certs signed by the ipa CA ? Is that the missing step ? On Sat, Nov 7, 2015 at 9:15 PM, P

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Prasun Gera
n Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: >> >>> You are right in that the fullchain.pem doesn't have the root >>> certificate. >>> I ran "openssl x509 -in chain.pem -noout -text", and saw that it >>> had Issuer: O=Digital Signat

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
On Tue, Nov 10, 2015 at 5:04 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Tue, Nov 10, 2015 at 03:44:19PM -0800, Prasun Gera wrote: > > No it didn't quite work. > > > > I ran ipa-server-certinstall -w /etc/letsencrypt/live/ > > example.com/privkey.pem

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-10 Thread Prasun Gera
r, the webui hadn't configured the certificates properly. At this point, I just restored my backups of /etc/httpd/conf.d/ and /etc/httpd/alias/, which brought things back to where things were earlier. I think it would be better to do these experiments on a test bed first. On Tue, Nov 10, 2015 at 5:19 PM, Pras

[Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Prasun Gera
I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm using a stock configuration which uses the certs signed by ipa's CA for the webui. This is mostly for convenience since it manages renewals seamlessly. This, however, requires users to add the CA as trusted to their

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-04 Thread Prasun Gera
capped to C. This server accepts the RC4 cipher, which is weak. Grade capped to B. The server does not support Forward Secrecy with the reference browsers. On Wed, Nov 4, 2015 at 4:44 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun G

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
at 05:03:29PM -0800, Prasun Gera wrote: > > Thanks for the ticket information. I would still be interested in > > configuring mod_nss properly (irrespective of whether the certs are ipa > > generated or 3rd party). These are the worrying notes from ssllabs test: > > &

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-07 Thread Prasun Gera
that in the package would also have the added benefit of settings remaining up to date without manual intervention as standards evolve. On Thu, Nov 5, 2015 at 9:23 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Thu, Nov 05, 2015 at 11:52:32PM -0500, Rob Crittenden wrote: > > Pr

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Prasun Gera
mption (caching)*No (IDs assigned but not accepted)* Are these relevant/serious ? Can they be mitigated ? On Thu, Nov 5, 2015 at 6:51 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Prasun Gera wrote: > > Yes, that's what I was planning to do. i.e. Convert cipher names from > >

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-01 Thread Prasun Gera
guarantees ? On Sat, Jun 27, 2015 at 6:26 AM, Dmitri Pal <d...@redhat.com> wrote: > On 06/24/2015 04:31 AM, Jakub Hrozek wrote: > >> On Wed, Jun 24, 2015 at 01:24:37AM -0700, Prasun Gera wrote: >> >>> Thanks. It's good to know that it is fixed upstream. For disc

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-02 Thread Prasun Gera
FYI, I think the culprit (at least one of) is ipa-client-automount --uninstall. This removes sss entirely from nsswitch, not just from the automount section. On Tue, Sep 1, 2015 at 11:56 AM, Prasun Gera <prasun.g...@gmail.com> wrote: > So I've again spent a couple of hours debuggi

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Prasun Gera
t; On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote: > > FYI, I think the culprit (at least one of) is ipa-client-automount > > --uninstall. This removes sss entirely from nssswitch, not just from the > > automount section. > > Hmm, I haven't tested that but it s

[Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
OS: RHEL 7.1 w IDM I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
tolerant to heavily drifting virtual clocks. > > Cheers, > > Andrew > > On 10 September 2015 at 13:46, Prasun Gera <prasun.g...@gmail.com> wrote: > >> OS: RHEL 7.1 w IDM >> >> I'm seeing these messages in my master's log messages. I don't know if >>

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
aceroute to the time server you are using? > Are there any other machines on the same local network that are using this > timeserver? Do they have problems? > > > > > On 10 September 2015 at 14:18, Prasun Gera <prasun.g...@gmail.com> wrote: > >> So I did a bit

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
It could be > broken hardware. > > On 10 September 2015 at 14:05, Prasun Gera <prasun.g...@gmail.com> wrote: > >> Thanks. I'm not virtualizing though. Should I still add it ? >> >> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway <andrew.hol...@gmai

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-11 Thread Prasun Gera
, 2015 at 6:03 AM, Prasun Gera <prasun.g...@gmail.com> wrote: > The hardware is not very old (ivybridge). The entries appear every few > minutes in the log. The /etc/ntp.conf has not been modified manually. It > lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Prasun Gera
I was facing similar issues, and ended up changing the username from admin to something else since admin is a common name in brute force ssh attacks. It was getting locked out in spite of using fail2ban. I guess fail2ban can be tweaked to block the host before ipa blocks the admin account, but I

Re: [Freeipa-users] yum update today broke ipa

2015-12-09 Thread Prasun Gera
com> wrote: > Run upgrade manually, this is just an error in the checking function, obviously > 4.2.0-15.el7_2.3 is newer than 4.2.0-15.el7 > > > On 09.12.2015 17:21, Prasun Gera wrote: > > Before I try this on the actual node, would it be better to roll back the > last yum trans

[Freeipa-users] yum update today broke ipa

2015-12-09 Thread Prasun Gera
Ran yum update today. Pulled in https://rhn.redhat.com/errata/RHBA-2015-2562.html. Seeing this error: 2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ("Unable to execute IPA upgrade: data are in newer version than IPA (data version '4.2.0-15.el7', IPA

Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Prasun Gera
Have a look at a recent thread that I had started. You might be able to do it manually for http/ldap certs. However, there were some issues which I haven't figured out yet. You might have better luck. Anyone should be able to try it out given that LE enters public beta in a couple of days. On

Re: [Freeipa-users] yum update today broke ipa

2015-12-13 Thread Prasun Gera
Before I try this on the actual node, would it be better to roll back the last yum transaction ? I want to do whatever is safer. On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti <mba...@redhat.com> wrote: > > > On 09.12.2015 16:32, Prasun Gera wrote: > > Ran yum update toda

Re: [Freeipa-users] IPA, autofs, kerberos

2016-01-04 Thread Prasun Gera
I would like to understand this better too. I'm not using kerberized NFS. I'm using regular nfs for user home dirs as well as other mount points, which used to work quite well with autofs + NIS. For the most part it works fine with ipa too. However, I have occasionally faced problems with autofs

Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-11 Thread Prasun Gera
. On Mon, Jan 11, 2016 at 4:21 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Mon, 11 Jan 2016, Prasun Gera wrote: > >> I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the >> users reported that he is not able to log in to certain systems a

[Freeipa-users] IPA users not visible in NIS passwd map

2016-01-11 Thread Prasun Gera
I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the users reported that he is not able to log in to certain systems any more. It turns out that there is some change in behaviour w.r.t NIS clients after this upgrade. I see that his username is not visible in "ypcat passwd" on

Re: [Freeipa-users] question about automount config

2016-06-07 Thread Prasun Gera
rd,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=10.254.1.168,local_lock=none,addr=10.254.1.167) > > $ ssh nfsclient > Creating home directory for afayzullin. > Last login: Tue Jun 7 17:34:14 2016 > Could not chdir to home directory /home/afayzullin: No such file or > direc

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
, Rob Crittenden <rcrit...@redhat.com> wrote: > Prasun Gera wrote: > >> I've identified the problem. The uris seem to be incorrect. This looks >> like some substitution gone wrong. Instead of using the actual ipa >> server's address, it points to a generic placeholder t

[Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
I've set up a couple of dell idrac card's ssl certs signed by ipa CA. I've also added the ipa CA to java's trusted CAs. However, when you try to launch the idrac java console, it will still show an error that the site is untrusted. Upon clicking on "more information", the message says that

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
It looks like that issue was fixed and the OCSP and CRL uris in the certs are now http. So I'm not sure why java is complaining. On Fri, May 27, 2016 at 7:03 PM, Prasun Gera <prasun.g...@gmail.com> wrote: > I've set up a couple of dell idrac card's ssl certs signed by ipa CA. I've >

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-30 Thread Prasun Gera
10:19 PM, Rob Crittenden <rcrit...@redhat.com > > <mailto:rcrit...@redhat.com>> wrote: > > > > Prasun Gera wrote: > > > > I've identified the problem. The uris seem to be incorrect. This > looks > > like some substitution gone wrong. In

Re: [Freeipa-users] OCSP and CRL in certs for java firefox plugin

2016-05-27 Thread Prasun Gera
2 PM, Prasun Gera <prasun.g...@gmail.com> wrote: > It looks like that issue was fixed and the OCSP and CRL uris in the certs > are now http. So I'm not sure why java is complaining. > > On Fri, May 27, 2016 at 7:03 PM, Prasun Gera <prasun.g...@gmail.com> > wrote: > >&g

Re: [Freeipa-users] What causes the web ui to display a second login dialog ?

2016-06-23 Thread Prasun Gera
Thanks. I'll wait for RHEL 7.3 then. On Thu, Jun 23, 2016 at 4:27 PM, Simo Sorce <s...@redhat.com> wrote: > On Thu, 2016-06-23 at 14:11 -0400, Prasun Gera wrote: > > Image attached. I don't use Windows much, but I noticed this on a windows > > machine with Chrome. Before

Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-13 Thread Prasun Gera
They are authenticated using CRYPT passwords. i.e. Even after a user is disabled in ipa, its entry is still visible in ypcat passwd on the clients. On Wed, Jan 13, 2016 at 4:17 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Wed, 13 Jan 2016, Prasun Gera wrote: > >> I

Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-13 Thread Prasun Gera
, 2016 at 9:21 PM, Prasun Gera <prasun.g...@gmail.com> wrote: > This is the output of the command: > > ldapsearch -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d= > -f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp > SASL/EXTERNAL authentication st

Re: [Freeipa-users] Announcing FreeIPA 4.3.0 - demo

2016-01-15 Thread Prasun Gera
This is great. Can you post instructions for getting Let's Encrypt working on 4.2.x ? I had created a thread, but I eventually got stuck, and it felt a bit risky to modify low level things on a production system. This is the thread for reference:

Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-13 Thread Prasun Gera
Great! I hope it makes it downstream to RHEL. On Wed, Jan 13, 2016 at 4:27 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Wed, 13 Jan 2016, Prasun Gera wrote: > >> They are authenticated using CRYPT passwords. i.e. Even after a user is >> disabled in ipa, it'

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-13 Thread Prasun Gera
This is an old thread, but I can confirm that this is still an issue on RHEL 7.2 + 4.2. This creates problems when there are roles associated with groups, but group membership through GID is broken. I had migrated all old NIS accounts into ipa. I then added the host enrollment role to a particular

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-04 Thread Prasun Gera
. > Bryce > > > > *From:* freeipa-users-boun...@redhat.com [mailto: > freeipa-users-boun...@redhat.com] *On Behalf Of *Prasun Gera > *Sent:* Thursday, February 04, 2016 8:19 AM > *To:* freeipa-users@redhat.com > *Subject:* [Freeipa-users] client/authentication inside a do

[Freeipa-users] client/authentication inside a docker container

2016-02-04 Thread Prasun Gera
I am trying to set up a docker image with a specific development environment. We use idm 4.2 for authentication, and non-kerberized nfs (including home) for data storage on the hosts. The goal is to run the docker container such that when the user calls docker run, it just drops into a shell with

Re: [Freeipa-users] client/authentication inside a docker container

2016-02-04 Thread Prasun Gera
On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com> wrote: > On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote: > > I am trying to set up a docker image with a specific development > > environment. We use idm 4.2 for authentication, a

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-13 Thread Prasun Gera
Just replying to this thread to express interest in good client support in Ubuntu. As 16.04 draws close to a release, it would be great if the client side of things work well out of the box in 16.04 without any 3rd party ppas. 12.04 was pretty bad, 14.04 was mostly usable with some issues. I'm

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Prasun Gera
Can someone at RH update this article https://access.redhat.com/articles/1467293 ? I found it to be fairly useful, but I'm not sure if it's up to date. On Thu, Jan 28, 2016 at 11:04 AM, Terry John < terry.j...@completeautomotivesolutions.co.uk> wrote: > Ok thanks for that but I've had to give

Re: [Freeipa-users] Fwd: [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-17 Thread Prasun Gera
t; https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314 > > Maybe someone could be interested in Salt formula we are using to setup > Freeipa server/client: https://github.com/tcpcloud/salt-formula-freeipa > > Filip > > On 2016/02/13 17:40, Prasun Gera wrote: > > Just repl

Re: [Freeipa-users] deleting duplicate groups with groupdel

2016-04-13 Thread Prasun Gera
. On Wed, Apr 13, 2016 at 3:28 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote: > > My main ipa server used to be an NIS server. After migrating everything > > into ipa, there is no need for the users and groups to e

[Freeipa-users] deleting duplicate groups with groupdel

2016-04-12 Thread Prasun Gera
My main ipa server used to be an NIS server. After migrating everything into ipa, there is no need for the users and groups to exist in /etc/passwd and /etc/group. Leaving them around would cause duplicate entries, passwords falling out of sync and other issues on the server. So the right approach

[Freeipa-users] Disabling passwd NIS map

2016-04-04 Thread Prasun Gera
I have a master + replica setup on RHEL 7.2 (ipa 4.2). When this was set up, most of the clients were on NIS, and hence the nis compatibility and migration mode was enabled. The NIS maps in use right now are passwd, group and autofs. Passwords were set to CRYPT for this to work. I have managed to

Re: [Freeipa-users] IPA users central Home Directories

2016-03-30 Thread Prasun Gera
NFS and ipa are sort of orthogonal unless you mix nfsv4 with kerberos. If you aren't using kerberos, and don't need kerberos, then the nfs home setup is pretty straightforward. ipa just controls authentication. If you have a simple enough environment, you can just add your nfs mounts in the fstab

Re: [Freeipa-users] Account/password expirations

2016-04-30 Thread Prasun Gera
is working on ubuntu 14.04 ? On Fri, Apr 29, 2016 at 12:30 PM, Anon Lister <listera...@gmail.com> wrote: > Yep sorry I missed that. You need to put your public keys in IPA. > On Apr 29, 2016 3:32 AM, "Jakub Hrozek" <jhro...@redhat.com> wrote: > > On Thu, Apr 28,

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Prasun Gera
> > Moreover, if you login through an SSH key, you don't get a ticket on > login and you can't kinit, so you can't access any network resources > anyway. > > A bit off topic, but a related question: How does nfsv4 work with ssh keys? Does it mean that you can't use ssh keys if /home is nfsv4

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Prasun Gera
> > You can still authenticate with SSH keys, but to access any NFS 4 shares > they will need a Kerberos ticket, which can be obtained via a 'kinit' after > logging in. > Then how does the key authentication work if the .ssh directory on nfs4 is not accessible? Doesn't the key authentication

Re: [Freeipa-users] question about automount config

2016-05-24 Thread Prasun Gera
You can stop the autofs daemon, and run it in foreground with automount -fvv. Then try to access the mount point in parallel. The logs from the foreground run should shed some light. Also, does your autofs setup work without kerberos? As a first step, get it to work with non-kerberised nfs. On Mon,

Re: [Freeipa-users] krb5kdc service not starting

2016-05-11 Thread Prasun Gera
Hi everyone, I had a pretty similar failure on my replica yesterday. The replica was not reachable, and I asked someone to have a look at the system. They presumably rebooted it. When it came back up, ipactl wouldn't start, and the symptoms were pretty similar to those described in this thread. I

Re: [Freeipa-users] krb5kdc service not starting

2016-05-12 Thread Prasun Gera
RetroclPlugin - delete_changerecord: could not delete change record 404058 (rc: 32) ... lots of similar messages On Thu, May 12, 2016 at 4:25 AM, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 05/12/2016 05:28 AM, Prasun Gera wrote: > > Hi everyone, > I had a pretty simi

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Prasun Gera
If it's the admin account, there would be a pretty good likelihood of brute-force attempts if your server is on the internet. One option is to rename it to something else. On 17 May 2016 11:36 a.m., "Rich Megginson" wrote: > On 05/17/2016 08:18 AM, Rob Crittenden wrote: > >>

Re: [Freeipa-users] Account/password expirations

2016-05-01 Thread Prasun Gera
It turns out that this was a permissions issue. Everything works now. Thanks. On Sat, Apr 30, 2016 at 11:26 PM, Prasun Gera <prasun.g...@gmail.com> wrote: > Ah, this doesn't work on ubuntu (14.04). The command itself works, but > sshd on ubuntu isn't probably compiled

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-15 Thread Prasun Gera
Ubuntu 12.04 won't work very well out of the box. You can get it to work with the freeipa and sssd ppas, but you'll still need some small hacks on top of it. 14.04 is much better, and 16.04 is presumably the best in terms of things working out of the box. On Fri, Jul 15, 2016 at 3:59 AM, Jakub

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Prasun Gera
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed in 7.3, that would be great, especially for Let's Encrypt certs (even without auto-renewal). On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi wrote: > Hi, > > For the time being and as far as I can

Re: [Freeipa-users] IDM server doesn't boot after update to RHEL 7.3

2017-02-21 Thread Prasun Gera
Any systemd experts that can help in figuring out what's going on here? Here's a shortened log up to that error if it makes it more convenient: https://gist.github.com/pgera/00f1ae31f77b9e9aa652db2be0e29574 On Fri, Feb 17, 2017 at 8:40 PM, Prasun Gera <prasun.g...@gmail.com> wrote:

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-29 Thread Prasun Gera
I need to set SELinux to enforcing to get the relevant SSSD logs, right? On Thu, Sep 29, 2016 at 3:42 AM, Sumit Bose <sb...@redhat.com> wrote: > On Thu, Sep 29, 2016 at 12:47:34AM -0400, Prasun Gera wrote: > > I started seeing some selinux errors on one of my RHEL 7 c

Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

2016-08-28 Thread Prasun Gera
>> ipa-client-automount command would not even start if it was >> executed on the ipa server. >> >> >> thanks everyone! >> >> ms >> >> >> >> *From:* Prasun Gera <p

Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

2016-08-27 Thread Prasun Gera
gest that the ipa-client-automount command would not even > start if it was executed on the ipa server. > > > thanks everyone! > ms > > -- > *From:* Prasun Gera <prasun.g...@gmail.com> > *Sent:* Friday, August 26, 2016 4:02 PM > *To:*

Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

2016-08-26 Thread Prasun Gera
ipa-client-automount --uninstall was (is?) a bit broken in that it tries to revert back to an older configuration, but it can accidentally revert it to a state before the ipa-client was installed (as opposed to the state where automount was installed). Check your nsswitch.conf file and compare it
