and allow
ssh logins. Is the version difference between the ipa client/sssd and
server an issue and any ideas on where to go next?
Sean Hogan
Security Engineer
CISSP, RHSA, CCNA
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486
Hi Jakub,
Negative.. only one domain.
I just obscured the names here:
Could not reconnect to domain.name provider.
/var/log/dirsrv/slapd-DOMAIN-LOCAL
Sean Hogan
From: Jakub Hrozek <jhro...@redhat.com>
To: freeipa-users@redhat.com
Date: 11/06/2015 01:39 AM
Subject:
Is it just me or is white space ignored as well with sudo commands much
like the sudo options?
Sean Hogan
comments or suggestions welcome
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, "Freeipa-u
doable. Also.. any recommendations on a ldap query tool for use with IPA?
Sean Hogan
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Thanks Robert,
Appreciated
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users@redhat.com
Date: 12/07/2015 03:30 PM
Subject:Re: [Freeipa-users] Ldap search for enrolled boxes
Sean Hogan
Jan 11 22:43:40 2016) [sssd[be[watson.local]]] [id_callback] (0x0010):
The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]
Sean Hogan
) [sssd] [ping_check] (0x0100): Service pam
replied to ping
Sean Hogan
and this
time it did shut down. Powered back up and it seems to be running fine now.
BTW... there is a lot of info in the upgrade log but will overview it more
later.
Thanks
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa
startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport
endpoint is not connected)
[02/Jun/2016:12:06:41 -0400] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
NTP seems OK
[God@FirstMasterIPA slapd-PKI-IP
> found)) errno 2 (No such file or directory)
> [20/Jun/2016:13:59:51 -0400] slapi_ldap_bind - Error: could not perform
> interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [20/Jun/2016:13:59:57 -0400] slapd_ldap_sasl_interactive_bind - Error:
> could not perform in
'/tmp/krb5cc_0' not found while validating
credentials
Sean Hogan
From: Sean Hogan/Durham/IBM
To: freeipa-users <freeipa-users@redhat.com>
Date: 06/21/2016 12:02 PM
Subject:Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Has anyone seen these before?
troubleshooting loop being too close to it.. has
anyone seen this before?
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 06/20/2016 12:49 PM
Subject:Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 U
uninstall complete.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 06/20/2016 12:49 PM
Subject:Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem
Also seeing this in the upgrade log on the first master but not on the 7
ipas.
ERROR Failed to restart named: Command '/sbin/service named restart '
returned non-zero exit status 7
which led me to
https://bugzilla.redhat.com/show_bug.cgi?id=895298
Sean Hogan
From: Sean Hogan
p_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[20/Jun/2016:13:59:57 -0400] NSMMReplicationPlugin -
agmt="cn=meToserver2.domain.local" (server2:389): Replication bind with
GSSAPI auth resumed
Sean Hogan
From: Sean Hoga
Sean Hogan
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Noriko Hosoi <nho...@redhat.com>
Cc:
suites.
So I do see RC4 and the exports so I guess I can - those in the dse.ldif
From: Sean Hogan/Durham/IBM
To: Martin Kosek <mko...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 04/27/2016 09:33 AM
Subject:Re: [Freeipa-users] IPA vulnerability ma
Hi Martin,
Thanks for the response. We are at RHEL 6.7... getting the hits on 389
and 636 so it's the Directory Server ports, which I assume is dse.ldif.
Sean Hogan
From: Martin Kosek <mko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
<free
cipher control needs
to upgrade to IPA 4.3.1 and their OS to RHEL (CentOS, Scientific) 7
Sean Hogan
From: Alexander Bokovoy <aboko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 04/26/2016 11:52 PM
Subject:Re: [F
something wrong here?
Sean Hogan
From: Alexander Bokovoy <aboko...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 04/27/2016 10:35 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL
On Wed,
rs instead of SSL
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Martin Kosek <mko...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 04/27/2016 09:59 AM
Subject:Re: [Freeipa-users] IPA vulnerability management SSL
I ran the following:
nmap --s
DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
Is there a config for this version of IPA/DS somewhere that will pass
poodle, freak, null ciphers scanning or only allow strong ciphers?
Sea
Apparently making it the master ca will not work at this point since the
replica is removed. So still stuck with non-changing ciphers.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Rob Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@r
cipher suites.
This is why I was trying to remove -tls_rsa_export1024_with_rc4_56_sha
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz <lkris...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/28/2016 08:20 AM
Subjec
Hey guys.. yes I so want to upgrade to 4.x however not in my control right
now and can not really discuss. I see us stuck at 3.x for a while.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Ludwig Krispenz <lkris...@redhat.com>
Cc: freeipa-users@redhat.com, Noriko Hoso
.el6_7.1.x86_64
ipa-server-3.0.0-47.el6_7.1.x86_64
libipa_hbac-python-1.12.4-47.el6_7.4.x86_64
ipa-admintools-3.0.0-47.el6_7.1.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
I need to get rid of any rc4s
Sean Hogan
Yes sir.. I am stopping DS with ipactl stop before making changes.. I
often times have to really play with the ciphers because many times when I
restart DS I get unknown cipher and IPA fails to start. Go back into
dse.ldif and modify til it comes back up.
Sean Hogan
Forgot to mention this is for ipa-server-3.0.0-47.el6_7.1.x86_64
Thanks
Sean Hogan
From: Sean Hogan/Durham/IBM@IBMUS
To: freeipa-users <freeipa-users@redhat.com>
Date: 05/16/2016 04:01 PM
Subject:[Freeipa-users] IPA and RSA
Sent by:freeipa-users-boun...@redh
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_128_GCM_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Rob Crittenden <rcrit...@redhat.com&
?
Sean Hogan
,-tls_rsa_export1024_with_des_cbc_sha
numSubordinates: 1
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Noriko Hosoi <nho...@redhat.com>
Date: 04/29/2016 01:36 PM
Subject:Re: [Freeip
ete
Sean Hogan
s in the logs
Server: correct IP of DNS server
Address:correct IP of DNS server#53
Name: dingle.test.local
Address: correct ip of dingle
resolv.conf has 1st listing as the same ip as in the logs and nslookup
result.
Sean Hogan
From: Martin Basti <mba...@redhat.com>
To:
-06T21:27:16Z DEBUG stdout=
2016-05-06T21:27:16Z DEBUG stderr=nscd: unrecognized service
Sean Hogan
From: Martin Basti <mba...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 05/06/2016 01:25 PM
Subject:Re: [F
.
Thanks for the help.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: Martin Basti <mba...@redhat.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 05/06/2016 02:36 PM
Subject:Re: [Freeipa-users] SSHFP upload
Hi Martin,
TCP 53 was not open as per
Not sure it is the same as 14.X but I had to add the sudo in the list of
services to sssd.conf as it was not put in by default. I am by no means an
expert on it but my own personal experience with 14.x
Sean Hogan
From: Jeff Goddard <jgodd...@emerlyn.com>
To: freeipa
master and
the backup replica having an agreement.
Not sure that fixed it or not but it seems to be stable at this point and I
know the docs say no more than 4 replication agreements so maybe it was
the cause.
Sean Hogan
From: Petr Spacek <pspa...@redhat.com>
To: Sean Hogan/Durh
Hi All,
Where can I find information about the IPA schema as in what = what in
the dir srv? I do not have a ldap viewer.
I am looking to pull specific info from it such as a list of servers that
have enrolled = true and have been playing with ldapsearch to no avail.
Sean Hogan
of the box.
I ran ipa host-find --all
and noticed this setting in the list
Keytab: True
I am thinking Keytab entry = enroll true
Sean Hogan
From: Ben Lipton <blip...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users
<freeipa-users@redhat.com>
Date:
-3.0.0-50.el6.1.x86_64
Sean Hogan
unning DNS and NTP from IPA.
Sean Hogan
From: Simo Sorce <s...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 08/31/2016 03:36 PM
Subject:Re: [Freeipa-users] IPA port 80
On Wed, 2016-08-31 at 14:22 -0700,
Note: In RHEL 7, 389 port is used for replication instead of 7389 port.
Sean Hogan
From: Peter Fern <free...@0xc0dedbad.com>
To: freeipa-users <freeipa-users@redhat.com>
Date: 08/31/2016 04:01 PM
Subject:Re: [Freeipa-users] IPA port 80
Sent by:fr
Thank You for the clarification all.
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Peter Fern
<free...@0xc0dedbad.com>
Cc: freeipa-users <freeipa-users@redhat.com>
Date: 09/01/2016 06:47 AM
Subject:
home of the
user meaning it is mounted on any system the user logs onto which is not a
good idea. Is there a way to set this up so the priv keys stay out of the
mounted home or since I have the keys uploaded into IPA I do not need the
key in home?
Sean Hogan
.
DNS2. 360 A 10.10.10.2
DNS2. 360 2001:503:c27::2:30
Sean Hogan
fingerprint: 1B:26:REMOVED
(ssh-dss),
2D:66:D7:REMOVED
(ssh-rsa)
Sean Hogan
From: Sean Hogan/Durham/IBM@IBMUS
To: Martin Babinsky <mbabi...@redhat.com>
Cc: freeipa-users@redhat.com
Date:
| Compressors (1)
|_ uncompressed
Sean Hogan
From: Jakub Hrozek <jhro...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: Martin Babinsky <mbabi...@redhat.com>, freeipa-users@redhat.com
Date: 11/16/2016 02:38 PM
Subject:Re: [Freeipa-users] Rhel 7 c
Yes... just got 2 of them from same address.. kimi rachel
Sean Hogan
From: Tony Brian Albers <t...@statsbiblioteket.dk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date: 11/15/2016 11:54 PM
Subject:Re: [Freeipa-users] anyone
and profiles.. on the boxes
having this issue some of the IDs show just the UID numbers/GID numbers
where some of the IDs actually show the UID name/GID name. We have over 2k
servers showing the UID name/GID name with no issues.. just the boxes
having this issue.
Sean Hogan
From
rb5.keytab host/server1.ipa.local
kinit: Program lacks support for encryption type while getting initial
credentials
Sean Hogan
From: Martin Babinsky <mbabi...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS, Jakub Hrozek <jhro...@redhat.com>
Cc: freeipa-users@redhat.
.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials
Sean Hogan
From: Martin Babinsky <mbabi...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users@redhat.com, Jakub Hrozek <jhro...@redhat.com&g
Hi Robert,
No I did not cut it off there was no reason listed.. that was the last
line about the issue.
I did find this to be my issue however
https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys
see if they can pull the new selinux policy packages as I do not see
-m avc -m user_avc -m selinux_err -i -ts
recent
Sean Hogan
From: Rob Crittenden <rcrit...@redhat.com>
To: Sean Hogan/Durham/IBM@IBMUS
C
-s0:c0.c1023
msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="janedoe"
exe="/usr/sbin/sshd" hostname=10.10.10.10 addr=10.10.10.10 terminal=ssh
res=success'
It's almost as if the pam files are not being read?
Sean Hogan
Disregard... apparently I am blind. Min is 1.12 per IPA docs.
Sean Hogan
From: Sean Hogan/Durham/IBM
To: freeipa-users <freeipa-users@redhat.com>
Date: 01/03/2017 10:15 AM
Subject:Minimum SSSD version for 2 factor
Morning,
Hope the Holidays went well f
to work with IPA 4.X OTP.
Thank You
Sean Hogan
Disregard .. I figured it out
just added /usr/bin fdisk -l to command list
run as user root and applied the command to sudo rule
Running as expected where sudo fdisk /dev/sda fails but sudo fdisk -l works
Sean Hogan
From: Sean Hogan/Durham/IBM@IBMUS
To: freeipa-users <free
Thank you
Sean Hogan
Has anyone attempted this or have any sample configs to play with or see
anything I am doing incorrect?
Sean Hogan
Thanks Michael,
Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with
success via telnet.
Sean Hogan
From: Michael Plemmons <michael.plemm...@crosschx.com>
To: freeipa-users <freeipa-users@redhat.com>
Date: 05/08/2017 01:21 PM
Subjec