Re: [Freeipa-users] Library to change expired password

2009-10-30 Thread Sumit Bose
On Thu, Oct 29, 2009 at 10:54:01PM -0600, Jason Gerard DeRose wrote: On Thu, 2009-10-29 at 17:56 -0400, Dan Scott wrote: Hi, I'm trying to integrate FreeIPA with a Java webapp using JAAS. I have the login module configured properly and it is working fine. However, I have a problem

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-03 Thread Sumit Bose
On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote: On Sunday, 2 May 2010 04:43:22, Rob Crittenden wrote: Oliver Burtchen wrote: Hi Stephen, I nailed the problem now a little bit down. I think it's HBAC with its empty rules in the standard configuration. For me it

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-03 Thread Sumit Bose
On Mon, May 03, 2010 at 10:51:10PM +0200, Oliver Burtchen wrote: On Monday, 3 May 2010 21:17:35, Dmitri Pal wrote: Stephen Gallagher wrote: On 05/03/2010 02:55 PM, Rob Crittenden wrote: Oliver Burtchen wrote: What are the exact service-names to use in --service? I know basically

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Sumit Bose
On Thu, Jul 22, 2010 at 11:19:44AM -0400, Scott Duckworth wrote: On Thu, Jul 22, 2010 at 11:07 AM, Sumit Bose sb...@redhat.com wrote: On Thu, Jul 22, 2010 at 10:19:37AM +0200, Sumit Bose wrote: On Wed, Jul 21, 2010 at 03:22:29PM -0400, Scott Duckworth wrote: ... something

Re: [Freeipa-users] limit access to a specific CN

2011-02-16 Thread Sumit Bose
On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote: On Feb 15, 2011, at 14:45 , Simo Sorce wrote: On Tue, 15 Feb 2011 14:09:07 -0500 Peter Doherty dohe...@hkl.hms.harvard.edu wrote: On Feb 15, 2011, at 14:02 , Rob Crittenden wrote: Peter Doherty wrote: Hello, I'm

Re: [Freeipa-users] limit access to a specific CN

2011-02-16 Thread Sumit Bose
On Wed, Feb 16, 2011 at 09:28:10AM -0500, Peter Doherty wrote: On Feb 16, 2011, at 04:10 , Sumit Bose wrote: On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote: On Feb 15, 2011, at 14:45 , Simo Sorce wrote: On Tue, 15 Feb 2011 14:09:07 -0500 Peter Doherty dohe

Re: [Freeipa-users] TLS: hostname does not match CN in peer certificate

2011-06-23 Thread Sumit Bose
On Thu, Jun 23, 2011 at 02:15:37PM +0200, Pieter Baele wrote: Probably, this question has been asked before I try to register an IPA client but get the following error. (primary kerberos are AD hosts, so I use --server etc) What can be wrong? The necessary firewall ports are opened

Re: [Freeipa-users] Kerberos kew renewal not working

2011-08-11 Thread Sumit Bose
adding sssd-devel On Thu, Aug 11, 2011 at 10:14:09AM +0200, Tim Niemueller wrote: Hi all. We have setup FreeIPA on a F-15 virtual machine. I'm currently testing with a F-14 client. We would like to keep F-14, as F-15 seems not generally stable enough for wide deployment (graphics issues

Re: [Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)

2011-08-17 Thread Sumit Bose
On Tue, Aug 16, 2011 at 04:50:56PM -0400, Dmitri Pal wrote: On 08/16/2011 03:50 PM, Ryan Thomson wrote: Hello, I'm trying to follow various steps and instructions I've found online for extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have mostly gone well but I've

Re: [Freeipa-users] using kerberos

2011-12-09 Thread Sumit Bose
On Fri, Dec 09, 2011 at 02:15:18AM +, Steven Jones wrote: Hi From the HNAS manual 8- Kerberos Configuration Configuring the NAS server requires three steps: 1. Create the principal and key of the service (the EVS) on the KDC (Key Distribution Center). 2. Export a keytab

Re: [Freeipa-users] acroread: unknown user id

2012-02-07 Thread Sumit Bose
On Tue, Feb 07, 2012 at 11:49:07AM +0100, Sigbjorn Lie wrote: Hi, This error occurs when starting Acrobat Reader. This occurred with version 8, and I just downloaded AdobeReader_enu-9.4.7-1 to see if that would make a difference. Same problem. This is a Red Hat 5 machine running

Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-15 Thread Sumit Bose
On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote: Hi all, The online manual says that the '--usercat' means 'User category the rule applies to'; '--hostcat' has the similar explanation. But I still don't understand how that could be used in real life and when/where to

Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-16 Thread Sumit Bose
with IPA if possible. HTH bye, Sumit Thanks. --Gelen From: Sumit Bose sb...@redhat.com To: freeipa-users@redhat.com Sent: Tuesday, May 15, 2012 1:48 AM Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat

Re: [Freeipa-users] strange gss failures in RHEL 6.3

2012-06-27 Thread Sumit Bose
On Wed, Jun 27, 2012 at 10:35:00PM +0100, Dale Macartney wrote: Evening all I have just updated my local RHEL 6 repositories from 6.2 to 6.3 and installed a new ipa server in a test network. I get the following errors now despite having a

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Sumit Bose
On Mon, Sep 10, 2012 at 10:07:26AM -0400, Simo Sorce wrote: On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote: On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote: Dmitri Pal wrote: On 09/07/2012 04:50 PM, Rob Crittenden wrote: Michael Mercier wrote: On

Re: [Freeipa-users] DNS forward to sub domain not working

2012-10-23 Thread Sumit Bose
On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote: Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr of ipa.example.com in resolv.conf - an A

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread Sumit Bose
On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote: On 12/18/2012 01:26 PM, Andre Rodrigues wrote: Hi all, I'm testing AD trust following this how to: http://www.freeipa.org/page/IPAv3_testing_AD_trust but when I set ipa dnszone-add I get this: [root@m ~] ipa dnszone-add AD.DOMAIN

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-19 Thread Sumit Bose
On Wed, Dec 19, 2012 at 09:13:21AM +0100, Petr Spacek wrote: On 12/18/2012 09:56 PM, John Dennis wrote: ipa: ERROR: unable to parse cookie header 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN; Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly': unable to

Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-19 Thread Sumit Bose
On Tue, Dec 18, 2012 at 03:56:27PM -0500, John Dennis wrote: On 12/18/2012 03:30 PM, Sumit Bose wrote: On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote: On 12/18/2012 01:26 PM, Andre Rodrigues wrote: Hi all, I'm testing AD trust following this how to: http://www.freeipa.org/page

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Sumit Bose
On Fri, Jan 04, 2013 at 04:14:36PM +0100, Han Boetes wrote: You are absolutely right; the credentials aren't forwarded. I have enabled the option allow gssapi credential delegation. So one would expect that it should work. I just installed the mit kerberos tools and I can see all the

Re: [Freeipa-users] authentication with latest putty fails

2013-01-04 Thread Sumit Bose
01/04/13 14:52:49 01/05/13 14:52:49 krbtgt/REALM@REALM [fh@test-server-ipa ~]$ That does provide a valid ticket but not a passwordless login. Actually I have to enter a pass twice here! On Fri, Jan 4, 2013 at 4:25 PM, Sumit Bose sb...@redhat.com wrote: On Fri, Jan 04, 2013

Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 09:15:41AM +0100, Han Boetes wrote: On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose sb...@redhat.com wrote: About delegating credentials, you might need to set the ok_as_delegate flag on the host/* service ticket. To do this you can call kadmin.local on the IPA server

Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 09:56:42AM +0100, Han Boetes wrote: There was something going on with a firewall blocking something and that windows host didn't have a cert yet. But still: Using Kerberos authentication Using principal fh@REALM Got host ticket host/test-server-ipa.domain@REALM

Re: [Freeipa-users] authentication with latest putty fails

2013-01-07 Thread Sumit Bose
On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote: I just had a long and fruitful debugging session with Sumit and this is what we discovered. Thank you for your patience and help to debug this issue. The default settings do run fine for linux machines but for windows hosts they

Re: [Freeipa-users] Fedora 18 - FreeIPA + AD

2013-01-21 Thread Sumit Bose
On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote: On 01/20/2013 05:01 AM, MaSch wrote: On 1/19/13 8:16 PM, Dmitri Pal wrote: What is the situation with the time on that box? Was the time and time zone set correctly? Is it a VM? Can it be that the time drifted in some way?

Re: [Freeipa-users] KPasswd TCP issues

2013-02-20 Thread Sumit Bose
On Tue, Feb 19, 2013 at 03:29:03PM -0700, ninib...@worldd.org wrote: Actually I'd like to take that back now, it works fine when running kpasswd, but if user password is expired when SSH to client, during the reset it only tried UDP same if issuing passwd command as well. Both use

Re: [Freeipa-users] Upgraded, login + password webui auth and ssh token manipulation gone

2013-03-11 Thread Sumit Bose
On Mon, Mar 11, 2013 at 01:21:26AM -0400, Tim Hildred wrote: It definitely wasn't a policy problem. I couldn't even use ipa passwd as admin from the command line, there was a connection error. The upgrade meant my IPA server was straight borked. The solution? Revert to a previous snapshot,

Re: [Freeipa-users] Trouble verifying domain trust IPA 3.0, AD 2012

2013-03-15 Thread Sumit Bose
On Fri, Mar 15, 2013 at 09:38:04AM +, Dale Macartney wrote: Morning all I have setup the domain trust set up and have errors when trying to map groups from AD to IPA Environment is IPA 3.0 on RHEL 6.4 and Windows 2012 When adding

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Sumit Bose
On Tue, Mar 26, 2013 at 07:05:20PM -0400, Rob Crittenden wrote: David Redmond wrote: Hi, I've setup FreeIPA for the first time and am using it successfully with Linux and Solaris 10 clients. On 8 separate Solaris 9 clients I'm running into an issue where 'kinit USER', for any user, fails

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Sumit Bose
On Wed, Mar 27, 2013 at 10:44:53AM +0100, Martin Kosek wrote: On 03/27/2013 02:11 AM, David Redmond wrote: Hi again, I've got a bit more information. I've found that I can successfully kinit on the Solaris 9 clients if, on the server, I change the user's password by: ipa-getkeytab

Re: [Freeipa-users] kinit seg-fault for Solaris 9

2013-03-27 Thread Sumit Bose
On Wed, Mar 27, 2013 at 11:44:06AM +0100, Martin Kosek wrote: On 03/27/2013 11:36 AM, Sumit Bose wrote: On Wed, Mar 27, 2013 at 10:44:53AM +0100, Martin Kosek wrote: On 03/27/2013 02:11 AM, David Redmond wrote: Hi again, I've got a bit more information. I've found that I can

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Sumit Bose
On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote: hi, while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html I run step 9: smbclient -L kdc.ipa.asenjo.nx -k

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Sumit Bose
On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote: I saw there is a log in /var/log/samba/log.wb-IPA The log complains about missing keys for the spn for the hostname (not the fqdn, just the hostname): Connection to LDAP server failed for the 15 try! [2013/04/19

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Sumit Bose
feature. It was always recommended because also other services like sshd, httpd, sssd might have problems finding the right Kerberos keys from their keytabs. bye, Sumit Thanks! -- groet, natxo -- Groeten, natxo On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose sb...@redhat.com wrote

Re: [Freeipa-users] problems with trust with AD (2 different domains

2013-04-19 Thread Sumit Bose
On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote: hi, just a little 'but'. when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html) # kinit user Password

Re: [Freeipa-users] ssh login from windows AD trust host not working

2013-04-20 Thread Sumit Bose
On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote: hi, a bit puzzled now. I have joined another 2k8r2 host to the AD domain that is trusted by the ipa domain. As AD\administrator I can ssh to the linux host. I create a bunch of AD users, standard members of 'Domain Users'.

Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

2013-04-25 Thread Sumit Bose
On Thu, Apr 25, 2013 at 12:38:18PM +0200, Pavel Březina wrote: On 04/24/2013 07:20 PM, Aly Khimji wrote: (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, NULL) [Success] (Wed Apr 24 13:07:35 2013)

Re: [Freeipa-users] IPA different ID results on different nodes

2013-06-04 Thread Sumit Bose
On Mon, Jun 03, 2013 at 09:22:21PM -0400, Aly Khimji wrote: Hey guys, Just wanted to say thank you for all your support with everything and answering all my questions. Just wanted to show you something, maybe you can shed some light.. Below is my self running the ID command on 2 different

Re: [Freeipa-users] Logging Failed User logins for Trust Users

2013-06-04 Thread Sumit Bose
On Mon, Jun 03, 2013 at 04:30:19PM -0400, Dmitri Pal wrote: On 06/03/2013 02:23 PM, Aly Khimji wrote: Quick questions guys, can you advise if there is a particular place(s) successful and failed users authentication is logged? I know from local users I can go through the 389 access

Re: [Freeipa-users] IPA different ID results on different nodes

2013-06-05 Thread Sumit Bose
On Tue, Jun 04, 2013 at 09:40:21AM -0400, Aly Khimji wrote: I re-logged in this morning into the server and i see the following on the server Any thoughts? Thx again. SERVER: -sh-4.1$ id uid=59401108(akhi...@corpnonprd..com) gid=59401108( akhi...@corpnonprd..com)

Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-13 Thread Sumit Bose
On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote: On 12.06.2013 12:03, Sumit Bose wrote: On Wed, Jun 12, 2013 at 11:42:23AM +0200, Leah Zimmermann wrote: Dear List Members, I have a FreeIPA-Domain on a CentOS 6.4 machine. It is in a trusted relationship to an AD-Domain

Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-14 Thread Sumit Bose
On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote: Hello Sumit, Hello List Members, On 13.06.2013 09:18, Sumit Bose wrote: On Wed, Jun 12, 2013 at 02:04:33PM +0200, Leah Zimmermann wrote: On 12.06.2013 12:03, Sumit Bose wrote: On Wed, Jun 12, 2013 at 11:42:23AM +0200

Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-19 Thread Sumit Bose
On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote: On 06/14/2013 09:08 AM, Sumit Bose wrote: On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote: Hello Sumit, Hello List Members, On 13.06.2013 09:18, Sumit Bose wrote: On Wed, Jun 12, 2013 at 02:04:33PM +0200

Re: [Freeipa-users] Trusted AD Users login via gdm

2013-06-21 Thread Sumit Bose
On Thu, Jun 20, 2013 at 04:04:06PM +0200, Leah Zimmermann wrote: On 06/19/2013 03:01 PM, Sumit Bose wrote: On Tue, Jun 18, 2013 at 08:00:02AM +0200, Leah Zimmermann wrote: On 06/14/2013 09:08 AM, Sumit Bose wrote: On Thu, Jun 13, 2013 at 01:49:30PM +0200, Leah Zimmermann wrote: Hello Sumit

Re: [Freeipa-users] Login hangs / hung task?

2013-07-03 Thread Sumit Bose
On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote: Hello, I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success. Running 'ssh root@service-2', the server would reply with a password prompt and then hang. I went to the system

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Tue, Jul 30, 2013 at 03:01:18PM -0500, KodaK wrote: Ok, so, yeah -- my first question stands. This works when it falls back to LDAP, but it does not honor a kerberos ticket. Is there a way to do that in the same circumstances? Thanks again, --Jason On Tue, Jul 30, 2013 at 2:58 PM,

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 11:09:43AM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote: I think that's the issue. You have to make sure that host.domain.com has a DNS entry somewhere, it does not have to be the IPA DNS but the DNS setup must

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako...@gmail.com wrote: On Wed, Jul 31, 2013 at 6:56 AM, Sumit Bose sb...@redhat.com wrote: I think that's the issue. You have to make sure that host.domain.com has a DNS entry

Re: [Freeipa-users] authenticate with base domain name?

2013-07-31 Thread Sumit Bose
On Wed, Jul 31, 2013 at 01:57:50PM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote: On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote: On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako

Re: [Freeipa-users] authenticate with base domain name?

2013-08-01 Thread Sumit Bose
On Wed, Jul 31, 2013 at 03:03:04PM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 1:28 PM, KodaK sako...@gmail.com wrote: On Wed, Jul 31, 2013 at 11:24 AM, Sumit Bose sb...@redhat.com wrote: On Wed, Jul 31, 2013 at 11:12:47AM -0500, KodaK wrote: On Wed, Jul 31, 2013 at 11:09 AM, KodaK sako

Re: [Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-05 Thread Sumit Bose
On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote: First, before we go any further: is it supported to use sssd when the client machines domain differs from the realm name? If not, then the rest of this is moot. Client box is a RHEL 5.something. I didn't do ipa-client-install because

Re: [Freeipa-users] Blocking 389 and 636 for AD trusts

2013-08-14 Thread Sumit Bose
On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote: Hello everyone, I understand this is well documented that we need to block AD from establishing communication to the LDAP ports, but I've never heard an explanation on why this is needed. Additionally, In our environment, we have

Re: [Freeipa-users] Restrict AD users from passwd

2013-08-14 Thread Sumit Bose
On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote: Hi All, Our current account management policy requires that users change their AD passwords via a special portal, however I've noticed that this can be bypassed by issuing passwd on a Linux system while logged in with AD

Re: [Freeipa-users] access denied ssh

2013-09-24 Thread Sumit Bose
On Tue, Sep 24, 2013 at 01:39:28PM +0400, Михаил А wrote: Hello. freeipa-server-3.3fedora19 ipa-replica1-fedora19 ipa-replica2 fedora19 ssh auth with windows accounts on ipa-replica1-fedora19 is OK ssh auth with windows accounts on ipa-replica1-fedora19 is access denied id

Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote: On 09/24/2013 04:40 PM, Alexander Bokovoy wrote: On Tue, 24 Sep 2013, Alexandre Ellert wrote: Hi, I've successfully setup a testing environment with an IPA server (RHEL 6.4) and a cross realm trust with my Active Directory

Re: [Freeipa-users] Cross-realm trust with AD and ssh keys management

2013-09-25 Thread Sumit Bose
On Wed, Sep 25, 2013 at 12:01:38PM +0300, Alexander Bokovoy wrote: On Wed, 25 Sep 2013, Sumit Bose wrote: On Wed, Sep 25, 2013 at 10:17:04AM +0200, Martin Kosek wrote: On 09/24/2013 04:40 PM, Alexander Bokovoy wrote: On Tue, 24 Sep 2013, Alexandre Ellert wrote: Hi, I've successfully

Re: [Freeipa-users] Force IPA to accept password?

2013-09-26 Thread Sumit Bose
On Thu, Sep 26, 2013 at 02:58:43PM +0100, Innes, Duncan wrote: Sorry, -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: 26 September 2013 14:29 To: Innes, Duncan Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Force IPA to accept password?

Re: [Freeipa-users] Force IPA to accept password?

2013-09-27 Thread Sumit Bose
On Fri, Sep 27, 2013 at 10:27:30AM +0200, Martin Kosek wrote: On 09/27/2013 09:31 AM, Innes, Duncan wrote: -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose Sent: 26 September 2013 17:36 To: freeipa-users

Re: [Freeipa-users] krb5kdc Additional pre-authentication required

2013-09-30 Thread Sumit Bose
On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote: Hi, We are trying to authenticate from Windows machine and getting below error. Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45:

Re: [Freeipa-users] Pure Kerberos login on Windows stopped working

2013-11-14 Thread Sumit Bose
On Wed, Nov 13, 2013 at 08:19:18PM +0100, Nicklas Björk wrote: On 2013-11-13 20:00, Simo Sorce wrote: On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote: On 2013-11-12 21:39, Simo Sorce wrote: On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote: In our environment we have very

Re: [Freeipa-users] Intermittent Issues changing passwords since updating to ipa v3 and sasl_bind timeouts ..

2013-11-25 Thread Sumit Bose
On Mon, Nov 25, 2013 at 09:23:22AM +1000, Matt Bryant wrote: All, Was wondering if anyone can help out or point us the in right direction. Ever since we updated from IPA v2.1 to IPA v3.0 have been seeing some intermittent errors when trying to change passwords etc. Getting the error cannot

Re: [Freeipa-users] Intermittent Issues changing passwords since updating to ipa v3 and sasl_bind timeouts ..

2013-11-26 Thread Sumit Bose
On Tue, Nov 26, 2013 at 03:07:30PM +1000, Matt Bryant wrote: OK so been running some tcpdumps on this issue and the weird thing is .. can see the initial sasl bind request followed by ack from ldap ... then nothing ldap/gssapi related until the unbind request post the 6s timeout period ...

Re: [Freeipa-users] postfix ipa

2013-11-29 Thread Sumit Bose
On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote: On 11/29/2013 11:27 AM, Natxo Asenjo wrote: hi, just came across Erinn Looney-Triggs's excellent writeup on using kerberos for relaying e-mail

Re: [Freeipa-users] Ipa AD trust

2014-01-24 Thread Sumit Bose
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote: Hi List , I want an update on this bug . https://bugzilla.samba.org/show_bug.cgi?id=9618 I just re-tested with the python script from the ticket and Samba-4.1.3 and it seems to be fixed. HTH bye, Sumit Thanks Best

Re: [Freeipa-users] Deploying freeipa behind nginx

2014-01-29 Thread Sumit Bose
On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote: Hi Everyone, I have deployed freeipa inside our production network. I want to be able to access the web ui so I am attempting to add it to our nginx edge machine. I can pass the requests upstream just fine but I am unable to

Re: [Freeipa-users] More SSO Strangeness

2014-02-06 Thread Sumit Bose
On Wed, Feb 05, 2014 at 01:44:13PM -0500, Mark Gardner wrote: Okay, Spent some time on this one... Some users can login SSO no problem, others have to put in their password. Strange as it seems, if the length of the username was greater than 4, the SSO worked. So markg@test.local works,

Re: [Freeipa-users] HOW to Add employeenumber to user easily? there is account object with emoployee number ttribute

2014-02-06 Thread Sumit Bose
On Thu, Feb 06, 2014 at 04:31:49PM +0800, barry...@gmail.com wrote: Hi: I can make it show on ldap browser or the ui but finding where to add it in command base. ipa user-mod ---employeenumber no such parameter. There is no specific option for employeenumber, but you can set the

Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-10 Thread Sumit Bose
On Mon, Feb 10, 2014 at 10:55:33AM -0500, Steve Dainard wrote: I've setup RHEL 7 beta IPA with a trust to an AD domain. When I use an AD domain login it takes roughly 9-14 seconds to get to a shell after entering a password. Is there any way to speed this process up? I thought supplemental

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote: I work in environment where the AD is the DC of the windows machines , while the linux machines (RHEL 5\6) are not centrally managed. I would like to create an IPA server to manage the linux machines while creating a trust with

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote: On 12.2.2014 11:32, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Genadi Postrilko wrote: What about adding alias DNS record of hostname.ipa.zone.corp to all linux machines, so they will keep the old FQDM. What would it give to you?

Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-12 Thread Sumit Bose
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote: Sure: ... (0x0400): Attempting kinit for realm [MIOVISION.CORP] (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt] (0x0400): TGT verified using key for [host/snapshot-test.miolinux.c...@miolinux.corp]. (Mon

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-17 Thread Sumit Bose
On Sat, Feb 15, 2014 at 12:14:58AM +0200, Genadi Postrilko wrote: I have seen threads where opened on trust issues: AD - Freeipa trust confusion Cross domain trust Cannot loging via SSH with AD user TO IPA Domain - which I opened. It looks like after creation of trust, TGT ticket can be

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-18 Thread Sumit Bose
On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote: Thank you for the help! I have performed downgrade: yum downgrade samba4* [root@ipaserver1 ~]# rpm -qa | grep samb samba4-python-4.0.0-58.el6.rc4.x86_64 samba4-winbind-4.0.0-58.el6.rc4.x86_64

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-19 Thread Sumit Bose
11:38 GMT+02:00 Sumit Bose sb...@redhat.com: On Tue, Feb 18, 2014 at 01:11:38AM +0200, Genadi Postrilko wrote: Thank you for the help! I have performed downgrade: yum downgrade samba4* [root@ipaserver1 ~]# rpm -qa | grep samb samba4-python-4.0.0-58.el6.rc4.x86_64 samba4

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-24 Thread Sumit Bose
On Fri, Feb 21, 2014 at 11:17:38PM +0200, Genadi Postrilko wrote: I would like to clarify myself, i wasn't accurate when i compared it to : https://bugzilla.redhat.com/show_bug.cgi?id=878564. ... *But kinit with AD users failed:* [root@ipaserver1 ~]# kinit gen...@adexample.com kinit:

Re: [Freeipa-users] Sudo denied on first attempt, allowed on second attempt

2014-02-24 Thread Sumit Bose
On Mon, Feb 24, 2014 at 10:46:19AM -0500, Pavel Brezina wrote: Hi, I wasn't able to reproduce with membership setup exactly like this. I have already seen similar problem once, unfortunately the user stopped responding before we could reach the root cause. I think it is correct from the

Re: [Freeipa-users] Password issues

2014-03-06 Thread Sumit Bose
On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote: Strange behavior now with our passwords (and we still haven't solved our problem with the ipa command, but at least with script, we have a workaround): I noticed yesterday morning that my password, which has the following policy,

Re: [Freeipa-users] Migration mode

2014-03-10 Thread Sumit Bose
On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote: On 10-03-14 17:03, Lukas Slebodnik wrote: On (10/03/14 16:58), Lukas Slebodnik wrote: On (10/03/14 16:35), Jitse Klomp wrote: On 10-03-14 16:10, Lukas Slebodnik wrote: On (10/03/14 15:19), Jitse Klomp wrote: On 10-03-14 14:59,

Re: [Freeipa-users] Migration mode

2014-03-10 Thread Sumit Bose
On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote: On 10-03-14 18:57, Sumit Bose wrote: On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote: On 10-03-14 17:03, Lukas Slebodnik wrote: On (10/03/14 16:58), Lukas Slebodnik wrote: On (10/03/14 16:35), Jitse Klomp wrote: On 10

Re: [Freeipa-users] Migration mode

2014-03-10 Thread Sumit Bose
On Mon, Mar 10, 2014 at 09:10:01PM +0100, Jitse Klomp wrote: On 10-03-14 20:34, Sumit Bose wrote: On Mon, Mar 10, 2014 at 07:56:07PM +0100, Jitse Klomp wrote: On 10-03-14 18:57, Sumit Bose wrote: On Mon, Mar 10, 2014 at 05:23:59PM +0100, Jitse Klomp wrote: On 10-03-14 17:03, Lukas Slebodnik

Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Sumit Bose
On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote: [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200 (Mon Mar

Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

2014-04-10 Thread Sumit Bose
On Thu, Apr 10, 2014 at 11:55:05AM -0400, rashard.ke...@sita.aero wrote: I can run commands after changing the permissions on the files, but why is it generating files that are not world readable? [rkelly@replicahostname ~]$ ll total 84 -rw-r--r-- 1 rootroot 2428 Apr 9 22:34

Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

2014-04-10 Thread Sumit Bose
. SELINUXTYPE=targeted Thank You, Rashard Kelly From: Sumit Bose sb...@redhat.com To: rashard.ke...@sita.aero Cc: freeipa-users@redhat.com Date: 04/10/2014 12:31 PM Subject:Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials On Thu, Apr 10

Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

2014-04-11 Thread Sumit Bose
, Sumit Thank You, Rashard Kelly From: Alexander Bokovoy aboko...@redhat.com To: rashard.ke...@sita.aero Cc: Sumit Bose sb...@redhat.com, freeipa-users@redhat.com Date: 04/11/2014 09:06 AM Subject:Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos

Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

2014-04-11 Thread Sumit Bose
for the file and id will show yours. HTH bye, Sumit Thank You, Rashard Kelly SITA Senior Linux Specialist From: Sumit Bose sb...@redhat.com To: rashard.ke...@sita.aero Cc: Alexander Bokovoy aboko...@redhat.com, freeipa-users@redhat.com Date: 04/11/2014 09:54 AM Subject

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-16 Thread Sumit Bose
On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote: Yes DNS is working fine and is able to return the IP address of the AD server. [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com ; DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 SRV _ldap._ tcp.ad.idm.example.com ;;

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-19 Thread Sumit Bose
On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: Hi Let me start from the beginning once again. Let me explain to you what steps I followed during the setup. I am setting up the environment in Amazon AWS, both Windows AD server and Linux IPA configured in EC2. For

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-20 Thread Sumit Bose
files in a tar/zip archive and send the archive. If you think the archive is too large for a mailing-list feel free to send them to me directly. bye, Sumit On Mon, May 19, 2014 at 4:45 PM, Sumit Bose sb...@redhat.com wrote: On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: Hi

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-20 Thread Sumit Bose
20, 2014 at 12:38 PM, Sumit Bose sb...@redhat.com wrote: On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote: Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself

Re: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together

2014-05-22 Thread Sumit Bose
On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote: Hello, I need some help with getting Samba and FreeIPA working together. I’ve been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out of date for IPAv3 and I need

Re: [Freeipa-users] Trust services

2014-05-28 Thread Sumit Bose
On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: I would like to know, if having configured trusts services between FreeIPA and Active Directory, allow AD users to authenticate in services that are only configured to authenticate against FreeIPA. For example, having configured the

Re: [Freeipa-users] Some computers cannot get Some users logged in.

2014-05-30 Thread Sumit Bose
On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote: Hi, Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background. The Linux boxes were joined

Re: [Freeipa-users] Trust services

2014-06-02 Thread Sumit Bose
On Fri, May 30, 2014 at 09:23:58PM -0300, tizo wrote: On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal d...@redhat.com wrote: On 05/30/2014 05:00 PM, tizo wrote: From: Alexander Bokovoy abokovoy redhat com To: Sumit Bose sbose redhat com Cc: freeipa-users redhat com

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Sumit Bose
On Wed, Jun 04, 2014 at 12:24:11PM +, Johan Petersson wrote: Mail got posted before I was finished, sorry. I found one clue to the issue after increasing autofs logging to debug and as I thought it has to do with id-mapping. From /var/log/messages: Nfsidmap[1696]: nss_getpwnam: name

Re: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together

2014-06-04 Thread Sumit Bose
, Sumit Bose wrote: On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote: Hello, I need some help with getting Samba and FreeIPA working together. I’ve been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out

Re: [Freeipa-users] Some computers cannot get Some users logged in.

2014-06-06 Thread Sumit Bose
: Hi, I didn't migrate the passwords. All users started with a new default on IPA. The new user foo doesn't exist on the AD system but can login successfully using IPA credentials on a migrated system. On Fri, May 30, 2014 at 12:35 AM, Sumit Bose sb...@redhat.com wrote: On Thu

Re: [Freeipa-users] External collaboration edits

2014-06-11 Thread Sumit Bose
On Sat, Jun 07, 2014 at 09:21:29PM +, Nordgren, Bryce L -FS wrote: Dimitri, thanks for the reply! Pls forgive my lateness. I fear I am not currently up to fighting with MS Outlook to convince it to let me respond inline. It wants to block quote your entire message and if I type in the

Re: [Freeipa-users] convert krbExtraData password to plain text

2014-06-16 Thread Sumit Bose
On Mon, Jun 16, 2014 at 12:28:09AM -0400, Dmitri Pal wrote: On 06/16/2014 12:20 AM, barry...@gmail.com wrote: Dear all: Is it possible to query freeipa's account password and display it in plain text, or convert krbExtraData to plaintext, rather than reset it? Regards barry

Re: [Freeipa-users] IPA + AD Integration - Auditor wants verification of integration

2014-06-25 Thread Sumit Bose
On Wed, Jun 25, 2014 at 08:36:49AM -0400, Mark Gardner wrote: Since this information isn't in the Web Interface, how do I query the ipa ldap server to prove that IPA is talking to our AD server in order to get identity and authorization information? Yes we know we've established a

Re: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

2014-06-30 Thread Sumit Bose
On Fri, Jun 27, 2014 at 02:23:47PM -0400, Mark Gardner wrote: Was trying to add an external ad group to IPA, it kept failing with unable to connect to server. Figured I'd reboot to clear things up. Oops. Now wbinfo --online-status shows our AD as offline. wbinfo -u shows blank wbinfo
