Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
Hmm, weird. I ran ipa-adtrust-install and it said it had users without SIDs, and I told it to generate SIDs. However, I still can't see them on the user. An IPA-db doesn't reveal them being generated and I can't look them up via LDAP. ldapsearch -Y GSSAPI uid=th ipaNTHash ... #

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
Same result... ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th ipaNTHash Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-29 Thread Troels Hansen
I should think so: On IPA server. ipa role-show 'CIFS server' Role name: CIFS server Privileges: CIFS server privilege Member services: cifs/tinkerbell.casalogic@casalogic.lan ipa privilege-show 'CIFS server privilege' Privilege name: CIFS server privilege Permissions: CIFS test,

[Freeipa-users] FreeIPA and Samba4

2015-10-27 Thread Troels Hansen
rently 4.1 -- Kind regards, Troels Hansen System Consultant Casalogic A/S T (+45) 70 20 10 63 M (+45) 22 43 71 57 Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.c

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-03 Thread Troels Hansen
Hi again, so I finally got time to look further into this. This task works: dn: cn=$TIME-$FQDN-$LIBARCH,cn=ipa-sidgen-task,cn=tasks,cn=config add:objectclass:top,extensibleObject add:cn:$TIME-$FQDN-$LIBARCH add:nsslapd-basedn:"$SUFFIX" add:delay:0 add:ttl:3600 However, the task gets generated,

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
Hi Alexander, sorry for the last update directly to you, this was not intended. Anyway, shouldn't I be able to check the status of task added by ipa-adtrust-install directly by just issuing a: ldapsearch -D "cn=Directory Manager" -W -b 'cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config' All I

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
ater_NonUpgrade: INFO: The ipa-ldap-updater command was successful Where did you find the source for the sidgen task? I could try looking at it myself, but can't find it.

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
I can't see why I should get a constraint violation? Am I missing something? Tried with a filter, without ttl, delay etc., nsslapd-basedn instead of basedn, but no luck. Am I missing something? As a test, I tried creating the task from your example, and this runs fine.

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-03 Thread Troels Hansen
can't find it saved in the LDAP anywhere? - On Nov 3, 2015, at 1:36 PM, Sumit Bose sb...@redhat.com wrote: > On Tue, Nov 03, 2015 at 01:09:53PM +0100, Troels Hansen wrote: >> Hi again, so I finally got time to look further into this. >> >> This task works: >> >>

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-05 Thread Troels Hansen
- On Nov 4, 2015, at 4:03 PM, Sumit Bose sb...@redhat.com wrote: > > do you see any more details if you run pdbedit with '-d 255' ? > Not really: pdbedit -d 255 -Lv th ... check lock order 1 for /var/lib/samba/private/secrets.tdb lock order: 1:/var/lib/samba/private/secrets.tdb

Re: [Freeipa-users] FreeIPA and Samba4

2015-11-04 Thread Troels Hansen
have gone wrong in my shifting round in the ranges and this somehow causes ipasam to segfault. Could I just delete the ipaNTSecurityIdentifier directly in LDAP and let the SID generation run again, or does someone have a good idea to have the SIDs reset? - On Nov 3, 2015, at 8:06 PM, Troel

Re: [Freeipa-users] FreeIPA and Samba4

2015-10-30 Thread Troels Hansen
as my ipa service. > --Joshua D Doll > On Thu, Oct 29, 2015 at 3:09 PM Troels Hansen < t...@casalogic.dk > wrote: >> Same result... >> ldapsearch -h kenai.casalogic.lan -D 'cn=Directory Manager' -x -W uid=th >> ipaNTHash >> Enter LDAP Password: >> # extended LDIF >> # >> # LDAPv3 >> # base

Re: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
ulb A record: 192.168.20.252 TXT record: "009143ca16c9890339c7ec33825e0da5ce" . # ipa --version VERSION: 4.2.0, API_VERSION: 2.156 > I would say that there weren't any changes in 4.2 -> 4.3 it this area. > So not sure why the behavior in your case is opposite. > >

[Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
2 TXT record: "009143ca16c9890339c7ec33825e0da5ce" I can dig it: # dig "LIFX Bulb.casalogic.lan" A .. ;; ANSWER SECTION: LIFX\032Bulb.casalogic.lan. 1800 IN A 192.168.20.252 However, something goes wrong in the web interface. I'm running IPA 4.2.0 --

Re: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()

2016-03-22 Thread Troels Hansen
- On Mar 22, 2016, at 12:34 PM, Petr Spacek pspa...@redhat.com wrote: > > Have you tried > # ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb' > ? > > I suspect that Bash is playing escaping game with you. > Same result.. ipa dnsrecord-show casalogic.lan. 'LIFX\032Bulb' ipa: ERROR:

Re: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()

2016-03-23 Thread Troels Hansen
- On Mar 23, 2016, at 10:37 AM, Petr Spacek pspa...@redhat.com wrote: > > Interesting, I'm curious how the data in LDAP look like. > > Please run ldapsearch command similar to this: > > $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' '(idnsName=*LIFX*)' > # LIFX Bulb,

Re: [Freeipa-users] Error in IPA webinterface then DNS name contains \032 ()

2016-03-23 Thread Troels Hansen
> > # LIFX Bulb, casalogic.lan, dns, casalogic.lan > dn: idnsName=LIFX Bulb,idnsname=casalogic.lan,cn=dns,dc=casalogic,dc=lan > dNSTTL: 1800 > tXTRecord: "009143ca16c9890339c7ec33825e0da5ce" > aRecord: 192.168.20.252 > objectClass: idnsRecord > objectClass: top > idnsName: LIFX Bulb Which

[Freeipa-users] Possible bug in SSSD/IPA/AD trust

2016-08-11 Thread Troels Hansen
Hi, we are currently working on a larger IPA test project and I have a problem which has been bugging me for some time now: On the client we have set "full_name_format = %1$s" to have users presented without the AD domain part. However, this seems to make SSSD not look up a user's group

[Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
0.el7_2.12 Anyone having any clues on how to proceed? Could of course just raise it as a RedHat support case, but quite a lot of genius people sit in here :-)

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
Solved it myself. http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html Apparently it's well known, and will be solved in 7.3 - On Aug 4, 2016, at 1:56 PM, Troels Hansen t...@casalogic.dk wrote: > Hmm, well, yes, it did: > > (Thu Aug 4 13:46:58 2016) [[sssd[k

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
, setting ldap_user_principal in the domain part to something non-existing doesn't seem to work. - On Aug 4, 2016, at 1:22 PM, Jakub Hrozek jhro...@redhat.com wrote: > On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote: >> Hi, we have set up IPA in a AD trust and is about

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
code 1432158209 Any reason for this not working on a normal client? - On Aug 4, 2016, at 2:31 PM, Troels Hansen t...@casalogic.dk wrote: > Solved it myself. > > http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html > > Apparently it's well known, and will b

[Freeipa-users] headless ipa client join using kerberos ticket

2016-08-11 Thread Troels Hansen
I can see this has been discussed a lot here, but I still can't seem to find the correct answer, so bear with me if I'm asking a question already answered. I'm trying to create a user that can be used for (headless) joining our RHEL clients to IPA. Here is what has been done:

Re: [Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
You mean the /var/log/dirsrv//error right? Clean except for when I do ipa backup, which actually doesn't look like errors, but more info.. However, sometimes, at 0:20 I have: [07/Jul/2016:00:15:41 +0200] NSMMReplicationPlugin - replication keep alive entry

[Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
0200] conn=370373 op=1 UNBIND [07/Jul/2016:19:38:19 +0200] conn=370373 op=1 fd=118 closed - U1 Anyone having any clues about where to look?

[Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
Hi, I have an sssd client which is currently causing problems when looking up IPA / AD users. # getent passwd drext...@net.dr.dk returns nothing. # getent passwd ad...@linux.dr.dk ad...@linux.dr.dk:*:1:1:admin admin:/home/admin:/bin/bash works, so it can see the IPA domain. Tried

Re: [Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
think I'm circling around the solution as both lookup and ssh login work on the IPA server. - On Aug 9, 2016, at 1:19 PM, Jakub Hrozek jhro...@redhat.com wrote: > On Tue, Aug 09, 2016 at 12:34:04PM +0200, Troels Hansen wrote: >> Hi, I have an sssd client which is currently cau

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-09 Thread Troels Hansen
Hmm, can't get it to work, but right now it looks like I have other problems.. I'll try to follow up on this if the problem continues when I get the other problems solved. > > Can you clear the caches on the client? The client receives the principals > from the server the same way as it

Re: [Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
sssd krb5 commits looking to be related to password change? - On Aug 9, 2016, at 2:29 PM, Troels Hansen t...@casalogic.dk wrote: > - On Aug 9, 2016, at 2:09 PM, Jakub Hrozek jhro...@redhat.com wrote: > > >>> >>> So, it currently works in the curren

Re: [Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
- On Aug 9, 2016, at 1:57 PM, Jakub Hrozek jhro...@redhat.com wrote: >> >> If I set it >> "full_name_format = %1$s" > > Yes, this only works with 1.14.0 or newer. >> So, it currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but only on the server, but not on a pure IPA

Re: [Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
- On Aug 9, 2016, at 3:16 PM, Jakub Hrozek jhro...@redhat.com wrote: >> >> What does "Cannot handle password prompts" mean? the only thing I can find is >> some sssd krb5 commits looking to be related to password change? > > I'm not sure this is related, can you paste more context?

Re: [Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

2016-08-09 Thread Troels Hansen
- On Aug 9, 2016, at 2:09 PM, Jakub Hrozek jhro...@redhat.com wrote: >> >> So, it currently works in the current RedHat (sssd-ipa-1.13.0-40.el7_2.12) but >> only on the server, but not on a pure IPA client, but will work in 1.14.0? > > I would not recommend this setting on the server,

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Troels Hansen
Hmm, suspect it's happening on the server.. though I haven't been able to pinpoint a log entry that confirms my suspicion. I have pinpointed the timeout to happen 58 seconds after completely removing the SSSD cache and restarting SSSD, which leads me to think my issue is related to

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Troels Hansen
to find documented anywhere. Isn't the SSSD group cache on the IPA servers supposed to be used when an sssd client requests a user? - On Feb 1, 2017, at 9:53 AM, Troels Hansen t...@casalogic.dk wrote: > Hmm, suspect it's happening on the server.. though I haven't been able to > pinp

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-07 Thread Troels Hansen
ficant performance boost. Please note that id > aduser@ad_domain would still return all the correct groups! > ==snip== > > > Dan > > On Feb 6, 2017, at 1:59 AM, Troels Hansen <t...@casalogic.dk> wrote: > > Hi > > I'm aware of the anatomy of how the l

Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-08 Thread Troels Hansen

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-08 Thread Troels Hansen
modate large numbers of concurrent AD lookups, this improved the > performance of our environment and solved many issues. > > Dan > >> On Feb 8, 2017, at 1:27 AM, Troels Hansen <t...@casalogic.dk> wrote: >> >> No, ignore_group_members option is already set. >

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-06 Thread Troels Hansen
press.com/2015/03/11/anatomy-of-sssd-user-lookup/ > > Dan > > >> On Feb 1, 2017, at 4:32 AM, Troels Hansen <t...@casalogic.dk> wrote: >> >>> From looking at a TCP dump, I can see that if a client requests an AD user >>> from >>> IPA, I

[Freeipa-users] Needs help understand this timeout issue

2017-01-30 Thread Troels Hansen
Hi there I'm trying to debug a strange IPA timeout issue. It's SSSD 1.14, IPA 4.4, RHEL 7.3. 2 IPA servers in AD trust. Besides being a bit slow on group membership lookups on users with a moderate number of Groups, there are some users with a HUGE amount of nested groups. A server

[Freeipa-users] IPA and SSSD sudo

2017-02-15 Thread Troels Hansen
Hi there We have a strange problem... We're trying to override options in sudo rules from IPA, in this case secure_path: sudo -ll reports: RunAsUsers: root Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, secure_path=/bin:/usr/bin:/usr/local/bin Commands:

Re: [Freeipa-users] IPA and SSSD sudo

2017-02-15 Thread Troels Hansen
PM, Jakub Hrozek jhro...@redhat.com wrote: > On Wed, Feb 15, 2017 at 11:04:47AM +0100, Troels Hansen wrote: >> Hi there >> >> We have a strange problem... >> >> We're trying to override options in sudo rules from IPA, in this case >> secure_path:

[Freeipa-users] Kerberos - Weblogic SSO in IPA

2017-02-27 Thread Troels Hansen

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-28 Thread Troels Hansen
Hi all Just wanted to follow up on this as I created a case with RedHat, and here are their findings, for all of you to share: From RedHat support: -- As per the current discussion with our engineering team. --- The client requests info about a user. This goes to the

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
ozek jhro...@redhat.com wrote: > On Tue, Aug 23, 2016 at 03:17:48PM +0200, Troels Hansen wrote: >> Running RHEL 7.2: >> >> ipa-client-4.2.0-15.el7_2.18 >> sssd-ipa-1.13.0-40.el7_2.12.x86_64 >> ipa-server-4.2.0-15.el7_2.18.x86_64 >> >> I have a sudo r

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem https://fedorahosted.org/sssd/ticket/2919 Am I correct? - On Aug 25, 2016, at 9:24 AM, Troels Hansen t...@casalogic.dk wrote: > Hmm, sometimes the man page actually helps > > It seem

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
their full login including domain - Setting default_domain_suffix to help the users and efficiently break SUDO? Can this be true? - On Aug 25, 2016, at 8:42 AM, Troels Hansen t...@casalogic.dk wrote: > Yes and no > > Have tried setting it to both true and false, but doesn't make

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
logging in. - On Aug 25, 2016, at 10:48 AM, Lukas Slebodnik lsleb...@redhat.com wrote: > On (25/08/16 10:05), Troels Hansen wrote: >>Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem >> >>https://fedorahosted.org/sssd/ticket/2919 >> > Me

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 10:31 AM, Sumit Bose sb...@redhat.com wrote: > > So I guess there is no cross-realm ticket either, i.e. > krbtgt/IPA.DOMAIN@AD.DOMAIN. Can you check on AD if the IPA DNS domain > is listed in the 'Name Suffix Routing' tab in the trust properties of > the IPA domain?

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 9:43 AM, Sumit Bose sb...@redhat.com wrote: > Additionally please check the klist output on the Windows client. It > should show the host principal of the Linux client > (host/client.ipa.domain@IPA.DOMAIN). If the principal is there the sshd > logs on the Linux client

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 9:55 AM, Alexander Bokovoy aboko...@redhat.com wrote: > "Target was not recognized" means AD DC doesn't know that > rhel02edv.linux.dr.dk belongs to LINUX.DR.DK realm and thus has to > forward the authentication requests there. > > What do you have in the trust

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 10:17 AM, Troels Hansen t...@casalogic.dk wrote: > > Yes, it's correct, there is no routing configured. > I can't seem to be able to add it manually, and auto refresh doesn't work: > https://fedorahosted.org/freeipa/ticket/5683 > According to the docs

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
- On Sep 7, 2016, at 10:36 AM, Alexander Bokovoy aboko...@redhat.com wrote: > How exactly did you establish the trust? I see you have one-way trust > but did you establish it with AD admin credentials or using a shared > secret? If the latter, it is a known issue that AD does not activate the

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-09-05 Thread Troels Hansen
- On Sep 2, 2016, at 9:56 AM, Jakub Hrozek jhro...@redhat.com wrote: >> >We were debugging this yesterday with Troels and the logs said it's: >> >https://fedorahosted.org/sssd/ticket/3127 >> > >> Fixed version is in 1.14 copr > > Thank you, btw another affected user confirmed that the

Re: [Freeipa-users] SSH login using putty from Windows to SSSD client in IPA AD trust

2016-09-07 Thread Troels Hansen
entication initialisation failed Event Log: The target was not recognized. - On Sep 7, 2016, at 9:27 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Wed, 07 Sep 2016, Troels Hansen wrote: >> Running RHEL 7.2, IPA 4.2 and SSSD 1.13, we have set up an IPA-AD trust &

[Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
ipa-client (and ipa-server) RPM requires ntp. Shouldn't it be sufficient to req

[Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
Not sure if this should actually go here? ipa-client (and ipa-server) RPM requires ntp. Shouldn't it be sufficient to require any tool that provides ntp functionality (at least ntp and chrony exist in RHEL)?

Re: [Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
Sorry for this half-written email.. - On Sep 12, 2016, at 2:00 PM, Troels Hansen <t...@casalogic.dk> wrote: > ipa-client (and ipa-server) RPM requires ntp. > Shouldn't it be sufficient to req

Re: [Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
- On Sep 12, 2016, at 2:54 PM, Rob Crittenden rcrit...@redhat.com wrote: > Troels Hansen wrote: >> Not sure if this should actually go here? >> >> ipa-client (and ipa-server) RPM requires ntp. >> Shouldn't it be sufficient to require any tool that provides ntp >

[Freeipa-users] ipa trust-add using password

2016-09-16 Thread Troels Hansen
n't change anything.

[Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Troels Hansen
After we installed a new set of IPA servers for prod, and joined AD using username and password to have AD create a correct suffix routing, everything seems to work, and the suffix routing is created correctly on AD. However, trying to SSH from Windows using Putty and kerberos fails: Putty log

[Freeipa-users] User gecos in IPA-AD trust

2016-09-19 Thread Troels Hansen

Re: [Freeipa-users] ipa trust-add using password

2016-09-19 Thread Troels Hansen
> If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then > /var/log/httpd/error_log will contain detailed debug information from > IPA attempts to talk to AD DCs. > > -- > / Alexander Bokovoy Hi Alexander I added the log level, and had the domain admin try to create the trust, and

Re: [Freeipa-users] Possible bug in SSSD/IPA/AD trust

2016-08-23 Thread Troels Hansen
- On Aug 11, 2016, at 3:56 PM, Jakub Hrozek jhro...@redhat.com wrote: > On Thu, Aug 11, 2016 at 03:11:10PM +0200, Troels Hansen wrote: >> Hi, we are currently working on a larger IPA test project and I have a problem >> which has been bugging me for some time now: > >

[Freeipa-users] SUDO and group lookup in AD trust

2016-08-23 Thread Troels Hansen
doUser @ ./sssd.c:683 := false Soo, a rule is matched, but I'm not in the group? I have tried setting use_fully_qualified_names = true in sssd.conf, but no luck. The sudo is still denied. Am I missing something?

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > About the DNS SRV records, did you add matching records for _udp as > well? I'm not sure if the AD client will fallback to _tcp if they are > missing or just stop? > Ok, finally got some time to debug this. tcpdump'ing

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote: > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The > Kerberos communication is typically started via UDP. But the PAC data in > the ticket is typically larger than a single UDP packet. The KDC tells > the

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-28 Thread Troels Hansen
> Yes, this makes sense as well. If you are not in the forest root you > first need a cross-realm TGT for your domain and the forest root. Then > you need a cross-realm TGT for the forest root and the IPA domain. > > As a next step you should see a request to the IPA KDC to get the actual >

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Troels Hansen
- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > > Do you see any log messages in the krb5kdc.log on the IPA server? If it > is not the firewall I would suggest to record the IP traffic of the AD > client and check what it tries to do after the AD DC sends the >

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-11-06 Thread Troels Hansen
Hi there, I can see that RHEL 7.3 has left beta, and wanted to check this shiny new release that should fix a lot of the problems and current quirks we have, so I went through the release notes on SSSD in RHEL 7.3 and can't see any patches being added since end September, and in particular a

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-11-07 Thread Troels Hansen
> I'm not completely sure which release notes you are referring to, but > this bug was fixed in sssd-1.14.0-32.el7. It's also listed in the > changelog: > > * Fri Sep 2 2016 Jakub Hrozek - 1.14.0-32 > - Resolves: rhbz#1371152 - SSSD qualifies principal twice in IPA-AD trust

Re: [Freeipa-users] URL is changing on the browser

2016-11-14 Thread Troels Hansen
- On Nov 14, 2016, at 9:38 AM, Peter Fern wrote: > I'd be interested to hear from anyone who has a working recipe for > HA/load-balancing (with HAProxy preferably). Cookie rewriting is doable, but I > can't see a way to rewrite the referrer for multiple backend

[Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-22 Thread Troels Hansen
Hi there I'm having a bit of a dilemma. I'm going to set up Samba in an IPA 4.4 / AD trust, and was wondering what the official or best practice method of joining the Samba server is: I see two methods: - The one from

Re: [Freeipa-users] Samba in IPA / AD trust, best practise

2016-11-23 Thread Troels Hansen
- On Nov 23, 2016, at 8:52 AM, Alexander Bokovoy aboko...@redhat.com wrote: > IPA client running Samba server currently can only be configured with > the way described in the wiki, with SSSD-provided libwbclient > replacement. It has its own limitations, namely lack of NTLMSSP >

Re: [Freeipa-users] SSH using putty to IPA client

2016-11-28 Thread Troels Hansen
server! - On Sep 28, 2016, at 11:48 AM, Sumit Bose sb...@redhat.com wrote: > On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote: >> >> > Yes, this makes sense as well. If you are not in the forest root you >> > first need a cross-realm TGT for your

Re: [Freeipa-users] anyone else getting porn spam pretending to be replies to freeipa-users threads?

2016-11-15 Thread Troels Hansen
- On Nov 15, 2016, at 5:32 PM, Chris Dagdigian d...@sonsorol.org wrote: > Got a porn spam today that had a subject header of: > >> Re: [Freeipa-users] URL is changing on the browser > > Have to admit that got through my spam filter and got me to open the email. > > It's clear that it was

Re: [Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Troels Hansen
- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote: > You make it sound as if it is a done deal. It is not, there is a number > of changes that yet not figured out how to do in an efficient way. > > It is in our pipeline for 4.5. It is understandable that people ask

[Freeipa-users] Allow external AD users on webui

2016-10-31 Thread Troels Hansen
Hi there After trying to add external user groups from AD to allow (admin) users to log in to the IPA webUI, by adding the groups to the local admin group and discovering that it didn't work, I found that as far as I can see, it's currently not possible, and found this rather old ticket on the

[Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
I have a strange issue in IPA 4.4.0-12 (RHEL 7.3) Navigating to Identity -> Services reveals 5 services. 2 cifs, 2 dogtag and one empty line... cifs/host1.domain@REALM cifs/host2.domain@REALM dogtag/ipa01.domain@REALM dogtag/ipa02.domain@REALM However, from CLI everything

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
> freeipa-common-4.4.2-1.fc25.noarch >>> freeipa-server-trust-ad-4.4.2-1.fc25.x86_64 >>> freeipa-client-4.4.2-1.fc25.x86_64 >>> freeipa-client-common-4.4.2-1.fc25.noarch >>> F. >>> On Wed, Dec 7, 2016 at 11:13 AM, Troels Hansen < t...@casalogi

Re: [Freeipa-users] Services missing in web-ui

2016-12-07 Thread Troels Hansen
Sorry. Didn't see this. https://bugzilla.redhat.com/show_bug.cgi?id=1387782 - On Dec 7, 2016, at 12:43 PM, Troels Hansen <t...@casalogic.dk> wrote: > Looks great.. Pavel, as a RedHat internal, should I create a ticket to > have > this fixed in the RedHat v

[Freeipa-users] Different cache on 2 IPA servers

2017-01-11 Thread Troels Hansen
Hi, we have just seen a weird issue, which I need some advice on. We have 2 IPA 4.4 servers in an AD trust and a number of Linux clients connected. A little story of what we experienced. We had an AD user which sometimes couldn't log in to a server, because his shell was being set to

Re: [Freeipa-users] Different cache on 2 IPA servers

2017-01-11 Thread Troels Hansen
Hi Sumit - On Jan 11, 2017, at 12:51 PM, Sumit Bose sb...@redhat.com wrote: > > I guess this is because the last update on one server was done with data > from LDAP while the other used data from the Global Catalog. In general > missing data in the GC should not remove the data read from

[Freeipa-users] SLAPD stops answering

2017-01-09 Thread Troels Hansen
minate [06/Jan/2017:07:58:02 +0100] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 However, I see a gazillion of these lines in the error log: DSRetroclPlugin - replog: an error occured while adding change number 3875312, dn = changenumber=3875312,cn=changelog: Already exists

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Troels Hansen
- On Jan 9, 2017, at 3:37 PM, Adam Bishop adam.bis...@jisc.ac.uk wrote: > If you attach strace to the slapd process, do you see repeated (failing) calls > to getpeername()? > Actually, just tried attaching to a running dirsrv (which responds to requests): This also spawns lots of failing

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Troels Hansen
ys the same changenumber which is > reported ? > On 01/09/2017 02:06 PM, Troels Hansen wrote: >> Hi, we have an IPA installation, which obviously needs upgrading. >> It's a single server running RHEL7.1 running IPA 4.1 >> However, it has been running smooth until now: >>