Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Joe DiTommasso]

You don't have to add them as an administrator for login to work, just
sudo. Will send one over in a second.

On Tue, Jun 21, 2016 at 12:11 PM, Cal Sawyer  wrote:

>  ... "have to add the user as an administrator on
> the local machine"?  That's pretty intriguing, but not great security-wise,
> unfortunately.  Not a big deal at the moment, though
>
> ok, just made my user account an admin but it's still dragging on login.
>
> My IPA setup is the same: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> Any chance i could get a denatured plist from you offline, Joe?
>
> cheers
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 21/06/16 16:07, Joe DiTommasso wrote:
>
> No fiddling that I remember. Basically got the setup working once and then
> have been pushing out plist files to all new installs. Graphical login
> works, as does sudo, sort of-still have to add the user as an administrator
> on the local machine, but then their kerberos password works for
> authentication. Running up-to-date-ish IPA 4 on CentOS 7.
>
> jdito@sum-freeipa-01:~$ rpm -qa | grep ipa
>
> *ipa*-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> python-in*ipa*rse-0.4-9.el7.noarch
>
> *ipa*-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> sssd-*ipa*-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> python-lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64
>
> *ipa*-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Let me know what you'd like to see from my config. Thanks for the tip on
> the secondary groups-I already had that in there, but looking at it
> realized that I needed to point at the compat tree, because the regular one
> doesn't expose memberUID.
>
> On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer  wrote:
>
>> Wow, that's surprising, Joe.  I'm also using the linsec recipe. Yours
>> required no fiddling?   You can login straight off from the graphical
>> loginWindow?
>>
>> Yes, very interested in any help you can offer.  Are you authenticating
>> against IPA 3 or 4, for sake of curiosity.
>>
>> BTW:  you can get your secondary groups by:
>>
>> In Groups add attribute 'GroupMembership' mapped to 'memberUID'
>>
>> thanks!
>>
>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>> 15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575 | www.blue-bolt.com
>>
>> On 21/06/16 15:07, Joe DiTommasso wrote:
>>
>> I've actually got a whole stack of El Capitan clients authenticating
>> against FreeIPA:
>>
>> mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
>> Software:
>>
>> System Software Overview:
>>
>>   System Version: OS X 10.11.5 (15F34)
>>   Kernel Version: Darwin 15.5.0
>>   Boot Volume: Macintosh HD
>>   Boot Mode: Normal
>>   Computer Name: admin’s Mac mini
>>   User Name: Joe DiTommasso (jdito)
>>   Secure Virtual Memory: Enabled
>>   System Integrity Protection: Enabled
>>   Time since boot: 14 days 15:00
>>
>> The Linsec guide worked for me. The only real issue is that it only sees
>> the user's primary group, and not supplemental groups. I'm not terribly
>> good with Macs, but happy to assist in troubleshooting.
>>
>> Joe
>>
>> On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer < 
>> ca...@blue-bolt.com> wrote:
>>
>>> As usual, apologies for any formatting issues due to extracting message
>>> threads out of digests ...
>>>
>>> Anyhow., i have determined where everything goes terribly wrong with OSX
>>> clients:  OSX 10.10.3 ("out of the box" Yosemite) works fine using
>>> linsec.ca's guidance.  However, the second you patch to 10.10.5 or
>>> upgrade to El Capitan (10.11.5), authentication fails absolutely in the
>>> ways described in earlier threads.  Colleagues who i've spoken with who are
>>> trying to set up IPA at their facilities report the same problem and it's a
>>> total show-stopper.  Interesting how all(?) of what is written on the topic
>>> of OSX and IPA dries up after 10.8, although we've seen in an earlier
>>> thread reports of 10.9 working.  I've repeated this test a few times and
>>> the result is always the same. - 10.10.3 is the last OSX capable of
>>> authenticating against IPA using currently available knowledge.
>>>
>>> Running tcpdump on 10.10.3 and a 10.10.5 clients show very different
>>> authentication dialogues.  I'm afraid, however, that i lack the skills to
>>> interpret where exactly the later OSX release is failing. I have my
>>> (unfounded) suspicions - that SASL binding for LDAP and kerberos are
>>> implicated. 10.10.3 certainly shows no kerberos transactions whereas 10.10.5
>>>
>>> Re DNS: both client types resolve all SRV records hosted in IPA fine.  I
>>> even went so far as setting up rudimentary ipv6 as there were some 
>>> requests that were going unanswered and it thought it might related (not,
>>> as it turns out)
>>>
>>> So, would anyone on the I

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Cal Sawyer]

 ... "have to add the user as an administrator on 
the local machine"?  That's pretty intriguing, but not great 
security-wise, unfortunately.  Not a big deal at the moment, though


ok, just made my user account an admin but it's still dragging on login.

My IPA setup is the same: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

Any chance i could get a denatured plist from you offline, Joe?

cheers

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 21/06/16 16:07, Joe DiTommasso wrote:
No fiddling that I remember. Basically got the setup working once and 
then have been pushing out plist files to all new installs. Graphical 
login works, as does sudo, sort of-still have to add the user as an 
administrator on the local machine, but then their kerberos password 
works for authentication. Running up-to-date-ish IPA 4 on CentOS 7.


jdito@sum-freeipa-01:~$ rpm -qa | grep ipa

*ipa*-python-4.2.0-15.0.1.el7.centos.6.1.x86_64

lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64

*ipa*-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

python-in*ipa*rse-0.4-9.el7.noarch

*ipa*-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64

sssd-*ipa*-1.13.0-40.el7_2.4.x86_64

*ipa*-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

python-lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64

*ipa*-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64


Let me know what you'd like to see from my config. Thanks for the tip 
on the secondary groups-I already had that in there, but looking at it 
realized that I needed to point at the compat tree, because the 
regular one doesn't expose memberUID.



On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer > wrote:


Wow, that's surprising, Joe.  I'm also using the linsec recipe.
Yours required no fiddling?   You can login straight off from the
graphical loginWindow?

Yes, very interested in any help you can offer.  Are you
authenticating against IPA 3 or 4, for sake of curiosity.

BTW:  you can get your secondary groups by:

In Groups add attribute 'GroupMembership' mapped to 'memberUID'

thanks!

Cal Sawyer | Systems Engineer | BlueBolt Ltd 15-16 Margaret Street
| London W1W 8RW +44 (0)20 7637 5575
  |www.blue-bolt.com 


On 21/06/16 15:07, Joe DiTommasso wrote:

I've actually got a whole stack of El Capitan clients
authenticating against FreeIPA:

mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
Software:

System Software Overview:

  System Version: OS X 10.11.5 (15F34)
  Kernel Version: Darwin 15.5.0
  Boot Volume: Macintosh HD
  Boot Mode: Normal
  Computer Name: admin’s Mac mini
  User Name: Joe DiTommasso (jdito)
  Secure Virtual Memory: Enabled
  System Integrity Protection: Enabled
  Time since boot: 14 days 15:00

The Linsec guide worked for me. The only real issue is that it
only sees the user's primary group, and not supplemental groups.
I'm not terribly good with Macs, but happy to assist in
troubleshooting.

Joe

On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer mailto:ca...@blue-bolt.com>> wrote:

As usual, apologies for any formatting issues due to
extracting message threads out of digests ...

Anyhow., i have determined where everything goes terribly
wrong with OSX clients:  OSX 10.10.3 ("out of the box"
Yosemite) works fine using linsec.ca 's
guidance.  However, the second you patch to 10.10.5 or
upgrade to El Capitan (10.11.5), authentication fails
absolutely in the ways described in earlier threads. 
Colleagues who i've spoken with who are trying to set up IPA

at their facilities report the same problem and it's a total
show-stopper. Interesting how all(?) of what is written on
the topic of OSX and IPA dries up after 10.8, although we've
seen in an earlier thread reports of 10.9 working.  I've
repeated this test a few times and the result is always the
same. - 10.10.3 is the last OSX capable of authenticating
against IPA using currently available knowledge.

Running tcpdump on 10.10.3 and a 10.10.5 clients show very
different authentication dialogues.  I'm afraid, however,
that i lack the skills to interpret where exactly the later
OSX release is failing. I have my (unfounded) suspicions -
that SASL binding for LDAP and kerberos are implicated.
10.10.3 certainly shows no kerberos transactions whereas 10.10.5

Re DNS: both client types resolve all SRV records hosted in
IPA fine.  I even went so far as setting up rudimentary ipv6
as there were some  requests that were going unanswered
and it thought it might related (not, as it turns out)

So, would anyone on the IPA team be interested in look

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Joe DiTommasso]

No fiddling that I remember. Basically got the setup working once and then
have been pushing out plist files to all new installs. Graphical login
works, as does sudo, sort of-still have to add the user as an administrator
on the local machine, but then their kerberos password works for
authentication. Running up-to-date-ish IPA 4 on CentOS 7.

jdito@sum-freeipa-01:~$ rpm -qa | grep ipa

*ipa*-python-4.2.0-15.0.1.el7.centos.6.1.x86_64

lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64

*ipa*-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

python-in*ipa*rse-0.4-9.el7.noarch

*ipa*-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64

sssd-*ipa*-1.13.0-40.el7_2.4.x86_64

*ipa*-client-4.2.0-15.0.1.el7.centos.6.1.x86_64

python-lib*ipa*_hbac-1.13.0-40.el7_2.4.x86_64

*ipa*-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64


Let me know what you'd like to see from my config. Thanks for the tip on
the secondary groups-I already had that in there, but looking at it
realized that I needed to point at the compat tree, because the regular one
doesn't expose memberUID.

On Tue, Jun 21, 2016 at 10:42 AM, Cal Sawyer  wrote:

> Wow, that's surprising, Joe.  I'm also using the linsec recipe. Yours
> required no fiddling?   You can login straight off from the graphical
> loginWindow?
>
> Yes, very interested in any help you can offer.  Are you authenticating
> against IPA 3 or 4, for sake of curiosity.
>
> BTW:  you can get your secondary groups by:
>
> In Groups add attribute 'GroupMembership' mapped to 'memberUID'
>
> thanks!
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 21/06/16 15:07, Joe DiTommasso wrote:
>
> I've actually got a whole stack of El Capitan clients authenticating
> against FreeIPA:
>
> mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
> Software:
>
> System Software Overview:
>
>   System Version: OS X 10.11.5 (15F34)
>   Kernel Version: Darwin 15.5.0
>   Boot Volume: Macintosh HD
>   Boot Mode: Normal
>   Computer Name: admin’s Mac mini
>   User Name: Joe DiTommasso (jdito)
>   Secure Virtual Memory: Enabled
>   System Integrity Protection: Enabled
>   Time since boot: 14 days 15:00
>
> The Linsec guide worked for me. The only real issue is that it only sees
> the user's primary group, and not supplemental groups. I'm not terribly
> good with Macs, but happy to assist in troubleshooting.
>
> Joe
>
> On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer  wrote:
>
>> As usual, apologies for any formatting issues due to extracting message
>> threads out of digests ...
>>
>> Anyhow., i have determined where everything goes terribly wrong with OSX
>> clients:  OSX 10.10.3 ("out of the box" Yosemite) works fine using
>> linsec.ca's guidance.  However, the second you patch to 10.10.5 or
>> upgrade to El Capitan (10.11.5), authentication fails absolutely in the
>> ways described in earlier threads.  Colleagues who i've spoken with who are
>> trying to set up IPA at their facilities report the same problem and it's a
>> total show-stopper.  Interesting how all(?) of what is written on the topic
>> of OSX and IPA dries up after 10.8, although we've seen in an earlier
>> thread reports of 10.9 working.  I've repeated this test a few times and
>> the result is always the same. - 10.10.3 is the last OSX capable of
>> authenticating against IPA using currently available knowledge.
>>
>> Running tcpdump on 10.10.3 and a 10.10.5 clients show very different
>> authentication dialogues.  I'm afraid, however, that i lack the skills to
>> interpret where exactly the later OSX release is failing. I have my
>> (unfounded) suspicions - that SASL binding for LDAP and kerberos are
>> implicated. 10.10.3 certainly shows no kerberos transactions whereas 10.10.5
>>
>> Re DNS: both client types resolve all SRV records hosted in IPA fine.  I
>> even went so far as setting up rudimentary ipv6 as there were some 
>> requests that were going unanswered and it thought it might related (not,
>> as it turns out)
>>
>> So, would anyone on the IPA team be interested in looking at some packet
>> captures?  I'm completely up for working with you, providing whatever is
>> needed and doing testing.  It would be fantastic to restore IPA-based auth
>> for newer OSX releases.
>>
>> best regards,
>>
>> - cal sawyer
>>
>> From: John Obaterspok  
>> To: Nicola Canepa  
>> Cc: "freeipa-users@redhat.com"  
>>  , Cal Sawyer
>>   
>>
>> Hi, Are you only having problems to login to login to OSX with the IPA
>> user now? If that is the case then check the DNS settings you are using and
>> make sure the IPA server is listed first and that it has full name. Exactly
>> the same problem occurred for me with the slow logins to OSX which was due
>> to the DNS settings and that OSX only used short name of IPA server during
>> login (if I logged in as local user I could ping and lookup hosts using
>> short name) -- john 2015-12-21 17:49 GMT+01:00 Nico

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Cal Sawyer]

Wow, that's surprising, Joe.  I'm also using the linsec recipe. Yours 
required no fiddling?   You can login straight off from the graphical 
loginWindow?


Yes, very interested in any help you can offer.  Are you authenticating 
against IPA 3 or 4, for sake of curiosity.


BTW:  you can get your secondary groups by:

In Groups add attribute 'GroupMembership' mapped to 'memberUID'

thanks!

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 21/06/16 15:07, Joe DiTommasso wrote:
I've actually got a whole stack of El Capitan clients authenticating 
against FreeIPA:


mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
Software:

System Software Overview:

  System Version: OS X 10.11.5 (15F34)
  Kernel Version: Darwin 15.5.0
  Boot Volume: Macintosh HD
  Boot Mode: Normal
  Computer Name: admin’s Mac mini
  User Name: Joe DiTommasso (jdito)
  Secure Virtual Memory: Enabled
  System Integrity Protection: Enabled
  Time since boot: 14 days 15:00

The Linsec guide worked for me. The only real issue is that it only 
sees the user's primary group, and not supplemental groups. I'm not 
terribly good with Macs, but happy to assist in troubleshooting.


Joe

On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer > wrote:


As usual, apologies for any formatting issues due to extracting
message threads out of digests ...

Anyhow., i have determined where everything goes terribly wrong
with OSX clients:  OSX 10.10.3 ("out of the box" Yosemite) works
fine using linsec.ca 's guidance.  However, the
second you patch to 10.10.5 or upgrade to El Capitan (10.11.5),
authentication fails absolutely in the ways described in earlier
threads. Colleagues who i've spoken with who are trying to set up
IPA at their facilities report the same problem and it's a total
show-stopper.  Interesting how all(?) of what is written on the
topic of OSX and IPA dries up after 10.8, although we've seen in
an earlier thread reports of 10.9 working.  I've repeated this
test a few times and the result is always the same. - 10.10.3 is
the last OSX capable of authenticating against IPA using currently
available knowledge.

Running tcpdump on 10.10.3 and a 10.10.5 clients show very
different authentication dialogues.  I'm afraid, however, that i
lack the skills to interpret where exactly the later OSX release
is failing. I have my (unfounded) suspicions - that SASL binding
for LDAP and kerberos are implicated. 10.10.3 certainly shows no
kerberos transactions whereas 10.10.5

Re DNS: both client types resolve all SRV records hosted in IPA
fine.  I even went so far as setting up rudimentary ipv6 as there
were some  requests that were going unanswered and it thought
it might related (not, as it turns out)

So, would anyone on the IPA team be interested in looking at some
packet captures?  I'm completely up for working with you,
providing whatever is needed and doing testing. It would be
fantastic to restore IPA-based auth for newer OSX releases.

best regards,

- cal sawyer

From: John Obaterspok 

To: Nicola Canepa 
Cc:"freeipa-users@redhat.com"   
 ,  Cal Sawyer
 

Hi, Are you only having problems to login to login to OSX
with the IPA user now? If that is the case then check the
DNS settings you are using and make sure the IPA server is
listed first and that it has full name. Exactly the same
problem occurred for me with the slow logins to OSX which
was due to the DNS settings and that OSX only used short
name of IPA server during login (if I logged in as local
user I could ping and lookup hosts using short name) --
john 2015-12-21 17:49 GMT+01:00 Nicola Canepa
 :

I had to configure /etc/krb5.conf, and to avoid the requested 
reboot, I
did a "dscacheutil -flushcache", both as the logged in user and as 
root.
I tried enabling the anonymous bind and now also the directory 
browser
(and all the login process) works as expected.

Nicola

Il 21/12/15 17:39, Cal Sawyer ha scritto:

Thanks, John and Nicola

Kerberos occurred to me as well late in the day yesterday.  Happily 
(?),
knit works fine simply specifying the user in question with no need 
to
suffix with the kerberos realm

I did find that my test user had an expired password, which i fixed 
on the
IPA server.  This was never flagged up unde

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Joe DiTommasso]

I've actually got a whole stack of El Capitan clients authenticating
against FreeIPA:

mac-mini-01:~ jdito$ system_profiler SPSoftwareDataType
Software:

System Software Overview:

  System Version: OS X 10.11.5 (15F34)
  Kernel Version: Darwin 15.5.0
  Boot Volume: Macintosh HD
  Boot Mode: Normal
  Computer Name: admin’s Mac mini
  User Name: Joe DiTommasso (jdito)
  Secure Virtual Memory: Enabled
  System Integrity Protection: Enabled
  Time since boot: 14 days 15:00

The Linsec guide worked for me. The only real issue is that it only sees
the user's primary group, and not supplemental groups. I'm not terribly
good with Macs, but happy to assist in troubleshooting.

Joe

On Tue, Jun 21, 2016 at 9:46 AM, Cal Sawyer  wrote:

> As usual, apologies for any formatting issues due to extracting message
> threads out of digests ...
>
> Anyhow., i have determined where everything goes terribly wrong with OSX
> clients:  OSX 10.10.3 ("out of the box" Yosemite) works fine using
> linsec.ca's guidance.  However, the second you patch to 10.10.5 or
> upgrade to El Capitan (10.11.5), authentication fails absolutely in the
> ways described in earlier threads.  Colleagues who i've spoken with who are
> trying to set up IPA at their facilities report the same problem and it's a
> total show-stopper.  Interesting how all(?) of what is written on the topic
> of OSX and IPA dries up after 10.8, although we've seen in an earlier
> thread reports of 10.9 working.  I've repeated this test a few times and
> the result is always the same. - 10.10.3 is the last OSX capable of
> authenticating against IPA using currently available knowledge.
>
> Running tcpdump on 10.10.3 and a 10.10.5 clients show very different
> authentication dialogues.  I'm afraid, however, that i lack the skills to
> interpret where exactly the later OSX release is failing. I have my
> (unfounded) suspicions - that SASL binding for LDAP and kerberos are
> implicated. 10.10.3 certainly shows no kerberos transactions whereas 10.10.5
>
> Re DNS: both client types resolve all SRV records hosted in IPA fine.  I
> even went so far as setting up rudimentary ipv6 as there were some 
> requests that were going unanswered and it thought it might related (not,
> as it turns out)
>
> So, would anyone on the IPA team be interested in looking at some packet
> captures?  I'm completely up for working with you, providing whatever is
> needed and doing testing.  It would be fantastic to restore IPA-based auth
> for newer OSX releases.
>
> best regards,
>
> - cal sawyer
>
> From: John Obaterspok  
> To: Nicola Canepa  
> Cc: "freeipa-users@redhat.com"  
>  ,  Cal Sawyer
>
>
> Hi, Are you only having problems to login to login to OSX with the IPA
> user now? If that is the case then check the DNS settings you are using and
> make sure the IPA server is listed first and that it has full name. Exactly
> the same problem occurred for me with the slow logins to OSX which was due
> to the DNS settings and that OSX only used short name of IPA server during
> login (if I logged in as local user I could ping and lookup hosts using
> short name) -- john 2015-12-21 17:49 GMT+01:00 Nicola Canepa
>  :
>
> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
> did a "dscacheutil -flushcache", both as the logged in user and as root.
> I tried enabling the anonymous bind and now also the directory browser
> (and all the login process) works as expected.
>
> Nicola
>
> Il 21/12/15 17:39, Cal Sawyer ha scritto:
>
> Thanks, John and Nicola
>
> Kerberos occurred to me as well late in the day yesterday.  Happily (?),
> knit works fine simply specifying the user in question with no need to
> suffix with the kerberos realm
>
> I did find that my test user had an expired password, which i fixed on the
> IPA server.  This was never flagged up under Linux, btw.  It has not change
> anything, however, other than not prompting for password changes that never
> take effect.  Funnily, it expired in the midst of testing - fun.
>
> I was mistaken when i said i was unable to log in - it turns out that it
> takes almost 10 minutes for a login from the frintend to complete - i just
> didn't wait long enough.  10 mins is of course unacceptable :)  "su - user"
> and "login user" fail outright after rejecting accept any user's password
>
> DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
>
> In line with Nicola's experience, i can browse groups and users in the
> Directory Editor and all attributes appear spot on.
>
> Besides modding /etc/pam.d/authorization, adding a corrected
> edu.mit.kerberos to /LibraryPreferences and setting up the directory 
> perlinsec.ca, can anyone think of something i may have missed?  It's a real
> shame that the documentation on this stops around 5 years ago.
>
> IPA devs: is there anything i should be on the lookout for in the dirsrv
> or krb5 logs on the IPA master?  I've disabled the

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Cal Sawyer]

As usual, apologies for any formatting issues due to extracting message 
threads out of digests ...


Anyhow., i have determined where everything goes terribly wrong with OSX 
clients:  OSX 10.10.3 ("out of the box" Yosemite) works fine using 
linsec.ca's guidance.  However, the second you patch to 10.10.5 or 
upgrade to El Capitan (10.11.5), authentication fails absolutely in the 
ways described in earlier threads.  Colleagues who i've spoken with who 
are trying to set up IPA at their facilities report the same problem and 
it's a total show-stopper.  Interesting how all(?) of what is written on 
the topic of OSX and IPA dries up after 10.8, although we've seen in an 
earlier thread reports of 10.9 working.  I've repeated this test a few 
times and the result is always the same. - 10.10.3 is the last OSX 
capable of authenticating against IPA using currently available knowledge.


Running tcpdump on 10.10.3 and a 10.10.5 clients show very different 
authentication dialogues.  I'm afraid, however, that i lack the skills 
to interpret where exactly the later OSX release is failing. I have my 
(unfounded) suspicions - that SASL binding for LDAP and kerberos are 
implicated. 10.10.3 certainly shows no kerberos transactions whereas 10.10.5


Re DNS: both client types resolve all SRV records hosted in IPA fine.  I 
even went so far as setting up rudimentary ipv6 as there were some  
requests that were going unanswered and it thought it might related 
(not, as it turns out)


So, would anyone on the IPA team be interested in looking at some packet 
captures?  I'm completely up for working with you, providing whatever is 
needed and doing testing.  It would be fantastic to restore IPA-based 
auth for newer OSX releases.


best regards,

- cal sawyer

   From: John Obaterspok
   To: Nicola Canepa
   Cc:"freeipa-users@redhat.com"  ,   Cal Sawyer


   Hi, Are you only having problems to login to login to OSX with
   the IPA user now? If that is the case then check the DNS
   settings you are using and make sure the IPA server is listed
   first and that it has full name. Exactly the same problem
   occurred for me with the slow logins to OSX which was due to the
   DNS settings and that OSX only used short name of IPA server
   during login (if I logged in as local user I could ping and
   lookup hosts using short name) -- john 2015-12-21 17:49
   GMT+01:00 Nicola Canepa :

I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
did a "dscacheutil -flushcache", both as the logged in user and as root.
I tried enabling the anonymous bind and now also the directory browser
(and all the login process) works as expected.

Nicola

Il 21/12/15 17:39, Cal Sawyer ha scritto:

Thanks, John and Nicola

Kerberos occurred to me as well late in the day yesterday.  Happily (?),
knit works fine simply specifying the user in question with no need to
suffix with the kerberos realm

I did find that my test user had an expired password, which i fixed on 
the
IPA server.  This was never flagged up under Linux, btw.  It has not 
change
anything, however, other than not prompting for password changes that 
never
take effect.  Funnily, it expired in the midst of testing - fun.

I was mistaken when i said i was unable to log in - it turns out that it
takes almost 10 minutes for a login from the frintend to complete - i 
just
didn't wait long enough.  10 mins is of course unacceptable :)  "su - 
user"
and "login user" fail outright after rejecting accept any user's 
password

DNS is fine and i can resolve ldap and kerberos SRV records from the Mac

In line with Nicola's experience, i can browse groups and users in the
Directory Editor and all attributes appear spot on.

Besides modding /etc/pam.d/authorization, adding a corrected
edu.mit.kerberos to /LibraryPreferences and setting up the directory per
linsec.ca, can anyone think of something i may have missed?  It's a real
shame that the documentation on this stops around 5 years ago.

IPA devs: is there anything i should be on the lookout for in the dirsrv
or krb5 logs on the IPA master?  I've disabled the secondary to prevent
replication from clouding the log events

thanks, everyone

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575 | 
www.blue-bolt.com

On 21/12/15 07:57, Nicola Canepa wrote:

Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
opposite problem: kinit works fine, while I'm unable to see users with
Directory Admin ((it always says it cant' connect, either with or 
without
SSL)
I disabled anonymous searches in 389-ds, by the way.

Nicola

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[John Obaterspok]

Hi,

Are you only having problems to login to login to OSX with the IPA user
now? If that is the case then check the DNS settings you are using and make
sure the IPA server is listed first and that it has full name. Exactly the
same problem occurred for me with the slow logins to OSX which was due to
the DNS settings and that OSX only used short name of IPA server during
login (if I logged in as local user I could ping and lookup hosts using
short name)

-- john

2015-12-21 17:49 GMT+01:00 Nicola Canepa :

> I had to configure /etc/krb5.conf, and to avoid the requested reboot, I
> did a "dscacheutil -flushcache", both as the logged in user and as root.
> I tried enabling the anonymous bind and now also the directory browser
> (and all the login process) works as expected.
>
> Nicola
>
> Il 21/12/15 17:39, Cal Sawyer ha scritto:
>
> Thanks, John and Nicola
>
> Kerberos occurred to me as well late in the day yesterday.  Happily (?),
> knit works fine simply specifying the user in question with no need to
> suffix with the kerberos realm
>
> I did find that my test user had an expired password, which i fixed on the
> IPA server.  This was never flagged up under Linux, btw.  It has not change
> anything, however, other than not prompting for password changes that never
> take effect.  Funnily, it expired in the midst of testing - fun.
>
> I was mistaken when i said i was unable to log in - it turns out that it
> takes almost 10 minutes for a login from the frintend to complete - i just
> didn't wait long enough.  10 mins is of course unacceptable :)  "su - user"
> and "login user" fail outright after rejecting accept any user's password
>
> DNS is fine and i can resolve ldap and kerberos SRV records from the Mac
>
> In line with Nicola's experience, i can browse groups and users in the
> Directory Editor and all attributes appear spot on.
>
> Besides modding /etc/pam.d/authorization, adding a corrected
> edu.mit.kerberos to /LibraryPreferences and setting up the directory per
> linsec.ca, can anyone think of something i may have missed?  It's a real
> shame that the documentation on this stops around 5 years ago.
>
> IPA devs: is there anything i should be on the lookout for in the dirsrv
> or krb5 logs on the IPA master?  I've disabled the secondary to prevent
> replication from clouding the log events
>
> thanks, everyone
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW+44 (0)20 7637 5575 | www.blue-bolt.com
>
> On 21/12/15 07:57, Nicola Canepa wrote:
>
> Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the
> opposite problem: kinit works fine, while I'm unable to see users with
> Directory Admin ((it always says it cant' connect, either with or without
> SSL)
> I disabled anonymous searches in 389-ds, by the way.
>
> Nicola
>
> Il 21/12/15 07:50, John Obaterspok ha scritto:
>
> Hi Cal,
>
> Does a kinit work from a terminal? Does it work if you use "kinit user" or
> just if you use "kinit user@REALM.suffix"
>
> -- john
>
>
> 2015-12-20 15:09 GMT+01:00 Cal Sawyer :
>
>> Hi, all
>>
>> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
>> 10.10.5 (Yosemite) client
>>
>> Using the excellent instructions at
>> 
>> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
>> I've populated the specified files, d/l'd the cert, am able to configure
>> Users and Groups objects/attribs and browse both from within OSX's
>> Directory Utility.ldapsearch similarly returns the expected results.
>>
>> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
>> system
>>
>> dirsrv log on the ipa master shows no apparent errors - remote auth
>> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
>> truth, there so much stuff there and being rather inexperienced with LDAP
>> diags i might easily be missing something in the details
>>
>> The linsec.ca instructions were written in the 10.7-10.8 era so
>> something may have changed since.  Having said that, we've had no problems
>> authenticating against our existing OpenLDAP server (which IPA is slated to
>> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>>
>> Hoping someone here has some contemporary experience with OSX and IPA and
>> for whom this issue rings a bell?
>>
>> many thanks
>>
>> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>> 15-16 Margaret Street | London W1W 8RW
>> +44 (0)20 7637 5575 <%2B44%20%280%2920%207637%205575> | www.blue-bolt.com
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
>
>
> --
>
> Nicola Canepa
> T

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Nicola Canepa]

I had to configure /etc/krb5.conf, and to avoid the requested reboot, I 
did a "dscacheutil -flushcache", both as the logged in user and as root.
I tried enabling the anonymous bind and now also the directory browser 
(and all the login process) works as expected.


Nicola

Il 21/12/15 17:39, Cal Sawyer ha scritto:

Thanks, John and Nicola

Kerberos occurred to me as well late in the day yesterday. Happily 
(?), knit works fine simply specifying the user in question with no 
need to suffix with the kerberos realm


I did find that my test user had an expired password, which i fixed on 
the IPA server.  This was never flagged up under Linux, btw.  It has 
not change anything, however, other than not prompting for password 
changes that never take effect.  Funnily, it expired in the midst of 
testing - fun.


I was mistaken when i said i was unable to log in - it turns out that 
it takes almost 10 minutes for a login from the frintend to complete - 
i just didn't wait long enough.  10 mins is of course unacceptable :)  
"su - user" and "login user" fail outright after rejecting accept any 
user's password


DNS is fine and i can resolve ldap and kerberos SRV records from the Mac

In line with Nicola's experience, i can browse groups and users in the 
Directory Editor and all attributes appear spot on.


Besides modding /etc/pam.d/authorization, adding a corrected 
edu.mit.kerberos to /LibraryPreferences and setting up the directory 
per linsec.ca, can anyone think of something i may have missed?  It's 
a real shame that the documentation on this stops around 5 years ago.


IPA devs: is there anything i should be on the lookout for in the 
dirsrv or krb5 logs on the IPA master?  I've disabled the secondary to 
prevent replication from clouding the log events


thanks, everyone
Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 |www.blue-bolt.com

On 21/12/15 07:57, Nicola Canepa wrote:
Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the 
opposite problem: kinit works fine, while I'm unable to see users 
with Directory Admin ((it always says it cant' connect, either with 
or without SSL)

I disabled anonymous searches in 389-ds, by the way.

Nicola

Il 21/12/15 07:50, John Obaterspok ha scritto:

Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit 
user" or just if you use "kinit user@REALM.suffix"


-- john


2015-12-20 15:09 GMT+01:00 Cal Sawyer >:


Hi, all

I'm attempting to set up LDAP auth (against IPA server 4.10)
from a OSX 10.10.5 (Yosemite) client

Using the excellent instructions at

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
I've populated the specified files, d/l'd the cert, am able to
configure Users and Groups objects/attribs and browse both from
within OSX's Directory Utility. ldapsearch similarly returns the
expected results.

In spite of this, i'm unable to authenticate as any IPA-LDAP
user on this system

dirsrv log on the ipa master shows no apparent errors - remote
auth attempts exit with "RESULT err=0 tag=101 nentries=1
etime=0", but tell the truth, there so much stuff there and
being rather inexperienced with LDAP diags i might easily be
missing something in the details

The linsec.ca  instructions were written in
the 10.7-10.8 era so something may have changed since.  Having
said that, we've had no problems authenticating against our
existing OpenLDAP server (which IPA is slated to replace) right
up to 10.10.5 with no zero to our Directory Utility setup.

Hoping someone here has some contemporary experience with OSX
and IPA and for whom this issue rings a bell?

many thanks

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575  |
www.blue-bolt.com 


-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project






--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia so

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Cal Sawyer]

Thanks, John and Nicola

Kerberos occurred to me as well late in the day yesterday.  Happily (?), 
knit works fine simply specifying the user in question with no need to 
suffix with the kerberos realm


I did find that my test user had an expired password, which i fixed on 
the IPA server.  This was never flagged up under Linux, btw.  It has not 
change anything, however, other than not prompting for password changes 
that never take effect.  Funnily, it expired in the midst of testing - fun.


I was mistaken when i said i was unable to log in - it turns out that it 
takes almost 10 minutes for a login from the frintend to complete - i 
just didn't wait long enough.  10 mins is of course unacceptable :)  "su 
- user" and "login user" fail outright after rejecting accept any user's 
password


DNS is fine and i can resolve ldap and kerberos SRV records from the Mac

In line with Nicola's experience, i can browse groups and users in the 
Directory Editor and all attributes appear spot on.


Besides modding /etc/pam.d/authorization, adding a corrected 
edu.mit.kerberos to /LibraryPreferences and setting up the directory per 
linsec.ca, can anyone think of something i may have missed? It's a real 
shame that the documentation on this stops around 5 years ago.


IPA devs: is there anything i should be on the lookout for in the dirsrv 
or krb5 logs on the IPA master?  I've disabled the secondary to prevent 
replication from clouding the log events


thanks, everyone

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575 | www.blue-bolt.com

On 21/12/15 07:57, Nicola Canepa wrote:
Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the 
opposite problem: kinit works fine, while I'm unable to see users with 
Directory Admin ((it always says it cant' connect, either with or 
without SSL)

I disabled anonymous searches in 389-ds, by the way.

Nicola

Il 21/12/15 07:50, John Obaterspok ha scritto:

Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit 
user" or just if you use "kinit user@REALM.suffix"


-- john


2015-12-20 15:09 GMT+01:00 Cal Sawyer >:


Hi, all

I'm attempting to set up LDAP auth (against IPA server 4.10) from
a OSX 10.10.5 (Yosemite) client

Using the excellent instructions at

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
I've populated the specified files, d/l'd the cert, am able to
configure Users and Groups objects/attribs and browse both from
within OSX's Directory Utility. ldapsearch similarly returns the
expected results.

In spite of this, i'm unable to authenticate as any IPA-LDAP user
on this system

dirsrv log on the ipa master shows no apparent errors - remote
auth attempts exit with "RESULT err=0 tag=101 nentries=1
etime=0", but tell the truth, there so much stuff there and being
rather inexperienced with LDAP diags i might easily be missing
something in the details

The linsec.ca  instructions were written in the
10.7-10.8 era so something may have changed since.  Having said
that, we've had no problems authenticating against our existing
OpenLDAP server (which IPA is slated to replace) right up to
10.10.5 with no zero to our Directory Utility setup.

Hoping someone here has some contemporary experience with OSX and
IPA and for whom this issue rings a bell?

many thanks

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575  |
www.blue-bolt.com 


-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project






--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[Nicola Canepa]

Hello, I tried 2 weeks ago from Mavericks (OSX 10.9), but I had the 
opposite problem: kinit works fine, while I'm unable to see users with 
Directory Admin ((it always says it cant' connect, either with or 
without SSL)

I disabled anonymous searches in 389-ds, by the way.

Nicola

Il 21/12/15 07:50, John Obaterspok ha scritto:

Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit 
user" or just if you use "kinit user@REALM.suffix"


-- john


2015-12-20 15:09 GMT+01:00 Cal Sawyer >:


Hi, all

I'm attempting to set up LDAP auth (against IPA server 4.10) from
a OSX 10.10.5 (Yosemite) client

Using the excellent instructions at

http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
I've populated the specified files, d/l'd the cert, am able to
configure Users and Groups objects/attribs and browse both from
within OSX's Directory Utility.ldapsearch similarly returns
the expected results.

In spite of this, i'm unable to authenticate as any IPA-LDAP user
on this system

dirsrv log on the ipa master shows no apparent errors - remote
auth attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0",
but tell the truth, there so much stuff there and being rather
inexperienced with LDAP diags i might easily be missing something
in the details

The linsec.ca  instructions were written in the
10.7-10.8 era so something may have changed since.  Having said
that, we've had no problems authenticating against our existing
OpenLDAP server (which IPA is slated to replace) right up to
10.10.5 with no zero to our Directory Utility setup.

Hoping someone here has some contemporary experience with OSX and
IPA and for whom this issue rings a bell?

many thanks

Cal Sawyer | Systems Engineer | BlueBolt Ltd
15-16 Margaret Street | London W1W 8RW
+44 (0)20 7637 5575  |
www.blue-bolt.com 


-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project






--

Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.

The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] OS X Yosemite unable to authenticate

[John Obaterspok]

Hi Cal,

Does a kinit work from a terminal? Does it work if you use "kinit user" or
just if you use "kinit user@REALM.suffix"

-- john


2015-12-20 15:09 GMT+01:00 Cal Sawyer :

> Hi, all
>
> I'm attempting to set up LDAP auth (against IPA server 4.10) from a OSX
> 10.10.5 (Yosemite) client
>
> Using the excellent instructions at
> http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8%20%22Linsec.ca%20tutorial%20for%20connecting%20Mac%20OS%2010.7%20to%20IPA%20Server,
> I've populated the specified files, d/l'd the cert, am able to configure
> Users and Groups objects/attribs and browse both from within OSX's
> Directory Utility.ldapsearch similarly returns the expected results.
>
> In spite of this, i'm unable to authenticate as any IPA-LDAP user on this
> system
>
> dirsrv log on the ipa master shows no apparent errors - remote auth
> attempts exit with "RESULT err=0 tag=101 nentries=1 etime=0", but tell the
> truth, there so much stuff there and being rather inexperienced with LDAP
> diags i might easily be missing something in the details
>
> The linsec.ca instructions were written in the 10.7-10.8 era so something
> may have changed since.  Having said that, we've had no problems
> authenticating against our existing OpenLDAP server (which IPA is slated to
> replace) right up to 10.10.5 with no zero to our Directory Utility setup.
>
> Hoping someone here has some contemporary experience with OSX and IPA and
> for whom this issue rings a bell?
>
> many thanks
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
> 15-16 Margaret Street | London W1W 8RW
> +44 (0)20 7637 5575 | www.blue-bolt.com
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project