Re: [Freeipa-users] ipa replica installation help

2017-01-07 Thread Ben .T.George
Hi List,

How can I solve this? Is this a bug, normal behavior, or a missing
configuration on my end?

Till now I didn't get any clue on this.

Regards
Ben

On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> > Hi,
> >
> > there is no firewall running on both servers,
> >
> > [root@zkwipamstr01 ~]# systemctl status firewalld
> > ● firewalld.service - firewalld - dynamic firewall daemon
> >Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
> > vendor preset: enabled)
> >Active: inactive (dead)
> >  Docs: man:firewalld(1)
> >
> > [root@zkwipamstr01 ~]# sestatus
> > SELinux status: disabled
> >
> OK, very well.  And actually, forget about my idea about connecting
> to port 8009 from client - that is not what happens at all.  It is
> the end of day for me and my brain checked out :/
>
> I shall continue analysis of your problem tomorrow.
>
> Thanks,
> Fraser
>
> >
> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftwee...@redhat.com>
> wrote:
> >
> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > > HI,
> > > >
> > > > on master server and replica server, i have enabled ipv6
> > > >
> > > > below on master server
> > > >
> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > > >
> > > > inet6 fe80::250:56ff:fea0:3857/64 scope link
> > > >
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> > > >
> > > >
> > > > after that 8009 is listening on master server.
> > > >
> > > > on replica side uninstalled ipa and tried to enrolled again. Do i
> need to
> > > > enable any service replica side?
> > > >
> > > > [28/44]: restarting directory server
> > > > ipa : CRITICAL Failed to restart the directory server
> (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero
> > > > exit status 1). See the installation log for details.
> > > >   [29/44]: setting up initial replication
> > > >   [error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> > > > Connection refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.
> log
> > > for
> > > > more information
> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > Job for pki-tomcatd@pki-tomcat.service failed because the control
> > > process
> > > > exited with error code. See "systemctl status
> > > pki-tomcatd@pki-tomcat.service"
> > > > and "journalctl -xe" for details.
> > > >
> > > > Still same error.
> > > >
> > > > is this service restart pki-tomcatd@pki-tomcat only applicable on
> master
> > > > server?
> > > >
> > > Yes, because no CA has been created on replica (yet).
> > >
> > > Can you confirm that your firewall (if any/enabled) on master is
> > > letting the traffic from client/replica through to :8009?
> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > > suffices to check.
> > >
> > > Thanks,
> > > Fraser
> > >
> > > > Regards,
> > > > Ben
> > > >
> > > >
> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com>
> > > wrote:
> > > >
> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > yes i did the same and still port is not listening.
> > > > > >
> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > > 127.0.0.1   localhost localhost.localdomain localhost4
> > > > > localhost4.localdomain4
> > > > > >

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
Hi,

There is no firewall running on either server:

[root@zkwipamstr01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
vendor preset: enabled)
   Active: inactive (dead)
 Docs: man:firewalld(1)

[root@zkwipamstr01 ~]# sestatus
SELinux status: disabled


On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > HI,
> >
> > on master server and replica server, i have enabled ipv6
> >
> > below on master server
> >
> > [root@zkwipamstr01 ~]# ip addr | grep inet6
> >
> > inet6 fe80::250:56ff:fea0:3857/64 scope link
> >
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> >
> >
> > after that 8009 is listening on master server.
> >
> > on replica side uninstalled ipa and tried to enrolled again. Do i need to
> > enable any service replica side?
> >
> > [28/44]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > Job for pki-tomcatd@pki-tomcat.service failed because the control
> process
> > exited with error code. See "systemctl status
> pki-tomcatd@pki-tomcat.service"
> > and "journalctl -xe" for details.
> >
> > Still same error.
> >
> > is this service restart pki-tomcatd@pki-tomcat only applicable on master
> > server?
> >
> Yes, because no CA has been created on replica (yet).
>
> Can you confirm that your firewall (if any/enabled) on master is
> letting the traffic from client/replica through to :8009?
> Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> suffices to check.
>
> Thanks,
> Fraser
>
> > Regards,
> > Ben
> >
> >
> > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com>
> wrote:
> >
> > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > yes i did the same and still port is not listening.
> > > >
> > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > 127.0.0.1   localhost localhost.localdomain localhost4
> > > localhost4.localdomain4
> > > > ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6
> > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > >
> > > >
> > > > Regards
> > > > Ben
> > >
> > > Also IPv6 stack needs to be enabled.
> > >
> > > >
> > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com
> > > > <mailto:ftwee...@redhat.com>> wrote:
> > > >
> > > > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > port 8009 is not listening in master server
> > > > >
> > > > > and i added ::1 localhost localhost.localdomain
> localhost6
> > > > > localhost6.localdomain6 in hosts file.
> > > > >
> > > >
> > > > Did you add this to the host file on the master (then `systemctl
> > > > restart pki-tomcatd@pki-tomcat` and con

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
Hi,

On the master server and the replica server I have enabled IPv6.

Below is from the master server:

[root@zkwipamstr01 ~]# ip addr | grep inet6

inet6 fe80::250:56ff:fea0:3857/64 scope link

[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009
tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java


After that, 8009 is listening on the master server.

On the replica side I uninstalled IPA and tried to enroll again. Do I need to
enable any service on the replica side?

[28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information
[root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
Job for pki-tomcatd@pki-tomcat.service failed because the control process
exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service"
and "journalctl -xe" for details.

Still the same error.

Is the restart of the pki-tomcatd@pki-tomcat service only applicable on the
master server?

Regards,
Ben


On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > HI
> >
> > yes i did the same and still port is not listening.
> >
> > [root@zkwipamstr01 ~]# cat /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> > ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> >
> >
> > Regards
> > Ben
>
> Also IPv6 stack needs to be enabled.
>
> >
> > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com
> > <mailto:ftwee...@redhat.com>> wrote:
> >
> > On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > HI
> > >
> > > port 8009 is not listening in master server
> > >
> > > and i added ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6 in hosts file.
> > >
> >
> > Did you add this to the host file on the master (then `systemctl
> > restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> > 8009)?  Or just the client you are trying to promote?
> >
> > It is needed on the master.  Won't hurt to make this change to
> > /etc/hosts on both machines, though.
> >
> > HTH,
> > Fraser
> >
> >  > still getting same error
> >  >
> >  >  [28/44]: restarting directory server
> >  > ipa : CRITICAL Failed to restart the directory server
> (Command
> >  > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero
> >  > exit status 1). See the installation log for details.
> >  >   [29/44]: setting up initial replication
> >  >   [error] error: [Errno 111] Connection refused
> >  > Your system may be partly configured.
> >  > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >  >
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> >  > Connection refused
> >  > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> >  > ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for
> >  > more information
> >  >
> >  >
> >  > Also  ipv6 is disabled on both nodes
> >  >
> >  > Regards,
> >  > Ben
> >  >
> >  > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <
> pvobo...@redhat.com
> > <mailto:pvobo...@redhat.com>> wrote:
> >  >
> >  > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> >  

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi,

Yes, I did the same and the port is still not listening.

[root@zkwipamstr01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6
localhost6.localdomain6
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009


Regards
Ben

On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > HI
> >
> > port 8009 is not listening in master server
> >
> > and i added ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6 in hosts file.
> >
>
> Did you add this to the host file on the master (then `systemctl
> restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> 8009)?  Or just the client you are trying to promote?
>
> It is needed on the master.  Won't hurt to make this change to
> /etc/hosts on both machines, though.
>
> HTH,
> Fraser
>
> > still getting same error
> >
> >  [28/44]: restarting directory server
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> > Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for
> > more information
> >
> >
> > Also  ipv6 is disabled on both nodes
> >
> > Regards,
> > Ben
> >
> > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com>
> wrote:
> >
> > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > i tried the method mentioned on that document and it end up with
> below
> > > error. My
> > > > DNS is managed by external box and i dont want to create any DNS
> record
> > > on these
> > > > servers.
> > > >
> > > > and the command which i tried is(non client server)
> > > >
> > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > > > kw.example.com --server zkwipamstr01.kw.example.com
> > > >
> > > >
> > > >
> > > > ipa : CRITICAL Failed to restart the directory server
> (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> > > non-zero exit
> > > > status 1). See the installation log for details.
> > > >[29/44]: setting up initial replication
> > > >[error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno
> 111]
> > > Connection
> > > > refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.
> log
> > > for more
> > > > information
> > >
> > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> > >
> > > To verify that, could you check if master server internally listens on
> > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> > > near  step 27.
> > >
> > > Usual fix is to add following line to /etc/hosts
> > >   ::1 localhost localhost.localdomain localhost6
> > > localhost6.localdomain6
> > >
> > >
> > > > [root@zkwiparepa01 ~]# /bin/systemctl restart
> > > dirsrv@KW-EXAMPLE-COM.service
> > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
> > > process exited
> > > > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service
> "
> > > and
> > > &

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi,

Can anyone please help me to fix this?

Regards,
Ben

On Wed, Jan 4, 2017 at 3:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> HI
>
> port 8009 is not listening in master server
>
> and i added ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6 in hosts file.
>
> still getting same error
>
>  [28/44]: restarting directory server
> ipa : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
>
>
> Also  ipv6 is disabled on both nodes
>
> Regards,
> Ben
>
> On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
>
>> On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > HI
>> >
>> > i tried the method mentioned on that document and it end up with below
>> error. My
>> > DNS is managed by external box and i dont want to create any DNS record
>> on these
>> > servers.
>> >
>> > and the command which i tried is(non client server)
>> >
>> > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
>> > kw.example.com --server zkwipamstr01.kw.example.com
>> >
>> >
>> >
>> > ipa : CRITICAL Failed to restart the directory server (Command
>> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
>> non-zero exit
>> > status 1). See the installation log for details.
>> >[29/44]: setting up initial replication
>> >[error] error: [Errno 111] Connection refused
>> > Your system may be partly configured.
>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> >
>> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>> Connection
>> > refused
>> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
>> for more
>> > information
>>
>> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>>
>> To verify that, could you check if master server internally listens on
>> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>> near  step 27.
>>
>> Usual fix is to add following line to /etc/hosts
>>   ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>>
>>
>> > [root@zkwiparepa01 ~]# /bin/systemctl restart
>> dirsrv@KW-EXAMPLE-COM.service
>> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
>> process exited
>> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service"
>> and
>> > "journalctl -xe" for details.
>> >
>> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
>> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
>> > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
>> vendor
>> > preset: disabled)
>> > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
>> AST; 13s ago
>> >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i
>> -i
>> > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>> >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
>> > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>> >   Main PID: 14893 (code=exited, status=1/FAILURE)
>> >
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error:
>> > betxnpostoperation plu...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <
>> http://zkwiparepa01.kw.example.com>
>> > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object
>> plugin
>> > Roles Pl...arted
>> > Jan 04 12:54:46 zkwiparepa0

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi,

Port 8009 is not listening on the master server,

and I added ::1 localhost localhost.localdomain localhost6
localhost6.localdomain6 to the hosts file.

Still getting the same error:

 [28/44]: restarting directory server
ipa : CRITICAL Failed to restart the directory server (Command
'/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
ipa-replica-install command failed. See /var/log/ipareplica-install.log for
more information


Also, IPv6 is disabled on both nodes.

Regards,
Ben

On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > HI
> >
> > i tried the method mentioned on that document and it end up with below
> error. My
> > DNS is managed by external box and i dont want to create any DNS record
> on these
> > servers.
> >
> > and the command which i tried is(non client server)
> >
> > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > kw.example.com --server zkwipamstr01.kw.example.com
> >
> >
> >
> > ipa : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned
> non-zero exit
> > status 1). See the installation log for details.
> >[29/44]: setting up initial replication
> >[error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
> Connection
> > refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more
> > information
>
> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>
> To verify that, could you check if master server internally listens on
> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> near  step 27.
>
> Usual fix is to add following line to /etc/hosts
>   ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
>
>
> > [root@zkwiparepa01 ~]# /bin/systemctl restart
> dirsrv@KW-EXAMPLE-COM.service
> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control
> process exited
> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service"
> and
> > "journalctl -xe" for details.
> >
> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
> > Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled;
> vendor
> > preset: disabled)
> > Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46
> AST; 13s ago
> >Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i
> > /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> >Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl
> > /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> >   Main PID: 14893 (code=exited, status=1/FAILURE)
> >
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw.
> example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error:
> > betxnpostoperation plu...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw.
> example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object
> plugin
> > Roles Pl...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw.
> example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error:
> preoperation
> > plugin su...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw.
> example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object
> plugin USN
> > is n...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com <http://zkwiparepa01.kw.
> example.com>
> > ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object
> plugin
> > Views is.

[Freeipa-users] ipa replica installation help

2017-01-03 Thread Ben .T.George
Hi,

While trying to create an IPA replica, I am getting the error below:

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
1.) set up a client on the host using 'ipa-client-install'
2.) promote the client to replica running 'ipa-replica-install'
*without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.


I have an IPA master server without AD integration, and DNS is managed by
third-party appliances.



Regards,
Ben
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
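The following is an added example for this thread; it is not code from any of the posters or from the FreeIPA project. It wraps the checks the replies above converge on (::1 mapped to localhost in /etc/hosts on the CA master, IPv6 enabled in the kernel, pki-tomcat's AJP connector listening on ::1:8009, and the CA_UNREACHABLE marker in ipareplica-install.log) into shell functions that read their input from stdin, so the logic can be exercised offline. The /etc/hosts, "ss -ltn" and log samples are constructed, reusing the hostnames and addresses posted in the thread. The promote_client_to_replica function only shows the two-step domain level 1 procedure from the message above and is not executed; the ipa-client-install and ipa-replica-install options it uses are assumed for the 4.4 series, and it deliberately lets both tools prompt for the admin password rather than taking --admin-password on the command line, where the password would end up in shell history and in the process list.

```bash
#!/usr/bin/env bash
# Added example for the replica-install thread; not FreeIPA project code.
# Each check reads its input from stdin so it can run against the constructed
# samples below or, on a real master, against the live files and tool output.

# Constructed /etc/hosts for the CA master with the ::1 line present
# (hostnames and addresses as posted in the thread).
GOOD_HOSTS='127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01'

# Same file without the ::1 line: pki-tomcat cannot bind its AJP connector on
# ::1:8009 and the replica install reports the CA as unreachable.
BAD_HOSTS='127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01'

# Constructed "ss -ltn" output from a master where Tomcat is up.
GOOD_SOCKETS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    *:389                *:*
LISTEN  0      100    [::1]:8009           [::]:*
LISTEN  0      100    *:8443               *:*'

# Constructed "ss -ltn" output where only the directory server is listening.
BAD_SOCKETS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    *:389                *:*'

# Constructed fragment of ipareplica-install.log containing the marker that
# Petr Vobornik suggested looking for near step 27.
BAD_LOG='(constructed sample; step 27 output elided)
CA_UNREACHABLE'

# 0 if the hosts file on stdin maps ::1 to the name "localhost".
hosts_has_ipv6_loopback() {
  grep -E '^[[:space:]]*::1[[:space:]]' | grep -Eq '[[:space:]]localhost([[:space:]]|$)'
}

# 0 if the socket listing on stdin ("ss -ltn" or "netstat -tln") has a
# listener on TCP port $1, whatever address family it is bound to.
port_is_listening() {
  grep LISTEN | grep -Eq ":$1([[:space:]]|$)"
}

# 0 if the install log on stdin contains the CA_UNREACHABLE marker.
log_reports_ca_unreachable() {
  grep -q 'CA_UNREACHABLE'
}

# 0 if IPv6 is enabled, judged from the value of the sysctl
# net.ipv6.conf.all.disable_ipv6 passed as $1 (0 means enabled).
ipv6_enabled() {
  [ "$1" = "0" ]
}

# Run the master-side checks and print "ok", or the names of the failed
# checks separated by spaces. $1 = hosts file text, $2 = socket listing text,
# $3 = disable_ipv6 sysctl value. On a real master:
#   master_preflight "$(cat /etc/hosts)" "$(ss -ltn)" \
#                    "$(sysctl -n net.ipv6.conf.all.disable_ipv6)"
master_preflight() {
  failed=""
  printf '%s\n' "$1" | hosts_has_ipv6_loopback || failed="$failed hosts-ipv6-loopback"
  printf '%s\n' "$2" | port_is_listening 8009 || failed="$failed ajp-8009"
  printf '%s\n' "$2" | port_is_listening 389  || failed="$failed ldap-389"
  ipv6_enabled "$3" || failed="$failed ipv6-disabled"
  if [ -z "$failed" ]; then echo ok; else echo "${failed# }"; fi
}

# Domain level 1 promotion from the message above: enrol the host as a client,
# then run ipa-replica-install with no replica file. Not executed here; it needs
# a live master. Both tools prompt for the admin password when none is given on
# the command line, which keeps it out of shell history and "ps" output.
# (Option names assumed for the 4.4 series.)
promote_client_to_replica() {   # $1 = master FQDN, $2 = IPA domain
  ipa-client-install --server "$1" --domain "$2" --principal admin &&
  ipa-replica-install --principal admin
}

# Demonstration against the constructed samples: prints "ok", then the
# three failures of the broken master.
master_preflight "$GOOD_HOSTS" "$GOOD_SOCKETS" 0
master_preflight "$BAD_HOSTS" "$BAD_SOCKETS" 1
```

Run master_preflight on the CA master before starting ipa-replica-install on the client; if it reports hosts-ipv6-loopback or ipv6-disabled, fix /etc/hosts or the sysctl, restart pki-tomcatd@pki-tomcat and re-run it until 8009 shows up. The 8009 listener is bound to ::1 only, so it is checked on the master itself, not from the client.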

Re: [Freeipa-users] Sudo rule implementation

2016-12-20 Thread Ben .T.George
Hi,

Thanks for your information. I have validated the logs.

I destroyed the current Kerberos ticket and re-initiated it, and then the issue
was solved.

Regards,
Ben

On Tue, Dec 20, 2016 at 2:24 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > please help me to implement sudo rules.
> >
> > i have did below steps and still not working for me.
> >
> > 1. created "Sudo Command Groups"
> > 2. Added some command (/bin/yum) and included in sudo group
> > 3. created "sudo Rule" on that
> > * added sudo Option as "!authenticate"
> >   * Added User Group.
> >   * Added one Host
> >   * And under Run command, selected the Sudo Rule Group.
> > 4. entry on nsswitch.conf : sudoers: files sss
> > 5. entry on sssd.conf : services = nss, sudo, pam, ssh
> >
> > and i tried removing "!authenticate" and changed to Anyone, Any Host and
> Any
> > Command,
> > Also under As Whom to Anyone and Any Group
> > - I tried logout and login again on client with IPA user which is member
> of
> > user group.
> >
> > When i am running yum, getting error that user is not allowed to execute
> > command.
> >
> >
> > Please anyone help to correct my steps.
> >
> > Regards
> > Ben
>
> Please follow:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
> especially the sudo logs are often helpful to see what rules is sssd
> returning to sudo.
>
>

[Freeipa-users] Sudo rule implementation

2016-12-20 Thread Ben .T.George
Hi List,

Please help me to implement sudo rules.

I have done the steps below and it is still not working for me.

1. Created "Sudo Command Groups".
2. Added a command (/bin/yum) and included it in the sudo group.
3. Created a "Sudo Rule" on that:
   * added the sudo option "!authenticate"
   * added the user group
   * added one host
   * under "Run command", selected the Sudo Rule Group
4. Entry in nsswitch.conf: sudoers: files sss
5. Entry in sssd.conf: services = nss, sudo, pam, ssh

I also tried removing "!authenticate" and changing to Anyone, Any Host and Any
Command, and under "As Whom" to Anyone and Any Group.
- I tried logging out and in again on the client with an IPA user which is a
member of the user group.

When I run yum, I get an error that the user is not allowed to execute the
command.


Please, can anyone help me correct my steps?

Regards
Ben
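The following is an added example for the sudo thread; it is not code from the poster, from SSSD or from the FreeIPA project. It checks the two client-side settings listed in steps 4 and 5 above (the sss source on the sudoers line of nsswitch.conf, and the sudo responder in the services list of the [sssd] section of sssd.conf) by parsing file contents read from stdin, so it runs offline; the nsswitch.conf and sssd.conf samples are constructed, reusing the domain and master hostname that appear elsewhere on this page.

```bash
#!/usr/bin/env bash
# Added example for the sudo thread; not SSSD or FreeIPA project code.
# Checks the two client-side settings listed in the message above, reading
# file contents from stdin so the logic can be exercised offline.

# Constructed nsswitch.conf fragments: sudoers resolved through sss, and not.
GOOD_NSSWITCH='passwd:     files sss
group:      files sss
sudoers:    files sss'

BAD_NSSWITCH='passwd:     files sss
group:      files sss
sudoers:    files'

# Constructed sssd.conf with the sudo responder enabled in [sssd] ...
GOOD_SSSD='[sssd]
services = nss, sudo, pam, ssh
domains = kw.example.com

[domain/kw.example.com]
id_provider = ipa
ipa_server = zkwipamstr01.kw.example.com'

# ... and one where sudo is missing from services. A sudo_provider in the
# domain section does not help on its own: the responder must be started.
BAD_SSSD='[sssd]
services = nss, pam, ssh
domains = kw.example.com

[domain/kw.example.com]
id_provider = ipa
sudo_provider = ipa
ipa_server = zkwipamstr01.kw.example.com'

# 0 if the sudoers line of the nsswitch.conf on stdin lists the sss source.
nsswitch_sudoers_uses_sss() {
  awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
       END { exit found ? 0 : 1 }'
}

# 0 if the "services" key of the [sssd] section on stdin contains "sudo".
# Tracks the current section so a services key in another section is ignored.
sssd_services_include_sudo() {
  awk '/^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[sssd\]/); next }
       insect && /^[[:space:]]*services[[:space:]]*=/ {
         sub(/^[^=]*=/, ""); gsub(/[[:space:]]/, "")
         n = split($0, svc, ",")
         for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
       }
       END { exit found ? 0 : 1 }'
}

# Print "ok" or the names of the failed checks. $1 = nsswitch.conf text,
# $2 = sssd.conf text. On a real client (sssd.conf is root-only, mode 0600):
#   sudo_client_preflight "$(cat /etc/nsswitch.conf)" "$(cat /etc/sssd/sssd.conf)"
sudo_client_preflight() {
  failed=""
  printf '%s\n' "$1" | nsswitch_sudoers_uses_sss  || failed="$failed nsswitch-sudoers"
  printf '%s\n' "$2" | sssd_services_include_sudo || failed="$failed sssd-sudo-responder"
  if [ -z "$failed" ]; then echo ok; else echo "${failed# }"; fi
}

# Demonstration against the constructed samples: prints "ok", then both failures.
sudo_client_preflight "$GOOD_NSSWITCH" "$GOOD_SSSD"
sudo_client_preflight "$BAD_NSSWITCH" "$BAD_SSSD"
```

After changing either file, restart sssd (systemctl restart sssd) so the sudo responder starts. Then, as the IPA user on the client, run kdestroy followed by kinit and sudo -l: sudo -l prints exactly the rules sssd is handing to sudo, which is the quickest way to tell a rule-definition problem from a client-configuration or stale-credential one, and the kdestroy/kinit step is what resolved the thread above.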

[Freeipa-users] How to implement sudo rules

2016-12-18 Thread Ben .T.George
Hi List,

Please help me to implement sudo rules.

I have done the steps below and it is still not working for me.

1. Created "Sudo Command Groups".
2. Added a command (/bin/yum) and included it in the sudo group.
3. Created a "Sudo Rule" on that:
   * added the sudo option "!authenticate"
   * added the user group
   * added one host
   * under "Run command", selected the Sudo Rule Group

I tried logging out and in again on the client with an IPA user which is a
member of the user group.

When I run yum, I get an error that the user is not allowed to execute the
command.


Please, can anyone help me correct my steps?

Regards
Ben

[Freeipa-users] How to disable First time password change on IPA user

2016-12-13 Thread Ben .T.George
Hi,

How do I disable the first-time password change for a newly created user from
the web UI?

Regards,
Ben

[Freeipa-users] From where can i get latest IPA repo for centos

2016-12-12 Thread Ben .T.George
Hi List,

From where can I get the latest IPA repo for CentOS? The repo which I was using
on Copr is not working now.

Please, can anyone help me sort it out?

Regards,
Ben

[Freeipa-users] freeipa 4.4 online repo is down

2016-08-08 Thread Ben .T.George
Hi List,

https://copr.fedorainfracloud.org/ is always down. Is there any alternative
repo where I can get IPA 4.4?

Regards,
Ben

Re: [Freeipa-users] Install best practice -

2016-05-29 Thread Ben .T.George
Hi,

Thanks for the reply.

"the easiest would be to create a zone and delegating that to the ipa
hosts. No other change necessary."

Can you explain a little more? You mean I need to create a separate DNS zone?

Regards,
Ben

On Sun, May 29, 2016 at 9:11 PM, Natxo Asenjo <natxo.ase...@gmail.com>
wrote:

>
>
> On Sun, May 29, 2016 at 7:11 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> I would like to know how can i proceed with best practices
>>
>> My AD domain is : corp.examle.com.kw
>> My DNS (appliances ) : kw.test.com
>>
>> All my clients are pointed to kw.test.com including AD.
>>
>> How can i proceed with Free IPA installation? where i need to manage DNS
>> of freeipa master server?
>>
>>
>> creating new DNS zone in kw.test.com will be little bit difficult.
>>
>> which will be best configuration with minimal changes in existing setup.
>>
>
> the easiest would be to create a zone and delegating that to the ipa
> hosts. No other change necessary.
>
> Not sure if this is a 'best practice', but this is how we have been
> running our environment for years without any problems.
>
> --
> regards,
> Natxo
>
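Natxo's suggestion above (a separate zone delegated to the IPA hosts), as an added example that is not part of the thread: a POSIX shell helper that builds the records the parent zone kw.test.com (Ben's appliance-served zone) needs in order to delegate a child zone to FreeIPA, plus a check for the usual mistake, a delegation whose NS names sit inside the child zone but have no glue A record in the parent. The child zone name ipa.kw.test.com, the server names ipa1/ipa2 and the 192.0.2.x addresses are assumptions for illustration (RFC 5737 documentation range), not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: records a parent zone needs in order to
# delegate a child zone to the FreeIPA servers, plus a glue check.
# Zone and server names below are assumptions for illustration.

IPA_ZONE="ipa.kw.test.com"          # assumed child zone handed to FreeIPA
# assumed IPA servers as "fqdn=ip" pairs (RFC 5737 documentation addresses)
IPA_SERVERS="ipa1.ipa.kw.test.com=192.0.2.10 ipa2.ipa.kw.test.com=192.0.2.11"

# delegation_records CHILD_ZONE "fqdn=ip ..."
# Prints zone-file lines for the parent zone: one NS per IPA server and, because
# the NS names sit inside the delegated zone, one glue A record per server.
delegation_records() {
    child="$1"; servers="$2"
    for pair in $servers; do
        printf '%s.\tIN\tNS\t%s.\n' "$child" "${pair%%=*}"
    done
    for pair in $servers; do
        printf '%s.\tIN\tA\t%s\n' "${pair%%=*}" "${pair#*=}"
    done
}

# verify_delegation CHILD_ZONE   (zone fragment on stdin)
# Returns 0 when the fragment delegates CHILD_ZONE and every NS target that
# lies under CHILD_ZONE has a glue A record in the same fragment; 1 otherwise.
verify_delegation() {
    child="$1"
    fragment="$(cat)"
    ns_targets=$(printf '%s\n' "$fragment" |
        awk -v z="$child." '$1 == z && $3 == "NS" { print $4 }')
    [ -n "$ns_targets" ] || return 1
    for ns in $ns_targets; do
        case "$ns" in
        *."$child".)
            # in-zone name server: the parent must carry its address
            printf '%s\n' "$fragment" |
                awk -v n="$ns" '$1 == n && $3 == "A" { ok = 1 } END { exit ok ? 0 : 1 }' ||
                return 1
            ;;
        esac
    done
    return 0
}

# Stand-alone run: print the fragment and report whether it is complete.
delegation_records "$IPA_ZONE" "$IPA_SERVERS"
delegation_records "$IPA_ZONE" "$IPA_SERVERS" | verify_delegation "$IPA_ZONE" &&
    echo "delegation for $IPA_ZONE has glue for every in-zone NS"
```

The fragment goes into the parent zone on the appliances; the IPA servers then serve ipa.kw.test.com themselves, and clients keep pointing at kw.test.com as before. Resolution of the AD domain from the IPA side is a separate forwarder, which Mike's replies mention.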

[Freeipa-users] Install best practice -

2016-05-29 Thread Ben .T.George
Hi

I would like to know how I can proceed with best practices.

My AD domain is: corp.examle.com.kw
My DNS (appliances): kw.test.com

All my clients are pointed to kw.test.com, including AD.

How can I proceed with the FreeIPA installation? Where do I need to manage the DNS
of the FreeIPA master server?


Creating a new DNS zone in kw.test.com will be a little bit difficult.

Which will be the best configuration with minimal changes in the existing setup?

Regards,
Ben

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-27 Thread Ben .T.George
HI Alex.

I am using Windows 2008 R2.

When I give IPA's DNS name and click Next, the trust wizard does not
go through. But if I select realm trust, at least the wizard
completes.

So which AD version is recommended?

Regards,
Ben

On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 27 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> I ran some commands from the AD side and the trust status got changed. Below is
>> the command I used on AD:
>>
>> netdom trust  /d: /verify
>>
>>
>> Before it was "waiting for confirmation by remote side" and now it got
>> changed to "Trust type: Active Directory domain".
>>
>> But when I am trying to map an AD group, it is not going through:
>>
>>
>> [root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
>> 'MTC_TABS\Domain Users'
>> [member user]:
>> [member group]:
>> Group name: ad_admins_external
>> Description: ad_domain admins external map
>> Failed members:
>>   member user:
>>   *member group: MTC_TABS\Domain Users: trusted domain object not found *
>> -
>> Number of members added 0
>> -
>>
>> This is what my trust properties from AD look like. Trust type is showing as realm.
>>
> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
> realm trust which is *not* what IPA provides.
>
> [image: Inline image 1]
>>
>> How can i fix this issue.
>>
> Use correct type of trust when establishing trust on AD side. If your
> Windows version does not allow to specify proper trust type, I'm afraid,
> there is nothing we can help with.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Ben .T.George
HI

I ran some commands from the AD side and the trust status got changed. Below is
the command I used on AD:

netdom trust  /d: /verify


Before it was "waiting for confirmation by remote side" and now it got
changed to "Trust type: Active Directory domain".

But when I am trying to map an AD group, it is not going through:


[root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
'MTC_TABS\Domain Users'
[member user]:
[member group]:
 Group name: ad_admins_external
 Description: ad_domain admins external map
 Failed members:
   member user:
   *member group: MTC_TABS\Domain Users: trusted domain object not found *
-
Number of members added 0
-

This is what my trust properties from AD look like. Trust type is showing as realm.

[image: Inline image 1]

How can I fix this issue?

On Thu, May 26, 2016 at 10:32 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi All
>
> i have given share key and the status is like below.
>
>
> [root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
> --trust-secret
> Shared secret for the trust:
> 
> Added Active Directory trust for realm "corp.example.com.kw"
> 
>  Realm name: corp.example.com.kw
>  Domain NetBIOS name: MTC_TABS
>  Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>  S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
> S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>  S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
> S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Waiting for confirmation by remote side
>
>
> What does "Waiting for confirmation by remote side" mean? How can I
> check that? From my AD side, I cannot see the screens shown in that
> gif (tutorial).
>
> Please, can anyone help me?
>
>
> Thanks & Regards,
> Ben
>
> On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> That looks good.  I see you are using an external DNS source for the IPA
>> domain, correct?  You may need to do some additional steps on the FreeIPA
>> server, because by default it will configure BIND and populate resource
>> records for the IPA domain (for example, SRV records like _ldap_._
>> tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
>> external DNS, but I'm sure there are some instructions out there.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 2:22 PM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> HI
>>
>> In my case I have 2 domains:
>>
>> AD DNS: corp.example.kw.com
>> main DNS (from appliance): kw.example.com
>>
>> and all the Linux boxes are pointed to kw.example.com,
>>
>> so I put my IPA server hostname as ipa.kw.example.com and created A &
>> PTR records on kw.example.com.
>>
>> Is that the correct way?
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> Ben,
>>>
>>> Yes, that is a requirement.  Just creating the A & PTR records for your
>>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>>> too, example:
>>> Windows AD Domain: mydomain.com
>>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>>
>>> You cannot have a cross-forest trust between two domains with the same
>>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>>> plan accordingly to move all the linux boxes that will participate in the
>>> FreeIPA domain into the new DNS zone.
>>>
>>> -Mike
>>>
>>> -Original Message-
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 10:44 AM
>>> To: Michael ORourke
>>> Cc: freeipa-users
>>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> HI
>>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Ben .T.George
Hi All

I have given the shared key and the status is like below.


[root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
--trust-secret
Shared secret for the trust:

Added Active Directory trust for realm "corp.example.com.kw"

 Realm name: corp.example.com.kw
 Domain NetBIOS name: MTC_TABS
 Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
 S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
 S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Waiting for confirmation by remote side


What does "Waiting for confirmation by remote side" mean? How can I
check that? From my AD side, I cannot see the screens shown in that
gif (tutorial).

Please, can anyone help me?


Thanks & Regards,
Ben

On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> That looks good.  I see you are using an external DNS source for the IPA
> domain, correct?  You may need to do some additional steps on the FreeIPA
> server, because by default it will configure BIND and populate resource
> records for the IPA domain (for example, SRV records like _ldap_._
> tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
> external DNS, but I'm sure there are some instructions out there.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 2:22 PM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> HI
>
> In my case I have 2 domains:
>
> AD DNS: corp.example.kw.com
> main DNS (from appliance): kw.example.com
>
> and all the Linux boxes are pointed to kw.example.com,
>
> so I put my IPA server hostname as ipa.kw.example.com and created A &
> PTR records on kw.example.com.
>
> Is that the correct way?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> Ben,
>>
>> Yes, that is a requirement.  Just creating the A & PTR records for your
>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>> too, example:
>> Windows AD Domain: mydomain.com
>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>
>> You cannot have a cross-forest trust between two domains with the same
>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>> plan accordingly to move all the linux boxes that will participate in the
>> FreeIPA domain into the new DNS zone.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:44 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> HI
>>
>> Yeah, that GIF screen I shared with him, but that doesn't show how to take the
>> shared key.
>>
>> In my case DNS is handled by 3rd-party appliances and from their side
>> they created an A record for my IPA server. Both forward and reverse are working.
>>
>> Is this forwarder a mandatory thing from the DNS side?
>>
>> Regards,
>> ben
>>
>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> Actually one of his questions doesn't make sense, because last I
>>> checked, normal domain users do not have permissions to create a forest
>>> trust.
>>> I believe the default is a one-way trust, so maybe his concerns about
>>> the bi-directional trust are really a non-issue.
>>> If he refuses to type in the admin password in a linux console session
>>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>>> on using a pre-shared key and have him set up the AD side and give you the
>>> key.  You don't have to be a Windows expert to do this, just ask your
>>> domain admin to do the steps for you.  Also, you will need to set up a
>>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>>> have problems.
>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

In my case I have 2 domains:

AD DNS: corp.example.kw.com
main DNS (from appliance): kw.example.com

and all the Linux boxes are pointed to kw.example.com,

so I put my IPA server hostname as ipa.kw.example.com and created A & PTR
records on kw.example.com.

Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> Ben,
>
> Yes, that is a requirement.  Just creating the A & PTR records for your
> FreeIPA server is not enough.  You will need to keep the DNS zones separate
> too, example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name.  So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 10:44 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> HI
>
> Yeah, that GIF screen I shared with him, but that doesn't show how to take the
> shared key.
>
> In my case DNS is handled by 3rd-party appliances and from their side they
> created an A record for my IPA server. Both forward and reverse are working.
>
> Is this forwarder a mandatory thing from the DNS side?
>
> Regards,
> ben
>
> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> Actually one of his questions doesn't make sense, because last I checked,
>> normal domain users do not have permissions to create a forest trust.
>> I believe the default is a one-way trust, so maybe his concerns about the
>> bi-directional trust are really a non-issue.
>> If he refuses to type in the admin password in a linux console session
>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>> on using a pre-shared key and have him set up the AD side and give you the
>> key.  You don't have to be a Windows expert to do this, just ask your
>> domain admin to do the steps for you.  Also, you will need to set up a
>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>> have problems.
>>
>> -Mike
>>
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:07 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> HI
>>
>> He is local only, but he is asking so many questions.
>>
>> First of all, he is refusing to give the domain admin user's password.
>>
>> The questions he is asking are:
>>
>> Is this trust relationship two-directional? If yes, why does IPA require
>> a two-directional trust?
>> Can we build this trust one-directional?
>> Can we achieve this with a normal domain user?
>>
>> And he is opposed to entering the password on the command line, and I was going
>> through the trust using a pre-shared key, and it's too hard for me to
>> understand as I have no Windows experience.
>>
>> regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> A couple of ways to go about this.  If he is local to you, you could
>>> explain that you need to establish a trust with his domain and you need his
>>> assistance for a few minutes while you type the command to join, then have
>>> him type in the password.  You need to assure that the DNS forward/stub
>>> zones are setup and working too.  If he is remote, you could use some
>>> screen share software and share out your desktop and walk him through the
>>> part where he has to type the admin password.  There is also a way to
>>> create a trust using a pre-shared key.  That may be more acceptable to
>>> him.
>>>
>>> -Mike
>>>
>>> -Original Message-
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 8:42 AM
>>> To: freeipa-users
>>> Subject: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi LIst,
>>>
>>> My Windows domain admin is not giving the domain admin user password.
>>>
>>> In this case how can I proceed with ipa trust-add?
>>>
>>> regards,
>>> Ben
>>>
>>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

Yeah, that GIF screen I shared with him, but that doesn't show how to take the
shared key.

In my case DNS is handled by 3rd-party appliances and from their side they
created an A record for my IPA server. Both forward and reverse are working.

Is this forwarder a mandatory thing from the DNS side?

Regards,
ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> Actually one of his questions doesn't make sense, because last I checked,
> normal domain users do not have permissions to create a forest trust.
> I believe the default is a one-way trust, so maybe his concerns about the
> bi-directional trust are really a non-issue.
> If he refuses to type in the admin password in a linux console session
> (extreme paranoia?), then perhaps you could give him a link to the tutorial
> on using a pre-shared key and have him set up the AD side and give you the
> key.  You don't have to be a Windows expert to do this, just ask your
> domain admin to do the steps for you.  Also, you will need to set up a
> separate DNS zone and some forwarding rules.  Otherwise you are going to
> have problems.
>
> -Mike
>
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 10:07 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> HI
>
> He is local only, but he is asking so many questions.
>
> First of all, he is refusing to give the domain admin user's password.
>
> The questions he is asking are:
>
> Is this trust relationship two-directional? If yes, why does IPA require a
> two-directional trust?
> Can we build this trust one-directional?
> Can we achieve this with a normal domain user?
>
> And he is opposed to entering the password on the command line, and I was going
> through the trust using a pre-shared key, and it's too hard for me to
> understand as I have no Windows experience.
>
> regards,
> Ben
>
> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> A couple of ways to go about this.  If he is local to you, you could
>> explain that you need to establish a trust with his domain and you need his
>> assistance for a few minutes while you type the command to join, then have
>> him type in the password.  You need to assure that the DNS forward/stub
>> zones are setup and working too.  If he is remote, you could use some
>> screen share software and share out your desktop and walk him through the
>> part where he has to type the admin password.  There is also a way to
>> create a trust using a pre-shared key.  That may be more acceptable to
>> him.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 8:42 AM
>> To: freeipa-users
>> Subject: [Freeipa-users] What id my AD domain user password not available
>>
>> Hi LIst,
>>
>> My Windows domain admin is not giving the domain admin user password.
>>
>> In this case how can I proceed with ipa trust-add?
>>
>> regards,
>> Ben
>>
>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

He is local only, but he is asking so many questions.

First of all, he is refusing to give the domain admin user's password.

The questions he is asking are:

Is this trust relationship two-directional? If yes, why does IPA require a
two-directional trust?
Can we build this trust one-directional?
Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going
through the trust using a pre-shared key, and it's too hard for me to understand as I
have no Windows experience.

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> A couple of ways to go about this.  If he is local to you, you could
> explain that you need to establish a trust with his domain and you need his
> assistance for a few minutes while you type the command to join, then have
> him type in the password.  You need to assure that the DNS forward/stub
> zones are setup and working too.  If he is remote, you could use some
> screen share software and share out your desktop and walk him through the
> part where he has to type the admin password.  There is also a way to
> create a trust using a pre-shared key.  That may be more acceptable to
> him.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 8:42 AM
> To: freeipa-users
> Subject: [Freeipa-users] What id my AD domain user password not available
>
> Hi LIst,
>
> My Windows domain admin is not giving the domain admin user password.
>
> In this case how can I proceed with ipa trust-add?
>
> regards,
> Ben
>
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
Hi

Thanks for your reply.

I saw this before, but the thing is I am not able to follow this one, as I
am not completely getting those steps:

ipa trust-add --type=ad "ad_domain" --trust-secret

It is asking for a key, and what do I need to give?

And the gif screens shown and my current AD windows are different.

Regards
Ben
On 23 May 2016 16:13, "Martin Babinsky" <mbabi...@redhat.com> wrote:

> On 05/23/2016 02:42 PM, Ben .T.George wrote:
>
>> Hi LIst,
>>
>> My Windows domain admin is not giving the domain admin user password.
>>
>> In this case how can I proceed with ipa trust-add?
>>
>> regards,
>> Ben
>>
>>
>>
> Hi Ben,
>
> You can ask your AD domain admin to create a shared secret for
> establishing trust. See the corresponding chapter in the guide for creating
> trusts[1] for more details.
>
> [1]
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
>
> --
> Martin^3 Babinsky
>

[Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
Hi LIst,

My Windows domain admin is not giving the domain admin user password.

In this case how can I proceed with ipa trust-add?

regards,
Ben

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
HI,

Thanks for the reply.

Actually, I don't want to share from my trusted AD. My SAN has CIFS and NFS
capability.

In this case how can I proceed? Usually while installing a client, I
give the options below:

ipa-client-install --server global.ipa.local  --domain ipa.local
--mkhomedir --fixed-primary

so whenever a user logs in, it creates the home directory automatically under
/home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> Yes, because you can point the automount maps to whatever device you
> want.  NFSv4 might be more tricky to setup on a SAN device and may or may
> not work depending on the software/firmware of the device.  NFSv3 is a well
> supported protocol across SAN vendors and you should not have any problems
> setting that up.  I've used Openfiler on a white-box SAN with home dirs and
> automount maps which is working fine for us.
> I wonder if you could do some sort of CIFS home dir automount with a SAN
> that is joined to an AD domain which is trusted by FreeIPA?  Seems like
> this would be feasible.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 18, 2016 7:38 AM
> To: freeipa-users
> Subject: [Freeipa-users] AD users home directory automount
>
> HI LIst,
>
> Is it possible to mount home directories of AD-authenticated users from an
> external source (like a SAN or fileshare)?
>
> Regards,
> Ben
>
>

[Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
HI LIst,

Is it possible to mount home directories of AD-authenticated users from an
external source (like a SAN or fileshare)?

Regards,
Ben

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-18 Thread Ben .T.George
HI All

Again the repo is down.

Regards,
Ben

On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 02 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> thanks
>>
>> Yes, now it's working, and yesterday it was not.
>>
> COPR service SLA is weaker than primary Fedora repositories. Basically,
> we have no promise COPR would be available all the time.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] How RBAC defined.

2016-05-16 Thread Ben .T.George
HI

So basically RBAC cannot be applied against system users (ssh)?



On Mon, May 16, 2016 at 11:29 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Sat, 14 May 2016, Ben .T.George wrote:
>
>> Hi List,
>>
>> I have one working setup with HBAC and sudo rules.
>>
>> I would like to know more about RBAC, like what RBAC is and what can be
>> achieved with RBAC.
>>
>> Could anyone please share some good topics about this, as I am getting so many,
>> and
>> the information mentioned in them is different.
>>
> FreeIPA implements RBAC only for accessing data in LDAP. Practically, it
> is used to delegate permissions to modify certain attributes of objects
> entries stored in LDAP.
>
> See
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] How RBAC defined.

2016-05-15 Thread Ben .T.George
HI Marc,

thanks for the explanation.

Can you please share some kind of implementation guide for this?



On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <
marc.boorsht...@tremolosecurity.com> wrote:

> > I would like to know more about RBAC, like what RBAC is and what can be
> > achieved with RBAC.
> >
> > Could anyone please share some good topics about this, as I am getting so many,
> and
> > the information mentioned in them is different.
>
> I can imagine.  RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function.  It's a way of mapping business policies
> to technical authorizations.  An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable.  So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system" but another
> "Role" called Accounts Receivable that has access to other groups.
> Then you have something to audit against "Why does someone with Role X
> have groups that aren't tied to that role?".
>
> In practice, this rarely works.  Few enterprises do that good of a job
> defining the roles and responsibilities for their employees at an HR
> level that trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change so if you need to
> grant someone access to a system that's "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures.  I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
>

[Freeipa-users] How RBAC defined.

2016-05-13 Thread Ben .T.George
Hi List,

I have one working setup with HBAC and sudo rules.

I would like to know more about RBAC, like what RBAC is and what can be
achieved with RBAC.

Could anyone please share some good topics about this, as I am getting so many, and
the information mentioned in them is different.

 Thanks & Regards,
Ben

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-02 Thread Ben .T.George
HI

thanks

Yes, now it's working, and yesterday it was not.

regards,
Ben

On Mon, May 2, 2016 at 1:54 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 01.05.2016 10:24, Ben .T.George wrote:
>
> Hi All,
>
> Again the link for IPA 4.3.1 is offline:
>
> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>
>
> Could it be a temporary copr issue? I see all packages there.
> Martin
>
>
> On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> Wow.Thanks for your fast response.
>>
>> Regards
>> Ben
>> On 12 Apr 2016 16:09, "Martin Basti" <mba...@redhat.com> wrote:
>>
>>>
>>>
>>> On 12.04.2016 14:59, Ben .T.George wrote:
>>>
>>> Hi List,
>>>
>>> From where can I get repo details for the FreeIPA 4.3.1 version? The link
>>> provided on the website is broken:
>>> https://www.freeipa.org/page/Releases/4.3.1
>>>
>>> Please, could someone give me the right package details?
>>>
>>> Regards,
>>> Ben
>>>
>>>
>>> Hello,
>>>
>>> thank you for report, I fixed the page
>>>
>>> CentOS repos:
>>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>>>
>>> Martin
>>>
>>
>
>

Re: [Freeipa-users] Help regarding SUDo rule implementation

2016-05-01 Thread Ben .T.George
Hi All,

The sudo rules worked. Actually I tried after 6 hours. What is the default
time for this rule to take effect normally? Is there any way to manually
pull changes from the client?

Regards,
Ben

On Sun, May 1, 2016 at 11:46 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> I have a working setup of FreeIPA 4.3 with AD integrated. I am able to
> apply HBAC rules, and from the client side it's working.
>
> How can I apply sudo rules to that specific POSIX group?
>
> I have created a sample rule and added 2 commands, put the option as !authenticate
> and attached this rule to the client, but still sudo -l is not working.
>
> /etc/nsswitch.conf has: sudoers: files sss
>
> and /etc/sssd/sssd.conf has: services = nss, sudo, pam, ssh
>
> Thanks & Regards,
> Ben
>
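The 6-hour delay Ben observed lines up with SSSD's default sudo refresh timers: SSSD fetches sudo rules on two schedules documented in sssd-ldap(5) and honoured by the IPA provider, ldap_sudo_smart_refresh_interval (default 900 s, only rules changed since the last refresh) and ldap_sudo_full_refresh_interval (default 21600 s, i.e. 6 hours, everything). The Python below is an added example, not SSSD's or FreeIPA's code and not from the thread: it reads an sssd.conf and nsswitch.conf, reports the effective timers with the defaults filled in, flags the wiring problems that stop `sudo -l` from ever seeing IPA rules, and writes out a copy with shorter timers. The sample config texts are constructed to mirror the settings quoted in the thread; the domain name idm.local and the server name are assumptions.

```python
"""Why a FreeIPA sudo rule can take hours to reach a client.

Added example, not SSSD or FreeIPA code. SSSD refreshes sudo rules on two
timers documented in sssd-ldap(5) and honoured by the IPA provider:
ldap_sudo_smart_refresh_interval (default 900 s, fetch only rules changed
since the last refresh) and ldap_sudo_full_refresh_interval (default
21600 s, i.e. 6 hours, fetch everything). Config texts below are
constructed; the domain and server names are assumptions.
"""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
domains = idm.local
services = nss, sudo, pam, ssh

[domain/idm.local]
id_provider = ipa
ipa_server = freeipa.idm.local
"""

SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
sudoers:    files sss
"""

# sssd-ldap(5) defaults, in seconds.
DEFAULTS = {
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}


def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def sudo_refresh_intervals(conf_text):
    """Effective timers per domain, with SSSD defaults where unset."""
    cp = _parse(conf_text)
    result = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            result[section[len("domain/"):]] = {
                key: int(cp.get(section, key, fallback=default))
                for key, default in DEFAULTS.items()
            }
    return result


def sudo_wiring_problems(sssd_conf_text, nsswitch_text):
    """What would stop `sudo -l` from seeing IPA rules at all."""
    problems = []
    cp = _parse(sssd_conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        problems.append("sssd.conf: 'sudo' missing from [sssd] services")
    for line in nsswitch_text.splitlines():
        if line.startswith("sudoers:"):
            if "sss" not in line.split()[1:]:
                problems.append("nsswitch.conf: sudoers line does not list sss")
            break
    else:
        problems.append("nsswitch.conf: no sudoers line")
    return problems


def tightened_conf(conf_text, smart=300, full=3600):
    """Copy of sssd.conf with shorter refresh timers on every domain."""
    cp = _parse(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            cp.set(section, "ldap_sudo_smart_refresh_interval", str(smart))
            cp.set(section, "ldap_sudo_full_refresh_interval", str(full))
    lines = []
    for section in cp.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{k} = {v}" for k, v in cp.items(section))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(sudo_refresh_intervals(SAMPLE_SSSD_CONF))
    print(sudo_wiring_problems(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH) or "sudo wiring OK")
    print(tightened_conf(SAMPLE_SSSD_CONF))
```

Rather than waiting for the timers, `sss_cache -E` followed by a restart of sssd on the client makes SSSD fetch the rules again. Shortening ldap_sudo_full_refresh_interval trades more LDAP traffic against the IPA servers for faster propagation, so keep it in minutes, not seconds, on a large fleet.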

[Freeipa-users] Help regarding SUDo rule implementation

2016-05-01 Thread Ben .T.George
Hi

I have a working setup of FreeIPA 4.3 with AD integrated. I am able to
apply HBAC rules, and from the client side it's working.

How can I apply sudo rules to that specific POSIX group?

I have created a sample rule and added 2 commands, put the option as !authenticate
and attached this rule to the client, but still sudo -l is not working.

/etc/nsswitch.conf has: sudoers: files sss

and /etc/sssd/sssd.conf has: services = nss, sudo, pam, ssh

Thanks & Regards,
Ben

[Freeipa-users] dnsforwardzone-add giving error

2016-05-01 Thread Ben .T.George
Hi List,

I don't know how to explain this issue. I was trying IPA 4.3.1.

While adding DNS, I am getting the below error:

[root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled
by server(s): corp.kwttestdc.com.kw.


And in my resolv.conf, I have given the below:

nameserver 127.0.0.1

Someone please explain what the issue is and how to fix this one.

Regards,
Ben

Re: [Freeipa-users] dnsforwardzone-add giving error

2016-05-01 Thread Ben .T.George
Hi

After reboot I tried the same command and I got the below error:

[root@global ~]# ipa dnsforwardzone-add kwttestdc.com.kw
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain kwttestdc.com.kw. failed: All nameservers
failed to answer the query kwttestdc.com.kw. IN SOA: Server 127.0.0.1 UDP
port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53
anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS
operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.


This is the first time I am seeing this error.



On Sun, May 1, 2016 at 3:30 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> Hi List,
>
> I don't know how to explain this issue. I was trying IPA 4.3.1.
>
> While adding DNS, I am getting the below error:
>
> [root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw
> --forwarder=192.168.37.131 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is
> handled by server(s): corp.kwttestdc.com.kw.
>
>
> And in my resolv.conf, I have given the below:
>
> nameserver 127.0.0.1
>
> Someone please explain what the issue is and how to fix this one.
>
> Regards,
> Ben
>
>
>

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-01 Thread Ben .T.George
Hi All,

Again the link for IPA 4.3.1 is offline:

https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/



On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> Wow.Thanks for your fast response.
>
> Regards
> Ben
> On 12 Apr 2016 16:09, "Martin Basti" <mba...@redhat.com> wrote:
>
>>
>>
>> On 12.04.2016 14:59, Ben .T.George wrote:
>>
>> Hi List,
>>
>> From where can I get repo details for the FreeIPA 4.3.1 version? The link
>> provided on the website is broken.
>> https://www.freeipa.org/page/Releases/4.3.1
>>
>> Please someone give me the right package details.
>>
>> Regards,
>> Ben
>>
>>
>> Hello,
>>
>> Thank you for the report, I fixed the page.
>>
>> CentOS repos:
>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>>
>> Martin
>>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
And here is my SSSD debug log from the client side:

http://pastebin.com/ud2q3FR5

On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> Adding to this.
>
> In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
> specific external group (where these users are).
>
> But while checking the rule from the IPA server using hbactest, both users'
> tests pass and show one rule. But in actual fact only ben is able to log in
> to the client machine, while jude cannot.
>
> [root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
>
> Access granted: True
>
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
> [root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
>
> Access granted: True
>
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
>
> So my HBAC is working partially. How can I fix this?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Surprisingly, I have created some local IPA users and added them to the same HBAC
>> rule, removed the AD group and applied this rule to the client, and that
>> worked.
>>
>> How can I make this AD group with HBAC work?
>>
>> Regards,
>> Ben
>>
>> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com>
>> wrote:
>>
>>> HI
>>>
>>> If I disable the allow_all rule, I cannot log in to the client machine.
>>>
>>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com>
>>> wrote:
>>>
>>>> HI
>>>>
>>>> Actually I have added Domain Admins and the user ben is not part of
>>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>>
>>>> -sh-4.2$ id
>>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
>>>> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>>
>>>>
>>>>
>>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
>>>> wrote:
>>>>
>>>>> HI
>>>>>
>>>>> While explaining here it went wrong. Actually what I did is:
>>>>> "Added external group to POSIX group"
>>>>>
>>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>>> > HI,
>>>>>> >
>>>>>> > "The other is that the groups might not show up on the client (do
>>>>>> they?)"
>>>>>>
>>>>>> id $user.
>>>>>>
>>>>>> But I think Alexander noticed the root cause.
>>>>>>
>>>>>> >
>>>>>> > How can I check that?
>>>>>> >
>>>>>> > Thanks
>>>>>> > Ben
>>>>>> >
>>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>>>>>> wrote:
>>>>>> >
>>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>>> > > > Hi List,
>>>>>> > > >
>>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>>> > > > server. By default I can log in to the client server by using an
>>>>>> > > > AD username.
>>>>>> > > >
>>>>>> > > > I want to apply HBAC rules against this client server. For that I
>>>>>> > > > have done the below steps.
>>>>>> > > >
>>>>>> > > > 1. created External group in IPA server
>>>>>> > > > 2. created local POSIX group on IPA server
>>>>>> > > > 3. Added AD group to external group
>>>>>> > > > 4. added POSIX group to external group.
>>>>>> > > >
>>>>>> > > > After that I have created an HBAC rule by adding both local and
>>>>>> > > > external IPA groups, added sshd as service and selected service
>>>>>> > > > group as sudo.
>>>>>> > > >
>>>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>>>> > > > and while testing HBAC from the web, I am getting access denied.
>>>>>> > >
>>>>>> > > Sorry, not enough info.
>>>>>> > >
>>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>>> > > well.
>>>>>> > > The other is that the groups might not show up on the client (do
>>>>>> > > they?)
>>>>>> > >
>>>>>> > > Anyway, it might be a good idea to follow
>>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>>> > >
>>>>>> > > --
>>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> > > Go to http://freeipa.org for more info on the project
>>>>>> > >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
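Jakub's question quoted in this thread ("do the groups show up on the client?") is the crux. `ipa hbactest` evaluates membership on the server, where the AD group -> external group -> POSIX group chain is visible, while the client can only honour the groups SSSD actually returns, which is exactly what `id <user>` on the client prints. The Python below is an added example, not FreeIPA or SSSD code and not from the thread: it parses the kind of `id` output quoted here (constructed, with addresses elided as they are on the page), evaluates an HBAC rule set the way FreeIPA does (allow-only rules; a rule matches when its user, host and service sides all match; a side set to category "all" matches anything), and shows that while allow_all is enabled every login is granted regardless of the other rules, so a broken group mapping only surfaces once allow_all is disabled. The rule contents, the POSIX group name ad_admins and the GID on the "fixed" line are assumptions for illustration.

```python
"""Client-side HBAC check for AD users mapped through FreeIPA groups.

Added example, not FreeIPA or SSSD code. The rule model follows FreeIPA's
HBAC semantics (allow-only rules; user, host and service sides must all
match; category "all" matches anything), but the rules, host and group
names are constructed from the thread for illustration.
"""
import re

# Constructed: the kind of `id` output quoted in the thread, addresses elided
# as on the page. Note that no IPA POSIX group appears in the group list.
ID_OUTPUT_BROKEN = (
    "uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) "
    "groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),"
    "1827801105(sudo adm...@kwttestdc.com.kw)"
)
# Constructed: what the same command should show once the external-group
# mapping resolves on the client (assumed IPA POSIX group "ad_admins", assumed GID).
ID_OUTPUT_FIXED = ID_OUTPUT_BROKEN + ",1234567890(ad_admins)"


def parse_id_output(text):
    """Return (user, set of group names) from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", text).group(1)
    groups_part = text.split("groups=", 1)[1]
    groups = set(re.findall(r"\d+\(([^)]+)\)", groups_part))
    return user, groups


# Constructed rule set named after the rules in the thread. Each side is a
# category ("all") or explicit members.
RULES = {
    "allow_all": dict(enabled=True, usercat="all", hostcat="all", servicecat="all",
                      users=set(), groups=set(), hosts=set(), services=set()),
    "ad_can_login": dict(enabled=True, usercat=None, hostcat=None, servicecat=None,
                         users=set(), groups={"ad_admins"},
                         hosts={"client.kwttestdc.com.kw"}, services={"sshd"}),
    "local_admin_can_login": dict(enabled=True, usercat=None, hostcat=None, servicecat=None,
                                  users={"admin"}, groups=set(),
                                  hosts={"client.kwttestdc.com.kw"}, services={"sshd"}),
}


def rule_matches(rule, user, groups, host, service):
    """A disabled rule never matches; otherwise all three sides must match."""
    if not rule["enabled"]:
        return False
    user_ok = rule["usercat"] == "all" or user in rule["users"] or bool(groups & rule["groups"])
    host_ok = rule["hostcat"] == "all" or host in rule["hosts"]
    svc_ok = rule["servicecat"] == "all" or service in rule["services"]
    return user_ok and host_ok and svc_ok


def hbac_evaluate(rules, user, groups, host, service):
    """Mimic `ipa hbactest` output: (granted, matched names, unmatched names)."""
    matched = sorted(n for n, r in rules.items() if rule_matches(r, user, groups, host, service))
    unmatched = sorted(n for n in rules if n not in matched)
    return bool(matched), matched, unmatched


def client_side_check(id_text, rules, host, service):
    """Evaluate the rules against the groups the client really sees."""
    user, groups = parse_id_output(id_text)
    return hbac_evaluate(rules, user, groups, host, service)


def without(rules, name):
    """Copy of the rule set with one rule (e.g. allow_all) disabled."""
    out = {n: dict(r) for n, r in rules.items()}
    out[name]["enabled"] = False
    return out


if __name__ == "__main__":
    host, svc = "client.kwttestdc.com.kw", "sshd"
    print("allow_all on, mapping broken:", client_side_check(ID_OUTPUT_BROKEN, RULES, host, svc))
    print("allow_all off, mapping broken:", client_side_check(ID_OUTPUT_BROKEN, without(RULES, "allow_all"), host, svc))
    print("allow_all off, mapping fixed:", client_side_check(ID_OUTPUT_FIXED, without(RULES, "allow_all"), host, svc))
```

The practical test this encodes: run `id <aduser>` on the client and look for the IPA POSIX group your rule names. If it is absent there, no HBAC rule keyed on that group can match on that client no matter what `ipa hbactest` says on the server, and the fix is on the SSSD/trust side (group resolution), not in the rule.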

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
Hi

Adding to this.

In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
specific external group (where these users are).

But while checking the rule from the IPA server using hbactest, both users'
tests pass and show one rule. But in actual fact only ben is able to log in to
the client machine, while jude cannot.

[root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Surprisingly, I have created some local IPA users and added them to the same HBAC
> rule, removed the AD group and applied this rule to the client, and that
> worked.
>
> How can I make this AD group with HBAC work?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> HI
>>
>> If I disable the allow_all rule, I cannot log in to the client machine.
>>
>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com>
>> wrote:
>>
>>> HI
>>>
>>> Actually I have added Domain Admins and the user ben is not part of
>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>
>>> -sh-4.2$ id
>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
>>> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>
>>>
>>>
>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
>>> wrote:
>>>
>>>> HI
>>>>
>>>> While explaining here it went wrong. Actually what I did is:
>>>> "Added external group to POSIX group"
>>>>
>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>> > HI,
>>>>> >
>>>>> > "The other is that the groups might not show up on the client (do
>>>>> they?)"
>>>>>
>>>>> id $user.
>>>>>
>>>>> But I think Alexander noticed the root cause.
>>>>>
>>>>> >
>>>>> > how can i check that.
>>>>> >
>>>>> > Thanks
>>>>> > Ben
>>>>> >
>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>>>>> wrote:
>>>>> >
>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>> > > > Hi List,
>>>>> > > >
>>>>> > > > I have working setup of one AD, one IPA server and one client
>>>>> server. by
>>>>> > > > default i can login to client server by using AD username.
>>>>> > > >
>>>>> > > > i want to apply HBAC rules against this client server. For that
>>>>> i have
>>>>> > > done
>>>>> > > > below steps.
>>>>> > > >
>>>>> > > > 1. created External group in IPA erver
>>>>> > > > 2. created local POSIX group n IPA server
>>>>> > > > 3. Added AD group to external group
>>>>> > > > 4. added POSIX group to external group.
>>>>> > > >
>>>>> > > > After that  have created HBAC rule by adding both local and
>>>>> external IPA
>>>>> > > > groups, added sshd as service and selected service group as sudo.
>>>>> > > >
>>>>> > > > i have applied this HBAC rule to client server and from web UI
>>>>> and while
>>>>> > > > testing HBAC from web, i am getting access denied .
>>>>> > >
>>>>> > > Sorry, not enough info.
>>>>> > >
>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>> well.
>>>>> > > The other is that the groups might not show up on the client (do
>>>>> they?)
>>>>> > >
>>>>> > > Anyway, it might be good idea to follow
>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>> > >
>>>>> > > --
>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> > > Go to http://freeipa.org for more info on the project
>>>>> > >
>>>>>
>>>>
>>>>
>>>
>>
>

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-30 Thread Ben .T.George
Hi All

This issue has been solved.

On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George <bentech4...@gmail.com>
wrote:

> When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am
> getting the below error in error_log:
>
> [Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed
> to call com.redhat.idm.trust.fetch_domains helper.DBus exception is
> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
> causes include: the remote application did not send a reply, the message
> bus security policy blocked the reply, the reply timeout expired, or the
> network connection was broken..
> [Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO:
> [jsonserver_session] admin@IDM.LOCAL: trust_fetch_domains(u'
> kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'):
> ServerCommandError
>
> On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> Anyone please help me to fix this issue.
>>
>> I have created a new group in AD (4 hours back) and while I was mapping
>> this group as --external, I am getting the below error.
>>
>>
>> [root@freeipa sysctl.d]# ipa group-add --external ad_admins_external
>> --desc "KWTTESTDC.com.KW AD Administrators-External"
>> --
>> Added group "ad_admins_external"
>> --
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>> [root@freeipa sysctl.d]# ipa group-add-member ad_admins_external
>> --external "KWTTESTDC\test admins"
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>>   Failed members:
>> member user:
>> member group: KWTTESTDC\test admins: Cannot find specified domain or
>> server name
>> -
>> Number of members added 0
>> -
>>
>>
>>
>> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>>
>>> I have created a new security group in AD and I want to add this to the
>>> external group.
>>>
>>> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
>>> trusted forest
>>> failed. See details in the error_log
>>>
>>> Help me to fix/explain more about this error.
>>>
>>> Regards
>>>
>>
>>
>

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-30 Thread Ben .T.George
When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am getting
the below error in error_log:

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to
call com.redhat.idm.trust.fetch_domains helper.DBus exception is
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
causes include: the remote application did not send a reply, the message
bus security policy blocked the reply, the reply timeout expired, or the
network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO:
[jsonserver_session] admin@IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw',
rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError

On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> Anyone please help me to fix this issue.
>
> I have created a new group in AD (4 hours back) and while I was mapping this
> group as --external, I am getting the below error.
>
>
> [root@freeipa sysctl.d]# ipa group-add --external ad_admins_external
> --desc "KWTTESTDC.com.KW AD Administrators-External"
> --
> Added group "ad_admins_external"
> --
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
> [root@freeipa sysctl.d]# ipa group-add-member ad_admins_external
> --external "KWTTESTDC\test admins"
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
>   Failed members:
> member user:
> member group: KWTTESTDC\test admins: Cannot find specified domain or
> server name
> -
> Number of members added 0
> -
>
>
>
> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>
>> I have created a new security group in AD and I want to add this to the
>> external group.
>>
>> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
>> trusted forest
>> failed. See details in the error_log
>>
>> Help me to fix/explain more about this error.
>>
>> Regards
>>
>
>

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

Anyone please help me to fix this issue.

I have created a new group in AD (4 hours back) and while I was mapping this
group as --external, I am getting the below error.


[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external
--desc "KWTTESTDC.com.KW AD Administrators-External"
--
Added group "ad_admins_external"
--
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
[root@freeipa sysctl.d]# ipa group-add-member ad_admins_external
--external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
  Failed members:
member user:
member group: KWTTESTDC\test admins: Cannot find specified domain or
server name
-
Number of members added 0
---------



On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> While issuing ipa trust-fetch-domains, I am getting the below error.
>
> I have created a new security group in AD and I want to add this to the
> external group.
>
> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from
> trusted forest
> failed. See details in the error_log
>
> Help me to fix/explain more about this error.
>
> Regards
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Surprisingly, I have created some local IPA users and added them to the same HBAC
rule, removed the AD group and applied this rule to the client, and that
worked.

How can I make this AD group with HBAC work?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> If I disable the allow_all rule, I cannot log in to the client machine.
>
> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> Actually I have added Domain Admins and the user ben is not part of
>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>
>> -sh-4.2$ id
>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
>> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>
>>
>>
>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> While explaining here it went wrong. Actually what I did is:
>>> "Added external group to POSIX group"
>>>
>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com>
>>> wrote:
>>>
>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>> > HI,
>>>> >
>>>> > "The other is that the groups might not show up on the client (do
>>>> they?)"
>>>>
>>>> id $user.
>>>>
>>>> But I think Alexander noticed the root cause.
>>>>
>>>> >
>>>> > how can i check that.
>>>> >
>>>> > Thanks
>>>> > Ben
>>>> >
>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>>>> wrote:
>>>> >
>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>> > > > Hi List,
>>>> > > >
>>>> > > > I have working setup of one AD, one IPA server and one client
>>>> server. by
>>>> > > > default i can login to client server by using AD username.
>>>> > > >
>>>> > > > i want to apply HBAC rules against this client server. For that i
>>>> have
>>>> > > done
>>>> > > > below steps.
>>>> > > >
>>>> > > > 1. created External group in IPA erver
>>>> > > > 2. created local POSIX group n IPA server
>>>> > > > 3. Added AD group to external group
>>>> > > > 4. added POSIX group to external group.
>>>> > > >
>>>> > > > After that  have created HBAC rule by adding both local and
>>>> external IPA
>>>> > > > groups, added sshd as service and selected service group as sudo.
>>>> > > >
>>>> > > > i have applied this HBAC rule to client server and from web UI
>>>> and while
>>>> > > > testing HBAC from web, i am getting access denied .
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>> well.
>>>> > > The other is that the groups might not show up on the client (do
>>>> they?)
>>>> > >
>>>> > > Anyway, it might be good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>> > >
>>>> > > --
>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> > > Go to http://freeipa.org for more info on the project
>>>> > >
>>>>
>>>
>>>
>>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

If I disable the allow_all rule, I cannot log in to the client machine.

On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> Actually I have added Domain Admins and the user ben is not part of Domain
> Admins. But when I log in to the client machine, I am getting the below:
>
> -sh-4.2$ id
> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>
>
>
> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> While explaining here it went wrong. Actually what I did is:
>> "Added external group to POSIX group"
>>
>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>> > HI,
>>> >
>>> > "The other is that the groups might not show up on the client (do
>>> they?)"
>>>
>>> id $user.
>>>
>>> But I think Alexander noticed the root cause.
>>>
>>> >
>>> > how can i check that.
>>> >
>>> > Thanks
>>> > Ben
>>> >
>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>>> wrote:
>>> >
>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>> > > > Hi List,
>>> > > >
>>> > > > I have working setup of one AD, one IPA server and one client
>>> server. by
>>> > > > default i can login to client server by using AD username.
>>> > > >
>>> > > > i want to apply HBAC rules against this client server. For that i
>>> have
>>> > > done
>>> > > > below steps.
>>> > > >
>>> > > > 1. created External group in IPA erver
>>> > > > 2. created local POSIX group n IPA server
>>> > > > 3. Added AD group to external group
>>> > > > 4. added POSIX group to external group.
>>> > > >
>>> > > > After that  have created HBAC rule by adding both local and
>>> external IPA
>>> > > > groups, added sshd as service and selected service group as sudo.
>>> > > >
>>> > > > i have applied this HBAC rule to client server and from web UI and
>>> while
>>> > > > testing HBAC from web, i am getting access denied .
>>> > >
>>> > > Sorry, not enough info.
>>> > >
>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>> > > The other is that the groups might not show up on the client (do
>>> they?)
>>> > >
>>> > > Anyway, it might be good idea to follow
>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>> > >
>>> > > --
>>> > > Manage your subscription for the Freeipa-users mailing list:
>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > > Go to http://freeipa.org for more info on the project
>>> > >
>>>
>>
>>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

Actually I have added Domain Admins and the user ben is not part of Domain
Admins. But when I log in to the client machine, I am getting the below:

-sh-4.2$ id
uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)



On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi
>
> While explaining here it went wrong. Actually what I did is:
> "Added external group to POSIX group"
>
> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>> > HI,
>> >
>> > "The other is that the groups might not show up on the client (do
>> they?)"
>>
>> id $user.
>>
>> But I think Alexander noticed the root cause.
>>
>> >
>> > how can i check that.
>> >
>> > Thanks
>> > Ben
>> >
>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>> wrote:
>> >
>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>> > > > Hi List,
>> > > >
>> > > > I have working setup of one AD, one IPA server and one client
>> server. by
>> > > > default i can login to client server by using AD username.
>> > > >
>> > > > i want to apply HBAC rules against this client server. For that i
>> have
>> > > done
>> > > > below steps.
>> > > >
>> > > > 1. created External group in IPA erver
>> > > > 2. created local POSIX group n IPA server
>> > > > 3. Added AD group to external group
>> > > > 4. added POSIX group to external group.
>> > > >
>> > > > After that  have created HBAC rule by adding both local and
>> external IPA
>> > > > groups, added sshd as service and selected service group as sudo.
>> > > >
>> > > > i have applied this HBAC rule to client server and from web UI and
>> while
>> > > > testing HBAC from web, i am getting access denied .
>> > >
>> > > Sorry, not enough info.
>> > >
>> > > One guess would be that you need to add the "sudo-i" service as well.
>> > > The other is that the groups might not show up on the client (do
>> they?)
>> > >
>> > > Anyway, it might be good idea to follow
>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go to http://freeipa.org for more info on the project
>> > >
>>
>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

While explaining here it went wrong. Actually what I did is:
"Added external group to POSIX group"

On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> > HI,
> >
> > "The other is that the groups might not show up on the client (do they?)"
>
> id $user.
>
> But I think Alexander noticed the root cause.
>
> >
> > How can I check that?
> >
> > Thanks
> > Ben
> >
> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
> wrote:
> >
> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > > > Hi List,
> > > >
> > > > I have a working setup of one AD, one IPA server and one client
> > > > server. By default I can log in to the client server by using an
> > > > AD username.
> > > >
> > > > I want to apply HBAC rules against this client server. For that I
> > > > have done the below steps.
> > > >
> > > > 1. created External group in IPA server
> > > > 2. created local POSIX group on IPA server
> > > > 3. Added AD group to external group
> > > > 4. added POSIX group to external group.
> > > >
> > > > After that I have created an HBAC rule by adding both local and
> > > > external IPA groups, added sshd as service and selected service
> > > > group as sudo.
> > > >
> > > > I have applied this HBAC rule to the client server from the web UI,
> > > > and while testing HBAC from the web, I am getting access denied.
> > >
> > > Sorry, not enough info.
> > >
> > > One guess would be that you need to add the "sudo-i" service as well.
> > > The other is that the groups might not show up on the client (do they?)
> > >
> > > Anyway, it might be a good idea to follow
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > >
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

I have created 2 fresh users now and i was running below,

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

but i can able to test with old users,

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd

Access granted: True

  Matched rules: allow_all
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd

Access granted: True

  Matched rules: ad_can_login
  Matched rules: allow_all
  Not matched rules: local_admin_can_login


Is there any sync time for trust?

when i was trying ipa trust-fetch-domains, i am getting below

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi Alex,
>
> yea my mistake.
>
> i was following u this
>
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
>
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have working setup of one AD, one IPA server and one client server. by
>>> default i can login to client server by using AD username.
>>>
>>> i want to apply HBAC rules against this client server. For that i have
>>> done below steps.
>>>
>>> 1. created External group in IPA server
>>> 2. created local POSIX group in IPA server
>>> 3. Added AD group to external group
>>> 4. added POSIX group to external group.
>>>
>>>
>> You should have added external group to POSIX group, not the other way
>> around.
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex,

yea my mistake.

i was following u this

http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources



On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Fri, 29 Apr 2016, Ben .T.George wrote:
>
>> Hi List,
>>
>> I have working setup of one AD, one IPA server and one client server. by
>> default i can login to client server by using AD username.
>>
>> i want to apply HBAC rules against this client server. For that i have
>> done below steps.
>>
>> 1. created External group in IPA server
>> 2. created local POSIX group in IPA server
>> 3. Added AD group to external group
>> 4. added POSIX group to external group.
>>
>>
> You should have added external group to POSIX group, not the other way
> around.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI,

"The other is that the groups might not show up on the client (do they?)"

how can i check that.

Thanks
Ben

On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > I have working setup of one AD, one IPA server and one client server. by
> > default i can login to client server by using AD username.
> >
> > i want to apply HBAC rules against this client server. For that i have
> > done below steps.
> >
> > 1. created External group in IPA server
> > 2. created local POSIX group in IPA server
> > 3. Added AD group to external group
> > 4. added POSIX group to external group.
> >
> > After that i have created HBAC rule by adding both local and external IPA
> > groups, added sshd as service and selected service group as sudo.
> >
> > i have applied this HBAC rule to client server and from web UI and while
> > testing HBAC from web, i am getting access denied.
>
> Sorry, not enough info.
>
> One guess would be that you need to add the "sudo-i" service as well.
> The other is that the groups might not show up on the client (do they?)
>
> Anyway, it might be good idea to follow
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>

[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List,

I have working setup of one AD, one IPA server and one client server. by
default i can login to client server by using AD username.

i want to apply HBAC rules against this client server. For that i have done
below steps.

1. created External group in IPA server
2. created local POSIX group in IPA server
3. Added AD group to external group
4. added POSIX group to external group.

After that i have created HBAC rule by adding both local and external IPA
groups, added sshd as service and selected service group as sudo.

i have applied this HBAC rule to client server and from web UI and while
testing HBAC from web, i am getting access denied.

How can i implement HBAC with Active directory user group.

Regards,
Ben

[Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi

while issuing ipa trust-fetch-domains, i am getting below error.

i have created new security group in AD and i want to add this to external
group.

[root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

help me to fix/explain more about this error

Regards

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Ben .T.George
HI

Thanks for your reply.

can i do this external group mapping from web UI?

On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > i have a working setup of IPA with AD integrated and one client joined.
> >
> > i want to implement HBAC rules against this client. can anyone please
> > share me good articles of implementing HBAC from web UI.
>
> I'm not sure about the web UI, but as a general rule you'll want to add
> an external group (created with --external) as a member of a POSIX group
> and reference the POSIX group in the HBAC rule. The AD members should be
> added as members of the external group.
>
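The membership chain Jakub describes (AD members in an external group, the external group as a member of a POSIX group, the POSIX group referenced from the HBAC rule), together with the inverted nesting from the original post, modelled as an added example. This is not FreeIPA's code; it simulates what `ipa hbactest` evaluates. The group names ad_admins and ad_admins_external and the client host client.idm.local are constructed; the user KWTTESTDC\ben, the rule name ad_can_login and the sudo-i service come from the thread. The CLI sequence in the docstring is the real one from the FreeIPA AD-trust wiki page cited in this thread, with the same constructed names.

```python
"""Model of FreeIPA HBAC evaluation over nested groups.

Added example for the thread, not FreeIPA's own code.  It reproduces the
membership model the replies describe: AD users (or AD groups) are members
of an *external* IPA group, the external group is a member of a POSIX
group, and the HBAC rule references the POSIX group.  ad_admins,
ad_admins_external and client.idm.local are constructed names.

The real CLI sequence for the same setup (FreeIPA AD-trust wiki page) is:

    ipa group-add ad_admins_external --external
    ipa group-add ad_admins
    ipa group-add-member ad_admins_external --external 'KWTTESTDC\\Domain Admins'
    ipa group-add-member ad_admins --groups ad_admins_external
    ipa hbacrule-add ad_can_login
    ipa hbacrule-add-user ad_can_login --groups ad_admins
    ipa hbacrule-add-host ad_can_login --hosts client.idm.local
    ipa hbacrule-add-service ad_can_login --hbacsvcs sshd
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    external: bool = False                      # --external: holds AD members, has no gid
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)    # names of nested member groups


@dataclass
class HBACRule:
    name: str
    usergroups: set      # POSIX group names, or {"ALL"} for usercategory=all
    hosts: set           # host FQDNs, or {"ALL"}
    services: set        # HBAC service names, or {"ALL"}
    enabled: bool = True


def expand_members(groups, name, seen=None):
    """Users reachable from group `name` through nested membership."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:      # unknown group or cycle
        return set()
    seen.add(name)
    users = set(groups[name].users)
    for sub in groups[name].groups:
        users |= expand_members(groups, sub, seen)
    return users


def hbactest(rules, groups, user, host, service):
    """Evaluate like `ipa hbactest`: returns (granted, matched, not_matched).

    HBAC rules are allow-only: access is granted when at least one enabled
    rule matches user, host and service; with no match it is denied.
    """
    matched, not_matched = [], []
    for rule in rules:
        if not rule.enabled:
            continue
        user_ok = "ALL" in rule.usergroups or any(
            user in expand_members(groups, g) for g in rule.usergroups)
        host_ok = "ALL" in rule.hosts or host in rule.hosts
        svc_ok = "ALL" in rule.services or service in rule.services
        (matched if user_ok and host_ok and svc_ok else not_matched).append(rule.name)
    return bool(matched), sorted(matched), sorted(not_matched)


def build_groups(external_inside_posix):
    """Build the two groups; the flag selects the nesting direction."""
    ext = Group("ad_admins_external", external=True, users={"KWTTESTDC\\ben"})
    posix = Group("ad_admins")
    if external_inside_posix:
        posix.groups.add(ext.name)   # correct: external group is a member of the POSIX group
    else:
        ext.groups.add(posix.name)   # the mistake in the thread: POSIX group inside the external one
    return {ext.name: ext, posix.name: posix}


RULES = [
    HBACRule("ad_can_login", usergroups={"ad_admins"},
             hosts={"client.idm.local"}, services={"sshd"}),
]
USER, HOST = "KWTTESTDC\\ben", "client.idm.local"


def demo():
    """The thread's scenario with both nesting directions, plus sudo -i."""
    return {
        "correct_sshd": hbactest(RULES, build_groups(True), USER, HOST, "sshd"),
        "inverted_sshd": hbactest(RULES, build_groups(False), USER, HOST, "sshd"),
        # `sudo -i` is checked against the "sudo-i" HBAC service, which the rule lacks
        "correct_sudo_i": hbactest(RULES, build_groups(True), USER, HOST, "sudo-i"),
    }


if __name__ == "__main__":
    for case, (granted, matched, not_matched) in demo().items():
        print(f"{case}: granted={granted} matched={matched} not matched={not_matched}")
```

With the external group nested inside the POSIX group the rule matches; with the groups the other way round the POSIX group has no members at all, so the rule cannot match anyone, which is the symptom reported above.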

[Freeipa-users] HBAC implementation help

2016-04-28 Thread Ben .T.George
Hi List,

i have a working setup of IPA with AD integrated and one client joined.

i want to implement HBAC rules against this client. can anyone please share
me good articles of implementing HBAC from web UI.


Thanks & Regards,
Ben

[Freeipa-users] error while adding conditional forwarder for AD domain

2016-04-13 Thread Ben .T.George
Hi LIst,

getting below error while adding conditional forwarder for AD domain on IPA

[root@ipa ~]# ipa dnsforwardzone-add ad.example.com
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain ad.example.com. failed: All nameservers
failed to answer the query ad.example.com. IN SOA: Server 127.0.0.1 UDP
port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53
anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS
operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

how to fix this issue.

Operating system : CentOs 7.2
IPA VERSION: 4.3.1, API_VERSION: 2.164

Thanks & Regards
Ben

Re: [Freeipa-users] Good IPA implementation guide

2016-04-12 Thread Ben .T.George
Hi

Thanks.

i have installed IPA server with "ipa-server-install". kinit admin is
working for me.

now i need to start integrating with active directory.

Thanks & Regards,
Ben

On Tue, Apr 12, 2016 at 9:30 PM, Baird, Josh <jba...@follett.com> wrote:

> You can refer to the ‘Identity Management’ section in the RHEL
> documentation:
>
>
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
>
>
>
> Josh
>
>
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Ben .T.George
> *Sent:* Tuesday, April 12, 2016 2:18 PM
> *To:* freeipa-users <freeipa-users@redhat.com>
> *Subject:* [Freeipa-users] Good IPA implementation guide
>
>
>
> Hi List,
>
>
>
> anyone please send me some reference to IPA server installation with
> active directory integration guide.
>
>
>
> I would like to install latest IPA version in RHEL 7.
>
>
>
> Thanks & Regards,
>
> Ben
>

[Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-04-12 Thread Ben .T.George
Hi List,

From where can i get repo details for FreeIPA 4.3.1 version. the link
provided in website is broken.
https://www.freeipa.org/page/Releases/4.3.1

please someone give me right package details.

Regards,
Ben

Re: [Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Ben .T.George
HI Traino,

thanks for the info

i have checked the hosts file and confirmed that the entry was in "ip FQDN Alias"
format


And the DNS everything is working

[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp
_kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
echo ""; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments
+nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _

_ldap._tcp.SUN.LOCAL.            21965  IN  SRV  0 100 389  kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL.         1957  IN  SRV  0 100 88   kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL.        86400  IN  SRV  0 100 88   kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 86400  IN  SRV  0 100 88   kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL.  9112  IN  SRV  0 100 88   kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL.             86400  IN  SRV  0 100 123  kwtprsolipa01.sun.local.

[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp
_kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
echo ""; dig @mha.local ${i}.MHA.LOCAL srv +nocmd +noquestion +nocomments
+nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _

_ldap._tcp.MHA.LOCAL.      600  IN  SRV  0 100 389  dxbprdc002.mha.local.
_ldap._tcp.MHA.LOCAL.      600  IN  SRV  0 100 389  kwtprdc001.mha.local.
_ldap._tcp.MHA.LOCAL.      600  IN  SRV  0 100 389  dxbprdc001.mha.local.
_ldap._tcp.MHA.LOCAL.      600  IN  SRV  0 100 389  rusmosprdc002.mha.local.
_ldap._tcp.MHA.LOCAL.      600  IN  SRV  0 100 389  kwtprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL.  600  IN  SRV  0 100 88   kwtprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL.  600  IN  SRV  0 100 88   dxbprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL.  600  IN  SRV  0 100 88   dxbprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL.  600  IN  SRV  0 100 88   kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL.  600  IN  SRV  0 100 88   kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL.  600  IN  SRV  0 100 88   dxbprdc002.mha.local.
_kerberos._udp.MHA.LOCAL.  600  IN  SRV  0 100 88   kwtprdc001.mha.local.
_kerberos._udp.MHA.LOCAL.  600  IN  SRV  0 100 88   dxbprdc001.mha.local.

[root@kwtprsolipa01 slapd-SUN-LOCAL]# host 172.16.99.99
99.99.16.172.in-addr.arpa domain name pointer kwtprsolipa01.sun.local.
[root@kwtprsolipa01 slapd-SUN-LOCAL]# host kwtprsolipa01.sun.local
kwtprsolipa01.sun.local has address 172.16.99.99

[root@kwtprsolipa01 slapd-SUN-LOCAL]# host mha.local
mha.local has address 172.16.98.171
mha.local has address 172.16.100.180
mha.local has address 10.10.10.11
mha.local has address 10.10.10.10


[root@kwtprsolipa01 slapd-SUN-LOCAL]# dig kwtprsolipa01.sun.local

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> kwtprsolipa01.sun.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;kwtprsolipa01.sun.local.   IN  A

;; ANSWER SECTION:
kwtprsolipa01.sun.local. 38 IN  A   172.16.99.99

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 08 13:54:02 AST 2015
;; MSG SIZE  rcvd: 68



On Wed, Apr 8, 2015 at 1:27 PM, Traiano Welcome <trai...@gmail.com> wrote:

> Hi Ben
>
> On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
> > HI
> >
> > i am getting krb5kdc: Server error in logs:
> >
> > krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
> >
> > and the ipactl status is taking long time. Web interface is not able to
> > authenticate.
> >
> > If i issue ipactl restart, nothing is happening
> >
> > to solve this issue currently i am restarting full server..
> >
> > How can i fix this?
>
> Check the tail-end of this thread:
>
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00011.html
>
> You may want to begin by checking /etc/hosts for the right format (ip
> address fqdn hostname).
> DNS is probably the very next thing you want to check... thoroughly.
>
> > Regards,
> > Ben

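Traiano's two checks, the /etc/hosts line order and the SRV records, as an added example that is not code from the thread or from FreeIPA. It parses dig SRV answers in the form pasted above, including answers a mail client wrapped onto two lines, verifies that every record an IPA client looks up for the realm exists and carries the expected port, and checks an /etc/hosts line for the "ip fqdn shortname" order. The sample records are constructed from the SUN.LOCAL output in the message; the faulty zone is constructed.

```python
"""SRV and /etc/hosts sanity checks for an IPA realm, over captured output.

Added example for this thread, not project code.  The SRV sample below is
constructed from the thread's dig output; the broken sample is constructed
to show what the checks report.
"""

# Records an IPA server publishes for its realm, and the port each must carry.
IPA_SRV_PORTS = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_ntp._udp": 123,
}


def parse_srv(text):
    """Parse SRV answer records out of dig output.

    Works on whitespace tokens rather than lines, because mail clients wrap
    long answers and the target then lands on the next line (as in the
    thread).  Lines starting with ';' are dig comments and are dropped.
    """
    tokens = []
    for line in text.splitlines():
        if not line.lstrip().startswith(";"):
            tokens.extend(line.split())
    records, i = [], 0
    while i + 7 < len(tokens):
        if tokens[i + 2] == "IN" and tokens[i + 3] == "SRV":
            try:
                records.append({
                    "name": tokens[i],
                    "ttl": int(tokens[i + 1]),
                    "priority": int(tokens[i + 4]),
                    "weight": int(tokens[i + 5]),
                    "port": int(tokens[i + 6]),
                    "target": tokens[i + 7],
                })
                i += 8
                continue
            except ValueError:
                pass                      # malformed record: resynchronise one token on
        i += 1
    return records


def check_ipa_srv(records, domain):
    """Return a list of problems; empty when every expected record is right."""
    suffix = "." + domain.strip(".").lower() + "."
    problems = []
    for svc, port in IPA_SRV_PORTS.items():
        wanted = svc + suffix
        hits = [r for r in records if r["name"].lower() == wanted]
        if not hits:
            problems.append(f"missing {wanted}")
        for r in hits:
            if r["port"] != port:
                problems.append(f"{r['name']} points to port {r['port']}, expected {port}")
    return problems


def check_hosts_line(line, ip, fqdn):
    """Check one /etc/hosts line has the form 'ip fqdn [shortname ...]'.

    Returns (ok, reason).  The FQDN must be the first name after the address:
    that is the canonical name returned for the address, and IPA expects it
    to be the host's FQDN, not the short alias.
    """
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return False, "not an address/name line"
    if fields[0] != ip:
        return False, f"address is {fields[0]}, expected {ip}"
    if fields[1].lower() != fqdn.lower().rstrip("."):
        return False, f"first name is {fields[1]}, expected the FQDN {fqdn}"
    return True, "ok"


# Constructed from the thread's SUN.LOCAL answers; the first two are wrapped
# onto two lines the way the mail client wrapped them.
SAMPLE_SRV = """\
_ldap._tcp.SUN.LOCAL.   21965   IN  SRV 0 100 389
kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 1957  IN  SRV 0 100 88
kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 86400 IN  SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 86400 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 9112 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL.    86400   IN  SRV 0 100 123 kwtprsolipa01.sun.local.
"""

# Constructed faulty zone: the LDAP record points at 636 and NTP is absent.
BROKEN_SRV = """\
;; ANSWER SECTION:
_ldap._tcp.SUN.LOCAL. 600 IN SRV 0 100 636 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
"""

if __name__ == "__main__":
    for label, text in (("thread", SAMPLE_SRV), ("broken", BROKEN_SRV)):
        print(label, check_ipa_srv(parse_srv(text), "sun.local") or "all SRV records present")
    print(check_hosts_line("172.16.99.99 kwtprsolipa01.sun.local kwtprsolipa01",
                           "172.16.99.99", "kwtprsolipa01.sun.local"))
```

Feed it the output of the dig loop above (or `dig ... srv +noall +answer`) for the IPA realm; the AD domain's zone is not expected to carry `_kerberos-master` or `_ntp` records, so run the check against the IPA domain only.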

[Freeipa-users] krb5kdc: Server error

2015-04-08 Thread Ben .T.George
HI

i am getting krb5kdc: Server error in logs:

krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL

and the ipactl status is taking long time. Web interface is not able to
authenticate.

If i issue ipactl restart, nothing is happening

to solve this issue currently i am restarting full server..


How can i fix this?

Regards,
Ben

Re: [Freeipa-users] Your session has expired. Please re-login.

2015-04-03 Thread Ben .T.George
HI

i was facing the same issue last week and it got fixed now.

always use WUI from firefox. install Kerberos plugin and certificate from
ipa help page

check time (ntp)

Destroy and recreate ticket (kdestroy & kinit admin)

restart krb5kdc, sssd & httpd services

restart ipactl (ipactl restart)

check ipactl status also.

Regards,
Ben

On Fri, Apr 3, 2015 at 1:19 PM, Andrew Holway <andrew.hol...@gmail.com>
wrote:

> Hello,
>
> Trying to log into the Gui I just get "Your session has expired. Please
> re-login." Everything else appears to be working.
>
> I cannot find any useful logs.
>
> Cheers,
>
> Andrew


Re: [Freeipa-users] Your session has expired. Please re-login.

2015-04-03 Thread Ben .T.George
no, it's because of wrong ticket i guess.

try the steps and let us know the output



On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway <andrew.hol...@gmail.com>
wrote:

> On Friday, 3 April 2015, Ben .T.George <bentech4...@gmail.com> wrote:
>
> > HI
> >
> > i was facing the same issue last week and it got fixed now.
> >
> > always use WUI from firefox. install Kerberos plugin and certificate from
> > ipa help page
>
> Hi George,
>
> Thanks for the advice. Did you discover the root of the problem?


Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.

2015-04-01 Thread Ben .T.George
everything is default.

but now the issue solved after many restart, kinit & ipactl restart

still don't know how it got fixed

Regards,
Ben

On Wed, Apr 1, 2015 at 8:31 PM, Nalin Dahyabhai <na...@redhat.com> wrote:

> On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
> > HI
> >
> > yes i have cleared cache. tried from different browsers, tried from
> > portable browser, configured kerberos plugin in firefox
> >
> > this is what i got from inspect:
> >
> > http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Just to be sure, the policies for ticket lifetimes are still set to
> their defaults, right?
>
> Is there anything in the server-side logs (/var/log/krb5kdc.log,
> /var/log/httpd/error_log) that might shed some light on things, perhaps
> after having set debug=True in the [global] section of the server's
> /etc/ipa/default.conf and restarted the httpd service?
>
> Nalin


Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.

2015-04-01 Thread Ben .T.George
HI

yes i have cleared cache. tried from different browsers, tried from
portable browser, configured kerberos plugin in firefox

this is what i got from inspect:

http://s9.postimg.org/51c5809xr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>
> > Hi
> >
> > I have re-installed everything from RHEL 7.1 DVD and current ipa version
> > is 4.0.1
> >
> > everything is working including AD trust.
> >
> > but my web interface always giving "Your session has expired. Please
> > re-login."
> >
> > i faced the issue before; that time i destroyed kerberos ticket (kdestroy)
> > and initiated again (kinit admin). after that it got worked.
> >
> > but now i did all the exercises and still not working
> >
> > please anyone solved this issue. or is this a known bug?
> >
> > if i open the page from chrome browser, i am getting another login screen
> > like .htaccess login. If i gave password, it re-appearing again
> >
> > Regards,
> > Ben
>
> Have you cleaned your browser cache data?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.


[Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.

2015-04-01 Thread Ben .T.George
Hi

I have re-installed everything from RHEL 7.1 DVD and current ipa version is
4.0.1

everything is working including AD trust.

but my web interface always giving "Your session has expired. Please
re-login."

i faced the issue before; that time i destroyed kerberos ticket (kdestroy)
and initiated again (kinit admin). after that it got worked.

but now i did all the exercises and still not working

please anyone solved this issue. or is this a known bug?

if i open the page from chrome browser, i am getting another login screen
like .htaccess login. If i gave password, it re-appearing again

Regards,
Ben

Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.

2015-04-01 Thread Ben .T.George
HI

i have checked from chrome and got 401 error: This is what exactly i
reported 3 weeks back :(

http://s1.postimg.org/41ik3o1hr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:45 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> HI
>
> yes i have cleared cache. tried from different browsers, tried from
> portable browser, configured kerberos plugin in firefox
>
> this is what i got from inspect:
>
> http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Regards,
> Ben
>
> On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal <d...@redhat.com> wrote:
>
> > On 04/01/2015 12:32 PM, Ben .T.George wrote:
> >
> > > Hi
> > >
> > > I have re-installed everything from RHEL 7.1 DVD and current ipa version
> > > is 4.0.1
> > >
> > > everything is working including AD trust.
> > >
> > > but my web interface always giving "Your session has expired. Please
> > > re-login."
> > >
> > > i faced the issue before; that time i destroyed kerberos ticket
> > > (kdestroy) and initiated again (kinit admin). after that it got worked.
> > >
> > > but now i did all the exercises and still not working
> > >
> > > please anyone solved this issue. or is this a known bug?
> > >
> > > if i open the page from chrome browser, i am getting another login
> > > screen like .htaccess login. If i gave password, it re-appearing again
> > >
> > > Regards,
> > > Ben
> >
> > Have you cleaned your browser cache data?
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.




Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-29 Thread Ben .T.George
HI

i have compiled the pam_access module successfully and copied access.conf
to /etc/security folder.

i included

other   account required    pam_access.so

and added
-:ben b...@infra.com:ALL

but still user ben can able to access the machine

anyone achieved this?


On Tue, Mar 24, 2015 at 9:19 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Ben .T.George wrote:
> > please anyone share bit more information on this like real example
>
> As we've said many times before, we have very little real experience on
> Solaris. We do the best we can and sometimes that is going to be in the
> form of bread crumbs that may be usable to finding your way to a solution.
>
> Access control via PAM is a very-well understood problem on Solaris.
> Once you have users and groups via nss then IPA is largely out of the
> equation. The OS vendor or Solaris-specific groups will know how to do
> this far better than us.
>
> If you find a detailed answer I'd be happy to add it to the freeIPA wiki.
>
> rob
>
> > On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>> wrote:
> >
> > > Dmitri Pal wrote:
> > > > On 03/24/2015 01:15 PM, Ben .T.George wrote:
> > > > > Hi
> > > > >
> > > > > current stage is AD users can able to login to solaris box. But i
> > > > > don't know up to what level i can control the user.
> > > > >
> > > > > i don't think to there is much pam modules in solaris. still i
> > > > > cannot able to make home directory with pam.
> > > > >
> > > > I think pam_groupdn (if available on Solaris) might help but I
> > > > could not find a clear example to share with you here.
> > >
> > > I'd suggest looking at pam_access.
> > >
> > > rob
> > >
> > > > > On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com
> > > > > <mailto:d...@redhat.com>> wrote:
> > > > >
> > > > > > On 03/24/2015 07:20 AM, Ben .T.George wrote:
> > > > > > > HI
> > > > > > >
> > > > > > > i am using IPA 3.3 and my client is solaris 10.
> > > > > > >
> > > > > > > how can i give only some set of users to this client without
> > > > > > > creating user group in ad?
> > > > > > >
> > > > > > > thanks & Regards,
> > > > > > > Ben
> > > > > >
> > > > > > You can create a group in IPA and make Solaris check that
> > > > > > group at the access phase of PAM if Solaris is capable of
> > > > > > checking groups this way.
> > > > > >
> > > > > > --
> > > > > > Thank you,
> > > > > > Dmitri Pal
> > > > > >
> > > > > > Sr. Engineering Manager IdM portfolio
> > > > > > Red Hat, Inc.
> > > >
> > > > --
> > > > Thank you,
> > > > Dmitri Pal
> > > >
> > > > Sr. Engineering Manager IdM portfolio
> > > > Red Hat, Inc.


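The pam_access question in this message (rule added to access.conf, user ben still logs in) comes down to two things: whether pam_access is in the account stack PAM actually runs for the login service, and whether an earlier access.conf line matched first. The added example below, which is not code from the thread, from Solaris or from Linux-PAM, models both on constructed configs: a Solaris-style pam.conf where the "other" entries are only the fallback for services without an entry of their own, and an access.conf walked first-match-wins with the ALL, (group) and EXCEPT syntax. All users, groups and origins in it are constructed.

```python
"""Why a pam_access rule may not take effect: stack selection and rule order.

Added example for this thread, not project code.  Two things decide whether a
line in /etc/security/access.conf is ever consulted for a login:

* which account modules pam.conf runs for the service (Solaris pam.conf format:
  "service type control module"; the "other" entries apply only to services
  that have no entry of their own for that type), and
* how pam_access walks access.conf: "permission:users:origins" lines, first
  match wins, no match means allow.

Both config texts below are constructed.
"""


def account_stack(pamconf, service):
    """Return [(control, module), ...] that pam.conf runs for `service`'s account phase."""
    explicit, other = [], []
    for raw in pamconf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != "account":
            continue
        svc, _, control, module = fields[:4]
        if svc == service:
            explicit.append((control, module))
        elif svc == "other":
            other.append((control, module))
    return explicit or other          # "other" is only the fallback


def pam_access_applies(pamconf, service):
    """True when pam_access sits in the account stack PAM runs for `service`."""
    return any(module.endswith("pam_access.so") for _, module in account_stack(pamconf, service))


def _field_matches(field, item_matches):
    """One access.conf field: items, 'ALL', optionally 'items EXCEPT items'."""
    parts = field.split()
    if "EXCEPT" in parts:
        cut = parts.index("EXCEPT")
        include, exclude = parts[:cut], parts[cut + 1:]
    else:
        include, exclude = parts, []

    def hit(items):
        return any(tok == "ALL" or item_matches(tok) for tok in items)

    return hit(include) and not hit(exclude)


def access_decision(accessconf, user, groups, origin):
    """Evaluate access.conf: True = allow, False = deny, None = no line matched."""

    def user_matches(tok):
        if tok.startswith("(") and tok.endswith(")"):   # (group) syntax
            return tok[1:-1] in groups
        return tok == user

    for raw in accessconf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3:
            continue                                      # blank or malformed line
        perm, users_f, origins_f = parts
        if _field_matches(users_f, user_matches) and _field_matches(origins_f, lambda tok: tok == origin):
            return perm == "+"
    return None                                           # pam_access default: allow


# Constructed Solaris-style pam.conf account section: cron has its own entry,
# everything else (sshd included) falls through to "other".
PAMCONF = """\
cron    account required    pam_unix_account.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account required    pam_access.so
"""

# Constructed /etc/security/access.conf; lines are consulted top to bottom.
ACCESSCONF = """\
+:(ipa_admins):ALL
-:ben:ALL
-:ALL EXCEPT (ops):ALL
"""


def demo():
    """Stack selection for two services, and four users against the rules."""
    return {
        "sshd_uses_pam_access": pam_access_applies(PAMCONF, "sshd"),
        "cron_uses_pam_access": pam_access_applies(PAMCONF, "cron"),
        "ben": access_decision(ACCESSCONF, "ben", {"ops"}, "10.0.0.5"),
        "alice_admin": access_decision(ACCESSCONF, "alice", {"ipa_admins"}, "10.0.0.5"),
        "carol_ops": access_decision(ACCESSCONF, "carol", {"ops"}, "10.0.0.5"),
        "dave": access_decision(ACCESSCONF, "dave", set(), "10.0.0.5"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

If `pam_access_applies` is false for the service the user actually comes in through, the access.conf contents are irrelevant, which is the first thing to verify when a deny line appears to be ignored; the `carol_ops` case shows the other common surprise, that a user excluded from every line is allowed by default.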

[Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
HI

i am using IPA 3.3 and my client is solaris 10.

how can i give only some set of users to this client without creating user
group in ad?

thanks & Regards,
Ben

Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
please anyone share bit more information on this like real example

On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Dmitri Pal wrote:
> > On 03/24/2015 01:15 PM, Ben .T.George wrote:
> > > Hi
> > >
> > > current stage is AD users can able to login to solaris box. But i
> > > don't know up to what level i can control the user.
> > >
> > > i don't think to there is much pam modules in solaris. still i cannot
> > > able to make home directory with pam.
> > >
> > I think pam_groupdn (if available on Solaris) might help but I could not
> > find a clear example to share with you here.
>
> I'd suggest looking at pam_access.
>
> rob
>
> > > On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com
> > > <mailto:d...@redhat.com>> wrote:
> > >
> > > > On 03/24/2015 07:20 AM, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > i am using IPA 3.3 and my client is solaris 10.
> > > > >
> > > > > how can i give only some set of users to this client without
> > > > > creating user group in ad?
> > > > >
> > > > > thanks & Regards,
> > > > > Ben
> > > >
> > > > You can create a group in IPA and make Solaris check that group at
> > > > the access phase of PAM if Solaris is capable of checking groups
> > > > this way.
> > > >
> > > > --
> > > > Thank you,
> > > > Dmitri Pal
> > > >
> > > > Sr. Engineering Manager IdM portfolio
> > > > Red Hat, Inc.
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.



Re: [Freeipa-users] how can i give set of users to one particular host

2015-03-24 Thread Ben .T.George
Hi

current stage is AD users can able to login to solaris box. But i don't know
up to what level i can control the user.

i don't think to there is much pam modules in solaris. still i cannot able
to make home directory with pam.



On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com> wrote:

> On 03/24/2015 07:20 AM, Ben .T.George wrote:
>
> > HI
> >
> > i am using IPA 3.3 and my client is solaris 10.
> >
> > how can i give only some set of users to this client without creating
> > user group in ad?
> >
> > thanks & Regards,
> > Ben
>
> You can create a group in IPA and make Solaris check that group at the
> access phase of PAM if Solaris is capable of checking groups this way.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.


Re: [Freeipa-users] FreeIPA 3.3 AD -> Solaris is working but solaris local users cannot able to login

2015-03-23 Thread Ben .T.George
HI

i created the home directory manually and copied the profile.

i tried to access the solaris box from putty and still it's not accepting
password.



On Mon, Mar 23, 2015 at 11:03 AM, Ben .T.George bentech4...@gmail.com
wrote:

 HI List

 finally after soo much struggling now i can able to login solaris box as
 AD user.

 but auto home directory creation still have issue. for that i need to
 compile some modules.


 The issue i am facing is i cannot able to login to solaris box after
 editing pam.conf file.here is the conf file

 bash-3.2# cat /etc/pam.conf
 #
 #ident  @(#)pam.conf   1.3211/04/08 SMI
 #
 #
 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_ldap.so.1 debug
 login   auth sufficient pam_krb5.so.1
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 #login  auth required   pam_dial_auth.so.1
 #
 # rlogin service (explicit because of pam_rhost_auth)
 #
 rlogin  auth sufficient pam_rhosts_auth.so.1
 rlogin  auth requisite  pam_authtok_get.so.1
 rlogin  auth required   pam_dhkeys.so.1
 rlogin  auth required   pam_unix_cred.so.1
 rlogin  auth required   pam_unix_auth.so.1
 #
 # Kerberized rlogin service
 #
 krlogin auth required   pam_unix_cred.so.1
 krlogin auth required   pam_krb5.so.1
 #
 # rsh service (explicit because of pam_rhost_auth,
 # and pam_unix_auth for meaningful pam_setcred)
 #
 rsh auth sufficient pam_rhosts_auth.so.1
 rsh auth required   pam_unix_cred.so.1
 #
 # Kerberized rsh service
 #
 krsh    auth required   pam_unix_cred.so.1
 krsh    auth required   pam_krb5.so.1
 #
 # Kerberized telnet service
 #
 ktelnet auth required   pam_unix_cred.so.1
 ktelnet auth required   pam_krb5.so.1
 #
 # PPP service (explicit because of pam_dial_auth)
 #
 ppp auth requisite  pam_authtok_get.so.1
 ppp auth required   pam_dhkeys.so.1
 ppp auth required   pam_unix_cred.so.1
 ppp auth required   pam_unix_auth.so.1
 ppp auth required   pam_dial_auth.so.1
 #
 # Default definitions for Authentication management
 # Used when service name is not explicitly mentioned for authentication
 #
 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth sufficient pam_ldap.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth required   pam_unix_auth.so.1
 #
 # passwd command (explicit because of a different authentication module)
 #
 passwd  auth required   pam_passwd_auth.so.1
 #
 # cron service (explicit because of non-usage of pam_roles.so.1)
 #
 cron    account required    pam_unix_account.so.1
 #
 # Default definition for Account management
 # Used when service name is not explicitly mentioned for account management
 #
 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account sufficient  pam_krb5.so.1
 other   account sufficient  pam_ldap.so.1
 #
 # Default definition for Session management
 # Used when service name is not explicitly mentioned for session management
 #
 #other   session required    pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
 #other   session required    pam_unix_session.so.1
 #
 # Default definition for Password management
 # Used when service name is not explicitly mentioned for password management
 #
 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1
 # Password construction requirements apply to all users.
 # Remove force_check to have the traditional authorized administrator
 # bypass of construction requirements.
 other   password requisite  pam_authtok_check.so.1 force_check
 other   password required   pam_authtok_store.so.1
 #
 # Support for Kerberos V5 authentication and example configurations can
 # be found in the pam_krb5(5) man page under the EXAMPLES section.
 #


 Please, anyone, help me to fix this issue.


 Thanks & Regards,
 Ben


[Freeipa-users] FreeIPA 3.3 AD- Solaris is working but solaris local users cannot able to login

2015-03-23 Thread Ben .T.George
Hi List

Finally, after so much struggling, now I am able to log in to the Solaris box as an AD
user.

But auto home directory creation still has an issue. For that I need to
compile some modules.


The issue I am facing is that I am not able to log in to the Solaris box after
editing the pam.conf file. Here is the conf file:

bash-3.2# cat /etc/pam.conf
#
#ident  @(#)pam.conf   1.32 11/04/08 SMI
#
#
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_ldap.so.1 debug
login   auth sufficient pam_krb5.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
#login  auth required   pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required   pam_unix_cred.so.1
krlogin auth required   pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required   pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required   pam_unix_cred.so.1
krsh    auth required   pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth required   pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite  pam_authtok_get.so.1
ppp auth required   pam_dhkeys.so.1
ppp auth required   pam_unix_cred.so.1
ppp auth required   pam_unix_auth.so.1
ppp auth required   pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth sufficient pam_krb5.so.1
other   auth sufficient pam_ldap.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required    pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account sufficient  pam_krb5.so.1
other   account sufficient  pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other   session required    pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
#other   session required    pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite  pam_authtok_check.so.1 force_check
other   password required   pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the EXAMPLES section.
#


Please, anyone, help me to fix this issue.


Thanks & Regards,
Ben
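The pam.conf posted above is easy to mis-read by eye because Solaris resolves each service against the `other` fallback per management type. The linter below is an added example (not code from the thread, from Solaris or from FreeIPA): it parses the five-field `service module_type control_flag module_path [options]` lines, resolves a service's stack the way pam.conf(4) does (the service's own entries for that module type if it has any, otherwise the `other` entries), and reports two things a reviewer would want to see: management types whose `other` stack has no active line at all (the commented-out `other session` block above is one such case), and modules left with `debug` set. `SAMPLE_PAM_CONF` is an excerpt of the file posted above, with the line wrapping repaired; the `lint`, `effective_stack` and `empty_default_stacks` names are this example's own.

```python
"""Lint a Solaris pam.conf: parse entries, resolve stacks, flag empty defaults.

Added example. SAMPLE_PAM_CONF is an excerpt of the pam.conf posted in the thread.
"""

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional", "binding")

SAMPLE_PAM_CONF = """\
#ident  @(#)pam.conf   1.32 11/04/08 SMI
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_ldap.so.1 debug
login   auth sufficient pam_krb5.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth sufficient pam_krb5.so.1
other   auth sufficient pam_ldap.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
cron    account required    pam_unix_account.so.1
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account sufficient  pam_krb5.so.1
other   account sufficient  pam_ldap.so.1
# session stack exactly as posted: every line commented out
#other   session required    pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
#other   session required    pam_unix_session.so.1
other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1 force_check
other   password required   pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return (entries, problems); each entry is a dict with line, service, type, flag, module, options."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment; a commented-out entry is simply inactive
        fields = line.split(None, 4)  # fields are whitespace (tab or space) separated
        if len(fields) < 4:
            problems.append(f"line {lineno}: expected at least 4 fields, got {len(fields)}: {line!r}")
            continue
        service, mtype, flag, module = fields[:4]
        options = fields[4].split() if len(fields) == 5 else []
        if mtype not in MODULE_TYPES:
            problems.append(f"line {lineno}: unknown module type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            problems.append(f"line {lineno}: unknown control flag {flag!r}")
        entries.append({"line": lineno, "service": service, "type": mtype,
                        "flag": flag, "module": module, "options": options})
    return entries, problems


def effective_stack(entries, service, mtype):
    """Resolve like Solaris PAM: the service's own entries for this module type
    if it has any, otherwise the 'other' entries."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    if own:
        return own
    return [e for e in entries if e["service"] == "other" and e["type"] == mtype]


def empty_default_stacks(entries):
    """Module types for which the 'other' fallback has no active entry at all."""
    return [t for t in MODULE_TYPES if not effective_stack(entries, "other", t)]


def debug_modules(entries):
    """(service, type, module) for every entry whose options include 'debug'."""
    return [(e["service"], e["type"], e["module"]) for e in entries if "debug" in e["options"]]


def lint(text):
    """Human-readable findings for a pam.conf body."""
    entries, problems = parse_pam_conf(text)
    report = list(problems)
    for t in empty_default_stacks(entries):
        report.append(f"no active 'other {t}' entries: services without their own {t} stack get nothing")
    for service, mtype, module in debug_modules(entries):
        report.append(f"{service} {mtype}: {module} has 'debug' set; remove it once diagnosed")
    return report


if __name__ == "__main__":
    for finding in lint(SAMPLE_PAM_CONF):
        print(finding)
```

Run it against a copy of the real file (`lint(open("/etc/pam.conf").read())`) after every edit; a typo in a control flag or a stack that silently falls through to an empty `other` block is exactly the kind of change that locks out logins while looking harmless in a diff.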

[Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi

I am getting ipa: ERROR: CIFS server communication error: code
-1073741771,

while doing

[root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin
Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code -1073741771,
  message NT_STATUS_OBJECT_NAME_COLLISION (both may be
None)

I am using CentOS 7 and IPA 4.1.2.

IPA Server

[root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
kwtpocpbis02.solaris.com has address 172.16.107.135
[root@kwtpocpbis02 ~]# host 172.16.107.135
135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.


AD

[root@kwtpocpbis02 ~]# host 172.16.107.250
250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
[root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
kwtipaad001.infra.com has address 172.16.107.250

Debugging is enabled and this is what I am getting in error_log:

INFO: Current debug levels:
  all: 11
  tdb: 11
  printdrivers: 11
  lanman: 11
  smb: 11
  rpc_parse: 11
  rpc_srv: 11
  rpc_cli: 11
  passdb: 11
  sam: 11
  auth: 11
  winbind: 11
  vfs: 11
  idmap: 11
  quota: 11
  acls: 11
  locking: 11
  msdfs: 11
  dmapi: 11
  registry: 11
  scavenger: 11
  dns: 11
  ldb: 11
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:kwtpocpbis02.solaris.com[,]
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
netmask=255.255.255.0
added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
netmask=255.255.255.0
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 663430
SO_RCVBUF = 261942
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@solaris.com will expire in 81540 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2,
param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc request data:
[0000] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00    
[0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    
[0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00    
[0030] 00 00 00 00 00 00 00 02
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,
param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc reply data:
[0000] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34    .U.4
[0010] 2E 0F 00 00 00 00 00 00
rpc request data:
[0000] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34    .U.4
[0010] 2E 0F 00 00 0C 00 ..
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,
param_disp=0, data_offset=84, data_pad=0, data_disp=0
rpc reply data:
[0000] 00 00 02 00 0C 00 00 00   0E 00 10 00 04 00 02 00    
[0010] 16 00 18 00 08 00 02 00   16 00 18 00 0C 00 02 00    
[0020] 15 00 00 00 5F 89 A9 B4   86 30 6C 9D B4 09 10 02   _... .0l.
[0030] 10 00 02 00 08 00 00 00   00 00 00 00 07 00 00 00    
[0040] 53 00 4F 00 4C 00 41 00   52 00 49 00 53 00 00 00   S.O.L.A. R.I.S...
[0050] 0C 00 00 00 00 00 00 00   0B 00 00 00 73 00 6F 00    s.o.
[0060] 6C 00 61 00 72 00 69 00   73 00 2E 00 63 00 6F 00   l.a.r.i. s...c.o.
[0070] 6D 00 00 00 0C 00 00 00   00 00 00 00 0B 00 00 00   m... 
[0080] 73 00 6F 00 6C 00 61 00   72 00 69 00 73 00 2E 00   s.o.l.a. r.i.s...
[0090] 63 00 6F 00 6D 00 00 00   04 00 00 00 01 04 00 00   c.o.m... 
[00A0] 00 00 00 05 15 00 00 00   5F 89 A9 B4 86 30 6C 9D    _0l.
[00B0] B4 09 10 02 00 00 00 00
rpc request data:
[] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34    .U.4
[0010] 2E 0F 00 00 06 00 ..
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi

Thanks for the reply.

I have created a PTR record for the IPA server under the reverse lookup zone manually,
and the IPA server is resolving from AD.

How can I solve this issue?



On Wed, Mar 18, 2015 at 12:15 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Wed, 18 Mar 2015, Ben .T.George wrote:

 Hi

 I am getting ipa: ERROR: CIFS server communication error: code
 -1073741771,

 while doing

 [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin
 Administrator --password
 Active Directory domain administrator's password:
 ipa: ERROR: CIFS server communication error: code -1073741771,
  message NT_STATUS_OBJECT_NAME_COLLISION (both may be
 None)

 I am using CentOS 7 and IPA 4.1.2.

 NT_STATUS_OBJECT_NAME_COLLISION means AD thinks you have hosts in AD
 that belong to the solaris.com domain which 'trust-ad' operation claims
 to belong to IPA realm. AD denies operating the trust in this case.



 IPA Server

 [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
 kwtpocpbis02.solaris.com has address 172.16.107.135
 [root@kwtpocpbis02 ~]# host 172.16.107.135
 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.


 AD

 [root@kwtpocpbis02 ~]# host 172.16.107.250
 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
 [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
 kwtipaad001.infra.com has address 172.16.107.250

 Debugging is enabled and this is what I am getting in error_log:

 INFO: Current debug levels:
  all: 11
  tdb: 11
  printdrivers: 11
  lanman: 11
  smb: 11
  rpc_parse: 11
  rpc_srv: 11
  rpc_cli: 11
  passdb: 11
  sam: 11
  auth: 11
  winbind: 11
  vfs: 11
  idmap: 11
  quota: 11
  acls: 11
  locking: 11
  msdfs: 11
  dmapi: 11
  registry: 11
  scavenger: 11
  dns: 11
  ldb: 11
 pm_process() returned Yes
 GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'sasl-DIGEST-MD5' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'ntlmssp' registered
 Using binding ncacn_np:kwtpocpbis02.solaris.com[,]
 Mapped to DCERPC endpoint \pipe\lsarpc
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 663430
SO_RCVBUF = 261942
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
 Starting GENSEC mechanism spnego
 Starting GENSEC submechanism gssapi_krb5
 Ticket in credentials cache for ad...@solaris.com will expire in 81540
 secs
 gensec_gssapi: NO credentials were delegated
 GSSAPI Connection will be cryptographically sealed
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc request data:
 [] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   
 
 [0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   
 
 [0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00   
 
 [0030] 00 00 00 00 00 00 00 02
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc reply data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 00 00 00 00
 rpc request data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 0C 00 ..
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc reply data:
 [] 00 00 02 00 0C 00 00 00   0E 00 10 00 04 00 02 00   
 
 [0010] 16 00 18 00 08 00 02 00   16 00 18 00 0C 00 02 00   
 
 [0020] 15 00 00 00 5F 89 A9 B4   86 30 6C 9D B4 09 10 02   _...
 .0l.
 [0030] 10 00 02 00 08 00 00 00   00 00 00 00 07 00 00 00   
 
 [0040] 53 00 4F 00 4C 00 41 00   52 00 49 00 53 00 00 00   S.O.L.A.
 R.I.S...
 [0050] 0C 00 00 00 00 00 00 00   0B 00 00 00 73 00 6F 00   
 s.o.
 [0060] 6C 00 61 00 72 00 69 00   73 00 2E 00 63 00 6F 00   l.a.r.i.
 s...c.o.
 [0070] 6D 00 00 00 0C 00 00 00   00 00 00 00 0B 00 00 00   m...
 
 [0080] 73

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi

I saw this in BZ and it's closed by mentioning it got resolved on
RHEL/CentOS 7.
 But I am already using 7.

Please, anyone, help me to fix this?

Regards,
Nem

On Wed, Mar 18, 2015 at 11:19 AM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi

 I am getting ipa: ERROR: CIFS server communication error: code
 -1073741771,

 while doing

 [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin
 Administrator --password
 Active Directory domain administrator's password:
 ipa: ERROR: CIFS server communication error: code -1073741771,
   message NT_STATUS_OBJECT_NAME_COLLISION (both may be
 None)

 I am using CentOS 7 and IPA 4.1.2.

 IPA Server

 [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
 kwtpocpbis02.solaris.com has address 172.16.107.135
 [root@kwtpocpbis02 ~]# host 172.16.107.135
 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.


 AD

 [root@kwtpocpbis02 ~]# host 172.16.107.250
 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
 [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
 kwtipaad001.infra.com has address 172.16.107.250

 Debugging is enabled and this is what I am getting in error_log:

 INFO: Current debug levels:
   all: 11
   tdb: 11
   printdrivers: 11
   lanman: 11
   smb: 11
   rpc_parse: 11
   rpc_srv: 11
   rpc_cli: 11
   passdb: 11
   sam: 11
   auth: 11
   winbind: 11
   vfs: 11
   idmap: 11
   quota: 11
   acls: 11
   locking: 11
   msdfs: 11
   dmapi: 11
   registry: 11
   scavenger: 11
   dns: 11
   ldb: 11
 pm_process() returned Yes
 GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'sasl-DIGEST-MD5' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'ntlmssp' registered
 Using binding ncacn_np:kwtpocpbis02.solaris.com[,]
 Mapped to DCERPC endpoint \pipe\lsarpc
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 Socket options:
 SO_KEEPALIVE = 0
 SO_REUSEADDR = 0
 SO_BROADCAST = 0
 TCP_NODELAY = 1
 TCP_KEEPCNT = 9
 TCP_KEEPIDLE = 7200
 TCP_KEEPINTVL = 75
 IPTOS_LOWDELAY = 0
 IPTOS_THROUGHPUT = 0
 SO_REUSEPORT = 0
 SO_SNDBUF = 663430
 SO_RCVBUF = 261942
 SO_SNDLOWAT = 1
 SO_RCVLOWAT = 1
 SO_SNDTIMEO = 0
 SO_RCVTIMEO = 0
 TCP_QUICKACK = 1
 TCP_DEFER_ACCEPT = 0
 Starting GENSEC mechanism spnego
 Starting GENSEC submechanism gssapi_krb5
 Ticket in credentials cache for ad...@solaris.com will expire in 81540
 secs
 gensec_gssapi: NO credentials were delegated
 GSSAPI Connection will be cryptographically sealed
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=72, this_data=72, max_data=65535, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc request data:
 [] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   
 
 [0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   
 
 [0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00   
 
 [0030] 00 00 00 00 00 00 00 02
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc reply data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 00 00 00 00
 rpc request data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 0C 00 ..
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc reply data:
 [] 00 00 02 00 0C 00 00 00   0E 00 10 00 04 00 02 00   
 
 [0010] 16 00 18 00 08 00 02 00   16 00 18 00 0C 00 02 00   
 
 [0020] 15 00 00 00 5F 89 A9 B4   86 30 6C 9D B4 09 10 02   _...
 .0l.
 [0030] 10 00 02 00 08 00 00 00   00 00 00 00 07 00 00 00   
 
 [0040] 53 00 4F 00 4C 00 41 00   52 00 49 00 53 00 00 00   S.O.L.A.
 R.I.S...
 [0050] 0C 00 00 00 00 00 00 00   0B 00 00 00 73 00 6F 00   
 s.o.
 [0060] 6C 00 61 00 72 00 69 00   73 00 2E 00 63 00 6F 00   l.a.r.i.
 s...c.o.
 [0070] 6D 00 00 00 0C 00 00 00   00 00 00 00 0B 00 00 00   m...
 
 [0080] 73 00 6F 00 6C 00 61 00   72 00 69 00 73 00 2E 00   s.o.l.a.
 r.i.s...
 [0090] 63 00 6F 00 6D 00 00 00   04 00 00 00 01 04 00 00   c.o.m...
 
 [00A0] 00 00 00 05 15 00 00 00   5F 89 A9 B4 86 30 6C 9D

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
This is the result from AD:

C:\Users\Administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> _ldap._tcp.infra.com
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.infra.com    SRV service location:
  priority   = 0
  weight = 100
  port   = 389
  svr hostname   = kwtipaad001.infra.com
kwtipaad001.infra.com   internet address = 172.16.107.250
> _ldap._tcp.solaris.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.solaris.com  SRV service location:
  priority   = 0
  weight = 100
  port   = 389
  svr hostname   = kwtpocpbis02.solaris.com

kwtpocpbis02.solaris.com        internet address = 172.16.107.135

On Wed, Mar 18, 2015 at 12:21 PM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi

 Thanks for the reply.

 I have created a PTR record for the IPA server under the reverse lookup zone
 manually, and the IPA server is resolving from AD.

 How can I solve this issue?



 On Wed, Mar 18, 2015 at 12:15 PM, Alexander Bokovoy aboko...@redhat.com
 wrote:

 On Wed, 18 Mar 2015, Ben .T.George wrote:

 Hi

 I am getting ipa: ERROR: CIFS server communication error: code
 -1073741771,

 while doing

 [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin
 Administrator --password
 Active Directory domain administrator's password:
 ipa: ERROR: CIFS server communication error: code -1073741771,
  message NT_STATUS_OBJECT_NAME_COLLISION (both may be
 None)

 I am using CentOS 7 and IPA 4.1.2.

 NT_STATUS_OBJECT_NAME_COLLISION means AD thinks you have hosts in AD
 that belong to the solaris.com domain which 'trust-ad' operation claims
 to belong to IPA realm. AD denies operating the trust in this case.



 IPA Server

 [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
 kwtpocpbis02.solaris.com has address 172.16.107.135
 [root@kwtpocpbis02 ~]# host 172.16.107.135
 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com
 .


 AD

 [root@kwtpocpbis02 ~]# host 172.16.107.250
 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
 [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
 kwtipaad001.infra.com has address 172.16.107.250

 Debugging is enabled and this is what I am getting in error_log:

 INFO: Current debug levels:
  all: 11
  tdb: 11
  printdrivers: 11
  lanman: 11
  smb: 11
  rpc_parse: 11
  rpc_srv: 11
  rpc_cli: 11
  passdb: 11
  sam: 11
  auth: 11
  winbind: 11
  vfs: 11
  idmap: 11
  quota: 11
  acls: 11
  locking: 11
  msdfs: 11
  dmapi: 11
  registry: 11
  scavenger: 11
  dns: 11
  ldb: 11
 pm_process() returned Yes
 GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'sasl-DIGEST-MD5' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'ntlmssp' registered
 Using binding ncacn_np:kwtpocpbis02.solaris.com[,]
 Mapped to DCERPC endpoint \pipe\lsarpc
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255
 netmask=255.255.255.0
 Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 663430
SO_RCVBUF = 261942
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
 Starting GENSEC mechanism spnego
 Starting GENSEC submechanism gssapi_krb5
 Ticket in credentials cache for ad...@solaris.com will expire in 81540
 secs
 gensec_gssapi: NO credentials were delegated
 GSSAPI Connection will be cryptographically sealed
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=72, this_data=72, max_data=65535, param_offset=84,
 param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc request data:
 [] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00   
 
 [0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   
 
 [0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00   
 
 [0030] 00 00 00 00 00 00 00 02
 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0,
 data_total=80, this_data=80, max_data=4280, param_offset=84, param_pad=2,
 param_disp=0, data_offset=84, data_pad=0, data_disp=0
 rpc reply data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 00 00 00 00
 rpc request data:
 [] 00 00 00 00 0D 00 00 00   00 00 00 00 09 55 BC 34   
 .U.4
 [0010] 2E 0F 00 00 0C 00

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Did that, and the result is:

[root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b
dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
Enter LDAP Password:
ldap_bind: No such object (32)
You have new mail in /var/spool/mail/root


On Wed, Mar 18, 2015 at 12:59 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Wed, 18 Mar 2015, Ben .T.George wrote:

 No,

 this is a new hostname I chose.

 Anyway, how can I check whether there is any existing solaris.com in AD? Under DNS
 management, I cannot see anything.

 You can search with ldapsearch, something like this, from IPA master:

 ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com
 '(serviceprincipalname=*solaris.com)' dn

 --
 / Alexander Bokovoy


Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
No,

this is a new hostname I chose.

Anyway, how can I check whether there is any existing solaris.com in AD? Under DNS
management, I cannot see anything.

Regards,
Ben


On Wed, Mar 18, 2015 at 12:45 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Wed, 18 Mar 2015, Ben .T.George wrote:

 Hi

 I saw this ticket and it's 13 months old:

 https://fedorahosted.org/freeipa/ticket/4202

 Is this fixed? I think the mentioned patch is for 3.3.

 This is fixed.

 Do you have any host in .solaris.com that is joined your AD in
 infra.com?


 --
 / Alexander Bokovoy


Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
OK, thanks. Now the output is something different:

[root@kwtpocpbis02 ~]# ldapsearch -h 172.16.107.250 -D
administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*
solaris.com)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=infra,dc=com> with scope subtree
# filter: (serviceprincipalname=*solaris.com)
# requesting: dn
#

# search reference
ref: ldap://ForestDnsZones.infra.com/DC=ForestDnsZones,DC=infra,DC=com

# search reference
ref: ldap://DomainDnsZones.infra.com/DC=DomainDnsZones,DC=infra,DC=com

# search reference
ref: ldap://infra.com/CN=Configuration,DC=infra,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
You have new mail in /var/spool/mail/root


But there is no solaris.com in this output.



On Wed, Mar 18, 2015 at 1:38 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Wed, 18 Mar 2015, Ben .T.George wrote:

 Did that, and the result is:

 [root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b
 dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
 Enter LDAP Password:
 ldap_bind: No such object (32)
 You have new mail in /var/spool/mail/root

 Ah, sorry, you need to add -h option to specify LDAP server host (your
 AD DC).




 On Wed, Mar 18, 2015 at 12:59 PM, Alexander Bokovoy aboko...@redhat.com
 wrote:

  On Wed, 18 Mar 2015, Ben .T.George wrote:

  No,

 this is a new hostname I chose.

 Anyway, how can I check whether there is any existing solaris.com in AD? Under DNS
 management, I cannot see anything.

  You can search with ldapsearch, something like this, from IPA master:

 ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com
 '(serviceprincipalname=*solaris.com)' dn

 --
 / Alexander Bokovoy


 --
 / Alexander Bokovoy

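Reading the ldapsearch output above correctly matters for the collision diagnosis: the three `ref:` lines are search references (referrals to the forest's other naming contexts), not matching objects, and `numResponses` counts every entry, every reference and the final search result, so 4 - 3 - 1 = 0 entries matched the `(serviceprincipalname=*solaris.com)` filter. The parser below is an added example (not code from the thread, from FreeIPA or from OpenLDAP): it separates entries from references, does that arithmetic, and lists the DNs whose `servicePrincipalName` values end in the suffix being checked. `SAMPLE_NO_MATCH` is the output posted above; `SAMPLE_WITH_MATCH` is a constructed result showing what an AD computer object carrying a `solaris.com` SPN would look like (the host name and DN are placeholders). It assumes, as Alexander advised, that the search was run with `-h` against the AD domain controller.

```python
"""Interpret ldapsearch LDIF output: entries vs. search references, and SPN suffix hits.

Added example. SAMPLE_NO_MATCH is the output posted in the thread; SAMPLE_WITH_MATCH
is constructed to show a positive result (placeholder host name and DN).
"""
import re

SAMPLE_NO_MATCH = """\
# extended LDIF
#
# LDAPv3
# base <dc=infra,dc=com> with scope subtree
# filter: (serviceprincipalname=*solaris.com)
# requesting: dn
#

# search reference
ref: ldap://ForestDnsZones.infra.com/DC=ForestDnsZones,DC=infra,DC=com

# search reference
ref: ldap://DomainDnsZones.infra.com/DC=DomainDnsZones,DC=infra,DC=com

# search reference
ref: ldap://infra.com/CN=Configuration,DC=infra,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
"""

# CONSTRUCTED: what a colliding computer object would look like (not from the thread).
SAMPLE_WITH_MATCH = """\
# filter: (serviceprincipalname=*solaris.com)
# requesting: dn servicePrincipalName
#

# EXAMPLEHOST, Computers, infra.com
dn: CN=EXAMPLEHOST,CN=Computers,DC=infra,DC=com
servicePrincipalName: HOST/examplehost.solaris.com
servicePrincipalName: HOST/EXAMPLEHOST

# search reference
ref: ldap://infra.com/CN=Configuration,DC=infra,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1
"""


def parse_ldapsearch(text):
    """Split ldapsearch output into entries (dn + attributes), search references,
    the result code and the trailing '# numX' counters."""
    entries, referrals, counters = [], [], {}
    result_code, current, last_attr = None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # a blank line closes an entry block
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):          # ldapsearch comments, including the counters
            m = re.match(r"#\s*(numResponses|numEntries|numReferences):\s*(\d+)", line)
            if m:
                counters[m.group(1)] = int(m.group(2))
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current["attrs"][last_attr][-1] += line[1:]   # LDIF line folding
            continue
        if line.startswith("ref: "):      # search reference: a referral, not a match
            referrals.append(line[5:])
            continue
        if line.startswith("result: "):
            result_code = int(line.split()[1])
            continue
        if line.startswith("search: "):
            continue
        if line.startswith("dn: "):
            current = {"dn": line[4:], "attrs": {}}
            continue
        if current is not None and ": " in line:
            name, value = line.split(": ", 1)
            current["attrs"].setdefault(name, []).append(value)
            last_attr = name
    if current is not None:
        entries.append(current)
    return {"entries": entries, "referrals": referrals,
            "result": result_code, "counters": counters}


def inferred_entry_count(parsed):
    """ldapsearch prints numEntries only when it is non-zero; otherwise derive it:
    numResponses counts entries + references + the one search-result message."""
    c = parsed["counters"]
    if "numEntries" in c:
        return c["numEntries"]
    return c["numResponses"] - c.get("numReferences", 0) - 1


def spn_collisions(parsed, dns_suffix):
    """DNs of entries with at least one servicePrincipalName ending in dns_suffix."""
    suffix = dns_suffix.lower()
    return [e["dn"] for e in parsed["entries"]
            if any(v.lower().endswith(suffix) for v in e["attrs"].get("servicePrincipalName", []))]


if __name__ == "__main__":
    for label, sample in (("posted output", SAMPLE_NO_MATCH), ("constructed hit", SAMPLE_WITH_MATCH)):
        p = parse_ldapsearch(sample)
        print(label, "entries:", inferred_entry_count(p), "collisions:", spn_collisions(p, ".solaris.com"))
```

A zero count here only rules out SPNs under the default naming context that the bound account is allowed to read; objects the account cannot see, or names that differ only in case or trailing dot, are the usual reasons a "clean" search and a still-failing `ipa trust-add` disagree, so the same check is worth repeating with a more privileged bind before escalating.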

[Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi List

I was following this link:
http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
to set up the IPA server.

My IPA version is 4.1.2.

Every step in this tutorial passed without any error.

Even *Allow access for users from AD domain to protected resources*
went successfully.
My current issue is that only one user, called ben, is able to log in to the IPA
server. Please check below:

[root@kwtpocpbis01 ~]# getent passwd b...@infra.com
b...@infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
[root@kwtpocpbis01 ~]# getent passwd bo...@infra.com
[root@kwtpocpbis01 ~]# getent passwd administra...@infra.com
[root@kwtpocpbis01 ~]#

The users ben & bobby are in the same group (Domain Users), but bobby is not
able to log in to IPA, and I am not getting any information while querying.
Please help me to fix this issue. I don't know where I need to troubleshoot
this issue.

Thanks & Regards,
Ben

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi

I have enabled debug.

Here is my sssd.conf:

[root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
[domain/solaris.local]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.local
chpass_provider = ipa
ipa_server = kwtpocpbis01.solaris.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = solaris.local
debug_level = 6
[nss]
homedir_substring = /home
debug_level = 6

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


LOGS:

sssd.log:

(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging
solaris.local
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo
replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh
replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service
solaris.local replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac
replied to ping


error_log:

[root@kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
[Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: ***
PROCESS START ***
[Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG:
session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG:
session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG: Mounting
ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
[Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG:
session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG: Mounting
ipaserver.rpcserver.login_password() at '/session/login_password'
[Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG:
session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: ***
PROCESS START ***
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol:  Unknown
protocol 'tlsv1.2' not supported

secure:
[root@kwtpocpbis01 log]# tail -f secure
Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by
user root
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from
10.18.2.130 port 64141 ssh2
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by
user root
Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session
closed for user root
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bo...@infra.com from
10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid
user bo...@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass;
user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user
bo...@infra.com from 10.18.2.130 port 64470 ssh2

Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.18.2.130  user=b...@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=10.18.2.130 user=b...@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for
b...@infra.com from 10.18.2.130 port 64782 ssh2
Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session
opened for user b...@infra.com by (uid=0)



On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
  Hi List,
 
  I was following this link:
  http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
  to set up the IPA server.
 
  My IPA version is 4.1.2.
 
  Every step in this tutorial passed without any error;
 
  even *Allow access for users from AD domain to protected resources*
  went successfully.
  My current issue is that only one user, called ben, is able to log in to
  the IPA server. Please check below:
 
  [root@kwtpocpbis01 ~]# getent passwd b...@infra.com
  b...@infra.com
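The /var/log/secure excerpt above already separates the two failure modes, and that separation is worth automating. sshd logs "Invalid user X" when its getpwnam() call fails, i.e. when NSS (sssd here) cannot resolve the account at all, which is the same condition as the empty getent passwd output; no password is checked in that case. For ben, pam_unix fails (expected, he is not in /etc/passwd) and pam_sss then succeeds. The script below is an added example, not part of the thread or of any FreeIPA tooling: it reads sshd lines and tells you, per user, whether to chase identity lookup or authentication. The sample lines are constructed from the excerpt, with the masked user names written out as bobby@infra.com and ben@infra.com.

```sh
# Added example (not from the thread): triage sshd/PAM lines from
# /var/log/secure. Reads log lines on stdin, prints "<category> <user>"
# for every line that says something about identity or authentication.
triage_sshd() {
  awk '
    # "Invalid user X": sshd getpwnam(X) failed, so NSS/sssd never resolved
    # the account and no credential was checked. Same as empty "getent passwd X".
    /sshd\[[0-9]+\]: Invalid user / {
      for (i = 1; i <= NF; i++) if ($i == "user") { print "unresolved", $(i + 1); break }
      next
    }
    # pam_sss accepted the credentials: the user both resolved and authenticated.
    /pam_sss\(sshd:auth\): authentication success/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^user=/) { sub(/^user=/, "", $i); print "auth-success", $i; break }
      next
    }
    # sshd opened the session, whichever PAM module said yes.
    /sshd\[[0-9]+\]: Accepted [^ ]+ for / {
      for (i = 1; i <= NF; i++) if ($i == "for") { print "accepted", $(i + 1); break }
      next
    }
    # pam_unix failing for an IPA/AD user is normal (not in /etc/passwd);
    # record it only when the line names the user, and let a later pam_sss
    # success for the same user override it in the verdict.
    /pam_unix\(sshd:auth\): authentication failure/ && / user=/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^user=/) { sub(/^user=/, "", $i); print "pam_unix-failure", $i; break }
      next
    }
  '
}

# usage: verdict_for <user> < logfile
# "unresolved" wins (fix identity lookup first), then any success, else failure.
verdict_for() {
  triage_sshd | awk -v u="$1" '
    $2 == u { seen[$1] = 1 }
    END {
      if (seen["unresolved"])                               print "identity-lookup-failed"
      else if (seen["accepted"] || seen["auth-success"])    print "login-ok"
      else if (seen["pam_unix-failure"])                    print "auth-failed"
      else                                                  print "no-records"
    }'
}

# Constructed sample modelled on the secure log in the thread (names written out).
SAMPLE_SECURE='Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bobby@infra.com from 10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid user bobby@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user bobby@infra.com from 10.18.2.130 port 64470 ssh2
Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130  user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=ben@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for ben@infra.com from 10.18.2.130 port 64782 ssh2'

printf '%s\n' "$SAMPLE_SECURE" | verdict_for bobby@infra.com   # identity-lookup-failed
printf '%s\n' "$SAMPLE_SECURE" | verdict_for ben@infra.com     # login-ok
# On a real host:  verdict_for bobby@infra.com < /var/log/secure
```

An "identity-lookup-failed" verdict means the next step is on the sssd side (getent passwd, sssd_<domain>.log), not in Kerberos or PAM; an "auth-failed" verdict for a user that does resolve points the other way.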

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi all,

How can I fix this issue? I even tried to add the AD trust again; that too
failed.

Where do I need to start troubleshooting?

On Tue, Mar 17, 2015 at 3:02 PM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi

 I did kinit:

 [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
 kinit: Keytab contains no suitable keys for
 host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial
 credentials


 I destroyed and re-created, but still the same.



 On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote:
  Here are the separated logs:
 
  tail -f sssd_solaris.local.log

 Thank you, see inline:

  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv]
  (0x0400): Child responded: 14 [Decrypt integrity check failed], expired
 on
  [0]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_kinit_done]
  (0x0100): Could not get TGT: 14 [Bad address]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [sdap_cli_kinit_done]
  (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [fo_set_port_status]
  (0x0100): Marking port 0 of server 'kwtpocpbis01.solaris.local' as 'not
  working'
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [fo_set_port_status]
  (0x0400): Marking port 0 of duplicate server
 'kwtpocpbis01.solaris.local'
  as 'not working'
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [sdap_handle_release]
  (0x2000): Trace: sh[0x7f6b7d2c3140], connected[1], ops[(nil)],
  ldap[0x7f6b7d265a00], destructor_lock[0], release_memory[0]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
  [remove_connection_callback] (0x4000): Successfully removed connection
  callback.
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
  [check_online_callback] (0x0100): Backend returned: (3, 0, NULL)
  [Internal Error (Success)]

 So it seems the keytab is wrong, you can also test the keytab validity
 with kinit -k..




Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi,

I have changed it like this:

[root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf
[domain/solaris.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.local
chpass_provider = ipa
ipa_server = kwtpocpbis01.solaris.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 5
domains = solaris.local
[nss]
homedir_substring = /home
debug_level = 6

[pam]
debug_level = 10
[sudo]
debug_level = 5
[autofs]
debug_level = 5
[ssh]
debug_level = 5
[pac]
debug_level = 5
[ifp]


But sssd.log looks the same.

(Tue Mar 17 14:23:13 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging
solaris.local
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service sudo
replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service ssh
replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service
solaris.local replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service pac
replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service nss
replied to ping

On Tue, Mar 17, 2015 at 1:27 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Tue, Mar 17, 2015 at 12:57:27PM +0300, Ben .T.George wrote:
  Hi,
 
  I have enabled debug.
 
  Here is my sssd.conf:
 
  [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
  [domain/solaris.local]
 
  cache_credentials = True
  krb5_store_password_if_offline = True
  ipa_domain = solaris.local
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  ipa_hostname = kwtpocpbis01.solaris.local
  chpass_provider = ipa
  ipa_server = kwtpocpbis01.solaris.local
  ipa_server_mode = True
  ldap_tls_cacert = /etc/ipa/ca.crt

 Please also add debug_level to this section, not just [sssd] and [nss]


  [sssd]
  services = nss, sudo, pam, ssh
  config_file_version = 2
 
  domains = solaris.local
  debug_level = 6
  [nss]
  homedir_substring = /home
  debug_level = 6
 
  [pam]
 
  [sudo]
 
  [autofs]
 
  [ssh]
 
  [pac]
 
  [ifp]


Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [get_server_status]
(0x1000): Status of server 'kwtpocpbis01.solaris.local' is 'name not
resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [get_server_status]
(0x1000): Status of server 'kwtpocpbis01.solaris.local' is 'name not
resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [resolv_is_address]
(0x4000): [kwtpocpbis01.solaris.local] does not look like an IP address
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[resolv_gethostbyname_step] (0x2000): Querying files
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of
'kwtpocpbis01.solaris.local' in files
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[set_server_common_status] (0x0100): Marking server
'kwtpocpbis01.solaris.local' as 'resolving name'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[set_server_common_status] (0x0100): Marking server
'kwtpocpbis01.solaris.local' as 'name resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[be_resolve_server_process] (0x0200): Found address for server
kwtpocpbis01.solaris.local: [172.16.107.244] TTL 7200
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sss_ldap_init_send]
(0x4000): Using file descriptor [22] for LDAP connection.
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://kwtpocpbis01.solaris.local:389/??base] with fd [22].
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_rootdse_send] (0x4000): Getting rootdse
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_print_server]
(0x2000): Searching 172.16.107.244
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [ad_online_cb]
(0x0400): The AD provider is online
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[sdap_id_op_connect_step] (0x4000): waiting for connection to complete
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]]
[delayed_online_authentication_callback] (0x0200): Backend is online,
starting delayed online authentication.


On Tue, Mar 17, 2015 at 2:23 PM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi,

 I have changed it like this:

 [root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf
 [domain/solaris.local]
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = solaris.local
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = kwtpocpbis01.solaris.local
 chpass_provider = ipa
 ipa_server = kwtpocpbis01.solaris.local
 ipa_server_mode = True
 ldap_tls_cacert = /etc/ipa/ca.crt
 debug_level = 10
 [sssd]
 services = nss, sudo, pam, ssh
 config_file_version = 2
 debug_level = 5
 domains = solaris.local
 [nss]
 homedir_substring = /home
 debug_level = 6

 [pam

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi

I did kinit:

[root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
kinit: Keytab contains no suitable keys for
host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial
credentials


I destroyed and re-created, but still the same.



On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek jhro...@redhat.com wrote:

 On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote:
  Here are the separated logs:
 
  tail -f sssd_solaris.local.log

 Thank you, see inline:

  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv]
  (0x0400): Child responded: 14 [Decrypt integrity check failed], expired
 on
  [0]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_kinit_done]
  (0x0100): Could not get TGT: 14 [Bad address]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [sdap_cli_kinit_done]
  (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status]
  (0x0100): Marking port 0 of server 'kwtpocpbis01.solaris.local' as 'not
  working'
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status]
  (0x0400): Marking port 0 of duplicate server 'kwtpocpbis01.solaris.local'
  as 'not working'
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
 [sdap_handle_release]
  (0x2000): Trace: sh[0x7f6b7d2c3140], connected[1], ops[(nil)],
  ldap[0x7f6b7d265a00], destructor_lock[0], release_memory[0]
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
  [remove_connection_callback] (0x4000): Successfully removed connection
  callback.
  (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]]
  [check_online_callback] (0x0100): Backend returned: (3, 0, NULL)
  [Internal Error (Success)]

 So it seems the keytab is wrong, you can also test the keytab validity
 with kinit -k..


Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
: LSA_POLICY_CREATE_PRIVILEGE
   0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
   0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
   0: LSA_POLICY_AUDIT_LOG_ADMIN
   0: LSA_POLICY_SERVER_ADMIN
   0: LSA_POLICY_LOOKUP_NAMES
   0: LSA_POLICY_NOTIFICATION
rpc request data:
[] 00 00 02 00 01 00 00 00   00 00 00 00 01 00 00 00    
[0010] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00    
[0020] 00 00 00 00 00 00 00 00   04 00 02 00 00 00 00 00    
[0030] 00 00 00 00 00 00 00 02
s4_tevent: Schedule immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Added timed event dcerpc_timeout_handler: 0x7f5a64093810
s4_tevent: Run immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Schedule immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Run immediate event dcerpc_io_trigger: 0x7f5a642b3a00
rpc fault: WERR_ACCESS_DENIED
s4_tevent: Destroying timer event 0x7f5a64093810 dcerpc_timeout_handler
s4_tevent: Schedule immediate event tevent_req_trigger: 0x7f5a64093560
s4_tevent: Run immediate event tevent_req_trigger: 0x7f5a64093560
[Wed Mar 18 08:10:19.541586 2015] [:error] [pid 15176] ipa: DEBUG: WSGI
wsgi_execute PublicError: Traceback (most recent call last):
[Wed Mar 18 08:10:19.541617 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 349, in
wsgi_execute
[Wed Mar 18 08:10:19.541624 2015] [:error] [pid 15176] result =
self.Command[name](*args, **options)
[Wed Mar 18 08:10:19.541627 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__
[Wed Mar 18 08:10:19.541631 2015] [:error] [pid 15176] ret =
self.run(*args, **options)
[Wed Mar 18 08:10:19.541634 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipalib/frontend.py, line 754, in run
[Wed Mar 18 08:10:19.541637 2015] [:error] [pid 15176] return
self.execute(*args, **options)
[Wed Mar 18 08:10:19.541640 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 472, in
execute
[Wed Mar 18 08:10:19.541643 2015] [:error] [pid 15176] full_join =
self.validate_options(*keys, **options)
[Wed Mar 18 08:10:19.541646 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line 582, in
validate_options
[Wed Mar 18 08:10:19.541650 2015] [:error] [pid 15176]
self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Wed Mar 18 08:10:19.541656 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py, line 1127, in
__init__
[Wed Mar 18 08:10:19.541660 2015] [:error] [pid 15176]
self.__populate_local_domain()
[Wed Mar 18 08:10:19.541663 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py, line 1136, in
__populate_local_domain
[Wed Mar 18 08:10:19.541666 2015] [:error] [pid 15176]
ld.retrieve(installutils.get_fqdn())
[Wed Mar 18 08:10:19.541669 2015] [:error] [pid 15176]   File
/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py, line 826, in
retrieve
[Wed Mar 18 08:10:19.541672 2015] [:error] [pid 15176] raise
assess_dcerpc_exception(num=num, message=message)
[Wed Mar 18 08:10:19.541675 2015] [:error] [pid 15176] ACIError:
Insufficient access: Gettext('CIFS server denied your credentials',
domain='ipa', localedir=None)
[Wed Mar 18 08:10:19.541678 2015] [:error] [pid 15176]
[Wed Mar 18 08:10:19.541970 2015] [:error] [pid 15176] ipa: INFO:
[jsonserver_session] admin@SOLARIS.LOCAL: trust_add(u'infra.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
all=False, raw=False, version=u'2.113'): ACIError
[Wed Mar 18 08:10:19.542594 2015] [:error] [pid 15176] ipa: DEBUG: reading
ccache data from file /var/run/ipa_memcached/krbcc_15176
[Wed Mar 18 08:10:19.542847 2015] [:error] [pid 15176] ipa: DEBUG: store
session: session_id=15b334c24b28c1e228c1e843efb0bf86
start_timestamp=2015-03-18T08:06:18 access_timestamp=2015-03-18T08:10:19
expiration_timestamp=2015-03-18T08:30:17
[Wed Mar 18 08:10:19.545479 2015] [:error] [pid 15176] ipa: DEBUG:
Destroyed connection context.ldap2



On Tue, Mar 17, 2015 at 9:30 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Tue, 17 Mar 2015, Ben .T.George wrote:

 Hi

 I did kinit:

 [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
 kinit: Keytab contains no suitable keys for
 host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial
 credentials


 I destroyed and re-created, but still the same.

 What did you destroy?


kdestroy was the command I was talking about.



 Why did you need to touch /etc/dirsrv/ds.keytab at all? It contains key
 for ldap/kwtpocpbis01.solaris.local@SOLARIS.LOCAL that your LDAP server
 is using. It has nothing to do with your host/... principal.


 If your sssd cannot authenticate against AD DC, it means trust is *not*
 working and anything else

Re: [Freeipa-users] solaris 10 ad authentication happening with only one user

2015-03-16 Thread Ben .T.George
Hi,

The user Ben is from AD; how can I assign a shell to that user?

Regards,
Ben

On Sun, Mar 15, 2015 at 7:14 PM, Gianluca Cecchi gianluca.cec...@gmail.com
wrote:


 On 15 Mar 2015 at 11:04, Ben .T.George bentech4...@gmail.com wrote:

 
  Here is the getent passwd:
 
  skipped
  nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
  b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
  auth:x:64348:64348:auth auth:/home/auth:/bin/sh
  shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
  jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
  admin:x:64340:64340:Administrator:/home/admin:/bin/bash
 
  User ben is from AD and I am able to su to that user. I have tried with
  other users and it's not happening.

  AD authentication is working at some level, but it is restricted to only
  one user.
 
  b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
  auth:x:64348:64348:auth auth:/home/auth:/bin/sh
  shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
  jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
  admin:x:64340:64340:Administrator:/home/admin:/bin/bash
 
  Other than user ben, all other users are local IPA users.
 
  How can I troubleshoot this issue?
 
 To be able to log in, the user needs to have a shell, which is the last field
 of the passwd line and in your case is empty for Ben.

 Gianluca


[Freeipa-users] solaris to free IPA user issue

2015-03-15 Thread Ben .T.George
Hi,

I am using FreeIPA 4.1.2 on CentOS 7.

From the root user, I am able to switch to an IPA user: su ben

But from any other user, if I try that, it asks for a password, and even if
I give the correct password it is not accepted. This is what I am getting:

bash-3.2$ su jude
Password:
su: Sorry

and in the log:

Mar 15 11:21:05 kwtpocpbis02.solaris.local su: [ID 810491 auth.crit] 'su
jude' failed for root on /dev/pts/1


Please help me fix this issue.

Regards,
Ben

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-12 Thread Ben .T.George
Hi,

I tried both methods and still it's not creating the home directories.

regards,
Ben

On Wed, Mar 11, 2015 at 11:35 PM, sipazzo sipa...@yahoo.com wrote:

 This is how we use the automounter to automatically create home directories
 for IPA users under /export/home/ and mount them under /home/ on Solaris
 10, as well as copy over the profile files and assign the appropriate owner
 and group:

 We first created a service account called auth in IPA, with no password
 expiration, to allow LDAP lookups.

 On the clients, create a mkhomedir script in /usr/local/adm (or wherever
 you like):
 #!/bin/ksh -p
 # Executable autofs map for /home: the automounter runs this with the map
 # key (the login name) as $1 and expects the location to mount on stdout.

 HOMEDIRPATH=/home

 PHYSICALDIRPATH=/export/home

 phdir=$PHYSICALDIRPATH/$1

 # Home directory already exists: just hand it back to the automounter
 if [ -d "$phdir" ]; then
 echo "localhost:$phdir"
 exit 0
 fi

 mkdir -p "$phdir"

 #Perform ldap lookup to get the primary group of the logged in user
 #(note: the -w bind password is readable by anyone who can read this
 #script or list processes while it runs)
 GID=`ldapsearch -h idmserver.example.com -D uid=auth,cn=users,cn=accounts,dc=example,dc=com -w 'authpassword' -b cn=users,cn=accounts,dc=example,dc=com "(uid=$1)" gidNumber | grep -i '^gidnumber:' | cut -d ' ' -f2`

 #Copy profile files
 cp /etc/skel/.bash_profile "$phdir/.bash_profile"
 cp /etc/skel/.bashrc "$phdir/.bashrc"
 cp /etc/skel/.profile "$phdir/.profile"
 cp /etc/skel/.vimrc "$phdir/.vimrc"

 #Change the owner and group to logged in user (fall back to the user's
 #login group if the lookup returned nothing)
 if [ -n "$GID" ]; then
 chown -R "$1:$GID" "$phdir"
 else
 chown -R "$1" "$phdir"
 fi

 echo "localhost:$phdir"

 ##END

 You need to change permissions on the mkhomedir script to 755


 Log in to the client directly as root so you can move home directories around
 (edit /etc/ssh/sshd_config if needed to allow this).

 Ensure no one else is logged in
 Ensure nothing else is mounted in /export/home
 Copy home directories to /export/home
 rsync -av /home/ /export/home/

 Add this line to the /etc/auto_master file so the mkhomedir script runs
 at login
 /home   /usr/local/adm/mkhomedir

 Remove original /home/ directories
 rm -rf /home/*

 Restart autofs so the change takes effect
 svcadm restart autofs

 Make sure you change your sshd_config back if you don't wish to allow root
 ssh access.
  --
 *From:* freeipa-users-boun...@redhat.com [mailto:
 freeipa-users-boun...@redhat.com] *On Behalf Of *Ben .T.George
 *Sent:* Wednesday, March 11, 2015 11:22 AM
 *To:* dpal
 *Cc:* freeipa-users
 *Subject:* Re: [Freeipa-users] how can i create home directories
 automatically on solaris while IPA user login

 From the BZ:

 While we value your interest in IPA Solaris support, the implementation
 of the DUA profile is not on our nearest schedule at the moment. We lack
 both knowledge and resources to focus on integration with Solaris. This is
 where we need a help (ideally patches) and contribution from the community
 to help us push these features in.

 I checked your example DUAConfigProfile and I think it cannot be just added 
 to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you 
 would need to expand installers and ipa-replica-manage to handle these lists 
 and update them when replica is added or updated to prevent it being 
 outdated. printers or aliases serviceSearchDescriptor refers to objects not 
 being available and so on. It is not as straightforward as it seems.



 What I think that we can work on is to work together on

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

 ... and add all the steps needed to make IPA work on Solaris 10. I could for 
 example prepare an updated page and you could review it. Would that work for 
 you?



 This is what I followed until now, but it's not authenticating with AD; IPA users can
 log in on the Solaris box.






 On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal d...@redhat.com wrote:
 On 03/11/2015 01:56 PM, Ben .T.George wrote:

 Hi

 Yeah, I saw that mail thread and he claims that he achieved it somehow, but
 it's not clear.

 And the steps mentioned are too technical for me. :) As I am very new to
 IPA it's a bit confusing.

 Later that thread was also closed without a proper explanation.

 I think you guys can contact him to change the existing wiki :) as there are
 many Solaris related documents which are pretty old.

 Anyway, still waiting for a reply.


 Have you found the BZ? They are very detailed.
 https://bugzilla.redhat.com/show_bug.cgi?id=815515
 The DUA profile is attached to the bug.




 Regards,
 Ben

 On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:
 On 03/11/2015 01:18 PM, Ben .T.George wrote:

 Hi

 Thanks for the reply.

 Even I tried a native auto_master file with a directory checking script. If I
 feed the user manually to the script, the directory is created, but when a
 login request comes, it isn't.

 I don't think anyone has done full Solaris integration until now, as I asked
 many questions related to that.

 Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for IPA join.


 I really do not know Solaris that well. There are some threads from this
 and last week about

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-12 Thread Ben .T.George
Hi Siggi,

Thanks for the detailed information.

How can I apply this DUA profile? Can you please give me the steps to apply
this?

My current stage is that I am able to log in to the Solaris 10 box with an AD
user; the only thing is from the command line, without "-" in su.

Regards,
Ben

On Thu, Mar 12, 2015 at 4:00 PM, Sigbjorn Lie sigbj...@nixtra.com wrote:

 Hi,

 Yes the DUA profile needs manually editing and updating as IPA servers are
 added or removed. Ideally this would be managed by ipa-replica-manage,
 however as I was advised in the BZ, Red Hat does not have the knowledge or
 resources to focus on integration with Solaris, which is understandable. :)

 The DUA profile I’ve uploaded to the BZ is a copy (with server names
 edited) of the DUA profile I’ve used at several environments when
 configuring Solaris 10 to work with IPA, so unless there are typos I
 haven’t discovered, it would work ok. :)

 As for the auto mount, Linux uses “.” between auto and the map name, such
 as auto.master, auto.home, etc. And Solaris uses “_” between the auto and
 the map name, such as auto_master, auto_home.

 This can be worked around in the DUA profile by adding a
 serviceSearchDescriptor for each auto mounter map, such as
 “serviceSearchDescriptor:
 auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=ix,dc=test,dc=com”.

 What I found as the best middle ground here was to keep the master name
 auto.master and have a serviceSearchDescriptor in the DUA profile for
 auto.master, and have the remaining maps in IPA with “_” as the separator.
 This works the best as Linux will look for auto.master by default, and be
 happy with the other maps being referred to with “_” as separator. Solaris
 seems to require that all the maps use “_” as separator, unless
 serviceSearchDescriptor entries are added for each map.

 I hope this was what you were looking for?


 Regards,
 Siggi




 On 11 Mar 2015, at 19:39, Dmitri Pal d...@redhat.com wrote:

  Hello,

 Is there any chance you can help this guy on the FreeIPA list?

 Thanks
 Dmitri


  Original Message 
  Subject: Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
  Date: Wed, 11 Mar 2015 21:22:02 +0300
  From: Ben .T.George bentech4...@gmail.com
  Reply-To: bentech4...@gmail.com
  To: dpal d...@redhat.com
  CC: freeipa-users freeipa-users@redhat.com


 From the BZ:

  While we value your interest in IPA Solaris support, the implementation
 of the DUA profile is not on our nearest schedule at the moment. We lack
 both knowledge and resources to focus on integration with Solaris. This is
 where we need a help (ideally patches) and contribution from the community
 to help us push these features in.

 I checked your example DUAConfigProfile and I think it cannot be just added 
 to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you 
 would need to expand installers and ipa-replica-manage to handle these lists 
 and update them when replica is added or updated to prevent it being 
 outdated. printers or aliases serviceSearchDescriptor refers to objects not 
 being available and so on. It is not as straightforward as it seems.

 What I think that we can work on is to work together on
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
 ... and add all the steps needed to make IPA work on Solaris 10. I could for
 example prepare an updated page and you could review it. Would that work for
 you?

  This is what I followed until now. But it's not authenticating with AD; IPA
 users can login on the solaris box.


 On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:56 PM, Ben .T.George wrote:

 HI

  Yeah, I saw that mail thread and he claims that he achieved it somehow,
 but it's not clear.

  And the steps mentioned are too technical for me. :) As I am very new
 to IPA it's a bit confusing.

  Later that thread was also closed without a proper explanation.

  I think you guys can contact him to change the existing wiki :) as there
 are many solaris related documents which are pretty old.

  Anyway, still waiting for a reply.


 Have you found the BZ? They are very detailed.
 https://bugzilla.redhat.com/show_bug.cgi?id=815515
 The DUA profile is attached to the bug.



  Regards,
 Ben

 On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:18 PM, Ben .T.George wrote:

 HI

  Thanks for the reply.

  I even tried the native auto_master file with a directory checking script.
 If I feed the user manually to the script, the directory is created, but
 when the login request comes, it isn't.

  I don't think anyone did a full solaris integration until now, as I asked
 many questions related to that.

  Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for the IPA join.

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
HI

Thanks for the reply.

I even tried the native auto_master file with a directory checking script. If I
feed the user manually to the script, the directory is created, but when the
login request comes, it isn't.

I don't think anyone did a full solaris integration until now, as I asked many
questions related to that.

Now I am a little bit confident up to this level, and if everything is
working fine, I will try to create an automated script for the IPA join.

Regards,
Ben



On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 09:50 AM, Ben .T.George wrote:

 HI

  I was able to reach the level where an IPA user can login on the
 solaris box,

  but how can I create home directories automatically on solaris when an IPA
 user logs in?

  Even when I change the shell in the IPA web interface, that takes effect. I
 saw some option in the IPA 3.3 web interface like automount, and that is not in
 IPA 4.1.2


 All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with a Solaris knowledge will help you with the rest.


  please anyone tell me where it is and how can i achieve this

  regards,
 Ben




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
Hi Natxo,

I think your solution will work in my case. Seems like both OSes are the same,
using opensolaris.

Anyway, let me try this and I will let you know the status.

Thanks & regards,
Ben

On Wed, Mar 11, 2015 at 10:51 PM, Natxo Asenjo natxo.ase...@gmail.com
wrote:

 On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

 Ben .T.George wrote:
  HI
 
  Thanks for the reply.
  
  I even tried the native auto_master file with a directory checking script. If
  I feed the user manually to the script, the directory is created, but
  when the login request comes, it isn't.
  
  I don't think anyone did a full solaris integration until now, as I asked
  many questions related to that.
  
  Now I am a little bit confident up to this level, and if everything is
  working fine, I will try to create an automated script for the IPA join.

 automount is not a technology that automatically creates directories, it
 just automatically mounts them on demand.

 I'm not aware of a way to automatically create directories on new-user
 logins in Solaris.


 I have not used 'official' solaris but using omnios (open solaris
 derivative) I have used this with their automounter:

 http://omnios.omniti.com/wiki.php/GeneralAdministration#Addinglocalusers

 Quite nifty. It should work with solaris as well (well, maybe with a
 little work).

 --
 regards,
 natxo


Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
from BZ

While we value your interest in IPA Solaris support, the implementation of
the DUA profile is not on our nearest schedule at the moment. We lack both
knowledge and resources to focus on integration with Solaris. This is where
we need help (ideally patches) and contribution from the community to
help us push these features in.

I checked your example DUAConfigProfile and I think it cannot be just
added to FreeIPA right away. E.g. for defaultServerList or
preferredServerList, you would need to expand installers and
ipa-replica-manage to handle these lists and update them when replica
is added or updated to prevent it being outdated. printers or aliases
serviceSearchDescriptor refers to objects not being available and so
on. It is not as straightforward as it seems.

What I think that we can work on is to work together on
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
... and add all the steps needed to make IPA work on Solaris 10. I
could for example prepare an updated page and you could review it.
Would that work for you?


This is what I followed until now. But it's not authenticating with AD; IPA
users can login on the solaris box.




On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:56 PM, Ben .T.George wrote:

 HI

  Yeah, I saw that mail thread and he claims that he achieved it somehow, but
 it's not clear.

  And the steps mentioned are too technical for me. :) As I am very new to
 IPA it's a bit confusing.

  Later that thread was also closed without a proper explanation.

  I think you guys can contact him to change the existing wiki :) as there are
 many solaris related documents which are pretty old.

  Anyway, still waiting for a reply.


 Have you found the BZ? They are very detailed.
 https://bugzilla.redhat.com/show_bug.cgi?id=815515
 The DUA profile is attached to the bug.



  Regards,
 Ben

 On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:18 PM, Ben .T.George wrote:

 HI

  Thanks for the reply.

  I even tried the native auto_master file with a directory checking script. If
 I feed the user manually to the script, the directory is created, but when the
 login request comes, it isn't.

  I don't think anyone did a full solaris integration until now, as I asked
 many questions related to that.

  Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for the IPA join.


  I really do not know Solaris that well. There are some threads from this
 and last week about Solaris. You can find them in the mail archive for
 March.
 There are pointers to wikis and bugzillas in those threads. The bugzilla
 bugs have some extended info on how to configure Solaris clients. They were
 pretty detailed. May be they have the automount info you are looking for.



  Regards,
 Ben



 On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 09:50 AM, Ben .T.George wrote:

 HI

  I was able to reach the level where an IPA user can login on the
 solaris box,

  but how can I create home directories automatically on solaris when an
 IPA user logs in?

  Even when I change the shell in the IPA web interface, that takes effect.
 I saw some option in the IPA 3.3 web interface like automount, and that is not
 in IPA 4.1.2


  All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with a Solaris knowledge will help you with the rest.


  please anyone tell me where it is and how can i achieve this

  regards,
 Ben




  --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
HI

Yeah, I saw that mail thread and he claims that he achieved it somehow, but
it's not clear.

And the steps mentioned are too technical for me. :) As I am very new to
IPA it's a bit confusing.

Later that thread was also closed without a proper explanation.

I think you guys can contact him to change the existing wiki :) as there are
many solaris related documents which are pretty old.

Anyway, still waiting for a reply.

Regards,
Ben

On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 01:18 PM, Ben .T.George wrote:

 HI

  Thanks for the reply.

  I even tried the native auto_master file with a directory checking script. If
 I feed the user manually to the script, the directory is created, but when the
 login request comes, it isn't.

  I don't think anyone did a full solaris integration until now, as I asked
 many questions related to that.

  Now I am a little bit confident up to this level, and if everything is
 working fine, I will try to create an automated script for the IPA join.


 I really do not know Solaris that well. There are some threads from this
 and last week about Solaris. You can find them in the mail archive for
 March.
 There are pointers to wikis and bugzillas in those threads. The bugzilla
 bugs have some extended info on how to configure Solaris clients. They were
 pretty detailed. May be they have the automount info you are looking for.



  Regards,
 Ben



 On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal d...@redhat.com wrote:

  On 03/11/2015 09:50 AM, Ben .T.George wrote:

 HI

  I was able to reach the level where an IPA user can login on the
 solaris box,

  but how can I create home directories automatically on solaris when an
 IPA user logs in?

  Even when I change the shell in the IPA web interface, that takes effect.
 I saw some option in the IPA 3.3 web interface like automount, and that is not
 in IPA 4.1.2


  All the options are still there. The menus got re-arranged a bit.
 Hopefully someone with a Solaris knowledge will help you with the rest.


  please anyone tell me where it is and how can i achieve this

  regards,
 Ben




  --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



[Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Ben .T.George
HI

I was able to reach the level where an IPA user can login on the solaris
box,

but how can I create home directories automatically on solaris when an IPA
user logs in?

Even when I change the shell in the IPA web interface, that takes effect. I
saw some option in the IPA 3.3 web interface like automount, and that is not in
IPA 4.1.2

Please, anyone tell me where it is and how I can achieve this.

regards,
Ben

Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-09 Thread Ben .T.George
HI thanks

Sure, this is the only place I can ask questions :)

But I don't know from where I am getting that basic authentication window,
like .htaccess based. I think only when I tried from Chrome I got this window.



On Mon, Mar 9, 2015 at 2:21 PM, Martin Kosek mko...@redhat.com wrote:

 Ok, thanks for the information. I would still love to know the real root
 cause, but
 we will not find it now I assume.

 If this issue re-appears, let us know :-)

 Thanks,
 Martin

 On 03/09/2015 09:10 AM, Ben .T.George wrote:
  Hi Martin,
 
  Thanks for your reply.
 
  Yesterday I did a lot to fix this issue.
 
  The issue has been solved by kdestroy and re-initiating the ticket.
 
  After that I restarted the ipa service, and it worked.
 
  Regards,
  ben
 
  On Mon, Mar 9, 2015 at 10:57 AM, Martin Kosek mko...@redhat.com wrote:
 
  Thanks for all the data. So it looks like your browser properly forward
 the
  session cookie, but it is not recognized on the server even though it
 was
  stored before.
 
  Especially these lines are strange:
 
  [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store
  session: session_id=4803e184cecb42f2e326391dbb09443d
  start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29
  expiration_timestamp=2015-03-08T13:36:29
  ...
  [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found
  session cookie_id = 4803e184cecb42f2e326391dbb09443d
  [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no
  session data in cache with id=4803e184cecb42f2e326391dbb09443d,
 generating
  empty session data
 
  We know that ipa_memcached is running. Can you please also check if there
  are no SELinux errors in /var/log/audit/audit.log preventing Apache from
  looking up the session data?
 
  Thanks,
  Martin
 
  On 03/08/2015 11:44 AM, Ben .T.George wrote:
  i was inspecting the page and got below response.
 
  http://s21.postimg.org/itv5hf0h3/asdasd.jpg
 
  http://s3.postimg.org/f6knomt1f/Capture.jpg
 
  please anyone help me to solve this issue. i just want to create one
  local
  user in IPA
 
  On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George bentech4...@gmail.com
  wrote:
 
  I enabled debugging mode on default.conf and this is what i am getting
  on
  error_log
 
  [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065]
 [client
  172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported
  mechanism was requested (, Unknown error), referer:
  https://kwtpocpbis01.solaris.local/ipa/ui/
  [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG:
 WSGI
  wsgi_dispatch.__call__:
  [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
  login_password.__call__:
  [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG:
  Obtaining armor ccache:
  principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL
  keytab=/etc/httpd/conf/ipa.keytab
  ccache=/var/run/ipa_memcached/krbcc_A_admin
  [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG:
  Starting
  external process
  [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab'
  'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
  [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG:
  Process
  finished, return code=0
  [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG:
  stdout=
  [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG:
  stderr=
  [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG:
  Starting
  external process
  [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T'
  '/var/run/ipa_memcached/krbcc_A_admin'
  [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG:
  Process
  finished, return code=0
  [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG:
  stdout=Password for admin@SOLARIS.LOCAL:
  [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
  [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG:
  stderr=
  [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG:
 kinit:
  principal=admin@SOLARIS.LOCAL returncode=0, stderr=
  [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG:
  Cleanup
  the armor ccache
  [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG:
  Starting
  external process
  [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kdestroy' '-A' '-c'
  '/var/run/ipa_memcached/krbcc_A_admin'
  [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG:
  Process
  finished, return code=0
  [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG:
  stdout=
  [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG:
  stderr=
  [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG:
 found
  session cookie_id = 4803e184cecb42f2e326391dbb09443d
  [Sun Mar 08 13:16:29.908647 2015] [:error

Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-09 Thread Ben .T.George
Hi Martin,

Thanks for your reply.

Yesterday I did a lot to fix this issue.

The issue has been solved by kdestroy and re-initiating the ticket.

After that I restarted the ipa service, and it worked.

Regards,
ben

On Mon, Mar 9, 2015 at 10:57 AM, Martin Kosek mko...@redhat.com wrote:

 Thanks for all the data. So it looks like your browser properly forward the
 session cookie, but it is not recognized on the server even though it was
 stored before.

 Especially these lines are strange:

 [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store
 session: session_id=4803e184cecb42f2e326391dbb09443d
 start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29
 expiration_timestamp=2015-03-08T13:36:29
 ...
 [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found
 session cookie_id = 4803e184cecb42f2e326391dbb09443d
 [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no
 session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating
 empty session data

 We know that ipa_memcached is running. Can you please also check if there
 are no SELinux errors in /var/log/audit/audit.log preventing Apache from
 looking up the session data?

 Thanks,
 Martin

 On 03/08/2015 11:44 AM, Ben .T.George wrote:
  i was inspecting the page and got below response.
 
  http://s21.postimg.org/itv5hf0h3/asdasd.jpg
 
  http://s3.postimg.org/f6knomt1f/Capture.jpg
 
  please anyone help me to solve this issue. i just want to create one
 local
  user in IPA
 
  On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George bentech4...@gmail.com
 wrote:
 
  I enabled debugging mode on default.conf and this is what i am getting
 on
  error_log
 
  [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client
  172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported
  mechanism was requested (, Unknown error), referer:
  https://kwtpocpbis01.solaris.local/ipa/ui/
  [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
  wsgi_dispatch.__call__:
  [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
  login_password.__call__:
  [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG:
  Obtaining armor ccache:
  principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL
  keytab=/etc/httpd/conf/ipa.keytab
  ccache=/var/run/ipa_memcached/krbcc_A_admin
  [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG:
 Starting
  external process
  [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab'
  'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
  [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG:
 Process
  finished, return code=0
  [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG:
 stdout=
  [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG:
 stderr=
  [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG:
 Starting
  external process
  [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T'
  '/var/run/ipa_memcached/krbcc_A_admin'
  [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG:
 Process
  finished, return code=0
  [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG:
  stdout=Password for admin@SOLARIS.LOCAL:
  [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
  [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG:
 stderr=
  [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit:
  principal=admin@SOLARIS.LOCAL returncode=0, stderr=
  [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG:
 Cleanup
  the armor ccache
  [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG:
 Starting
  external process
  [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG:
  args='/usr/bin/kdestroy' '-A' '-c'
 '/var/run/ipa_memcached/krbcc_A_admin'
  [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG:
 Process
  finished, return code=0
  [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG:
 stdout=
  [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG:
 stderr=
  [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found
  session cookie_id = 4803e184cecb42f2e326391dbb09443d
  [Sun Mar 08 13:16:29.908647 2015] [:error] [pid 3004] ipa: DEBUG: found
  session data in cache with id=4803e184cecb42f2e326391dbb09443d
  [Sun Mar 08 13:16:29.908728 2015] [:error] [pid 3004] ipa: DEBUG:
  finalize_kerberos_acquisition: login_password
  ccache_name=FILE:/var/run/ipa_memcached/krbcc_3004
  session_id=4803e184cecb42f2e326391dbb09443d
  [Sun Mar 08 13:16:29.908824 2015] [:error] [pid 3004] ipa: DEBUG:
 reading
  ccache data from file /var/run/ipa_memcached/krbcc_3004
  [Sun Mar 08 13:16:29.909319 2015] [:error] [pid 3004] ipa: DEBUG:
  get_credential_times: principal=krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL
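Martin's reading of the log above (a session stored by worker pid 3004 and then reported missing by worker pid 3003 a few milliseconds later) can be checked mechanically. This is an added example, not code from the thread or from FreeIPA: it re-joins log records that the mail client wrapped onto several lines, extracts the store/miss events, and flags a cache miss that follows a store of the same session_id from a different pid. The sample records are constructed from the lines quoted in this thread.

```python
"""Correlate FreeIPA session store/lookup debug records across httpd worker pids.

Added example (not FreeIPA code). A "no session data in cache" record that
follows a "store session" record for the same session_id, issued by a
different worker pid, means the workers do not see a shared session cache
(ipa_memcached unreachable, socket permissions, SELinux denial) rather than a
genuinely expired session.
"""
import re
from datetime import datetime

# Apache error_log prefix as quoted in the thread, e.g.
# "[Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: ..."
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] ipa: DEBUG: (?P<msg>.*)$'
)
STORE_RE = re.compile(r'store session: session_id=(?P<sid>[0-9a-f]+)')
MISS_RE = re.compile(r'no session data in cache with id=(?P<sid>[0-9a-f]+)')
HIT_RE = re.compile(r'found session data in cache with id=(?P<sid>[0-9a-f]+)')


def unwrap(lines):
    """Re-join records that a mail client wrapped onto several lines.

    A record starts with '['; any other non-empty line is a continuation of
    the previous record and is appended with a single space.
    """
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith('[') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line.lstrip()
    return records


def parse_ts(ts):
    # e.g. "Sun Mar 08 13:16:29.909637 2015"
    return datetime.strptime(ts, '%a %b %d %H:%M:%S.%f %Y')


def parse(lines):
    """Return session events as dicts: ts, pid, kind (store/miss/hit), sid."""
    events = []
    for rec in unwrap(lines):
        m = LINE_RE.match(rec)
        if not m:
            continue
        msg = m.group('msg')
        for kind, rx in (('store', STORE_RE), ('miss', MISS_RE), ('hit', HIT_RE)):
            s = rx.search(msg)
            if s:
                events.append({'ts': parse_ts(m.group('ts')),
                               'pid': int(m.group('pid')),
                               'kind': kind, 'sid': s.group('sid')})
                break
    return events


def find_cross_worker_misses(lines, window_s=5.0):
    """One finding per cache miss that follows a store of the same session_id
    within window_s seconds; cross_worker is True when the pids differ."""
    last_store = {}
    findings = []
    for ev in parse(lines):
        if ev['kind'] == 'store':
            last_store[ev['sid']] = ev
        elif ev['kind'] == 'miss':
            st = last_store.get(ev['sid'])
            if st is None:
                continue
            age = (ev['ts'] - st['ts']).total_seconds()
            if 0 <= age <= window_s:
                findings.append({
                    'sid': ev['sid'],
                    'store_pid': st['pid'],
                    'miss_pid': ev['pid'],
                    'seconds_after_store': round(age, 3),
                    'cross_worker': st['pid'] != ev['pid'],
                })
    return findings


# Constructed sample: the four records from the thread, still mail-wrapped.
SAMPLE_LOG = """\
[Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found
session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store
session: session_id=4803e184cecb42f2e326391dbb09443d
start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29
expiration_timestamp=2015-03-08T13:36:29
[Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found
session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no
session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating
empty session data
""".splitlines()

if __name__ == '__main__':
    for finding in find_cross_worker_misses(SAMPLE_LOG):
        print(finding)
```

Run against a real error_log with debug enabled, a non-empty result with cross_worker set is the signature to investigate before touching session timeouts.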

Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
This is the error message I am getting in httpd/error_log

[Sun Mar 08 13:02:02.965470 2015] [auth_kerb:error] [pid 2922] [client
172.16.107.250:60005] gss_accept_sec_context() failed: An unsupported
mechanism was requested (, Unknown error), referer:
https://kwtpocpbis01.solaris.local/ipa/ui/

On Sun, Mar 8, 2015 at 12:48 PM, Ben .T.George bentech4...@gmail.com
wrote:

 Hi i checked the services and below is my output

 [root@kwtpocpbis01 ipa_memcached]# ps -ef | grep  ipa_memcached
 apache2079 1  0 11:11 ?00:00:00 /usr/bin/memcached -d -s
 /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
 /var/run/ipa_memcached/ipa_memcached.pid
 root  2801  2504  0 12:48 pts/000:00:00 grep --color=auto
 ipa_memcached

 [root@kwtpocpbis01 ipa_memcached]# ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 smb Service: RUNNING
 winbind Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful


 On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George bentech4...@gmail.com
 wrote:

 HI

 i have free IPA 4.1.2 installed.

 My web UI is always giving "Your session has expired. Please re-login." even
 when I tried from a different computer and different browsers.

 How can I fix this?




Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
Hi i checked the services and below is my output

[root@kwtpocpbis01 ipa_memcached]# ps -ef | grep  ipa_memcached
apache2079 1  0 11:11 ?00:00:00 /usr/bin/memcached -d -s
/var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
/var/run/ipa_memcached/ipa_memcached.pid
root  2801  2504  0 12:48 pts/000:00:00 grep --color=auto
ipa_memcached

[root@kwtpocpbis01 ipa_memcached]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George bentech4...@gmail.com
wrote:

 HI

 i have free IPA 4.1.2 installed.

 My web UI is always giving "Your session has expired. Please re-login." even
 when I tried from a different computer and different browsers.

 How can I fix this?


Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
 access_timestamp=2015-03-08T13:16:29
expiration_timestamp=1970-01-01T03:00:00
[Sun Mar 08 13:16:29.922191 2015] [:error] [pid 3003] ipa: DEBUG: no
ccache, need login
[Sun Mar 08 13:16:29.922265 2015] [:error] [pid 3003] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login


On Sun, Mar 8, 2015 at 1:02 PM, Ben .T.George bentech4...@gmail.com wrote:

 This is the error message I am getting in httpd/error_log

 [Sun Mar 08 13:02:02.965470 2015] [auth_kerb:error] [pid 2922] [client
 172.16.107.250:60005] gss_accept_sec_context() failed: An unsupported
 mechanism was requested (, Unknown error), referer:
 https://kwtpocpbis01.solaris.local/ipa/ui/

 On Sun, Mar 8, 2015 at 12:48 PM, Ben .T.George bentech4...@gmail.com
 wrote:

 Hi i checked the services and below is my output

 [root@kwtpocpbis01 ipa_memcached]# ps -ef | grep  ipa_memcached
 apache2079 1  0 11:11 ?00:00:00 /usr/bin/memcached -d -s
 /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P
 /var/run/ipa_memcached/ipa_memcached.pid
 root  2801  2504  0 12:48 pts/000:00:00 grep --color=auto
 ipa_memcached

 [root@kwtpocpbis01 ipa_memcached]# ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 smb Service: RUNNING
 winbind Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful


 On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George bentech4...@gmail.com
 wrote:

 HI

 i have free IPA 4.1.2 installed.

 My web UI is always giving "Your session has expired. Please re-login."
 even when I tried from a different computer and different browsers.

 How can I fix this?





[Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
HI

i have free IPA 4.1.2 installed.

My web UI is always giving "Your session has expired. Please re-login." even
when I tried from a different computer and different browsers.

How can I fix this?

Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.

2015-03-08 Thread Ben .T.George
i was inspecting the page and got below response.

http://s21.postimg.org/itv5hf0h3/asdasd.jpg

http://s3.postimg.org/f6knomt1f/Capture.jpg

please anyone help me to solve this issue. i just want to create one local
user in IPA

On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George bentech4...@gmail.com wrote:

 I enabled debugging mode on default.conf and this is what i am getting on
 error_log

 [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client
 172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported
 mechanism was requested (, Unknown error), referer:
 https://kwtpocpbis01.solaris.local/ipa/ui/
 [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
 wsgi_dispatch.__call__:
 [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI
 login_password.__call__:
 [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG:
 Obtaining armor ccache:
 principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL
 keytab=/etc/httpd/conf/ipa.keytab
 ccache=/var/run/ipa_memcached/krbcc_A_admin
 [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG: Starting
 external process
 [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG:
 args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab'
 'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
 [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG: Process
 finished, return code=0
 [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
 [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
 [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG: Starting
 external process
 [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG:
 args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T'
 '/var/run/ipa_memcached/krbcc_A_admin'
 [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG: Process
 finished, return code=0
 [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG:
 stdout=Password for admin@SOLARIS.LOCAL:
 [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
 [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
 [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit:
 principal=admin@SOLARIS.LOCAL returncode=0, stderr=
 [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG: Cleanup
 the armor ccache
 [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG: Starting
 external process
 [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG:
 args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
 [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG: Process
 finished, return code=0
 [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
 [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
 [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found
 session cookie_id = 4803e184cecb42f2e326391dbb09443d
 [Sun Mar 08 13:16:29.908647 2015] [:error] [pid 3004] ipa: DEBUG: found
 session data in cache with id=4803e184cecb42f2e326391dbb09443d
 [Sun Mar 08 13:16:29.908728 2015] [:error] [pid 3004] ipa: DEBUG:
 finalize_kerberos_acquisition: login_password
 ccache_name=FILE:/var/run/ipa_memcached/krbcc_3004
 session_id=4803e184cecb42f2e326391dbb09443d
 [Sun Mar 08 13:16:29.908824 2015] [:error] [pid 3004] ipa: DEBUG: reading
 ccache data from file /var/run/ipa_memcached/krbcc_3004
 [Sun Mar 08 13:16:29.909319 2015] [:error] [pid 3004] ipa: DEBUG:
 get_credential_times: principal=krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL,
 authtime=03/08/15 13:16:29, starttime=03/08/15 13:16:29, endtime=03/09/15
 13:16:29, renew_till=01/01/70 03:00:00
 [Sun Mar 08 13:16:29.909415 2015] [:error] [pid 3004] ipa: DEBUG:
 KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_3004 endtime=1425896189
 (03/09/15 13:16:29)
 [Sun Mar 08 13:16:29.909538 2015] [:error] [pid 3004] ipa: DEBUG:
 set_session_expiration_time: duration_type=inactivity_timeout duration=1200
 max_age=1425895889 expiration=1425810989.91 (2015-03-08T13:36:29)
 [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store
 session: session_id=4803e184cecb42f2e326391dbb09443d
 start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29
 expiration_timestamp=2015-03-08T13:36:29
 [Sun Mar 08 13:16:29.910004 2015] [:error] [pid 3004] ipa: DEBUG:
 release_ipa_ccache: KRB5CCNAME environment variable not set
 [Sun Mar 08 13:16:29.921259 2015] [:error] [pid 3003] ipa: DEBUG: WSGI
 wsgi_dispatch.__call__:
 [Sun Mar 08 13:16:29.921351 2015] [:error] [pid 3003] ipa: DEBUG: WSGI
 jsonserver_session.__call__:
 [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found
 session cookie_id = 4803e184cecb42f2e326391dbb09443d
 [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no
 session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating
 empty session data
 [Sun Mar 08 13:16:29.921875 2015

[Freeipa-users] how can i configure solaris10 as freeIPA 4.1.2 client

2015-03-07 Thread Ben .T.George
Hi list,

I have a working IPA server where AD users can log in to the IPA server.

How can I configure Solaris 10 as an IPA 4.1.2 client?

I saw many tutorials in the IPA domain and got confused. Which one do I need to
follow?

Currently I am trying with the x86 version of Solaris, and later I need to try
on SPARC-based systems.

Regards,
Ben
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Trust is successful and getting error while creating groups.

2015-03-04 Thread Ben .T.George
Hi,

I have re-installed everything. My current versions are CentOS 7 with IPA
4.1.

I followed this tutorial:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

When I fetch, it goes through successfully:

[root@kwtpocpbis01 ~]# ipa trustdomain-find infra.com
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True

Number of entries returned 1


When I went through "Allow access for users from AD domain to protected
resources", I got errors:


[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
---
Added group ad_users_external
---
  Group name: ad_users_external
  Description: infra.com users external map

[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
--
Added group ad_users
--
  Group name: ad_users
  Description: infra.com users
  GID: 64345

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: infra.com users external map
  Failed members:
member user:
member group: INFRA\Domain Users: trusted domain object not found
-
Number of members added 0
-

[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: infra.com users
  GID: 64345
  Member groups: ad_users_external
-
Number of members added 1
-

Please help me to solve this issue.

The error below is logged in httpd/error_log while trying: ipa
group-add-member ad_users_external --external 'INFRA\Domain Users'

[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search
on AD DC kwtipaad001.infra.com:3268
failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Ticket
not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO:
[jsonserver_kerb] admin@SOLARIS.LOCAL:
group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRADomain
Users',), all=False, raw=False, version=u'2.113', no_members=False):
SUCCESS

Thanks & Regards,
Ben
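An added diagnostic example, not code from the thread or from FreeIPA: it scans httpd error_log lines like the one quoted in the post for failed AD DC searches and separates GSSAPI minor codes that are about time validity ("Ticket not yet valid" is Kerberos' KRB_AP_ERR_TKT_NYV, raised when a ticket's start time is ahead of the verifier's clock) from other failures, since the former point at clock synchronisation between the IPA server and the DC rather than at the trust itself. The sample log text is constructed and modelled on the quoted line; the second DC name and its "Clock skew too great" line are made up to show the generalisation.

```python
import re

# Constructed sample modelled on the httpd error_log lines quoted in the
# post above; the second WARNING line (dc2.example.test) is invented.
SAMPLE_LOG = """\
[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', all=False): SUCCESS
[Thu Mar 05 11:40:02.000001 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC dc2.example.test:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Clock skew too great)
"""

# Matches the "Search on AD DC host:port failed with: ..." warning and pulls
# out the trailing parenthesised GSSAPI minor-code text, if present.
AD_SEARCH_RE = re.compile(
    r"Search on AD DC (?P<dc>[^\s:]+):(?P<port>\d+) failed with: "
    r"(?P<detail>.*?)(?:\((?P<minor>[^)]*)\))?\s*$"
)

# Kerberos error texts whose root cause is ticket time validity, i.e. the
# clocks of the KDC, the IPA server and the DC disagree by more than the
# permitted skew. Other minor codes are reported but not classified further.
TIME_RELATED = ("Ticket not yet valid", "Clock skew too great", "Ticket expired")


def classify(minor: str) -> str:
    """Map a GSSAPI minor-code text to a coarse cause label."""
    if any(minor.startswith(t) for t in TIME_RELATED):
        return "clock-skew"
    if not minor:
        return "unknown"
    return "other-gssapi"


def parse_ad_search_failures(log_text: str) -> list:
    """Return one record per failed AD DC search found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = AD_SEARCH_RE.search(line)
        if not m:
            continue
        minor = (m.group("minor") or "").strip()
        findings.append({
            "dc": m.group("dc"),
            "port": int(m.group("port")),
            "minor": minor,
            "likely_cause": classify(minor),
        })
    return findings


if __name__ == "__main__":
    for f in parse_ad_search_failures(SAMPLE_LOG):
        print(f"{f['dc']}:{f['port']} -> {f['minor']!r} ({f['likely_cause']})")
```

A "clock-skew" finding is the cue to compare the time on the IPA server and the named DC (and confirm NTP/chrony is running on both) before looking further into the trust.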
