[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-08 Thread Supratik Goswami via FreeIPA-users
(Wed Aug 9 04:20:14 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=supratik.goswami))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=corp,dc=example,dc=com] What I could see here is that it is s

[Freeipa-users] ID view is not overriding user attributes

2017-08-08 Thread Supratik Goswami via FreeIPA-users
Hello everyone, I have a trust setup between AD and IPA, I have created a user in the "Default Trust View" and updated the ssh public keys for that user. When I am trying to login to any Linux system using the ad user it is not able to find the keys. Here is the sshd debug log. Aug 9 03:04:01

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 08, 2017 at 11:40:54AM -0400, Rob Crittenden wrote: > Michael Gusek via FreeIPA-users wrote: > > Hi Fraser, > > > > at the moment, I can't provide this logfile, I've moved that back to > > have only new log lines. But a new logfile is not created ??? In my > > old logfile I have so

[Freeipa-users] Re: mod_ldap apache

2017-08-08 Thread Per Qvindesland via FreeIPA-users
Hi Ivars, many thanks, that's just what I was looking for. Sorry about the iPad, it should be ipa but it seems I am a victim of autocorrect 🤣 Regards Per Sent from my Commodore 64 > On 8 Aug 2017, at 18:07, Ivars Strazdiņš via FreeIPA-users > wrote: > > Hi Per, > could you define “working

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Scott Stevson via FreeIPA-users
Cool. We'll work on this some more and let you know how The Gathering goes. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Thanks, Rob. > > Unfortunately my test in staging resulted in an expired dogtag cert. The > staging environment didn't have any certificates that were due to expire soon > so I updated the xmlrpc_server variable on one of the four IPA hosts we have > to

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Scott Stevson via FreeIPA-users
Thanks, Rob. Unfortunately my test in staging resulted in an expired dogtag cert. The staging environment didn't have any certificates that were due to expire soon so I updated the xmlrpc_server variable on one of the four IPA hosts we have to another one in the same AWS region and restarted c

[Freeipa-users] Re: Failed Upgrade?

2017-08-08 Thread Ian Harding via FreeIPA-users
On 8/7/17 1:44 AM, thierry bordaz wrote: On 08/07/2017 09:22 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote: On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote: On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On 08/0

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > It's the NSSDB cert. Here's some console output that might be helpful. > > PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 > Request ID '20150827000358': > status: MONITORING > ca-error: Server at > "http://s

[Freeipa-users] Re: mod_ldap apache

2017-08-08 Thread Ivars Strazdiņš via FreeIPA-users
Hi Per, could you define “working configuration” requirements and what’s iPad specific? Anyway, below is my setup with Centos Apache to authenticate against IPA via LDAP using either username (uid) or e-mail. No Kerberos or GSSAPI used, just “pure” LDAP. Please note, IPA group “shareusers” member

[Freeipa-users] Re: FIPA OTP 2FA

2017-08-08 Thread Jochen Hein via FreeIPA-users
saidireddy ranabothu via FreeIPA-users writes: > I have enabled password+OTP authentication for a user and able to sync > tokens and SSH. > > While ssh to server using FIPA credentials it's asking authentication in > two steps as First Factor and Second Factor . > > But i just want to give it in

[Freeipa-users] Re: HBAC vs Sudo

2017-08-08 Thread Justin Stephenson via FreeIPA-users
On 08/08/2017 12:02 PM, Steve Weeks via FreeIPA-users wrote: We are running FreeIPA 4.4. Even though sudo is listed as one of the services in the HBAC rule, it seems like only the Sudo rules are what really controls sudo. Sudo ignores what is in the HBAC rules. Is this expected behavior? It

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Scott Stevson via FreeIPA-users
Hey Rob, It's the NSSDB cert. Here's some console output that might be helpful. PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 Request ID '20150827000358': status: MONITORING ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubm

[Freeipa-users] HBAC vs Sudo

2017-08-08 Thread Steve Weeks via FreeIPA-users
We are running FreeIPA 4.4. Even though sudo is listed as one of the services in the HBAC rule, it seems like only the Sudo rules are what really controls sudo. Sudo ignores what is in the HBAC rules. Is this expected behavior? It doesn't really matter which way it really works, we are more concerned

[Freeipa-users] Re: Creating certificate for master domain

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski via FreeIPA-users wrote: > We have host which is registered and have http service with one domain > e.g. xyz.intra.example.com. > > But we want to add another site with domain intra.example.com, and we > need to enroll certificate for that domain, but we can't because the > hostna

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Michael Gusek via FreeIPA-users wrote: > Hi Fraser, > > at the moment, I can't provide this logfile, I've moved that back to > have only new log lines. But a new logfile is not created ??? In my > old logfile I have some lines after switch to basic auth, but before > setting time to past: > T

[Freeipa-users] reverse zone after install?

2017-08-08 Thread Kat via FreeIPA-users
Hi All, If you set up DNS but did not enable the reverse zone during the initial install, is there a way to add/enable it after the fact? I can script adding in all the PTR records, but wanted to find out how to create/enable the reverse zone once you have already installed. Thanks K

[Freeipa-users] Unable to login with AD users

2017-08-08 Thread Eddleman, David via FreeIPA-users
Hello, I have created a FreeIPA solution using Red Hat’s IDM product. FreeIPA version: 4.5.0 OS version: RHEL 7.4 I have successfully installed the server portion and can authenticate to it using local IDM users, such as the ‘admin’ user. I have created a one-way trust between the IPA realm and

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Michael Gusek via FreeIPA-users
Hi Fraser, at the moment, I can't provide this logfile, I've moved that back to have only new log lines. But a new logfile is not created ??? In my old logfile I have some lines after switch to basic auth, but before setting time to past: [07/Aug/2017:14:16:22][localhost-startStop-1]: CMSEngi

[Freeipa-users] Re: Creating certificate for master domain

2017-08-08 Thread Rafał Wądołowski via FreeIPA-users
We have a host which is registered and has an http service with one domain, e.g. xyz.intra.example.com. But we want to add another site with domain intra.example.com, and we need to enroll a certificate for that domain, but we can't because the hostname of this host is xyz.intra.example.com. Is it poss

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Pavel Vomacka via FreeIPA-users
Hello Gustavo, On 08/07/2017 04:20 PM, Gustavo Berman via FreeIPA-users wrote: Hi there, Today we upgraded to the latest IPA 4.5, log says it upgraded just fine, ipa seems to authenticate all right, but web ui fails with: Operations Error Some operations failed.

[Freeipa-users] Re: SUDO Rules not getting processed

2017-08-08 Thread Ronald Wimmer via FreeIPA-users
Are you 100% sure that you have a line like "sudoers: files sss" in your /etc/nsswitch.conf? On 7 August 2017 11:10:56 MESZ, Alka Murali via FreeIPA-users wrote: >Hello Team, > >Have checked all the logs, and the SSSD Logs are saying that it is >processing the sudo rules which I have configur

[Freeipa-users] Re: Failed Upgrade?

2017-08-08 Thread thierry bordaz via FreeIPA-users
On 08/07/2017 09:22 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote: On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote: On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On 08/03/2017 12:28 AM, Florence Blanc-Renaud wrot

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-08-08 Thread Prasun Gera via FreeIPA-users
I think this has resolved itself on its own after the update to RHEL 7.4. So that was a pleasant surprise. On Wed, Aug 2, 2017 at 8:53 AM, Prasun Gera wrote: > I think the path that is triggered first is from the following code: > > if new_cert == old_cert: > > syslog.syslog(syslog.LOG_I

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-08 Thread Kristian Petersen via FreeIPA-users
Great, thanks! On Aug 4, 2017 11:58 PM, "Alexander Bokovoy" wrote: > On pe, 04 elo 2017, Kristian Petersen via FreeIPA-users wrote: > >> Alexander, >> >> That was it! I had seen this before at a previous place of employment, >> but >> couldn't recall enough of what we'd done there to fix it. Y

[Freeipa-users] remove ipa-dns-server ?

2017-08-08 Thread Günther J. Niederwimmer via FreeIPA-users
Hello, CentOS 7.3 what is the best way to remove an installed ipa-dns-server? I can't find any helpful Docs for this, only for installing the server I found Docs. Thanks for the Help, -- with kind regards / best regards, Günther J. Niederwimmer

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/08/2017 02:31 PM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: Hi, You can follow the steps described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authenticatio

[Freeipa-users] Re: Using AWS ELB with 2 FreeIPA servers

2017-08-08 Thread Bob Rentschler via FreeIPA-users
You may be over complicating things by using a load balancer, IPA does a fairly good job of balancing things itself, for example the default SSSD config is to have this: ipa_server = _srv_, meaning it will select which host to communicate with via the DNS service records, which are automatically

[Freeipa-users] Using AWS ELB with 2 FreeIPA servers

2017-08-08 Thread ridha.zorgui--- via FreeIPA-users
I set up a FreeIPA master and replica behind an elastic load balancer in AWS cloud. FreeIPA Clients will be contacting the replica and the master server through the load balancer so the dns name used when configuring the clients is the ELB CNAME. The problem is when retrieving ldap data and duri

[Freeipa-users] FIPA OTP 2FA

2017-08-08 Thread saidireddy ranabothu via FreeIPA-users
Hello all, I have enabled password+OTP authentication for a user and am able to sync tokens and SSH. While ssh to server using FIPA credentials it's asking authentication in two steps as First Factor and Second Factor. But I just want to give it in a single line password. Can anyone suggest how t

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-08 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: > Hi, > > You can follow the steps described here: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Fraser Tweedale via FreeIPA-users
On Tue, Aug 08, 2017 at 01:52:40PM +0200, Michael Gusek via FreeIPA-users wrote: > Hello, > > we run in a problem with expired certificates: > > > getcert list (sample show only one expired certificate) > ... > Request ID '20170202144747': > status: MONITORING > stuck: no > key pair storage

[Freeipa-users] mod_ldap apache

2017-08-08 Thread Per Qvindesland via FreeIPA-users
Hi All, does anyone have any working mod_ldap configuration for Centos 7 with apache 2.4.6 with iPad to share? Regards Per

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Gustavo Berman via FreeIPA-users
Pavel, Thanks for the help, that solved the problem. Now I can access the web ui. The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4 (so we had a lot of package updates): ID | Command line | Date and time| Action(

[Freeipa-users] expired certificates - pki-tomcat not running

2017-08-08 Thread Michael Gusek via FreeIPA-users
Hello, we ran into a problem with expired certificates: > getcert list (sample shows only one expired certificate) ... Request ID '20170202144747': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-08 Thread Supratik Goswami via FreeIPA-users
Hi Jakub, After some troubleshooting, it turned out to be an issue with the permission of krb5.conf, after changing the permission it is working fine. Thanks for your help. On Mon, Aug 7, 2017 at 5:09 PM, Jakub Hrozek wrote: > > On 7 Aug 2017, at 10:42, Supratik Goswami > wrote: > > SSSD vers

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-08 Thread Pavel Vomacka via FreeIPA-users
On 08/07/2017 07:01 PM, Gustavo Berman via FreeIPA-users wrote: Hello Pavel On Mon, Aug 7, 2017 at 12:40 PM, Pavel Vomacka > wrote: Hello Gustavo, From what I can see, the issue would be PROTOCOL ERROR in whoami command. Could you please check whethe