[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Yusuf Shamim via FreeIPA-users
> On su, 21 heinä 2019, Ben Schofield via FreeIPA-users wrote: > > The error above says that a client is not trusting CA certificate. So > the problem is on the client side, not a server one. > > Like Flo said, check whether /etc/ipa/ca.crt is readable and is > available for a client that uses it

[Freeipa-users] Re: How can I add an additional certificate for a different domain name?

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Raul Gomez via FreeIPA-users wrote: > Hello list, > > I'm facing a new issue here. My FreeIPA setup has several domains, one for > each of the different environments it provides authentication to, and listening on a > different network interface on the same servers for each environment > (something li

[Freeipa-users] How can I add an additional certificate for a different domain name?

2019-07-22 Thread Raul Gomez via FreeIPA-users
Hello list, I'm facing a new issue here. My FreeIPA setup has several domains, one for each of the different environments it provides authentication to, and listening on a different network interface on the same servers for each environment (something like 192.168.0.0/24 for production, 192.168.2.0/24

[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Yusuf Shamim via FreeIPA-users
> Ben Schofield via FreeIPA-users wrote: > > I think the certificate error might be a red herring. The other requests > look like they are working fine. You could double-check this by trying > again on a quiet system to confirm that no errors are thrown. > > I looked at the client side you had pr

[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Yusuf Shamim via FreeIPA-users
> On 7/22/19 12:22 AM, Ben Schofield via FreeIPA-users wrote: > Hi, > I would check the permissions of the file /etc/ipa/ca.crt on the client > (the host where you run ipa user-find). 0644 is expected. If SElinux is > enabled, it should have unconfined_u:object_r:etc_t:s0. > Does this file contai
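The client-side file check suggested in the reply above (readable, mode 0644, SELinux type etc_t, and actually a PEM bundle), written out as an added example that is not code from the thread or from FreeIPA itself. It assumes a Linux client with GNU or BusyBox stat; the SELinux and openssl steps only run when those tools are present.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the IPA client CA bundle
# along the lines of the reply above. Default path is the real one; the checks
# below are exercised here against a constructed file.

# check_ca_cert_file [FILE]
# Exit 0 if FILE (default /etc/ipa/ca.crt) is usable as the IPA client CA bundle,
# non-zero otherwise, with the reason on stderr.
check_ca_cert_file() {
    f="${1:-/etc/ipa/ca.crt}"

    if [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file" >&2
        return 1
    fi

    # 0644 is what the reply expects: tighter breaks unprivileged ipa(1) clients,
    # looser lets other local users swap the trust anchor.
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=""
    if [ "$mode" != "644" ]; then
        echo "FAIL: $f has mode '${mode:-unknown}', expected 644" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "FAIL: $f is not readable by $(id -un)" >&2
        return 1
    fi

    # The bundle must contain at least one complete PEM certificate block.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "FAIL: $f has $begins BEGIN and $ends END markers, not a well-formed PEM bundle" >&2
        return 1
    fi

    # Ownership and SELinux label are reported, not enforced, so the check also
    # works on a scratch box; on an enrolled client expect root:root and etc_t.
    owner=$(stat -c '%U:%G' "$f" 2>/dev/null || echo unknown)
    [ "$owner" = "root:root" ] || echo "WARN: $f is owned by $owner, expected root:root" >&2
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        ctx=$(stat -c '%C' "$f" 2>/dev/null || echo unknown)
        case "$ctx" in
            *:etc_t:*) ;;
            *) echo "WARN: $f has SELinux context '$ctx', expected type etc_t" >&2 ;;
        esac
    fi

    # With openssl available, make sure the first certificate actually parses; a
    # truncated or re-encoded file passes the marker test but fails here.
    if command -v openssl >/dev/null 2>&1; then
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || {
            echo "FAIL: openssl cannot parse the first certificate in $f" >&2
            return 1
        }
        echo "OK: $f mode $mode, $begins certificate(s), first $subject"
    else
        echo "OK: $f mode $mode, $begins certificate(s)"
    fi
    return 0
}

# Run directly on a client: sh check_ca.sh --run [FILE]
if [ "${1:-}" = "--run" ]; then
    check_ca_cert_file "${2:-/etc/ipa/ca.crt}"
fi
```

Run it as the same unprivileged user that runs `ipa user-find`, since a root shell will not reproduce a permissions problem; the SELinux context and ownership are only warned about because both are legitimately different on a test machine, while a missing, unreadable or non-PEM file is a hard failure.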

[Freeipa-users] Re: Random [Preauthentication failed] error in krb5

2019-07-22 Thread Raul Gomez via FreeIPA-users
Hello! I've checked firewall, ports and routes but it looked fine, BUT by checking this I've found A LOT of packet loss in the network interfaces and after looking further I decided to move my server VMs to another virtualization cluster. After moving them and forcing a DB reinitialization, ev

[Freeipa-users] 2FA alternatives

2019-07-22 Thread Andrew Meyer via FreeIPA-users
I think I have emailed about this recently before but is there a way other than using RADIUS to use a 3rd party 2FA provider (Duo, Authy or RSA) with the current version of FreeIPA?  I know that you could easily add it using 4.0 and 4.1 ( I could be wrong on the version).  If not is that suppo

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Excellent thank you! On Monday, July 22, 2019, 12:01:53 PM CDT, François Cami wrote: On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users wrote: > > [andrew.meyer@freeipa01 ~]$ id james.kirk > id: james.kirk: no such user > [andrew.meyer@freeipa01 ~]$ id william.riker > id: w

[Freeipa-users] Re: OPENSTACK INSTEANCE AUTO REGISTER ON IPA SERVER DOMAIN

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Christophe TREFOIS via FreeIPA-users wrote: > In my view, you should put the ipa-client-install parts in the user-data > script and perhaps use the community templates of foreman as a starting > point. > > https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/user_d

[Freeipa-users] Re: Ad integration

2019-07-22 Thread François Cami via FreeIPA-users
On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users wrote: > > [andrew.meyer@freeipa01 ~]$ id james.kirk > id: james.kirk: no such user > [andrew.meyer@freeipa01 ~]$ id william.riker > id: william.riker: no such user > [andrew.meyer@freeipa01 ~]$ Try "id user@DOMAIN" like this: id jame

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@freeipa01 ~]$ id james.kirk
id: james.kirk: no such user
[andrew.meyer@freeipa01 ~]$ id william.riker
id: william.riker: no such user
[andrew.meyer@freeipa01 ~]$
Unless I need to use ipa users-find command. On Monday, July 22, 2019, 11:47:12 AM CDT, Alexander Bokovoy wrote:

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 22 heinä 2019, Andrew Meyer via FreeIPA-users wrote: Once this is done I should be able to do id user.name and get the Active Directory user correct? Resolving users is unrelated to mapping groups. You should be able to resolve users already. -- / Alexander Bokovoy Sr. Principal Softwa

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Once this is done I should be able to do id user.name and get the Active Directory user correct? On Monday, July 22, 2019, 11:03:10 AM CDT, Alexander Bokovoy wrote: On ma, 22 heinä 2019, Andrew Meyer wrote: > Getting this:

[Freeipa-users] Re: OPENSTACK INSTEANCE AUTO REGISTER ON IPA SERVER DOMAIN

2019-07-22 Thread Christophe TREFOIS via FreeIPA-users
In my view, you should put the ipa-client-install parts in the user-data script and perhaps use the community templates of foreman as a starting point. https://github.com/theforeman/community-templates/blob/develop/provisioning_templates/user_data/kickstart_default_user_data.erb
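The approach suggested above, carried through as an added example that is neither code from the thread nor from the Foreman templates linked: a user-data script that enrolls the OpenStack instance at first boot. It assumes the operator pre-created the host entry with a one-time password (`ipa host-add <fqdn> --random`) and hands it to the instance as IPA_OTP (for example via `openstack server create --user-data`), that the domain, realm and server names are placeholders, and that the instance's hostname is already its FQDN (override with IPA_HOSTNAME otherwise). No admin password is embedded in the instance.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman: enroll an OpenStack
# instance into IPA from user-data. Assumed inputs are placeholders; the OTP comes
# from "ipa host-add <fqdn> --random" run by the operator beforehand.

IPA_DOMAIN="${IPA_DOMAIN:-example.test}"
IPA_REALM="${IPA_REALM:-EXAMPLE.TEST}"
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"
IPA_OTP="${IPA_OTP:-}"

# build_enroll_args HOSTNAME DOMAIN REALM SERVER OTP
# Prints the ipa-client-install arguments, one per line. Returns 1 when any input
# is empty and 2 when HOSTNAME is not a fully qualified name under DOMAIN: IPA can
# only keep a DNS record for a name inside a zone it serves, so a bare short name
# would enroll but never get the A record the question is after.
build_enroll_args() {
    host=$1 domain=$2 realm=$3 server=$4 otp=$5
    for v in "$host" "$domain" "$realm" "$server" "$otp"; do
        [ -n "$v" ] || return 1
    done
    case "$host" in
        *."$domain") ;;
        *) return 2 ;;
    esac
    # --password is the host OTP (cleared once the host has its keytab), not an
    # admin credential. --enable-dns-updates lets sssd register the instance's
    # own A/AAAA record, which is the step the original question is about.
    printf '%s\n' \
        --unattended \
        "--hostname=$host" \
        "--domain=$domain" \
        "--realm=$realm" \
        "--server=$server" \
        "--password=$otp" \
        --enable-dns-updates \
        --ssh-trust-dns \
        --mkhomedir
}

# enroll_instance: run as root by cloud-init; safe to re-run after a reboot
# because an enrolled client already has /etc/ipa/default.conf.
enroll_instance() {
    if [ -f /etc/ipa/default.conf ]; then
        echo "already enrolled, nothing to do"
        return 0
    fi
    host="${IPA_HOSTNAME:-$(hostname -f 2>/dev/null || hostname)}"
    args=$(build_enroll_args "$host" "$IPA_DOMAIN" "$IPA_REALM" "$IPA_SERVER" "$IPA_OTP") || {
        echo "refusing to enroll: missing input or '$host' is not a FQDN under $IPA_DOMAIN" >&2
        return 1
    }
    echo "enrolling $host into $IPA_REALM via $IPA_SERVER"
    # Split on newlines only, so an OTP containing spaces or shell metacharacters
    # reaches ipa-client-install intact.
    set -f
    IFS='
'
    set -- $args
    unset IFS
    set +f
    ipa-client-install "$@"
}

if [ "${1:-}" = "--enroll" ]; then
    enroll_instance
fi
```

The host entry and OTP are created on the IPA side before the instance boots, so the only secret in user-data is a password that stops working the moment enrollment succeeds; if the instance never comes up, delete the host entry and the OTP dies with it.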

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 22 heinä 2019, Andrew Meyer wrote: Getting this: [andrew.meyer@freeipa01 ~]$ sudo ipa trust-find --- 1 trust matche

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
So the name is MEYERAD but you typed MEYER-AD. Remove the dash from your earlier command and it should work. John > On 22 Jul 2019, at 17:48, Andrew Meyer via FreeIPA-users > wrote: > > Getting this: > > [andrew.meyer@freeipa01 ~]$ sudo ipa trust-find > --- > 1 trust matched >

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Getting this:
[andrew.meyer@freeipa01 ~]$ sudo ipa trust-find
---
1 trust matched
---
  Realm name: ad.meyer.local
  Domain NetBIOS name: MEYERAD
  Domain Security Identifier: S-1-5-21-1219070868-1303614073-2179474410
  Trust type: Active Directory domain
--

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi Rob, > > On 7/19/19 7:25 PM, Rob Crittenden wrote: >> >> The log doesn't seem to say which cert isn't found. You could try again >> and see what is being logged to find out what cert can't be found, and >> potentially why. >> > > This might be interesti

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 22 heinä 2019, Rolf Linder via FreeIPA-users wrote: Thanks very much for this information! we have configured our client (putty) configuration with these options: connection => SSH => auth => GSSAPI: attempt GSSAPI auth: enabled attempt GSSAPI key exchange: enabled allow GSSAPI credenti

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
What does the AD Trust list in IPA show for the AD domain you should be using? The same one? Or a different notation? John > On 22 Jul 2019, at 17:13, Andrew Meyer via FreeIPA-users > wrote: > > Hello, > I am working on setting up FreeIPA with AD integration and seem to be running > into an

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 22 heinä 2019, Andrew Meyer via FreeIPA-users wrote: Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong. I am

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Rolf Linder via FreeIPA-users
Thanks very much for this information! we have configured our client (putty) configuration with these options: connection => SSH => auth => GSSAPI: attempt GSSAPI auth: enabled attempt GSSAPI key exchange: enabled allow GSSAPI credential delegation: enabled this is our setup we used in the past

[Freeipa-users] Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong. I am setting it up to talk to MS Windows Server 2012r2. Following directions on https://www.freeipa.org/page/Active_Directory_trust_setup I have

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 22 heinä 2019, Rolf Linder via FreeIPA-users wrote: hi We've tested various scenarios all ending in more or less the same output: if using Kerberos-Auth to access a remote NFS share it is only working if you access the server using password authentication (that is providing the password an

[Freeipa-users] Re: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)

2019-07-22 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 7/19/19 7:25 PM, Rob Crittenden wrote: The log doesn't seem to say which cert isn't found. You could try again and see what is being logged to find out what cert can't be found, and potentially why. This might be interesting. An ipactl restart gave me this in /var/log/messages: J

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Rolf Linder via FreeIPA-users
...okay, to provide some login output here, may it help... (Kerberos SSO login from windows machine to linux server - not functional in terms of NFS share access; note permission denied share is mounted, access is denied) Using username "USPLAB\rlinder". Last login: Mon Jul 22 16:23:10 201

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 16:25, Rob Crittenden wrote: [...] An assumption here since your workflow isn't completely clear but do you actually have a ticket on the Linux machine after sshing in from Windows? Sure seems like you don't. The affected users do not have any Kerberos ticket on the target machine.

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Rolf Linder via FreeIPA-users
hi We've tested various scenarios all ending in more or less the same output: if using Kerberos-Auth to access a remote NFS share it is only working if you access the server using password authentication (that is providing the password and then having Kerberos tickets). Our tested scenarios wer

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer wrote: > On 22.07.19 16:18, Rob Crittenden wrote: >> Rolf Linder via FreeIPA-users wrote: >>> Hi all >>> >>> We've seen the same issue at our site too. >>> Kerberos SSO logins do not work for (remote) NFS access anymore. We >>> can access the share when using password login (or after

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 16:18, Rob Crittenden wrote: Rolf Linder via FreeIPA-users wrote: Hi all We've seen the same issue at our site too. Kerberos SSO logins do not work for (remote) NFS access anymore. We can access the share when using password login (or after SSO login by using kinit). Any hints wou

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Rolf Linder via FreeIPA-users wrote: > Hi all > > We've seen the same issue at our site too. > Kerberos SSO logins do not work for (remote) NFS access anymore. We can > access the share when using password login (or after SSO login by using > kinit). Any hints would be greatly appreciated... Yo

[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Rob Crittenden via FreeIPA-users
Ben Schofield via FreeIPA-users wrote: > Yep, all services are running. This is from the Apache error log, right after > login and trying to load the Users page: > > [Mon Jul 22 10:12:35.083278 2019] [:error] [pid 14474] ipa: DEBUG: WSGI > wsgi_dispatch.__call__: > [Mon Jul 22 10:12:35.083381 20

[Freeipa-users] OPENSTACK INSTEANCE AUTO REGISTER ON IPA SERVER DOMAIN

2019-07-22 Thread NAZAN CENGIZ via FreeIPA-users
Hi, We have a RedHat Openstack (Queens) lab and IPA Server. We are installing the IPA Client on an Openstack instance, and then the instance is added to DNS on the IPA server as below. openstack server create --image image1 --flavor onap_worker_flavor --key-name onapkeypair --network onapnet1 --security-group onaps

[Freeipa-users] Re: Seeking URLs/docs/tips on handling UPN change in a complex already-trusted AD topology

2019-07-22 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 22, 2019 at 07:26:19AM -0400, Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > Environment:   AWS-based FreeIPA cluster with its own unique realm/domain > that is bound to the AD domain of the real COMPANY.COM and a fairly complex > forest > > We have a functional FreeIPA sy

[Freeipa-users] Seeking URLs/docs/tips on handling UPN change in a complex already-trusted AD topology

2019-07-22 Thread Chris Dagdigian via FreeIPA-users
Hi folks, Environment:   AWS-based FreeIPA cluster with its own unique realm/domain that is bound to the AD domain of the real COMPANY.COM and a fairly complex forest We have a functional FreeIPA system at the moment where AD users from COMPANY.COM can login - via  @CHILD-DOMAIN.COMPANY.C

[Freeipa-users] FreeIPA & Puppet

2019-07-22 Thread Christian Reiss via FreeIPA-users
Hey folks, I read it's possible to attach Puppet CA to the FreeIPA CA. The only howtos out there were pretty dated; they either state super old Puppetserver components (puppet server, which was abolished in like 3.x), CentOS5 or even FreeIPA's inability to run more than one CA. For the lack of any

[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Alexander Bokovoy via FreeIPA-users
On su, 21 heinä 2019, Ben Schofield via FreeIPA-users wrote: Yep, all services are running. This is from the Apache error log, right after login and trying to load the Users page: [Mon Jul 22 10:12:36.022673 2019] [:error] [pid 14475] ipa: DEBUG: Destroyed connection context.ldap2_140655759869

[Freeipa-users] Re: Cannot connect to the server, please check API accesibility (certificate, API, proxy, etc.)

2019-07-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/22/19 12:22 AM, Ben Schofield via FreeIPA-users wrote: Yep, all services are running. This is from the Apache error log, right after login and trying to load the Users page: [Mon Jul 22 10:12:35.083278 2019] [:error] [pid 14474] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Mon Jul 22 10:12:3