[Freeipa-users] Re: kinit: Cannot find KDC for realm "mgmt-062-ad.internal2.example....@nternal2.example.com" while getting initial credentials

2021-05-11 Thread Sumit Bose via FreeIPA-users
On Tue, May 11, 2021 at 07:08:40PM - pxg51214 r via FreeIPA-users wrote: > Hello, > I apologize if this has been previously resolved. I am new to FreeIPA > product. Our ops team has created a keytab (please kindly see below for the > command used) > on a Windows AD server. I copied the

[Freeipa-users] kinit: Cannot find KDC for realm "mgmt-062-ad.internal2.example....@nternal2.example.com" while getting initial credentials

2021-05-11 Thread pxg51214 r via FreeIPA-users
Hello, I apologize if this has been previously resolved. I am new to FreeIPA product. Our ops team has created a keytab (please kindly see below for the command used) on a Windows AD server. I copied the keytab file, along with the KDC and root-CA certificates to a RedHat Linux added a second

[Freeipa-users] Re: ID views/override issues for AD trust

2021-05-11 Thread Sumit Bose via FreeIPA-users
On Tue, May 11, 2021 at 03:09:54PM - iulian roman via FreeIPA-users wrote: > That was a good hint! Actually it does return the gid when I run > getent group . And after I run the getent group > on the client side, I can run as well id . Hi, can you give some more details about the

[Freeipa-users] Re: Is there an owner or manager of this list?

2021-05-11 Thread Sam Morris via FreeIPA-users
See https://lists.fedorahosted.org/admin/lists/freeipa-users.lists.fedorahosted.org/ -- Sam Morris PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9 ___ FreeIPA-users mailing list --

[Freeipa-users] Re: ID views/override issues for AD trust

2021-05-11 Thread roman iulian via FreeIPA-users
Hi,  There is indeed a mapping of ad groups to IdM posix groups.  On Tuesday, May 11, 2021, 5:31 PM, John Desantis wrote: Iulian, > So, only after I run getent group on the ipa clients  I can list > the user attributes. This sounds somewhat similar to behavior I ran into initially in our

[Freeipa-users] Re: ID views/override issues for AD trust

2021-05-11 Thread John Desantis via FreeIPA-users
Iulian, > So, only after I run getent group on the ipa clients I can list > the user attributes. This sounds somewhat similar to behavior I ran into initially in our development deployment. For the users that aren't immediately able to be resolved on the clients, are they mapped to any IdM

[Freeipa-users] Is there an owner or manager of this list?

2021-05-11 Thread Steve Reed via FreeIPA-users
If so, who can I contact? Thanks. Steve ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct:

[Freeipa-users] Re: ID views/override issues for AD trust

2021-05-11 Thread iulian roman via FreeIPA-users
That was a good hint! Actually it does return the gid when I run getent group . And after I run the getent group on the client side, I can run as well id . So, only after I run getent group on the ipa clients I can list the user attributes. Any idea what needs to be changed in order to

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Owen Vincent via FreeIPA-users
> On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: > > I wonder where does it try to perform this operation -- on AD side or on > IPA side. > This was on the AD side. Our AD Admin opened the TDO in the ADSI Editor and tried to manually set the value of msDS-SupportedEncryptedTypes,

[Freeipa-users] Re: ID views/override issues for AD trust

2021-05-11 Thread Sumit Bose via FreeIPA-users
On Tue, May 11, 2021 at 02:28:49PM - iulian roman via FreeIPA-users wrote: > Hello everybody, > > I try to override some uid and gid for AD users in IdM (I added all > users for which I need to override attributes in Default Trust View) > and although everything works properly on both IdM

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: Yes, this is significant info. OK, this might explain *WHY* it happens. When shared secret is used to create the trust, we have no credentials to force the encryption types on

[Freeipa-users] ID views/override issues for AD trust

2021-05-11 Thread iulian roman via FreeIPA-users
Hello everybody, I try to override some uid and gid for AD users in IdM (I added all users for which I need to override attributes in Default Trust View) and although everything works properly on both IdM server and replica, I cannot query the users on the ipa clients. Any other users (which

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Owen Vincent via FreeIPA-users
> On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: > > Yes, this is significant info. OK, this might explain *WHY* it happens. > When shared secret is used to create the trust, we have no credentials > to force the encryption types on the TDO and we rely on the defaults in > AD to do

[Freeipa-users] Re: posix and non-posix AD users

2021-05-11 Thread iulian roman via FreeIPA-users
Thank you for the clear explanation Sumit. I thought I can avoid id-override (for some issues which I will highlight on a new thread), but I'll try to configure and see how reliable it will be in my environment.

[Freeipa-users] Re: Problem with Client Installs on Centos 7

2021-05-11 Thread Steve Reed via FreeIPA-users
So, I ran across an article on how to install the client manually on the Red Hat site. https://access.redhat.com/articles/2622831 Thank you Red Hat technical writing team. Without it we would've had to dump FreeIPA on our project. As far as I can tell, what was missing was the correct

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: The attribute should be correct. When doing ldapsearch -Y GSSAPI -h dc.ad.test -b dc=ad,dc=test '(trustPartner=ipa.test)' I see 'msDS-SupportedEncryptionTypes: 28', so for

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Owen Vincent via FreeIPA-users
> On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: > > The attribute should be correct. When doing > > ldapsearch -Y GSSAPI -h dc.ad.test -b dc=ad,dc=test > '(trustPartner=ipa.test)' > > I see 'msDS-SupportedEncryptionTypes: 28', so for me a normal > 'ipa trust-add' adds it

[Freeipa-users] Re: Problem with Client Installs on Centos 7

2021-05-11 Thread Steve Reed via FreeIPA-users
>>>What do any of the logs say? I found something interesting in the secure log. Failed password for invalid user admin(a)XYZ.COM from >>>Server address> port 50203 ssh2 I was wrong. My network guys are telling me it's the ip address of the machine I am trying to login from.

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 11 May 2021, Owen Vincent via FreeIPA-users wrote: Hi Alexander, Thank you for your response. On Mon, 10 May 2021, Owen Vincent via FreeIPA-users wrote: That checkbox is a red herring. It’s good to know that the checkbox is a red herring, but before I stop worrying about it

[Freeipa-users] Re: [SSSD-users] Re: Announcing SSSD 2.5.0

2021-05-11 Thread Pavel Březina via FreeIPA-users
On 5/10/21 8:10 PM, Joakim Tjernlund wrote: On Mon, 2021-05-10 at 16:01 +, Joakim Tjernlund wrote: On Mon, 2021-05-10 at 17:48 +0200, Pavel Březina wrote: On 5/10/21 5:12 PM, Joakim Tjernlund wrote: On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote: I decided to test new sssd/KCM

[Freeipa-users] Re: Encryption type errors with AD cross-forest trust

2021-05-11 Thread Owen Vincent via FreeIPA-users
Hi Alexander, Thank you for your response. > On Mon, 10 May 2021, Owen Vincent via FreeIPA-users wrote: > > That checkbox is a red herring. It’s good to know that the checkbox is a red herring, but before I stop worrying about it entirely, I have one clarifying question: I understood from