[Freeipa-users] Re: Kerberos appears to be broken on a FreeIPA server on CentOS 7.8

2021-02-15 Thread Robbie Harwood via FreeIPA-users
Vinícius Ferrão writes: > [10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 > nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: > Unspecified GSS failure. Minor code may provide more information (Cannot > create replay cache file /var/tmp/ldap_389:

[Freeipa-users] Re: IPA Kerberos Trust problem with Windows Update kb4586830

2020-11-17 Thread Robbie Harwood via FreeIPA-users
Alexander Bokovoy writes: > Details for CVE-2020-17049 are still not public so we can only guess > what is the problem. It also means MIT Kerberos cannot be fixed unless > we'll get to know what is the real problem. > > Robbie, was this raised with the upstream beyond our recent discussion > on #

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-10 Thread Robbie Harwood via FreeIPA-users
Faraz Younus writes: > Yes /tmp is writable for everyone. > > drwxrwxrwt. root root 4.0K tmp > > [root@ipa5 centos]# kinit admin > > Password for ad...@fixedandmobile.com: > > > The output for /etc/krb5.keytab > > > [root@ipa5 centos]# klist -kt /etc/krb5.keytab > > Keytab name: FILE:/etc/krb5.ke

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-09 Thread Robbie Harwood via FreeIPA-users
Faraz Younus writes: > Robbie Harwood wrote: >> Faraz Younus writes: >> >>> Hello , >>> >>> I'm getting failed when updating new certificate whether it is external & >>> Letsencrypt. Previously I was installing successfully letsencrypt >>> certificate 15 days ago. >>> >>> I'm following below git

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-09 Thread Robbie Harwood via FreeIPA-users
Faraz Younus via FreeIPA-users writes: > Hello , > > I'm getting failed when updating new certificate whether it is external & > Letsencrypt. Previously I was installing successfully letsencrypt > certificate 15 days ago. > > I'm following below github repo to setup freeipa. > > https://github.co

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-09 Thread Robbie Harwood via FreeIPA-users
Todd Grayson via FreeIPA-users writes: > Thanks Rob, Thanks Angus, > > I am aware of how to point the client to the specific IPA server, what > I'm struggling more with is freeIPA in an environment where it's not > using DNS for domain and realm resolution for kerberos, which does > work today.

[Freeipa-users] Re: Traffic from client to server through management's interface

2020-02-17 Thread Robbie Harwood via FreeIPA-users
Daniel PC via FreeIPA-users writes: > I would like to know what do you think about using the management > network (eth1) to enable the flow from clients to IPA servers? My > company is concerned about using the production network interface > (eth0) and is considering doing everything on the secon

[Freeipa-users] Re: Help in understanding multiple KVNO versions in keytab file

2020-02-14 Thread Robbie Harwood via FreeIPA-users
Kevin Vasko via FreeIPA-users writes: > Hello, > > I’m trying to understand when/how the different KVNO versions in a > file should or shouldn’t work. We have a Dell EMC Unity box that’s > giving us fits on what it will accept for a keytab file with different > KVNO versions. I’m not sure if I’

[Freeipa-users] Re: Kerberos troubles

2020-02-07 Thread Robbie Harwood via FreeIPA-users
Nicholas DeMarco via FreeIPA-users writes: > Here is better detail: > > We're having issue with kerberos and ipa client. > > While running ipa-client-install, when prompted for user who is authorized > to enroll we enter admin and his password but get "Preauthentication > failed". At no point in

[Freeipa-users] Re: files to omit from backup

2020-02-03 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick via FreeIPA-users writes: > We currently do rsync backups of our server. On an MIT server, you’d > want to omit the stash file. But IPA doesn’t use that. Is there > anything like that that should be omitted? I’m not sure just how > freeipa bootstraps trust when it starts up. In I

[Freeipa-users] Re: "FreeIPA" server ipa-dnskeysyncd.service failed

2020-01-27 Thread Robbie Harwood via FreeIPA-users
Navi Aujla via FreeIPA-users writes: > Admin, Please delete this post to remove the sensitive information 1. This is email; you can't delete messages that have already been said. 2. There's no sensitive information in your post, unless you consider hostnames sensitive. If so, I encourage you t

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Thanks. These are very similar to what was provided in the beginning. Here > is exactly what you asked: > > # KRB5_TRACE=/dev/stderr kinit admin > [1567] 1579125111.129826: Getting initial credentials for admin@REALM > [1567] 1579125111.129828: Sending un

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-15 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Thanks for the explanation. Here they are; > > # kinit admin > kinit: Pre-authentication failed: Invalid argument while getting initial > credentials Show with KRB5_TRACE output please. (KRB5_TRACE=/dev/stderr kinit admin) Thanks, --Robbie

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-13 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Thanks. Yea all this is installed on one server. I just blocked udp > access on the firewall per your suggestion. > > I have pasted the entire log at > > https://pastebin.com/FD3JxiMs > > Lines like "TCP client 1.3.5.17.56660 wants 1195725856 bytes, cap is

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-10 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Thanks so much. > > /var/log/krb5kdc.log only contain the following few kind of lines, not > necessarily in chronological order, and they repeated many times, so I > just copied one line for each kind, but keep in mind each of them > repeated many times: It

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-08 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Hi, on CentOS 7 I installed Freeipa using "yum install ipa-server". > Everything including client is on the same machine itself. All went well, I > can now login to the web as "admin" and create user account etc. And "kinit > admin", "kinit list" etc a

[Freeipa-users] Re: [EXTERNAL] have users reset password

2019-12-12 Thread Robbie Harwood via FreeIPA-users
Dirk Streubel via FreeIPA-users writes: > Hello Rob, > > just for my understanding, when kpasswd and passwd change the password > of the IPA / IDM User, how does the IPA/IDM Server notice the change? They share a database (LDAP) for storage of that information, so the change happens for both at the s

[Freeipa-users] Re: using SPAKE

2019-10-23 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick writes: > Thanks. So if we’re going to continue using FAST, it would be nice to > get “kinit -n” working properly. > > We currently use external certificates. The KDC generates certificates > for kinit -n if we don’t supply an external cert, and they work, but > then I have to get

[Freeipa-users] Re: using SPAKE

2019-10-18 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick via FreeIPA-users writes: > I’d like to avoid having to use a second cache to armor 2FA > requests. My impression was that SPAKE was supposed to fix this. I > just installed a new kdc (replica of an old one) in Centos 8. It > understands SPAKE, offering it as preauthentication for

[Freeipa-users] Re: reinstall freeIPA server without losing data

2019-09-19 Thread Robbie Harwood via FreeIPA-users
Albert Szostkiewicz via FreeIPA-users writes: > Thanks for reply Rob! > >> /var/log/krb5kdc.log might have more details on the GSS failures, or the >> journal. > > Yeah, I've checked that as well. Unfortunately 'Preauthentication > failed' Was no more explanatory to me. Here, it means that a mis

[Freeipa-users] Re: NFS failure after upgrade

2019-09-06 Thread Robbie Harwood via FreeIPA-users
Petros Triantafyllidis via FreeIPA-users writes: > Hi all, >   I have a setup with two servers running CentOS 7.6 which I updated > recently to ipa-server-4.6.4-10.el7.centos.6.x86_64. The update > apparently completed successfully and after that I went through the > update of several clients

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-19 Thread Robbie Harwood via FreeIPA-users
Ronald Wimmer via FreeIPA-users writes: > Some days ago a strange problem struck us. When colleagues access a > server using an ipa-automounted share from a Windows client they can > logon to such a server using a Kerberos ticket but they cannot access > their NFS-automounted home-share anymor

[Freeipa-users] Re: Error when trying to login on a CentOS 6 and OTP Token is enabled but not enforced in an account

2019-07-08 Thread Robbie Harwood via FreeIPA-users
Raul Gomez via FreeIPA-users writes: > Hello list! > > I'm new to FreeIPA, so probably this is something that has an easy fix but I > can't find a way around it. > > I have an environment where there are several CentOS 6 and CentOS 7 machines > and I'm trying to centralize the user authenticati

[Freeipa-users] Re: IdM + AD - restrict KDC servers for login

2019-07-02 Thread Robbie Harwood via FreeIPA-users
Jean Figarella via FreeIPA-users writes: > Hello all, > > In an IdM + AD trust setup; has anyone ever had the need to restrict > IPA client logins to a specific Active Directory server when using > their AD credentials? > > The problem I am having is that one of my clients has an AD cluster > a

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-17 Thread Robbie Harwood via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Dirk Streubel via FreeIPA-users wrote: >> Hello Rob, >> >> Am 14.06.19 um 22:33 schrieb Rob Crittenden: >>> Dirk Streubel wrote: Hello Rob, second try ;) [root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.ipa.host

[Freeipa-users] Re: Smartcard host login w/ Third-Party CA and PKINIT

2019-06-04 Thread Robbie Harwood via FreeIPA-users
Khurrum Maqb via FreeIPA-users writes: > That worked! Thanks so much! I can login and successfully receive a kerberos > ticket when using a smartcard to login. > I also added the following to /etc/krb5.conf to match only a single cert for > pkinit > > pkinit_cert_match = &&msScLogin,clientAuthd

[Freeipa-users] Re: OTP check via API

2019-05-20 Thread Robbie Harwood via FreeIPA-users
Adam Bishop via FreeIPA-users writes: > Is there an API endpoint I can use to perform OTP verification without > the users password (i.e. just with their DN or uid)? > > I've got a non-web application with its own authentication system that > I'd like to add MFA to, and I'd rather avoid copying t

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-20 Thread Robbie Harwood via FreeIPA-users
Stepan Vardanyan via FreeIPA-users writes: > Hello, > > I've proposed to migrate from OpenLDAP to FreeIPA solution in my > organization because the former did not meet our requirements as we > are moving to Single Sign On. We migrated to FreeIPA but set it up with > internal DNS name. This was dumb decis

[Freeipa-users] Re: urgent help needed, ipa unusable after short power cut

2019-03-18 Thread Robbie Harwood via FreeIPA-users
Marisa Sandhoff via FreeIPA-users writes: > [18/Mar/2019:14:36:27.577557647 +0100] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/ipa2.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de] in > keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see

[Freeipa-users] Re: Login WebUI fails

2019-01-23 Thread Robbie Harwood via FreeIPA-users
74cmonty via FreeIPA-users writes: > Do you recommend to file a bug? > Can you share some instructions how to do this? > I'm not familiar with the process on Fedora. Fedora uses Red Hat's bugzilla: https://bugzilla.redhat.com/ IPA upstream uses Fedora's pagure: https://pagure.io/freeipa/ Than

[Freeipa-users] Re: Login WebUI fails

2019-01-14 Thread Robbie Harwood via FreeIPA-users
74cmonty via FreeIPA-users writes: > let me share some additional information on this issue before filing a bug. > > I checked the log files for errors but didn't detect anything. Then I > verified if any service was failing, but everything was running. > > After this I tried to restart ipa.ser

[Freeipa-users] Re: Login WebUI fails

2019-01-14 Thread Robbie Harwood via FreeIPA-users
74cmonty via FreeIPA-users writes: > Solved. > /var/log was 100% full. I'm glad to hear it's solved! However, /var/log filling up shouldn't fail authentication (and definitely not with *that* error message). Do you mind filing a bug report? Thanks, --Robbie

[Freeipa-users] Re: kinit: Password incorrect while getting initial credentials

2019-01-11 Thread Robbie Harwood via FreeIPA-users
nandha kumar via FreeIPA-users writes: > Hi Robbie, > > Yes, I am able to kinit the administrator account > > Yes. My password is correct and even I check for other 4 AD users, it > gives the same error I don't know that there's much I can offer you here. AD says the password is wrong. You cou

[Freeipa-users] Re: kinit: Password incorrect while getting initial credentials

2019-01-08 Thread Robbie Harwood via FreeIPA-users
nandha kumar writes: > I am running redhat 7.5 with freeipa 4.5 . I have established AD one > way sync using password. I am able to ssh the ipa client and ipa > server with windows administrator account , But when I try to login > with normal AD user I am receiving the error " kinit: Password > i

[Freeipa-users] Re: Service named-pkcs11.service on replica reports error: Failed to get initial credentials (TGT) using principal 'DNS/ipa-replica.example.com' and keytab 'FILE:/etc/named.keytab' (Ge

2019-01-03 Thread Robbie Harwood via FreeIPA-users
74cmonty via FreeIPA-users writes: > Hi, > > when I start service `named-pkcs11.service` on replica server I get these > error messages: > ``` > Dez 29 17:33:28 ipa-replica.example.com named-pkcs11[3936]: Failed to get > initial credentials (TGT) using principal 'DNS/ipa-replica.example.com' a

[Freeipa-users] Re: FreeIPA not working (Segfault in Kerberos) after upgrading to Fedora 29

2019-01-03 Thread Robbie Harwood via FreeIPA-users
Patrick Dung via FreeIPA-users writes: > Hello, After upgrading to Fedora 29, Kerberos on the primary Free IPA > is not working. Another FreeIPA replica failed to start. It is because > Kerberos (GSSAPI) is not working and ns-slapd cannot > start. Replication agreement cannot be established via K

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-18 Thread Robbie Harwood via FreeIPA-users
Kees Bakker writes: > On 17-12-18 20:44, Robbie Harwood wrote: >> Kees Bakker via FreeIPA-users >> writes: >> >>> Sure I understand that, but this error in /var/log/krb5kdc.log is basically >>> all I have. >>> krb5kdc: Server error - while fetching master key K/M for realm GHS.NL >> >> What are

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-17 Thread Robbie Harwood via FreeIPA-users
Kees Bakker via FreeIPA-users writes: > Sure I understand that, but this error in /var/log/krb5kdc.log is basically > all I have. > krb5kdc: Server error - while fetching master key K/M for realm GHS.NL What are the permissions on your stash file? Does a checksum match the old replica? Thanks,

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Robbie Harwood via FreeIPA-users
Bret Wortman via FreeIPA-users writes: > So I started working through the guide below and most of the steps just > worked. No errors, which was odd. For example: > > # kinit -kt /etc/named.keytab DNS/ipa3.my.net > # klist > Ticket cache: KEYRING:persistent:0:0 > Default principal: DNS/ipa3.my

[Freeipa-users] Re: Getting access denied when using kerberos when mounting nfs share

2018-11-08 Thread Robbie Harwood via FreeIPA-users
Kevin Vasko via FreeIPA-users writes: > I followed these instructions to enable kerberos within my realm/domain. > > My FreeIPA, NFS server and my NFS client is CentOS 7.4 > > https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html > > I’m completely stuck in that when I

[Freeipa-users] Re: Cannot start FreeIPA master - procedure for cleaning up?

2018-11-02 Thread Robbie Harwood via FreeIPA-users
Callum Smith via FreeIPA-users writes: > Dear Rob, > > Thanks for the fast reply, I think there's something really wrong with > the hostname that's configured for the box (that'll teach me for using > Ansible), and it's trying to auth locally when it's not running yet. > > krb5kdc.log > > Nov 01

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-11-01 Thread Robbie Harwood via FreeIPA-users
lune voo via FreeIPA-users writes: > Hello ! > > I contact you because I have a random problem with my 3.0.0.47 FreeIPA > server. > > Sometimes, suddenly, I cannot use anymore the REST API and I got the > following errors when I try things like ipa user-show : > Insufficient access: SASL(-1): ge

[Freeipa-users] Re: kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread Robbie Harwood via FreeIPA-users
lune voo writes: > Hello Robbie. > > That's also the strange part, the kpasswd does not work after that. Can you post kerb logs for the failure? Thanks, --Robbie

[Freeipa-users] Re: kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread Robbie Harwood via FreeIPA-users
lune voo via FreeIPA-users writes: > Hello everyone. > > I send you this mail because I encountered a strange problem trying to set > a password for a user I just created. > > First, I created the user with ipa user-add and for the following result : > Added user > > Then I added this user into

[Freeipa-users] Re: Auth issue on a specific service

2018-09-21 Thread Robbie Harwood via FreeIPA-users
Sylvain Coutant via FreeIPA-users writes: > Sep 19 15:57:00 ds-01.auth.example.com krb5kdc[1451](info): AS_REQ (8 > etypes {18 17 20 19 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: > x...@auth.example.com for krbtgt/auth.example@auth.example.com, > Additional pre-authentication required > Sep 19 15

[Freeipa-users] Re: NFS4+Krb5 random EIO errors

2018-09-21 Thread Robbie Harwood via FreeIPA-users
Gary Molenkamp via FreeIPA-users writes: > We are seeing random EIO errors when opening files on workstation > clients that, so far, can only be resolved with a reboot of the client. > > Environment: > > 2x replicated IPA servers,  Centos 7.5 w/ freeipa 4.5.4-10.el7 > > NFS server:  Centos 7.5 >

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-07 Thread Robbie Harwood via FreeIPA-users
Ryan Slominski via FreeIPA-users writes: > [root@testclient2 ~]# /usr/sbin/sshd -ddd -p 2 ... > debug1: Unspecified GSS failure. Minor code may provide more information > No key table entry found matching host/testclient2@ Your KDC thinks this machine is called testclient2.example.com, wh

[Freeipa-users] Re: [Ubuntu 18.04] Inappropriate directory permission caused inability signing into webui on a fresh install

2018-08-07 Thread Robbie Harwood via FreeIPA-users
Quan Zhou via FreeIPA-users writes: > It took me a few days to figure out that it was the `/var/lib/krb5kdc` > directory which has no execution perms set, so that the contents within > cannot be accessed by the wsgi process that caused the problem, after > 'sudo chmod a+x /var/lib/krb5kdc' the pro

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-06 Thread Robbie Harwood via FreeIPA-users
Ryan Slominski via FreeIPA-users writes: > [testuser@testclient1 ssh]$ ssh -vvv testclient2.example.com [snip] > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive > debug3: start over, passed a different list > publickey,gssapi-k

[Freeipa-users] Re: Can we install LDAP only

2018-07-26 Thread Robbie Harwood via FreeIPA-users
None via FreeIPA-users writes: > Can we only install LDAP related components, with Kerberos? How? Not using freeIPA - freeIPA is mostly all or nothing. MIT has some documentation on how to install a KDC with openLDAP: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html Please note,

[Freeipa-users] Re: How to investigate error "Cannot contact any KDC for realm" when it occured randomly ?

2018-07-26 Thread Robbie Harwood via FreeIPA-users
lune voo via FreeIPA-users writes: > I'm using Freeipa 3.0 in RHEL6.6 with sssd. This version is pretty old, so I'm not sure how much support you're going to get, but some thoughts: > I send you this mail because I have sometimes errors "Cannot contact > any KDC for realm". When I retry it work

[Freeipa-users] Re: Kerberos Utilities Integration

2018-07-18 Thread Robbie Harwood via FreeIPA-users
hedrick--- via FreeIPA-users writes: > Here are our instructions for setting passwords to not expire. With obvious > adjustments it should let you set any expiration > > To allow staff to set password that don't expire, in GUI > > • add permission Rutgers set expiration, write, type user,

[Freeipa-users] Re: Kerberos Utilities Integration

2018-07-16 Thread Robbie Harwood via FreeIPA-users
Ryan Slominski via FreeIPA-users writes: > What is the status of the IPA integration with Kerberos utilities such > as kadmin (kadmin.local) and kdb5_util? Can they be used or are they > not supported. If not supported maybe they should report an error or > warning. They *can* be used, but it'

[Freeipa-users] Re: rotate host keytabs

2018-06-22 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick writes: > I can see only one possible advantage. If someone becomes root and > steals your keytab, regular rotation will limit how long the > compromise lasts. Of course that assumes that you fix the problem that > allowed them to become root in the first place. And that they don

[Freeipa-users] Re: ipa commands run from cron with keytab sometimes failing

2018-06-14 Thread Robbie Harwood via FreeIPA-users
Roderick Johnstone via FreeIPA-users writes: > [Wed Jun 13 21:30:04.437056 2018] [:error] [pid 29635] ipa: INFO: 401 > Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI > Error: The referenced context has expired (Success) This depends slightly on what SASL was trying to do

[Freeipa-users] Re: rotate host keytabs

2018-05-17 Thread Robbie Harwood via FreeIPA-users
Natxo Asenjo via FreeIPA-users writes: > does anybody rotate host keytabs? Is it worth it security-wise? Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not doing it if you can avoid it largely because one of two things will happen: - All clients who have credentials against th

[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Robbie Harwood via FreeIPA-users
None via FreeIPA-users writes: >> Josh writes: >> >> >> Destroy the keytab. Recreate using ipa-getkeytab. > > I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil > not possible at all? Any technical details about it? How can you use ktutil but not ipa-getkeytab? Maybe let'

[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread Robbie Harwood via FreeIPA-users
Josh via FreeIPA-users writes: > On 05/10/2018 10:26 AM, Rob Crittenden wrote: >> Josh via FreeIPA-users wrote: >>> Greetings, >>> >>> I am trying to follow steps at https://kb.iu.edu/d/aumh to create >>> freeipa admin keytab to use in some scripts but getting an error >>> >>> kinit: Preauthenti

[Freeipa-users] Re: Login popups on WebUI login screen

2018-03-19 Thread Robbie Harwood via FreeIPA-users
Jacob Block via FreeIPA-users writes: > I can at least confirm the behavior is the same on default FreeIPA 4.5 > with IE or Chrome on Windows 7, and Firefox also does not create the > login prompt as was pointed out in the previous conversations. With > the upstream patch to mod_auth_gssapi it wo

[Freeipa-users] Re: 2FA and kinit

2018-02-06 Thread Robbie Harwood via FreeIPA-users
John Ratliff via FreeIPA-users writes: > I'm having problems with kinit and a 2FA enabled account. > > When I run kinit by itself, it says 'kinit: Generic preauthentication > failure while getting initial credentials'. > > I saw on the wiki where that problem is solved by doing one of two > thi

[Freeipa-users] Re: restricting shells

2018-01-26 Thread Robbie Harwood via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Charles Hedrick via FreeIPA-users wrote: > >> One of my staff made a typo in his shell in "ipa user-mod --shell" It >> can be hard to recover from, since you can't login. >> >> Is there a way to restrict what they can use? Traditionally only >> shells in

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Robbie Harwood via FreeIPA-users
Chris Moody writes: > On 1/17/18 8:27 AM, Robbie Harwood wrote: >> Chris Moody writes: >> >>> Thanks for taking a look gents.  Ask and ye shall receive.  :) >>> >>> -Chris >>> >>> ===[ CLI output ]== >>> root@sfca-do-1:~# ipa-client-install -p admin --mkhomedir >>> --hostname=`hostname`

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Robbie Harwood via FreeIPA-users
Chris Moody writes: > Thanks for taking a look gents.  Ask and ye shall receive.  :) > > -Chris > > ===[ CLI output ]== > root@sfca-do-1:~# ipa-client-install -p admin --mkhomedir > --hostname=`hostname` > Discovery was successful! > Client hostname: sfca-do-1.xyz.com > Realm: IPA.xyz.COM

[Freeipa-users] Re: FreeIPA NFS Automount with Kerberos troubleshooting help needed

2018-01-16 Thread Robbie Harwood via FreeIPA-users
Jobka Wohin writes: > so why is it working with the home folders then? > > i thought also this gets fixed by my manual systemctl restart rpc-gssd ? I'm not really sure, sorry. You might have more luck asking NFS folks? > if this is the error i think apparmor is involved in this…. Is it possib

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-16 Thread Robbie Harwood via FreeIPA-users
Chris Moody via FreeIPA-users writes: > 2018-01-15T21:55:24Z INFO Configured /etc/krb5.conf for IPA realm > IPA.XYZ.COM > 2018-01-15T21:55:24Z DEBUG Starting external process > 2018-01-15T21:55:24Z DEBUG args=keyctl search @s user > ipa_session_cookie:host/sfca-do-1.xyz@ipa.xyz.com > 2018-01-

[Freeipa-users] Re: FreeIPA NFS Automount with Kerberos troubleshooting help needed

2018-01-12 Thread Robbie Harwood via FreeIPA-users
jcccb via FreeIPA-users writes: > Jan 12 15:25:12 nfs_server systemd[1]: Starting Kernel Module supporting > RPCSEC_GSS... > Jan 12 15:25:12 nfs_server systemd[1]: Starting Preprocess NFS > configuration... > Jan 12 15:25:12 nfs_server systemd[1]: auth-rpcgss-module.service: main > process ex

[Freeipa-users] Re: FreeIPA NFS Automount with Kerberos troubleshooting help needed

2018-01-12 Thread Robbie Harwood via FreeIPA-users
jcccb via FreeIPA-users writes: > freeipa-server is an fedora27 with selinux active but i cant see any > errors in the logs while restarting autofs service so far What OS/package versions is everything? Thanks, --Robbie

[Freeipa-users] Re: help : Enrolled a FreeIPA client but unable to login to it via SSH

2018-01-12 Thread Robbie Harwood via FreeIPA-users
Aravindh Sampathkumar via FreeIPA-users writes: > localmachine > ssh admin@c10b01 > > It keeps repeating the password prompts in spite of supplying the > correct password. No meaningful errors thrown either. Please increase the verbosity of ssh (i.e., add -vvv or so). Thanks, --Robbie

[Freeipa-users] Re: FreeIPA NFS Automount with Kerberos troubleshooting help needed

2018-01-11 Thread Robbie Harwood via FreeIPA-users
jcccb via FreeIPA-users writes: > I got a FreeIPA Server (F27) up and running on a proxmox host in a vm > fine so far with a Centos client as an NFS-Server. I setup a second > ubuntu client (17.10) with indirect mounts for home and some storage > folders. The home automount points are working

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Maybe this is a bug in the definition of gssproxy? Should it be a Wants= > instead of a Requires=? And anyway something else is broken with proc-fs-nfsd to boot. Thanks, --Robbie

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-11 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Maybe this is a bug in the definition of gssproxy? Should it be a Wants= > instead of a Requires=? No, it's a bug I will have fixed in 7.5. The requirement needs to be from proc-fs-nfsd on gssproxy, not the other way around, because gssproxy doesn't req

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
lejeczek via FreeIPA-users writes: > On 08/01/18 08:46, Florence Blanc-Renaud wrote: >> On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote: >>> >>> $ ipa-client-install --no-ntp --force-join >>> Discovery was successful! >>> ... >>> Also note that following ports are necessary for >>> ipa-

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for > GSSAPI Proxy Daemon. > -- Subject: Unit gssproxy.service has failed > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Uni

[Freeipa-users] Re: Promote new CA master after failure?

2018-01-10 Thread Robbie Harwood via FreeIPA-users
Jonathan Kelley via FreeIPA-users writes: > I've got ipa-server 4.5.0. This is topology with 2 servers and and lost my > primary. I found this guide "Promote CA to Renewal and CRL Master Procedure > in FreeIPA 4.0 or later >

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-08 Thread Robbie Harwood via FreeIPA-users
lejeczek via FreeIPA-users writes: > $ ipa-client-install --no-ntp --force-join > > krb5kdc[1560686](info): preauth (encrypted_timestamp) verify > failure: Preauthentication failed > > But after many tries(randomly) suddenly it would succeed. Do the clocks match on the client and server? Than

[Freeipa-users] Re: How to disable browser-based Kerberos?

2018-01-02 Thread Robbie Harwood via FreeIPA-users
Anthony Clark via FreeIPA-users writes: > Please ignore, bad copy and paste. > > Version 22 of the ipa.conf (the second pasted config section) is the one > that works correctly. > > Is there a way to disable Kerberos browser-side popup password box in > version 27 of the ipa.conf file? My apache

[Freeipa-users] Re: I can't login with ipa user

2018-01-02 Thread Robbie Harwood via FreeIPA-users
"Miguel Angel Coa M. via FreeIPA-users" writes: > I'm connecting my CentOS 5.6 to the IPA server (VERSION: 4.5.0). The > connection with ipa-client is ok, but when I try to log in with an IPA user from > the client server it says ".. user does not exist" > > [root@av125 ~]# su - pruebas.sistemas > su: user pruebas.

[Freeipa-users] Re: Kerberized NFS on two identical VMs. But mounting works only from one.

2017-12-12 Thread Robbie Harwood via FreeIPA-users
Ray via FreeIPA-users writes: > I run FreeIPA across a few sites with five replicated servers. The IPA > version is the current CentOS one: 4.5.0-21 > > At two of those sites a kerberized NFS service is offered to the > client machines. All clients and servers involved in the are CentOS > 7.4 boxe

[Freeipa-users] Re: adding service

2017-11-20 Thread Robbie Harwood via FreeIPA-users
Andrew Meyer via FreeIPA-users writes: > [root@asm-rancid02 keytabs]# ipa-getkeytab -s > asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k > /etc/krb5.keytab > Unable to initialize STARTTLS session > Failed to bind to server! > Retrying with pre-4.0 keytab retrieval

[Freeipa-users] Re: ERROR: did not receive Kerberos credentials

2017-11-15 Thread Robbie Harwood via FreeIPA-users
"Carl Gola" writes: > I'm not sure what's printing Done! either > > Here is a fresh kinit and klist afterwards > > [gola-us@test-nfs-prod-1 ~]$ kinit gola-us > Password for gola-us@test.LOCAL: > > Done! > New ticket is stored in cache file /home/rusers/gola-us/krb5cc_gola-us > [gola-us@test-nfs-p

[Freeipa-users] Re: ERROR: did not receive Kerberos credentials

2017-11-15 Thread Robbie Harwood via FreeIPA-users
Carl Gola via FreeIPA-users writes: > Receiving the following error when trying to run ipa commands > > [gola-us@test-nfs-prod-1 ~]$ kinit gola-us > Password for gola-us@test.LOCAL: > > Done! What's printing "Done!" here? kinit doesn't do that, as far as I'm aware. > New ticket is stored in cache fi

[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Robbie Harwood via FreeIPA-users
Alexander Bokovoy writes: > On ti, 31 loka 2017, Gordon Messmer via FreeIPA-users wrote: >> On 10/31/2017 03:44 PM, Andrew Meyer via FreeIPA-users wrote: >> >>> I've been following this website: >>> FreeIPA: Giving permissions to service accounts. — Firstyear's >>> blog-a-log >>>

[Freeipa-users] Re: One Machine not allowing kerberos auth

2017-10-19 Thread Robbie Harwood via FreeIPA-users
Jeremy Utley writes: > New FreeIPA deployment, and I have one server that is not allowing > Kerberos to handle authentication, but instead is prompting for a > password with a valid Kerberos ticket. All other machines are working > normally. I've double-checked the /etc/ssh/sshd_config file, > ide

[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]

2017-10-18 Thread Robbie Harwood via FreeIPA-users
Kees Bakker writes: > Since I've setup a replica it gives errors like these: > > [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could > not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local > error) (SASL(-1): generic failure: GSSAPI Error: Unspecifie

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2017-10-17 Thread Robbie Harwood via FreeIPA-users
Alexander Bokovoy writes: > On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote: >> >> I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to >> 4.5. The command fails with an "ACIError: Insufficient access:". I >> find in the kdc log that it complains about " Databa

[Freeipa-users] Re: IPA policy creation

2017-10-10 Thread Robbie Harwood via FreeIPA-users
Rob Crittenden writes: > Mark Haney via FreeIPA-users wrote: > >> Due to people not documenting squat here over years, one of our >> servers configurations got jacked up when I migrated it from OpenLDAP >> to IPA. This is a CentOS 6 server that runs RANCID to pull customer >> edge router configs.

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-19 Thread Robbie Harwood via FreeIPA-users
Marius Bjørnstad via FreeIPA-users writes: > When /tmp is full, it is impossible to authenticate with > Kerberos. Login with password over SSH and sudo don't work. Login with > ssh key works fine. Here is the output in the system log when I try to > log on via SSH with password auth (this is on R

[Freeipa-users] Re: "Clock skew too great" when mounting NFS with krb

2017-09-08 Thread Robbie Harwood via FreeIPA-users
Troels Hansen via FreeIPA-users writes: > We have discovered that Hyper-V is as bad as always and that it's > almost impossible to have synced hardware and software time, and > that some servers (still not on IPA) have a time diff of several > hours. I don't know what "hardware" and "software

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-09-01 Thread Robbie Harwood via FreeIPA-users
pgb 205 via FreeIPA-users writes: > Here is the log that I sent in yesterday. With server1 and server2 > down, but server3 up. > > kdc=server1 > kdc=server2 > kdc=server3 > kdc_master=server1 > kdc_master=server2 > kdc_master=server3 kdc_master isn't a valid directive for krb5.conf (we call it ma

[Freeipa-users] Re: Preauthentication failed - what does this mean?

2017-08-23 Thread Robbie Harwood via FreeIPA-users
Detlev Habicht via FreeIPA-users writes: > Hi, > > I have maybe an IPA server which is a little bit broken (My NFS > services don't work, I can't mount - the rest is working.). > > I see these messages: > > ipa-client-install: > Kerberos authentication failed: Major (851968): Unspecified GSS fail

[Freeipa-users] Re: Kerberos key having multiple sever entries

2017-08-16 Thread Robbie Harwood via FreeIPA-users
Bhavin Vaidya via FreeIPA-users writes: > We have Kerberos authentication failing on our replica server as well > as client. We are also not able to add any more client or replica > server. > > Master FreeIPA server ds01:/etc/krb5.keytab, we get multiple entries. > > [root@ds01 log]# klist -kt /e

[Freeipa-users] Re: Cronjob requesting krb tickets

2017-07-28 Thread Robbie Harwood via FreeIPA-users
Anton Semjonov writes: >>> It's much simpler to use a keytab for your service and let Kerberos >>> acquire a TGT automatically. You can either place the keytab in a >>> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to >>> handle the keytab for you. With a client keytab, you

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-15 Thread Robbie Harwood via FreeIPA-users
Robbie Harwood via FreeIPA-users writes: > David Harvey via FreeIPA-users writes: > >> sudo mkdir /etc/krb5.conf.d/ >> #Apparently this is expected by ipa-server to have been generated by one of >> the kerberos packages but is not.. > > There's a PR open for t

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-15 Thread Robbie Harwood via FreeIPA-users
David Harvey via FreeIPA-users writes: > sudo mkdir /etc/krb5.conf.d/ > #Apparently this is expected by ipa-server to have been generated by one of > the kerberos packages but is not.. There's a PR open for this in [1]. Since it hasn't merged, though, it's probably not going to get a backport.