Re: [Freeipa-users] [SOLVED] Do not upgrade FreeIPA deployments to Fedora 20 final (yet)

2014-01-03 Thread Martin Kosek
Hello, We have good news for you. Both 389-ds-base-1.3.2.9-1.fc20 and slapi-nis-0.52-1.fc20 are now in Fedora 20 stable repository. The only remaining issue in 389-ds-base is https://fedorahosted.org/389/ticket/47656, but this should not be a show stopper for upgrading to Fedora 20. I lifted the

Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-03 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 12:33:16AM +0200, Genadi Postrilko wrote: > Here are the *sssd.log, **sssd_nss.log. *Other logs were empty or did not > contain the output for the relevant log in. > > https://gist.github.com/anonymous/8228284 According to gist, you only provided the debug logs from the [

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Jakub Hrozek
On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote: > /var/log/sssd/* > this is using bob@host (prattle.com is the windows domain) > https://gist.github.com/anonymous/ff817a251948ff58bdb1 > > this is using b...@prattle.com@host (prattle.com is the windows domain) Thanks, these logs hav

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 12:29:11PM +0100, Jakub Hrozek wrote: > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote: > > /var/log/sssd/* > > this is using bob@host (prattle.com is the windows domain) > > https://gist.github.com/anonymous/ff817a251948ff58bdb1 > > > > this is using b...@pr

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Petr Viktorin
On 01/03/2014 02:23 AM, Will Sheldon wrote: This is cause for concern. Is there a hardening / best practices for production guide anywhere, did I miss a section of the documentation? What else do I need to secure? I understand that there is a tradeoff between security and compatibility, but ma

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Simo Sorce
On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote: > On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote: > > /var/log/sssd/* > > this is using bob@host (prattle.com is the windows domain) > > https://gist.github.com/anonymous/ff817a251948ff58bdb1 > > > > this is using b...@prattle.c

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
>> To generate the winbind logs on the server, can you do 'smbcontrol winbindd >> debug 100', then request the trusted user. The winbind logs would be at >> /var/log/samba/log.w* I truncated all of the files in /var/log/samba and then made a single login attempt. These are the files that were non

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
> or simply run wbinfo on the server to check winbindd can properly > retrieve users before moving back to testing on client. [r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user b...@prattle.com Would this be an app

Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-03 Thread Genadi Postrilko
Here are the other logs as well (ldap_child.log, sssd_pac.log, sssd_ssh.log). https://gist.github.com/anonymous/8242061 I attempted to log in (as administra...@addc.com) at 9:04. Thanks for the help.

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Will Sheldon
Thanks Petr, that certainly makes sense from the point of view of functionality. I do think the default is sane, but there are a lot of possible deployment scenarios and my concern is that a junior or time poor admin looking to implement a trusted, secure solution should be made aware of any poten

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
[r...@ipa.wibble.com ~]# wbinfo --all-domains BUILTIN WIBBLE PRATTLE [r...@ipa.wibble.com ~]# wbinfo --own-domain WIBBLE On 3 January 2014 15:06, Andrew Holway wrote: >> or simply run wbinfo on the server to check winbindd can properly >> retrieve users before moving back to testing on client. >

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Dmitri Pal
On 01/03/2014 12:50 PM, Will Sheldon wrote: > Thanks Petr, that certainly makes sense from the point of view of > functionality. > > I do think the default is sane, but there are a lot of possible > deployment scenarios and my concern is that a junior or time poor > admin looking to implement a tru

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal wrote: > On 01/03/2014 12:50 PM, Will Sheldon wrote: > > Thanks Petr, that certainly makes sense from the point of view of > functionality. > > I do think the default is sane, but there are a lot of possible deployment > scenarios and my concern is th

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Dmitri Pal
On 01/03/2014 02:33 PM, Stephen Ingram wrote: > On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal > wrote: > > On 01/03/2014 12:50 PM, Will Sheldon wrote: >> Thanks Petr, that certainly makes sense from the point of view of >> functionality. >> >> I do think the d

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-03 Thread Stephen Ingram
On Fri, Jan 3, 2014 at 11:37 AM, Dmitri Pal wrote: > On 01/03/2014 02:33 PM, Stephen Ingram wrote: > > On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal wrote: > >> On 01/03/2014 12:50 PM, Will Sheldon wrote: >> >> Thanks Petr, that certainly makes sense from the point of view of >> functionality.

[Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard
When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following; [root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.com.crt --external_ca_file=/root/sun.we

[Freeipa-users] freeipa remote commands

2014-01-03 Thread Zulkifal Ahmad
Hi Experts, I am trying to run a script from a remote server which creates user principals and generates keytabs on my ipa server installed on CentOS6.5 ipav3. The issue that I am getting is that when I run the same script from the terminal of the remote server it runs fine and retrieves the

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread Rob Crittenden
James Scollard wrote: When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following; [root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.com.crt --external_c

Re: [Freeipa-users] freeipa remote commands

2014-01-03 Thread Rob Crittenden
Zulkifal Ahmad wrote: Hi Experts, I am trying to run a script from a remote server which creates user principals and generates keytabs on my ipa server installed on CentOS6.5 ipav3. The issue that I am getting is that when I run the same script from the terminal of the remote server it runs fine

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard
Thanks for the reply, Version: Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest version... I'm not sure I understand the answer. I created the CSR and they signed it using their automation, and returned the new ones to me for installation, which failed. SUN.WEATHER.C

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread Dmitri Pal
On 01/03/2014 04:13 PM, James Scollard wrote: > Thanks for the reply, > > Version: > > Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and > latest version... > > I'm not sure I understand the answer. > > I created the CSR and they signed it using their automation, and > returned the n

Re: [Freeipa-users] freeipa remote commands

2014-01-03 Thread Dmitri Pal
On 01/03/2014 04:01 PM, Rob Crittenden wrote: > Zulkifal Ahmad wrote: >> Hi Experts, >> I am trying to run a script from a remote server which creates user >> principals and generates keytabs on my ipa server installed on CentOS6.5 >> ipav3. The issue that I am getting is that when I run the same