Re: [Freeipa-users] Enrolling client to second IPA server

2014-01-06 Thread Alexander Bokovoy
On Tue, 07 Jan 2014, Jan Pazdziora wrote: For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with different domain. My goal is to then use Kerberos authentication in applications to use the second realm and PAM authentication in applications to go to the

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-06 Thread Alexander Bokovoy
On Fri, 03 Jan 2014, Simo Sorce wrote: On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote: On Thu, Jan 02, 2014 at 08:06:31PM +, Andrew Holway wrote: > /var/log/sssd/* > this is using bob@host (prattle.com is the windows domain) > https://gist.github.com/anonymous/ff817a251948ff58bdb1 > >

[Freeipa-users] Enrolling client to second IPA server

2014-01-06 Thread Jan Pazdziora
For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with different domain. My goal is to then use Kerberos authentication in applications to use the second realm and PAM authentication in applications to go to the second domain in sssd while leaving the fir

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-06 Thread Will Sheldon
I’m not too concerned on the default as long as the user is warned (or even maybe asked) at install time. Kind regards, Will Sheldon +1.778-689-1244 On Monday, January 6, 2014 at 1:57 PM, Sigbjorn Lie wrote: > On 03/01/14 20:33, Stephen Ingram wrote: > > On Fri, Jan 3, 2014 at 10:29 AM, D

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-06 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote: Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands. Can't

Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.

2014-01-06 Thread Genadi Postrilko
sssd_example.com.log after changing the debug level: https://gist.github.com/anonymous/8290381#file-sssd_example-com-log [genadi@ipaserver root]$ wbinfo -u (no output) [genadi@ipaserver root]$ wbinfo -g admins editors default smb group ad_users ad_admins [genadi@ipaserver root]$ wbinfo --trusted

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-06 Thread Alexander Bokovoy
On Fri, 03 Jan 2014, Andrew Holway wrote: To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w* I truncated all of the files in /var/log/samba and then make a single login attempt

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-06 Thread Sigbjorn Lie
On 03/01/14 20:33, Stephen Ingram wrote: On Fri, Jan 3, 2014 at 10:29 AM, Dmitri Pal > wrote: On 01/03/2014 12:50 PM, Will Sheldon wrote: Thanks Petr, that certainly makes sense from the point of view of functionality. I do think the default is sane, but

Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst->watcher...) failed

2014-01-06 Thread Sigbjorn Lie
On 06/01/14 21:53, Alexandre Ellert wrote: Do you see any messages complaining about broken connection or something like that? Did the server work fine before the reload? The server worked fine before reload (caused by logrotate). I've searched in log file /var/log/dirsrv/*, /var/log/message

Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst->watcher...) failed

2014-01-06 Thread Alexandre Ellert
> We need more information about your configuration. Please add details > mentioned at > > https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Aboutyouroperatingsystemdistribution > > and > > https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#Abouttheplugin What distribution/ve

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-06 Thread Joseph, Matthew (EXP)
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands. Nope, ypbind was stopped when those er

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread Dmitri Pal
On 01/06/2014 12:25 PM, James Scollard wrote: > I have it now. The --dirsrv_pkcs12 option seems to like pkcs7 > formatted certificates, but the person who issued it did not set a > password, so FreeIPA will not let me install it to know if it works > for sure. I am having the certificate reissued

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
I have it now. The --dirsrv_pkcs12 option seems to like pkcs7 formatted certificates, but the person who issued it did not set a password, so FreeIPA will not let me install it to know if it works for sure. I am having the certificate reissued again with a password in pkcs12 format and all sh

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread Rob Crittenden
James Scollard wrote: That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have a new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format: [root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have a new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format: [root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pk
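The PKCS#7 bundle a CA portal returns carries only certificates; ipa-server-install's --dirsrv_pkcs12 and --http_pkcs12 options want a PKCS#12 file that holds the server certificate, its chain and the private key, protected by the password given in --dirsrv_pin / --http_pin. The script below is an added example written for this page, not code from the thread or from FreeIPA: it unpacks a PKCS#7 bundle with openssl, rebuilds a password-protected PKCS#12 from it plus the key the CSR was generated with, and checks that the result actually opens with that password and contains a private key. The hostname ldap.example.test, the throwaway self-signed certificate used as stand-in for the CA-issued one, and the password Secret123 are constructed fixtures, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): PKCS#7 chain + private key -> PKCS#12
# suitable for ipa-server-install --dirsrv_pkcs12 / --http_pkcs12 with --dirsrv_pin / --http_pin.
set -eu

WORK=$(mktemp -d)

# Constructed fixture: a throwaway key and self-signed certificate stand in for the key behind
# the CSR and the certificate the CA issued. Then wrap the cert the way many CA portals deliver
# it: a PKCS#7 bundle (certificates only, no private key).
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/CN=ldap.example.test" -days 1 >/dev/null 2>&1
  openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -out "$WORK/server.p7b" >/dev/null 2>&1
}

# Step 1: unpack the PKCS#7 (PEM) into plain PEM certificates: leaf plus any chain certs.
# $1 = PKCS#7 input, $2 = PEM output
p7_to_pem() {
  openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Step 2: combine the PEM certificates with the private key into a PKCS#12 that has an export
# password; an unprotected PKCS#12 is what FreeIPA refused in the thread.
# $1 = PEM certs, $2 = private key, $3 = PKCS#12 output, $4 = export password
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" >/dev/null 2>&1
}

# Check before handing the file to ipa-server-install: it must open with the password and must
# contain a private key (a certificate-only bundle would pass a naive "does it parse" test).
# $1 = PKCS#12 file, $2 = password
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

# A certificate-only PKCS#12 would fail the key check; used to show the check is meaningful.
build_certs_only_p12() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3" >/dev/null 2>&1
}

run_demo() {
  make_fixture
  p7_to_pem "$WORK/server.p7b" "$WORK/chain.pem"
  build_p12 "$WORK/chain.pem" "$WORK/server.key" "$WORK/server.p12" "Secret123"
  if p12_has_key "$WORK/server.p12" "Secret123"; then
    echo "ok"
  else
    echo "missing-key"
  fi
}

# Negative case: the same chain packed without a key must be rejected by the check.
run_negative() {
  make_fixture
  p7_to_pem "$WORK/server.p7b" "$WORK/chain.pem"
  build_certs_only_p12 "$WORK/chain.pem" "$WORK/nokey.p12" "Secret123"
  if p12_has_key "$WORK/nokey.p12" "Secret123"; then
    echo "unexpected-key"
  else
    echo "rejected"
  fi
}
```

For a real deployment, replace the fixture with the key generated for the CSR and the PKCS#7 file the CA returned, then pass the resulting .p12 and its password to ipa-server-install (--dirsrv_pkcs12 with --dirsrv_pin, --http_pkcs12 with --http_pin). If p12_has_key reports no private key, the PKCS#12 was built from certificates only and the installer will not be able to use it.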

Re: [Freeipa-users] FreeIPA Server Install - Why --no-ntp?

2014-01-06 Thread Simo Sorce
On Mon, 2014-01-06 at 09:08 +0100, Petr Spacek wrote: > On 23.12.2013 21:57, Simo Sorce wrote: > > On Mon, 2013-12-23 at 12:57 -0700, Jason Becker wrote: > >> Section 2.1.4.5. NTP in the Fedora 18 / 3.1.5 Guide states: > >> > >> "If a server is being installed on a virtual machine, that server *sho

Re: [Freeipa-users] named failure: REQUIRE(pthread_kill(ldap_inst->watcher...) failed

2014-01-06 Thread Petr Spacek
Hello! On 1.1.2014 00:45, Dmitri Pal wrote: On 12/30/2013 04:48 AM, Alexandre Ellert wrote: This night, named crashed on my IPA server (Centos 6.5) : Dec 29 02:27:02 ipa-master named[1537]: received control channel command 'reload' Dec 29 02:27:03 ipa-master named[1537]: ldap_helper.c:640: REQ

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-06 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 02:05:58PM +, Andrew Holway wrote: > >> To generate the winbind logs on the server, can you do 'smbcontrol winbindd > >> debug 100', then request the trusted user. The winbind logs would be at > >> /var/log/samba/log.w* > > I truncated all of the files in /var/log/samba

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread Jan Cholasta
Hi, On 3.1.2014 22:13, James Scollard wrote: Thanks for the reply, Version: Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest version... I'm not sure I understand the answer. I created the CSR and they signed it using their automation, and returned the new ones to me fo

Re: [Freeipa-users] Cannot login via SSH with AD user TO IPA Domain.

2014-01-06 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote: > Here are the other logs as well (ldap_child.log, sssd_pac.log, > sssd_ssh.log). > > https://gist.github.com/anonymous/8242061 > > I attempted to log in (as administra...@addc.com) at 9:04. > > Thanks for the help. > You need t

Re: [Freeipa-users] FreeIPA Server Install - Why --no-ntp?

2014-01-06 Thread Petr Spacek
On 23.12.2013 21:57, Simo Sorce wrote: On Mon, 2013-12-23 at 12:57 -0700, Jason Becker wrote: Section 2.1.4.5. NTP in the Fedora 18 / 3.1.5 Guide states: "If a server is being installed on a virtual machine, that server *should not* run an NTP server. To disable NTP for FreeIPA, use the *--no-n