Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-23 Thread Jakub Hrozek
On Sat, Nov 21, 2015 at 02:21:52AM +, Jeffrey Stormshak wrote: > Rob - > Here’s the test configurations/data when I manipulate the BINDDN/BINDPW > fields to get both AUTH and SUDO to work in Linux 5.5. I have three > questions below that I would like to get your comments on or see what

Re: [Freeipa-users] service account for ovirt

2015-11-23 Thread Martin Kosek
On 11/20/2015 08:16 PM, Rob Verduijn wrote: > Hello, > > I've tested the solution you suggested it doesn't work > I think ovirt-engine looks for the other users in the same context as > the bind user, it will of course find not many there, Ah, I see. oVirt apparently expects the users to be only

[Freeipa-users] Unspecified GSS failure. No credentials cache found

2015-11-23 Thread Roberto Cornacchia
Hi there, Although I can't see anything failing, the logs of all clients in my IPA domain (FC22, freeipa 4.1.4) contain lots of these failures every day: nov 23 10:43:34 hadron.hq.example.com gssproxy[742]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more

Re: [Freeipa-users] web ui runtime error

2015-11-23 Thread Petr Vobornik
On 11/23/2015 04:44 AM, Orion Poplawski wrote: Trying to install freeipa-server on Fedora 23. When I try to connect to the web UI from a non-domain EL7 client with firefox I get: Runtime error Web UI got in unrecoverable state during "init" phase Technical details: The operation is insecure.

[Freeipa-users] FreeIPA en Domain Trust

2015-11-23 Thread Winfried de Heiden
Hi all, For some reason, we only want to use the Active Directory user from an Active Directory using a Trust. (groups like "Domain Users"  are of no use...) Is it possible to ignore (hide) ALL groups from a particular Domain (trust)/

Re: [Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-23 Thread Martin Babinsky
On 11/20/2015 04:44 PM, Karl Forner wrote: Hello, My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1. The freeipa server runs inside a docker (an adelton/freeipa-server), and the docker host pretends to be the freeIPA server by forwarding the appropriate ports. This works very fine.

Re: [Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-23 Thread Jan Pazdziora
On Fri, Nov 20, 2015 at 04:44:38PM +0100, Karl Forner wrote: > > My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1. > The freeipa server runs inside a docker (an adelton/freeipa-server), and > the docker host pretends to be the freeIPA server by forwarding the > appropriate ports. Is

Re: [Freeipa-users] web ui runtime error

2015-11-23 Thread Orion Poplawski
On 11/23/2015 04:50 AM, Petr Vobornik wrote: On 11/23/2015 04:44 AM, Orion Poplawski wrote: Trying to install freeipa-server on Fedora 23. When I try to connect to the web UI from a non-domain EL7 client with firefox I get: Runtime error Web UI got in unrecoverable state during "init" phase

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-23 Thread Jeffrey Stormshak
Jakub/Rob - Thanks for the feedback. I was finally able to ditch the ‘binddn’ and was able to get SSL working upon upgrading the OpenSSL from the 5.5 base to the one supplied in 5.7 base. The SSL is fully authenticating and with sudo access. However, I’m riddled by the following item below.

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-23 Thread Rob Crittenden
Jeffrey Stormshak wrote: > Jakub/Rob - > Thanks for the feedback. I was finally able to ditch the ‘binddn’ and > was able to get SSL working upon upgrading the OpenSSL from the 5.5 base > to the one supplied in 5.7 base. The SSL is fully authenticating and > with sudo access. However, I’m

Re: [Freeipa-users] Active Directory Integration and limitations

2015-11-23 Thread Simo Sorce
On Wed, 2015-11-18 at 11:46 +0100, Domineaux Philippe wrote: > Here is my environment : > > 1 Windows Domain > Windows workstations > Windows servers > Multiple linux domains > Linux workstations > Linux servers > > Here is my goal : > > All users are centralized in the Active Directory. >

[Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Winfried de Heiden
Hi all, I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 # ipa hbacrule-show testuser   Rule name: testuser   Enabled: TRUE   Users: testuser   Hosts: fedora23-server.blabla.bla   Services: sshd Hence, "

Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Simo Sorce
On Tue, 2015-11-17 at 21:36 -0500, Marc Boorshtein wrote: > I'm putting together a java kerberos client and am having an issue > getting a SGT from IPA. I get a TGT without issue, but when I submit > the TGS-REQ I get the following errors in the ipa log: > > Nov 17 20:53:15 freeipa.rhelent.lan

Re: [Freeipa-users] Fwd: Re: FreeIPA en Domain Trust

2015-11-23 Thread Jakub Hrozek
On Mon, Nov 23, 2015 at 04:43:11PM +0100, Winfried de Heiden wrote: >Hi all, > >One motivation: the customer demands like this... Yes, but why? It doesn't make sense to me.. >Also: ignore Windows specific group info which is not important for the >Linux domain >Also: too

Re: [Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Marc Boorshtein
We actually tracked it down. The problem was the Authenticator was missing the authenticatorkvno field per the RFC. Once we set that to 5 we got past this issue. IPA 4.1 on CentOS7 Thanks Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com On Mon, Nov 23, 2015 at 10:38

Re: [Freeipa-users] freeipa hardware appliance

2015-11-23 Thread Martin Basti
On 20.11.2015 18:37, Karl Forner wrote: Thanks Martin. My expected numbers: users ~ 50 max, concurrent clients/sessions < 20, hosts < 20. I was thinking about a server with an old intel cpu, 4Gb RAM and small HDD or USB key-based storage + an ethernet port. I have no idea if it is a common

[Freeipa-users] [Solved] Re: "ASN.1 structure is missing a required field" - what is missing?

2015-11-23 Thread Simo Sorce
On Mon, 2015-11-23 at 10:41 -0500, Marc Boorshtein wrote: > We actually tracked it down. The problem was the Authenticator was > missing the authenticatorkvno field per the RFC. Once we set that to > 5 we got past this issue. Ok, then we'll consider this solved, thanks for following up.

[Freeipa-users] Fwd: Re: FreeIPA en Domain Trust

2015-11-23 Thread Winfried de Heiden
Hi all, One motivation: the customer demands like this... Also: ignore Windows specific group info which is not important for the Linux domain Also: too many groups! If it's a sssd thing, this might be solved on the

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Jakub Hrozek
On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: >Hi all, > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > ># ipa hbacrule-show testuser >  Rule name: testuser >  Enabled: TRUE >  Users: testuser >  Hosts:

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Sumit Bose
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote: > On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: > >Hi all, > > > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > > > ># ipa hbacrule-show testuser > >  Rule name: testuser > >