Re: [Freeipa-users] change CA subject or "friendly name"?

2016-04-18 Thread Jan Cholasta
Hi, On 12.4.2016 01:08, Fraser Tweedale wrote: On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote: Hello All, I'm in the process of deploying FreeIPA 4 in a development environment. One of my testers has imported the ca.pem file into Windows, and indicates that it displays as:

Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-18 Thread Jan Cholasta
On 18.4.2016 12:20, Martin Kosek wrote: On 04/12/2016 12:14 PM, Remco Kranenburg wrote: Thanks for all the pointers. I'm tentatively moving forward with a CA-less and DNS-less IPA server, with Letsencrypt certificates. I think this is also the setup that is used by the demo at

Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Sumit Bose
On Mon, Apr 18, 2016 at 03:08:28PM +, Gady Notrica wrote: > Hi guys, > > From the ipa server, I am having issue with the single user. Everyone else is fine, just this one single user and no help anywhere online. > > Please help! > > Thank you > > Apr 15 15:43:36 ipa.domain.com

Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Gady Notrica
Hi Rob, Thanks for the reply. I did reset the user password multiple times to a simple password, still having same issue. Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 18, 2016 2:25 PM To: Gady Notrica; freeipa-users@redhat.com Subject: Re:

Re: [Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Rob Crittenden
Gady Notrica wrote: Hi guys, From the ipa server, I am having issue with the single user. Everyone else is fine, just this one single user and no help anywhere online. Please help! Decrypt integrity check failed almost always means bad password. rob Thank you Apr 15 15:43:36

[Freeipa-users] Account/password expirations

2016-04-18 Thread Steve Huston
Following instructions in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html sort-of works to get this done, but I wonder if there's a better way to do it. My goal is twofold: when users are created, they will be required to have a

[Freeipa-users] NEEDED_PREAUTH: Additional pre-authentication required - User can't access any centos server

2016-04-18 Thread Gady Notrica
Hi guys, From the ipa server, I am having issue with the single user. Everyone else is fine, just this one single user and no help anywhere online. Please help! Thank you Apr 15 15:43:36 ipa.domain.com krb5kdc[2568](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.20.10.40: NEEDED_PREAUTH:

Re: [Freeipa-users] Username attribute in trusted domain

2016-04-18 Thread Jakub Hrozek
On Mon, Apr 18, 2016 at 01:47:04PM +, Brook, Andy [CRI] wrote: > > On 4/18/16, 5:03 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub > Hrozek" > wrote: > > >On Fri, Apr 15, 2016 at 08:01:06PM +, Brook, Andy

Re: [Freeipa-users] Username attribute in trusted domain

2016-04-18 Thread Brook, Andy [CRI]
On 4/18/16, 5:03 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek" wrote: >On Fri, Apr 15, 2016 at 08:01:06PM +, Brook, Andy [CRI] wrote: >> We’re trying to setup FreeIPA to be a good provider of UIDs and

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-18 Thread Timo Aaltonen
18.04.2016, 10:14, David Kupka wrote: > On 15/04/16 15:16, Harald Dunkel wrote: >> Hi David, >> >>> Hello Harri, >>> >>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by >>> default the permissions are set to: >>> >>> $ ls -dl /etc/ipa/nssdb/ >>> drwxr-xr-x. 2 root root 73 Apr

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-18 Thread Martin Kosek
On 04/15/2016 04:06 PM, Harald Dunkel wrote: > Hi David, > > On 04/15/16 15:11, David Kupka wrote: >> >> Hello Harri, >> >> the attribute you're looking for is 'nsaccountlock'. This command should >> give you uids of all disabled users: >> >> $ ldapsearch -LLL -Y GSSAPI -b

Re: [Freeipa-users] How to set passwords which never expire ?

2016-04-18 Thread Martin Kosek
On 04/12/2016 02:10 PM, dbisc...@hrz.uni-kassel.de wrote: > Hi, > > On Tue, 12 Apr 2016, bahan w wrote: > >> I am using FreeIPA 3.0 and I would like, for specific accounts, to set >> passwords unexpirables. >> >> I tried to set a pwpolicy for this with the option maxage set to 0, but it >> did

Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-18 Thread Martin Kosek
On 04/12/2016 12:14 PM, Remco Kranenburg wrote: > Thanks for all the pointers. I'm tentatively moving forward with a CA-less and > DNS-less IPA server, with Letsencrypt certificates. I think this is also the > setup that is used by the demo at . Is > there

Re: [Freeipa-users] Username attribute in trusted domain

2016-04-18 Thread Jakub Hrozek
On Fri, Apr 15, 2016 at 08:01:06PM +, Brook, Andy [CRI] wrote: > We’re trying to setup FreeIPA to be a good provider of UIDs and GIDs for our > mostly RHEL systems. Overall, that works great. The issue I’m running into is > that we need to have the same consistent UIDs and GIDs for our