Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
It's worth noting that, in contrast to the bug report: 1. We aren't making changes to the overrides. The overrides exist, they just aren't propagating evenly or consistently. 2. We are seeing these errors in the various logs: sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64 sssd-ad-1.13.0-40.el7_2.4.x86_64 sssd-proxy-1.13.0-40.el7_2.4.x86_64 sssd-1.13.0-40.el7_2.4.x86_64 sssd-common-1.13.0-40

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Prasun Gera
If it's the admin account, there would be a pretty good likelihood of brute-force attempts if your server is on the internet. One option is to rename it to something else. On 17 May 2016 11:36 a.m., "Rich Megginson" wrote: > On 05/17/2016 08:18 AM, Rob Crittenden wrote: > >> John Duino wrote: >> >

Re: [Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Rob Crittenden
Alexander Bokovoy wrote: On Tue, 17 May 2016, Stephen Berg (Contractor) wrote: I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that w

Re: [Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

2016-05-17 Thread Alexander Bokovoy
On Tue, 17 May 2016, John Meyers wrote: All, I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23) and AD (Windows 2012R2). The IPA side works perfectly and AD users can authenticate against IPA resources. However, when one tries to add an IPA user or group to a Windows permissi

[Freeipa-users] Unable to enumerate IPA users from AD side of 2-way trust due to kerberos error

2016-05-17 Thread John Meyers
All, I have established a 2-way forest trust between FreeIPA (4.2.4-1.fc23) and AD (Windows 2012R2). The IPA side works perfectly and AD users can authenticate against IPA resources. However, when one tries to add an IPA user or group to a Windows permission set (e.g. an NTFS ACL or user right), W

Re: [Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Alexander Bokovoy
On Tue, 17 May 2016, Stephen Berg (Contractor) wrote: I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that will read info using the

[Freeipa-users] Read-only permission with no authentication

2016-05-17 Thread Stephen Berg (Contractor)
I'm trying to set up an account that will only have read permissions to FreeIPA's user and host info to get some automated documentation tasks running. Basically I want to set up a cron job on a FreeIPA server that will read info using the ipa command line tools like "ipa user-find", "ipa user

Re: [Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread Alexander Bokovoy
On Tue, 17 May 2016, lejeczek wrote: On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote: On Tue, 17 May 2016, lejeczek wrote: > hi users/devs > > I've used wiki pages to set AD - IPA trust, and it always ends up > being > realm type of trust (@ AD DC end) whereas wiki shows forest type. >

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Rich Megginson
On 05/17/2016 08:18 AM, Rob Crittenden wrote: John Duino wrote: Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it

Re: [Freeipa-users] IPA vulnerability management SSL

2016-05-17 Thread Sean Hogan
Hello, This is an older thread now but our mitigation guys found a solution in fixing this that I think you all may want, as the output has now changed from the 13 ciphers that would not change to the below. It's a rather easy fix as well, and it's possible I missed it with assumptions. You need to

Re: [Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread lejeczek
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote: > On Tue, 17 May 2016, lejeczek wrote: > > hi users/devs > > > > I've used wiki pages to set AD - IPA trust, and it always ends up > > being > > realm type of trust (@ AD DC end) whereas wiki shows forest type. > > What am I doing wrong? >

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Rob Crittenden
Adam Kaczka wrote: I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA chain is missing; so I am thinking I may have to use ipa-server-certinstall to reinstall the two certs. I really doubt it. I'm not sure what can't be found, maybe one of the dogtag devs has an idea

Re: [Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread Rob Crittenden
John Duino wrote: Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it is available, and other times several hours. i

Re: [Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread Alexander Bokovoy
On Tue, 17 May 2016, lejeczek wrote: hi users/devs I've used wiki pages to set AD - IPA trust, and it always ends up being realm type of trust (@ AD DC end) whereas wiki shows forest type. What am I doing wrong? Probably because you are choosing wrong type of trust on AD side. Remove any trust

Re: [Freeipa-users] Re-enable 7389 port on multimaster

2016-05-17 Thread Rob Crittenden
barry...@gmail.com wrote: Hi: 2 servers configured as multi-master but one of them cannot telnet 7389. How can I check and re-enable it? Server cannot telnet 7389, should I reinstall CA service ... is it related? Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING M

[Freeipa-users] Changing spec.page_length?

2016-05-17 Thread Jeffery Harrell
Is there a “soft” way to change the number of rows in tables like the hosts and DNS records search facets? I think I’d happily trade a little interactivity when going from one facet to another for the ability to see four or five times as much information on a single screen at once. I get that I

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz
On 05/17/2016 12:49 PM, Ludwig Krispenz wrote: On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap stru

[Freeipa-users] win2012 r2 and trust type = realm

2016-05-17 Thread lejeczek
hi users/devs I've used wiki pages to set AD - IPA trust, and it always ends up being realm type of trust (@ AD DC end) whereas wiki shows forest type. What am I doing wrong? I think I must be doing something wrong for having that trust established (or at least I think I have it) when @IPA end I do:

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-17 Thread Simo Sorce
On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote: > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > .. if possible, would you know? > > > hi everybody, > > > I'm trying, and hoping it is possible to realm join an AD but is >

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Jakub Hrozek
On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote: > FWIW, > > We are seeing the issues that are described here: > > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html > > I was about to write when I found this, it explains exactly what I am > seeing - right

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Alexander Bokovoy
On Mon, 16 May 2016, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against freeIPA/389DS. W

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against freeIP

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Petr Spacek
On 16.5.2016 23:19, Giuseppe Sarno wrote: > Hello, > I am new to freeIPA and I am recently working on a project to integrate > freeIPA with some legacy application which uses LDAP for user management. > I have initially created our own ldap structure and I tried to run the code > against freeIPA/

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Martin Babinsky
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against freeIPA/389D

Re: [Freeipa-users] IPA as subdomain, part of AD ?

2016-05-17 Thread Petr Spacek
On 16.5.2016 19:59, Simo Sorce wrote: > On Mon, 2016-05-16 at 17:00 +0100, lejeczek wrote: >> hi users/devel >> >> I'm trying to grasp the concepts - can IPA be plugged into AD domain, >> be part of it as a subdomain? > > No, the only trust type we handle is a Forest level trust, so FreeIPA > need

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-17 Thread lejeczek
On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > .. if possible, would you know? > > hi everybody, > > I'm trying, and hoping it is possible to realm join an AD but is > > such a > > way so I tap my IPA into specific OU within that

Re: [Freeipa-users] Mac OS 10.11.4 issue: Cannot change expired Kerberos passwords on GUI login

2016-05-17 Thread Răzvan Corneliu C.R. VILT
> I have some questions for the author himself or anyone who has replicated > his work: > > - Which OS X versions has this been tested on? 10.6.7 through 10.10.4 (latest Snow Leopard through latest Yosemite in May 2015). The client had two Snow Leopards, one or two Lions, 10 Mountain Lions a

[Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
FWIW, We are seeing the issues that are described here: https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html I was about to write when I found this, it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random". I am

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Alexander Bokovoy > Sent: Monday, 16 May 2016 11:46 PM > To: Lachlan Musicman > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD Primary Groups are ignored i

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Alexander Bokovoy
On Tue, 17 May 2016, Simpson Lachlan wrote: >I feel like it would be an obvious need - to translate or override AD >primary groups to FreeIPA groups, but this doesn't seem possible. There is only one primary group for a user. For Kerberos operations we currently don't take ID overrides into accou

[Freeipa-users] Re-enable 7389 port on multimaster

2016-05-17 Thread barrykfl
Hi: 2 servers configured as multi-master but one of them cannot telnet 7389. How can I check and re-enable it? Server cannot telnet 7389, should I reinstall CA service ... is it related? Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING MEMCACHE Service: RUNNING HTT

Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

2016-05-17 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Martin Kosek > Sent: Monday, 16 May 2016 11:28 PM > To: Lachlan Musicman; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] AD Primary Groups are ignored in FreeIPA?

[Freeipa-users] How to determine cause/source of user lockout?

2016-05-17 Thread John Duino
Is there a (relatively easy) way to determine what is causing a user account to be locked out? The admin account on our 'primary' ipa host is locked out frequently, but somewhat randomly; sometimes it will be less than 5 minutes it is available, and other times several hours. ipa user-status admin
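One way to answer the question above for the LDAP side, as an added example that is not part of the thread or of FreeIPA itself: FreeIPA's KDC and 389-ds both count failed authentications against the same account, and the LDAP simple binds show up in the 389-ds access log as a `BIND dn=...` line followed by a `RESULT err=49` line on the same `conn=`/`op=` pair, while the `connection from` line for that `conn=` carries the source IP. The script below joins those three line types so repeated failures can be attributed to a client address. The log format, the path under `/var/log/dirsrv/slapd-*/access`, and the sample lines are assumptions and constructed for the example; Kerberos (kinit, SSH) failures are recorded in the KDC log instead and are not covered here.

```python
#!/usr/bin/env python3
"""Attribute failed LDAP binds in a 389-ds access log to source IPs.

Added example, not FreeIPA code. The log lines below are constructed to
match the 389-ds access log format; they are not taken from any real host.
"""
import re
import sys
from collections import Counter

# Constructed sample: three failed binds (err=49) as admin from 10.0.0.5,
# one successful admin bind from 10.0.0.7, one failed bind as jdoe from 10.0.0.9.
SAMPLE_ACCESS_LOG = """\
[17/May/2016:09:00:01 -0400] conn=101 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[17/May/2016:09:00:01 -0400] conn=101 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/May/2016:09:00:01 -0400] conn=101 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[17/May/2016:09:00:02 -0400] conn=101 op=1 UNBIND
[17/May/2016:09:00:02 -0400] conn=101 op=1 fd=64 closed - U1
[17/May/2016:09:00:10 -0400] conn=102 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.1
[17/May/2016:09:00:10 -0400] conn=102 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/May/2016:09:00:10 -0400] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[17/May/2016:09:00:15 -0400] conn=103 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[17/May/2016:09:00:15 -0400] conn=103 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/May/2016:09:00:15 -0400] conn=103 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[17/May/2016:09:00:20 -0400] conn=104 fd=67 slot=67 connection from 10.0.0.9 to 10.0.0.1
[17/May/2016:09:00:20 -0400] conn=104 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[17/May/2016:09:00:20 -0400] conn=104 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"  # assumed realm suffix

CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ .*connection from (?P<ip>\S+) to ")
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)")


def failed_binds(lines, target_dn=None):
    """Return [(timestamp, source_ip, bind_dn)] for every BIND that got err=49.

    The source IP is taken from the 'connection from' line of the same conn=;
    if that line is missing (e.g. rotated out of the file) the IP is '?'.
    If target_dn is given, only binds for that DN are returned.
    """
    conn_ip = {}     # conn id -> client IP
    pending = {}     # (conn, op) -> (timestamp, bind dn) awaiting its RESULT
    failures = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["ts"], m["dn"])
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (m["conn"], m["op"])
            if key not in pending:
                continue          # RESULT of a non-BIND op on this conn
            ts, dn = pending.pop(key)
            if m["err"] == "49" and (target_dn is None or dn.lower() == target_dn.lower()):
                failures.append((ts, conn_ip.get(m["conn"], "?"), dn))
    return failures


def failures_by_source(lines, target_dn=None):
    """Counter of failed binds per client IP, optionally limited to one DN."""
    return Counter(ip for _, ip, _ in failed_binds(lines, target_dn))


if __name__ == "__main__":
    # Usage: failed_binds.py /var/log/dirsrv/slapd-EXAMPLE-COM/access [bind dn]
    # With no arguments the constructed sample log is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_ACCESS_LOG.splitlines()
    dn_filter = sys.argv[2] if len(sys.argv) > 2 else None
    for ts, ip, dn in failed_binds(log_lines, dn_filter):
        print(f"{ts}  {ip:15}  {dn}")
    print("--- failed binds per source ---")
    for ip, n in failures_by_source(log_lines, dn_filter).most_common():
        print(f"{n:6}  {ip}")
```

Run it against the live access log with the admin DN as the second argument and the per-source counts point at the host whose stale credential or brute-force client is driving `krbLoginFailedCount` up; if the counts are all zero, the failures are coming through Kerberos and the KDC log is the next place to look.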

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Adam Kaczka
I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA chain is missing; so I am thinking I may have to use ipa-server-certinstall to reinstall the two certs. 5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.cryp

Re: [Freeipa-users] IPA and RSA

2016-05-17 Thread Sean Hogan
Forgot to mention this is for ipa-server-3.0.0-47.el6_7.1.x86_64 Thanks Sean Hogan From: Sean Hogan/Durham/IBM@IBMUS To: freeipa-users Date: 05/16/2016 04:01 PM Subject: [Freeipa-users] IPA and RSA Sent by: freeipa-users-boun...@redhat.com Hello all, New req com

[Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Giuseppe Sarno
Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against freeIPA/389DS. While running this example I noticed that 389