[Freeipa-users] is an IPA Server, but it might be unknown, foreign or previously deleted one

2016-08-04 Thread pgb205
My previous setup was srv2->replica srv1->srv2. I have removed replica and set it up with the one with identical hostname. Now I have replication from srv1->replica and am trying to create another agreement from srv2=>replica but I am getting the error message above. My guess is that old hostname i

Re: [Freeipa-users] unable to auth to IPA Web panel as trusted user (4.2)

2016-08-04 Thread Alexander Bokovoy
On Thu, 04 Aug 2016, Jake wrote: Hey All, I've added external enterprise admins to my local admins group, however I cannot authenticate to the IPA web interface (nor can I request kerberos spn's to generate dogtag certs even if authenticated on a ipa client). Not possible right now. Is it poss

Re: [Freeipa-users] Active directory integration with FreeIPA domain

2016-08-04 Thread Alexander Bokovoy
On Thu, 04 Aug 2016, Matt Comben wrote: Hi all, TLDR - Is it possible to sync users FROM FreeIPA TO 'AD' TLDR - No. I've started introducing FreeIPA into our network (which is currently LDAP with linux clients) and migrating client servers to authenticate against FreeIPA (which has been work

[Freeipa-users] unable to auth to IPA Web panel as trusted user (4.2)

2016-08-04 Thread Jake
Hey All, I've added external enterprise admins to my local admins group, however I cannot authenticate to the IPA web interface (nor can I request kerberos spn's to generate dogtag certs even if authenticated on a ipa client). Is it possible to use external ldap credentials to manage the IPA A

Re: [Freeipa-users] How to delete a managed group [SOLVED]

2016-08-04 Thread Bob Hinton
On 03/08/2016 14:13, Rob Crittenden wrote: > Bob Hinton wrote: >> On 03/08/2016 07:15, Petr Spacek wrote: >>> On 3.8.2016 00:58, Bob Hinton wrote: Hi, Something went wrong when trying to restore some preserved users so I deleted them and then tried to recreate them. This failed

Re: [Freeipa-users] Certificate Issues

2016-08-04 Thread Rob Crittenden
Adam Lewis wrote: Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows : ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess"; replied: 1: Authentication Error And the de

[Freeipa-users] Active directory integration with FreeIPA domain

2016-08-04 Thread Matt Comben
Hi all, TLDR - Is it possible to sync users FROM FreeIPA TO 'AD' I've started introducing FreeIPA into our network (which is currently LDAP with linux clients) and migrating client servers to authenticate against FreeIPA (which has been working great). In the past couple of weeks, we were forc

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Rob Crittenden
Anon Lister wrote: I'd also like to throw in that the requirements you are facing are likely requiring FIPS Certified, not just compliant, as I'm somewhat familiar with them. (800-53 or 800-171) Essentially it will have to fall back on the FIPS compliant openssl implementation, however I believe

[Freeipa-users] kerberos auth from windows (windows 10 to cent7 with ipa4.2)

2016-08-04 Thread Jake
Hey All, Has anyone come across this issue when attempting to use kerberos auth from windows. PS C:\Users\jevans> ssh -V OpenSSH_7.1p2, OpenSSL 1.0.2h 3 May 2016 running command: ssh ipaclient.ipa.example.com -K -v -oGSSAPIDelegateCredentials=yes -oGSSAPIAuthentication=yes debug1: Next

Re: [Freeipa-users] Querying the dir srv

2016-08-04 Thread Sean Hogan
Thanks Ben.. appreciated.. will give it a go. Do you guys recommend any specific ldap viewer to view the internals? I was looking at apache dir studio I think it was... but needs java and I don't want to add java to a server that does not have it increasing the mitigation/vulnerability factor o

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Michael Sean Conley
Is there any indication of a timeframe for it to become FIPS compliant? If we are talking weeks, rather than years... Michael Sean Conley From: Rob Crittenden To: Michael Sean Conley , freeipa-users@redhat.com Date: 08/04/2016 11:37 AM Subject: Re: [Freeipa-users]

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Anon Lister
Sorry, certified openssl implementation* On Aug 4, 2016 9:38 AM, "Anon Lister" wrote: > I'd also like to throw in that the requirements you are facing are likely > requiring FIPS Certified, not just compliant, as I'm somewhat familiar with > them. (800-53 or 800-171) > > Essentially it will have

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Anon Lister
I'd also like to throw in that the requirements you are facing are likely requiring FIPS Certified, not just compliant, as I'm somewhat familiar with them. (800-53 or 800-171) Essentially it will have to fall back on the FIPS compliant openssl implementation, however I believe there are other cryp

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Rob Crittenden
Michael Sean Conley wrote: Does ANYONE have any experience getting IPA to work with FIPS? We're trying desperately to get this going, as we have some requirements that the Identity Management Tool we choose must be FIPS 140-2 compliant. No, it doesn't work in FIPS mode yet. If you open a suppo

[Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Michael Sean Conley
Does ANYONE have any experience getting IPA to work with FIPS? We're trying desperately to get this going, as we have some requirements that the Identity Management Tool we choose must be FIPS 140-2 compliant. GGHHH Michael Sean Conley -- Manage your subscription for the Freeipa-users ma

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Alston, David
Greetings! Thanks for clarifying. That makes more sense now. I'm still not sure what sorts of headaches I would be running into if I do have FreeIPA and AD both managing servers in the company.com domain. Somehow I need to find out if these are just mild headaches, or if they are i

Re: [Freeipa-users] Querying the dir srv

2016-08-04 Thread Ben Lipton
On 08/04/2016 11:31 AM, Sean Hogan wrote: Hi All, Where can I find information about the IPA schema as in what = what in the dir srv? I do not have a ldap viewer. I am looking to pull specific info from it such as a list of servers that have enrolled = true and have been playing with ldapsear

Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-04 Thread Jake
Jakub, Resolved seems to be working (I swear restarting sssd and adding the debug line does some magic), the sssd performance blog worked out quite well. I did not need to make any changes to my trust relationship, re-running the ad trust setup steps and restarting sssd did the trick. Thank You

[Freeipa-users] Querying the dir srv

2016-08-04 Thread Sean Hogan
Hi All, Where can I find information about the IPA schema as in what = what in the dir srv? I do not have a ldap viewer. I am looking to pull specific info from it such as a list of servers that have enrolled = true and have been playing with ldapsearch to no avail. Sean Hogan -- Mana
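The question above is answered in the thread, but the reply is cut off here. The following is an added example (not code from the thread or from the FreeIPA project) of the query a practitioner would run for "which hosts are enrolled", plus a small LDIF reader so the ldapsearch output can be post-processed without an LDAP viewer. Assumptions, none of which come from the thread: the IPA suffix is dc=example,dc=com; host entries live under cn=computers,cn=accounts,<suffix> with objectClass ipaHost; and an enrolled host carries a krbLastPwdChange attribute (the attribute `ipa host-show` turns into "Keytab: True"). The LDIF embedded below is constructed sample output, not a capture from a real server, and the bind identity must be allowed to read krbLastPwdChange for the live query to return anything.

```python
"""List enrolled FreeIPA hosts from ldapsearch output (added example, not thread code).

Assumptions (not from the thread): suffix dc=example,dc=com, hosts under
cn=computers,cn=accounts,<suffix>, and krbLastPwdChange present iff the host
has a keytab. SAMPLE_LDIF is constructed, not captured from a real server.
"""
import base64
import subprocess
from typing import Dict, List

SUFFIX = "dc=example,dc=com"                     # assumption: replace with your suffix
HOST_BASE = "cn=computers,cn=accounts," + SUFFIX  # FreeIPA's host container
ENROLLED_FILTER = "(&(objectClass=ipaHost)(krbLastPwdChange=*))"
ALL_HOSTS_FILTER = "(objectClass=ipaHost)"
ATTRS = ["fqdn", "objectClass", "krbLastPwdChange", "enrolledBy"]


def ldapsearch_argv(suffix: str = SUFFIX, only_enrolled: bool = True) -> List[str]:
    """argv for an ldapsearch over the host container; bind via GSSAPI after kinit."""
    base = "cn=computers,cn=accounts," + suffix
    flt = ENROLLED_FILTER if only_enrolled else ALL_HOSTS_FILTER
    return ["ldapsearch", "-Y", "GSSAPI", "-LLL", "-b", base, flt] + ATTRS


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments; attribute names are lower-cased."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def enrolled_hosts(ldif_text: str) -> List[str]:
    """FQDNs of host entries that carry krbLastPwdChange, i.e. have a keytab."""
    out: List[str] = []
    for entry in parse_ldif(ldif_text):
        if entry.get("krblastpwdchange") and entry.get("fqdn"):
            out.extend(entry["fqdn"])
    return sorted(out)


def run_ldapsearch(suffix: str = SUFFIX) -> List[str]:
    """Query the live server (needs a Kerberos ticket) and return enrolled FQDNs."""
    proc = subprocess.run(ldapsearch_argv(suffix, only_enrolled=False),
                          capture_output=True, text=True, check=True)
    return enrolled_hosts(proc.stdout)


# Constructed sample output of the ALL_HOSTS_FILTER search: two enrolled
# hosts (one with a folded line and a base64 value) and one never enrolled.
SAMPLE_LDIF = """\
dn: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: web1.example.com
objectClass: ipaHost
krbLastPwdChange: 20160803101500Z
enrolledBy: uid=admin,cn=users,cn=accounts,dc=example,dc=com

dn: fqdn=db1.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: db1.example.com
objectClass: ipaHost
description:: b3Bz
krbLastPwdChange: 20160804
 093000Z

dn: fqdn=spare.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: spare.example.com
objectClass: ipaHost
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv()))
    print("enrolled (sample):", enrolled_hosts(SAMPLE_LDIF))
```

Run `kinit admin` first; the ldapsearch line printed by the script is what you would type on an IPA server or enrolled client. To see the raw attribute names behind any `ipa` command output, `ipa host-show <fqdn> --all --raw` is the quickest reference, and the schema itself ships on the server as the LDIF files under /usr/share/ipa/ that ipa-server-install loads into the directory server.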

Re: [Freeipa-users] label for public keys

2016-08-04 Thread Tiemen Ruiten
Wow, that's actually pretty obvious. That works, thanks! On 4 August 2016 at 17:10, Jan Pazdziora wrote: > On Thu, Aug 04, 2016 at 05:01:00PM +0200, Tiemen Ruiten wrote: > > > > Currently it is possible to add multiple SSH-keys for a single user in > > FreeIPA. We are using this capability to gr

Re: [Freeipa-users] label for public keys

2016-08-04 Thread Jan Pazdziora
On Thu, Aug 04, 2016 at 05:01:00PM +0200, Tiemen Ruiten wrote: > > Currently it is possible to add multiple SSH-keys for a single user in > FreeIPA. We are using this capability to grant access to multiple > contractors under a single user (so user company1, with keys A, B, C to > give access to t

[Freeipa-users] label for public keys

2016-08-04 Thread Tiemen Ruiten
Hello, Currently it is possible to add multiple SSH-keys for a single user in FreeIPA. We are using this capability to grant access to multiple contractors under a single user (so user company1, with keys A, B, C to give access to three persons at company1). Unfortunately it's not possible to lab

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Jakub Hrozek
On Thu, Aug 04, 2016 at 03:39:26PM +0200, Troels Hansen wrote: > Hmm, was too fast. > > ldap_user_principal = nosuchattr > subdomain_inherit = ldap_user_principal > > Works, but ONLY from the IPA server. > > If I do the same from a client, I still get: > > (Thu Aug 4 15:32:05 2016) [[sssd[krb5

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
Hmm, was too fast. ldap_user_principal = nosuchattr subdomain_inherit = ldap_user_principal Works, but ONLY from the IPA server. If I do the same from a client, I still get: (Thu Aug 4 15:32:05 2016) [[sssd[krb5_child[16374]]]] [get_and_save_tgt] (0x0020): 1234: [-1765328378][Client 'drext...

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
Solved it myself. http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html Apparently it's well known, and will be solved in 7.3 - On Aug 4, 2016, at 1:56 PM, Troels Hansen t...@casalogic.dk wrote: > Hmm, well, yes, it did: > > (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[181

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
Hmm, well, yes, it did: (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [unpack_buffer] (0x0100): cmd [249] uid [1349938498] gid [1349938498] validate [true] enterprise principal [false] offline [false] UPN [drext...@dr.dk] (Thu Aug 4 13:46:58 2016) [[sssd[krb5_child[18121]]]] [k5c_setup

Re: [Freeipa-users] Cannot add external group from Active Directory two-way trust

2016-08-04 Thread Jakub Hrozek
On Wed, Aug 03, 2016 at 09:44:26PM +, Gregory Koch wrote: > I've been following the documentation at > https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to > establish a two-way forest trust with Active Directory. I'm getting stuck > when mapping external AD groups in

Re: [Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Jakub Hrozek
On Thu, Aug 04, 2016 at 12:57:40PM +0200, Troels Hansen wrote: > Hi, we have set up IPA in an AD trust and are about 90% done, but still have > one problem using SSH login. > > Kerberos works: > # kdestroy > # kinit drext...@net.dr.dk > Password for drext...@net.dr.dk: > # klist > Ticket cach

Re: [Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Jakub Hrozek
On Thu, Aug 04, 2016 at 12:28:33PM +0200, Petr Vobornik wrote: > On 08/04/2016 11:48 AM, Keller, Mario wrote: > > Hello, > > > > I've setup two ipa-servers on RHEL 7 that are up and running. Replication is > > also working. > > > > #ipa-replica-manage list > > Directory Manager password: > > >

[Freeipa-users] SSH auth failing in IPA trust

2016-08-04 Thread Troels Hansen
Hi, we have set up IPA in an AD trust and are about 90% done, but still have one problem using SSH login. Kerberos works: # kdestroy # kinit drext...@net.dr.dk Password for drext...@net.dr.dk: # klist Ticket cache: KEYRING:persistent:0:0 Default principal: drext...@net.dr.dk Valid starting

Re: [Freeipa-users] Deleted Replica Problems

2016-08-04 Thread Petr Vobornik
On 08/03/2016 08:06 PM, Ian Harding wrote: > I deleted a replica that had a corrupted ldap database and it caused > some problems. I'm now getting the dreaded What do you mean by "deleted"? Ran `ipa-replica-manage del $server`? Removed the machine completely? Or something else? > > [root@edinbur

Re: [Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Petr Vobornik
On 08/04/2016 11:48 AM, Keller, Mario wrote: > Hello, > > I've setup two ipa-servers on RHEL 7 that are up and running. Replication is > also working. > > #ipa-replica-manage list > Directory Manager password: > > s-fcbg-ipa2.ipa.cornelsen.de: master > s-onli-ipa1.ipa.cornelsen.de: master > >

[Freeipa-users] Cannot add external group from Active Directory two-way trust

2016-08-04 Thread Gregory Koch
I've been following the documentation at https://www.freeipa.org/page/Active_Directory_trust_setup and I was able to establish a two-way forest trust with Active Directory. I'm getting stuck when mapping external AD groups into a POSIX group (the "Allow access for users from AD domain to prote

[Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Keller, Mario
Hello, I've setup two ipa-servers on RHEL 7 that are up and running. Replication is also working. #ipa-replica-manage list Directory Manager password: s-fcbg-ipa2.ipa.cornelsen.de: master s-onli-ipa1.ipa.cornelsen.de: master Both servers running ipa-server-4.2 : rpm -qa | grep ipa-server ipa-

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Simo Sorce
On Wed, 2016-08-03 at 15:22 -0500, Alston, David wrote: > Greetings! > > >> 2. Active Directory must never know anything about a DNS domain > > >> freeipa.company.com (I'm not sure why) > > > Correct because if that happened then AD considers the whole > subdomain as part of its realm and trust

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-04 Thread Florence Blanc-Renaud
On 08/03/2016 07:54 PM, Richard Harmonson wrote: On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote: On 08/02/2016 04:52 AM, Richard Harmonson wrote: On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com>

Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-04 Thread Jakub Hrozek
On Wed, Aug 03, 2016 at 08:38:00PM -0400, Jake wrote: > Thanks Jakub, > turns out 'getent password usern...@legacy.example.org' only works on 1 of > the 4 ipa servers (the one I created the domain trust with). OK, then we need to first fix all the servers before proceeding to the clients. > > I

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Petr Spacek
On 3.8.2016 22:22, Alston, David wrote: > Greetings! > >>> 2. Active Directory must never know anything about a DNS domain >>> freeipa.company.com (I'm not sure why) >> Correct because if that happened then AD considers the whole subdomain as >> part of its realm and trust routing will not work.