hi rob,
>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>> using ipa-getkeytab -r (since the keytab for the same user was already
>> retrieved on another host).
>>
>> when doing so, i get
>>
>> Failed to parse result: Insufficient access rights
>>
>> however, i can get the
hi all,
(this is IPA 4.4.0-14.el7.centos.4)
i'm a bit puzzled by the following: i want to retrieve a user keytab
using ipa-getkeytab -r (since the keytab for the same user was already
retrieved on another host).
when doing so, i get
Failed to parse result: Insufficient access rights
however, i
hi all,
i'm trying to set up a one-sided trust with an AD, following
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-groups.html
the trust is set up and seems to work (i get IPA service token using kvno
and an AD kerberos credential), "i
wrote:
> On 16.11.2016 18:26, Stijn De Weirdt wrote:
>> hi petr,
>>
>>>>>> this is a different question: what can we do such that compromised host
>>>>>> can do as little as possible if the admin doesn't (yet) know the host is
>>>
hi petr,
this is a different question: what can we do such that compromised host
can do as little as possible if the admin doesn't (yet) know the host is
compromised.
the default policy allows way too much.
>>>
>>> For any useful advice we need more details.
>>>
>>> What ar
>> this is a different question: what can we do such that compromised host
>> can do as little as possible if the admin doesn't (yet) know the host is
>> compromised.
>>
>> the default policy allows way too much.
>
> For any useful advice we need more details.
>
> What are the operations you want
hi martin,
>>> we are looking at how to configure whatever relevant policy to minimise the
>>> impact of compromised IPA hosts (i.e. servers with a valid host keytab).
>>>
>>> in particular, it looks like it is possible to retrieve any user token once
>>> you have access to a valid host keytab.
>>>
>>> we
>> we are looking at how to configure whatever relevant policy to minimise the
>> impact of compromised IPA hosts (i.e. servers with a valid host keytab).
>>
>> in particular, it looks like it is possible to retrieve any user token once
>> you have access to a valid host keytab.
>>
>> we're aware that the
hi all,
we are looking at how to configure whatever relevant policy to minimise the
impact of compromised IPA hosts (i.e. servers with a valid host keytab).
in particular, it looks like it is possible to retrieve any user token once
you have access to a valid host keytab.
we're aware that the default IP
so the trick is to first login with the random password, it will prompt
to renew it, and with a new password set, you can retrieve a usable keytab.
stijn
>
> i'm trying to create a keytab for a user via FreeIPA
>
> user was added via ipa user-add --random; keytab retrieved using
> ipa-getkeytab
hi all,
i'm trying to create a keytab for a user via FreeIPA
user was added via ipa user-add --random; keytab retrieved using
ipa-getkeytab (using admin credentials)
klist -k list shows a number of entries for same KVNO
however, i cannot get any credentials using kinit -kt
it always returns:
"
hi simon,
ok, that's a pity. the problem we are trying to solve is the following: we
are going to set up a new krb5 realm with IPA and we would like to
explore methods to have our users authenticate against this realm (well,
the kinit otherusername@IPA part) using methods that existing/available
fo
sword verification step from IPA is
handed over to AD somehow?).
anyway, hints are welcome
stijn
On 07/09/2014 11:23 PM, Simo Sorce wrote:
On Wed, 2014-07-09 at 18:38 +0200, Stijn De Weirdt wrote:
hi all,
we are investigating the possibility to use an existing and valid AD
token to obtain a
hi all,
we are investigating the possibility to use an existing and valid AD
token to obtain a token from a realm under FreeIPA (3.3.3 from el7),
without having to set up the full IPA AD cross realm trust. (in
particular, to avoid that AD has to trust the IPA setup; and with the
goal that we c
hi all,
IMO we should not treat the OTP we set for the host enrollment as a
kerberos password.
I would rather record a time of the creation and validity period when
the password is set in two new attributes. The validity period should be
optional and if not provided copied from a system wide pol
hi alexander,
ity would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). very useful to spot the state of ongoing deployments and
to spot problems. how can one obtain the creation time of the
password? fetch
hi rob,
i'm trying to write my own FreeIPA plugin (for frontend cli usage), and
so far so good, but i'm stuck on 2 issues:
- is it possible to have the plugin use a dedicated or additional log
file? i can manipulate the log manager, but maybe there's a proper API
in freeipa for it; similar to th
hi all,
i'm trying to write my own FreeIPA plugin (for frontend cli usage), and
so far so good, but i'm stuck on 2 issues:
- is it possible to have the plugin use a dedicated or additional log
file? i can manipulate the log manager, but maybe there's a proper API
in freeipa for it; similar to
hi alexander,
No real password is in the kickstart file, OTP will turn itself off
automatically on enrollment and time has to be within the window of
opportunity.
but the password itself is still valid if the install failed and
someone else tries to use it.
Right. Nobody actually prevents you
hi alexander,
No, because then you have to either ship keytabs around during
provisioning or hardcode that user's password in the kickstart and
they are already nervous about doing that for the OTP.
This topic raises regularly on IRC. My suggestion was to create these
one time passwords based o
53 PM, Alexander Bokovoy wrote:
On Mon, 24 Mar 2014, Stijn De Weirdt wrote:
hi dmitri,
The whole idea of the host passwords is to be added as a part of the
provisioning workflow so it should be seconds anyways.
We created a "smart proxy" for Foreman (provisioning system) to drive
ho
https://fedorahosted.org/freeipa/ticket/4272
On 03/24/2014 08:44 PM, Stijn De Weirdt wrote:
hi dmitri,
The whole idea of the host passwords is to be added as a part of the
provisioning workflow so it should be seconds anyways.
We created a "smart proxy" for Foreman (provisioning
hi rob,
You can only specify password policy for User Groups, not host groups,
so there is no way to do this currently. It also isn't that
fine-grained. The minimum lifetime is 1 hour, the minimum of the maximum
lifetime is 1 day.
I don't see why support for Host Groups (and therefore Hosts) ca
hi dmitri,
The whole idea of the host passwords is to be added as a part of the
provisioning workflow so it should be seconds anyways.
We created a "smart proxy" for Foreman (provisioning system) to drive
host creation. It just landed upstream (first version) last week.
Any chance you can use or
hi all,
i'm trying to limit the minimum and maximum lifetime of passwords (in
particular the random password when a host is added; but i guess this is
more general).
(i'm using ipa 3.0 from el6 and also looking at 3.3 from rhel7 beta, but
the relevant code seems the same or at least very simila
hi will,
I am running FreeIPA 3.0 server on Centos 6.4. This provides authentication for
Linux workstations, HPC cluster and file server.
We have some Windows XP machines that need to be able to map a CIFS share, but
these cannot have any clients installed due to being specialist data
acquis
hi all,
what minimal OS is targeted for freeipa 3.2: FC19 or FC18?
stijn
On 04/02/2013 06:32 PM, Martin Kosek wrote:
The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We
would like to welcome any early testers of this prerelease to provide us
feedback and help us stab
thanks for the info. i'll setup a test with current branch and see if
that works for us.
stijn
On 03/26/2013 01:52 PM, Alexander Bokovoy wrote:
On Tue, 26 Mar 2013, Stijn De Weirdt wrote:
hi all,
how can one add more domains to the same (existing) realm with ipa? we
would like to
hi all,
how can one add more domains to the same (existing) realm with ipa? we
would like to bring multiple networks (some private, some public) under
a single realm. as far as i understand krb5.conf, it means creating the
following domain_realm section
[domain_realm]
.domain1 = REALM
.dom
i'll get back to the previous part later, when i can test it (thanks petr!)
i guess the timestamps are somewhere in the ldap schema, i would like to know
where or how i can find them.
and if possible, how to do that using the ipalib python api.
btw, is it correct for me to assume that when has
hi all,
(i'm new to freeipa, so it's possible i missed some docs here and there ;)
i'm looking to add hosts with some secret password to ipa, then during
kickstart install they use this password to run ipa-client-install.
what i would like to do, is to check for all hosts which have a passwor