Hi,
we have done some additional testing and debugging.
It seems there are some problems with the extdom-extop plugin in the directory
server.
If we set ignore_group_members, the first request gets a good response.
(tested by: server: sssctl cache-remove -p -s -o ; sleep 1; stop-dirsrv ; sleep
1; s
Well, after poking around with the dates and a few restarts of services,
IPA now starts seemingly cleanly at the current date, although the clients
still don't seem to want to trust the CA, and I'm still seeing the old cert
crop up.
If I look at the cert that wasn't updating before, it now seems t
Hello everyone,
I'm trying to add a CentOS 7 64bit host to our FreeIPA domain.
Client FreeIPA is 4.5.4-10
Server FreeIPA is 4.4.0
Client FreeIPA rpms:
ipa-common-4.5.4-10.el7.centos.3.noarch
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.5.4-10.el7.centos.3.noarch
ipa-client-4.5.4-10.el7.
sssd_nss.log during attempted lookup of slyme...@grinnell.edu account:
https://pastebin.com/gLFnhZ9s
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora C
To the /etc/krb5.conf file on the client, I changed from this:
[realms]
CS.GRINNELL.EDU = {
kdc = ipa.cs.grinnell.edu:88
master_kdc = ipa.cs.grinnell.edu:88
admin_server = ipa.cs.grinnell.edu:749
kpasswd_server = ipa.cs.grinnell.edu:464
default_domain = cs.grinnell.edu
pk
On Wed, Jul 11, 2018 at 09:07:41PM -, Mike Conner via FreeIPA-users wrote:
> No, the lookups fail on both the server and the client.
Can you post logs of a failing lookup on the server? You would add
debug_level to the [nss] and [domain] section in sssd.conf and run the
lookup.
No, the lookups fail on both the server and the client.
On Wed, Jul 11, 2018 at 08:36:43PM -, Mike Conner via FreeIPA-users wrote:
> I have an issue where I've established the AD trust and am able to look up
> my own account and about 30 others, but all others fail. I've compared
> AD attributes across accounts and can't find anything that is notabl
On Wed, Jul 11, 2018 at 08:30:16PM -, Mike Conner via FreeIPA-users wrote:
> So you're saying the client is probably not finding the AD KDC through DNS
> SRV calls?
Not necessarily not finding, but perhaps the AD KDCs the client
discovers are slow to respond?
What exactly were the changes t
I have an issue where I've established the AD trust and am able to look up my
own account and about 30 others, but all others fail. I've compared AD
attributes across accounts and can't find anything that is notably different.
I've seen messages about making sure that groups can resolve, but I d
So you're saying the client is probably not finding the AD KDC through DNS SRV
calls? I think that I've tested all the DNS configs that are called for in the
documentation. What could I do to test whether the AD realm's KDC is being
discovered?
Here's what I've tried to see if the dns is correc
Hi IPA Users,
I have a custom PHP script on the same Apache HTTPD server as used by IPA and
the script attempts to make a request to the IPA Server's JSON endpoint using
PHP's libcurl and a custom service principal. However, the request is coming
across as the IPA HTTP service principal, not
Actually, I wonder if this is related.
From journalctl -xe:
> Jul 11 16:40:01 ipa.services.COMPANY audit[10280]: USER_ACCT pid=10280 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser
> acct
Hey,
Sorry for the delay, I couldn't reproduce the issue at the time, but
it's happening now.
Yes, gssproxy is running:
> # systemctl status gssproxy.service
> ● gssproxy.service - GSSAPI Proxy Daemon
> Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor
> preset: disab
On Wed, Jul 11, 2018 at 03:56:22PM -, Mike Conner via FreeIPA-users wrote:
> This is now working after adding a stanza for the AD realm in /etc/krb5.conf
> file. Should that be necessary?
Did you also add the KDCs for the AD realm?
I'm asking because by default, sssd on the client does not
This is now working after adding a stanza for the AD realm in /etc/krb5.conf
file. Should that be necessary?
Also for the last version 2.1.0 I realized that it can be created with this:
cp templates/install/pam/ipsilon.pamd /etc/pam.d/ipsilon
Thanks & Regards.
-Original Message-
From: Alexander Bokovoy
Sent: Wednesday, July 11, 2018 14:08
To: FreeIPA users list
Cc:
Thanks for the info. Unfortunately my version doesn’t have it, but googling I
found this:
https://bugzilla.redhat.com/show_bug.cgi?id=1348585
In my version the 'remote' service is used.
Thanks & Regards.
-Original Message-
From: Alexander Bokovoy
Sent: Wednesday, July 11, 2018 14:08
To:
Hi again,
I tried to connect two of my replicas, but could not:
Executed from replica2:
`ipa-replica-manage connect -v replica1.example.com replica2.example.com`
Connection unsuccessful: replica2.example.com is an IPA Server, but it might be
unknown, foreign or previously deleted one.
If I in
On ke, 11 heinä 2018, skrawczenko--- via FreeIPA-users wrote:
Unfortunately, can't see anything suspicious in krb5kdc.log
Multiple hosts request TGT in NEEDED_PREAUTH:host/ - ISSUE dialogs.
No errors and 'admin' is not encountered anywhere.
I'm having a concern that older machines could have b
On ke, 11 heinä 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
I have added the service on IPA and changed on the HBAC rule from "any
service" to "ipsilon", but now I can not login on ipsilon. Also I've
checked that there is no '/etc/pam.d/ipsilon' file.
On my Ipsilon server (based on Fed
Unfortunately, can't see anything suspicious in krb5kdc.log
Multiple hosts request TGT in NEEDED_PREAUTH:host/ - ISSUE dialogs.
No errors and 'admin' is not encountered anywhere.
I'm having a concern that older machines could have been enrolled (ipa-client)
with admin user.
Could you suggest wh
As an update - just in case somebody comes across this thread in the future
I copied the environment to a test rig and performed the surgery as
proposed. And it worked. I was able to promote a new replica.
For those really interested in the details, here's the series of steps I
performed - some s
I have added the service on IPA and changed on the HBAC rule from "any service"
to "ipsilon", but now I can not login on ipsilon. Also I've checked that there
is no '/etc/pam.d/ipsilon' file.
Thanks & Regards.
-Original Message-
From: Alexander Bokovoy
Sent: Tuesday, July 10, 2018 15: