It's impossible to say without any details.
What details do you need?
What does login mean? It seems to mean ssh but it's unclear.
A ssh login. A local machine login. All of the above.
What output do you get?
Invalid password. But I know it's the correct password, and I try with
Steve Reed via FreeIPA-users wrote:
> Also, I get the same response on clients that I cannot login with the FreeIPA
> (LDAP accounts) , but i can login to Kerberos with my fixed krb5.conf file.
>
> So I still have the problem even with that command returning what I reported
> above. Kerberos is
On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
> In a completely fresh install of freeipa-server, f34, my logs are filled with
>
> certmonger[5754]: usr/lib/api/apiutil.c Could not open
> /run/lock/opencryptoki/LCK..APIlock
I get similar messages from certutil, certmonger and pk12util
Also, I get the same response on clients that I cannot login with the FreeIPA
(LDAP accounts) , but i can login to Kerberos with my fixed krb5.conf file.
So I still have the problem even with that command returning what I reported
above. Kerberos is working fine, but I can't login as admin on t
Steve Reed via FreeIPA-users wrote:
> Where would that be? Which file for Centos 7?
This is DNS. It is not server-specific. It is handled by who/whatever
handles DNS for your zone(s).
rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahost
Where would that be? Which file for Centos 7?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/
This shows the records you *should* have available. Compare this to
those that actually exist.
rob
Steve Reed via FreeIPA-users wrote:
> [root@ozservices installer]# ipa dns-update-system-records --dry-run
> IPA DNS records:
> _kerberos-master._tcp.cs.ssds. 86400 IN SRV 0 100 88 ozservices.
On 5/10/21 10:58 AM, Harry Coin via FreeIPA-users wrote:
> In a completely fresh install of freeipa-server, f34, my logs are filled with
>
> certmonger[5754]: usr/lib/api/apiutil.c Could not open
> /run/lock/opencryptoki/LCK..APIlock
> ___
Just now:
#
on a clean install on f34 of freeipa server with dns:
After enabling dnssec on a zone, to avoid thousands of lines appear in
the logs like:
May 10 12:12:45 registry1.1.quietfountain.com named[11774]:
File.cpp(94): Could not open the file (Permission denied):
/var/lib/ipa/dnssec/tokens/2bf061ad-f
On 5/10/21 11:21 AM, Alexander Bokovoy wrote:
> On ma, 10 touko 2021, Harry G. Coin wrote:
>>
>> On 5/10/21 10:30 AM, Alexander Bokovoy wrote:
>>> On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 9:55 AM, Alexander Bokovoy wrote:
> On ma, 10 touko 2021, Harry G. Coin wrote:
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 10:30 AM, Alexander Bokovoy wrote:
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 9:55 AM, Alexander Bokovoy wrote:
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
On su, 09 touko 2021, Ha
On 5/10/21 10:30 AM, Alexander Bokovoy wrote:
> On ma, 10 touko 2021, Harry G. Coin wrote:
>>
>> On 5/10/21 9:55 AM, Alexander Bokovoy wrote:
>>> On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
> On su, 09 touko 2021, Harry G. Coin via FreeIPA-
In a completely fresh install of freeipa-server, f34, my logs are filled with
certmonger[5754]: usr/lib/api/apiutil.c Could not open
/run/lock/opencryptoki/LCK..APIlock
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscrib
On 5/10/21 5:12 PM, Joakim Tjernlund wrote:
On Mon, 2021-05-10 at 14:53 +, Joakim Tjernlund wrote:
I decided to test new sssd/KCM and this is what I get:
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Default principal: jo...@infinera.
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 9:55 AM, Alexander Bokovoy wrote:
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
On su, 09 touko 2021, Harry G. Coin via FreeIPA-users wrote:
On f34, freeipa-server 4.9.3-2: Upon choosing any act
On 5/10/21 9:55 AM, Alexander Bokovoy wrote:
> On ma, 10 touko 2021, Harry G. Coin wrote:
>>
>> On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
>>> On su, 09 touko 2021, Harry G. Coin via FreeIPA-users wrote:
On f34, freeipa-server 4.9.3-2: Upon choosing any action using a
logged-in UI tha
On ma, 10 touko 2021, Harry G. Coin wrote:
On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
On su, 09 touko 2021, Harry G. Coin via FreeIPA-users wrote:
On f34, freeipa-server 4.9.3-2: Upon choosing any action using a
logged-in UI that has been left idle for some hours, browsers lock a
display 'i
On 5/10/21 8:31 AM, Alexander Bokovoy wrote:
> On su, 09 touko 2021, Harry G. Coin via FreeIPA-users wrote:
>> On f34, freeipa-server 4.9.3-2: Upon choosing any action using a
>> logged-in UI that has been left idle for some hours, browsers lock a
>> display 'internal server error' (at least on f
On ma, 10 touko 2021, Owen Vincent via FreeIPA-users wrote:
Hi everyone,
Up front, a tl;dr, we are having trouble getting our FreeIPA
cross-forest trust to allow us to authenticate AD users on our Linux
machines using ssh. It seems like the AD is only allowing RC4
encryption and won’t allow us t
On 10-05-2021 15:35, Alexander Bokovoy wrote:
On ma, 10 touko 2021, Kees Bakker via FreeIPA-users wrote:
On 10-05-2021 14:45, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,
Trying to upgrade CentOS 7 tot CentOS 8, following the various hints on
the internet. Executing this com
Today I had a web session with some collegues trying to log in with an
AD user on an IPA client system. We found out that the user account was
expired. After having reactivated that particular user we still saw "AD
user account expired" in the SSSD logs of that system. Which settings
can I use
# SSSD 2.5.0
The SSSD team is proud to announce the release of version 2.5.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.0.html
RPM packa
[root@ozservices installer]# ipa dns-update-system-records --dry-run
IPA DNS records:
_kerberos-master._tcp.cs.ssds. 86400 IN SRV 0 100 88 ozservices.cs.ssds.
_kerberos-master._udp.cs.ssds. 86400 IN SRV 0 100 88 ozservices.cs.ssds.
_kerberos._tcp.cs.ssds. 86400 IN SRV 0 100 88 ozservi
Also, dig xyz.com returns the server information.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-
On ma, 10 touko 2021, Kees Bakker via FreeIPA-users wrote:
On 10-05-2021 14:45, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,
Trying to upgrade CentOS 7 tot CentOS 8, following the various hints on
the internet. Executing this command fails
# dnf --releasever=8 --allowerasing
On su, 09 touko 2021, Harry G. Coin via FreeIPA-users wrote:
On f34, freeipa-server 4.9.3-2: Upon choosing any action using a
logged-in UI that has been left idle for some hours, browsers lock a
display 'internal server error' (at least on firefox) instead of a
log-in page, or the desired page.
Ah, after I did a kinit login.
It came back with the information on the server.
It won't work on the clients because they didn't install properly.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to fr
It says:
ipa: ERROR: did not receive Kerberos credentials
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraprojec
On 10-05-2021 15:06, Kees Bakker via FreeIPA-users wrote:
On 10-05-2021 14:45, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,
Trying to upgrade CentOS 7 tot CentOS 8, following the various hints on
the internet. Executing this command fails
# dnf --releasever=8 --allowerasing
On 10-05-2021 14:45, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Hi,
Trying to upgrade CentOS 7 tot CentOS 8, following the various hints on
the internet. Executing this command fails
# dnf --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync
...
Running transaction
Please keep responses on the list.
Scott Reed wrote:
> Hi Rob,
>
>
>
> The FreeIPA accounts are using LDAP for logins to clients, right?
> That’s what I’ve understood. Is that wrong?
SSSD uses the host keytab to authenticate so if Kerberos isn't working
then that would be affected.
> The r
Kees Bakker via FreeIPA-users wrote:
> Hi,
>
> Trying to upgrade CentOS 7 tot CentOS 8, following the various hints on
> the internet. Executing this command fails
>
> # dnf --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync
> ...
> Running transaction check
> Error: transaction ch
Hi Steve,
I'm not sure if I understand exactly what's happening but it sound's like a DNS
issue. The records FreeIPA/IdM needs are fairly extensive. you can print them
out with the following command:
ipa dns-update-system-records --dry-run
You might need to go through and systematically add th
Hi Mark,
I haven't used Solaris, but it's possible that it's default configuration (or
some additional configuration) prevents the use of RSA. Based on the error,
"RSA key is not allowed", it seems likely that RSA-keys are not allowed at all
or there is a minimum key length (3072, 4096) and you
Hi Rob,
The FreeIPA accounts are using LDAP for logins to clients, right? That’s what
I’ve understood. Is that wrong?
The reason that I am forcing Kerberos realm is that the discovery does not
properly configure the krb5.conf, and it fails because it says it can’t contact
the KDC for the Rea
Hi everyone,
Up front, a tl;dr, we are having trouble getting our FreeIPA cross-forest trust
to allow us to authenticate AD users on our Linux machines using ssh. It seems
like the AD is only allowing RC4 encryption and won’t allow us to enable AES
encryption. The “the other domain supports Ker
Hi,
we are integrating a number of Solaris 11 servers into our FreeIPA deployment.
The solution requires SSH key based authentication for user access to the
Solaris 11 servers. We have password authentication working correctly with
FreeIPA using a proxy user (Solaris cllient) binding to a servi
Am Fri, May 07, 2021 at 04:11:33PM - schrieb iulian roman via FreeIPA-users:
> Yes, it is correct and this is exactly what I observed in the tests
> (if ipa-ad-trust-posix is not mentioned, the uidNumber and gidNumber
> are ignored) and the one within the range is generated.
> The situation I
38 matches
Mail list logo
