[Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Felix Chu
Hi, I would like to implement SSO for my Linux + Windows 2012 machines with MFA. I have installed FreeIPA; it works well for my Linux client authentication with OTP enabled. However, for Windows clients, I can only make it work with FreeIPA without OTP. The Windows machines are 2012 R2 without

Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy
On Thu, 11 May 2017, Felix Chu wrote: Hi, I would like to implement SSO for my Linux + Windows 2012 machines with MFA. I have installed FreeIPA; it works well for my Linux client authentication with OTP enabled. However, for Windows clients, I can only make it work with FreeIPA without OTP. Th

Re: [Freeipa-users] DNS update failing

2017-05-11 Thread Martin Bašti
On 10.05.2017 18:38, Jason Sherrill wrote: Hello, I've recently implemented FreeIPA in a mixed environment of Mac OS 10.12 and Windows 10 with limited issues! One issue is that updating the reverse zone via nsupdate works without issue, but updating the forward zone results in a REFUSED sta

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Martin Bašti
On 10.05.2017 22:42, Michael Plemmons wrote: I am currently running 4.4.0 on a three node cluster. My domain level is currently 0 on all three nodes. Is there a reason to keep the domain level at 0? I do not plan on adding any older versions of IPA into the cluster. Is there anything I ne

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-11 Thread Martin Bašti
Hello, comments inline On 11.05.2017 06:06, Robert L. Harris wrote: Sigh... Sorry, it's been a long day, I thought I put that log in the first pastebin. It's in this one: https://pastebin.com/18PAXXNS Could you please provide journalctl -u httpd and /var/log/httpd/error_log ? Also,

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-11 Thread Sumit Bose
On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote: > Hello, > > I have attached the requested files. The logs indicate that access was granted by SSSD and that gdm even called pam_open_session. Did gdm login work with the 'allow all' rule? Are there any other hints i

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
Thank you for the reply. Is there a specific order in which I should perform the DL upgrade? Should I upgrade the master first and then the replicas? Does the IPA service need to be restarted after the DL upgrade? *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemm...@crosschx.com

[Freeipa-users] Preauth module encrypted_challenge Cannot read password

2017-05-11 Thread Berkouwer, Walter
Hello, I am trying to set up an IPA configuration at a remote site. I got the ssh connection working with a 6.6 client (ipa-client version 3.0.0), but I can't get it working with a 7.3 client (ipa-client version 4.4.0). The version of the server is 4.4.0. Can someone help me with this problem? >Fr

Re: [Freeipa-users] Preauth module encrypted_challenge Cannot read password

2017-05-11 Thread Sumit Bose
On Thu, May 11, 2017 at 01:07:25PM +, Berkouwer, Walter wrote: > Hello, > > I am trying to set up an IPA configuration at a remote site. I got the > ssh connection working with a 6.6 client (ipa-client version 3.0.0), but I > can't get it working with a 7.3 client (ipa-client version 4.4.0

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-11 Thread Martin Bašti
Please keep freeipa-users in CC. A snapshot is always better, so I suggest using it. Otherwise there is an option --ignore-last-of-role to unblock uninstallation. Martin On 11.05.2017 16:00, Robert L. Harris wrote: Looks like you hit it, apache didn't have a group: -- Logs begin at Wed 2017

Re: [Freeipa-users] Domain Levels

2017-05-11 Thread Michael Plemmons
I got my answer. I did not have to restart any services. I ran the domainlevel-set command on the master and it propagated to all cluster nodes. I verified this by running domainlevel-get on each server and they all showed 1. *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 m

[Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-11 Thread Goran Marik
Hi, After an upgrade to CentOS 7.3.1611 with "yum update", we started seeing the following messages in the logs: """ May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat"

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-11 Thread Robert L. Harris
Odd, must have clicked reply instead of reply-all. Anyway, I did the revert and re-install. Actual install went through fine then the "ipa-server-install" ran until this: [8/9]: restoring configuration [9/9]: starting directory server Done. Restarting the directory server Restarting the KDC

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-11 Thread tuxderlinuxfuch...@gmail.com
I have attached the syslog with gdm debug mode enabled On 11-May-17 1:54 PM, Sumit Bose wrote: > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com wrote: >> Hello, >> >> I have attached the requested files. > The logs indicate that access was granted by SSSD and that gdm even

Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Felix Chu
Thanks for your info. So does it mean we cannot use FreeIPA server if we require MFA under Windows 2012? Our environment is under PCI-DSS certification, and PCI-DSS 3.2 has a new requirement forcing MFA on non-console access to servers. That's why we looked at FreeIPA. -Original Message- From: Alexand

Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy
On Fri, 12 May 2017, Felix Chu wrote: Thanks for your info. So does it mean we cannot use FreeIPA server if we require MFA under Windows 2012? Our environment is under PCI-DSS certification, and PCI-DSS 3.2 has a new requirement forcing MFA on non-console access to servers. That's why we looked at FreeIPA. We

[Freeipa-users] k5login loophole even when account is disabled on FreeIPA

2017-05-11 Thread Thomas Lau
Folks, let's say I am user thomas, and user "temp1" is already marked as "disabled" on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How come I could still "sudo su - temp1"? It seems to skip the check on FreeIPA even though the account is disabled. Did I miss a setting, or is this normal? -- M

Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-11 Thread Sumit Bose
On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuch...@gmail.com wrote: > I have attached the syslog with gdm debug mode enabled > > > On 11-May-17 1:54 PM, Sumit Bose wrote: > > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuch...@gmail.com > > wrote: > >> Hello, > >> > >> I have

Re: [Freeipa-users] k5login loophole even when account is disabled on FreeIPA

2017-05-11 Thread Alexander Bokovoy
On Fri, 12 May 2017, Thomas Lau wrote: Folks, let's say I am user thomas, and user "temp1" is already marked as "disabled" on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list. How come I could still "sudo su - temp1"? It seems to skip the check on FreeIPA even though the account is disabled. Di

Re: [Freeipa-users] k5login loophole even when account is disabled on FreeIPA

2017-05-11 Thread Sumit Bose
On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote: > On Fri, 12 May 2017, Thomas Lau wrote: > > Folks, > > > > let's say I am user thomas, and user "temp1" is already marked as "disabled" > > on FreeIPA, but tho...@domain.com is on the /home/temp1/.k5login list, how come > > I could stil

Re: [Freeipa-users] k5login loophole even when account is disabled on FreeIPA

2017-05-11 Thread Sumit Bose
On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote: > On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote: > > On Fri, 12 May 2017, Thomas Lau wrote: > > > Folks, > > > > > > let's say I am user thomas, and user "temp1" is already marked as "disabled" > > > on FreeIPA, but tho.
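An added example for the .k5login thread above; this is not code from the thread, from the people replying, or from FreeIPA. It is a small Python audit that collects the .k5login files under /home and flags entries that FreeIPA's "disabled" flag does not by itself revoke. It assumes the krb5 .k5login format (one principal per line) and that the host decides the authorization from the file's contents via krb5_kuserok() rather than asking the IPA KDC. The sample files, the EXAMPLE.COM realm, the account names and the ipa user-find flag mentioned in a comment are constructed assumptions.

```python
"""Audit ~/.k5login files for grants that disabling an IPA account does not revoke.

Added example (not from the thread or from FreeIPA). A .k5login in a user's home
directory lists the Kerberos principals allowed to become that user; the check is
made on the host by krb5_kuserok() from the file contents, so marking the file's
owner "disabled" in IPA does not by itself change what the file grants.
"""
import os
import re
from dataclasses import dataclass

# name[/instance]@REALM; the instance may itself contain '/', the realm is the tail after '@'
PRINCIPAL_RE = re.compile(r"^([^@\s/]+)(?:/([^@\s]+))?@(\S+)$")

OWNER_DISABLED = "owner account disabled in IPA, but .k5login still grants access to it"
PRINCIPAL_DISABLED = "listed principal belongs to a disabled IPA account"
FOREIGN_REALM = "principal from a realm other than the IPA realm"
UNPARSEABLE = "entry is not a valid principal"


@dataclass(frozen=True)
class Finding:
    owner: str       # local account whose ~/.k5login this is
    principal: str   # the offending line, as written in the file
    reason: str


def parse_k5login(text):
    """Return the principals in a .k5login body: one per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_k5login(k5login_files, disabled_users, realm):
    """k5login_files: {owner: file contents}; disabled_users: IPA user names flagged disabled.

    realm is the IPA Kerberos realm. Realm names are case-sensitive, so they are
    compared exactly. Returns the list of Findings, empty when nothing is wrong.
    """
    findings = []
    for owner in sorted(k5login_files):
        for entry in parse_k5login(k5login_files[owner]):
            m = PRINCIPAL_RE.match(entry)
            if m is None:
                findings.append(Finding(owner, entry, UNPARSEABLE))
                continue
            name, _instance, prealm = m.groups()
            if prealm != realm:
                findings.append(Finding(owner, entry, FOREIGN_REALM))
                continue
            if owner in disabled_users:
                findings.append(Finding(owner, entry, OWNER_DISABLED))
            if name in disabled_users:
                findings.append(Finding(owner, entry, PRINCIPAL_DISABLED))
    return findings


def read_k5login_files(home_root="/home"):
    """Collect {account: contents} for every <home_root>/<account>/.k5login on this host."""
    files = {}
    with os.scandir(home_root) as entries:
        for d in entries:
            path = os.path.join(d.path, ".k5login")
            if d.is_dir(follow_symlinks=False) and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[d.name] = fh.read()
    return files


# Constructed sample mirroring the thread: temp1 is disabled, thomas is in temp1's .k5login.
SAMPLE_K5LOGIN = {
    "temp1": "thomas@EXAMPLE.COM\n",
    "alice": "alice@EXAMPLE.COM\nbob/admin@EXAMPLE.COM\n",
    "svc":   "temp1@EXAMPLE.COM\nroot@OTHER.REALM\n\nnot a principal\n",
}
# Assumed source in practice: the disabled flag from `ipa user-find` (check the flag
# name in your IPA version); here the set is constructed.
SAMPLE_DISABLED = {"temp1"}


if __name__ == "__main__":
    for f in audit_k5login(SAMPLE_K5LOGIN, SAMPLE_DISABLED, "EXAMPLE.COM"):
        print(f"/home/{f.owner}/.k5login: {f.principal!r}: {f.reason}")
```

Run audit_k5login(read_k5login_files(), disabled, "YOUR.REALM") on each host with the set of disabled IPA users; a finding with the owner-disabled reason is an account that other principals can still reach through Kerberos after it was disabled, and removing or emptying that .k5login is the local fix.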