Can see AD Users on the FreeIPA Server itself, but not on connected client
by tolotos@gmail.com
Hi,
we have a setup with a Forest Trust to an AD Domain.
Everything looks good on the FreeIPA servers themselves. We can see user information if we do "getent passwd user@ad.domain", "id user@ad.domain" or "sssctl user-checks user@ad.domain".
But on a connected client, we get only the users of the IPA domain and no user information for AD users.
In the logs, we found no obvious error.
The only thing we see in sssd.log is:
(Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=user@ad.domain]
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
Best Regards,
Axel
5 years, 2 months
PTR?
by Kat
Hi
If this is set:
Allow PTR sync: TRUE
Then why, when a host is added with ipa host-add, does only the forward DNS record get set and not the PTR?
Anywhere else to look?
Thanks
5 years, 2 months
Permission to allow user to list DNS zones
by John Petrini
Hello List,
Can anyone give me some guidance on how to create a permission that allows a user to list (search) DNS zones? I know how to set up per-zone permissions using dnszone-add-permission, but in this case I just want the user to be able to get a list of zones, not modify individual zones.
Thanks,
John
5 years, 2 months
System Account for Client Enrollment
by Peter Tselios
Hello,
I want to create an IPA "system" account that will be able to enroll clients (nothing else). There was a discussion (around 2016), but it looks like it is not relevant to FreeIPA 4.5. Also, I cannot find anything in Red Hat's KB.
So, what is the correct way to create a system account that will join hosts in the IdM domain?
5 years, 2 months
SSO issue on freeipa client
by tarak sinha
Hi Team,
I am not able to ssh to my ipaclient host with SSO; it was working a few days ago.
Here is the SSH debug output. Any suggestion will be much appreciated.
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.21.113.217.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /uhome/tsinha/.ssh/id_rsa
debug3: no such identity: /uhome/tsinha/.ssh/id_rsa
debug1: Trying private key: /uhome/tsinha/.ssh/id_dsa
debug3: no such identity: /uhome/tsinha/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
5 years, 2 months
Lost Password
by John Ball
Hello All - A previous employee set up the admin account and password for logging in to our https://ipa-1.int.dplcl.com URL, and the password is not working.
How can I reset this animal?
Many Thanks,
Regards,
John
5 years, 2 months
Using multiple hostnames in freeipa https, ldap, kerberos kdc certificates
by Anvar Kuchkartaev
Hello everyone,
I am planning to deploy a replica of FreeIPA to AWS, and I have the following idea:
* Let's say the FreeIPA domain is example.com
* The FreeIPA domain has its own CA
* All AWS hosts will get a hostname automatically over DHCP options in the VPC, like ip-xxx-xxx-xxx-xxx.aws.example.com
* The FreeIPA replica will be reachable on one internal IP and one elastic IP; the internal IP will be reachable with hostname ipa.aws.example.com, the external one (elastic IP) will be reachable as ipa.example.com, and DNS autodiscovery records will do the rest.
I cannot resolve one part: when using different hostnames, I might run into TLS/STARTTLS issues, since the IPA Apache, LDAP and Kerberos KDC certificates are issued automatically to only one hostname.
I would like to ask if it is possible to replace the IPA Apache, LDAP and Kerberos KDC certificates with SAN certificates that support multiple hostnames?
Thanks,
--
Anvar Kuchkartaev
anvar@aegissec.net
5 years, 2 months
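The post above worries that clients reaching the replica by a second hostname will fail TLS hostname verification because the service certificates name only one host. Before swapping in a SAN certificate (or to confirm a replacement covers both names), a practitioner would want to check the dNSName entries the way a client does. The following is an added example, not code from the original post or from FreeIPA; it implements RFC 6125-style matching (exact match, or a single left-most wildcard label) over the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and ships with a constructed certificate description using the hostnames from the post. The fetch_peercert helper is an assumption about how one would pull the live certificate; it keeps verification on, so a mismatch surfaces as an SSL error rather than a silent pass.

```python
import ssl
import socket
from typing import Iterable, Tuple

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns: a dict
# whose 'subjectAltName' is a tuple of (type, value) pairs. The hostnames are
# the ones from the post; the certificate itself is hypothetical.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ipa.aws.example.com"),),),
    "subjectAltName": (
        ("DNS", "ipa.aws.example.com"),
        ("DNS", "ipa.example.com"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName against a hostname.

    Case-insensitive, trailing dot ignored. A wildcard is accepted only as the
    whole left-most label, only when at least two labels follow it (so '*.com'
    is rejected), and it matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(peercert: dict) -> Tuple[str, ...]:
    """Return the dNSName entries of the subjectAltName extension, in order."""
    return tuple(v for t, v in peercert.get("subjectAltName", ()) if t == "DNS")


def cert_covers(peercert: dict, hostname: str) -> bool:
    """True if some dNSName SAN entry matches the hostname.

    The subject CN is deliberately ignored: when a SAN extension is present,
    modern clients consult only the SAN, so a CN-only match would not help.
    """
    return any(_dns_name_matches(n, hostname) for n in san_dns_names(peercert))


def uncovered_hostnames(peercert: dict, hostnames: Iterable[str]) -> list:
    """List the hostnames the certificate does NOT cover (empty means all good)."""
    return [h for h in hostnames if not cert_covers(peercert, h)]


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live service certificate as a getpeercert() dict (assumed helper).

    Uses the default trust store, so the IPA CA must already be trusted on the
    machine running this. Verification is kept on: if the name does not match,
    wrap_socket raises ssl.SSLCertVerificationError, which is the finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["ipa.aws.example.com", "ipa.example.com"]
    missing = uncovered_hostnames(SAMPLE_PEERCERT, wanted)
    print("missing SAN entries:", missing or "none")
```

Run it against a real replica by replacing SAMPLE_PEERCERT with fetch_peercert("ipa.aws.example.com") and fetch_peercert("ipa.example.com", 636) for LDAPS; each service that terminates TLS (HTTPS, LDAPS/STARTTLS) presents its own certificate, so check each one for both names.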