I'd love to use FreeIPA for all of our auth needs (wifi, samba, backups
etc) but I'm a little lost on the configuration of the default groups.
I have my admin user in the 'admins' group and my test user in the
'ipausers' group, but I can't see any permissions or roles or policies that
define permissions in those groups. Logged in as the admin user, I can
change all settings but as my test user, I cannot change anything.
I also see 'editors' but can't see exactly what permissions this group has.
Am I missing something or somewhere where I can change these permissions?

I'm having problems with kinit and a 2FA enabled account.
When I run kinit by itself, it says 'kinit: Generic preauthentication
failure while getting initial credentials'.
I saw on the wiki where that problem is solved by doing one of two
things. You can log in with the admin account (or some other non-2FA
account). When I do that, it asks for the OTP, but then I get a similar
Ticket cache: FILE:/tmp/krb5cc_760400007
Default principal: admin@IDM.XXX.NET

Valid starting       Expires              Service principal
02/06/2018 15:58:04  02/07/2018 15:57:52  krbtgt/IDM.XXX.NET@IDM.XXX.NET
$ kinit -T FILE:/tmp/krb5cc_760400007 jratliff
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
The same thing happens when I try to do the anonymous authentication.
I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi
This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
9 IdM client machine.
Thanks for any assistance.

I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error:
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_REJECTED)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

I'm reading this:
It needs to create a service account under
But which ldif file should I point to? Or just ignore and use another
ldapmodify -f <path/to/ldif> or ldapmodify -x -D ..??
userPassword: <The service account password>
ldapmodify -f <path/to/ldif> -D 'cn=Directory Manager' -W -H ldap://host.ipa
ldapwhoami -Z -D 'krbprincipalname=radius/

I recently upgraded to version 4.5 of FreeIPA. I only upgraded the server, not the clients. Do my clients now have to use pkinit? Or is it optional? How can I check what is being used? I'm concerned that if the environment now is so certificate centric, I will someday be locked out because some certificate has expired.

I have FreeIPA with AD trust.
I want to set up Nextcloud with IPA and AD users.
LDAP in cn=compat,dc=dom,dc=lan doesn't have the memberOf attribute.
I set up ipsilon (https://ipsilon-project.org/) for SSO and SAML authentication.
Authentication with login and password works.
But I have a local domain for ipsilon and nextcloud and kerberos DOM.LAN and an internet domain domain.ru
So, when I go to nextcloud with my kerberos ticket, I get a 500 internal error.
Maybe somebody knows how to correct this mistake?
Best regards, Николай.

I'm sorry for a dumb question, but I can't find documentation on the ldif file syntax that can be used for unattended installation like ipa-server-install --dirsrv-config-file params.ldif. Can someone point me to this doc or share an example of this file?

Does anyone have experience using FreeIPA 4.0 and above as a RADIUS server? E.g. I want wifi
to use RADIUS, with everyone carrying their LDAP password.
How to implement it? Does it need a special plugin? It seems it needs a new
attribute that can generate a hashed password and sync with LDAP together?
Thx and Regards