[Freeipa-users] Free ipa Configurations

Tue Nov 11 07:07:50 UTC 2014

well I dont know how or what command to use to display the logs, could you teach me how? , but yes the network.negotiate-auth.trusted-uris has the same domain name which is example.com this is on the server side only

while on the client side, even though the network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed so its a really weird scenario. but the registration of the ipa client to the server says its successful. 

TIA 

On Tuesday, November 11, 2014 2:56 PM, Martin Kosek <mkosek at redhat.com> wrote:

On 11/11/2014 06:37 AM, Rolf Nufable wrote:
> or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache 

Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy, on the contrary, it should be much cooler than 3.3.

> On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable <rolf_16_nufable at yahoo.com> wrote:
>  
> 
> 
> well I'll try them now, my sssd config only consists of these lines added to the sudo area 
> 
> sudo_provider = ldap
> ldap_uri = ldap://myipaserver.example.com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/myipaserver.example.com
> ldap_sasl_realm = EXAMPLE.COM
> krb_server = myipaserver.example.com

BWT, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.

More info here:
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
https://fedorahosted.org/freeipa/ticket/3358

> plus another question why is it that when I invoke the kinit admin command for the kerberos I couldnt access the web UI and keeps asking me to configure my web browser ( firefox) though I've already configured it many times.. 

Are you sure that network.negotiate-auth.trusted-uris in about:config
correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
is the setting of network.negotiate-auth.trusted-uris?

In any case, it is still hard to advise as I still did not see any related
logs, error messages or actual real errors preventing you from enrolling FreeIPA.

Thanks,
Martin

> 
> 
> TIA 
> 
> 
> 
> On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>  
> 
> 
> On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
> 
>> On 11/10/2014 02:05 AM, Rolf
>  Nufable wrote:
>>> Hello 
>>>
>>> I have tons of questions on why free ipa wont't work on my network , I've been using fedora 20 as the os for the server and client free ipa .
>>>
>>> I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the client side using 2 VM's at first it was okay, got it connected and used ldap to pass sudo for the client side, but when I finally deployed it in our real network consisting of an esxi server and one work station having the same versions of free ipa for server and client, the error that I'm getting is that " the user does not exist " when I invoked the " su - ( user ) " command, so My question is how can I solve this problem?? I've been at it for 3 weeks now ..
>>
>> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
>> assume this is a problem in SSSD client part, if the user cannot be found.
>> CCing Lukas and Jakub to advise.
> 
> Sorry, I skipped this thread b/c the subject didn't look like it was
> SSSD-related.
> 
> I think we need to examine SSSD logs...
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141110/4ba88de3/attachment.htm>