
    Posts made by AlyRagab

    • RE: FreeIPA Server & Client

      @stacksofplates said in FreeIPA Server & Client:

      @AlyRagab said in FreeIPA Server & Client:

      But now, regarding this setup: if the user logs in on a machine and saves his files in his home directory, when he logs in again on another machine he will not get his files. So how can we make all of the user's files be saved on the server, with the client just mounting his home directory?

      If you set up an NFS server and use ipa-client-automount you can set it up on the client. You have to set up the auto mount in FreeIPA first though. For home directories you will want to use an indirect mount.

      Now I have configured NFS to export /home on the same server as the IPA server.
      Should I use the autofs configuration on the client or just the command ipa-client-automount?
      Also, what should I do on the IPA server?

      posted in IT Discussion
      AlyRagab
    • RE: OpenVPN and Android Mobiles

      @iroal said in OpenVPN and Android Mobiles:

      I use OpenVpn, pfsense, and can connect fine from my Android Phone, Samsung S5.

      I just had to install the user certificate and the OpenVpn App

      I am already connected successfully using the user certificate and the OpenVPN app on Android, but the main issue is that when I am connected I cannot reach the internet, while I can access the internet using the same certificate on my PC. I have also tried a lot of mobiles, with the same behavior!

      posted in IT Discussion
    • RE: OpenVPN and Android Mobiles

      @Dashrender said in OpenVPN and Android Mobiles:

      Does the android client have any split tunnel options?

      How can I check that on the mobile?

      posted in IT Discussion
    • OpenVPN and Android Mobiles

      Dears,
      I have configured the OpenVPN server successfully and I can connect from anywhere to my network using the OpenVPN credentials. The problem is with connecting through the OpenVPN client on Android mobiles: after connecting I get disconnected from the internet and can only reach my VPN resources, although I have commented out the option push "redirect-gateway def1".
      Connecting from a PC or laptop, I can access the internet normally.
      Below is my server.conf on the VPN server:

      port 1194
      proto udp
      dev tun
      
      #Certificate Configuration
      
      #ca certificate
      ca /etc/openvpn/keys/ca.crt
      
      #Server Certificate
      cert /etc/openvpn/keys/server.crt
      
      #Server key; keep this secret
      key /etc/openvpn/keys/server.key

      #DH parameters; see the key size in /etc/openvpn/keys/
      dh /etc/openvpn/keys/dh2048.pem

      #Internal IP range that clients get once connected
      server 192.168.200.0 255.255.255.0

      #this line will redirect all traffic through our OpenVPN
      #push "redirect-gateway def1"

      #Provide DNS servers to the client; you can use Google DNS
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"

      #Enable multiple clients to connect with the same key
      duplicate-cn
      
      keepalive 20 60
      comp-lzo
      persist-key
      persist-tun
      daemon
      
      #enable log
      log-append /var/log/myvpn/openvpn.log
      
      #Log Level
      verb 3
      
      posted in IT Discussion openvpn vpn android
    • RE: FreeIPA Server & Client

      But now, regarding this setup: if the user logs in on a machine and saves his files in his home directory, when he logs in again on another machine he will not get his files. So how can we make all of the user's files be saved on the server, with the client just mounting his home directory?

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates said in FreeIPA Server & Client:

      @AlyRagab said in FreeIPA Server & Client:

      I have tested it again:
      FreeIPA Server on CentOS 7
      FreeIPA Client on Ubuntu 14.04
      and everything is working fine now after following this link 🙂
      http://www.techs2resolve.in/2015/06/how-to-add-client-to-freeipa-server.html
      Thank you all 🙂 🙂

      That's what I usually do. The install process is so fast and easy that it's almost not worth it to troubleshoot problems.

      The problem was related to the PAM configuration, to allow authentication from the login screen.

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      I have tested it again:
      FreeIPA Server on CentOS 7
      FreeIPA Client on Ubuntu 14.04
      and everything is working fine now after following this link 🙂
      http://www.techs2resolve.in/2015/06/how-to-add-client-to-freeipa-server.html
      Thank you all 🙂 🙂

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      Your config had the sss module and nsswitch.conf was calling sss, I'm not sure what's missing. I tried your system-auth and password-auth files on one of my machines and they worked.

      I will re-install the IPA server and client again and tell you the result 🙂

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates said in FreeIPA Server & Client:

      So this page http://www.freeipa.org/page/Client says SSSD should be backwards compatible. It's just the ipa-admintools that is not backwards compatible.

      Yes, you are right, because when I installed ipa-admintools and then ran the command "ipa find-user --all" it showed this error: "ipa: ERROR: 2.65 client incompatible with 2.49 server at u'https://ipa.example.com/ipa/xml'"
      But now I am thinking that I have to change something related to the PAM modules that are responsible for authentication through the client login screen, but what is that?

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @brianlittlejohn said in FreeIPA Server & Client:

      @AlyRagab I have connected Linux Mint, to a CentOS freeIPA server.

      If the problem is not related to compatibility issues, then maybe the problem is related to the PAM configuration. So the question here is: did you do any manual configuration of any of the PAM modules? Do I need to do so for the module that is responsible for authentication through the login screen in Ubuntu?

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      So what about Ubuntu? I have a client with a lot of Ubuntu 14.04 workstations; do I need to install FreeIPA on an Ubuntu server to be compatible with the Ubuntu workstations?

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates said in FreeIPA Server & Client:

      Another thing to try, do you have the ipa-admintools package installed on your client? If you do, what output do you get if you kinit and then run ipa user-find --all?

      The admintools package is installed, but when I tried to run "ipa user-find --all" it shows this error:
      [root@client ~]# ipa user-find --all
      ipa: ERROR: 2.114 client incompatible with 2.112 server at 'https://ipa.server.local/ipa/xml'

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates said in FreeIPA Server & Client:

      Did you change the password for the user after you set it?

      Can you log into the IPA web interface with that user?

      The password is changed at the first login,
      and I can also access the IPA web interface with that user.

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      I think the main question here is: how can we allow the Enterprise Login?

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates the "/etc/nsswitch.conf":

      passwd: files sss
      shadow: files sss
      group: files sss
      #initgroups: files

      #hosts: db files nisplus nis dns
      hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

      # Example - obey only what nisplus tells us...

      #services: nisplus [NOTFOUND=return] files
      #networks: nisplus [NOTFOUND=return] files
      #protocols: nisplus [NOTFOUND=return] files
      #rpc: nisplus [NOTFOUND=return] files
      #ethers: nisplus [NOTFOUND=return] files
      #netmasks: nisplus [NOTFOUND=return] files

      bootparams: nisplus [NOTFOUND=return] files

      ethers: files
      netmasks: files
      networks: files
      protocols: files
      rpc: files
      services: files sss

      netgroup: files sss

      publickey: nisplus

      automount: files sss
      aliases: files nisplus
      sudoers: files sss

      ==============
      Also, what makes the case very strange is that I can do kinit ldapuser normally, and su - user,
      and also getent passwd user,
      but I cannot log in via ssh or the GUI.

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates the "/etc/pam.d/system-auth":

      #%PAM-1.0

      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.

      auth required pam_env.so
      auth sufficient pam_fprintd.so
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 1000 quiet_success
      auth sufficient pam_sss.so use_first_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_succeed_if.so uid < 1000 quiet
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
      password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session optional pam_oddjob_mkhomedir.so umask=0077
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so

      =================================================

      and "/etc/pam.d/password-auth":

      #%PAM-1.0

      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.

      auth required pam_env.so
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 1000 quiet_success
      auth sufficient pam_sss.so use_first_pass
      auth required pam_deny.so

      account required pam_unix.so
      account sufficient pam_localuser.so
      account sufficient pam_succeed_if.so uid < 1000 quiet
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      account required pam_permit.so

      password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
      password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      password sufficient pam_sss.so use_authtok
      password required pam_deny.so

      session optional pam_keyinit.so revoke
      session required pam_limits.so
      -session optional pam_systemd.so
      session optional pam_oddjob_mkhomedir.so umask=0077
      session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session required pam_unix.so
      session optional pam_sss.so

      posted in IT Discussion
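
An added example, not part of any post in this thread: a small Python check that an nsswitch.conf and a PAM stack like the ones posted actually reference SSSD, the same thing that was confirmed by eye in the replies. The sample strings are constructed (abridged from the posted files) and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the files posted in this thread.
NSSWITCH = """passwd: files sss
shadow: files sss
group: files sss
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
"""
PAM_STACK = """#%PAM-1.0
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
-session optional pam_systemd.so
session optional pam_sss.so
"""
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def nss_sources(text):
    """Map each nsswitch database to its sources, dropping [STATUS=action] items."""
    out = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            out[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return out

def pam_modules(text):
    """Map each PAM type (auth, account, ...) to its modules in stack order."""
    out = {}
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m:
            out.setdefault(m.group(1), []).append(m.group(3))
    return out

def sss_gaps(nss_text, pam_text):
    """List the places where SSSD is missing or sits after pam_deny.so."""
    nss, pam = nss_sources(nss_text), pam_modules(pam_text)
    gaps = ["nsswitch:" + db for db in ("passwd", "shadow", "group")
            if "sss" not in nss.get(db, [])]
    for kind in ("auth", "account", "password", "session"):
        mods = pam.get(kind, [])
        if "pam_sss.so" not in mods:
            gaps.append("pam:" + kind)
        elif "pam_deny.so" in mods and mods.index("pam_deny.so") < mods.index("pam_sss.so"):
            gaps.append("pam:" + kind + ":after-deny")
    return gaps
print(sss_gaps(NSSWITCH, PAM_STACK) or "sss is wired into NSS and every PAM type")
```

Each login service reads its own file under /etc/pam.d (on Ubuntu these include the common-* files), so the check is worth running against the stack of every service that has to accept IPA users.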
    • RE: FreeIPA Server & Client

      @stacksofplates also, there is no OTP configuration on the IPA server.

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates I cannot log in via ssh using the IPA user; after entering the password it gives this error:
      Permission denied, please try again

      posted in IT Discussion
    • RE: FreeIPA Server & Client

      @stacksofplates yes, and here is the content of /etc/sssd/sssd.conf:

      [domain/server.local]

      cache_credentials = True
      krb5_store_password_if_offline = True
      ipa_domain = server.local
      id_provider = ipa
      auth_provider = ipa
      access_provider = ipa
      ipa_hostname = client.server.local
      chpass_provider = ipa
      ipa_server = _srv_, ipa.server.local
      ldap_tls_cacert = /etc/ipa/ca.crt
      [sssd]
      services = nss, sudo, pam, ssh

      domains = server.local
      [nss]
      homedir_substring = /home

      [pam]

      [sudo]

      [autofs]

      [ssh]

      [pac]

      [ifp]

      posted in IT Discussion
    • FreeIPA Server & Client

      Dears,
      I have configured a FreeIPA server on CentOS 7 and it seems to work without any problem,
      and I have Fedora 23 and Ubuntu 15 clients to authenticate against the IPA server.
      All configuration is done and I can switch to the LDAP user normally (su - ldapuser) from the shell,
      but the main problem is that I cannot log in as that ldapuser through the desktop login screen.
      Any advice?
      Thanks

      posted in IT Discussion