Hello,
I have set up IPA on a private network and have hit some bumps
configuring sudo access for the clients.
kinit seems to work fine for both client and server, user and root.
When I load the edited /etc/sssd/sssd.conf and try to change user
passwords I get System is offline, password change
It is a bit strange that your ipa_domain and ipa_hostname are the same. I
think the domain should be just local.
I'd run klist -kt /etc/krb5.keytab to see what principals are in there.
ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local
Hi,
I'm a little confused. They
Hi,
ipa_domain and ipa_hostname were indeed a config error. Also, using a
.local domain caused all manner of problems.
Thanks all for your help!
Andrew
On 21 October 2013 21:03, Jakub Hrozek jhro...@redhat.com wrote:
On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote:
Andrew
Hello,
I have created two DNS resource records. 51.10.in-addr.arpa. and
test.domain.com. It seems that it does not like to use the
51.10.in-addr.arpa. for addresses. Must I specify each /24? In
addition, if I am adding a host node.subdomain.test.nsslabs.com. It
does not like this either. Must I
:80:3B:A9:1D:5E (ssh-dss),
05:11:9B:EE:D0:7A:BA:9D:BA:48:18:82:84:8F:25:82 (ssh-rsa)
On 28 October 2013 15:20, Rob Crittenden rcrit...@redhat.com wrote:
Andrew Holway wrote:
Hello,
I have created two DNS resource records. 51.10.in-addr.arpa. and
test.domain.com. It seems that it does not like
1800 900 604800 86400
;; Query time: 153 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 28 04:30:39 2013
;; MSG SIZE rcvd: 104
On 28 October 2013 15:33, Andrew Holway andrew.hol...@gmail.com wrote:
Here is some info from FreeIPA . . .
[root@freeipa ~]# ipa host-show
Host name
Sorry, I didn't mean to send the last mail. However the FreeIPA has
correctly set reverse and forward DNS. I have trimmed it up a bit for
clarity.
Forward DNS for this host is working but reverse DNS is not:
[root@freeipa ~]# dig node002.test.nsslabs.com @localhost
;; QUESTION SECTION:
: 3600
Active zone: TRUE
Allow query: any;
Allow transfer: none;
Number of entries returned 2
On 28 October 2013 15:43, Andrew Holway andrew.hol...@gmail.com wrote:
Sorry, I didn't mean to send the last mail. However the FreeIPA has
For 6.4 use these instructions.
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
Thanks,
Andrew
On 29 October 2013 13:59, Bret Wortman bret.wort...@damascusgrp.com wrote:
I'm trying to bring some CentOS 6.4 systems into our IPA network, and
everything seems to be
Hello,
I am trying to work out how to organise some domain controllers. I
understand that you can only have one domain controller per domain and
one domain per domain controller.
corp.com is controlled by a corporate active directory. We would like
to create two linux subdomains controlled by
Hello,
I am attempting to set up trust between my test freeipa server at
ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
In the GUI I can see the following in Trusts » prattle.com.
Realm name: prattle.com
Domain NetBIOS name: PRATTLE
Domain Security Identifier:
-0C090E17,
comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
is unavailable'}
Failed to setup winsync replication
On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
Hello,
I am attempting to set up trust between my test freeipa server at
ipa.wibble.com
/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
handles (2049) on this pipe.
On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
On 01/02/2014 07:38 AM, Andrew Holway wrote:
I have gotten a little further along with this but am
I turned off all the AD processes on my windows domain controller.
The error did not change.
On 2 January 2014 17:07, Andrew Holway andrew.hol...@gmail.com wrote:
I have taken out the winsync.
[r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn
cn=administrator,cn=users,dc=prattle
You are still setting up a replication agreement not a trust.
Oh, I am following the redhat documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
This seems to indicate that the directory server
As for AD users we need to look at the client and see what is going on
there. What is your client? Version and component? Is it using latest SSSD?
If not additional steps might be needed. Please provide the details
about the clients. Please start with trying AD users on the IPA server
itself,
result: 32 No such object
# numResponses: 1
On 2 January 2014 20:06, Andrew Holway andrew.hol...@gmail.com wrote:
As for AD users we need to look at the client and see what is going on
there. What is your client? Version and component? Is it using latest SSSD?
If not additional steps might
If you add debug_level = 5 into every section of /etc/sssd/sssd.conf
Restart sssd
Try and log in again
cat /var/log/sssd/*
And paste that somewhere.
On 2 January 2014 21:45, Genadi Postrilko genadip...@gmail.com wrote:
It's a newly installed IPA Server, haven't added any Rules.
The
To generate the winbind logs on the server, can you do 'smbcontrol winbindd
debug 100', then request the trusted user. The winbind logs would be at
/var/log/samba/log.w*
I truncated all of the files in /var/log/samba and then made a single
login attempt. These are the files that were non-zero
or simply run wbinfo on the server to check winbindd can properly
retrieve users before moving back to testing on client.
[r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user b...@prattle.com
Would this be an
[r...@ipa.wibble.com ~]# wbinfo --all-domains
BUILTIN
WIBBLE
PRATTLE
[r...@ipa.wibble.com ~]# wbinfo --own-domain
WIBBLE
On 3 January 2014 15:06, Andrew Holway andrew.hol...@gmail.com wrote:
or simply run wbinfo on the server to check winbindd can properly
retrieve users before moving back
It actually took me a long time to find this information. It is poorly
documented but this mailing list post works. :)
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
On 13 February 2014 23:17, Todd Maugh tma...@boingo.com wrote:
the documentation is kinda vague on some
Hi Fred,
You can add your public keys to the user's profile via the GUI or CLI.
Take contents of the .ssh/id_rsa.pub from your Fedora20 Laptop and
insert it in the GUI.
User - ACCOUNT SETTINGS - SSH public keys - add
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/user-keys.html
Hello,
I am being tasked with setting up freeipa for an organisation. A
replica will be created but they also require a backup / restore
strategy.
Has anyone implemented backup restore? Ideas? Recommendations? Dragons?
Thanks,
Andrew
Hello,
I would like to install the root certificate from my freeipa
installation into some browsers and other clients.
If this statement makes sense; does anyone have a guide for this?
Thanks,
Andrew
I would like to install the root certificate from my freeipa
installation into some browsers and other clients.
If this statement makes sense; does anyone have a guide for this?
All you need to do is install http://ipaserver/ipa/config/ca.crt .
Brilliant! Thanks.
Hello,
I would like to use freeipa CA to manage certs for our organisation.
In testing this out I have created an SSL key with the following.
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
This CSR I pasted into the service certificate UI and have a tick next
to
What are the certs for?
At the moment for a third party application however we would like to
issue our own certs for everything SSL such as LDAPs or OpenVPN. It is
quite a powerful feature to be able to install an organisation's root
key on a client's machine and then be able to bosh out certs at
There are also some good docs and examples in the certmonger git repo in
docs folder and here.
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/certmongerX.html
Hi,
The docs seem to explain quite well how to request a certificate but
not how to actually issue a certificate.
-tracking -i 20140426115309
Else you will see this message:
Certificate at same location is already used by request with nickname
20140426115309.
And here is some official docs I just found:
http://www.freeipa.org/page/Certmonger#OpenSSL
On 26 April 2014 09:02, Andrew Holway andrew.hol...@gmail.com
I realized that you probably want to disable anonymous access to LDAP. It
will prevent random strangers to enumerate all users in your database...
This sounds like a bug no? anonymous access to LDAP?
--
Petr^2 Spacek
So I am looking at ways of building a distributed user database for
millions of users (specifically 5 million at the moment) and I am thinking
that freeIPA might be a good thing to test for this kind of use case. I
would assume that at least a third of these users would want to
authenticate every
Hello,
I'm wondering how we should be handling SSSD for redundant configurations on
our freeipa clients. We have three freeipa servers; how can we make SSSD
check another freeipa in the event that one goes down?
It appears we can do something like the following:
ipa_hostname =
Hi,
I think this is perhaps a bug?
Thanks,
Andrew
On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote:
On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote:
Is SELinux on?
Yes,
ipa-server-install is running in the initrc_t domain but I guess its
On Behalf Of Andrew Holway
Sent: Wednesday, March 18, 2015 9:40 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] SSSD in redundant configuration
Hello,
I'm
Hello,
I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.
Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:
Thanks,
Andrew
!!) but we are trying to do all of this
automated with saltstack which is a bit of a challenge.
Thanks,
Andrew
On 20 March 2015 at 09:00, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote:
I wasn't precise enough, I meant the sssd version
Hi,
I am having one of those really annoying pesky troubles.
I add clients to freeipa but the first time I am logging in and trying to
sudo with my freeipa credentials the sudo is not working. If I restart the
SSSD process this usually fixes it but not always. I'm going to try and do
some
ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
ldap_sasl_realm = CLOUD.DOMAIN.DE
krb5_server = _srv_
Thanks,
Andrew
On 19 March 2015 at 10:29, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote:
Cool stuff. Thanks.
I
I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switch to:
sudo_provider=ipa
That does indeed seem to work. Thanks!
and remove all the ldap_ config parameters as well as krb5_server.
Hi,
We have a mix of Centos 6 and Centos 7 machines which we would like to
manage with FreeIPA.
I remember that setting up freeipa on Centos 6 can be a bit tricky although
I found this method which works.
https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
I imagine the
Hallo
I have a quite odd situation. I am using saltstack to set up freeipa
servers on Centos 7 but I am getting the following error:
failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1
Saltstack outputs the command
wrote:
On 03/13/2015 07:43 AM, Andrew Holway wrote:
Hallo
I have a quite odd situation. I am using saltstack to set up freeipa
servers on Centos 7 but I am getting the following error:
failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent
--logfile - -f /tmp/tmp5witgD
Old bug report -
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=959953
On 13 March 2015 at 15:24, Andrew Holway andrew.hol...@gmail.com wrote:
Hi Dimitri
type=AVC msg=audit(1426243559.181:623): avc: denied { create } for
pid=2740 comm=ns-slapd name=imports
scontext
:c0.c1023 root 4503 23.7 4.8
323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E
/sbin/ipa-server-install
On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote:
Hallo
I have a quite odd situation. I am using saltstack to set up freeipa
servers on Centos 7 but I am getting
When I look at the SPEC file for freeipa-4.1.3, I see requirements
around Systemd. Is that really a hard requirement, or is it possible to
run newer FreeIPA (that is to say 4.x) on a host that hasn't been
infested by systemd
From an SELinux standpoint systemd is far superior to initd as it
Hi,
As far as I understand it Kerberos service tickets are granted for a user
to access a particular principal (host/service@REALM) and cannot be reused.
Kerberos uses symmetric key cryptography so, if someone were able to access
the memory of the machine, then they may indeed be able to snoop
the password from the database, appends on the OTP
and actually does the auth...
On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote:
It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21, all the heavy lifting is done by SSSD:
I have to say
Hello FreeIPA people,
I must say that FreeIPA v4 looks very pretty and I am looking forward to
trying out the new features.
I'm wondering what application and tools can be used to authenticate with
the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it
how might we go about
Yes. But stored in LDAP.
Stored in LDAP salted I assume?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Thanks Alexander.
What happens to the passwords? Are they hashed by Kerberos?
On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 01 Apr 2015, Andrew Holway wrote:
Please could someone explain to me what is happening internally?
In my head I have the following
Hi Jakub,
Name: ipa-client
Arch: x86_64
Version : 3.3.3
Release : 28.0.1.el7.centos.3
On 19 March 2015 at 17:33, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
I am having problems with sudo and using _srv_
Hi,
We're using rabbitmq to shunt bits of data around various systems. To provide
better security we would like all of our acmq connections to be
authenticated and encrypted.
I'm looking for appropriate documentation or some friendly guidance of how
server to server SSL authentication is done with
And et voila! It works! Although it does feel a bit hacky :)
I do it the same way as I control my systems and can be sure there is
one user per system for VPN access. Works nicely.
Is it possible to manage key revocation? I understand that this mechanism
is mostly quite broken. How long are
Hello,
Trying to log into the GUI I just get "Your session has expired. Please
re-login." Everything else appears to be working.
I cannot find any useful logs.
Cheers,
Andrew
On Friday, 3 April 2015, Ben .T.George bentech4...@gmail.com wrote:
HI
I was facing the same issue last week and it got fixed now.
Always use the WUI from Firefox. Install the Kerberos plugin and certificate from
the IPA help page
Hi George,
Thanks for the advice. Did you discover the root of the
Hi,
Is it yet possible to use FreeIPA as an identity provider to Google Apps
via SAML. I understand there was some project afoot
Thanks,
Andrew
(The VMs each have 4 CPUs and 2GB RAM, we have circa 120 Users/Groups)
Are you using ECC memory?
In an obviously blatant promotion exercise and attempt to build page rank
Please could I have some critique on this article?
http://otternetworks.de/tech/freeipa-technical-brief/
Your feedback would be really appreciated
Thanks,
Andrew
cache somewhere or the system is
a bit borked. :)
On 3 April 2015 at 20:25, Ben .T.George bentech4...@gmail.com wrote:
no, it's because of a wrong ticket I guess.
try the steps and let us know the output
On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway andrew.hol...@gmail.com
wrote
Hello,
After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
have it all working rather nicely but with self-signed certificates which is
not ideal.
(This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
android app. wtf??!! :)
I'm scratching around trying
On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote:
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
I understand from previous discussions that client certificates are not
yet
supported in FreeIPA, instead I understand one can use service
certificates. From
Hi Gunther,
Typically one would use the freeipa tools to create users.
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-users.html#adding-users
As with any application. Modifying the database underneath is not
recommended.
Thanks,
Andrew
On 19 July 2015 at 17:58,
I'm finding that the new client to be installed is not accepting the
password of my new host enrolment user. This password is working fine with
kinit on other hosts and also working in the GUI.
Any ideas what I am doing wrong here?
On 5 November 2015 at 16:42, Andrew Holway <andrew.
The now dead IPA server is still seen as authoritative for the domain.
[root@freeipa-prod-a-033 centos]# dig NS cloud.foo.com +short
freeipa-prod-b-032.cloud.foo.com.
freeipa-prod-a-033.cloud.foo.com.
freeipa-prod-a-031.cloud.foo.com.
On 5 November 2015 at 17:32, Andrew Holway <andrew.
One of our FreeIPA replicas had its filesystem hosed so we want to remove
it. Can someone show me the sequence of commands to remove a down replica?
Thanks,
Andrew
[root@freeipa-prod-a-033 centos]# ipa-replica-manage list
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported
Thanks!
On 5 November 2015 at 16:18, Rob Crittenden <rcrit...@redhat.com> wrote:
> Andrew Holway wrote:
> > Some time ago I saw an article on how to set up a user that can only
> > enrol clients into freeipa.
> >
> > Does anyone have information on how t
e anything in the logs.
Thanks,
Andrew
On 5 November 2015 at 16:58, Andrew Holway <andrew.hol...@gmail.com> wrote:
> One of our FreeIPA replicas had its filesystem hosed so we want to remove
> it. Can someone show me the sequence of commands to remove a down replica?
>
> Than
Some time ago I saw an article on how to set up a user that can only enrol
clients into freeipa.
Does anyone have information on how to do this because we're currently
using the admin user and this is a bit scary.
Thanks,
Andrew
On 6 November 2015 at 15:28, Petr Vobornik <pvobo...@redhat.com> wrote:
> On 11/05/2015 05:32 PM, Andrew Holway wrote:
>
>> Actually I'm starting to feel like this is a bug. Managed to get the old
>> IPA server back up and ran .
>>
>> "ipa-server-i
Hi,
One of our AWS machines was used in a DoS attack last night and I am
looking for possible attack vectors. AWS tells me it was sending UDP port 0
traffic to a cloudflare address.
This instance had an incorrectly configured AWS security group exposing all
ports.
The server in question is a
With a multi master setup FreeIPA could be considered "resilient" however
this is dependent on some other architectural considerations. For our
customers we deploy two per location and put both servers as entries in
/etc/resolv.conf. As FreeIPA service discovery is done with SRV records
this
Hi,
I assume you are virtualising.
Try adding "tinker panic 0" to /etc/ntp.conf.
It should make it tolerant to heavily drifting virtual clocks.
Cheers,
Andrew
On 10 September 2015 at 13:46, Prasun Gera wrote:
> OS: RHEL 7.1 w IDM
>
> I'm seeing these messages in my
That's odd. You would normally not need it on bare metal. It could be broken
hardware.
On 10 September 2015 at 14:05, Prasun Gera <prasun.g...@gmail.com> wrote:
> Thanks. I'm not virtualizing though. Should I still add it ?
>
> On Thu, Sep 10, 2015 at 5:02 AM, Andrew Hol
Hi,
When a user changes their password the ipa gui briefly redirects to a login
page. The user often has an impulse to click on the login button which, on
occasion, can seem to cause a mess with the password change.
Anyone else aware of this behaviour?
ta
Andrew
Hello,
I see that our default installation of IdM is working quite well without
rdns configured (it's on AWS). We're not doing anything complicated with it
yet but is there anything that definitely will not work?
Cheers,
Andrew
Hello,
We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for
but we were not able to repair it either.
We use AWS so we've now
Hi William,
SSSD and FreeIPA have been developed in tandem by pretty much the same
group from Redhat and are both part of the Fedora project (upstream RHEL).
It's unsurprising that SUSE are not mentioning FreeIPA because it is a core
component of RHEL marketed as IDM (
my standard users,
> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
> selinux and then try again.
>
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.hol...@gmail.com>
> wrote:
>
>> This is pretty weird. FreeIPA installation normally wor
tabase exist?
>
>
>
> On Tue, May 16, 2017 at 2:12 PM Andrew Holway <andrew.hol...@gmail.com>
> wrote:
>
>> Yea, I would try installing IPA then making the changes that you want. I
>> think SELinux should be left enabled however. It makes admin super fun
>2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms
> on VMWare )
>
>
> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.hol...@gmail.com>
> wrote:
>
>> Hallo,
>>
>> How much memory do you have on the machine. I have a s
Hallo,
How much memory do you have on the machine. I have a sneaking suspicion
that you're running out.
Ta,
Andrew
On 16 May 2017 at 17:16, Robert L. Harris wrote:
>
> Last night I rolled back my snapshot. Here's what I have after the yum
> install
>
> "minimal"
What's up with this weird spam? This is the only list where I see this.