[Freeipa-users] IPA Server Upgrade Error
Hello,

Currently my server is running on IPA Server Version 4.4. I have tried to upgrade the Version to 4.5 using the ipa-server-upgrade command and ended up with the following error:

2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
    cert_obj = x509.load_certificate(cert)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
    return cryptography.x509.load_der_x509_certificate(data, default_backend())
  File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
    return backend.load_der_x509_certificate(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
    return b.load_der_x509_certificate(data)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
    raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

---

I am using a third party signed certificate along with my IPA-CA. Is it an issue with my current CA? I can see that while fetching the certificate, the name is given as "Server-cert" instead of the exact CA name.

--
Regards,
Alka Murali
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: How to implement sudo for "ALL, !something"
On Mon, 2017-09-25 at 11:00 -0400, Rob Crittenden wrote:
> I'd refer you to the SECURITY NOTES in the sudoers man page to
> reconsider this approach.

You're referring to giving sudo to all commands and then trying to take some things away? Ya, it's stupid, doesn't actually work and I don't know why it's set up like this (it's from before my time here). I'm going to attempt convincing the organization to change it.

For now, we're just testing out if our current crappy rule sets can be replicated within freeipa.

Thanks for pointing it out, though! I'll reference this thread in the future. lol

--
Ranbir
[Freeipa-users] Re: Force 2FA on specific hosts
That might be, but a quick read of the referenced document indicates it may not work the way we want. All users will be using 2FA to access the jump hosts. The way I read it, the Kerberos ticket will indicate that 2FA was used - and by enforcing 2FA on the destination machines, the ticket will still allow them in automatically. What we're looking to possibly do is require 2FA use to the jump host, and then if they go to certain specific hosts, they'll be required to use 2FA again to gain access there.

I'll set up a test environment and see what I can figure out. Thanks for the hint!

Jeremy Utley

On Mon, Sep 25, 2017 at 8:47 AM, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote:
> > Hello all on the list!
> >
> > Kind of an odd question, but management has asked me to try to find this
> > out. We've been rolling out FreeIPA to replace OpenLDAP inside a
> > higher-security (PCI Compliant) part of our overall network. One of the
> > things we would like to possibly do is require 2FA (using Yubikeys) for
> > certain machines within that network, without creating a second FreeIPA
> > domain. For example, inside this domain we have jump hosts that will
> > require Yubikey 2FA to log in to, and from that point forward, Kerberos
> > would be used to move from one machine to another. However, for 2 specific
> > machines, we'd like to require a second 2FA authentication to those to
> > provide some additional security. Is this even possible?
>
> I think what you are looking for is documented here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html
>
> HTH
>
> bye,
> Sumit
>
> > Thanks,
> >
> > Jeremy Utley
[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install
I've attached httpd/error_log-20170922.gz

I did not look at that file before, so I can't say that it's changed.

I've also attached the ipaclient-install.log.gz

On 09/25/17 08:56, Rob Crittenden wrote:
> John R. Shannon wrote:
>> I upgraded to 4.6.1 today. The same problem persists.
>
> You get the same error in /var/log/httpd/error_log?
>
> gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS
> failure. Minor code may provide more information ( SPNEGO cannot find
> mechanisms to negotiate)]
>
> rob
>
>> On 09/15/17 13:17, John R. Shannon wrote:
>>> Attached
>>>
>>> On 09/15/17 12:58, Alexander Bokovoy wrote:
>>>> On Fri, 15 Sep 2017, Rob Crittenden via FreeIPA-users wrote:
>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>> Attached
>>>>>
>>>>> It is failing with "KerberosError: No valid Negotiate header in server
>>>>> response"
>>>>>
>>>>> What package version of freeipa-server do you have?
>>>>>
>>>>> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
>>>>> 4.5.1
>>>> According to ipaserver-install.log, it is IPA version 4.5.3-1.fc26.
>>>>
>>>> John, can we see /var/log/httpd/error_log?
>>>>>
>>>>> rob
>>>>>>
>>>>>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>>> Attached in gzip'd form
>>>>>>>
>>>>>>> We need /var/log/ipaclient-install.log
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>>>>> Running ipa-server-install I get:
>>>>>>>>>>
>>>>>>>>>> Configuring client side components
>>>>>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>>>>>
>>>>>>>>>> Skipping synchronizing time with NTP server.
>>>>>>>>>> New SSSD config will be created
>>>>>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>>>>>> No valid Negotiate header in server response
>>>>>>>>>> The ipa-client-install command failed. See
>>>>>>>>>> /var/log/ipaclient-install.log for more information
>>>>>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall):
>>>>>>>>>> ERROR
>>>>>>>>>>
>>>>>>>>>> Configuration of client side components failed!
>>>>>>>>>>
>>>>>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>>>>>
>>>>>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>>>>>
>>>>>>>>>> configured to include the FREE-IPA repository. FREE-IPA was
>>>>>>>>>> installed yesterday with:
>>>>>>>>>>
>>>>>>>>>> dnf install freeipa-*
>>>>>>>>>>
>>>>>>>>>> and running ipa-server-install. I'm not sure how to proceed. I
>>>>>>>>>> want to use pkinit.
>>>>>>>>>>
>>>>>>>>>> The log file shows that an exception was raised during the
>>>>>>>>>> execution of:
>>>>>>>>>>
>>>>>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install
>>>>>>>>>> --on-master
>>>>>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>>>>>> auth.test.internal.johnrshannon.com
>>>>>>>>>
>>>>>>>>> We need to see /var/log/ipaclient-install.log (gzip if it's huge).
>>>>>>>>>
>>>>>>>>> rob

--
John R. Shannon j...@johnrshannon.com (208)522-4506
[Freeipa-users] Re: Web UI errors after update to ipa-server 4.5/centos 7.4
Mark Esman via FreeIPA-users wrote:
> After upgrading two freeipa servers (replicas of each other) from
> ipa-server-4.4.0-14.el7.centos.7.x86_64 to
> ipa-server-4.5.0-21.el7.centos.1.2.x86_64 during the recent
> Centos 7.3 to 7.4 update, one of the servers is having Web UI errors.
>
> ipactl status show all services up and running on both servers.
>
> One of the replicas Web UI works fine, the other throws the following
> errors.

See if the whoami plugin is configured in cn=config on the non-working master:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=config cn=whoami

rob
[Freeipa-users] Re: How to implement sudo for "ALL, !something"
Ranbir via FreeIPA-users wrote:
> On Sun, 2017-09-24 at 02:28 -0400, Ranbir via FreeIPA-users wrote:
>> I'm now thoroughly confused! Can anyone lend a hand?
>
> I think I managed to achieve what I wanted by specifying a "sudo
> order". Now I can give the user the ability to run every command as
> another user (that that user is allowed to run), with the exceptions of
> /bin/su and any shells.
>

I'd refer you to the SECURITY NOTES in the sudoers man page to reconsider this approach.

rob
[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install
John R. Shannon wrote:
> I upgraded to 4.6.1 today. The same problem persists.

You get the same error in /var/log/httpd/error_log?

gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]

rob

> On 09/15/17 13:17, John R. Shannon wrote:
>> Attached
>>
>> On 09/15/17 12:58, Alexander Bokovoy wrote:
>>> On Fri, 15 Sep 2017, Rob Crittenden via FreeIPA-users wrote:
>>>> John R. Shannon via FreeIPA-users wrote:
>>>>> Attached
>>>>
>>>> It is failing with "KerberosError: No valid Negotiate header in server
>>>> response"
>>>>
>>>> What package version of freeipa-server do you have?
>>>>
>>>> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
>>>> 4.5.1
>>> According to ipaserver-install.log, it is IPA version 4.5.3-1.fc26.
>>>
>>> John, can we see /var/log/httpd/error_log?
>>>
>>>> rob
>>>>>
>>>>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>> Attached in gzip'd form
>>>>>>
>>>>>> We need /var/log/ipaclient-install.log
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>>>> Running ipa-server-install I get:
>>>>>>>>>
>>>>>>>>> Configuring client side components
>>>>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>>>>
>>>>>>>>> Skipping synchronizing time with NTP server.
>>>>>>>>> New SSSD config will be created
>>>>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>>>>> No valid Negotiate header in server response
>>>>>>>>> The ipa-client-install command failed. See
>>>>>>>>> /var/log/ipaclient-install.log for more information
>>>>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall):
>>>>>>>>> ERROR
>>>>>>>>>
>>>>>>>>> Configuration of client side components failed!
>>>>>>>>>
>>>>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>>>>
>>>>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>>>>
>>>>>>>>> configured to include the FREE-IPA repository. FREE-IPA was
>>>>>>>>> installed yesterday with:
>>>>>>>>>
>>>>>>>>> dnf install freeipa-*
>>>>>>>>>
>>>>>>>>> and running ipa-server-install. I'm not sure how to proceed. I
>>>>>>>>> want to use pkinit.
>>>>>>>>>
>>>>>>>>> The log file shows that an exception was raised during the
>>>>>>>>> execution of:
>>>>>>>>>
>>>>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install
>>>>>>>>> --on-master
>>>>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>>>>> auth.test.internal.johnrshannon.com
>>>>>>>>
>>>>>>>> We need to see /var/log/ipaclient-install.log (gzip if it's huge).
>>>>>>>>
>>>>>>>> rob
[Freeipa-users] Re: Force 2FA on specific hosts
On Mon, Sep 25, 2017 at 08:25:30AM -0500, Jeremy Utley via FreeIPA-users wrote:
> Hello all on the list!
>
> Kind of an odd question, but management has asked me to try to find this
> out. We've been rolling out FreeIPA to replace OpenLDAP inside a
> higher-security (PCI Compliant) part of our overall network. One of the
> things we would like to possibly do is require 2FA (using Yubikeys) for
> certain machines within that network, without creating a second FreeIPA
> domain. For example, inside this domain we have jump hosts that will
> require Yubikey 2FA to log in to, and from that point forward, Kerberos
> would be used to move from one machine to another. However, for 2 specific
> machines, we'd like to require a second 2FA authentication to those to
> provide some additional security. Is this even possible?

I think what you are looking for is documented here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/auth-indicators.html

HTH

bye,
Sumit

> Thanks,
>
> Jeremy Utley
[Freeipa-users] Force 2FA on specific hosts
Hello all on the list!

Kind of an odd question, but management has asked me to try to find this out. We've been rolling out FreeIPA to replace OpenLDAP inside a higher-security (PCI Compliant) part of our overall network. One of the things we would like to possibly do is require 2FA (using Yubikeys) for certain machines within that network, without creating a second FreeIPA domain. For example, inside this domain we have jump hosts that will require Yubikey 2FA to log in to, and from that point forward, Kerberos would be used to move from one machine to another. However, for 2 specific machines, we'd like to require a second 2FA authentication to those to provide some additional security. Is this even possible?

Thanks,

Jeremy Utley
[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install
On Fri, 22 Sep 2017, John R. Shannon via FreeIPA-users wrote:
> I upgraded to 4.6.1 today. The same problem persists.

1. Can you show /etc/pki/ca-trust/source/ipa.p11-kit?
2. Can you show /var/log/ipaupgrade.log?

> On 09/15/17 13:17, John R. Shannon wrote:
>> Attached
>>
>> On 09/15/17 12:58, Alexander Bokovoy wrote:
>>> On Fri, 15 Sep 2017, Rob Crittenden via FreeIPA-users wrote:
>>>> John R. Shannon via FreeIPA-users wrote:
>>>>> Attached
>>>>
>>>> It is failing with "KerberosError: No valid Negotiate header in server
>>>> response"
>>>>
>>>> What package version of freeipa-server do you have?
>>>>
>>>> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
>>>> 4.5.1
>>> According to ipaserver-install.log, it is IPA version 4.5.3-1.fc26.
>>>
>>> John, can we see /var/log/httpd/error_log?
>>>
>>>> rob
>>>>>
>>>>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>> Attached in gzip'd form
>>>>>>
>>>>>> We need /var/log/ipaclient-install.log
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>>>> Running ipa-server-install I get:
>>>>>>>>>
>>>>>>>>> Configuring client side components
>>>>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>>>>
>>>>>>>>> Skipping synchronizing time with NTP server.
>>>>>>>>> New SSSD config will be created
>>>>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>>>>> No valid Negotiate header in server response
>>>>>>>>> The ipa-client-install command failed. See
>>>>>>>>> /var/log/ipaclient-install.log for more information
>>>>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall):
>>>>>>>>> ERROR
>>>>>>>>>
>>>>>>>>> Configuration of client side components failed!
>>>>>>>>>
>>>>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>>>>
>>>>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>>>>
>>>>>>>>> configured to include the FREE-IPA repository. FREE-IPA was
>>>>>>>>> installed yesterday with:
>>>>>>>>>
>>>>>>>>> dnf install freeipa-*
>>>>>>>>>
>>>>>>>>> and running ipa-server-install. I'm not sure how to proceed. I
>>>>>>>>> want to use pkinit.
>>>>>>>>>
>>>>>>>>> The log file shows that an exception was raised during the
>>>>>>>>> execution of:
>>>>>>>>>
>>>>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install
>>>>>>>>> --on-master
>>>>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>>>>> auth.test.internal.johnrshannon.com
>>>>>>>>
>>>>>>>> We need to see /var/log/ipaclient-install.log (gzip if it's huge).
>>>>>>>>
>>>>>>>> rob
>
> --
> John R. Shannon j...@johnrshannon.com (208)522-4506

--
/ Alexander Bokovoy
[Freeipa-users] Re: How to set all passwords expired
Michael Gusek via FreeIPA-users wrote:
> Hey,
>
> you can try something like this:
>
> ipa user-find --sizelimit=0 | grep "Anmeldename:" | awk '{ print $2 }' |
> xargs -i 'bash -c "echo password | ipa user-mod {} --passwd"'
>
> This will reset all passwords to password 'password'. Each user has to
> log in with the new password and has to change it immediately. You can
> expand the one-liner to exclude some accounts with
>
> ipa user-find --sizelimit=0 | grep "Anmeldename:" | grep -v "admin" |
> grep -v "some_account" | awk ...
>
> "Anmeldename:" fits for a German locale, please change that for your
> locale.

Another option would be to collect the list of users in a similar way that Michael suggests and then change krbpasswordexpiration to something way in the past to expire the *current* password. Then users won't all have the same or similar password and/or you don't need to distribute new passwords to everyone.

The thing is though you need to be Directory Manager to write that attribute so you'd collect all the userids and then you'd need to loop through them using ldapmodify to set a new value.

rob

> Micha
>
> On 25.09.2017 at 13:18, xattab--- via FreeIPA-users wrote:
>> Hi!
>>
>> I changed the password policy and I need to force everyone (excluding one
>> directory) to change passwords.
>>
>> How to implement it?
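
The krbpasswordexpiration approach Rob describes in the message above, as an added example that is not part of the original thread: a shell function that turns a list of user IDs into LDIF for ldapmodify, skipping excluded accounts and any ID that would need DN escaping. The suffix dc=example,dc=com, the past timestamp, the function names and the sample IDs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build LDIF that sets krbPasswordExpiration to a past date
# for every uid read on stdin, so the *current* password is expired and
# no shared temporary password has to be handed out.

# Assumed values: replace the suffix with your own; any past time works.
BASE_DN="cn=users,cn=accounts,dc=example,dc=com"   # placeholder suffix
EXPIRED_AT="20000101000000Z"                        # constructed past timestamp

# make_expire_ldif EXCLUDE...
#   stdin : one uid per line
#   stdout: one LDIF modify record per uid that is not listed in EXCLUDE
#   stderr: uids rejected because they contain characters that would need
#           DN/LDIF escaping (these are never interpolated into a DN)
make_expire_ldif() {
    while IFS= read -r uid; do
        [ -n "$uid" ] || continue
        case "$uid" in
            *[!A-Za-z0-9_.-]*)
                echo "skipping unsafe uid: $uid" >&2
                continue
                ;;
        esac
        skip=0
        for ex in "$@"; do
            if [ "$uid" = "$ex" ]; then
                skip=1
            fi
        done
        [ "$skip" -eq 0 ] || continue
        printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
        printf 'changetype: modify\n'
        printf 'replace: krbPasswordExpiration\n'
        printf 'krbPasswordExpiration: %s\n\n' "$EXPIRED_AT"
    done
}

# Constructed sample list; on a real server the uids would come from an
# "ipa user-find" pipeline like the one quoted in the thread.
sample_uids() {
    printf '%s\n' admin alice bob 'eve,cn=x' svc_backup
}

# Review the generated file before applying it as Directory Manager:
#   make_expire_ldif admin svc_backup < uids.txt > expire.ldif
#   ldapmodify -x -D 'cn=Directory Manager' -W -f expire.ldif
```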
[Freeipa-users] How to set all passwords expired
Hi!

I changed the password policy and I need to force everyone (excluding one directory) to change passwords.

How to implement it?