[Freeipa-users] Lost Password
Hello All - Our previous employee set up the Admin account and password to log in to our https://ipa-1.int.dplcl.com URL, and the password is not working. How can I reset this animal?

Many Thanks,
Regards,
John

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/A6OVRL5XXUQBQWLHCCEL7KZXNKS4HMYB/
[Freeipa-users] Re: freeIPa replica setup
Alfredo De Luca via FreeIPA-users wrote:
> Hi all.
> I need to set up a freeIPA replica and not sure which is the best and
> more reliable.
> I found a few people preparing the replica from the server, others just
> installing the replica on another machine with the appropriate
> configuration.
>
> Any info/docs?

It depends on the version of IPA (and knowing the distro would help too).

For 4.x+ you want to start with:

$ ipa domainlevel-get

If it is domain level 1 then you can install the new machine as an IPA client and then promote it to a master by running ipa-replica-install.

For domain-level 0 you need to run ipa-replica-prepare on an existing master and then ipa-replica-install on the new master.

rob

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/A3472JJ73KRUMXZUZBAEWZ47D7MO62EO/
[Freeipa-users] freeIPa replica setup
Hi all.

I need to set up a freeIPA replica and I am not sure which is the best and most reliable way. I found a few people preparing the replica from the server, others just installing the replica on another machine with the appropriate configuration.

Any info/docs?

--
Alfredo

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3XYKBBNWAETR7L3RFCLO7WDKS3XJH2KP/
[Freeipa-users] Re: Getting Synology NAS to play nice with FreeIPA
Hi,

we recently had similar issues with integrating FreeIPA. We tried to document everything here: https://blog.cubieserver.de/2018/synology-nas-samba-nfs-and-kerberos-with-freeipa-ldap/

Hopefully this will help.

Cheers

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GCI74D7SLMCFCBT7JS42FBZ7TFUFGBG5/
[Freeipa-users] Re: Running FreeIPA server containers on Ubuntu docker setups / Travis CI
On Thu, Jul 05, 2018 at 02:20:48PM +0200, Jan Pazdziora via FreeIPA-users wrote:
> On Thu, Jul 05, 2018 at 02:14:20PM +0200, Jan Pazdziora wrote:
> >
> > I can reproduce the problem on Fedora for example with
> >
> > docker run --security-opt=seccomp=unconfined --rm -ti -e
> > DEBUG_NO_EXIT=true -e PASSWORD=Secret123 -h ipa.example.test
> > freeipa/freeipa-server:fedora-27 -U -r EXAMPLE.TEST --no-ntp
> >
> > -- the seccomp=unconfined allows the first operation but due to
> > lack of CAP_CHOWN, the second one then fails.
>
> I can "fix" this on Fedora with
>
> --privileged --security-opt=seccomp=unconfined
>
> but I don't consider it a good solution for obvious reasons.

For the record, I went with --privileged in Travis CI for OSes that need it:

https://github.com/freeipa/freeipa-container/blob/master/.travis.yml#L34

CentOS 7 and Fedora rawhide do not, so we are testing at least something unprivileged.

--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/2HUHXPXO3LVZEARYCL2TJ7ALVE5MVEQY/
[Freeipa-users] Problem with replication topology after replica removal
Hi

I removed a replica, but after removal I got 3 undeleted replication agreements. I can't delete them with ipa topologysegment-del; the error returned is:

ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.

ipa host-find returns no results, as expected.

Is there any way to fix this?

Regards
Przemysław Orzechowski

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N2R6QFCYKDJSN47DAKX4CFMUVATPMNGR/
[Freeipa-users] Re: Integration of samba into a freeipa trust with AD
On Fri, 20 Jul 2018, Pierre Labanowski wrote:
> On 20/07/2018 at 12:30, Alexander Bokovoy wrote:
> > On Fri, 20 Jul 2018, Pierre Labanowski via FreeIPA-users wrote:
> > > Hi, everybody,
> > >
> > > I have a question about the best practice use of freeipa with trust AD and/or sync relationship from winsync users.
> > >
> > > 1/ trust
> > > to set up an smb file sharing service via samba, would you advise to integrate it in the IPA realm or in the AD domain? Both are possible, but why one more than the other? In terms of file access performance (metadata, acl, etc.) managed via the smb protocol, isn't there a drawback related to samba in the IPA realm to serve users who use a windows client?
> > Read notes on https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> >
> > NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to an Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.
> >
> > NOTE: When a Windows client accesses shares, the Windows UI will need to be able to resolve SIDs in access control lists. Inability to do so will affect user experience and the way applications are expected to work with the share. A set of experiments in 2017 has demonstrated that Microsoft does not test various fallbacks around this behavior and only considers the path used by the Windows UI to communicate with a Global Catalog service. It is also a 'client-specific' behavior and thus is not subject to protocol interoperability or documented anywhere. While for some applications/use cases it may work, it will not work for many others, thus we cannot really qualify it as a supported solution from the FreeIPA side.
> >
> > > 2/ winsync
> > > do you have the same response arguments in the case of a sync between AD and IPA?
> > winsync does not affect your ability to operate a file server for Windows clients because it doesn't help you here at all. It is irrelevant, in other words, to the task.
>
> Sorry, I did not speak well, my questions are mainly about performance, for example during a transfer of many small files. Does SID resolution in ACLs impact performance through IPA integration?
> The second question on winsync had the same purpose: knowing whether the user being in IPA or in the trust affects performance.

There is no resolution of SIDs in ACLs because when you authenticate, a system token is created by the server, associated with the user connecting, and it contains all SIDs this user is a member of or represents, thus ACL checks are done directly using SIDs.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/XWTNEO7VIKW6NNRHEGO25POFATUCE252/
[Freeipa-users] Re: Integration of samba into a freeipa trust with AD
On 20/07/2018 at 12:30, Alexander Bokovoy wrote:
> On Fri, 20 Jul 2018, Pierre Labanowski via FreeIPA-users wrote:
> > Hi, everybody,
> >
> > I have a question about the best practice use of freeipa with trust AD and/or sync relationship from winsync users.
> >
> > 1/ trust
> > to set up an smb file sharing service via samba, would you advise to integrate it in the IPA realm or in the AD domain? Both are possible, but why one more than the other? In terms of file access performance (metadata, acl, etc.) managed via the smb protocol, isn't there a drawback related to samba in the IPA realm to serve users who use a windows client?
> Read notes on https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to an Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.
>
> NOTE: When a Windows client accesses shares, the Windows UI will need to be able to resolve SIDs in access control lists. Inability to do so will affect user experience and the way applications are expected to work with the share. A set of experiments in 2017 has demonstrated that Microsoft does not test various fallbacks around this behavior and only considers the path used by the Windows UI to communicate with a Global Catalog service. It is also a 'client-specific' behavior and thus is not subject to protocol interoperability or documented anywhere. While for some applications/use cases it may work, it will not work for many others, thus we cannot really qualify it as a supported solution from the FreeIPA side.
>
> > 2/ winsync
> > do you have the same response arguments in the case of a sync between AD and IPA?
> winsync does not affect your ability to operate a file server for Windows clients because it doesn't help you here at all. It is irrelevant, in other words, to the task.

Sorry, I did not speak well, my questions are mainly about performance, for example during a transfer of many small files. Does SID resolution in ACLs impact performance through IPA integration?
The second question on winsync had the same purpose: knowing whether the user being in IPA or in the trust affects performance.

I will look in detail at the presentation on global catalog.

thx

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/EIYXHSFQ5SIYBOHWLP6UQ4E3RZUNF5IV/
[Freeipa-users] Re: Integration of samba into a freeipa trust with AD
On Fri, 20 Jul 2018, Pierre Labanowski via FreeIPA-users wrote:
> Hi, everybody,
>
> I have a question about the best practice use of freeipa with trust AD and/or sync relationship from winsync users.
>
> 1/ trust
> to set up an smb file sharing service via samba, would you advise to integrate it in the IPA realm or in the AD domain? Both are possible, but why one more than the other? In terms of file access performance (metadata, acl, etc.) managed via the smb protocol, isn't there a drawback related to samba in the IPA realm to serve users who use a windows client?
Read notes on https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

NOTE: Only Kerberos authentication will work when accessing Samba shares using this method. This means that Windows clients not joined to an Active Directory forest trusted by IPA would not be able to access the shares. This is related to SSSD not yet being able to handle NTLMSSP authentication.

NOTE: When a Windows client accesses shares, the Windows UI will need to be able to resolve SIDs in access control lists. Inability to do so will affect user experience and the way applications are expected to work with the share. A set of experiments in 2017 has demonstrated that Microsoft does not test various fallbacks around this behavior and only considers the path used by the Windows UI to communicate with a Global Catalog service. It is also a 'client-specific' behavior and thus is not subject to protocol interoperability or documented anywhere. While for some applications/use cases it may work, it will not work for many others, thus we cannot really qualify it as a supported solution from the FreeIPA side.

> 2/ winsync
> do you have the same response arguments in the case of a sync between AD and IPA?
winsync does not affect your ability to operate a file server for Windows clients because it doesn't help you here at all. It is irrelevant, in other words, to the task.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/T4NVDNJ7CDHIEVERVHBXFBQE22KMSSKS/
[Freeipa-users] Integration of samba into a freeipa trust with AD
Hi, everybody,

I have a question about the best practice use of freeipa with trust AD and/or sync relationship from winsync users.

1/ trust
to set up an smb file sharing service via samba, would you advise to integrate it in the IPA realm or in the AD domain? Both are possible, but why one more than the other? In terms of file access performance (metadata, acl, etc.) managed via the smb protocol, isn't there a drawback related to samba in the IPA realm to serve users who use a windows client?

2/ winsync
do you have the same response arguments in the case of a sync between AD and IPA?

Thx
Pierre

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NFP2REGBDW3U2UFLDBJOKKK6GDTTVBNM/
[Freeipa-users] Re: IPA users and local groups question
Wow thanks for the quick reply Jakub. Much appreciated.

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/5Y6I6YU7N5DWWDHMAIPCCCRB63Q4J5B5/
[Freeipa-users] Re: IPA users and local groups question
On Fri, Jul 20, 2018 at 09:55:37AM -, David McDaniel via FreeIPA-users wrote:
> > I’m afraid the answer is ‘possible in general, but not with the versions
> > you are running’,
> > see https://sourceware.org/glibc/wiki/Proposals/GroupMerging and
> > https://sgallagh.wordpress.com/2016/01/28/remote-group-merging-for-fedora/
> > Jakub
>
> Our use case for group merge functionality is very much as Jeff describes
> above. Have been digging around looking for definitive requirements and
> proper configuration.
> What are the required freeipa/sssd, RHEL and glibc versions for group merging
> functionality? Our IdM servers are RHEL 7.4, freeipa 4.5, sssd 1.16 and
> clients are a mix of RHEL 6.9, 7.2 and 7.4. Thank you

glibc should support this since 7.4:
https://bugzilla.redhat.com/show_bug.cgi?id=1298975

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/INVKAD4MMCJY6YTT5OLNBDKC67IBIK43/
[Freeipa-users] Re: IPA users and local groups question
> I’m afraid the answer is ‘possible in general, but not with the versions you
> are running’,
> see https://sourceware.org/glibc/wiki/Proposals/GroupMerging and
> https://sgallagh.wordpress.com/2016/01/28/remote-group-merging-for-fedora/
> Jakub

Our use case for group merge functionality is very much as Jeff describes above. Have been digging around looking for definitive requirements and proper configuration.

What are the required freeipa/sssd, RHEL and glibc versions for group merging functionality? Our IdM servers are RHEL 7.4, freeipa 4.5, sssd 1.16 and clients are a mix of RHEL 6.9, 7.2 and 7.4.

Thank you

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RSWTDJKSMG3MM23SCRBSQQ3NM24YZEIG/
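The "proper configuration" David asks about, as an added example that is not from the thread: on a glibc with merge support (RHEL 7.4 according to Jakub's reply), the group line in nsswitch.conf needs the [SUCCESS=merge] action between the local files source and sss. The functions below apply that change idempotently to a given file; the file path is a parameter and the demo contents are constructed, so nothing here touches the system's /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example: enable glibc group merging so that a group defined both in
# /etc/group and in IPA (served by sss) has its member lists merged instead
# of the first source that answers winning outright.
# Assumption: glibc understands the [SUCCESS=merge] action (glibc 2.24+,
# backported to RHEL 7.4 per the thread) and the "group" line already uses sss.

# Print the first "group:" line of the given nsswitch.conf (empty if none).
group_line() {
    grep -E '^[[:space:]]*group:' "$1" | head -n 1
}

# Report whether the merge action is already present on the "group" line.
group_merge_enabled() {
    group_line "$1" | grep -q '\[SUCCESS=merge\]'
}

# Rewrite the "group:" line to "group: files [SUCCESS=merge] sss".
# Idempotent: a line that already carries the merge action is left alone.
# Returns 1 if the file has no "group:" line at all, so a caller does not
# silently end up with a file that never consults sss for groups.
enable_group_merge() {
    conf="$1"
    line=$(group_line "$conf")
    [ -n "$line" ] || return 1
    case "$line" in
        *'[SUCCESS=merge]'*) return 0 ;;
    esac
    tmp="$conf.tmp.$$"
    sed -E 's/^([[:space:]]*group:).*$/\1 files [SUCCESS=merge] sss/' "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
}

# Demo on a constructed nsswitch.conf in a temp dir; prints the resulting line.
demo_group_merge() {
    dir=$(mktemp -d)
    conf="$dir/nsswitch.conf"
    printf 'passwd:  files sss\ngroup:   files sss\nshadow:  files sss\n' > "$conf"
    enable_group_merge "$conf" || return 1
    enable_group_merge "$conf" || return 1   # second run must be a no-op
    group_line "$conf"
    rm -rf "$dir"
}
```

Merging only combines the member lists of a group that exists under the same name in both sources; with `getent group <name>` on a client you can confirm the local and IPA members now appear together.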
[Freeipa-users] Re: AD and IPA integration
On Thu, Jul 19, 2018 at 11:13:38PM +0700, Николай Савельев via FreeIPA-users wrote:
> I changed the password of AD users.
> I can't login on ipa servers with the new password, but can with the old. Why?
> I tried restarting ipa services and reinitializing the trust, but it didn't help.

Are you sure sssd is not logging you in offline? sssctl domain-status can tell you the status of the domains.

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/FQY2EY6I52IIKKDYDHDSG4R2I33N5UDE/