[Freeipa-users] Re: Logon returns Insufficient system resources exist to complete the requested service.

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Vex Mage via FreeIPA-users wrote:
> Hello,
> 
>      I've personally been using FreeIPA for some time and I love it
> immensely. I thought I'd start a post here due to the direction my
> troubleshooting has gone instead of the Samba mailing list. Allow me to
> explain what I've done, why I've done it and then the problem I'm having.
> 
>      I just recently started working for a school and the school has
> some Windows labs. A problem that has come to my attention is that the
> OpenLDAP to Samba3 NT4 domain they've been using for years is no longer
> compatible with Windows 10. To dispel any illusion, I'm not trying to
> get the NT4 domain working nice with Windows 10. Additionally Samba4 has
> changed its design structure such that OpenLDAP, or really any LDAP
> server except Samba4's internal LDAP server, will no longer work for the
> Active Directory.
> 
>      The school would like the Windows machines in the labs to
> authenticate students via their OpenLDAP credentials. I am open to
> alternatives but the closest thing I found was adding local users on
> each Windows workstation and having them authenticate to the FreeIPA
> server. The problem here is that users will continually be added and
> deleted. The Samba project would have us go all in with Samba4's
> internal LDAP server. While I'm not directly knocking that, since from
> my testing it seems to be quite functional, the upheaval would be
> tremendous. Fortunately we were already looking into switching to 389
> before I came on so I've been touting the possibility of replacing
> OpenLDAP with FreeIPA before this Samba4 issue. A solution I thought
> should work is to use a trust between a FreeIPA (IPA) and a Samba4
> Active Directory (AD). I've since configured both and have created that
> trust.
> 
>      I have a Windows 10 machine connected to the Samba4 domain. When I
> attempt to logon with an account from the IPA domain I am presented with
> "Insufficient system resources exist to complete the requested service."
> At first I took this message at face value and increased the memory of
> the workstation from which I'm trying to logon. There are few results
> from a Google search about this error without focusing on local memory.
> After reading and troubleshooting I believe this failure may be in
> the Kerberos InitializeSecurityContext function that's producing
> SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and
> seemingly not coming from Samba4 AD.
> 
>      A couple things I've noticed; when I attempt to login as user@ipa
> if the password is wrong Windows tells me my password is incorrect. If I
> use the correct password I'm presented with that "Insufficient system
> resources exist to complete the requested service." The Event Viewer
> only shows me a generic logon error message. When I look at the Kerberos
> logs on both systems I see on AD that the 'Realm not local to KDC' and a
> 'No matching key in entry' but on IPA I see 'Additional
> pre-authentication required', then AS_REQ ISSUE and finally TGS_REQ ISSUE.
> 
>      I continued to do a tcpdump on port 88 to see who was directly
> communicating to the FreeIPA server and I found that the Windows
> workstation was making a direct Kerberos request. I then expanded my
> tcpdump to include all traffic from the workstation and upon another
> logon attempt only port 88 was used to communicate to FreeIPA. I
> therefore think that this is a Kerberos specific problem and not
> necessarily a Samba4 problem. Unfortunately I'm not knowledgeable enough
> in Kerberos to identify what's going on.
> 
>      I don't know what information I should present, such as configs or
> logs. Whatever is needed I can provide. I greatly appreciate any help,
> advice or potentially other non management nightmare solutions! Thank
> you all very much!
> 
> [root@freeipa-dev log]# ipa trustdomain-find ad.school.edu
> 
>   Domain name: ad.school.edu 
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-276971437-2632767696-819257926
>   Domain enabled: True
> 
> Number of entries returned 1
> 

It is probably due to the lack of Global Catalog on the IPA side.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Logon returns Insufficient system resources exist to complete the requested service.

2019-04-17 Thread Vex Mage via FreeIPA-users
Hello,

 I've personally been using FreeIPA for some time and I love it
immensely. I thought I'd start a post here due to the direction my
troubleshooting has gone instead of the Samba mailing list. Allow me to
explain what I've done, why I've done it and then the problem I'm having.

 I just recently started working for a school and the school has some
Windows labs. A problem that has come to my attention is that the OpenLDAP
to Samba3 NT4 domain they've been using for years is no longer compatible
with Windows 10. To dispel any illusion, I'm not trying to get the NT4
domain working nice with Windows 10. Additionally Samba4 has changed its
design structure such that OpenLDAP, or really any LDAP server except
Samba4's internal LDAP server, will no longer work for the Active Directory.

 The school would like the Windows machines in the labs to authenticate
students via their OpenLDAP credentials. I am open to alternatives but the
closest thing I found was adding local users on each Windows workstation
and having them authenticate to the FreeIPA server. The problem here is
that users will continually be added and deleted. The Samba project would
have us go all in with Samba4's internal LDAP server. While I'm not
directly knocking that, since from my testing it seems to be quite
functional, the upheaval would be tremendous. Fortunately we were already
looking into switching to 389 before I came on so I've been touting the
possibility of replacing OpenLDAP with FreeIPA before this Samba4 issue. A
solution I thought should work is to use a trust between a FreeIPA (IPA)
and a Samba4 Active Directory (AD). I've since configured both and have
created that trust.

 I have a Windows 10 machine connected to the Samba4 domain. When I
attempt to logon with an account from the IPA domain I am presented with
"Insufficient system resources exist to complete the requested service." At
first I took this message at face value and increased the memory of the
workstation from which I'm trying to logon. There are few results from a
Google search about this error without focusing on local memory. After
reading and troubleshooting I believe this failure may be in the
Kerberos InitializeSecurityContext function that's producing
SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and
seemingly not coming from Samba4 AD.

 A couple things I've noticed; when I attempt to login as user@ipa if
the password is wrong Windows tells me my password is incorrect. If I use
the correct password I'm presented with that "Insufficient system resources
exist to complete the requested service." The Event Viewer only shows me a
generic logon error message. When I look at the Kerberos logs on both
systems I see on AD that the 'Realm not local to KDC' and a 'No matching
key in entry' but on IPA I see 'Additional pre-authentication required',
then AS_REQ ISSUE and finally TGS_REQ ISSUE.

 I continued to do a tcpdump on port 88 to see who was directly
communicating to the FreeIPA server and I found that the Windows
workstation was making a direct Kerberos request. I then expanded my
tcpdump to include all traffic from the workstation and upon another logon
attempt only port 88 was used to communicate to FreeIPA. I therefore think
that this is a Kerberos specific problem and not necessarily a Samba4
problem. Unfortunately I'm not knowledgeable enough in Kerberos to identify
what's going on.

 I don't know what information I should present, such as configs or
logs. Whatever is needed I can provide. I greatly appreciate any help,
advice or potentially other non management nightmare solutions! Thank you
all very much!

[root@freeipa-dev log]# ipa trustdomain-find ad.school.edu
  Domain name: ad.school.edu
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-276971437-2632767696-819257926
  Domain enabled: True

Number of entries returned 1



-- 
Vex


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher wrote:
> On 4/17/19 9:45 AM, Rob Crittenden wrote:
>> https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
> 
> That page says:
> 
>  The following procedure is only applicable to FreeIPA 3.2.1 or older.
>  Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a
>  part of preparing a replica info file by using ipa-replica-prepare
> 
> So it's really not clear what one is supposed to do for 4.6.
> 

Sorry, I guess it's not clear that in subsequent versions you just need
to follow
https://directory.fedoraproject.org/docs/389ds/howto/howto-resetdirmgrpassword.html

I'll see about clarifying that.

rob


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/17/19 9:45 AM, Rob Crittenden wrote:

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password


That page says:

 The following procedure is only applicable to FreeIPA 3.2.1 or older.
 Since FreeIPA 3.2.2 (and ticket #3594), the procedure is automated as a
 part of preparing a replica info file by using ipa-replica-prepare

So it's really not clear what one is supposed to do for 4.6.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Password expired

2019-04-17 Thread dbischof--- via FreeIPA-users

Hi Mustafa,

On Wed, 17 Apr 2019, mustafa taha via FreeIPA-users wrote:


I want to ask if there is a way that allows the admin to provide an account with
a password that expires after a certain time, and after a certain time
the password will not be valid. I see there is a field named "Password
expiration"; how can I control it for a specified user?


you could create a new group and set the desired "Max lifetime" in "Policy" ->
"Password Policies" for this group. If you add users to this group, their
(next) password will expire after whatever you set as "Max lifetime", instead
of the default 180 days.


Mit freundlichen Gruessen/With best regards,

--Daniel.


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote:
> On 4/16/19 10:14 PM, Rob Crittenden wrote:
>> It isn't a huge deal to change the DM password but in practice you'd
>> want to do it on all masters (not replicated) so while not the end of
>> the world it can be at best annoying.
> 
> We'll only have a single master, so that doesn't sound too bad.
> 
>> Though with root DM can be reset so with having a crappy root password
>> in effect it doesn't matter what DM is (e.g. someone could already have
>> the keys to the Kingdom).
> 
> Right.  I'm hoping to tighten up the root/admin password situation, but
> that will have to wait until I can get some consensus from the remainder
> of my team.  Changing those passwords is a known, straightforward
> process, though.
> 
> In contrast, a fair bit of Googling leaves me unsure what the DM
> password change procedure even is for IPA 4.6.
> 
>> I'd set both to something(s) you can remember. When you need it the last
>> thing you'll want to do is run around resetting it.
> 
> My experience is that the Directory Manager password is used very
> infrequently, so the odds of remembering it (if it is different than the
> admin password) are very low.
> 

https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

rob


[Freeipa-users] Re: Password expired

2019-04-17 Thread Rob Crittenden via FreeIPA-users
François Cami via FreeIPA-users wrote:
> Hi,
> 
> On Wed, Apr 17, 2019 at 4:33 PM mustafa taha via FreeIPA-users
>  wrote:
>>
>> Hi
>>
>> I want to ask if there is a way that allows the admin to provide an account
>> with a password that expires after a certain time, and after a certain
>> time the password will not be valid.
>> I see there is a field named "Password expiration"; how can I control it
>> for a specified user?
> 
> "ipa help commands" would list all the commands you can use.
> 
> I think what you want to achieve can be done with:
> "ipa user-mod LOGIN --password-expiration=DATETIME"

Or if you want the account to be not usable at all after a certain date
use --principal-expiration=DATETIME.

rob
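
The three controls suggested in this thread (a group password policy with a shorter "Max lifetime", `--password-expiration`, and `--principal-expiration`), shown side by side as an added example that is not part of any poster's message. The logins, group name, dates and priority are constructed placeholders, and `run`, `gentime`, `expire_user` and `short_lived_group` are helper names made up for this sketch; commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the thread): the expiry controls discussed above,
# expressed as ipa commands. All names and dates are constructed placeholders.
# Commands are printed by default; DRY_RUN=0 executes them, which needs the
# ipa client tools and an admin Kerberos ticket.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert "YYYY-MM-DD hh:mm:ss" (interpreted as UTC) to LDAP generalized
# time, one of the DATETIME formats the ipa CLI accepts.
gentime() {
    date -u -d "$1" +%Y%m%d%H%M%SZ
}

# Per-user control. $2: when the current password stops being valid.
# Optional $3: when the whole account (Kerberos principal) stops working.
expire_user() {
    login=$1
    pw_exp=$(gentime "$2") || return 1
    if [ -n "${3:-}" ]; then
        acct_exp=$(gentime "$3") || return 1
        run ipa user-mod "$login" --password-expiration="$pw_exp" \
            --principal-expiration="$acct_exp"
    else
        run ipa user-mod "$login" --password-expiration="$pw_exp"
    fi
}

# Per-group control: a password policy with a shorter maximum lifetime.
# It takes effect for a member's next password, not the current one.
# $1 group, $2 max lifetime in days, $3 policy priority, rest: logins.
short_lived_group() {
    group=$1 days=$2 prio=$3
    shift 3
    case $days in
        ''|*[!0-9]*) echo "max lifetime must be whole days" >&2; return 1 ;;
    esac
    run ipa group-add "$group"
    run ipa pwpolicy-add "$group" --maxlife="$days" --priority="$prio"
    for login in "$@"; do
        run ipa group-add-member "$group" --users="$login"
    done
}

# Dry-run demonstration with constructed values.
expire_user tempuser '2019-06-30 23:59:59' '2019-07-31 00:00:00'
short_lived_group temps 30 10 tempuser
```
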


[Freeipa-users] Re: Password expired

2019-04-17 Thread François Cami via FreeIPA-users
Hi,

On Wed, Apr 17, 2019 at 4:33 PM mustafa taha via FreeIPA-users
 wrote:
>
> Hi
>
> I want to ask if there is a way that allows the admin to provide an account with
> a password that expires after a certain time, and after a certain time
> the password will not be valid.
> I see there is a field named "Password expiration"; how can I control it for
> a specified user?

"ipa help commands" would list all the commands you can use.

I think what you want to achieve can be done with:
"ipa user-mod LOGIN --password-expiration=DATETIME"

François



[Freeipa-users] Password expired

2019-04-17 Thread mustafa taha via FreeIPA-users
Hi  

I want to ask if there is a way that allows the admin to provide an account with
a password that expires after a certain time, and after a certain time the
password will not be valid.
I see there is a field named "Password expiration"; how can I control it for
a specified user?


[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Ian Pilcher via FreeIPA-users

On 4/16/19 10:14 PM, Rob Crittenden wrote:

It isn't a huge deal to change the DM password but in practice you'd
want to do it on all masters (not replicated) so while not the end of
the world it can be at best annoying.


We'll only have a single master, so that doesn't sound too bad.


Though with root DM can be reset so with having a crappy root password
in effect it doesn't matter what DM is (e.g. someone could already have
the keys to the Kingdom).


Right.  I'm hoping to tighten up the root/admin password situation, but
that will have to wait until I can get some consensus from the remainder
of my team.  Changing those passwords is a known, straightforward
process, though.

In contrast, a fair bit of Googling leaves me unsure what the DM
password change procedure even is for IPA 4.6.


I'd set both to something(s) you can remember. When you need it the last
thing you'll want to do is run around resetting it.


My experience is that the Directory Manager password is used very
infrequently, so the odds of remembering it (if it is different than the
admin password) are very low.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 



[Freeipa-users] Re: Best practice backuping freeipa in docker

2019-04-17 Thread Petar Kozić via FreeIPA-users
Thank you !

*—*

*Petar Kozić*


On April 17, 2019 at 10:07:18 AM, Brian Topping (brian.topp...@gmail.com)
wrote:

Hi Petar, I’m sorry I can’t be of more help. Backups are something I’m
presently working on, but starting with the persistent volumes underlying
all containers rather than the specifics of a container. Once I get that
working, I’m going to look at each container to figure out snapshot
specifics like this.

In general, I’m planning to snapshot inside the container as a local cron
job, then back up the persistent volume without too much regard for its
state when the backup happens. On restore, the data may be considered
corrupt until it is reset to the last snapshot, but this decouples the
in-container semantics from the persistent volume processes.

It’s very database-specific what this means in real life, having a lot of
snapshots in a database can sometimes mean that database gets huge. This
may or may not be a problem for different organizations because if the
snapshots are copy-on-write and the copies are separate files, an
incremental backup program can easily see that the base files did not
change.

I was not aware there were scripts in existence, I’ll definitely want to
look at them before too long.

Sent from my iPhone

On Apr 17, 2019, at 00:54, Petar Kozić  wrote:

Brian,
thank you very much for the answer.
Can you tell me how I can check whether the 389 DB is consistent, and can I use
the freeipa backup scripts for DB backup in docker, or is that unnecessary?


*—*

*Petar Kozić*


On April 16, 2019 at 7:17:56 PM, Brian Topping (brian.topp...@gmail.com)
wrote:

On Apr 16, 2019, at 5:58 AM, Petar Kozić via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

Hi folks.
I’m using freeipa in docker on one VM machine and for now I am satisfied with how
that works, but I am worried about backup.
Can someone tell me what the best practice is for backing up ipa which works in
docker?


One upside of Docker is a very clear picture of what will be saved across
reboots. If the container reboots cleanly, the saved data must (by
definition) be on a persistent volume somewhere. (I’m sure as soon as I say
that, someone will have an exception to such a rule of thumb, but it works
for me…)

When backing up databases, the key is to generate some kind of checkpoint.
Regardless of the state your backup software catches the data when it does
its pass, the checkpoint is a state that the database is internally
consistent. For the most part, files outside the 389 database are
configuration oriented and will not be changing with a running system.
Other organizations use things like Git to store configurations to even
avoid that problem.

tl;dr: Checkpoint the database before you back up, and you should be fine.


[Freeipa-users] Re: Best practice backuping freeipa in docker

2019-04-17 Thread Brian Topping via FreeIPA-users
Hi Petar, I’m sorry I can’t be of more help. Backups are something I’m 
presently working on, but starting with the persistent volumes underlying all 
containers rather than the specifics of a container. Once I get that working, 
I’m going to look at each container to figure out snapshot specifics like this. 

In general, I’m planning to snapshot inside the container as a local cron job, 
then back up the persistent volume without too much regard for its state when 
the backup happens. On restore, the data may be considered corrupt until it is 
reset to the last snapshot, but this decouples the in-container semantics from 
the persistent volume processes. 

It’s very database-specific what this means in real life, having a lot of 
snapshots in a database can sometimes mean that database gets huge. This may or 
may not be a problem for different organizations because if the snapshots are 
copy-on-write and the copies are separate files, an incremental backup program 
can easily see that the base files did not change. 

I was not aware there were scripts in existence, I’ll definitely want to look 
at them before too long. 

Sent from my iPhone

> On Apr 17, 2019, at 00:54, Petar Kozić  wrote:
> 
> Brian,
> thank you very much for the answer.
> Can you tell me how I can check whether the 389 DB is consistent, and can I use
> the freeipa backup scripts for DB backup in docker, or is that unnecessary?
> 
> 
> —
> 
> Petar Kozić
> 
> 
>> On April 16, 2019 at 7:17:56 PM, Brian Topping (brian.topp...@gmail.com) 
>> wrote:
>> 
>>> On Apr 16, 2019, at 5:58 AM, Petar Kozić via FreeIPA-users 
>>>  wrote:
>>> 
>>> Hi folks.
>>> I’m using freeipa in docker on one VM machine and for now I am satisfied with how
>>> that works, but I am worried about backup.
>>> Can someone tell me what the best practice is for backing up ipa which works in
>>> docker?
>> 
>> One upside of Docker is a very clear picture of what will be saved across 
>> reboots. If the container reboots cleanly, the saved data must (by 
>> definition) be on a persistent volume somewhere. (I’m sure as soon as I say 
>> that, someone will have an exception to such a rule of thumb, but it works 
>> for me…)
>> 
>> When backing up databases, the key is to generate some kind of checkpoint. 
>> Regardless of the state your backup software catches the data when it does 
>> its pass, the checkpoint is a state that the database is internally
>> consistent. For the most part, files outside the 389 database are 
>> configuration oriented and will not be changing with a running system. Other 
>> organizations use things like Git to store configurations to even avoid that 
>> problem.
>> 
>> tl;dr: Checkpoint the database before you back up, and you should be fine.


[Freeipa-users] Re: Best practice backuping freeipa in docker

2019-04-17 Thread Petar Kozić via FreeIPA-users
Brian,
thank you very much for the answer.
Can you tell me how I can check whether the 389 DB is consistent, and can I use
the freeipa backup scripts for DB backup in docker, or is that unnecessary?


*—*

*Petar Kozić*


On April 16, 2019 at 7:17:56 PM, Brian Topping (brian.topp...@gmail.com)
wrote:

On Apr 16, 2019, at 5:58 AM, Petar Kozić via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

Hi folks.
I’m using freeipa in docker on one VM machine and for now I am satisfied with how
that works, but I am worried about backup.
Can someone tell me what the best practice is for backing up ipa which works in
docker?


One upside of Docker is a very clear picture of what will be saved across
reboots. If the container reboots cleanly, the saved data must (by
definition) be on a persistent volume somewhere. (I’m sure as soon as I say
that, someone will have an exception to such a rule of thumb, but it works
for me…)

When backing up databases, the key is to generate some kind of checkpoint.
Regardless of the state your backup software catches the data when it does
its pass, the checkpoint is a state that the database is internally
consistent. For the most part, files outside the 389 database are
configuration oriented and will not be changing with a running system.
Other organizations use things like Git to store configurations to even
avoid that problem.

tl;dr: Checkpoint the database before you back up, and you should be fine.


[Freeipa-users] Re: KDE administration not working for freeipa user

2019-04-17 Thread Sumit Bose via FreeIPA-users
On Tue, Apr 16, 2019 at 07:49:40PM -0700, Brian Watson | Watsontech.net via 
FreeIPA-users wrote:
> Hello,
> 
> I have freeipa server (centos7) setup. I installed freeipa-client on my KDE
> Neon laptop. I can sign in with my freeipa user and am able to use sudo.
> But when asked for password whilst doing KDE administration, it does not
> work.
> 
> Any logs I should check?

Hi,

maybe you can check if there are PAM-related messages in /var/log/secure or
the journal around the time you are giving the password for KDE
administration. If e.g. a special PAM service is used by KDE and you are
using HBAC you might need to add this service to a rule which allows
access.

HTH

bye,
Sumit
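
The check suggested above, as an added example that is not part of the original message: pull the PAM service name out of pam_sss denial lines, then print the HBAC commands to confirm the denial and allow that service. The log lines are constructed samples; `kde-example` is a made-up PAM service name, and the user, host and rule names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). The sample lines are constructed in the
# format pam_sss writes to /var/log/secure or the journal. "kde-example" is a
# hypothetical PAM service name; jdoe, the host and the rule are placeholders.

sample_log() {
cat <<'EOF'
Apr 16 19:40:01 laptop sudo: pam_sss(sudo:auth): authentication success; logname=jdoe uid=1000 euid=0 tty=/dev/pts/1 ruser=jdoe rhost= user=jdoe
Apr 16 19:41:12 laptop helper[2211]: pam_sss(kde-example:auth): authentication success; logname= uid=1000 euid=0 tty= ruser= rhost= user=jdoe
Apr 16 19:41:12 laptop helper[2211]: pam_sss(kde-example:account): Access denied for user jdoe: 6 (Permission denied)
EOF
}

# Read log text on stdin and print "service user" once per account-phase
# denial. A successful auth followed by an account denial means the password
# was accepted and access control (such as HBAC) refused that PAM service.
denied_services() {
    sed -n 's/.*pam_sss(\([^:)]*\):account): Access denied for user \([^:]*\):.*/\1 \2/p' |
        sort -u
}

# For each "service user" pair on stdin, print the commands that test the
# HBAC decision, register the service, and add it to an allow rule.
# $1: client host name as known to IPA, $2: existing HBAC rule to extend.
hbac_plan() {
    host=$1 rule=$2
    while read -r svc user; do
        printf 'ipa hbactest --user=%s --host=%s --service=%s\n' "$user" "$host" "$svc"
        printf 'ipa hbacsvc-add %s\n' "$svc"
        printf 'ipa hbacrule-add-service %s --hbacsvcs=%s\n' "$rule" "$svc"
    done
}

# Demonstration on the constructed sample.
sample_log | denied_services | hbac_plan laptop.example.test allow_desktop_admin
```

On a live client, feed `denied_services` the journal or auth log instead of `sample_log`, and review the printed commands before running them on the IPA server.
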
