[Freeipa-users] FreeIPA with multiple domains not mappings ids correctly on NFS
Hello,

I’ve got a FreeIPA setup where I have multiple domains for client machines depending on their geography. For example, ca.example.com and ny.example.com. I have an NFS server in nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and ca.example.com.

Users in ny.example.com show files owner:group just fine, but for users in ca.example.com everything on the NFS server shows nobody:nogroup or nobody:4294967294.

On the clients I’m seeing this issue on I see these error messages in the log:

Oct 4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name 'u...@ny.example.com' does not map into domain 'ca.example.com'

I did some googling and people are saying to add the domain to /etc/idmapd.conf, but since I already have multiple domains (3 actually) I don’t see how this will work for all instances unless I can add multiple domains. I don’t see an obvious way to add multiple domains.

Is there a clean way to handle this?

-Kevin
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: Remove stale server entry from LDAP
Angus Clarke via FreeIPA-users wrote:
> Hi all
>
> After decommissioning 2 IPA servers some time back (reduced from 8 to 6)
> I recently noticed that one of the decommissioned servers still appears
> when issuing commands like "ipa server-find." It only appears on 2 of
> the existing servers, not the other 4.
>
> "ipa server-del" and "ipa-replica-manage del" both report "server not
> found" for the decomm'ed server entry, when issued on any of the 6 IPA
> servers.
>
> So I suspect I have some stale LDAP entry left behind from the
> decommission process (I forget exactly what process I followed, it was
> over a year ago) and was thinking about deleting that entry from LDAP.
>
> Not having much familiarity with LDAP, I found a post here from the
> venerable Rob which tells me how to find such entries (with a bit of
> fumbling with grep!) and indeed I see the entry on the 2 IPA servers but
> not the other 4.
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00089.html
>
>
> [root@ipa6 ~]# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=dom
> "krbprincipalkey=*" dn 2>/dev/null | grep ipa7.example.dom
> # ipa7.example.dom + 9554ab01-42e811e8-a6dce53f-3a18cb6e, computers, acc
> dn: fqdn=ipa7.example.dom+nsuniqueid=9554ab01-42e811e8-a6dce53f-3a18cb6

This is a replication conflict entry. You can use ldapdelete or ldapmodify to remove it.

rob
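Added example, not part of Rob's reply or of the thread: the grep output quoted above cuts the conflict DN short, and ldapdelete needs the complete DN. The sketch below unfolds the LDIF continuation lines that ldapsearch emits and prints one ldapdelete command per conflict entry for review without running anything. The nsuniqueid in the sample is a constructed placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: ldapsearch LDIF output in which a long conflict DN has
# been folded onto a continuation line (leading space), plus a normal host.
# The nsuniqueid value is a placeholder, not the one from the thread.
sample_ldif() {
cat <<'EOF'
dn: fqdn=ipa1.example.dom,cn=computers,cn=accounts,dc=dom

dn: fqdn=ipa7.example.dom+nsuniqueid=00000000-00000000-00000000-0000000
 0,cn=computers,cn=accounts,dc=dom

EOF
}

# Unfold LDIF: a line that starts with one space continues the previous line.
# Base64-encoded DNs ("dn:: ...") are not decoded here.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# Print the full DN of every replication conflict entry, recognised by the
# "+nsuniqueid=" component that the directory server adds to its RDN.
conflict_dns() {
    unfold_ldif | sed -n 's/^dn: \(.*+nsuniqueid=.*\)$/\1/p'
}

# Emit one ldapdelete command per conflict DN for review; nothing is executed.
delete_commands() {
    conflict_dns | while IFS= read -r dn; do
        printf "ldapdelete -Y GSSAPI '%s'\n" "$dn"
    done
}

sample_ldif | delete_commands
```

In practice the input would be the ldapsearch output piped into `delete_commands` in place of `sample_ldif`; passing `-o ldif-wrap=no` to ldapsearch avoids the folding in the first place.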
[Freeipa-users] Remove stale server entry from LDAP
Hi all

After decommissioning 2 IPA servers some time back (reduced from 8 to 6) I recently noticed that one of the decommissioned servers still appears when issuing commands like "ipa server-find." It only appears on 2 of the existing servers, not the other 4.

"ipa server-del" and "ipa-replica-manage del" both report "server not found" for the decomm'ed server entry, when issued on any of the 6 IPA servers.

So I suspect I have some stale LDAP entry left behind from the decommission process (I forget exactly what process I followed, it was over a year ago) and was thinking about deleting that entry from LDAP.

Not having much familiarity with LDAP, I found a post here from the venerable Rob which tells me how to find such entries (with a bit of fumbling with grep!) and indeed I see the entry on the 2 IPA servers but not the other 4.
https://www.redhat.com/archives/freeipa-users/2015-December/msg00089.html

[root@ipa6 ~]# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=dom "krbprincipalkey=*" dn 2>/dev/null | grep ipa7.example.dom
# ipa7.example.dom + 9554ab01-42e811e8-a6dce53f-3a18cb6e, computers, acc
dn: fqdn=ipa7.example.dom+nsuniqueid=9554ab01-42e811e8-a6dce53f-3a18cb6

Assuming this is the right thing to do, I could do with some advice on how to delete this entry from the 2 LDAP servers.

Thanks in advance
Angus
[Freeipa-users] Re: Migration FreeIPA to another server
Hi,

On Fri, Oct 4, 2019 at 8:51 AM Petar Kozić via FreeIPA-users wrote:
>
> Ok, can someone share some relevant information about this, how I can do that?
> Some step-by-step guide or similar?

The official documentation is available at:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-replica

The same steps would apply to RHEL8-based replica as well.

Please do not uninstall your first IPA master and recycle your container before all its roles are migrated over. For instance please install your replica with a CA, and a KRA if you've installed this as well.

HTH
François

> Thanks.
>
> —
> Petar Kozic
>
> > Hello,
> >
> > AFAIK you should create a replica on the VPS (with all the IPA services that
> > have the actual server) and once it will be ready, you should decommission
> > the actual server.
> >
> > Thanks & Regards.
[Freeipa-users] Re: Migration FreeIPA to another server
Ok, can someone share some relevant information about this, how I can do that? Some step-by-step guide or similar?

Thanks.

*—*
*Petar Kozic*

Hello,

AFAIK you should create a replica on the VPS (with all the IPA services that have the actual server) and once it will be ready, you should decommission the actual server.

Thanks & Regards.