[Freeipa-users] Disaster Recovery Architecture for IPA servers setup replicating in full mesh
Hi All,

Could anyone please share a Disaster Recovery Architecture for IPA servers setup replicating in full mesh with the details of backup and restore procedure.

Regards,
sgarg

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: ipa-client password
On 11/2/19 6:04 AM, TomK via FreeIPA-users wrote:
> Hey All,
>
> Given a line like this:
>
> ipa-client-install --force-join -p admin -w "*" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
>
> 1) Is there a way to pull the password from a safe store before passing it in or pull from a safe store directly? or
> 2) Can I specify an unprivileged user to register with? or
> 3) Register without the use of a password?

Hi,

there are multiple ways to authenticate when installing a client:
- using the admin user/pwd as you wrote above
- using a different user, with Enrollment Administrator Role.
- using a random one-time password pre-generated on the server
- using client principal from the previous enrollment

Please see the chapter "An overview of the Identity Management client installation options" [1] for more details.

If you don't want to disclose the admin password, the preferred method would be the one-time password:

1- pre-create the host entry with
$ ipa host-add client.domain.com --random
This command must be run on a machine already enrolled (for instance the server) and needs an authenticated user with the IT Specialist role or part of the admins group. The output of the command provides the random password.

2- Use this random password in
$ ipa-client-install --password pwd
This command can be run by any user on the machine to be enrolled, provided he knows the random password.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/installing-an-ipa-client-basic-scenario_installing-identity-management#overview-of-the-ipa-client-installation-options

> Looking to register clients in ways that don't reveal any account passwords with which the registration has occurred.
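The one-time-password enrollment flo describes, as an added example script that is not from the thread. It assumes the output of `ipa host-add client.domain.com --random` was saved to a root-only file on the client, that the OTP appears on that output's `Random password:` line, and it reuses the servers, domain and realm from TomK's command line; the sample output embedded for the self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): enroll a client with a pre-generated
# one-time password (OTP) instead of the admin password, as flo describes.
# Assumptions: the OTP was created on an already-enrolled host with
#   ipa host-add client.domain.com --random
# and that command's output was copied to a root-only file on the client;
# "Random password:" is the attribute label that output contains.

# Extract the OTP from saved `ipa host-add --random` output.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' "$1" | head -n 1
}

# The OTP is a credential: refuse a file that has any group/other read bit.
otp_file_is_private() {
    [ -r "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Enroll using the OTP; servers, domain and realm are the ones from the
# original question. No admin credential is needed on the client.
enroll_with_otp() {
    otp_file_is_private "$1" || { echo "refusing: $1 is readable by others" >&2; return 1; }
    otp=$(extract_otp "$1")
    [ -n "$otp" ] || { echo "no 'Random password:' line in $1" >&2; return 1; }
    ipa-client-install --password "$otp" \
        --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz \
        --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
}

# Constructed sample of `ipa host-add --random` output (not real output).
sample_hostadd_output() {
    cat <<'EOF'
------------------------------
Added host "client.domain.com"
------------------------------
  Host name: client.domain.com
  Random password: 9FKXUzw6qfV1hOOc
  Password: True
  Keytab: False
  Managed by: client.domain.com
EOF
}

# Parse the constructed sample through a 0600 temp file; prints the OTP.
demo_extract() {
    tmp=$(mktemp) && sample_hostadd_output > "$tmp" && chmod 600 "$tmp" || return 1
    extract_otp "$tmp"
    rm -f "$tmp"
}
```

Run `enroll_with_otp /root/client-otp.txt` on the machine to be enrolled; the admin password never leaves the server side.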
[Freeipa-users] remove self service privileges/permissions for specific users
Hello,

I would like to be able to create a small number of user accounts which are not able to perform any self service (change passwd, set ssh pub keys), while leaving the default self service abilities enabled for most users.

It appears that it is not possible to remove or negate permissions via privileges or roles. It also appears that it is not possible to remove the global self service privileges and replace them with a role as it isn't possible to constrain generic privileges to "self". Is that correct?

Is there any existing way to achieve non-self-service users?

Thanks,
-Josh
[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
Hello Wulf,

Oh yes, in your case, the slapd directory server is started but seems not listening on 389/636, according to the log file.

On another further look, yes, you are right, the stack trace looks different from the one in Pagure.

As a side note, I had tried to install the jss rpm from updates-testing channel (according to Bugzilla #1766451). One of the replica servers can complete the ipa-server-upgrade but the pki-tomcat failed to function properly. I had mentioned it in another mail: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/4HJSWIJQQYZQXUCEDUNZGPEKMOE7Z3MD/

Best regards,
Patrick

On Sun, Nov 3, 2019 at 6:16 PM Wulf C. Krueger wrote:
> Hello Patrick,
>
> On 2019-11-02 20:54, Patrick Dung via FreeIPA-users wrote:
> > I was having the same problem about three days ago.
> > Related thread in:
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WLBFHI266KKHLF6G2UC4MHR4OLCLR45S/
>
> Thanks, I saw that thread while searching but (possibly wrongly) thought it was a similar but ultimately different problem because as you write there "I am able to connect to my ldap server port 636 with TLS without problem." - which I most certainly am not. There's not even anything listening on 636.
>
> And the stack traces seem different as well.
>
> A rather huge difference as well: In the pagure issue, the PKI server is running whereas mine at least consistently refuses to start.
>
> Best regards, Wulf
[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
Hello Patrick,

On 2019-11-02 20:54, Patrick Dung via FreeIPA-users wrote:
> I was having the same problem about three days ago.
> Related thread in:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/WLBFHI266KKHLF6G2UC4MHR4OLCLR45S/

Thanks, I saw that thread while searching but (possibly wrongly) thought it was a similar but ultimately different problem because as you write there "I am able to connect to my ldap server port 636 with TLS without problem." - which I most certainly am not. There's not even anything listening on 636.

And the stack traces seem different as well.

A rather huge difference as well: In the pagure issue, the PKI server is running whereas mine at least consistently refuses to start.

Best regards, Wulf
[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
Hello Alexander,

On 2019-11-03 10:08, Alexander Bokovoy via FreeIPA-users wrote:
> This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1766451
> Do you have updates-testing repository enabled? It should provide an update for jss package.

Thanks for the suggestion! Unfortunately, updating to the newer jss (jss-4.6.2-2.fc31.x86_64) didn't fix my issue. Reading 1766451 it seems to be different from what I'm seeing.

Best regards, Wulf
[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
On la, 02 marras 2019, Wulf C. Krueger via FreeIPA-users wrote:
> Hello,
>
> my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start:
>
> # ipactl start
> IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
> Aborting ipactl
>
> Logs:
> ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log
> pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomc...@pki-tomcat.log
> pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log
>
> So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dir...@mailstation-de.log
>
> There's nothing listening on ports 389 and 636, though.
>
> Help would be highly appreciated.

This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1766451

Do you have updates-testing repository enabled? It should provide an update for jss package.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland