[Freeipa-users] Re: files to omit from backup

2020-02-03 Thread François Cami via FreeIPA-users
On Mon, Feb 3, 2020 at 10:07 PM Robbie Harwood via FreeIPA-users wrote:
>
> Charles Hedrick via FreeIPA-users writes:
>
> > We currently do rsync backups of our server. On an MIT server, you’d
> > want to omit the stash file. But IPA doesn’t use that. Is there
> > anything like that that should be omitted? I’m not sure just how
> > freeipa bootstraps trust when it starts up.
>
> In IPA, we're storing all Kerberos data in LDAP (389ds with a custom
> KDB).  So you'll want to be careful around that - I can't speak to how
> the LDAP storage works, though.

Indeed. Charles, you might want to have a look at:
https://www.freeipa.org/page/Backup_and_Restore

Best regards,
François

> Thanks,
> --Robbie
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: files to omit from backup

2020-02-03 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick via FreeIPA-users writes:

> We currently do rsync backups of our server. On an MIT server, you’d
> want to omit the stash file. But IPA doesn’t use that. Is there
> anything like that that should be omitted? I’m not sure just how
> freeipa bootstraps trust when it starts up.

In IPA, we're storing all Kerberos data in LDAP (389ds with a custom
KDB).  So you'll want to be careful around that - I can't speak to how
the LDAP storage works, though.

Thanks,
--Robbie




[Freeipa-users] Framework Use of GSS Proxy

2020-02-03 Thread TC Johnson via FreeIPA-users
Hi,

I'm looking to understand a little better how the framework is using GSS Proxy 
to authenticate the user who is accessing the tools. The information here 
(https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation) is nice and 
I've been reading through the numerous libraries, python files, and configs... 
but I can't find how they are telling the WSGI app to use GSS to impersonate.

Any guidance is appreciated, reading suggestions, examples, what have you :)


[Freeipa-users] Re: Freeipa unicodepwd generator

2020-02-03 Thread Alexander Bokovoy via FreeIPA-users
I'm currently flying back from FOSDEM, so please forgive me for a short answer,
but I do not recommend that you add unicodepwd storage. That most likely will
not help you and will only complicate things when we merge the global catalog
work we do.

There are still missing parts in FreeIPA and Samba that would help make the
two-way trust part work properly. Adding unicodepwd is not one of them, for sure.

- Lucas Diedrich via FreeIPA-users wrote:
> Rob, can you confirm if this website https://www.freeipa.org/page/Build is
> the default guide for building freeipa?
> 
> On Thu, Jan 30, 2020 at 16:34, Rob Crittenden wrote:
> 
> > Lucas Diedrich wrote:
> > > Rob, is this what you're talking about?
> > > https://github.com/freeipa/freeipa/tree/master/daemons/ipa-slapi-plugins ?
> >
> > Yes, in ipa-pwd-extop. When a password change comes in we grab the
> > cleartext and generate the other keys from it so that all the passwords
> > in IPA are in sync.
> >
> > rob
> >
> > >
> > >
> > >
> > > On Thu, Jan 30, 2020 at 15:41, Rob Crittenden wrote:
> > >
> > > Lucas Diedrich via FreeIPA-users wrote:
> > > > Thanks RC, right now I'm using lsc-project.org
> > > > for that, it has some technical flaws but actually works.
> > > >
> > > > I thought about migrating all users to AD and use PassSync to
> > > > replicate the password but I didn't know that it was closed to Red Hat
> > > > subscription. Also thought about creating the plugin over
> > > > Directory 389 but the documentation doesn't seem easy to do.
> > > >
> > > > Actually I'm struggling to maintain my FreeIPA server with 11k
> > > > users as the principal manager over here.
> > >
> > > You could probably extend the IPA password plugin to write the
> > > UnicodePwd attribute in the correct format. There are existing
> > > examples in the code such as setting the sambaNTPassword attribute.
> > >
> > > rob
> > >
> > > >
> > > > Thanks.
> > > >
> > > >
> > > >
> > > > On Wed, Jan 29, 2020 at 15:59, Rob Crittenden wrote:
> > > >
> > > > LUCAS GUILHERME DIEDRICH via FreeIPA-users wrote:
> > > > > Hello guys, is there any chance that, when storing the password in
> > > > > freeipa, it generates a password in the unicodepwd format?
> > > >
> > > > No, it is not supported currently.
> > > >
> > > > >
> > > > > I'm still trying to replicate some users from freeipa to AD, I
> > > > > would like to maintain my FreeIPA as the principal manager for
> > > > > users and groups.
> > > >
> > > > How are you replicating IPA users to AD?
> > > >
> > > > rob
> > > >

-- 
/ Alexander Bokovoy


[Freeipa-users] Re: Freeipa unicodepwd generator

2020-02-03 Thread François Cami via FreeIPA-users
On Mon, Feb 3, 2020 at 6:43 PM Lucas Diedrich via FreeIPA-users wrote:
>
> Rob, can you confirm if this website https://www.freeipa.org/page/Build is
> the default guide for building freeipa?

Yes, this is the case.
On Fedora 31 the COPR step is not needed.


> On Thu, Jan 30, 2020 at 16:34, Rob Crittenden wrote:
>>
>> Lucas Diedrich wrote:
>> > Rob, is this what you're talking about?
>> > https://github.com/freeipa/freeipa/tree/master/daemons/ipa-slapi-plugins ?
>>
>> Yes, in ipa-pwd-extop. When a password change comes in we grab the
>> cleartext and generate the other keys from it so that all the passwords
>> in IPA are in sync.
>>
>> rob
>>
>> >
>> >
>> >
>> > On Thu, Jan 30, 2020 at 15:41, Rob Crittenden wrote:
>> >
>> > Lucas Diedrich via FreeIPA-users wrote:
>> > > Thanks RC, right now I'm using lsc-project.org
>> > > for that, it has some technical flaws but actually works.
>> > >
>> > > I thought about migrating all users to AD and use PassSync to
>> > > replicate the password but I didn't know that it was closed to Red Hat
>> > > subscription. Also thought about creating the plugin over
>> > > Directory 389 but the documentation doesn't seem easy to do.
>> > >
>> > > Actually I'm struggling to maintain my FreeIPA server with 11k
>> > > users as the principal manager over here.
>> >
>> > You could probably extend the IPA password plugin to write the
>> > UnicodePwd attribute in the correct format. There are existing examples
>> > in the code such as setting the sambaNTPassword attribute.
>> >
>> > rob
>> >
>> > >
>> > > Thanks.
>> > >
>> > >
>> > >
>> > > On Wed, Jan 29, 2020 at 15:59, Rob Crittenden wrote:
>> > >
>> > > LUCAS GUILHERME DIEDRICH via FreeIPA-users wrote:
>> > > > Hello guys, is there any chance that, when storing the password in
>> > > > freeipa, it generates a password in the unicodepwd format?
>> > >
>> > > No, it is not supported currently.
>> > >
>> > > >
>> > > > I'm still trying to replicate some users from freeipa to AD, I
>> > > > would like to maintain my FreeIPA as the principal manager for
>> > > > users and groups.
>> > >
>> > > How are you replicating IPA users to AD?
>> > >
>> > > rob
>> > >


[Freeipa-users] Re: Freeipa unicodepwd generator

2020-02-03 Thread Lucas Diedrich via FreeIPA-users
Rob, can you confirm if this website https://www.freeipa.org/page/Build is
the default guide for building freeipa?

On Thu, Jan 30, 2020 at 16:34, Rob Crittenden wrote:

> Lucas Diedrich wrote:
> > Rob, is this what you're talking about?
> > https://github.com/freeipa/freeipa/tree/master/daemons/ipa-slapi-plugins ?
>
> Yes, in ipa-pwd-extop. When a password change comes in we grab the
> cleartext and generate the other keys from it so that all the passwords
> in IPA are in sync.
>
> rob
>
> >
> >
> >
> > On Thu, Jan 30, 2020 at 15:41, Rob Crittenden wrote:
> >
> > Lucas Diedrich via FreeIPA-users wrote:
> > > Thanks RC, right now I'm using lsc-project.org
> > > for that, it has some technical flaws but actually works.
> > >
> > > I thought about migrating all users to AD and use PassSync to
> > > replicate the password but I didn't know that it was closed to Red Hat
> > > subscription. Also thought about creating the plugin over
> > > Directory 389 but the documentation doesn't seem easy to do.
> > >
> > > Actually I'm struggling to maintain my FreeIPA server with 11k
> > > users as the principal manager over here.
> >
> > You could probably extend the IPA password plugin to write the
> > UnicodePwd attribute in the correct format. There are existing
> > examples in the code such as setting the sambaNTPassword attribute.
> >
> > rob
> >
> > >
> > > Thanks.
> > >
> > >
> > >
> > > On Wed, Jan 29, 2020 at 15:59, Rob Crittenden wrote:
> > >
> > > LUCAS GUILHERME DIEDRICH via FreeIPA-users wrote:
> > > > Hello guys, is there any chance that, when storing the password in
> > > > freeipa, it generates a password in the unicodepwd format?
> > >
> > > No, it is not supported currently.
> > >
> > > >
> > > > I'm still trying to replicate some users from freeipa to AD, I
> > > > would like to maintain my FreeIPA as the principal manager for
> > > > users and groups.
> > >
> > > How are you replicating IPA users to AD?
> > >
> > > rob
> > >


[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-03 Thread Jochen Demmer via FreeIPA-users

Hi,

unfortunately there is currently no other node, which is why I'm trying to
update to Fedora 31. I used to replicate between two machines but one got lost.
I installed a new machine which is supposed to work as my new replica but this
is being virtualized in bhyve / FreeNAS and this doesn't allow Fedora 30 to be
installed so I'm stuck with Fedora 31.
In the docs it's said that versions between replicas need to be consistent so
I'm trying to update the only running FreeIPA node (srv107) to Fedora 31 first.

Jochen

On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users wrote:
On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote:
> Hi,
>
> this is the outputs:
> [root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem
> -serial -subject -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
>
> [root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject
> -issuer -nameopt RFC2253
> serial=15
> subject=CN=IPA RA,O=UNIX.domain.NET
> issuer=CN=Certificate Authority,O=UNIX.domain.NET
> [root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory
> manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
> Enter LDAP Password:
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA
> RA,O=UNIX.domain.NET
> usercertificate:: [base64 certificate value omitted]
> usercertificate:: [base64 certificate value omitted]
>
>
> I can see that the serial is different but I cannot compare the
> usercertificate attributes since they are not given in the openssl
> command output.
>
Hi,
Serial is 15 on the node srv107 but 21 in LDAP. This means that the cert
was renewed but the local file didn't get updated.
Can you check first which node is your CA renewal master?
$ kinit admin
$ ipa config-show | grep "CA renewal master"
IPA CA renewal master: master.ipa.domain

On this node check that the file /var/lib/ipa/ra-agent.pem and the
content in ldap are consistent. You can do just $ cat
/var/lib/ipa/ra-agent.pem to compare the content of the cert with the
usercertificate attribute of the ldap entry.
If everything is OK on the renewal master, you can copy the file
/var/lib/ipa/ra-agent.pem to the failing node srv107.

HTH,
flo

> Shall I just adjust the serial and try again?
>
> Jochen
>
>
> On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via
> FreeIPA-users wrote:
>>
>> This error occurs when IPA framework tries to authenticate to Dogtag CA
>> and it fails. It is using the certificate located in
>> /var/lib/ipa/ra-agent.pem.
>> According to your
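The consistency check Florence describes (does the local /var/lib/ipa/ra-agent.pem describe the same certificate as the uid=ipara entry in LDAP?) can be scripted. The following Python is an added example, not FreeIPA's own tooling and not from anyone in the thread. It parses the two artefacts shown above: the output of `openssl x509 -noout -serial -subject -issuer -nameopt RFC2253` and the `description` attribute of `uid=ipara,ou=people,o=ipaca`, which Dogtag writes as `<version>;<serial>;<issuer DN>;<subject DN>`. One caveat a practitioner needs here: `openssl x509 -serial` prints the serial in hexadecimal, while the Dogtag description field carries it in decimal, so `serial=15` and `2;21;...` are both serial number 21 and must be normalized before comparison. The sample inputs are constructed from the values in the thread, the `STALE_DESCRIPTION` value (serial 23) is invented to show what a genuinely out-of-date local file looks like, and `serial_from_pem` is a stdlib-only DER walk that reads the serial straight from a PEM file without needing openssl on the box.

```python
import base64

# Constructed sample inputs, copied from the values shown in this thread.
# Output of: openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
SAMPLE_OPENSSL = """serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
"""
# 'description' attribute of uid=ipara,ou=people,o=ipaca (Dogtag: version;serial;issuer;subject).
SAMPLE_DESCRIPTION = "2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET"
# Constructed (not from the thread): what the attribute would look like after a renewal
# that the local file missed.
STALE_DESCRIPTION = "2;23;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET"


def _norm_dn(dn):
    """Normalize an RFC 2253 DN for comparison: trim spaces around the RDN separators."""
    return ",".join(part.strip() for part in dn.strip().split(","))


def parse_openssl_output(text):
    """Parse the 'serial=', 'subject=' and 'issuer=' lines. openssl prints the serial in hex."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {
        "serial": int(fields["serial"], 16),
        "subject": _norm_dn(fields["subject"]),
        "issuer": _norm_dn(fields["issuer"]),
    }


def parse_ipara_description(value):
    """Parse Dogtag's '<version>;<serial>;<issuer DN>;<subject DN>'; the serial is decimal."""
    version, serial, issuer, subject = value.split(";", 3)
    return {
        "version": int(version),
        "serial": int(serial, 10),
        "issuer": _norm_dn(issuer),
        "subject": _norm_dn(subject),
    }


def compare_ra_agent(openssl_text, description):
    """Return a list of human-readable mismatches. An empty list means the local
    ra-agent.pem and the LDAP record describe the same certificate."""
    local = parse_openssl_output(openssl_text)
    ldap = parse_ipara_description(description)
    problems = []
    if local["serial"] != ldap["serial"]:
        problems.append(
            "serial mismatch: local file 0x%X (%d) vs LDAP %d; the RA certificate was "
            "probably renewed and the local file not updated. Compare against the "
            "CA renewal master's /var/lib/ipa/ra-agent.pem before replacing it."
            % (local["serial"], local["serial"], ldap["serial"]))
    for key in ("subject", "issuer"):
        if local[key] != ldap[key]:
            problems.append("%s mismatch: local %r vs LDAP %r" % (key, local[key], ldap[key]))
    return problems


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_pem(pem_text):
    """Read the decimal serial out of a PEM certificate with the stdlib only.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... } ... }"""
    b64 = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, pos, _ = _der_tlv(der, 0)            # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_tlv(der, pos)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _der_tlv(der, pos)      # either [0] version or serialNumber
    if tag == 0xA0:                           # skip the explicit version tag
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


# Constructed DER prefix (Certificate > tbsCertificate > [0] v3, serial 21). Not a real
# certificate, just enough structure to exercise serial_from_pem offline.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(bytes.fromhex("300a3008a003020102020115")).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for desc in (SAMPLE_DESCRIPTION, STALE_DESCRIPTION):
        problems = compare_ra_agent(SAMPLE_OPENSSL, desc)
        print("consistent" if not problems else "\n".join(problems))
    print("serial in PEM:", serial_from_pem(SAMPLE_PEM))
```

On a real server, feed `compare_ra_agent` the openssl output for /var/lib/ipa/ra-agent.pem and the `description` value returned by the ldapsearch from the thread, or call `serial_from_pem(open("/var/lib/ipa/ra-agent.pem").read())` and compare that decimal value with the second field of the description directly. Run on the renewal master first, as Florence suggests, so that a clean result there tells you which copy of the file is authoritative.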