[Freeipa-users] Re: FreeIPA web session timeout
Thanks That worked

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>>
>> It should tell you what upgrade step is that prior to running the
>> command.
>>
>> I think this is about migration to authselect. Upgrade code considers
>> whether migration from authconfig is needed and if we didn't record that
>> migration already happened, we perform it. The default configuration is
>> 'authselect select sssd with-sudo --force'.
>>
>> You can avoid re-running this upgrade part by adding a section
>>
>> [authcfg]
>> migrated_to_authselect = True
>>
>> to /var/lib/ipa/sysupgrade/sysupgrade.state
>>
>> and rerunning the upgrade.
> I don't fully understand why it doesn't check which OS version it is running
> and based on that update the migrated_to_authselect value.
> Currently on 9.3, and we run authselect as mentioned with custom profile.

If you have a custom profile then what would checking for 9.3 help?

And note, we don't recommend or support custom profiles. IPA is very opinionated about the configuration it expects.

> I also seemed to have misunderstood the Upgrade steps from
> https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would
> upgrade my IPA version to the latest.

I can see how you were confused but it's covered in "FreeIPA 3.3.0 or newer" where you run yum update [free]ipa-server. We recommend updating all packages and not just IPA.

ipa-server-upgrade runs as part of the package install process.

rob
[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>
> It should tell you what upgrade step is that prior to running the
> command.
>
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
>
> You can avoid re-running this upgrade part by adding a section
>
> [authcfg]
> migrated_to_authselect = True
>
> to /var/lib/ipa/sysupgrade/sysupgrade.state
>
> and rerunning the upgrade.

Is it possible to prevent authselect configuration while installing FreeIPA server?
[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config
> On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
>
> It should tell you what upgrade step is that prior to running the
> command.
>
> I think this is about migration to authselect. Upgrade code considers
> whether migration from authconfig is needed and if we didn't record that
> migration already happened, we perform it. The default configuration is
> 'authselect select sssd with-sudo --force'.
>
> You can avoid re-running this upgrade part by adding a section
>
> [authcfg]
> migrated_to_authselect = True
>
> to /var/lib/ipa/sysupgrade/sysupgrade.state
>
> and rerunning the upgrade.

I don't fully understand why it doesn't check which OS version it is running and based on that update the migrated_to_authselect value.
Currently on 9.3, and we run authselect as mentioned with custom profile.

I also seemed to have misunderstood the Upgrade steps from https://www.freeipa.org/page/Upgrade, as I thought # ipa-server-upgrade would upgrade my IPA version to the latest.

Anyways, cheers Alexander.
[Freeipa-users] Re: FreeIPA Upgrade - overwrites custom authselect config
On Wed, 10 Jan 2024, Finn Fysj via FreeIPA-users wrote:
> I've recently tried to run an upgrade of my IPA server (4.10.2) because of some CVE fix for 4.10.3.
> At the end of upgrade the IPA server tries to run:
> CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'],
> why does it do this?

It should tell you what upgrade step is that prior to running the command.

I think this is about migration to authselect. Upgrade code considers whether migration from authconfig is needed and if we didn't record that migration already happened, we perform it. The default configuration is 'authselect select sssd with-sudo --force'.

You can avoid re-running this upgrade part by adding a section

[authcfg]
migrated_to_authselect = True

to /var/lib/ipa/sysupgrade/sysupgrade.state

and rerunning the upgrade.

> The upgrade in my case fails because I've made the following files immutable: /etc/authselect/{password-auth,system-auth}.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
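
One way to apply the state-file change described in the reply above, as an added example that is not part of the original thread and not FreeIPA's own code. It assumes the state file is plain INI readable by Python's configparser; the function names and the sample file contents are hypothetical.

```python
import configparser
import os
import shutil
import tempfile

STATE_FILE = "/var/lib/ipa/sysupgrade/sysupgrade.state"  # path given in the thread
SECTION, OPTION = "authcfg", "migrated_to_authselect"    # names given in the thread


def load_state(path):
    # Assumption: the state file is plain INI that configparser can read.
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep option names exactly as written
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    return parser


def mark_authselect_migrated(path=STATE_FILE):
    """Record the migration flag; return True only if the file was changed."""
    parser = load_state(path)
    if parser.get(SECTION, OPTION, fallback="") == "True":
        return False  # already recorded, leave the file untouched
    if not parser.has_section(SECTION):
        parser.add_section(SECTION)
    parser.set(SECTION, OPTION, "True")
    shutil.copy2(path, path + ".bak")  # keep the previous state for rollback
    # Write beside the target, then rename, so a crash cannot truncate it.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        parser.write(fh)
    shutil.copymode(path, tmp)  # mkstemp creates 0600; restore original mode
    os.replace(tmp, path)
    return True


def demo():
    # Constructed sample state file; this section and option are made up.
    sample = "[dns]\nexample_option = True\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sysupgrade.state")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        changed = [mark_authselect_migrated(path) for _ in range(2)]
        state = load_state(path)
        return changed, state.get(SECTION, OPTION), state.sections()


if __name__ == "__main__":
    print(demo())
```

The second call returns False because the flag is already present, so the script is safe to run from configuration management before each package update.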
[Freeipa-users] FreeIPA Upgrade - overwrites custom authselect config
I've recently tried to run an upgrade of my IPA server (4.10.2) because of some CVE fix for 4.10.3.
At the end of upgrade the IPA server tries to run:
CalledProcessError(Command ['/usr/bin/authselect', 'select', 'sssd', 'with-sudo', '--force'],
why does it do this?

The upgrade in my case fails because I've made the following files immutable: /etc/authselect/{password-auth,system-auth}.
[Freeipa-users] Re: Freeipa sudo
HBAC allow_all enabled. I think everything default, only sudo rule from video. I did debug level 3...

sssd_dom.loc.log:

(2024-01-10 16:14:08): [be[dom.loc]] [sdap_dyndns_dns_addrs_done] (0x0040): [RID#62] Could not receive list of current addresses [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [ipa_dyndns_sdap_update_done] (0x0040): [RID#62] Dynamic DNS update failed [5]: Input/output error
(2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62] Task [Dyndns update]: failed with [5]: Input/output error
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-01-10 16:14:08): [be[dom.loc]] [sdap_id_op_destroy] (0x4000): [RID#62] releasing operation connection
* (2024-01-10 16:14:08): [be[dom.loc]] [be_ptask_done] (0x0040): [RID#62] Task [Dyndns update]: failed with [5]: Input/output error
** BACKTRACE DUMP ENDS HERE *
(2024-01-10 16:14:09): [be[dom.loc]] [ipa_id_get_account_info_orig_done] (0x0080): [RID#69] Object not found, ending request
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080): [RID#94] Access granted by HBAC rule [allow_all]
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_deskprofile_get_config_done] (0x0080): [RID#96] Server doesn't support Desktop Profile.
(2024-01-10 16:21:58): [be[dom.loc]] [ipa_hbac_evaluate_rules] (0x0080): [RID#97] Access granted by HBAC rule [allow_all]

sssd_pam.log:

(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): SIGTERM: killing children
(2024-01-10 16:28:09): [pam] [orderly_shutdown] (0x1f7c0): Shutting down (status = 0)
(2024-01-10 16:28:24): [pam] [server_setup] (0x1f7c0): Starting with deb>
(2024-01-10 16:28:25): [pam] [cache_req_common_process_dp_reply] (0x0040): [CID#1] CR #1: Could not get account info [1432158212]: SSSD is offline

journalctl -xe when I trying to close forticlient (doing privileged action) and close auth window:

16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.433:219): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3949/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc audit[800]: AVC apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
16:31:26 desktop22043.dom.loc kernel: audit: type=1400 audit(1704889886.497:220): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/3952/cmdline" pid=800 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

auth windows closed:

16:33:38 desktop22043.dom.loc polkitd(authority=local)[587]: Operator of unix-session:4 FAILED to authenticate to gain authorization for action org.fortinet.fortitray.quit for unix-process:3948:18923 [sh -c pkexec /bin/bash /opt/forticlient/stop-forticlient.sh] (owned by unix-user:desktop)
16:33:38 desktop22043.dom.loc pkexec[3949]: desktop: Error executing command as another user: Request dismissed [USER=root] [TTY=unknown] [CWD=/home/desktop] [COMMAND=/bin/bash /opt/forticlient/stop-forticlient.sh]
16:33:38 desktop22043.dom.loc Fortitray.desktop[3949]: Error executing command as another user: Request dismissed
[Freeipa-users] FreeIPA security fix releases
Hello,

The FreeIPA team would like to announce the following security fix releases:

4.6.10: https://www.freeipa.org/release-notes/4-6-10.html
4.9.14: https://www.freeipa.org/release-notes/4-9-14.html
4.10.3: https://www.freeipa.org/release-notes/4-10-3.html
4.11.1: https://www.freeipa.org/release-notes/4-11-1.html
[Freeipa-users] Re: FreeIPA web session timeout
Hi,

if you use the format without space

kinit_lifetime = 5minutes

then it should work. Probably there was some change in one of the libraries parsing the duration string and it does not accept any more the space between the value and the unit.

flo

On Wed, Jan 10, 2024 at 3:18 AM Ales Rozmarin via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi Rob,
>
> I don't know if this is still valid but I try to set seeing timeout on
> freeipa 4.9.6
> in /etc/ipa/default.conf
>
> kinit_lifetime = 5 minutes
>
> but when I set that I can't login anymore with web. Any Idea why or is in
> this version different setting for session timeout.
>
> Ales