[Freeipa-users] Re: CentOS to Ubuntu migration
Satish Patel via FreeIPA-users wrote on 19.1.2024 at 0.46:
> Folks,
>
> We are running 4 freeIPA servers on CentOS 7.x in master-master replication and life is good. But now it's time to say goodbye to CentOS. What can I do to migrate them to Ubuntu OS? Can I create one Ubuntu instance with freeIPA and join my existing freeIPA cluster and slowly retire old CentOS nodes? Just looking for a better way to migrate everything off the CentOS.

Just to save you some time: there is no freeipa-server for current Ubuntu releases available, and it doesn't look like that'll change anytime soon.

-- t

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Seeking an advice on migrating freeipa environment from centos 7 to Almalinux 9
On Fri, 19 Jan 2024, Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
> Seeking an advice on migrating freeipa environment from centos 7 to Almalinux 9.
>
> Consider there are 4 servers, 1 as IPA master and the rest are replicas:
> 1. master.ipa.example.com [centos 7.9 IPA 4.6.8]
> 2. Replica1.ipa.example.com [centos 7.9 IPA 4.6.8]
> 3. Replica2.ipa.example.com [centos 7.9 IPA 4.6.8]
> 4. Replica3.ipa.example.com [centos 7.9 IPA 4.6.8]
>
> What is the best approach to migrate it to alma Linux 9? As we all know, in place upgrade is not possible.
>
> Gone through the below link, but still looking for advice: what happens to existing replicas and their ipa clients after promoting an Almalinux 8/9 server as IPA master server? Does replication work in case of a higher version of ipa master [4.10.2, Almalinux] and a lower version of ipa replica [4.6.8, Centos 7]? Any impact on functionality of existing replica servers of [centos 7.9 IPA 4.6.8]?
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating#doc-wrapper
>
> As I tested, we can integrate ipa clients of lower version [4.6.8, centos 7] to ipa-server of higher version [4.10.2, Alma linux].
> As I tested, we can't add a replica of lower version [4.6.8, centos 7] to ipa-server of higher version [4.10.2, Alma linux].

Upgrade all your IPA servers to Alma Linux 8 first, then upgrade them all to Alma Linux 9. There is no other way. It is related to security and crypto policy improvements across RHEL 9.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Allow users from AD trust to run ipa commands
On Fri, 19 Jan 2024, Yuriy Halytskyy via FreeIPA-users wrote:
> Hi,
>
> At first I've just created an external group, added the user, and added that group to a role, but that didn't work. Then I stumbled across this while googling:
>
> ipa idoverrideuser-add 'Default Trust View' username@DOMAIN
>
> And it works: the user can use IPA commands with an AD kerberos ticket and roles apply properly. But I cannot for the life of me figure out what that did and whether there are any other consequences. Documentation talks about using ID views to override user properties, but this doesn't specify any properties to override. Also, it says the view is applied to all AD users, but in that case why do I need to run that command?

You need to look at the design pages that most new FreeIPA features have.

https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Seeking an advice on migrating freeipa environment from centos 7 to Almalinux 9
Hi Team,

Seeking an advice on migrating freeipa environment from centos 7 to Almalinux 9.

Consider there are 4 servers, 1 as IPA master and the rest are replicas:
1. master.ipa.example.com [centos 7.9 IPA 4.6.8]
2. Replica1.ipa.example.com [centos 7.9 IPA 4.6.8]
3. Replica2.ipa.example.com [centos 7.9 IPA 4.6.8]
4. Replica3.ipa.example.com [centos 7.9 IPA 4.6.8]

What is the best approach to migrate it to alma Linux 9? As we all know, in place upgrade is not possible.

Gone through the below link, but still looking for advice: what happens to existing replicas and their ipa clients after promoting an Almalinux 8/9 server as IPA master server? Does replication work in case of a higher version of ipa master [4.10.2, Almalinux] and a lower version of ipa replica [4.6.8, Centos 7]? Any impact on functionality of existing replica servers of [centos 7.9 IPA 4.6.8]?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating#doc-wrapper

As I tested, we can integrate ipa clients of lower version [4.6.8, centos 7] to ipa-server of higher version [4.10.2, Alma linux].
As I tested, we can't add a replica of lower version [4.6.8, centos 7] to ipa-server of higher version [4.10.2, Alma linux].

Regards
Sai
[Freeipa-users] Allow users from AD trust to run ipa commands
Hi,

At first I've just created an external group, added the user, and added that group to a role, but that didn't work. Then I stumbled across this while googling:

ipa idoverrideuser-add 'Default Trust View' username@DOMAIN

And it works: the user can use IPA commands with an AD kerberos ticket and roles apply properly. But I cannot for the life of me figure out what that did and whether there are any other consequences. Documentation talks about using ID views to override user properties, but this doesn't specify any properties to override. Also, it says the view is applied to all AD users, but in that case why do I need to run that command?

Cheers,
Yuriy
[Freeipa-users] Re: Number of concurrent connections are decreased by replication.
Hello Rob,

Thank you for the reply. I got the logs, as you commented.

= access log
[18/Jan/2024:23:34:13.087718471 +] conn=788 fd=258 slot=258 connection from 52.78.30.18 to 34.84.136.11
[18/Jan/2024:23:34:13.088018506 +] conn=788 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[18/Jan/2024:23:34:13.088053934 +] conn=788 op=0 RESULT err=0 tag=120 nentries=0 wtime=0.000228592 optime=0.40018 etime=0.000268106
[18/Jan/2024:23:34:13.158931686 +] conn=788 TLS1.3 128-bit AES-GCM
[18/Jan/2024:23:34:13.159223459 +] conn=788 op=-1 fd=258 Disconnect - Bad Ber Tag or uncleanly closed connection - B1

= security log
{ "date": "[18\/Jan\/2024:23:34:13.159227408 +] ", "utc_time": "1705620853.159227408", "event": "TCP_ERROR", "client_ip": "52.78.30.18", "server_ip": "34.84.136.11", "ldap_version": 3, "conn_id": 788, "msg": "Bad Ber Tag or uncleanly closed connection - B1" }
=

I'm using automember to automatically join new hosts to a specific hostgroup. Is 0.5K ~ 1K hosts too many to join one hostgroup?

JHK
[Freeipa-users] CentOS to Ubuntu migration
Folks,

We are running 4 freeIPA servers on CentOS 7.x in master-master replication and life is good. But now it's time to say goodbye to CentOS. What can I do to migrate them to Ubuntu OS? Can I create one Ubuntu instance with freeIPA and join my existing freeIPA cluster and slowly retire old CentOS nodes? Just looking for a better way to migrate everything off the CentOS.
[Freeipa-users] dirsrv cannot start on new replica server
I'm trying to add a new replica server to an existing FreeIPA domain. It is failing to start dirsrv because there is not enough ramdisk for the db cache. This is still a very small domain with less than one dozen users/hosts. Adding the first replica was not a problem about 5 months ago. This is on Rocky Linux 9.3 with all updates.

Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.227167031 +] - INFO - bdb_config_upgrade_dse_info - create config entry from old config
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.229348479 +] - NOTICE - bdb_start_autotune - found 16435108k physical memory
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.229942914 +] - NOTICE - bdb_start_autotune - found 15545732k available
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.230458948 +] - NOTICE - bdb_start_autotune - cache autosizing: db cache: 1027194k
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.230996494 +] - NOTICE - bdb_start_autotune - total cache size: 1051846912 B;
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.231761490 +] - ERR - bdb_no_diskspace - No enough space left on device (/dev/shm/slapd-APLD-AI) (361705472 bytes); at least 1157031603 bytes space is needed for db region files
Jan 18 18:27:00 ipa01.msp01.apld.ai ns-slapd[2033]: [18/Jan/2024:18:27:00.232231378 +] - ERR - ldbm_back_start - Failed to init database, err=28 Unexpected dbimpl error code

The add replica command:

# ipa-replica-install -n apld.ai -r APLD.AI -d --setup-dns --server=ipa01.den01.apld.ai --server=ipa02.den01.apld.ai --forwarder=10.53.30.21 --forwarder=10.53.30.22 --setup-ca --setup-adtrust --add-agents --mkhomedir -p {my_otp}

I'm guessing something changed between RHEL/Rocky 9.2 and 9.3, and it wants much more RAM for the db here. However, the existing servers have been upgraded to 9.3 and start just fine. I've tried doubling the ram to 16GB, but the problem persists.

Any idea what is going on or how to fix this?

-Chip
[Freeipa-users] Re: Number of concurrent connections are decreased by replication.
Jaehwan Kim via FreeIPA-users wrote:
> Hello Rob,
>
> I successfully installed a single FreeIPA server with fedora-39-4.11.0 docker (container) and tested performance with a high host_add rate (14 host_add per min) by about 1K clients.
>
> Test procedure is like...
> First, I added 500 hosts successfully and waited for about 10 mins.
> Then, I tried to add 500 hosts more and I could see an ldap disconnection problem.
>
> To analyze the problem, I looked into the log and found many logs:
> TCP_ERROR", "client_ip": "3.39.196.155", "server_ip": "34.146.187.171", "ldap_version": 3, "conn_id": 3043, "msg": "Bad Ber Tag or uncleanly closed connection - B1" }
>
> Command I used to find out the error log is:
> cat /var/log/dirsrv/slapd-SAMSUNGSRE-COM/security | grep TCP_ERROR
>
> Can you please give me a piece of advice?

I'd correlate the connection id in the security log to the access log to see what it failed on and if any additional reason was given. I'd guess it is timeout related. A host is generally a pretty standalone object not requiring much processing in LDAP other than the write.

Do you have any automember hostgroups defined? That could definitely have an impact.

rob
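The correlation Rob suggests, written out as a small script over the two 389-ds log formats quoted in this thread (JHK's access-log and security-log excerpt earlier on the page, and the TCP_ERROR line above). This is an added example, not code from the list or from 389-ds; the log lines below are constructed in those formats, with the timezone filled in as +0000, and are not real server output.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log format quoted in the thread (not real server output).
ACCESS_LOG = """\
[18/Jan/2024:23:34:13.087718471 +0000] conn=788 fd=258 slot=258 connection from 52.78.30.18 to 34.84.136.11
[18/Jan/2024:23:34:13.088018506 +0000] conn=788 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[18/Jan/2024:23:34:13.088053934 +0000] conn=788 op=0 RESULT err=0 tag=120 nentries=0 wtime=0.000228592 optime=0.000040018 etime=0.000268106
[18/Jan/2024:23:34:13.158931686 +0000] conn=788 TLS1.3 128-bit AES-GCM
[18/Jan/2024:23:34:13.159223459 +0000] conn=788 op=-1 fd=258 Disconnect - Bad Ber Tag or uncleanly closed connection - B1
[18/Jan/2024:23:34:14.000000000 +0000] conn=789 fd=259 slot=259 connection from 52.78.30.19 to 34.84.136.11
[18/Jan/2024:23:34:14.100000000 +0000] conn=789 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Jan/2024:23:34:14.200000000 +0000] conn=789 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.050000000 etime=0.050100000
[18/Jan/2024:23:34:14.300000000 +0000] conn=789 op=1 UNBIND
[18/Jan/2024:23:34:14.300100000 +0000] conn=789 op=1 fd=259 closed - U1
"""

# Constructed sample in the 389-ds security-log format (one JSON object per line) quoted in the thread.
SECURITY_LOG = r"""
{ "date": "[18\/Jan\/2024:23:34:13.159227408 +0000] ", "utc_time": "1705620853.159227408", "event": "TCP_ERROR", "client_ip": "52.78.30.18", "server_ip": "34.84.136.11", "ldap_version": 3, "conn_id": 788, "msg": "Bad Ber Tag or uncleanly closed connection - B1" }
"""

ACCESS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<what>.*)$")


def index_access_log(text):
    """Group access-log records by connection id, preserving their order."""
    by_conn = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            by_conn[int(m.group("conn"))].append((m.group("ts"), m.group("rest")))
    return by_conn


def tcp_errors(text):
    """Yield security-log events whose event type is TCP_ERROR."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("event") == "TCP_ERROR":
                yield ev


def correlate(access_text, security_text):
    """For every TCP_ERROR, look up the same conn id in the access log and report
    the last request the client sent before the disconnect, whether it ever
    bound, and any non-zero RESULT codes the server returned on that connection."""
    by_conn = index_access_log(access_text)
    report = []
    for ev in tcp_errors(security_text):
        records = by_conn.get(ev["conn_id"], [])
        last_request, bound, errors = None, False, []
        for _ts, rest in records:
            m = OP_RE.match(rest)
            if not m or m.group("op") == "-1":   # no op field, or the disconnect record itself
                continue
            what = m.group("what")
            if what.startswith("RESULT"):
                err = re.search(r"\berr=(\d+)", what)
                if err and err.group(1) != "0":
                    errors.append(int(err.group(1)))
                continue
            last_request = what
            bound = bound or what.startswith("BIND")
        report.append({
            "conn_id": ev["conn_id"],
            "client_ip": ev["client_ip"],
            "msg": ev["msg"],
            "last_request": last_request,
            "bound": bound,
            "server_errors": errors,
            "records": len(records),
        })
    return report


def errors_per_client(report):
    """Count TCP_ERROR disconnects per client IP: a few noisy clients point at
    those hosts, errors spread evenly over all clients point at the server."""
    counts = defaultdict(int)
    for r in report:
        counts[r["client_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = correlate(ACCESS_LOG, SECURITY_LOG)
    for r in result:
        print(r)
    print(errors_per_client(result))
```

For the constructed conn=788 the report shows the client dropped the connection right after StartTLS, with no BIND and no error RESULT from the server, which is the pattern you would expect from a client-side timeout rather than a server rejection.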
[Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working
Paul Nickerson via FreeIPA-users wrote:
> I confirmed that users who had an ipaNTSecurityIdentifier attribute could log in to the web UI, and those that did not have the ipaNTSecurityIdentifier attribute could not.
>
> I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you said:
> [17/Jan/2024:20:28:09.571195828 +] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [17/Jan/2024:20:28:09.637675948 +] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [156623] into an unused SID.
> [17/Jan/2024:20:28:09.658369523 +] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [17/Jan/2024:20:28:09.666726494 +] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>
> I found some nice documentation at https://access.redhat.com/solutions/394763
>
> I used this command to see the ranges that I have configured:
> ipa idrange-find
>
> And these two commands to see the UIDs of the users who had not yet been given SIDs (some were inside the existing range; I think you're correct that the process stops at the first error):
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
> ldapsearch -H ldap://ipa01.semi.example.net:389/ -x -D "cn=Directory Manager" -W -b "cn=deleted users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v "# requesting: " | sed 's/uidNumber: //' | sort -n
>
> Here's some documentation on what ID and RID ranges are for:
> https://www.freeipa.org/page/V3/ID_Ranges
>
> After doing a bunch of math and guess and check, I ran this:
> ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=144140 --range-size=531251000 --rid-base=10100 --secondary-rid-base=63300
>
> That gave me an additional range (confirmed with ipa idrange-find). I ran ipa config-mod --enable-sid --add-sids again, saw no significant errors in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were 0 users left with no ipaNTSecurityIdentifier.
>
> All users are all set now. Thank you again.

Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this.

rob
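The "bunch of math" Paul describes, as a small checker: which POSIX IDs from the ldapsearch output fall outside every configured ID range (the IDs sidgen cannot convert into a SID), whether a proposed new range would cover them, and whether it overlaps an existing range's ID or RID intervals, which FreeIPA's range check refuses. This is an added example, not FreeIPA code; the existing range, the UID list and the proposed RID bases are constructed, while 156623 and the --base-id/--range-size values are taken from the message above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    """One ID range as listed by `ipa idrange-find`: POSIX IDs in
    [base_id, base_id + range_size), plus the primary and secondary RID bases
    from which the SIDs for those IDs are derived."""
    name: str
    base_id: int
    range_size: int
    rid_base: Optional[int] = None
    secondary_rid_base: Optional[int] = None

    def id_span(self):
        return (self.base_id, self.base_id + self.range_size)

    def rid_spans(self):
        return [(b, b + self.range_size)
                for b in (self.rid_base, self.secondary_rid_base) if b is not None]

    def covers(self, posix_id):
        lo, hi = self.id_span()
        return lo <= posix_id < hi


def _overlap(a, b):
    """True if the half-open intervals a and b intersect."""
    return a[0] < b[1] and b[0] < a[1]


def ids_without_range(ranges, posix_ids):
    """POSIX IDs that no configured range covers. sidgen cannot assign these a
    SID, which is the "Cannot convert Posix ID [...] into an unused SID" case."""
    return sorted(i for i in posix_ids if not any(r.covers(i) for r in ranges))


def range_conflicts(existing, proposed):
    """Names of existing ranges whose ID span or RID spans intersect the proposed
    range; an idrange-add that overlaps either is rejected by the server."""
    return [r.name for r in existing
            if _overlap(r.id_span(), proposed.id_span())
            or any(_overlap(x, y) for x in r.rid_spans() for y in proposed.rid_spans())]


# Constructed sample. The existing range, the UID list and the proposed RID
# bases are made up; 156623 is the POSIX ID from the sidgen error in the thread.
EXISTING = [IdRange("EXAMPLE.NET_id_range", base_id=10000, range_size=100000,
                    rid_base=1000, secondary_rid_base=100000000)]
UIDS_WITHOUT_SID = [50000, 150001, 156623, 200000]
PROPOSED = IdRange("EXAMPLE.NET_extra_range", base_id=144140, range_size=531251000,
                   rid_base=200000000, secondary_rid_base=1000000000)
CLASHING = IdRange("bad_range", base_id=100000, range_size=1000,
                   rid_base=5000, secondary_rid_base=500000000)


def plan():
    """Which IDs are stranded now, which would still be stranded after adding
    the proposed range, and whether that range conflicts with existing ones."""
    return {
        "stranded": ids_without_range(EXISTING, UIDS_WITHOUT_SID),
        "still_stranded": ids_without_range(EXISTING + [PROPOSED], UIDS_WITHOUT_SID),
        "conflicts": range_conflicts(EXISTING, PROPOSED),
    }


if __name__ == "__main__":
    print(plan())
    print("clashing range conflicts with:", range_conflicts(EXISTING, CLASHING))
```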
[Freeipa-users] Re: Create IPA user via LDAP
On Thu, 18 Jan 2024, Ronald Wimmer wrote:
> On 08.01.24 17:58, Alexander Bokovoy wrote:
>> On Mon, 08 Jan 2024, Ronald Wimmer wrote:
>>> On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
>>>> On 02.01.24 16:27, Rob Crittenden wrote:
>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>> On 14.12.23 14:42, Alexander Bokovoy wrote:
>>>>>>> On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>> In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user. As the tool does not support FreeIPA yet, they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
>>>>>>>
>>>>>>> Learn about lifecycle management. This is your way of integrating with such tools, by creating staged users:
>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts#doc-wrapper
>>>>>>
>>>>>> I followed the instructions from the documentation. How could I possibly overcome
>>>>>>
>>>>>> Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
>>>>>>
>>>>>> I need to set passwords from the external system.
>>>>>
>>>>> You need to enable migration mode (ipa config-mod --enable-migration true). By default a pre-hashed password can only be set once: during the user add operation.
>>>>
>>>> Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time, the only feasible way is the IPA API, right? Can the immediate password expiration be overridden?
>>>
>>> As we have an upcoming please allow me to ask if I got the point here. I appreciate your support in this matter!
>>
>> I was looking over the code. The only way to accept pre-hashed passwords is when they also have Kerberos keys set. This means you cannot use external LDAP modify/add for that, as you cannot create the Kerberos key without knowing a Kerberos master key.
>>
>> So the only other option is to submit a clear-text password:
>>
>> userPassword: {CLEAR}text-password
>>
>> That will be accepted, and if the bind DN that performed this change is either cn=Directory Manager or one from the passsync managers, it would also not be marked for expiration immediately.
>
> So. Am I right that our options are to use LDAP with a cleartext password or use the IPA API?

That's what I wrote you above, yes.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: web login failed after upgrade
On Thu, 18 Jan 2024, 彭勇 via FreeIPA-users wrote:
> when we upgrade ipa-server-4.9.12-9 to ipa-server-4.9.12-11 on RHEL 8, we can't login to the web. the web gives me the message: “Your session has expired. Please log in again.”

Read the thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/YIZGY45MPYTPJ6FQXLU6XNS7OBRI6GQU/

> we check the error_log
> [Thu Jan 18 21:56:42.535394 2024] [auth_gssapi:error] [pid 11025:tid 139639453087488] [client 118.184.176.67:30891] Failed to unseal session data!, referer: https://id1.netegn.com/ipa/xml
> [Thu Jan 18 21:56:43.113937 2024] [wsgi:error] [pid 11021:tid 139639621613312] [remote 118.184.176.67:30891] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> [Thu Jan 18 21:56:43.611962 2024] [wsgi:error] [pid 11023:tid 139639621613312] [remote 118.184.176.67:30893] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
>
> all three ipa servers failed. we can't resolve the problem, we restore the snapshot and it recovers.
>
> we install RHEL 9.3 with ipa-server-4.10.2-5, set it as a replica of the master ipa server, it has the same problem.
>
> --
> Peng Yong

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] web login failed after upgrade
when we upgrade ipa-server-4.9.12-9 to ipa-server-4.9.12-11 on RHEL 8, we can't login to the web. the web gives me the message: “Your session has expired. Please log in again.”

we check the error_log
[Thu Jan 18 21:56:42.535394 2024] [auth_gssapi:error] [pid 11025:tid 139639453087488] [client 118.184.176.67:30891] Failed to unseal session data!, referer: https://id1.netegn.com/ipa/xml
[Thu Jan 18 21:56:43.113937 2024] [wsgi:error] [pid 11021:tid 139639621613312] [remote 118.184.176.67:30891] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
[Thu Jan 18 21:56:43.611962 2024] [wsgi:error] [pid 11023:tid 139639621613312] [remote 118.184.176.67:30893] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

all three ipa servers failed. we can't resolve the problem, we restore the snapshot and it recovers.

we install RHEL 9.3 with ipa-server-4.10.2-5, set it as a replica of the master ipa server, it has the same problem.

--
Peng Yong
[Freeipa-users] Re: SSSD LDAP provider fails to fetch nested groups (groups member of groups)
Hi,

On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I'm experiencing problems on my RHEL 9 instance when looking up members of a group using getent group . I can only get users which have direct access to a group, and not the "user groups" part of the group.
>
> My sssd.conf:
> [domain/]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> sudo_provider = ldap
>

If your provider is LDAP (and not IPA), you should ask on this mailing list instead: sssd-us...@lists.fedorahosted.org (see https://sssd.io/community.html).

flo

> ldap_uri = ldaps://ipa.example.com
> ldap_schema = rfc2307bis
>
> ldap_search_base = dc=example,dc=com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
> ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
>
> [sssd]
> services = nss, pam, sudo
> domains = default
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
[Freeipa-users] SSSD LDAP provider fails to fetch nested groups (groups member of groups)
I'm experiencing problems on my RHEL 9 instance when looking up members of a group using getent group . I can only get users which have direct access to a group, and not the "user groups" part of the group.

My sssd.conf:
[domain/]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis

ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]
[Freeipa-users] Re: Freeipa Ansible Galaxy collection - missing idoverride module from community.general collection.
Hi Rafael,

Thanks much! This was indeed the case. Works like a charm now.
[Freeipa-users] Re: Create IPA user via LDAP
On 08.01.24 17:58, Alexander Bokovoy wrote:
> On Mon, 08 Jan 2024, Ronald Wimmer wrote:
>> On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
>>> On 02.01.24 16:27, Rob Crittenden wrote:
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 14.12.23 14:42, Alexander Bokovoy wrote:
>>>>>> On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user. As the tool does not support FreeIPA yet, they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
>>>>>>
>>>>>> Learn about lifecycle management. This is your way of integrating with such tools, by creating staged users:
>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts#doc-wrapper
>>>>>
>>>>> I followed the instructions from the documentation. How could I possibly overcome
>>>>>
>>>>> Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
>>>>>
>>>>> I need to set passwords from the external system.
>>>>
>>>> You need to enable migration mode (ipa config-mod --enable-migration true). By default a pre-hashed password can only be set once: during the user add operation.
>>>
>>> Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time, the only feasible way is the IPA API, right? Can the immediate password expiration be overridden?
>>
>> As we have an upcoming please allow me to ask if I got the point here. I appreciate your support in this matter!
>
> I was looking over the code. The only way to accept pre-hashed passwords is when they also have Kerberos keys set. This means you cannot use external LDAP modify/add for that, as you cannot create the Kerberos key without knowing a Kerberos master key.
>
> So the only other option is to submit a clear-text password:
>
> userPassword: {CLEAR}text-password
>
> That will be accepted, and if the bind DN that performed this change is either cn=Directory Manager or one from the passsync managers, it would also not be marked for expiration immediately.

So. Am I right that our options are to use LDAP with a cleartext password or use the IPA API?