[Freeipa-users] ipa-getkeytab during %post
morning all...

i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...

i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.

any suggestions on doing this during a post?

Dale

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL 5.7 / 5.8 BETA and KDE crashing SSSD
On Sat, February 4, 2012 14:58, Stephen Gallagher wrote:
> On Fri, 2012-02-03 at 12:53 +0100, Sigbjorn Lie wrote:
>> On Wed, February 1, 2012 15:04, Simo Sorce wrote:
>>> On Wed, 2012-02-01 at 07:28 -0500, Stephen Gallagher wrote:
>>>> On Wed, 2012-02-01 at 11:02 +0100, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is this more like the expected output? :)
>>>>
>>>> No, I'm afraid it's not. That's a log of a legitimate shutdown, not a segmentation fault. (Receiving SIGTERM means that the monitor told the process to exit).
>>>>
>>>> Possibly this happened if the time between attaching to the process and typing 'cont' was more than about 30 seconds. The monitor will assume the sssd_be process isn't responding and will kill and restart it.
>>>>
>>>> You will know you got the correct results if you see
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> and then you can immediately perform the 'bt full'
>>>
>>> For better results with gdb I suggest to kill SIGSTOP the monitor before attaching gdb to any of the responders or the providers, this way the monitor will be prevented from sending termination signals to the children. However, don't do this for long, only for short periods and kill SIGCONT back the monitor immediately after.
>>
>> Please see below. Does this help?
>
> Yes, thank you it does.
>
>> (gdb) bt full
>> #0 sysdb_attrs_get_el_int (attrs=0x6c616d726f6e2d72, name=0x43c75d name, alloc=true, el=0x7fffe9e0dab8) at src/db/sysdb.c:254
>>     e = value optimized out
>>     i = value optimized out
>> #1 0x004221d7 in sysdb_attrs_primary_name (sysdb=0xf725e00, attrs=0x6c616d726f6e2d72, ldap_attr=0xf741110 cn,
>
> The memory address for attrs here is WAY out of range. That suggests that this is an uninitialized value.
>
>>     _primary=0x7fffe9e0db58) at src/db/sysdb.c:2441
>>     ret = value optimized out
>>     rdn_attr = 0x0
>>     rdn_val = 0x0
>>     sysdb_name_el = 0x61
>>     orig_dn_el = value optimized out
>>     i = value optimized out
>>     tmpctx = 0xf768ce0
>>     __FUNCTION__ = sysdb_attrs_primary_name
>> #2 0x0042290d in sysdb_attrs_primary_name_list (sysdb=0xf725e00, mem_ctx=value optimized out, attr_list=0xf772e20, attr_count=2, ldap_attr=0xf741110 cn, name_list=0x7fffe9e0dc88) at src/db/sysdb.c:2606
>>     ret = 259427552
>>     i = 1
>
> i = 1, so it's the second entry in the attr_list being passed in. My spidey-sense is tingling here. Probably the array is one entry too long above.
>
>>     j = 1
>>     list = value optimized out
>>     name = 0xf769580 ac_server-normal
>>     __FUNCTION__ = sysdb_attrs_primary_name_list
>> #3 0x2b20c9684456 in sdap_initgr_nested_get_membership_diff ( state=0xf7726f0) at src/providers/ldap/sdap_async_accounts.c:3061
>>     __FUNCTION__ = sdap_initgr_nested_get_membership_diff
>
> This is the function that is creating that array (well, actually it's sdap_initgr_nested_get_direct_parents()). So the bug must be occurring here. We're somehow creating an array of two entries but not populating the second one.
>
> That said, I'm not sure how that's possible. The code there is very short and seems pretty carefully-written to avoid this possibility.
>
> I don't have time today to dig into this any further, but I wanted to get my findings down in an email so that if anyone else wanted to jump on this before I get back to it, they don't have to start from scratch.

Hi,

Any progress on this?

Regards,
Siggi
Re: [Freeipa-users] ipa-getkeytab during %post
On Wed, Feb 08, 2012 at 11:13:36AM +, Dale Macartney wrote:
> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>
> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>
> any suggestions on doing this during a post?

The password does not look nice here though..

    echo 'redhat123' | kinit admin

--

One might also be able to fetch the ticket as a file and deploy it on the system for usage.

Christian
Re: [Freeipa-users] ipa-getkeytab during %post
Thanks Christian

I was thinking the same to be honest.. the issue with having a password in a kickstart is obviously that someone can read it in clear text.

here I would see the need to use a specific role account with limited ability, but the issue remains the same... it's a clear text password and has the ability to read ipa data.

I was pondering the idea of fetching a keytab file, however as the system has not yet registered itself into ipa, there is no host data available to be exported to a key..

has anyone performed this kind of task in an environment of their own so far?

Dale

On 02/08/2012 09:28 AM, Christian Horn wrote:
> On Wed, Feb 08, 2012 at 11:13:36AM +, Dale Macartney wrote:
>> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>>
>> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>>
>> any suggestions on doing this during a post?
>
> The password does not look nice here though..
>
>     echo 'redhat123' | kinit admin
>
> --
>
> One might also be able to fetch the ticket as a file and deploy it on the system for usage.
>
> Christian
Re: [Freeipa-users] ipa-getkeytab during %post
On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
> morning all...
>
> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>
> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>
> any suggestions on doing this during a post?

What version of ipa-client-install are you using?

Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa-getkeytab during %post
If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.

If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet? You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.

The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.

On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
> Hi Simo
>
> ipa-client-install is provided by the ipa-client rpm. Details below
>
> Name    : ipa-client
> Arch    : x86_64
> Version : 2.1.3
> Release : 9.el6
> Size    : 222 k
> Repo    : installed
>
> What I am trying to achieve is these two commands in a post...
>
> ipa service-add HTTP/$(hostname)
> this definitely requires an authenticated user to add i'm sure
>
> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
> this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.
>
> Does this help paint a picture?
>
> Dale
>
> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>> On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
>>> morning all...
>>>
>>> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>>>
>>> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>>>
>>> any suggestions on doing this during a post?
>>
>> What version of ipa-client-install are you using?
>>
>> Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).
>>
>> Simo.
Re: [Freeipa-users] ipa-getkeytab during %post
Hi JR

I agree with your statement of acceptable risk.. this is my main reason for questioning..

The ideal situation would be to run this as a satellite kickstart snippet for provisioning with kickstart profiles... That way I can utilize the existing provisioning platform for everything.

At the moment everything is in dev using scripted kickstarts for testing.

Dale

On 02/08/2012 03:33 PM, JR Aquino wrote:
> If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.
>
> If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet? You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.
>
> The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.
>
> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>> Hi Simo
>>
>> ipa-client-install is provided by the ipa-client rpm. Details below
>>
>> Name    : ipa-client
>> Arch    : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size    : 222 k
>> Repo    : installed
>>
>> What I am trying to achieve is these two commands in a post...
>>
>> ipa service-add HTTP/$(hostname)
>> this definitely requires an authenticated user to add i'm sure
>>
>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
>> this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.
>>
>> Does this help paint a picture?
>>
>> Dale
>>
>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>> On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
>>>> morning all...
>>>>
>>>> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>>>>
>>>> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>>>>
>>>> any suggestions on doing this during a post?
>>>
>>> What version of ipa-client-install are you using?
>>>
>>> Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).
>>>
>>> Simo.
Re: [Freeipa-users] ipa-getkeytab during %post
thanks for the confirmation earlier Rob, that does make a lot of sense.

am I right in assuming that to run the following, would not work with a host principal? Presumably I'd need admin privileges to create a service principal for a host.

ipa service-add HTTP/$(hostname)

I will be giving this a go for testing sake tonight.

Dale

On 02/08/2012 04:00 PM, Rob Crittenden wrote:
> Dale Macartney wrote:
>> Hi JR
>>
>> I agree with your statement of acceptable risk.. this is my main reason for questioning..
>>
>> The ideal situation would be to run this as a satellite kickstart snippet for provisioning with kickstart profiles... That way I can utilize the existing provisioning platform for everything.
>>
>> At the moment everything is in dev using scripted kickstarts for testing.
>
> A host should be able to get keytabs for its own services so you should be able to kinit to the host service principal in /etc/keytab and use ipa-getkeytab.
>
> rob
>
>> Dale
>>
>> On 02/08/2012 03:33 PM, JR Aquino wrote:
>>> If you are really trying to go the route of using the password, the best way to accomplish that is to procedurally ADD the host ahead of time with the -random flag to generate a one-time-pass. Then insert that 1 time password dynamically into the kickstart script.
>>>
>>> If you want to approach the problem from a technical side and not procedural... I don't suppose you have Puppet? You can utilize puppet to deploy a 'host provisioning' keytab that you then kinit -kt before issuing the other commands that require authentication. When it is finished, delete the keytab.
>>>
>>> The problem with authentication and complete hands off automation is that you always have to whittle it down to an area of acceptable risk with lots of compensating controls and logging.
>>>
>>> On Feb 8, 2012, at 6:44 AM, Dale Macartney wrote:
>>>> Hi Simo
>>>>
>>>> ipa-client-install is provided by the ipa-client rpm. Details below
>>>>
>>>> Name    : ipa-client
>>>> Arch    : x86_64
>>>> Version : 2.1.3
>>>> Release : 9.el6
>>>> Size    : 222 k
>>>> Repo    : installed
>>>>
>>>> What I am trying to achieve is these two commands in a post...
>>>>
>>>> ipa service-add HTTP/$(hostname)
>>>> this definitely requires an authenticated user to add i'm sure
>>>>
>>>> ipa-getkeytab -s ds01.example.com -p HTTP/$(hostname) -k /etc/squid/krb5.keytab
>>>> this one I suspect might be able to be retrieved using the host/ principal from the system after running ipa-client-install.
>>>>
>>>> Does this help paint a picture?
>>>>
>>>> Dale
>>>>
>>>> On 02/08/2012 01:49 PM, Simo Sorce wrote:
>>>>> On Wed, 2012-02-08 at 11:13 +, Dale Macartney wrote:
>>>>>> morning all...
>>>>>>
>>>>>> i'm dabbling with automated provisioning of ipa client servers, and i'm a little perplexed on how to add a keytab to a system during the %post section of a kickstart...
>>>>>>
>>>>>> i've run ipa-client-install -U -p admin -w redhat123 which works perfect, but in order to run ipa-getkeytab i need a tgt, which doesn't appear to be generated during the ipa-client-install.
>>>>>>
>>>>>> any suggestions on doing this during a post?
>>>>>
>>>>> What version of ipa-client-install are you using?
>>>>>
>>>>> Newer versions (2.x) should fetch a keytab for your system (needs credentials or OTP password).
>>>>>
>>>>> Simo.
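
The two suggestions made in this thread (pre-create the host with a one-time password, then kinit with the host keytab before ipa-getkeytab) combined into one kickstart %post, as an added example that is not part of any poster's message or of the FreeIPA project's code. It also includes a small check that flags the reusable-credential patterns discussed above. Assumptions: the function names, web01.example.com and the sample OTP are constructed; the HTTP service entry is created by an admin up front; the host keytab is at /etc/krb5.keytab (where ipa-client-install writes it by default); `hostname` returns the FQDN during %post; a squid group exists.

```shell
#!/bin/sh
# Added example (not from the thread). Admin side, once per host, with an
# admin ticket; web01.example.com is a constructed host name:
#   ipa host-add web01.example.com --random    # prints the one-time password
#   ipa service-add HTTP/web01.example.com     # assumption: created up front

# Print a kickstart %post that enrolls with the OTP, then uses the host keytab.
render_ipa_post() {
    server=$1   # IPA server, e.g. ds01.example.com as in the thread
    otp=$2      # one-time password generated by host-add --random
    # The OTP is single-quoted in the output, so refuse one that has a quote.
    case $otp in *\'*) echo "OTP contains a single quote" >&2; return 1 ;; esac
    cat <<EOF
%post --log=/root/ipa-post.log
set -e
fqdn=\$(hostname)   # assumption: already the FQDN at this point
# The OTP is consumed by enrollment and cannot be replayed afterwards.
ipa-client-install -U -w '$otp'
# Authenticate as the host with the keytab that enrollment wrote.
export KRB5CCNAME=FILE:/root/.ks_ccache
kinit -k -t /etc/krb5.keytab "host/\$fqdn"
ipa-getkeytab -s $server -p "HTTP/\$fqdn" -k /etc/squid/krb5.keytab
chown root:squid /etc/squid/krb5.keytab   # assumption: squid group exists
chmod 0640 /etc/squid/krb5.keytab
kdestroy
%end
EOF
}

# Exit 0 if kickstart text on stdin embeds a reusable credential: a named
# principal passed to ipa-client-install, or a password piped into kinit.
has_static_credential() {
    grep -Eq -e 'ipa-client-install.*(-p|--principal)[ =]' \
             -e '(echo|printf).*\|[[:space:]]*kinit'
}

render_ipa_post ds01.example.com 'Constructed-OTP-1'
```

The rendered section still contains a secret until the host enrolls, so the generated kickstart should be served only to the machine being built and discarded afterwards.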