[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Charles Hedrick via FreeIPA-users
ipa idrange-find didn't find the ranges on the other servers after I added them on one. It found the primary ranges (managed by ipa-replica-manage) on all 3 systems, but of course they are different. From: Rob Crittenden Sent: Monday, May 15, 2023 4:15 PM To:

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Omar Pagan via FreeIPA-users
[root @ ldap01] ~ $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh Access granted: True Matched rules: allow_all Not matched rules: admins_allow_all Not matched rules: allow_systemd-user Not matched rules:

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Rob Crittenden via FreeIPA-users
Omar Pagan via FreeIPA-users wrote: > [root @ ldap01] ~ > $ ipa hbacrule-show deepcore-bastion > Rule name: deepcore-bastion > Enabled: True > User Groups: deepcore, amod-bastion > Hosts: deepcore-bastion.uaap.maxar.com > > [root @ ldap01] ~ > $ ipa group-show amod-bastion > Group

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > OK, so I see the answer to my problem is to run > > ipa config-mod --add-sids --enable-sid > > But we have old UIDs with low numbers. It looks like I need to do > > ipa idrange-add CS.RUTGERS.EDU_low_id_range --base-id=1 > --range-size=20

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Charles Hedrick via FreeIPA-users
OK, so I see the answer to my problem is to run ipa config-mod --add-sids --enable-sid But we have old UIDs with low numbers. It looks like I need to do ipa idrange-add CS.RUTGERS.EDU_low_id_range --base-id=1 --range-size=20 --rid-base=2 --secondary-rid-base=3 ipa
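The message above adds a second ID range for the low-numbered UIDs with hand-picked --rid-base and --secondary-rid-base values. The check a practitioner wants before running that idrange-add is that the new range's POSIX interval and both of its RID intervals stay clear of every existing range (and of each other). The script below is an added example, not code from the thread or from FreeIPA itself; the range sizes and RID bases are constructed, and the field order mirrors what ipa idrange-show reports as ipaBaseID, ipaIDRangeSize, ipaBaseRID and ipaSecondaryBaseRID.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): overlap check
# for FreeIPA ID ranges. Each input line is
#   name base_id range_size rid_base secondary_rid_base
# All numbers below are constructed for illustration.

# A primary range (assumed values) plus a low-UID range that reuses the
# --rid-base=2 / --secondary-rid-base=3 idea from the thread with an
# assumed size of 20000.
BAD_RANGES='CS.RUTGERS.EDU_id_range 1234000000 200000 1000 100000000
CS.RUTGERS.EDU_low_id_range 1 20000 2 3'

# The same low range with its RID bases moved clear of the primary range.
GOOD_RANGES='CS.RUTGERS.EDU_id_range 1234000000 200000 1000 100000000
CS.RUTGERS.EDU_low_id_range 1 20000 300000 100300000'

# Print one line per conflict: "KIND name_a name_b".
# POSIX: the UID/GID intervals collide.
# RID:   any RID interval (primary or secondary) collides, including a
#        range's own primary block against its own secondary block.
idrange_overlaps() {
    printf '%s\n' "$1" | awk '
    # closed intervals [a0, a0+an-1] and [b0, b0+bn-1] intersect
    function hits(a0, an, b0, bn) { return !(a0 + an - 1 < b0 || b0 + bn - 1 < a0) }
    NF == 5 { n++; name[n] = $1; base[n] = $2; size[n] = $3; rid[n] = $4; srid[n] = $5 }
    END {
        for (i = 1; i <= n; i++) {
            if (hits(rid[i], size[i], srid[i], size[i])) print "RID", name[i], name[i]
            for (j = i + 1; j <= n; j++) {
                if (hits(base[i], size[i], base[j], size[j])) print "POSIX", name[i], name[j]
                if (hits(rid[i], size[i], rid[j], size[j]) || hits(rid[i], size[i], srid[j], size[j]) ||
                    hits(srid[i], size[i], rid[j], size[j]) || hits(srid[i], size[i], srid[j], size[j]))
                    print "RID", name[i], name[j]
            }
        }
    }'
}

# Number of conflicts; 0 means the set of ranges is consistent.
idrange_overlap_count() {
    idrange_overlaps "$1" | awk 'END { print NR }'
}

echo "conflicts in proposed ranges:"
idrange_overlaps "$BAD_RANGES"
echo "count: $(idrange_overlap_count "$BAD_RANGES")"
echo "count after moving the RID bases: $(idrange_overlap_count "$GOOD_RANGES")"
```

With the constructed numbers the proposed low range collides twice: its own primary and secondary RID blocks overlap (bases 2 and 3 with the same size), and its primary RIDs overlap the primary range's RIDs starting at 1000. Moving both bases past every existing RID block clears the count. Feed real values from ipa idrange-find on each replica, since the earlier message in this thread notes that a range added on one server was not yet visible on the others.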

[Freeipa-users] Re: can't kinit after upgrade to redhat 9.2

2023-05-15 Thread Sam Morris via FreeIPA-users
On 15/05/2023 19:00, Charles Hedrick via FreeIPA-users wrote: I just upgraded from redhat 9.0 to 9.2 on a set of kerberos servers, fortunately a test system. I can't kinit as existing users. If I add a user I can kinit as them. Changing the password doesn't help. krb5kdc says May 15 13:58:30

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > is there a way to do a bulk update of existing users? We have this > issue. I can disable the pac, but that might not be a good long term > solution It's in section 12.2 of the linked RHEL 9 documentation. rob >

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Charles Hedrick via FreeIPA-users
is there a way to do a bulk update of existing users? We have this issue. I can disable the pac, but that might not be a good long term solution From: Sam Morris via FreeIPA-users Sent: Monday, May 15, 2023 8:08 AM To: FreeIPA users list Cc: Alexander Bokovoy ;

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Omar Pagan via FreeIPA-users
so, after disabling the `allow_all` I'm having issues... this user is allowed in the `deepcore-bastion` rule, but he's getting denied: [root @ ldap01] ~ $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh - Access granted: False

[Freeipa-users] can't kinit after upgrade to redhat 9.2

2023-05-15 Thread Charles Hedrick via FreeIPA-users
I just upgraded from redhat 9.0 to 9.2 on a set of kerberos servers, fortunately a test system. I can't kinit as existing users. If I add a user I can kinit as them. Changing the password doesn't help. krb5kdc says May 15 13:58:30 krb1.cs.rutgers.edu krb5kdc[652884](info): AS_REQ (4 etypes

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Omar Pagan via FreeIPA-users
okay, I think the rule `Matched rules: allow_all` was causing the issue... I tested after disabling that rule and it's working now. How can we close this ticket? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Omar Pagan via FreeIPA-users
from: ipa hbacrule-find ``` $ ipa hbacrule-find 7 HBAC rules matched Rule name: admins_allow_all Host category: all Service category: all Enabled: True Rule name: allow_all User category: all Host category: all Service category: all
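The messages above show why the deepcore-bastion rule appeared not to work: HBAC rules are purely additive, so an enabled rule with user, host and service category all "all" grants every access and hbactest reports it as the matched rule. The script below is an added example, not code from the thread or from FreeIPA, that scans the text output of ipa hbacrule-find for exactly that kind of catch-all rule. The sample input is constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): list enabled
# HBAC rules that match every user, host and service. Such a rule makes
# every narrower rule (deepcore-bastion above) irrelevant for access
# decisions. The input is the text form of `ipa hbacrule-find`; this
# sample is constructed for illustration.
SAMPLE_HBAC='----------------------
4 HBAC rules matched
----------------------
  Rule name: admins_allow_all
  Host category: all
  Service category: all
  Enabled: True
  User Groups: admins

  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: True

  Rule name: deepcore-bastion
  Enabled: True
  User Groups: deepcore, amod-bastion
  Hosts: deepcore-bastion.uaap.maxar.com

  Rule name: old_allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: False'

# Print the name of every enabled rule whose user, host and service
# categories are all "all". Rules that are disabled, or that name specific
# users, hosts or services instead of a category, are not reported.
hbac_find_catchall() {
    printf '%s\n' "$1" | awk -F': *' '
    function flush() { if (name != "" && u && h && s && e) print name }
    /^ *Rule name:/                { flush(); name = $2; u = h = s = e = 0; next }
    /^ *User category: *all *$/    { u = 1 }
    /^ *Host category: *all *$/    { h = 1 }
    /^ *Service category: *all *$/ { s = 1 }
    /^ *Enabled: *(True|TRUE) *$/  { e = 1 }
    END { flush() }'
}

echo "enabled catch-all HBAC rules:"
hbac_find_catchall "$SAMPLE_HBAC"
```

On the sample this prints only allow_all: admins_allow_all is limited to the admins group, deepcore-bastion names specific groups and a host, and old_allow_all is disabled. Each reported rule is a candidate for `ipa hbacrule-disable`, after which re-running `ipa hbactest` for a user who should be denied confirms that no other rule still grants the access.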

[Freeipa-users] Re: Yum-based upgrade causes group lookup failures.

2023-05-15 Thread Jeff Goddard via FreeIPA-users
Flo, I must have made multiple edits before posting last about still seeing issues. Having parsed the rundeck config file again, and setting the appropriate values as suggested, I'm now getting the group membership information included in the lookups while still using my service account. Thank

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Sam Morris via FreeIPA-users
On Mon, May 15, 2023 at 09:28:22AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Sun, 14 May 2023, Sam Morris wrote: > > On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users > > wrote: > > > I wonder about the root cause; is this because MIT Kerberos 1.20 always > > >

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:37 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > I have setup a bastion host with an IPA client in order to control access > to the bastion host by groups. I have users in different groups, but I > just got word that

[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:43 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > > > if you want to install a RHEL8 or RHEL9 server with the same domain name, > > the recommended procedure would be to install a RHEL8 replica from your > > RHEL7 server,

[Freeipa-users] Re: IDView problem

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer wrote: > On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote: > > Hi, > > > > can you provide more details? Did you use the "Default Trust View" > > idview or did you create another one? Which attributes did you override > > for

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Alexander Bokovoy via FreeIPA-users
On Sun, 14 May 2023, Sam Morris wrote: On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users wrote: I wonder about the root cause; is this because MIT Kerberos 1.20 always wants to include a PAC in its issued TGTs, and it gives up if it can't retrieve a user's SID from the