[Freeipa-users] Re: Migrating a Large OpenLDAP directory

2023-06-20 Thread Chris Cowan via FreeIPA-users
> Chris Cowan via FreeIPA-users wrote: > > Can you explain how you did the migration? Private groups are not > created using migrate-ds. In IPA a "private" group is one where uid=gid > and the group cannot have members. Haven't done a full migration, yet. I'm just experimenting in the lab with

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread T A via FreeIPA-users
Rob, thank you, great insight, the kvno did not match tried to generate a new one but it fails kinit admin ipa-getkeytab -s server1 -p host/serv...@company.com -k /etc/krb5.keytab Failed to parse result: Internal error while saving keys Looking in journalctl it shows that "Adjustment limit exceede

[Freeipa-users] Re: certmonger certificate renewal stuck in SUBMITTING loop

2023-06-20 Thread Jernej Jakob via FreeIPA-users
I've been trying to debug this for the last couple of days. I can't find what's wrong. I found that another client whose cert also expired on 2023-06-07 was in the same SUBMITTING state. The same exact conditions. Same exact OS, Ubuntu 20.04 LTS. certmonger package is up-to-date. I increased certm

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread Rob Crittenden via FreeIPA-users
T A via FreeIPA-users wrote: > Florence thanks for the reply. > There are 2 IPA servers, the one I'm trying to cert fix on is the CA renewal > master, server1 > > I had to redact some details > #ipa config-show > Max username length: 32 > Home directory base: /home > Default shell: /bin/bash > Def

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread T A via FreeIPA-users
Florence thanks for the reply. There are 2 IPA servers, the one I'm trying to cert fix on is the CA renewal master, server1 I had to redact some details #ipa config-show Max username length: 32 Home directory base: /home Default shell: /bin/bash Default users group: ipausers Default e-mail domain:

[Freeipa-users] Re: Migrating a Large OpenLDAP directory

2023-06-20 Thread Rob Crittenden via FreeIPA-users
Chris Cowan via FreeIPA-users wrote: > One other issue, I've encountered is in our existing OpenLDAP directory, with > the private group for the user, the uid != gid. This would be easy to fix > but we have our legacy gid space interspersed with the other supplemental > groups we created. Pr

[Freeipa-users] Re: Valid characters in group names

2023-06-20 Thread Chris Cowan via FreeIPA-users
I noticed the $. The environment in question has used the "/" in group names with AIX and Linux for 2 decades without incident. It also worked with other proprietary Unix platforms. (But they're all decommissioned now) They enforced a rule that all group names had to start with an alpha.

[Freeipa-users] Re: Valid characters in group names

2023-06-20 Thread Rob Crittenden via FreeIPA-users
Chris Cowan via FreeIPA-users wrote: > Would it be possible to loosen the restrictions on group names to allow a > forward slash? > > We are migrating a large OpenLDAP directory, and they adopted a > pseudo-hierarchical group naming standard using "/". Alphanumerics, and > [-_.] were allowed

[Freeipa-users] Re: Migrating a Large OpenLDAP directory

2023-06-20 Thread Chris Cowan via FreeIPA-users
The workaround above seems to fit my needs. But wondering if there's any unintended consequences, that haven't occurred to me.

[Freeipa-users] "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-20 Thread Sam Morris via FreeIPA-users
I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission attempt complete. 2023-06-20 08:24:49 [622035] Child status = 2. 2023-06-20 08:24:49 [622035] Child output:

[Freeipa-users] Migrating a Large OpenLDAP directory

2023-06-20 Thread Chris Cowan via FreeIPA-users
One other issue, I've encountered is in our existing OpenLDAP directory, with the private group for the user, the uid != gid. This would be easy to fix but we have our legacy gid space interspersed with the other supplemental groups we created. Presently, we're talking about 9K users and 130

[Freeipa-users] Valid characters in group names

2023-06-20 Thread Chris Cowan via FreeIPA-users
Would it be possible to loosen the restrictions on group names to allow a forward slash? We are migrating a large OpenLDAP directory, and they adopted a pseudo-hierarchical group naming standard using "/". Alphanumerics, and [-_.] were allowed between forward slashes. This was inherited fro

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Ronald Wimmer via FreeIPA-users
On 20.06.23 16:08, Alexander Bokovoy wrote: On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:57, Alexander Bokovoy wrote: On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:57, Alexander Bokovoy wrote: On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: I can and use IPA users on an AI

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Ronald Wimmer via FreeIPA-users
On 20.06.23 15:57, Alexander Bokovoy wrote: On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: I can and use IPA users on an AIX client. As well as groups. But somehow group membership d

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: I can and use IPA users on an AIX client. As well as groups. But somehow group membership does not seem to be configured correctly... #

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Ronald Wimmer via FreeIPA-users
On 20.06.23 15:51, Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: I can and use IPA users on an AIX client. As well as groups. But somehow group membership does not seem to be configured correctly... # id

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more information on your deployment? Do you have a single IPA server that is providing the CA service or many servers? In the latter case, which one is the CA renewal master? Are there other expired certificates? # kinit admin # ipa config-show # getcert list flo On Mon, Ju

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Ronald Wimmer via FreeIPA-users
On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: I can and use IPA users on an AIX client. As well as groups. But somehow group membership does not seem to be configured correctly... # id y179768 uid=1246660005(y179768) gid=1246660005(y179768) #

[Freeipa-users] Re: AIX - IPA group membership

2023-06-20 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > I can and use IPA users on an AIX client. As well as groups. But somehow > group membership does not seem to be configured correctly... > > # id y179768 > uid=1246660005(y179768) gid=1246660005(y179768) > > # lsgroup -R LDAP ipa-aix-g > ipa-aix-g id=124669

[Freeipa-users] AIX - IPA group membership

2023-06-20 Thread Ronald Wimmer via FreeIPA-users
I can and use IPA users on an AIX client. As well as groups. But somehow group membership does not seem to be configured correctly... # id y179768 uid=1246660005(y179768) gid=1246660005(y179768) # lsgroup -R LDAP ipa-aix-g ipa-aix-g id=1246690508 users= registry=LDAP Anyone has a hint what cou