Thanks Rob
Angus
From: Rob Crittenden
Sent: 15 June 2022 14:15
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] Upgrading from EL7.9 to EL8
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> I am planning the upgrade of one of ou
Hello
I am planning the upgrade of one of our FreeIPA deployments from EL7.9
Previously, we have been quite good at upgrading through OS point upgrades
(7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA
software.
Upgrading our FreeIPAs from EL7.9 today will see me
Task Administrator'.
To limit what you're allowing to the minimum I'd create a new role like
'Hosts can rebuild automember' and add your host(s) to it.
rob
Angus Clarke via FreeIPA-users wrote:
> Hi Alexander
>
>> There are two ways of setting these fields:
>>
>> - p
Rebuild Membership
Task'. There is a related privilege, 'Automember Task Administrator'.
To limit what you're allowing to the minimum I'd create a new role like
'Hosts can rebuild automember' and add your host(s) to it.
rob
Angus Clarke via FreeIPA-users wrote:
> Hi Alexander
>
>> There
automember rebuild membership,cn=tasks,cn=config'.
Thanks a lot
Angus
From: Alexander Bokovoy
Sent: 20 May 2022 13:39
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] hostgroup automember rules
Hi Angus,
On Fri, 20 May 2022, Angus Clarke via F
Thanks a lot Alexander.
From: Alexander Bokovoy
Sent: 20 May 2022 13:39
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] hostgroup automember rules
Hi Angus,
On Fri, 20 May 2022, Angus Clarke via FreeIPA-users wrote:
>Hello
>
Thanks a lot Flo.
From: Florence Blanc-Renaud
Sent: 20 May 2022 13:12
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] hostgroup automember rules
Hi,
On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users
mailto:freeipa-users
Hello
FreeIPA 4.6.8
We are very happy with hostgroup automember rules based on servername attribute
however one of our internal customers uses a generic servername template for
all of their servers regardless of its function.
So I'm wondering what other attributes I might use for hostgroup
ipa upgrade / Single Level Domain
>
>Hi,
>
>
>On Tue, May 3, 2022 at 11:59 AM Angus Clarke via FreeIPA-users
><freeipa-users@lists.fedorahosted.org>
> wrote:
>Hello
>
>We installed our IPA servers back in EL7.2 days and deployed with a single
>level
Angus Clarke via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
wrote:
Hello
We installed our IPA servers back in EL7.2 days and deployed with a single
level domain and matching (uppercased) realm. Through various upgrades we are
now at EL7.9 and are aware that the ipa-client-i
Hello
We installed our IPA servers back in EL7.2 days and deployed with a single
level domain and matching (uppercased) realm. Through various upgrades we are
now at EL7.9 and are aware that the ipa-client-install command has become
finickity about single level domains however thus far we have
Hi Akshay
I'm unfamiliar with your specific question (I'm just a user); however, the web
interface and command line tools use the API to perform these processes, which
in turn are logged to Apache's error_log.
Regards
Angus
From: akshay p via FreeIPA-users
a
convenient resolver or you do resolution via the root nameservers which is
probably a more secure solution.
-----Original Message-----
From: Angus Clarke via FreeIPA-users
<Angus Clarke via FreeIPA-users <freeipa-us...@lists.fedorahosted.org>>
Reply-To: FreeIP
Thanks for sharing Harry, I really appreciate you and everyone else, taking the
time to consider my situation.
Regards
Angus
From: Harry G. Coin via FreeIPA-users
Sent: Tuesday, December 28, 2021 12:17:16 AM
To: freeipa-users@lists.fedorahosted.org
Cc: Harry G.
es
and some private services and that's what you're struggling with. However you
haven't articulated this either.
-----Original Message-----
From: Angus Clarke via FreeIPA-users
<Angus Clarke via FreeIPA-users <freeipa-us...@lists.fedorahosted.org>>
Reply-To:
Thanks for your replies, I think I need to focus on internal resolver
configuration and less on public subdomain delegation.
Cheers
Angus
From: Rafael Jeffman
Sent: Monday, 27 December 2021, 11:11 pm
To: Peter Larsen
Cc: Angus Clarke; FreeIPA users list;
Hi Rafael
I appreciate your response, but we're (just me?) still lacking in direction as
to how to properly use your software in the real world. To me it feels like an
admins vs devs topic, although I could easily be missing something :)
I mention the Microsoft documentation because I haven't
Hi
You could host split view dns so as to only give responses to queries from
certain (your) IP addresses, thus hiding your private DNS information from
general public queries.
Similarly yet more succinctly, you could use a subdomain and delegate the DNS
for that to a private IP in your
AFAIK Oracle still produce RHEL based Linux releases for free, however I
haven't yet migrated to EL8.
Regards
Angus
From: Nico Maas via FreeIPA-users
Sent: 06 September 2021 07:52
To: Ian Willis
Cc: FreeIPA users list ; Timo Aaltonen
; Nico Maas ; Ilya Kogan
Don't shoot me :)
Oracle support FreeIPA as part of their general Linux support package, expected
to be on Oracle Linux of course however I think they offer support for other
Linux OSs too but this might only be through some onboarding phase.
SUSE used to support non-SUSE Linux as well, but I
sss_cache -E to invalidate all cache, you can be more refined with other
options.
Regards
Angus
From: Russ Long via FreeIPA-users
Sent: 22 January 2021 16:39
To: freeipa-users@lists.fedorahosted.org
Cc: Russ Long
Subject: [Freeipa-users] Re: Allow "sudo su -
I edited sudoers by hand however it should give you something to aim towards ...
[root@orable76 ~]# grep angus /etc/sudoers
angus ALL=NOPASSWD: /usr/bin/su - appuser
[root@orable76 ~]# su - angus
Last login: Fri Jan 22 17:01:30 CET 2021 on pts/0
[angus@orable76 ~]$ sudo su - appuser
Last
Forward and reverse lookups use the resolver library which is configured
through /etc/nsswitch.conf
As long as files is listed before dns then you should be good:
$ grep ^hosts: /etc/nsswitch.conf
hosts: files dns myhostname
Regards
Angus
From: Dominik
The steps you mention seem fine to me Roberto, Detlev has detailed an
alternative.
If you lose a client and need to rebuild (i.e. you didn't get a chance to run the
"--uninstall" option), then you can also just delete the host entry from IPA
through the web GUI or ipa command line before running
Thanks for your input Rob - you've said enough to scare me off the topic!
Cheers
Angus
From: Rob Crittenden
Sent: 08 October 2020 20:52
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] Stop/Disable Apache on IdM servers
Angus Clarke via
Hello
We have a single mesh of FreeIPA servers in several different locations, we
capture logs (apache ErrorLog directive) to a log server in each of those
locations. When auditors ask us questions we have to trawl log servers from all
locations as our IdM administrators might have used any of
Hi Ronald
Look at the "Attribute Editor" tab against a user account in "Active Directory
users and computers." It should be in the list there (uidNumber) amongst other
useful things.
I'm no Microsoft administrator but am aware that this "Attribute Editor" tab is
not listed if you search for
You could build a replica, reinstall your original with CentOS and then build
that as a replica. Not too much downtime for your original whilst it is being
rebuilt.
Regards
Angus
From: Boris Behrens via FreeIPA-users
Sent: Friday, September 4, 2020 11:34:02 AM
Hello
We want to give FreeIPA web UI access to a corporate team; our security guys
insist we hide this behind a reverse proxy, so we're putting 2 of our 10 FreeIPA
servers behind the RP address.
In our initial testing we get the Kerberos error "Unable to verify your
Kerberos credentials" in the
Hi
Just a bit of user experience ...
I'm guessing you ran the ipa-client-install program on your client specifying
"--server=ipa01.bos1.domain.com" rather than relying on auto-discovery
(requires SRV DNS records)
If DNS SRV records are not configured and you need to manually specify the IPA
Hi
We run a similar setup (multiple sites, different DNS domain per site, 2 IPA
servers per site) without the issues you mention. We're not using DNS discovery;
however, that shouldn't make a huge difference.
Are you passing --realm=blah to the ipa-client-install command? That and other
options
Hi
At the one end of things you might want to secure your IPA server in your
production network however this might not be reachable from other networks
(your network policy.) At the other end of things you might want to place it in
your most accessible network however then the system is more
passwords for accounts
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> We don't use FreeIPA passwords for user accounts however some accounts
> have had passwords set which is noticed from time to time. I would like
> to revert those account passwords to the point when the user wa
Hello
We don't use FreeIPA passwords for user accounts however some accounts have had
passwords set which is noticed from time to time. I would like to revert those
account passwords to the point when the user was newly added but the password
not yet set.
I don't see anything obvious in the
: Angus Clarke
Subject: Re: [Freeipa-users] EL7 Upgrades
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> Our environment has grown and as additional IPA servers have been added,
> different versions have been deployed. I am looking to bring IPA servers
> up to the latest
Hello
Our environment has grown and as additional IPA servers have been added,
different versions have been deployed. I am looking to bring IPA servers up to
the latest version for EL7 and wanted some guidance or reassurance.
Here are my versions; they are all VMware VMs:
idm001
Hello
I suggest running the hbactest function, something like:
ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login
Regards
Angus
From: Kristian Petersen via FreeIPA-users
Sent: 16 March 2020 21:57
To: FreeIPA users list
Cc: Kristian
Aaah, for me that is outside of my knowledge.
Regards
Angus
From: Todd Grayson via FreeIPA-users
Sent: Friday, March 6, 2020 11:31:36 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Todd Grayson
Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet,
Or indeed chose any of your existing DNS domains for the IPA servers, I suspect
changing the domain at a later time might be troublesome, so maybe pick one
that has some assured longevity to it!
Regards
Angus
From: Angus Clarke via FreeIPA-users
Sent: Friday
Hello
As far as I'm aware, Kerberos requires DNS A records for clients and servers.
Could you not just set up freeIPA using its internal DNS with a new domain just
to add the IPA servers to, and then have forwarding between the different DNS
systems? Clients can be under any DNS domain you
Not very helpful I realise but in my experience, moving away from
multi-interfaced servers to single interface was the best thing we ever did. It
took massive change in the tech department to do that but was well worth it
with respect to reduced complexity.
Regards
Angus
As is often the case, ours was an operational experience decision - we already
had a DNS which was already managed by my team.
All the best
Angus
From: Daniel PC via FreeIPA-users
Sent: 16 January 2020 16:19
To: freeipa-users@lists.fedorahosted.org
Cc: Daniel
that it’s probably not practical to keep them for a
long time. It might not be hard to pull out just the things that make changes.
On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
wrote:
Just a note from a fellow user ...
Changes made
Just a note from a fellow user ...
Changes made through the API are logged via Apache's ErrorLog directive; I've
been using this with some degree of success to answer 3rd party audit queries.
However, it does miss things like "which groups was this user a member of when
they were deleted", though
Hello
Not sure if this is more a generic DNS question or not ...
We run FreeIPA 4.6.4 on a RHEL7.6 clone, we do not use FreeIPA DNS and we
currently do not use DNS discovery. I have read this:
Not directly answering your question but sharing some knowledge ...
Similarly, our IPA system falls under certain audit conditions, specifically
with regard to user addition/deletion and what group memberships have been
amended over some period of time (we base our sudo rules on group
Just some user notes
I really like the IPA server topology graph through the web front end,
visualising the agreements between servers is really useful. You can add or
remove agreements here too, for both domain and CA (for servers that have CA
enabled)
I've deployed 6 IPA servers equally
Sorry that's out of my depth
I took it that you still had a remaining replica, in which case you should be
able to follow the path I mentioned earlier. If so, you just need to understand
the CA situation. I build all my IPA servers in the way I mentioned and specify
--setup-ca on all of them.
Hi
An alternative approach would be to set up your new server as an IPA client and
then to promote it.
On new server:
# ipa-client-install
Followed by
# ipa-replica-install
Check the man pages for options suitable to your environment, otherwise I
specify --setup-ca for all our new IPA
My guess is that you have the domain "intra.example.com" listed in the "search"
order found in /etc/resolv.conf on server ipa1 but not on server mahavishnu.
Regards
Angus
From: Jason Dunham via FreeIPA-users
Sent: Thursday, 17 October 2019, 20:31
To:
Hi all
After decommissioning 2 IPA servers some time back (reduced from 8 to 6) I
recently noticed that one of the decommissioned servers still appears when
issuing commands like "ipa server-find." It only appears on 2 of the existing
servers, not the other 4.
"ipa server-del" and
Hmm, yes I see the problem, when a previously registered node reboots, all the
local configuration is lost however it still has entries in IPA server.
I've not tried running ipa-client-install on such a node but it sounds like you
have and the --force option is achieving what you desire.
Hi
If you just want an audit trail of the FreeIPA server(s) API, then Apache's
ErrorLog directive catches all that.
Regards
Angus
From: Fraser Tweedale via FreeIPA-users
Sent: 24 September 2019 11:08
To: Nazan CENGİZ ;
freeipa-users@lists.fedorahosted.org
Hi
Perhaps some boot script to run the ipa-client-install command when a new
instance boots up? I'm not sure how the system would behave if you run the
ipa-client-install command multiple times, should the same machine name boot
more than once.
For HBAC rules you can use "auto-member" to
Hi
A bit late I realise but I noticed ...
https://www.freeipa.org/page/Domain_Levels
(# ipa domainlevel-get)
IPA 4.5 is likely domain level 1. According to the ipa-replica-del man page:
<-- snip
To manage IPA replication agreements in a domain at domain level 1, use IPA CLI
or Web UI, see `ipa
Hi Albert
I use sss_cache to drop a client's cache when testing some change I've applied.
sss_cache -E to drop all cache.
Take a look at the man page for other options.
Regards
Angus
From: Albert Szostkiewicz via FreeIPA-users
Sent: Monday,
Hi Mike
It's prolly too late but you could have tried this as root to identify which
process had port 749 open:
netstat -pan | grep LISTEN | grep 749
Regards
Angus
From: Mike Conner via FreeIPA-users
Sent: Wednesday, September 4, 2019 5:35:57 AM
To:
counts via the web interface.
Regards
Angus
From: Alexander Bokovoy
Sent: 22 August 2019 10:04
To: FreeIPA users list
Cc: Angus Clarke
Subject: Re: [Freeipa-users] Disabled user accounts
On Thu, 22 Aug 2019, Angus Clarke via FreeIPA-users wrote:
>Hi all
>
>Just
Hi all
Just an observation really: some of our users complained that their IdM login
names did not match other systems'. We saw IdM as the easiest place to fix
this (as opposed to modifying local accounts on hundreds of non-IdM enabled
*nix boxes around the estate).
Rightly or wrongly, the
I suspect OP is enquiring about ssh keys.
You need to tell your SSH client about your SSH private key (keep it safe) and
paste the public component of your key pair into the SSH key field in the
FreeIPA web admin screen for the user (the field is about a third of the way
down the screen on the
Hello
Best practices say to deploy 2 - 3 IPA servers per site (Deployment
Recommendations); however, I've never really understood why. We run 2 IPA servers
in each of our primary DCs and then connect our smaller remote sites to those
IPA servers over IPsec VPNs. For example, IPA clients in a
Hi all
Excuse my ignorance, can anyone give me some pointers on getting RSA
Authentication Manager 8 to use FreeIPA 4.5 as an identity source over
LDAPS?
Many thanks
Angus
You might find some useful tips here:
https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html
Not sure if they did drop their other scripts into github (as suggested two
thirds down)
Regards
Angus
On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <
Thanks Fraser!
On 31 May 2018 at 09:29, Fraser Tweedale via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> My latest blog post looks at how to clean up and install a *new* CA
> within an existing FreeIPA deployment. This handles scenarios were
> a CA installation has failed, or
Main gripe (which doesn't have any plans for resolution) - no facility for
read-only replicas in untrusted sites.
On 8 May 2018 at 12:04, Angus Clarke wrote:
> Hi Duncan
>
> A few things I've learned:
>
> Understand how replication agreements work as part of your
Hi Duncan
A few things I've learned:
Understand how replication agreements work as part of your planning.
Choose a suitable location for the live CA server.
Deploy a replica by promoting an sssd client. Unless you have a reason not
to, always use --setup-ca to the ipa-replica-install command
Hello
We've failed to deploy a replica in a remote DC, initially the CA Master
(ipa_server1) was in a location that this remote DC could not reach so I
moved the CA to a contactable IPA server in another location (ipa_server2.)
I still receive CA_REJECTED however and I suspect we may have hit
Hi
Is there way to lock down a FreeIPA replica so that it can only receive
updates but not make changes to other FreeIPA systems.
Some of our environments are considered less secure than others, our
security team are concerned that a FreeIPA in a less secure environment
might become compromised