[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Thanks Rob Angus From: Rob Crittenden Sent: 15 June 2022 14:15 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Upgrading from EL7.9 to EL8 Angus Clarke via FreeIPA-users wrote: > Hello > > I am planning the upgrade of one of ou

[Freeipa-users] Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Hello I am planning the upgrade of one of our FreeIPA deployments from EL7.9 Previously, we have been quite good at upgrading through OS point upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA software. Upgrading our FreeIPAs from EL7.9 today will see me

[Freeipa-users] Re: hostgroup automember rules

2022-05-27 Thread Angus Clarke via FreeIPA-users
Task Administrator'. To limit what you're allowing to the minimum I'd create a new role like 'Hosts can rebuild automember' and add your host(s) to it. rob Angus Clarke via FreeIPA-users wrote: > Hi Alexander > >> There are two ways of setting these fields: >> >> - p

[Freeipa-users] Re: hostgroup automember rules

2022-05-26 Thread Angus Clarke via FreeIPA-users
Rebuild Membership Task'. There is a related privilege, 'Automember Task Administrator'. To limit what you're allowing to the minimum I'd create a new role like 'Hosts can rebuild automember' and add your host(s) to it. rob Angus Clarke via FreeIPA-users wrote: > Hi Alexander > >> There

[Freeipa-users] Re: hostgroup automember rules

2022-05-25 Thread Angus Clarke via FreeIPA-users
automember rebuild membership,cn=tasks,cn=config'. Thanks a lot Angus From: Alexander Bokovoy Sent: 20 May 2022 13:39 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi Angus, On pe, 20 touko 2022, Angus Clarke via F

[Freeipa-users] Re: hostgroup automember rules

2022-05-23 Thread Angus Clarke via FreeIPA-users
Thanks a lot Alexander. From: Alexander Bokovoy Sent: 20 May 2022 13:39 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi Angus, On pe, 20 touko 2022, Angus Clarke via FreeIPA-users wrote: >Hello > >

[Freeipa-users] Re: hostgroup automember rules

2022-05-23 Thread Angus Clarke via FreeIPA-users
Thanks a lot Flo. From: Florence Blanc-Renaud Sent: 20 May 2022 13:12 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi, On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users

[Freeipa-users] hostgroup automember rules

2022-05-20 Thread Angus Clarke via FreeIPA-users
Hello FreeIPA 4.6.8 We are very happy with hostgroup automember rules based on servername attribute however one of our internal customers uses a generic servername template for all of their servers regardless of its function. So I'm wondering what other attributes I might use for hostgroup

[Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

2022-05-04 Thread Angus Clarke via FreeIPA-users
ipa upgrade / Single Level Domain > >Hi, > > >On Tue, May 3, 2022 at 11:59 AM Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > wrote: >Hello > >We installed our IPA servers back in EL7.2 days and deployed with a single >level

[Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

2022-05-04 Thread Angus Clarke via FreeIPA-users
Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Hello We installed our IPA servers back in EL7.2 days and deployed with a single level domain and matching (uppercased) realm. Through various upgrades we are now at EL7.9 and are aware that the ipa-client-i

[Freeipa-users] EL8 ipa upgrade / Single Level Domain

2022-05-03 Thread Angus Clarke via FreeIPA-users
Hello We installed our IPA servers back in EL7.2 days and deployed with a single level domain and matching (uppercased) realm. Through various upgrades we are now at EL7.9 and are aware that the ipa-client-install command has become finickity about single level domains however thus far we have

[Freeipa-users] Re: Web service to receive callbacks via HTTP

2022-01-18 Thread Angus Clarke via FreeIPA-users
Hi Akshay I'm unfamiliar with your specific question (I'm just a user) however the web interface and command line tools use the API to perform these processes which in turn get logged to Apache's error_log. Regards Angus From: akshay p via FreeIPA-users

[Freeipa-users] Re: DNS and FreeIPA

2021-12-28 Thread Angus Clarke via FreeIPA-users
a convenient resolver or you do resolution via the root nameservers which is probably a more secure solution. -----Original Message----- From: Angus Clarke via FreeIPA-users Reply-To: FreeIP

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Thanks for sharing Harry, I really appreciate you and everyone else, taking the time to consider my situation. Regards Angus From: Harry G. Coin via FreeIPA-users Sent: Tuesday, December 28, 2021 12:17:16 AM To: freeipa-users@lists.fedorahosted.org Cc: Harry G.

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
es and some private services and that's what you're struggling with. However you haven't articulated this either. -----Original Message----- From: Angus Clarke via FreeIPA-users Reply-To:

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Thanks for your replies, I think I need to focus on internal resolver configuration and less on public subdomain delegation. Cheers Angus From: Rafael Jeffman Sent: Monday, 27 December 2021, 11:11 pm To: Peter Larsen Cc: Angus Clarke; FreeIPA users list;

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Hi Rafael I appreciate your response but we're (just me?) still lacking in direction as to how to properly use your software in the real world - to me it feels like an admins vs devs topic although I could easily be missing something :) I mention the Microsoft documentation because I haven't

[Freeipa-users] Re: DNS and FreeIPA

2021-12-26 Thread Angus Clarke via FreeIPA-users
Hi You could host split view dns so as to only give responses to queries from certain (your) IP addresses, thus hiding your private DNS information from general public queries. Similarly yet more succinctly, you could use a subdomain and delegate the DNS for that to a private IP in your

[Freeipa-users] Re: freeIPA Status Debian/Ubuntu

2021-09-06 Thread Angus Clarke via FreeIPA-users
AFAIK Oracle still produce RHEL based Linux releases for free, however I haven't yet migrated to EL8. Regards Angus From: Nico Maas via FreeIPA-users Sent: 06 September 2021 07:52 To: Ian Willis Cc: FreeIPA users list ; Timo Aaltonen ; Nico Maas ; Ilya Kogan

[Freeipa-users] Re: [EXTERNAL] FreeIPA Enterprise or Paid Support

2021-03-18 Thread Angus Clarke via FreeIPA-users
Don't shoot me :) Oracle support FreeIPA as part of their general Linux support package, expected to be on Oracle Linux of course however I think they offer support for other Linux OSs too but this might only be through some onboarding phase. Suse used to support non-suse Linux as well but I

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Angus Clarke via FreeIPA-users
sss_cache -E to invalidate all cache, you can be more refined with other options. Regards Angus From: Russ Long via FreeIPA-users Sent: 22 January 2021 16:39 To: freeipa-users@lists.fedorahosted.org Cc: Russ Long Subject: [Freeipa-users] Re: Allow "sudo su -

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Angus Clarke via FreeIPA-users
I edited sudoers by hand however it should give you something to aim towards ... [root@orable76 ~]# grep angus /etc/sudoers angus ALL=NOPASSWD: /usr/bin/su - appuser [root@orable76 ~]# su - angus Last login: Fri Jan 22 17:01:30 CET 2021 on pts/0 [angus@orable76 ~]$ sudo su - appuser Last

[Freeipa-users] Re: Help with DNS setup?

2020-12-30 Thread Angus Clarke via FreeIPA-users
Forward and reverse lookups use the resolver library which is configured through /etc/nsswitch.conf As long as files is listed before dns then you should be good: $ grep ^hosts: /etc/nsswitch.conf hosts: files dns myhostname Regards Angus From: Dominik

[Freeipa-users] Re: Reinstalling client's OS

2020-12-04 Thread Angus Clarke via FreeIPA-users
The steps you mention seem fine to me Roberto, Detlev has detailed an alternative. If you lose a client and need to rebuild (i.e. you didn't get chance to run the "--uninstall" option) then you can also just delete the host entry from IPA through the web gui or ipa command line before running

[Freeipa-users] Re: Stop/Disable Apache on IdM servers

2020-10-09 Thread Angus Clarke via FreeIPA-users
Thanks for your input Rob - you've said enough to scare me off the topic! Cheers Angus From: Rob Crittenden Sent: 08 October 2020 20:52 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Stop/Disable Apache on IdM servers Angus Clarke via

[Freeipa-users] Stop/Disable Apache on IdM servers

2020-10-08 Thread Angus Clarke via FreeIPA-users
Hello We have a single mesh of FreeIPA servers in several different locations, we capture logs (apache ErrorLog directive) to a log server in each of those locations. When auditors ask us questions we have to trawl log servers from all locations as our IdM administrators might have used any of

[Freeipa-users] Re: POSIX ids of all AD users

2020-10-03 Thread Angus Clarke via FreeIPA-users
Hi Ronald Look at the "Attribute Editor" tab against a user account in "Active Directory users and computers." It should be in the list there (uidNumber) amongst other useful things. I'm no Microsoft administrator but am aware that this "Attribute Editor" tab is not listed if you search for

[Freeipa-users] Re: migrate IPA server to new OS

2020-09-04 Thread Angus Clarke via FreeIPA-users
You could build a replica, reinstall your original with Centos and then build that as a replica. Not too much downtime for your original whilst it is being rebuilt. Regards Angus From: Boris Behrens via FreeIPA-users Sent: Friday, September 4, 2020 11:34:02 AM

[Freeipa-users] Web UI behind Reverse proxy

2020-08-25 Thread Angus Clarke via FreeIPA-users
Hello We want to give freeipa web ui access to a corporate team, our security guys insist we hide this behind a reverse proxy, we're putting 2 of our 10 freeipa servers behind the RP address. In our initial testing we get the kerberos error "Unable to verify your Kerberos credentials" in the

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Angus Clarke via FreeIPA-users
Hi Just a bit of user experience ... I'm guessing you ran the ipa-client-install program on your client specifying "--server=ipa01.bos1.domain.com" rather than relying on auto-discovery (requires SRV DNS records) If DNS SRV records are not configured and you need to manually specify the IPA

[Freeipa-users] Re: Planing multi-site deployment

2020-06-03 Thread Angus Clarke via FreeIPA-users
Hi We run a similar setup (multiple sites, different dns domain per site, 2 IPA servers per site) without the issues you mention, we're not using DNS discovery however that shouldn't make a huge difference. Are you passing --realm=blah to the ipa-client-install command? That and other options

[Freeipa-users] Re: where to place the freeipa server in a segmented network

2020-05-08 Thread Angus Clarke via FreeIPA-users
Hi At the one end of things you might want to secure your IPA server in your production network however this might not be reachable from other networks (your network policy.) At the other end of things you might want to place it in your most accessible network however then the system is more

[Freeipa-users] Re: Unset passwords for accounts

2020-05-05 Thread Angus Clarke via FreeIPA-users
passwords for accounts Angus Clarke via FreeIPA-users wrote: > Hello > > We don't use FreeIPA passwords for user accounts however some accounts > have had passwords set which is noticed from time to time. I would like > to revert those account passwords to the point when the user wa

[Freeipa-users] Unset passwords for accounts

2020-05-04 Thread Angus Clarke via FreeIPA-users
Hello We don't use FreeIPA passwords for user accounts however some accounts have had passwords set which is noticed from time to time. I would like to revert those account passwords to the point when the user was newly added but the password not yet set. I don't see anything obvious in the

[Freeipa-users] Re: EL7 Upgrades

2020-04-21 Thread Angus Clarke via FreeIPA-users
: Angus Clarke Subject: Re: [Freeipa-users] EL7 Upgrades Angus Clarke via FreeIPA-users wrote: > Hello > > Our environment has grown and as additional IPA servers have been added, > different versions have been deployed. I am looking to bring IPA servers > up to the latest

[Freeipa-users] EL7 Upgrades

2020-04-07 Thread Angus Clarke via FreeIPA-users
Hello Our environment has grown and as additional IPA servers have been added, different versions have been deployed. I am looking to bring IPA servers up to the latest version for EL7 and wanted some guidance or reassurance. Here are my versions, they are all VMWare VMs: idm001

[Freeipa-users] Re: Some users unable to log in to host

2020-03-17 Thread Angus Clarke via FreeIPA-users
Hello I suggest running the hbactest function, something like: ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login Regards Angus From: Kristian Petersen via FreeIPA-users Sent: 16 March 2020 21:57 To: FreeIPA users list Cc: Kristian

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Aaah, for me that is outside of my knowledge. Regards Angus From: Todd Grayson via FreeIPA-users Sent: Friday, March 6, 2020 11:31:36 PM To: freeipa-users@lists.fedorahosted.org Cc: Todd Grayson Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet,

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Or indeed choose any of your existing DNS domains for the IPA servers, I suspect changing the domain at a later time might be troublesome, so maybe pick one that has some assured longevity to it! Regards Angus From: Angus Clarke via FreeIPA-users Sent: Friday

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Hello As far as I'm aware, Kerberos requires DNS A records for clients and servers. Could you not just setup freeIPA using its internal DNS using a new domain just to add the ipa servers to, and then have forwarding between the different DNS systems? Clients can be under any DNS domain you

[Freeipa-users] Re: Traffic from client to server through management's interface

2020-02-17 Thread Angus Clarke via FreeIPA-users
Not very helpful I realise but in my experience, moving away from multi-interfaced servers to single interface was the best thing we ever did. It took massive change in the tech department to do that but was well worth it with respect to reduced complexity. Regards Angus

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-17 Thread Angus Clarke via FreeIPA-users
As is often the case, ours was an operational experience decision - we already had a DNS which was already managed by my team. All the best Angus From: Daniel PC via FreeIPA-users Sent: 16 January 2020 16:19 To: freeipa-users@lists.fedorahosted.org Cc: Daniel

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Angus Clarke via FreeIPA-users
that it's probably not practical to keep them for a long time. It might not be hard to pull out just the things that make changes. On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Just a note from a fellow user ... Changes made

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Angus Clarke via FreeIPA-users
Just a note from a fellow user ... Changes made through the API are logged via apache's ErrorLog directive, I've been using this to some degree of success to answer 3rd party audit queries. However it does miss things like "which groups was this user a member of when they were deleted" though

[Freeipa-users] DNS discovery / locations

2020-01-09 Thread Angus Clarke via FreeIPA-users
Hello Not sure if this is more a generic DNS question or not ... We run FreeIPA 4.6.4 on a RHEL7.6 clone, we do not use FreeIPA DNS and we currently do not use DNS discovery. I have read this:

[Freeipa-users] Re: SOC documentation

2019-11-18 Thread Angus Clarke via FreeIPA-users
Not directly answering your question but sharing some knowledge ... Similarly our IPA system falls under certain audit conditions, specifically with regard to user addition/deletion and what group memberships have been amended over some period of time (we base our sudo rules on group

[Freeipa-users] Re: number of topology segments for 3 servers clean setup?

2019-10-29 Thread Angus Clarke via FreeIPA-users
Just some user notes I really like the IPA server topology graph through the web front end, visualising the agreements between servers is really useful. You can add or remove agreements here too, for both domain and CA (for servers that have CA enabled) I've deployed 6 IPA servers equally

[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-29 Thread Angus Clarke via FreeIPA-users
Sorry that's out of my depth I took it that you still had a remaining replica, in which case you should be able to follow the path I mentioned earlier. If so, you just need to understand the CA situation. I build all my IPA servers in the way I mentioned and specify --setup-ca on all of them.

[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-25 Thread Angus Clarke via FreeIPA-users
Hi An alternative approach would be to setup your new server as an IPA client and then to promote it. On new server: # ipa-client-install Followed by # ipa-replica-install Check the man pages for options suitable to your environment, otherwise I specify --setup-ca for all our new IPA

[Freeipa-users] Re: FreeIPA new network with DNS

2019-10-17 Thread Angus Clarke via FreeIPA-users
My guess is that you have the domain "intra.example.com" listed in the "search" order found in /etc/resolv.conf on server ipa1 but not on server mahavishnu. Regards Angus From: Jason Dunham via FreeIPA-users Sent: Thursday, 17 October 2019, 20:31 To:

[Freeipa-users] Remove stale server entry from LDAP

2019-10-04 Thread Angus Clarke via FreeIPA-users
Hi all After decommissioning 2 IPA servers some time back (reduced from 8 to 6) I recently noticed that one of the decommissioned servers still appears when issuing commands like "ipa server-find." It only appears on 2 of the existing servers, not the other 4. "ipa server-del" and

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-26 Thread Angus Clarke via FreeIPA-users
Hmm, yes I see the problem, when a previously registered node reboots, all the local configuration is lost however it still has entries in IPA server. I've not tried running ipa-client-install on such a node but it sounds like you have and the --force option is achieving what you desire.

[Freeipa-users] Re: log dispatching for IPA servers

2019-09-24 Thread Angus Clarke via FreeIPA-users
Hi If you just want an audit trail of the FreeIPA server(s) API, then apache's ErrorLog directive catches all that. Regards Angus From: Fraser Tweedale via FreeIPA-users Sent: 24 September 2019 11:08 To: Nazan CENGİZ ; freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-23 Thread Angus Clarke via FreeIPA-users
Hi Perhaps some boot script to run the ipa-client-install command when a new instance boots up? I'm not sure how the system would behave if you run the ipa-client-install command multiple times, should the same machine name boots more than once. For HBAC rules you can use "auto-member" to

[Freeipa-users] Re: remove bad replica from list not working

2019-09-20 Thread Angus Clarke via FreeIPA-users
Hi A bit late I realise but I noticed ... https://www.freeipa.org/page/Domain_Levels (# ipa domainlevel-get) IPA 4.5 is likely domain level 1. According to the ipa-replica-del man page: <-- snip To manage IPA replication agreements in a domain at domain level 1, use IPA CLI or Web UI, see `ipa

[Freeipa-users] Re: ipausers unable to sudo

2019-09-09 Thread Angus Clarke via FreeIPA-users
Hi Albert I use sss_cache to drop a client's cache when testing some change I've applied. sss_cache -E to drop all cache. Take a look at the man page for other options. Regards Angus From: Albert Szostkiewicz via FreeIPA-users Sent: Monday,

[Freeipa-users] Re: kadmin service fails to start

2019-09-03 Thread Angus Clarke via FreeIPA-users
Hi Mike It's prolly too late but you could have tried this as root to identify which process had port 749 open: netstat -pan | grep LISTEN | grep 749 Regards Angus From: Mike Conner via FreeIPA-users Sent: Wednesday, September 4, 2019 5:35:57 AM To:

[Freeipa-users] Re: Disabled user accounts

2019-08-22 Thread Angus Clarke via FreeIPA-users
counts via the web interface. Regards Angus From: Alexander Bokovoy Sent: 22 August 2019 10:04 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Disabled user accounts On to, 22 elo 2019, Angus Clarke via FreeIPA-users wrote: >Hi all > >Just

[Freeipa-users] Disabled user accounts

2019-08-22 Thread Angus Clarke via FreeIPA-users
Hi all Just an observation really, some of our users complained that their IdM login names did not match other systems' - we saw IdM as the easiest place to fix this (as opposed to modifying local accounts on hundreds of non-IdM enabled *nix boxes around the estate) Rightly or wrongly, the

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Angus Clarke via FreeIPA-users
I suspect OP is enquiring about ssh keys. You need to tell your SSH client about your SSH private key (keep it safe) and paste the public component of your key pair into the SSH key field in the FreeIPA web admin screen for the user (the field is about a third of the way down the screen on the

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread Angus Clarke via FreeIPA-users
Hello Best practices say to deploy 2 - 3 IPA servers per site (Deployment Recommendations) however I've never really understood why. We run 2 IPA servers in each of our primary DCs and then connect our smaller remote sites to those IPA servers over IPSEC VPNs. For example, IPA clients in a

[Freeipa-users] RSA using FreeIPA as an identity source

2018-11-22 Thread Angus Clarke via FreeIPA-users
Hi all Excuse my ignorance, can anyone give me some pointers on getting RSA Authentication Manager 8 to use FreeIPA 4.5 as an identity source over LDAPS? Many thanks Angus

[Freeipa-users] Re: Changing domain name

2018-08-17 Thread Angus Clarke via FreeIPA-users
You might find some useful tips here: https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html Not sure if they did drop their other scripts into github (as suggested two thirds down) Regards Angus On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <

[Freeipa-users] Re: [BLOG] Replacing a lost or broken CA in FreeIPA

2018-05-31 Thread Angus Clarke via FreeIPA-users
Thanks Fraser! On 31 May 2018 at 09:29, Fraser Tweedale via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > My latest blog post looks at how to clean up and install a *new* CA > within an existing FreeIPA deployment. This handles scenarios were > a CA installation has failed, or

[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-08 Thread Angus Clarke via FreeIPA-users
Main gripe (which doesn't have any plans for resolution) - no facility for read-only replicas in untrusted sites. On 8 May 2018 at 12:04, Angus Clarke wrote: > Hi Duncan > > A few things I've learned: > > Understand how replication agreements work as part of your

[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-08 Thread Angus Clarke via FreeIPA-users
Hi Duncan A few things I've learned: Understand how replication agreements work as part of your planning. Choose a suitable location for the live CA server. Deploy a replica by promoting an sssd client. Unless you have a reason not to, always use --setup-ca to the ipa-replica-install command

[Freeipa-users] ipa-replica-install CA_REJECTED

2018-04-19 Thread Angus Clarke via FreeIPA-users
Hello We've failed to deploy a replica in a remote DC, initially the CA Master (ipa_server1) was in a location that this remote DC could not reach so I moved the CA to a contactable IPA server in another location (ipa_server2.) I still receive CA_REJECTED however and I suspect we may have hit

[Freeipa-users] read only replicants

2018-04-06 Thread Angus Clarke via FreeIPA-users
Hi Is there way to lock down a FreeIPA replica so that it can only receive updates but not make changes to other FreeIPA systems. Some of our environments are considered less secure than others, our security team are concerned that a FreeIPA in a less secure environment might become compromised