[Freeipa-users] Re: 403 Error

2022-01-28 Thread Christian Reiss via FreeIPA-users
wrote: Christian Reiss via FreeIPA-users wrote: Hey folks, happily using FreeIPA in my personal hobbyist space across 50vms and 8 hosts. It worked like a charm. Ever since a few days ago I am unable to delete hosts, disabling/enabling users for example works, but not deleting hosts. I am using

[Freeipa-users] 403 Error

2022-01-28 Thread Christian Reiss via FreeIPA-users
Hey folks, happily using FreeIPA in my personal hobbyist space across 50vms and 8 hosts. It worked like a charm. Ever since a few days ago I am unable to delete hosts, disabling/enabling users for example works, but not deleting hosts. I am using AlmaLinux 8 with vendor-supplied FreeIPA

[Freeipa-users] FreeIPA and XCP hosts

2022-01-27 Thread Christian Reiss via FreeIPA-users
Hey folks, I am running into a bit of trouble installing the FreeIPA Client on XCP-NG (https://xcp-ng.org/, Fork of XenServer). They are based on CentOS 7. Running "yum install --enablerepo=epel,base freeipa-client" results in this: --> Running transaction check ---> Package

[Freeipa-users] Re: Migration (in place)

2020-04-07 Thread Christian Reiss via FreeIPA-users
Ugh, there is even a document for my *precise* issue. I feel special now. Anyway, your commands helped and everything is workin a-o-kay. Thank you folks soo much! -Chris. On 07/04/2020 14:15, Florence Blanc-Renaud wrote: >> > You can use > $ ipa config-mod --ca-renewal-master=xxx > for the CA

[Freeipa-users] Re: Migration (in place)

2020-04-07 Thread Christian Reiss via FreeIPA-users
Hey, I converted my 3 server setup within a day and without any (visible) hiccup(s). Thank you for that! The only issue is that I do not have any CA or CRL Server anymore. The first Server (no1, updated last) warned me, but I was unable to designate any other to this role. Any pointer on how to

[Freeipa-users] Migration (in place)

2020-04-02 Thread Christian Reiss via FreeIPA-users
Hey folks, Running a 3-node FreeIPA Installation. All is well, but I am now upgrading all VMs, including my three IPA Servers from CentOS 7 to 8. As the Upgrade for CentOS 7 to 8 is a complete reinstall I would need to, one at a time, upgrade an IPA server. The IP and FQDN would remain the same.

[Freeipa-users] Re: No Login on GUI

2019-12-06 Thread Christian Reiss via FreeIPA-users
Hey Angus, thanks for replying. Allow me to reply inline: On 06/12/2019 16:00, Angus Clarke wrote: Have you checked your times are in sync within 5 minutes? Yes. And it's monitored. Have you checked DNS is working for all node entries between all nodes? Yes. And it's monitored. Even PTR

[Freeipa-users] SNI Certificates

2019-08-08 Thread Christian Reiss via FreeIPA-users
Hey folks, Really quick question. If a host, say web01.example.com is online, in IPA et al. but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way? Assumptions: - All commands executed on web01.example.com - /etc/ssl/ipa &

[Freeipa-users] Re: HBAC: Negate?

2019-07-29 Thread Christian Reiss via FreeIPA-users
Hey, auto membership. Perfect. Yes that was what I was looking for. The fixed group does not change, and with that I can do precisely that. Thanks! -Christina ;) On 29/07/2019 17:47, Simo Sorce wrote: > Christina, > the easiest way to handle your situation is to create a new group for > allowed

[Freeipa-users] Re: HBAC: Negate?

2019-07-29 Thread Christian Reiss via FreeIPA-users
Hey, I take it this is not possible and no one does this? -Chris. On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote: > Hey folks, > > We are running a lot of servers, we nearly exhausted and allocated our > /29 ipv6 allocation*. > > Let's say we have 10 really

[Freeipa-users] External CA

2019-07-29 Thread Christian Reiss via FreeIPA-users
Hey folks, Would it be possible to get FreeIPA to sign an arbitrary, non IPA managed CA? Background: Before FreeIPA we enrolled our own CA for internal services and imported the CA into the browsers, which worked like a charm. Now with FreeIPA we would have to import two CAs into the browsers and

[Freeipa-users] HBAC: Negate?

2019-07-26 Thread Christian Reiss via FreeIPA-users
Hey folks, We are running a lot of servers, we nearly exhausted and allocated our /29 ipv6 allocation*. Let's say we have 10 really, really important servers that only a handful of people should be able to access. Everyone else not. So I have a fixed group of known "critical servers" and a

[Freeipa-users] FreeIPA & Puppet

2019-07-22 Thread Christian Reiss via FreeIPA-users
Hey folks, I read it's possible to attach Puppet CA to the FreeIPA CA. The only howtos out there were pretty dated; they either state super old Puppetserver components (puppet server, which was abolished in like 3.x), CentOS5 or even FreeIPA's inability to run more than one CA. For the lack of

[Freeipa-users] Re: Fedora 30 Client

2019-07-02 Thread Christian Reiss via FreeIPA-users
Spot on. In my tests I created a VM in which I also created (by anaconda) my username with a different uid. On live systems this does not pose an issue. So, self-created non-issue. Thanks! :) -Chris. On 01/07/2019 15:56, Charles Hedrick wrote: > It’s hard to guess without seeing your

[Freeipa-users] Fedora 30 Client

2019-06-29 Thread Christian Reiss via FreeIPA-users
Hey folks, after testing servers, replications et al. (all with awesome success) I am getting to test with clients. Everything is working except Fedora 30 (Workstation, not Server). I can do the usual ipa-client-install dance, which will create the kerberos information. I can get a kerberos

[Freeipa-users] Re: Removing half-present Replica

2019-06-26 Thread Christian Reiss via FreeIPA-users
Hey, Thanks! Got the third node up and running; all is fine. Now time to test-drive the setup. :) Thanks all and everyone! :) -Chris. On 25/06/2019 18:55, François Cami wrote: > Hi Chris, > > Apologies for the late reply. [...] > Cheers > François > -- Christian Reiss -

[Freeipa-users] Re: Removing half-present Replica

2019-06-22 Thread Christian Reiss via FreeIPA-users
ian, > > On Sat, Jun 22, 2019 at 12:13 AM Christian Reiss via FreeIPA-users > wrote: >> >> Hey folks, >> >> In my Test-Setup I have the following: >> >> srv1.auth.alpha-labs.net >> srv2.auth.alpha-labs.net >> srv3.auth.alpha-labs.net >

[Freeipa-users] Removing half-present Replica

2019-06-21 Thread Christian Reiss via FreeIPA-users
Hey folks, In my Test-Setup I have the following: srv1.auth.alpha-labs.net srv2.auth.alpha-labs.net srv3.auth.alpha-labs.net srv1 is the freshly installed master. srv2 is a client, promoted to replication via ipa-replica-install. srv3 failed with ipa-replica-install. Now I can't proceed past:

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
in ds for directory service isn’t a complete picture >>> either, you’d probably end up with ipa.company.com >>> <http://ipa.company.com> >>> <http://ipa.company.com> if you wanted to do it ‘right’) >>> >>> For public use, I’d suggest using kdcpr

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
main names for TCP/IP communication, > that is not connected to what you set in IPA. So if you have IPA setup, > you can always make an extra DNS record called kerberos.company.com > <http://kerberos.company.com>, point it to an IP, and then internally > NAT tha

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
> Something else: what is your goal? Is this IPA setup for internal use, > public use, end-users, admin-users, workstations, servers, web applications? > > John > >> On 17 Jun 2019, at 11:49, Christian Reiss via FreeIPA-users >> > <mailto:freeipa-users@lists.fedorahosted.

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
r own password and manage MFA. > For everything else (i.e. SSO, SAML etc.) we often use something else that > talks to IPA, like Keycloak, because the IPA WebUI itself is really not going > to give a user any useful functionality; it’s more of an operator and admin > thing. > >

[Freeipa-users] HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
Hey folks, I just recently began planning the deployment of FreeIPA and have successfully made several test setups. Next step would be to integrate this in our new datacenter; so we are starting there from scratch. I understand HA on the server side. What boggles my head is HA on the *client*