[Freeipa-users] Re: sudo rules for local accounts

2021-09-20 Thread Dominik Vogt via FreeIPA-users
On Mon, Sep 20, 2021 at 09:16:20AM -, iulian roman via FreeIPA-users wrote: > Does anybody know if it is possible to have sudo rules in > FreeIPA for local accounts (accounts which are in /etc/passwd) ? If you want to have local sudo rules, just define them normally. If you want to have sudo

[Freeipa-users] Re: Disabling ssh hostkey generation/caching

2021-09-16 Thread Dominik Vogt via FreeIPA-users
On Wed, Sep 15, 2021 at 10:57:55AM -0400, Rob Crittenden via FreeIPA-users wrote: > Dominik Vogt via FreeIPA-users wrote: > > However, host key files in rsa and ecdsa format keep reappearing. > > I'm not exactly sure when this happens. Does it have something to > > do wit

[Freeipa-users] Re: Disabling ssh hostkey generation/caching

2021-09-15 Thread Dominik Vogt via FreeIPA-users
> Dominik Vogt via FreeIPA-users wrote: > > However, host key files in rsa and ecdsa format keep reappearing. > > I'm not exactly sure when this happens. Does it have something to > > do with sssd? > > I believe sshd generates keys on startup if the

[Freeipa-users] Disabling ssh hostkey generation/caching

2021-09-15 Thread Dominik Vogt via FreeIPA-users
I have a problem with ssh host keys being automatically generated(?). Our installation process looks like this: 1) Install IdM server and clients. 2) Generate ssh host keys for all machines in a special way because of a requirement about available entropy that is not 3) Distribute the new

[Freeipa-users] Re: Setting admin password after hash algo change

2021-08-04 Thread Dominik Vogt via FreeIPA-users
On Wed, Aug 04, 2021 at 04:30:56PM -0400, Rob Crittenden via FreeIPA-users wrote: > Dominik Vogt via FreeIPA-users wrote: > > For our setup on RHEL8.1, the password hashing algorithm needs to > > be changed: > > > > 1. Run ipa-server-install with -a and -p opti

[Freeipa-users] Re: Allowing LDAP only via SSL?

2021-08-03 Thread Dominik Vogt via FreeIPA-users
On Tue, Aug 03, 2021 at 09:22:19AM -, Sam Morris via FreeIPA-users wrote: > You can set this option: > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/setting_a_minimum_strength_factor > > But it breaks one or two things that may or may not

[Freeipa-users] Setting admin password after hash algo change

2021-08-03 Thread Dominik Vogt via FreeIPA-users
For our setup on RHEL8.1, the password hashing algorithm needs to be changed: 1. Run ipa-server-install with -a and -p options. 2. Use ldapmodify to change passwordStorageScheme. Now, the "admin" user's password needs to be rehashed with the new algorithm. What is the proper procedure to do

[Freeipa-users] Allowing LDAP only via SSL?

2021-08-03 Thread Dominik Vogt via FreeIPA-users
As far as I understand, the vanilla installation of the freeipa server allows clients to communicate with the LDAP server with or without SSL. We need to configure both, clients to always use SSL, and the server to reject non-SSL communication attempts. Where can I find the relevant
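The server-side half of this, as an added example that is not code from the thread or from the FreeIPA project: the 389-ds minimum security strength factor that Sam Morris' reply points to is set on cn=config, and the root DSE is excluded so clients can still read it to discover STARTTLS before they encrypt. The instance name, host and base DN used in the usage comments are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): make the FreeIPA directory server
# refuse unencrypted LDAP operations by raising nsslapd-minssf, then verify
# that a cleartext simple bind on port 389 is rejected.
# Instance name, host and base DN below are assumptions for the example.

# minssf_ldif SSF
# Print the LDIF that requires SSF >= SSF on every operation while keeping
# the root DSE readable (clients look there for supportedExtension
# before they issue STARTTLS).
minssf_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-minssf
nsslapd-minssf: $1
-
replace: nsslapd-minssf-exclude-rootdse
nsslapd-minssf-exclude-rootdse: on
EOF
}

# apply_minssf INSTANCE SSF
# Apply the change as root over the local LDAPI socket (mapped to
# Directory Manager), e.g.  apply_minssf EXAMPLE-TEST 128
apply_minssf() {
    minssf_ldif "$2" |
        ldapmodify -H "ldapi://%2fvar%2frun%2fslapd-$1.socket" -Y EXTERNAL -Q
}

# cleartext_rejected HOST BASEDN
# Return 0 when an unencrypted simple bind plus search on port 389 fails,
# 1 when the server still answers it (the default, weak behaviour).
# Note: an unreachable host also makes ldapsearch fail, so run this from
# a client that can reach the server and check the error text it prints.
cleartext_rejected() {
    if ldapsearch -x -H "ldap://$1" -b "$2" -s base '(objectClass=*)' dn \
            >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage:
#   apply_minssf EXAMPLE-TEST 128
#   cleartext_rejected ipa.example.test dc=example,dc=test && echo "cleartext refused"
```

Two caveats before doing this on a production server. LDAPI connections get their SSF from nsslapd-localssf (default 71), so a minimum above that also blocks tools that use the socket unless nsslapd-localssf is raised with it, and GSSAPI binds contribute whatever SSF the SASL layer negotiated for them, which depends on the cyrus-sasl build; try the value on a non-production replica first and confirm that ipa commands, replication and sssd logins still work.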

[Freeipa-users] Re: Non-caching ipa-clients

2021-05-18 Thread Dominik Vogt via FreeIPA-users
On Tue, May 18, 2021 at 03:06:39PM +0200, Sumit Bose via FreeIPA-users wrote: > Am Tue, May 18, 2021 at 11:44:57AM +0100 schrieb Dominik Vogt via > FreeIPA-users: > > Using freeipa from RHEL8.1, we need to set up the ipa-clients in a > > way that login is only possible if

[Freeipa-users] Non-caching ipa-clients

2021-05-18 Thread Dominik Vogt via FreeIPA-users
Using freeipa from RHEL8.1, we need to set up the ipa-clients in a way that login is only possible if the ipa-server can be contacted. Local login from the cache must be impossible. Is there a way to achieve this? Ciao Dominik ^_^ ^_^ -- Dominik Vogt
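The setting that governs this on the client is sssd's cache_credentials, which ipa-client-install writes as True into the [domain/...] section of /etc/sssd/sssd.conf; with False, pam_sss cannot fall back to the cached hash and a login fails whenever no IPA server answers. As an added example that is not code from the thread or from the sssd project, the script below audits an sssd.conf for domains that still allow cached logins and prints a corrected copy. The sample configuration it writes is constructed for the example; the domain example.test and its server name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): find and fix sssd domains that allow
# logins from the credential cache. "cache_credentials = True" is what
# ipa-client-install writes; "False" means a login needs a reachable server.
# The sample config below is constructed; domain and host are assumptions.

# sssd_cached_domains FILE
# Print the NAME of every [domain/NAME] section in FILE whose
# cache_credentials is true (case-insensitive).
# Exit 0 if at least one was found, 1 otherwise.
sssd_cached_domains() {
    awk '
        /^[[:space:]]*\[/ {                      # section header
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect)     # drop leading "["
            sub(/[]].*$/, "", sect)              # drop "]" and what follows
            next
        }
        sect ~ /^domain\// && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)  # keep only the value
            sub(/[[:space:]]*$/, "", val)
            if (tolower(val) == "true") { print substr(sect, 8); found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sssd_disable_cache FILE
# Print FILE with cache_credentials forced to False in every domain section.
# Write the result over /etc/sssd/sssd.conf and restart sssd to apply it.
sssd_disable_cache() {
    awk '
        /^[[:space:]]*\[/ {
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect)
            sub(/[]].*$/, "", sect)
        }
        sect ~ /^domain\// && /^[[:space:]]*cache_credentials[[:space:]]*=/ {
            $0 = "cache_credentials = False"
        }
        { print }
    ' "$1"
}

# write_sample_sssd_conf FILE
# Constructed sample in the shape ipa-client-install produces (trimmed).
write_sample_sssd_conf() {
    cat >"$1" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, ipa.example.test
cache_credentials = True
krb5_store_password_if_offline = True

[sssd]
services = nss, pam, ssh, sudo
domains = example.test

[pam]
EOF
}

# Demo on the constructed sample:  ./this-script --demo
if [ "${1-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_sssd_conf "$conf"
    echo "domains allowing cached logins:"
    sssd_cached_domains "$conf"
    sssd_disable_cache "$conf" >"$conf.fixed"
    echo "after fix:"
    sssd_cached_domains "$conf.fixed" || echo "(none)"
    rm -f "$conf" "$conf.fixed"
fi
```

Keep in mind what this buys and costs: with caching off, every IPA account is locked out of the machine for as long as all servers are unreachable, including whoever is supposed to repair the outage, so a local break-glass account or console access should exist. Sudo rules and SSH keys fetched by sssd are cached separately from credentials and are not affected by this setting.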

[Freeipa-users] Re: sudorule not working for external user

2021-05-14 Thread Dominik Vogt via FreeIPA-users
On Thu, May 13, 2021 at 01:52:18PM -, Sam Morris via FreeIPA-users wrote: > What does 'sudo -l -U ext' say? # sudo -l -U ext User ext is not allowed to run sudo on (Restarting sssd does not help.) If I define a rule for that user with visudo, that works fine and is shown in the output

[Freeipa-users] sudorule not working for external user

2021-05-12 Thread Dominik Vogt via FreeIPA-users
Using freeipa from RHEL8.1, I try to create sudo rules (from the GUI). * "foo" and "bar" are ipa users * "ext" is a local user present on all machines The rule allowing user "foo" to run "/bin/bash" on any host as user "bar" works fine, i.e. I can log in as "foo" and run # su - foo $

[Freeipa-users] Help with access scenario

2021-05-07 Thread Dominik Vogt via FreeIPA-users
Hi Folks, I need some hints on the following scenario: * We have a cluster of ipa clients and an ipa server. * There is an _ipa_ user with the name "BIGBOSS". * There is also a machine EXT that may be connected to the cluster for maintenance purposes, but it is not an ipa client. Some

[Freeipa-users] Re: Disabling "kinit admin" on all machines

2021-04-28 Thread Dominik Vogt via FreeIPA-users
On Wed, Apr 28, 2021 at 02:57:08PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote: > > So there is no way to prevent that someone issues administrative > > ipa command from any host, except by keeping the password secr

[Freeipa-users] Re: Disabling "kinit admin" on all machines

2021-04-28 Thread Dominik Vogt via FreeIPA-users
On Wed, Apr 28, 2021 at 01:10:08PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote: > > What is the correct way to disable "kinit admin" on all ipa > > clients? In our setup, becoming admin should only possi

[Freeipa-users] Re: Disabling dynamic DNS updates completely

2021-04-28 Thread Dominik Vogt via FreeIPA-users
On Wed, Apr 28, 2021 at 01:18:20PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote: > > On Wed, Apr 28, 2021 at 12:59:36PM +0300, Alexander Bokovoy via > > FreeIPA-users wrote: > > > Dynamic DN

[Freeipa-users] Re: Disabling dynamic DNS updates completely

2021-04-28 Thread Dominik Vogt via FreeIPA-users
On Wed, Apr 28, 2021 at 12:59:36PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 28 huhti 2021, Dominik Vogt via FreeIPA-users wrote: > > We install a freeipa-server with a constant set of clients that > > never changes, and install the DNS server with ipa-server-insta

[Freeipa-users] Disabling "kinit admin" on all machines

2021-04-28 Thread Dominik Vogt via FreeIPA-users
What is the correct way to disable "kinit admin" on all ipa clients? In our setup, becoming admin should only be possible on the ipa server. (Everything is done by scripts run through ssh; nobody ever logs in to the server directly.) Ciao Dominik ^_^ ^_^ -- Dominik Vogt

[Freeipa-users] Disabling dynamic DNS updates completely

2021-04-28 Thread Dominik Vogt via FreeIPA-users
We install a freeipa-server with a constant set of clients that never changes, and install the DNS server with ipa-server-install. Dynamic DNS updates are automatically enabled. I'm not sure what the best way is to get rid of the dynamic update capabilities completely. During installation

[Freeipa-users] ipa-server-install w/o password on command line?

2021-03-25 Thread Dominik Vogt via FreeIPA-users
We want to generate the initial passwords at random. Is there a non-interactive method of telling ipa-server-install the passwords (-a and -p options) that does not require putting them on the command line? An environment variable would be fine, but passwords must not be visible in the process

[Freeipa-users] Speeding up installation?

2021-03-08 Thread Dominik Vogt via FreeIPA-users
Installing the ipa-server on our VMs takes about 13 to 14 minutes. We have to do this often during development. Stupid question: Is there a way to speed this up substantially? More memory, more CPUs or whatever? Ciao Dominik ^_^ ^_^ -- Dominik Vogt

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 22, 2021 at 05:11:43PM -, Russ Long via FreeIPA-users wrote: > OK, OK, I had a bad title, but as I mentioned in my original > message, I've also tried creating a sudo rule that allows all > commands to be run as > > "USER". Anyways, I'm now on to trying to figure out how to make >

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 22, 2021 at 03:33:50PM -, Russ Long via FreeIPA-users wrote: > I'm trying to come up with a Sudo rule that will allow a user to > "su" to only a single specified user. I need to give a DBA access > to the oracle user account. > > This serverfault article details exactly what I want

[Freeipa-users] mkhomedir recommendation?

2021-01-19 Thread Dominik Vogt via FreeIPA-users
ipa-client-install has the --mkhomedir option based on pam_mkhomedir. RHEL8 seems to prefer oddjob-mkhomedir instead. What's the recommended method for RHEL8.x please? Ciao Dominik ^_^ ^_^ -- Dominik Vogt ___ FreeIPA-users mailing list --

[Freeipa-users] ansible-freeipa in RHEL8.1

2021-01-12 Thread Dominik Vogt via FreeIPA-users
For the moment we're stuck with RHEL8.1. The ansible-freeipa package there (0.1.6-4) does not seem to include the "ipaconf" and "iparole" modules (maybe others). Are they missing, in a different package or do we need to upgrade to a newer RHEL version? Ciao Dominik ^_^ ^_^ -- Dominik Vogt

[Freeipa-users] Re: Running ipa commands through Ansible

2021-01-08 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 08, 2021 at 04:04:16PM +0100, Thomas Woerner via FreeIPA-users wrote: > > > I'd second the suggestion to use ansible-freeipa's ipaconfig module. > > > > Okay, I'll take a look at that. Sounds much better than the > > modules coming with Ansible. Is it considered to be a part of > >

[Freeipa-users] Re: Running ipa commands through Ansible

2021-01-08 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 08, 2021 at 11:31:28AM -0300, Rafael Jeffman wrote: > On Fri, Jan 8, 2021 at 11:03 AM Dominik Vogt via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > We have to set up the ipa-server with Ansible scripts, but there > > isn't a module f

[Freeipa-users] Re: Running ipa commands through Ansible

2021-01-08 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 08, 2021 at 03:17:39PM +0100, Ulrich-Lorenz Schlüter via FreeIPA-users wrote: > > > On 1/8/21 3:02 PM, Dominik Vogt via FreeIPA-users wrote: > > > > > > > > - name: ... > > > > shell: ipa config-mod --ipaselinuxusermaporder="

[Freeipa-users] Re: Running ipa commands through Ansible

2021-01-08 Thread Dominik Vogt via FreeIPA-users
On Fri, Jan 08, 2021 at 03:09:14PM +0100, Thomas Woerner via FreeIPA-users wrote: > > On 1/8/21 3:02 PM, Dominik Vogt via FreeIPA-users wrote: > > We have to set up the ipa-server with Ansible scripts, but there > > isn't a module for everything. For example,

[Freeipa-users] Running ipa commands through Ansible

2021-01-08 Thread Dominik Vogt via FreeIPA-users
We have to set up the ipa-server with Ansible scripts, but there isn't a module for everything. For example, this command needs to be executed. - name: ... shell: ipa config-mod --ipaselinuxusermaporder="..." However, that doesn't work (using either the "root" or ipa "admin" accounts)

[Freeipa-users] Re: ipa commands have 30 second delay

2021-01-06 Thread Dominik Vogt via FreeIPA-users
On Wed, Jan 06, 2021 at 11:52:51AM -0500, Rob Crittenden via FreeIPA-users wrote: > Dominik Vogt via FreeIPA-users wrote: > > We've set up an ipa-server without DNS, using an /etc/hosts file, > > as was suggested in an older thread: > > > > > > https://w

[Freeipa-users] ipa commands have 30 second delay

2021-01-04 Thread Dominik Vogt via FreeIPA-users
We've set up an ipa-server without DNS, using an /etc/hosts file, as was suggested in an older thread: https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg10991.html There's no DNS at all available, and /etc/nsswitch contains the defaults ("hosts: files dns myhostname", but

[Freeipa-users] Re: Help with DNS setup?

2020-12-31 Thread Dominik Vogt via FreeIPA-users
On Thu, Dec 31, 2020 at 07:43:48AM +, Angus Clarke via FreeIPA-users wrote: > Forward and reverse lookups use the resolver library which is configured > through /etc/nsswitch.conf > As long as files is listed before dns then you should be good: > > $ grep ^hosts: /etc/nsswitch.conf > hosts:

[Freeipa-users] Re: Help with DNS setup?

2020-12-30 Thread Dominik Vogt via FreeIPA-users
On Wed, Dec 30, 2020 at 04:20:53PM +0100, François Cami wrote: > On Wed, Dec 30, 2020 at 2:55 PM Dominik Vogt via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > we need to install ipa-server on a box running RHEL8, say > > server.foo.bar.baz, 192.168.123

[Freeipa-users] Help with DNS setup?

2020-12-30 Thread Dominik Vogt via FreeIPA-users
Hi folks, we need to install ipa-server on a box running RHEL8, say server.foo.bar.baz, 192.168.123.45. ipa-server-install needs working name resolution for that host, and as there is no other machine installed yet, this server must run named to provide it. Is there some working sample

[Freeipa-users] LDAP documentation

2020-10-23 Thread Dominik Vogt via FreeIPA-users
Hi Folks, whats the authoritative place to look for documentation of the ipa-server's LDAP database please? (The structure of the database.) Ciao Dominik ^_^ ^_^ -- Dominik Vogt

[Freeipa-users] LDAP login using the poco library

2020-10-23 Thread Dominik Vogt via FreeIPA-users
Background: On an ipa-client, our customer wants to implement login to a custom made service using the poco c++ library. There's something about ldap authenticators on this page: pocoproject.org/pro/docs/00400-OSPAuth.html The customer already had this implemented with a non-ipa LDAP setup,

[Freeipa-users] Re: Get list of IPA users

2020-10-06 Thread Dominik Vogt via FreeIPA-users
On Tue, Oct 06, 2020 at 01:59:52PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 06.10.20 13:57, Dominik Vogt via FreeIPA-users wrote: > > To get a list of Ipa users one can type something like > > > >$ ipa user-find | grep "User login:" | sed -e "/

[Freeipa-users] Get list of IPA users

2020-10-06 Thread Dominik Vogt via FreeIPA-users
To get a list of Ipa users one can type something like $ ipa user-find | grep "User login:" | sed -e "s/.* //" This works on any ipa client, but can take a couple of seconds. This is a bit clumsy when scripting because scripts are slow to respond. Is there a quicker way to get that list? Ciao

[Freeipa-users] Re: Login "System error"

2020-10-05 Thread Dominik Vogt via FreeIPA-users
On Mon, Oct 05, 2020 at 11:46:34AM +0100, Dominik Vogt wrote: > Somehow I've managed to damage the ipa server configuration so > that ipa users cannot login anymore. Local users work fine. > Using the console on the ipa server: > > Login: ... > Password: ... > > System error > > Messages

[Freeipa-users] Login "System error"

2020-10-05 Thread Dominik Vogt via FreeIPA-users
Somehow I've managed to damage the ipa server configuration so that ipa users cannot login anymore. Local users work fine. Using the console on the ipa server: Login: ... Password: ... System error Messages in /var/log/secure say: -- ... login[25478]: pam_sss(login:auth):

[Freeipa-users] Re: Suppressing config-mod error

2020-09-21 Thread Dominik Vogt via FreeIPA-users
On Mon, Sep 21, 2020 at 11:30:19AM -0400, Rob Crittenden via FreeIPA-users wrote: > Dominik Vogt via FreeIPA-users wrote: > > On Mon, Sep 21, 2020 at 09:46:07AM -0400, Rob Crittenden via FreeIPA-users > > wrote: > >> What's the problem? Can you provide som

[Freeipa-users] Re: Suppressing config-mod error

2020-09-21 Thread Dominik Vogt via FreeIPA-users
On Mon, Sep 21, 2020 at 09:46:07AM -0400, Rob Crittenden via FreeIPA-users wrote: > Dominik Vogt via FreeIPA-users wrote: > > The config-mod commands generates an error if it does not change > > anything: > > > > $ ipa config-mod --ipaselinuxusermap="."

[Freeipa-users] Suppressing config-mod error

2020-09-21 Thread Dominik Vogt via FreeIPA-users
The config-mod command generates an error if it does not change anything: $ ipa config-mod --ipaselinuxusermap="." ipa: ERROR: no modifications to be performed As for real errors, the return code is 1, so this cannot be used to detect "nothing to be done" errors. This makes it very

[Freeipa-users] Re: Running external cert management on Ipa server?

2020-09-10 Thread Dominik Vogt via FreeIPA-users
On Thu, Sep 10, 2020 at 08:32:39PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On to, 10 syys 2020, Dominik Vogt via FreeIPA-users wrote: > > On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users > > wrote: > > > > a customer wants to

[Freeipa-users] Re: Running external cert management on Ipa server?

2020-09-10 Thread Dominik Vogt via FreeIPA-users
On Thu, Sep 10, 2020 at 11:17:42AM -0400, Rob Crittenden via FreeIPA-users wrote: > > a customer wants to use the Redhat certificate system instead of > > the one built into freeipa. AFAIK both use dogtag under the hood. > > Can you expand on what "instead of" means here? What type of

[Freeipa-users] Running external cert management on Ipa server?

2020-09-10 Thread Dominik Vogt via FreeIPA-users
Hi folks, a customer wants to use the Redhat certificate system instead of the one built into freeipa. AFAIK both use dogtag under the hood. The customer wants to run the certificate system on the same machine as the ipa server, if possible (because otherwise he needs more hardware). Redhat

[Freeipa-users] Re: Docker using PAM on a freeipa host?

2020-07-13 Thread Dominik Vogt via FreeIPA-users
On Fri, Jul 10, 2020 at 05:29:16PM +0200, Sumit Bose via FreeIPA-users wrote: > On Thu, Jul 09, 2020 at 04:56:21PM +0100, Dominik Vogt via FreeIPA-users > wrote: > > We have a freeipa server and some clients. One of the clients > > runs a (minimal) Docker container with some

[Freeipa-users] Docker using PAM on a freeipa host?

2020-07-09 Thread Dominik Vogt via FreeIPA-users
We have a freeipa server and some clients. One of the clients runs a (minimal) Docker container with some custom application. The application does user authorization and authentication using PAM. Is there a good way to make PAM delegate all decisions to the host running the Docker container?

[Freeipa-users] Re: User based access control to services?

2020-07-02 Thread Dominik Vogt via FreeIPA-users
On Mon, Jun 29, 2020 at 02:02:58PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 29 kesä 2020, Dominik Vogt via FreeIPA-users wrote: > > In our setup, a service is running on some server machine, say, > > "sample/servername.domain" and a client for th

[Freeipa-users] User based access control to services?

2020-06-29 Thread Dominik Vogt via FreeIPA-users
In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa? 1. Allow users foo

[Freeipa-users] Setting up a custom service

2020-06-24 Thread Dominik Vogt via FreeIPA-users
For a test setup, we need to create a custom service running on a server and a custom application running on the client. The sample gss client/server from the Kerberos sources is used for demonstration. Setting this up with plain Kerberos is easy: 1. Create the service principal with $

[Freeipa-users] Re: How to set up kerberized web service with access control?

2020-04-16 Thread Dominik Vogt via FreeIPA-users
On Thu, Apr 16, 2020 at 06:38:49PM +0200, Florence Blanc-Renaud wrote: > there is a section in FreeIPA workshop that would guide you through the > required steps: > https://github.com/freeipa/freeipa-workshop/blob/master/5-web-app-authnz.rst Thank you very much for the information and also to