[Freeipa-users] Re: AllowUsers/Groups on ipa clients

2024-05-24 Thread Sam Morris via FreeIPA-users
On 24/05/2024 15:52, Alexander Bokovoy via FreeIPA-users wrote: On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote: On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote: On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which local users are able to SSH into a system

[Freeipa-users] Re: AllowUsers/Groups on ipa clients

2024-05-24 Thread Sam Morris via FreeIPA-users
On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote: On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which local users are able to SSH into a system. On IPA clients I am using HBAC to control the same for IPA users. But what's the best way to control which local users can

[Freeipa-users] AllowUsers/Groups on ipa clients

2024-05-24 Thread Sam Morris via FreeIPA-users
On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which local users are able to SSH into a system. On IPA clients I am using HBAC to control the same for IPA users. But what's the best way to control which local users can SSH in to an IPA client? It looks like I could modify

[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-08 Thread Sam Morris via FreeIPA-users
On 08/05/2024 16:16, Tania Hagan via FreeIPA-users wrote: Turns out this was a DNS issue, thank you for responding. We had our /etc/resolv.conf pointing to local host and adding another ipa server as the top nameserver solved the issue. This begs the question by default installing with the

[Freeipa-users] Re: Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting

2024-04-13 Thread Sam Morris via FreeIPA-users
On Sat, 2024-04-13 at 19:03 +0200, Louis Lagendijk via FreeIPA-users wrote: > > I had the same yesterday, so I rolled back the VMs to before the  > last > update. When I tried again today I had no problems anymore. I guess > due > to the fact that the update installed an updated bind-dyndb-ldap.

[Freeipa-users] Assertion failure in dns_name_fromtext prevents named-pkcs11 from starting

2024-04-13 Thread Sam Morris via FreeIPA-users
I've got two RHEL 8 servers where named-pkcs11 aborts with an assertion failure after upgrading bind to version 32:9.11.36-11.el8_9.1. ``` Apr 13 15:54:50 named-pkcs11[372364]: zone localhost/IN: loaded serial 0 Apr 13 15:54:50 named-pkcs11[372364]: zone localhost.localdomain/IN: loaded

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2024-04-11 Thread Sam Morris via FreeIPA-users
On 21/06/2023 09:02, Sam Morris via FreeIPA-users wrote: On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission

[Freeipa-users] Can CA system certificates be rekeyed?

2024-04-04 Thread Sam Morris via FreeIPA-users
Hi folks I make use of certmonger's key_use_count to ensure that I don't use the same private key more than once when issuing service certificates. I was wondering what would happen if this was set on a FreeIPA server. Having done a bit of reading I think this looks like a Very Bad Idea, but

[Freeipa-users] Re: Revoked certificates not appearing in CRL

2024-03-25 Thread Sam Morris via FreeIPA-users
On 23/03/2024 13:48, Sam Morris via FreeIPA-users wrote: It looks like my CRL renewal master (RHEL 8) is not producing the CRL correctly. This was because it had "ca.certStatusUpdateInterval=0" set in /etc/pki/pki-tomcat/ca/CS.cfg - ouch. I think I got into this state when I deco

[Freeipa-users] Revoked certificates not appearing in CRL

2024-03-23 Thread Sam Morris via FreeIPA-users
It looks like my CRL renewal master (RHEL 8) is not producing the CRL correctly. I've got two certificates that were requested by certmonger running on an ipa client. I'm pretty sure I revoked them as an admin logged into a second ipa client. Status of all replication agreements on all ipa

[Freeipa-users] Re: "Internal server error 'Link'" from ClonesConnectivyAndDataCheck health check on RHEL 8 when talking to RHEL 9 server

2024-03-13 Thread Sam Morris via FreeIPA-users
On 12/03/2024 12:27, Rob Crittenden via FreeIPA-users wrote: I guess the newer version of Dogtag in RHEL 9 doesn't include this "Link" attribute, but pki.cert:CertDataInfoCollection.from_json in RHEL 8 expects it to be present. Thanks for doing the research, this is great! Any chance you can

[Freeipa-users] "Internal server error 'Link'" from ClonesConnectivyAndDataCheck health check on RHEL 8 when talking to RHEL 9 server

2024-03-11 Thread Sam Morris via FreeIPA-users
I tracked down the source of the mysterious "Internal server error 'Link'" message when running this health check. It's caused by having a mixture of both RHEL 8 and RHEL 9 servers. The error message in context: # ipa-healthcheck --source=pki.server.healthcheck.clones.connectivity_and_data

[Freeipa-users] ipa-healthcheck timeout too short for ClonesConnectivyAndDataCheck

2024-03-11 Thread Sam Morris via FreeIPA-users
All three of my IPA servers have this health check failing: [root@ipa3 ~]# ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data --check ClonesConnectivyAndDataCheck --output-type=human Internal server error 'Link' ERROR:

[Freeipa-users] Re: disable OTP authentication on specific hosts

2024-02-28 Thread Sam Morris via FreeIPA-users
On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote: Another approach is possible, where you don't configure the authentication indicator requirement on the host/service objects within the directory; instead, the hosts/services are themselves responsible for examining the authentication

[Freeipa-users] Re: disable OTP authentication on specific hosts

2024-02-28 Thread Sam Morris via FreeIPA-users
On 28/02/2024 11:31, Giuseppe Calò via FreeIPA-users wrote: Hi all, the default user authentication method that we use is only: "Two factor authentication (password + OTP)". Therefore the users can access a host or service (LDAP) by OTP. We are looking for a way to disable OTP on a specific host

[Freeipa-users] Re: FreeIPA users can't run processes within scope units on Fedora 39

2023-11-15 Thread Sam Morris via FreeIPA-users
On Wed, Nov 15, 2023 at 11:11:44AM +0200, Alexander Bokovoy via FreeIPA-users wrote: > On Wed, 15 Nov 2023, Sam Morris via FreeIPA-users wrote: > > I've just installed a Fedora 39 system and joined it to my IPA domain. > > > > I've found that when an IPA user connects with S

[Freeipa-users] FreeIPA users can't run processes within scope units on Fedora 39

2023-11-15 Thread Sam Morris via FreeIPA-users
I've just installed a Fedora 39 system and joined it to my IPA domain. I've found that when an IPA user connects with SSH, they can't launch podman rootless containers, nor can they create scope units. Local users are unaffected, hence I thought I'd post here in the hope that someone else can

[Freeipa-users] After rotating a principal's keys, when do the old keys become useless?

2023-11-03 Thread Sam Morris via FreeIPA-users
Hi folks, I want to upload a corefile of a crashed named process that likely has the keys for DNS/$HOSTNAME embedded within it. I've run 'ipa-getkeytab -p DNS/$HOSTNAME -k /etc/named.keytab' to generate new keys for the service & store them in the keytab file. The previous keys are still
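An added example (not from the post above or the FreeIPA project) of the check a practitioner would run after re-keying a service principal as described: parse the `klist -ket` listing of the keytab and report, per principal, which key version numbers (KVNOs) it holds and which entries are below the KVNO the KDC currently uses. The KDC-side KVNO is supplied by the caller rather than fetched, so the code runs offline; the hostnames, realm and the keytab listing are constructed, including the assumption that the listing still carries the previous key version alongside the new one (a real keytab shows whatever `klist -ket` prints).

```python
"""Audit key version numbers in a keytab listing after a key rotation.

Added example, not from the mailing-list post. It parses the text that
MIT Kerberos `klist -ket <keytab>` prints and reports, for each principal,
the KVNOs present and the entries that are older than the KVNO the KDC
currently issues tickets against. No KDC is contacted.
"""
import re
from collections import defaultdict

# Constructed sample of `klist -ket /etc/named.keytab` output (hostnames,
# realm and timestamps are made up). It assumes the keytab still holds the
# previous key version (3) next to the freshly generated one (4).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2023 09:12:41 DNS/ns1.ipa.example.com@IPA.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   3 01/15/2023 09:12:41 DNS/ns1.ipa.example.com@IPA.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   4 11/03/2023 14:02:10 DNS/ns1.ipa.example.com@IPA.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   4 11/03/2023 14:02:10 DNS/ns1.ipa.example.com@IPA.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
"""

# One keytab entry line: KVNO, timestamp, principal, enctype in parentheses.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<princ>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from `klist -ket` output.

    Header and separator lines are skipped; any other line that does not match
    the entry layout raises, so a format change is not silently ignored.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Keytab name:", "KVNO", "----")):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised klist line: {line!r}")
        entries.append((int(m["kvno"]), m["princ"], m["enctype"]))
    return entries


def kvnos_by_principal(entries):
    """Map principal -> sorted list of distinct KVNOs present in the keytab."""
    out = defaultdict(set)
    for kvno, princ, _enctype in entries:
        out[princ].add(kvno)
    return {princ: sorted(versions) for princ, versions in out.items()}


def stale_entries(entries, current_kvno):
    """Entries whose KVNO is below the one the KDC reports for the principal.

    `current_kvno` maps principal -> KVNO obtained out of band (for example
    from the `kvno` command); principals not in the map are not judged.
    """
    return [
        (kvno, princ, enctype)
        for kvno, princ, enctype in entries
        if princ in current_kvno and kvno < current_kvno[princ]
    ]


if __name__ == "__main__":
    ents = parse_klist(SAMPLE_KLIST)
    for princ, versions in kvnos_by_principal(ents).items():
        print(f"{princ}: kvno {versions} (highest {versions[-1]})")
    # Assumed: the KDC currently reports KVNO 4 for the rotated principal.
    for kvno, princ, enctype in stale_entries(
        ents, {"DNS/ns1.ipa.example.com@IPA.EXAMPLE.COM": 4}
    ):
        print(f"stale keytab entry: kvno {kvno} ({enctype}) for {princ}")
```

The parser is strict on purpose: a line it does not recognise is an error rather than a silently skipped entry, so a keytab whose contents are being audited cannot hide an entry behind a locale or format change.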

[Freeipa-users] Re: Apache Tomcat Showing on Security Scan as Outdated.

2023-10-31 Thread Sam Morris via FreeIPA-users
On Mon, 2023-10-30 at 22:35 +, Marcelo Carvalho via FreeIPA-users wrote: > Hi Rob > > Thanks for helping out here.  I was pulled sideways and I am > returning to this issue now.  I am sorry. > > Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request > Smuggling Vulnerability" If

[Freeipa-users] Re: Lost password for CA private key

2023-09-22 Thread Sam Morris via FreeIPA-users
On 21/09/2023 22:05, John Stokes via FreeIPA-users wrote: What is the kracert.p12 used for? I get this error when I try to export: [root@aaa-01 ca]# pki-server subsystem-cert-export kra --pkcs12-file=/root/kracertbackup.p12 ERROR: No kra subsystem in instance pki-tomcat. You've probably not

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 20:30, Rob Crittenden via FreeIPA-users wrote: I ask because my /root/cacert.p12 and /root/kracert.p12 files also aren't encrypted with my directory manager password and I am pretty sure I haven't changed this password since installing any of my current IPA servers. And when I

[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 18:30, Ulf Volmer via FreeIPA-users wrote: On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote: HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule

[Freeipa-users] Re: Lost password for CA private key

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 15:38, Rob Crittenden via FreeIPA-users wrote: John Stokes via FreeIPA-users wrote: Today while creating a backup I realized I don't know the >> password for the file /root/cacert.p12 where the private key >> of the CA should be stored. The one I thought it should be >> (same as

[Freeipa-users] Re: RedHat and 2FA Problem

2023-09-21 Thread Sam Morris via FreeIPA-users
On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote: Thanks so much Sumit, your suggestion works perfectly. I'm still curious about the difference in behavior between distributions, but it's not that important. Greetings Probably on RHEL you have pam_sssd in your PAM stack, which is

[Freeipa-users] Re: Kerberos logs / TGS

2023-09-18 Thread Sam Morris via FreeIPA-users
On 18/09/2023 14:19, Ole Froslie via FreeIPA-users wrote: Scenario 2: User : test2 is not a member of testusergroup anymore and should not be granted access to the test server. This also works as expected, when logging in with correct password, test2 is denied service with message "Connection

[Freeipa-users] Re: Constrained delegation for host/service principals broken on RHEL 8 servers?

2023-09-07 Thread Sam Morris via FreeIPA-users
On 07/09/2023 13:35, Alexander Bokovoy via FreeIPA-users wrote: On Thu, 07 Sep 2023, Sam Morris wrote: On Wed, Sep 06, 2023 at 02:50:32PM +0300, Alexander Bokovoy via FreeIPA-users wrote: It would help to see logs (krb5kdc.log) from RHEL8 servers for this communication, both on ipa5/ipa6 and

[Freeipa-users] Re: Constrained delegation for host/service principals broken on RHEL 8 servers?

2023-09-07 Thread Sam Morris via FreeIPA-users
On Wed, Sep 06, 2023 at 02:50:32PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > It would help to see logs (krb5kdc.log) from RHEL8 servers for this > communication, both on ipa5/ipa6 and back to xoanon. I've created a script to test this automatically. [root@xoanon ~]# (set -eu;

[Freeipa-users] Re: Constrained delegation for host/service principals broken on RHEL 8 servers?

2023-09-05 Thread Sam Morris via FreeIPA-users
On Tue, Sep 05, 2023 at 07:22:51PM +0100, Sam Morris via FreeIPA-users wrote: > On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users > wrote: > > Since you are saying it started after May 2023, that might be actually > > the 4.9.11 change. This would aff

[Freeipa-users] Re: Constrained delegation for host/service principals broken on RHEL 8 servers?

2023-09-05 Thread Sam Morris via FreeIPA-users
On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > Since you are saying it started after May 2023, that might be actually > the 4.9.11 change. This would affect services which have no constrained > delegation rules on defined. I guess that explains why, if I

[Freeipa-users] Constrained delegation for host/service principals broken on RHEL 8 servers?

2023-09-05 Thread Sam Morris via FreeIPA-users
On Mon, Sep 04, 2023 at 06:43:02PM +0100, Sam Morris via FreeIPA-users wrote: > I get the same when I run it on ipa3 (also running RHEL 8). I changed 'server' in /etc/ipa/default.conf to point to this server and I see the same errors: Sep 05 14:02:49 ipa3.ipa.example.com krb5kdc[1715](i

[Freeipa-users] Re: certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (C

2023-09-04 Thread Sam Morris via FreeIPA-users
On Mon, Sep 04, 2023 at 04:42:59PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Mon, 04 Sep 2023, Sam Morris via FreeIPA-users wrote: > > I've made some slight progress. I noticed that at the same time, the KDC > > logs these messages: > > > >==> /var/

[Freeipa-users] Re: certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (C

2023-09-04 Thread Sam Morris via FreeIPA-users
On Fri, Sep 01, 2023 at 01:59:00PM -0400, Rob Crittenden via FreeIPA-users wrote: > Sam Morris via FreeIPA-users wrote: > > Hi folks, I've got a machine where certmonger is unable to renew a > > certificate request: > > > > # getcert list -i 20220519165212 >

[Freeipa-users] anonymous kinit (-n) failed with "PKINIT client could not verify DH reply" (solution)

2023-08-31 Thread Sam Morris via FreeIPA-users
I found that 'kinit -n' was prompting me for the password for WELLKNOWN/anonym...@ipa.example.com. This happened on several, but not all clients. After setting the environment variable KRB5_TRACE=/dev/stderr, the useful parts of the output of 'kinit -n' were: [826240] 1693432177.150062:

[Freeipa-users] certmonger not able to renew a certificate: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cred

2023-08-23 Thread Sam Morris via FreeIPA-users
Hi folks, I've got a machine where certmonger is unable to renew a certificate request: # getcert list -i 20220519165212 Number of certificates and requests being tracked: 2. Request ID '20220519165212': status: MONITORING ca-error: Server at

[Freeipa-users] Re: sudo and hostnames

2023-06-29 Thread Sam Morris via FreeIPA-users
On 29/06/2023 07:31, Ronald Wimmer via FreeIPA-users wrote: Is a correct hostname (FQDN) required for sudo rules to work properly? I do have a host where the hostname is set to its shortname. My user is allowed to perform sudo on this host (as it is a member of the admin group which is

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-26 Thread Sam Morris via FreeIPA-users
On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote: Sam Morris via FreeIPA-users wrote: On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20

[Freeipa-users] Re: Replication of account lock state

2023-06-23 Thread Sam Morris via FreeIPA-users
On 23/06/2023 01:50, Djerk Geurts via FreeIPA-users wrote: What are the available options? Right now having to log into multiple IPA servers to find lockouts is a real pita I don't believe you can see this from the web console, but you can use the 'ipa user-status' command which will show you

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-21 Thread Sam Morris via FreeIPA-users
On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission attempt complete. 2023-06-20 08:24:49 [622035] Child

[Freeipa-users] "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-20 Thread Sam Morris via FreeIPA-users
I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20 08:24:49 [622035] Certificate submission attempt complete. 2023-06-20 08:24:49 [622035] Child status = 2. 2023-06-20 08:24:49 [622035] Child output:

[Freeipa-users] Re: Eliminating Basic Auth Prompt When Accessing FreeIPA Direct

2023-05-18 Thread Sam Morris via FreeIPA-users
On 17/05/2023 18:59, Jeff Hochberg via FreeIPA-users wrote: Hello! Having only used it once...it's fair to say I'm a relatively new FreeIPA user. I'm seeing undesirable behavior that I am unsure of how to disable. Any time I use a browser to connect to the FreeIPA server, I see a Basic Auth

[Freeipa-users] Re: can't kinit after upgrade to redhat 9.2

2023-05-15 Thread Sam Morris via FreeIPA-users
On 15/05/2023 19:00, Charles Hedrick via FreeIPA-users wrote: I just upgraded from redhat 9.0 to 9.2 on a set of kerberos servers, fortunately a test system. I can't kinit as existing users. If I add a user I can kinit as them. Changing the password doesn't help. krb5kdc says May 15 13:58:30

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-15 Thread Sam Morris via FreeIPA-users
On Mon, May 15, 2023 at 09:28:22AM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Sun, 14 May 2023, Sam Morris wrote: > > On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users > > wrote: > > > I wonder about the root cause; is this because

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-14 Thread Sam Morris via FreeIPA-users
On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users wrote: > I wonder about the root cause; is this because MIT Kerberos 1.20 always > wants to include a PAC in its issued TGTs, and it gives up if it can't > retrieve a user's SID from the directory? (If so I wonder i

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-12 Thread Sam Morris via FreeIPA-users
On Fri, May 12, 2023 at 03:45:55PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > Correct, run the task, it will produce some output in the dirsrv errorlog. Ok: I tried to run this on the problematic server, but it seems that this problem also stops the ipa command working there (I

[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

2023-05-12 Thread Sam Morris via FreeIPA-users
On Fri, May 12, 2023 at 02:32:48PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > Please check whether this user had SID from IPA domain. There might also be > a problem allocating SIDs, due to incorrect or missing ID range for this > user's POSIX ID. In that case there could be sidgen

[Freeipa-users] Authentication failures on a RHEL 9.2 IPA server

2023-05-12 Thread Sam Morris via FreeIPA-users
Hi folks. This morning I found that one of my IPA servers no longer wants to authenticate any users (specifically, it doesn't want to issue any TGTs to users). It's a fully updated RHEL 9 server; I am sure this has only been a problem since upgrading to RHEL 9.2 (see my remarks about krb5kdc.log

[Freeipa-users] Re: BrowserMatch MSIE

2023-04-26 Thread Sam Morris via FreeIPA-users
On 26/04/2023 13:06, Finn Fysj via FreeIPA-users wrote: I see that /etc/httpd/conf.d/ssl.conf for my IPA instances includes the following lines: > [...] BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 Would it be a good

[Freeipa-users] Re: ACIs for replication status monitoring

2023-04-25 Thread Sam Morris via FreeIPA-users
On Mon, Apr 24, 2023 at 03:54:30PM -0400, Rob Crittenden via FreeIPA-users wrote: > Sam Morris wrote: > > On Mon, Apr 24, 2023 at 12:07:16PM -0400, Rob Crittenden via FreeIPA-users > > wrote: > >>> However, this attribute can be read from the second search! Although > >>> it's not included in

[Freeipa-users] Re: ACIs for replication status monitoring

2023-04-24 Thread Sam Morris via FreeIPA-users
On Mon, Apr 24, 2023 at 12:07:16PM -0400, Rob Crittenden via FreeIPA-users wrote: > > However, this attribute can be read from the second search! Although > > it's not included in the results when 'ALL' attributes are requested, > > explicitly adding it to the search query works fine: > > The

[Freeipa-users] ACIs for replication status monitoring

2023-04-24 Thread Sam Morris via FreeIPA-users
I've created a system account for replication status monitoring: uid=repl-mon,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com ... and I've added it to the permissions: "cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example,dc=com" permission. While this allows the account to
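An added example (not from the post above or the FreeIPA project) of what a monitor running as a system account like the `repl-mon` one described would do with the replication-agreement attributes once it can read them. It does no LDAP I/O: the agreement entries are constructed below in the shape a client library returns search results, so the code runs offline. Assumed are the 389-ds attribute names `nsds5replicaHost`, `nsds5replicaLastUpdateStatus` and `nsds5replicaLastUpdateEnd`, the `Error (N) message` status layout, the constructed `ipa.example.com` hostnames, and the one-hour staleness threshold; the `Error (49) Replication bind with GSSAPI auth failed` sample status is the same message that appears in a thread title higher up this page.

```python
"""Interpret replication-agreement status attributes for monitoring.

Added example, not from the mailing-list post. Given agreement entries
(as a monitoring account with the "Read Replication Agreements"
permission would read them), classify each agreement as healthy or not.
"""
import re
from datetime import datetime, timedelta, timezone

# Status attributes are not returned by a search that asks for "*" (ALL);
# a monitor names them explicitly. This is the attribute list it would pass.
REPL_ATTRS = [
    "nsds5replicaHost",
    "nsds5replicaLastUpdateStatus",
    "nsds5replicaLastUpdateEnd",
    "nsds5replicaUpdateInProgress",
]

# Assumed 389-ds layout of nsds5replicaLastUpdateStatus: "Error (N) text".
STATUS_RE = re.compile(r"^Error \((?P<code>-?\d+)\)\s*(?P<text>.*)$")


def parse_update_status(status):
    """Split 'Error (N) message' into (N, message).

    An unrecognised layout maps to code None so it is reported as a problem
    rather than mistaken for a healthy agreement.
    """
    m = STATUS_RE.match(status.strip())
    if m is None:
        return None, status.strip()
    return int(m["code"]), m["text"].strip()


def parse_generalized_time(value):
    """Timestamps are LDAP GeneralizedTime in UTC, e.g. 20230424120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_agreement(entry, now, max_age=timedelta(hours=1)):
    """Return a list of problem strings for one agreement (empty == healthy)."""
    problems = []
    host = entry.get("nsds5replicaHost", ["?"])[0]
    code, text = parse_update_status(entry.get("nsds5replicaLastUpdateStatus", [""])[0])
    if code != 0:
        problems.append(f"{host}: last update failed (code {code}): {text}")
    end = entry.get("nsds5replicaLastUpdateEnd", ["0"])[0]
    if end == "0":  # 389-ds reports 0 when no update has completed yet
        problems.append(f"{host}: no update has completed yet")
    elif now - parse_generalized_time(end) > max_age:
        problems.append(f"{host}: last update finished more than {max_age} ago")
    return problems


# Constructed sample: two agreements as a search under the replica entry
# would return them when REPL_ATTRS is requested explicitly.
NOW = datetime(2023, 4, 24, 12, 30, tzinfo=timezone.utc)
SAMPLE_AGREEMENTS = [
    {
        "nsds5replicaHost": ["ipa2.ipa.example.com"],
        "nsds5replicaLastUpdateStatus": [
            "Error (0) Replica acquired successfully: Incremental update succeeded"
        ],
        "nsds5replicaLastUpdateEnd": ["20230424122500Z"],
    },
    {
        "nsds5replicaHost": ["ipa3.ipa.example.com"],
        "nsds5replicaLastUpdateStatus": [
            "Error (49) Replication bind with GSSAPI auth failed: "
            "LDAP error 49 (Invalid credentials) ()"
        ],
        "nsds5replicaLastUpdateEnd": ["20230424090000Z"],
    },
]


def run_checks(agreements, now=NOW):
    """Flatten the problems found across all agreements."""
    return [p for a in agreements for p in check_agreement(a, now)]


if __name__ == "__main__":
    for problem in run_checks(SAMPLE_AGREEMENTS):
        print(problem)
```

The stale-timestamp check is kept separate from the status-code check because an agreement can report a successful last update and still have stopped updating; alerting on either condition catches both a broken bind and a silently idle agreement.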

[Freeipa-users] Re: Proper way to update options on existing certificate

2023-04-16 Thread Sam Morris via FreeIPA-users
On Fri, 2023-04-14 at 17:54 +, Shawn Asmussen via FreeIPA-users wrote: > Our organization has a large number of existing certificates that we > want to make modifications to the options for. Specifically, we have > certificates used by a couple of different services, that we want to > add in a

[Freeipa-users] Re: 2FA only for certain hosts/host groups

2023-03-29 Thread Sam Morris via FreeIPA-users
On 29/03/2023 21:48, Ronald Wimmer via FreeIPA-users wrote: On 29.03.23 22:30, Ronald Wimmer via FreeIPA-users wrote: Is it possible to enforce the second factor for a user only when trying to login to specific hosts/host groups? List here says yes...

[Freeipa-users] Re: Essential ports between IPA servers and clients

2023-01-10 Thread Sam Morris via FreeIPA-users
On 10/01/2023 12:08, Ronald Wimmer via FreeIPA-users wrote: Which Ports have to be open (on which side) in order to enable basic IPA functionality between IPA servers and clients.

[Freeipa-users] Re: DNS Global Forwarder

2023-01-06 Thread Sam Morris via FreeIPA-users
On 06/01/2023 16:08, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: Now that I have replicas on another premise, I can’t seem to set a Global Forwarder individually on the replicas. So if I have a 192.168.1.1 on my premise A, it gets copied to premise B, which won’t be reachable on

[Freeipa-users] Re: Named failing the whole time

2022-12-13 Thread Sam Morris via FreeIPA-users
On 13/12/2022 08:49, Francis Augusto Medeiros-Logeay wrote: On 12 Dec 2022, at 10:33, Sam Morris via FreeIPA-users wrote: On 11/12/2022 12:22, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: I know this mail has very few info - will add them later - but are there common causes

[Freeipa-users] Re: Named failing the whole time

2022-12-12 Thread Sam Morris via FreeIPA-users
On 11/12/2022 12:22, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: I know this mail has very few info - will add them later - but are there common causes for named to crash randomly? My FreeIPA replica has been so unstable. actually, named crashes. Any hints on where to look? Once

[Freeipa-users] Re: failed to add IPA Replica(Centos 8) on existing IPA cluster (Centos 7) with CA role enabled.

2022-11-25 Thread Sam Morris via FreeIPA-users
On 25/11/2022 14:14, dushyant k via FreeIPA-users wrote: I am trying to add new replica Centos 8 IPA v.4.7 to my existing centos 7 IPA cluster which has IPA version 4.6 CentOS 8 has been EOL for some time now. Try with CentOS Stream 8 (or better, CentOS Stream 9?) instead. I am able to

[Freeipa-users] Re: /var/log volume filling up due to growing logs of signedaudit

2022-11-24 Thread Sam Morris via FreeIPA-users
On 24/11/2022 09:38, Sam Morris via FreeIPA-users wrote: acme/debug.*.log ca/debug.*.log kra/debug.*.log Rotated daily, have never been cleaned up. --- https://github.com/dogtagpki/pki/issues/3731 filed but no one has taken a look at it yet... https://www.dogtagpki.org/wiki

[Freeipa-users] Re: /var/log volume filling up due to growing logs of signedaudit

2022-11-24 Thread Sam Morris via FreeIPA-users
On 23/11/2022 19:12, Sam Morris via FreeIPA-users wrote: I've been meaning to raise bugs regarding the rotation of PKI log files on this list for some time but never got around to it. On a reasonably old server there are always lots of very old log files in /var/log/pki/pki-tomcat. On the server

[Freeipa-users] Re: /var/log volume filling up due to growing logs of signedaudit

2022-11-23 Thread Sam Morris via FreeIPA-users
On 23/11/2022 16:49, Rob Crittenden via FreeIPA-users wrote: > He also told me that this is disabled by default so someone must have > turned it on or for some reason their generating a ton of audit events. > Something else to look into perhaps. FYI I've never turned these on and on my oldest IPA

[Freeipa-users] Re: New ipaclient releases for PyPI?

2022-11-22 Thread Sam Morris via FreeIPA-users
On 22/11/2022 09:28, Alexander Bokovoy wrote: On Tue, 22 Nov 2022, Sam Morris via FreeIPA-users wrote: ipaclient on PyPI is a bit outdated (4.8.9). Are there any plans to start uploading it again? We are planning new releases for 4.9/4.10 series soon. I'll make sure we'd upload updates too

[Freeipa-users] New ipaclient releases for PyPI?

2022-11-22 Thread Sam Morris via FreeIPA-users
ipaclient on PyPI is a bit outdated (4.8.9). Are there any plans to start uploading it again? Cheers, -- Sam Morris PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

[Freeipa-users] Re: Prometheus exporter ldap search monitoring FreeIPA servers

2022-11-21 Thread Sam Morris via FreeIPA-users
On 21/11/2022 17:10, Tania Hagan via FreeIPA-users wrote: I have a prometheus server and I am trying to setup an alert to test if an ldap search succeeds. Searching there seems to be a few exporters (389ds exporter, openldap exporter ) but all rather old and I'm struggling to get any useful

[Freeipa-users] Re: ipa-healthcheck errors

2022-11-20 Thread Sam Morris via FreeIPA-users
On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote: > Hi all, > > I managed to get rid of another error but I still have plenty errors > left. > > Any help would be appreciated. > > ipa-healthcheck errors remaining: > > ipa-healthcheck   > args=({'msgtype': 101, 'msgid': 3,

[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-18 Thread Sam Morris via FreeIPA-users
On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote: Rob Crittenden wrote: Microsoft addressed a number of CVEs last week which introduced some authentication issues. After installation of these patches, user authentication on Linux systems integrated in Active Directory no longer works

[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-15 Thread Sam Morris via FreeIPA-users
On 14/11/2022 15:19, Rob Crittenden via FreeIPA-users wrote: Microsoft addressed a number of CVEs last week which introduced some authentication issues. After installation of these patches, user authentication on Linux systems integrated in Active Directory no longer works and new systems are

[Freeipa-users] /etc/ipa/nssdb label

2022-11-11 Thread Sam Morris via FreeIPA-users
Hi folks I've got a container image into which I bind mount /etc/ipa so that freeipa-client works. I noticed[0] that /etc/ipa/nssdb is not accessible inside the container, because it is labelled with cert_t. SELinux policy prevents container_t from reading files labelled with cert_t. As I

[Freeipa-users] Re: Rocky Linux 9 missing groups or modules: idm:DL1

2022-11-04 Thread Sam Morris via FreeIPA-users
On 04/11/2022 02:45, Rob Crittenden via FreeIPA-users wrote: RHEL-9 and derivatives no longer use modules. You can install the packages directly. rob A trivial question but I always wondered about the naming of the module stream in RHEL 8. did "DL1" refer to "domain level 1"? Thanks :) --

[Freeipa-users] Re: debian and derivatives as ipa clients?

2022-11-02 Thread Sam Morris via FreeIPA-users
On 02/11/2022 16:31, Mathias Homann via FreeIPA-users wrote: On Wednesday, 2 November 2022, 17:07:33 CET, Sam Morris via FreeIPA-users wrote: On 02/11/2022 06:10, Mathias Homann via FreeIPA-users wrote: Hi, I have a few debian hosts of various flavours (raspbian, OSMC, and actual debian

[Freeipa-users] Re: debian and derivatives as ipa clients?

2022-11-02 Thread Sam Morris via FreeIPA-users
On 02/11/2022 06:10, Mathias Homann via FreeIPA-users wrote: Hi, I have a few debian hosts of various flavours (raspbian, OSMC, and actual debian) that I have to attach to my ipa server (which runs in docker using the last official image), and I'm having trouble finding some of the required

[Freeipa-users] Re: LDAP not starting for IPA-Server

2022-09-30 Thread Sam Morris via FreeIPA-users
On 30/09/2022 15:38, Nick Polites via FreeIPA-users wrote: UPDATE: I have resolved the issue. The problem all stemmed from the $getcert list Having expired certificates. I had to startup IPA using ipactl start --ignore-service-failures and then issue the getcert resubmit -i <> One

[Freeipa-users] Re: Slow ssh authentication due to sysdb_update_members_ex errors

2022-09-28 Thread Sam Morris via FreeIPA-users
On 28/09/2022 10:43, ahmed zakraoui via FreeIPA-users wrote: Hello, I have a cluster of 6 FreeIPA servers in production that are connected to Active Directory cluster via the Active directory trust. The goal is to make users access linux VMs using their Active directory credentials. This

[Freeipa-users] Re: Issue logging to desktop sessions

2022-09-20 Thread Sam Morris via FreeIPA-users
On 20/09/2022 13:22, Antoine Gatineau via FreeIPA-users wrote: The issue was cause by a configuration of the DNS config. The forwarding policy on global config and the main zone was set to "only" instead of "first". Once set back to "first" everything is fine. Check that the DNS forwarders

[Freeipa-users] Re: Connection Reset upon kinit

2022-09-20 Thread Sam Morris via FreeIPA-users
On 19/09/2022 13:18, Ronald Wimmer via FreeIPA-users wrote: So... we get closer. Ages ago we put the following performance tuning options to /etc/fstab: # Performance tuning for SSSD/IPA tmpfs   /var/lib/sss/db/    tmpfs   size=1024M,mode=0700 It looks like the directory is not created

[Freeipa-users] Re: Ubuntu 22 and sssd 2.6.3

2022-08-25 Thread Sam Morris via FreeIPA-users
On 25/08/2022 05:41, Ranbir via FreeIPA-users wrote: After enabling debug_level 9, I managed to figure out that my test client was missing the krb5-pkinit package so I installed that. I thought krb5-pkinit is only needed if you want to use PKINIT? sssd uses the host/$HOSTNAME principal to

[Freeipa-users] Re: Freeipa in a virtual machine, host being a client

2022-08-02 Thread Sam Morris via FreeIPA-users
On 02/08/2022 14:32, lol lol via FreeIPA-users wrote: Hello, I'd like to run IPA server in a vm and at the same time use the host OS as an IPA client for a uniform set-up of DNS, NTP, SSO etc across the board. I do this, with libvirt. Host is RHEL 8, there are actually two guests at the

[Freeipa-users] Re: SSSD prompting/2fa

2022-07-16 Thread Sam Morris via FreeIPA-users
On 16/07/2022 04:08, Jacob M Cutright via FreeIPA-users wrote: Hello, Apologies if I am misunderstanding and this is incorrect, but users who log in via SSH keys do not get Kerberos tickets by default, which is why your pam_sss_sudo isn't working. You can reference this issue here:

[Freeipa-users] Re: road-warrior laptop vs password change in FreeIPA

2022-07-16 Thread Sam Morris via FreeIPA-users
On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote: I've got a few colleagues running Debian 10 or 11 on a laptop. Their account is managed by FreeIPA in the office. On first-time login their laptop is wired to the office lan. When they are in home office they have a VPN connection

[Freeipa-users] Re: Port 389 on IPA servers

2022-07-15 Thread Sam Morris via FreeIPA-users
On 15/07/2022 11:49, Ronald Wimmer via FreeIPA-users wrote: The official RedHat documentation states The TCP port 389 is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server. Is this still true? Or could LDAPS/Port 636 be used as

[Freeipa-users] Re: SSSD prompting/2fa

2022-07-15 Thread Sam Morris via FreeIPA-users
On 08/07/2022 07:57, Sigbjorn Lie-Soland wrote: On 8 Jun 2022, at 10:26, Sam Morris via FreeIPA-users wrote: On 03/06/2022 08:19, Sigbjorn Lie via FreeIPA-users wrote: Hi list, When I have a 2FA enabled user account, I receive the two password prompt for sudo at a host, even on hosts

[Freeipa-users] Re: Kerberos after migration

2022-06-24 Thread Sam Morris via FreeIPA-users
On 24/06/2022 09:32, Serge Krawczenko via FreeIPA-users wrote: ldapsearch operates properly with `hostname` but not localhost With localhost i'm getting GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/localhost@ not found in Kerberos database) Any

[Freeipa-users] Re: "Invalid IV size (16) for CBC" when retrieving from vaults via RHEL 9 server

2022-06-22 Thread Sam Morris via FreeIPA-users
On 21/06/2022 19:45, Rob Crittenden wrote: It seems to be an interop problem between the server and client. The RHEL 9 server is wrapping the secret with AES but the client is trying to use TripleDES (and only supports 3DES). Upstream ticket https://pagure.io/freeipa/issue/6524 changed from a

[Freeipa-users] "Invalid IV size (16) for CBC" when retrieving from vaults via RHEL 9 server

2022-06-20 Thread Sam Morris via FreeIPA-users
I've added a RHEL 9 server to my IPA domain and I am finding that 'ipa vault-retrieve' fails intermittently. It turns out that whenever the ipa client talks to the RHEL 9 server, this error happens: $ ipa vault-retrieve --service host/myhost.example.com manager-password Traceback (most

[Freeipa-users] Re: SSSD prompting/2fa

2022-06-08 Thread Sam Morris via FreeIPA-users
On 03/06/2022 08:19, Sigbjorn Lie via FreeIPA-users wrote: Hi list, When I have a 2FA enabled user account, I receive the two password prompt for sudo at a host, even on hosts where 2FA is not required. This breaks Ansible for me, when using "become" with Ansible. A way forward might be to

[Freeipa-users] Re: Allowing a user to manage a service's certificates

2022-05-16 Thread Sam Morris via FreeIPA-users
On 15/05/2022 17:21, Sam Morris wrote: $ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=' Well, this is strange. The above was tested on my home setup (FreeIPA 4.9.8 on RHEL 8). But at work (FreeIPA 4.6.8 on RHEL 7) when I make the call

[Freeipa-users] Re: Allowing a user to manage a service's certificates

2022-05-15 Thread Sam Morris via FreeIPA-users
Thanks for the really in depth replies, Alexander & Robert! On Fri, May 13, 2022 at 09:27:34PM +0300, Alexander Bokovoy wrote: > On Fri, 13 May 2022, Sam Morris via FreeIPA-users wrote: > > I'm looking into using <https://github.com/guilhem/freeipa-issuer> to > >

[Freeipa-users] Allowing a user to manage a service's certificates

2022-05-13 Thread Sam Morris via FreeIPA-users
I'm looking into using to request certificates from FreeIPA on behalf of a (FreeIPA) service. The project authenticates to the FreeIPA API with a specified username and password:

[Freeipa-users] Re: IPA API can't talk to PKI

2022-04-27 Thread Sam Morris via FreeIPA-users
On 27/04/2022 15:52, Rob Crittenden wrote: Sam Morris via FreeIPA-users wrote: On 27/04/2022 14:09, Sam Morris wrote: Hi folks. PKI-related commands have started to fail on my setup: Oh, it turns out this is <https://bugzilla.redhat.com/show_bug.cgi?id=2006070> again, but thi

[Freeipa-users] Re: IPA API can't talk to PKI

2022-04-27 Thread Sam Morris via FreeIPA-users
On 27/04/2022 14:09, Sam Morris wrote: Hi folks. PKI-related commands have started to fail on my setup: Oh, it turns out this is again, but this time manifesting slightly differently: secret="oldsecret" was replaced by

[Freeipa-users] IPA API can't talk to PKI

2022-04-27 Thread Sam Morris via FreeIPA-users
Hi folks. PKI-related commands have started to fail on my setup: $ ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403) $ ipa vaultconfig-show ipa: ERROR: an internal error has occurred In /var/log/httpd/error_log I can see,

[Freeipa-users] Re: Strategy to renew TGT - any thoughts?

2022-04-08 Thread Sam Morris via FreeIPA-users
> So as long as a keytab is generated and the variable is setup, so will > FreeIPA automatically use it to fetch a new TGT when the older one expires after 7 days? You need something to automate the process of obtaining a ticket-granting-ticket every so often. Check out kstart

[Freeipa-users] Re: Is it possible to create hosts in AD via FreeIPA?

2022-04-08 Thread Sam Morris via FreeIPA-users
> I would like to use FreeIPA to manage Linux VDI machines, but VMware is > Active Directory-centric, and it's Horizon Connection Server creates > machine objects on AD that the VM's join to when created - and these > objects are deleted automatically when the corresponding VM ceases to >

[Freeipa-users] Re: Change admin user name

2022-04-08 Thread Sam Morris via FreeIPA-users
> Is it possible to use a different name than 'admin' for the admin account. > Same name change need for the admins group. For the user account, what I do is create an admin user with a different name, and then disable the default admin account. For the group - you can't rename it, it's

[Freeipa-users] Re: How to retrieve user's credentials from IPA database?

2022-03-29 Thread Sam Morris via FreeIPA-users
> I have absolutely no doubt you are right. I'm just not sure (yet) how to > implement the > SSSD/PAM/IDA integration (lack of knowledge from my side). See the Linux-PAM Application Developer's Guide. If you're totally new to PAM you

[Freeipa-users] Re: Use of OTP in special cases?

2022-02-19 Thread Sam Morris via FreeIPA-users
Fair. Looks like there is an XAuth PAM plugin but I don't see how to configure the PAM conversation. -- Sam Morris PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

[Freeipa-users] Re: Use of OTP in special cases?

2022-02-19 Thread Sam Morris via FreeIPA-users
What VPN server are you using & how do you currently integrate it with FreeIPA? If you integrate via PAM, I think the following is possible, but it is untested--it's just what I've pulled together in my notes, I haven't got around to actually trying it yet. You can allow a user to use _either_

[Freeipa-users] Re: Use FreeIPA as a CA for web apps

2022-02-11 Thread Sam Morris via FreeIPA-users
> The docs aren't 100% clear on this, how do I use the WebUI to sign a tls cert > with the > CA > I've tried adding via Authentication > Certificates > Certificates but it > said > it can't find the principal, and when I tick the add principal button, it > says i > cannot create a user

[Freeipa-users] Re: Adding DNS on a replica

2022-02-10 Thread Sam Morris via FreeIPA-users
> I set up a replica server, but I omitted the "--setup-dns" option when > installing the replica. Is there any way to add this, without uninstalling > completely and > re-installing? Try ipa-dns-install. -- Sam Morris PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B

[Freeipa-users] Re: SSHFP records

2022-02-09 Thread Sam Morris via FreeIPA-users
Only a problem if you want to use SSHFP records to verify the host keys presented by the SSH server running on the client. When SSHing to the client from another machine that has been enrolled, the host key will usually be verified by sss_ssh_knownhostsproxy which does not use SSHFP records.
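The point above is that an enrolled client verifies host keys through sss_ssh_knownhostsproxy, so the SSHFP records only matter for SSH clients that are not enrolled. The following is an added example, not code from the thread or from FreeIPA/SSSD: it computes the SSHFP RDATA for an OpenSSH host public key and checks a published record against it, which is the check you would run when deciding whether the records in the zone are worth relying on. The Ed25519 key line it uses is constructed inside the block (32 counted bytes, not a real key); on a real host you would feed it the contents of /etc/ssh/ssh_host_ed25519_key.pub.

```python
"""Added example (not from the mailing-list thread): build and check SSHFP
records for an OpenSSH host public key, so DNS-published SSHFP data can be
compared with the key a server actually presents.  The sample key line used
under __main__ is constructed for the example, not a real host's key."""
import base64
import hashlib
import struct
from typing import Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_SHA1 = 1
FP_SHA256 = 2


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "example-host") -> str:
    """Build a public-key line ("ssh-ed25519 <base64 blob> <comment>") from a
    32-byte Ed25519 key.  Used here only to construct sample input."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def sshfp_record(pubkey_line: str, fp_type: int = FP_SHA256) -> Tuple[int, int, str]:
    """Return (algorithm, fingerprint_type, fingerprint_hex) for an OpenSSH
    public key line.  The fingerprint is the hash of the base64-decoded key
    blob, which is what `ssh-keygen -r` publishes."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    key_type, b64_blob = fields[0], fields[1]
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"unsupported key type {key_type}")
    blob = base64.b64decode(b64_blob)
    # Sanity check: the first SSH string inside the blob repeats the key type.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type prefix does not match blob contents")
    hasher = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}[fp_type]
    return SSHFP_ALGORITHMS[key_type], fp_type, hasher(blob).hexdigest()


def matches_sshfp(pubkey_line: str, rdata: str) -> bool:
    """Check one SSHFP RDATA string ("<alg> <fptype> <hex>") against a key line.
    Hex is compared case-insensitively because DNS tools print it either way."""
    parts = rdata.split()
    if len(parts) != 3:
        return False
    try:
        alg, fp_type, fp_hex = int(parts[0]), int(parts[1]), parts[2].lower()
    except ValueError:
        return False
    if fp_type not in (FP_SHA1, FP_SHA256):
        return False
    return sshfp_record(pubkey_line, fp_type) == (alg, fp_type, fp_hex)


if __name__ == "__main__":
    # Constructed sample key: 32 counted bytes, obviously not a real key.
    sample_line = make_ed25519_pubkey_line(bytes(range(32)))
    alg, fpt, fp = sshfp_record(sample_line)
    print(f"client.example.com. IN SSHFP {alg} {fpt} {fp}")
```

The output line should match what `ssh-keygen -r client.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` prints and what `dig SSHFP client.example.com` returns. Remember that OpenSSH (with `VerifyHostKeyDNS yes`) only treats a matching SSHFP record as authoritative when the answer arrived DNSSEC-validated; from an unsigned zone the record is a hint, and on enrolled clients the ProxyCommand-based sss_ssh_knownhostsproxy check is what actually verifies the key.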

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-17 Thread Sam Morris via FreeIPA-users
On Fri, 2021-12-17 at 06:59 +0200, Alexander Bokovoy wrote: > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: > > > The CA has its own upgrade code which runs unconditionally and I think > > > that's how both secret and requiredSecret got added to server.xml
