On 2/25/20 8:27 PM, Chris Bacott via FreeIPA-users wrote:
Oh wow. Well, thank you very much for showing me how to enable the debug
logging for the whole app stack, that proved to reveal exactly what the issue
was.
Turns out, apache mod_security was blocking the access from "ipa host-del".
> On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via
> FreeIPA-users wrote:
>
> Thanks,
>
> please try to add
>
> krb5_use_fast = never
>
> to the [domain/] section of sssd.conf as well.
>
> If this does not help, please send/paste the krb5_child.log files with
> this
Oh wow. Well, thank you very much for showing me how to enable the debug
logging for the whole app stack, that proved to reveal exactly what the issue
was.
Turns out, apache mod_security was blocking the access from "ipa host-del".
[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid
On 2/25/20 6:25 PM, Chris Bacott via FreeIPA-users wrote:
Thank you for the reply. There are no errors with getting any certs at all,
that's why this is baffling me. The 403 error is making me think this is either
an apache or tomcat issue.
Strange issue, indeed. You can enable debug logs:
Thank you for the reply. There are no errors with getting any certs at all,
that's why this is baffling me. The 403 error is making me think this is either
an apache or tomcat issue.
# ipa cert-show 1
Issuing CA: ipa
Certificate:
Subject: CN=Certificate Authority,O=
Issuer:
On 2/25/20 4:18 PM, Chris Bacott via FreeIPA-users wrote:
Hello,
I've been searching for resolution on this issue for a while now, but it seems
all of the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Details are in https://access.redhat.com/articles/4661861 (accessible
with a subscription but even free Developer's subscription is fine).
"Red Hat is working on an
We are migrating from AD to FreeIPA and we have existing tools that limit
search by containers, and keeping containers would facilitate the migration a
lot!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an
We are migrating from AD to FreeIPA and we have existing tools that limit the
search by containers, and keeping those containers would facilitate the
migration a lot!
Best Regards,
Mary
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Details are in https://access.redhat.com/articles/4661861 (accessible
with a subscription but even free Developer's subscription is fine).
"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
allows the use of
On Tue, 25 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
Hi,
will Microsoft's decision to let domain controllers talk LDAPS only in
the near future affect IPA somehow?
Details are in https://access.redhat.com/articles/4661861 (accessible
with a subscription but even free Developer's
Hello,
I've been searching for resolution on this issue for a while now, but it seems
all of the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of freeipa, nothing tricky like replication or
anything. The system
Sorry for this post. It is a duplicate of "Domain controllers switch to
LDAPS". Thunderbird crashed and I was not aware that it sent that message...
Hi,
will Microsoft's decision to let domain controllers talk LDAPS only in
the near future affect IPA somehow?
Cheers,
Ronald
Will IPA be affected somehow when Windows Domain Controllers start
accepting LDAPS traffic only?
Cheers,
Ronald
On Tue, 25 Feb 2020, Mary Georgiou via FreeIPA-users wrote:
Thank you very much for the prompt answer.
If I generally would like to add another container such as
cn=some_other_type_of_users, cn=accounts, dc=example,dc=com. Is there
a way to not create a mess in this case?
Perhaps, it would
Thank you very much for the prompt answer.
If I generally would like to add another container such as
cn=some_other_type_of_users, cn=accounts, dc=example,dc=com.
Is there a way to not create a mess in this case?
Again thanks a lot,
All the best
Mary
On Tue, 25 Feb 2020, Mary Georgiou via FreeIPA-users wrote:
Hello all,
I'd like to add to the FreeIPA 389DS more user and group containers.
For example currently, the default one is cn=users, cn=accounts,
dc=example,dc=com and I'd like to add OU=something, cn=accounts,
dc=example,dc=com and
Hello all,
I'd like to add to the FreeIPA 389DS more user and group containers.
For example currently, the default one is cn=users, cn=accounts,
dc=example,dc=com and I'd like to add OU=something, cn=accounts,
dc=example,dc=com and under it cn=some_other_users,OU=something, cn=accounts,
On Tue, Feb 25, 2020 at 11:38:29AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> I was not aware of that. If I change sudo rules for a certain user do I have
> any control on how long the changes take to be effective? Is invalidating
> the cache on a client the only option I have?
Hi,
you can
I was not aware of that. If I change sudo rules for a certain user do I
have any control on how long the changes take to be effective? Is
invalidating the cache on a client the only option I have?
Cheers,
Ronald
On Tue, Feb 25, 2020 at 11:17:17AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> If SSSD has cache_credentials set to True it will take some time until
> changes become visible on an IPA client. When I change sudo permissions for
> a certain user I usually want the changes to be effective
On Tue, Feb 25, 2020 at 10:02:48AM -, Michael Solodovnikov via
FreeIPA-users wrote:
> > Hi,
> >
> > can you paste krb5_child.log from the server and client attempt as well?
> >
> > bye,
> > Sumit
>
> Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080
>
> Attempt on
If SSSD has cache_credentials set to True it will take some time until
changes become visible on an IPA client. When I change sudo permissions
for a certain user I usually want the changes to be effective
immediately. Does this imply setting cache_credentials to False or what
are best practices
> Hi,
>
> can you paste krb5_child.log from the server and client attempt as well?
>
> bye,
> Sumit
Attempt on server krb5_child.log - https://paste.centos.org/view/09edb080
Attempt on client krb5_child.log - https://paste.centos.org/view/eb2b89b3
Michael.
25 matches