[Freeipa-users] Re: Is bind's native dnssec now a better choice than opendnssec?

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Harry G. Coin via FreeIPA-users wrote: Alexander and others who care about dnssec: Given the ongoing problems with opendnssec/libp11 and the many freeipa routines and resources dedicated to working around it, has bind9's native dnssec implementation improved to the point

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: The CA has its own upgrade code which runs unconditionally and I think that's how both secret and requiredSecret got added to server.xml. I wasn't able to duplicate the 403 though, it always just worked for me. Perhaps it has to go

[Freeipa-users] Re: Unable to communicate with CMS (403)

2021-12-16 Thread Sam Morris via FreeIPA-users
> The CA has its own upgrade code which runs unconditionally and I think > that's how both secret and requiredSecret got added to server.xml. I > wasn't able to duplicate the 403 though, it always just worked for me. > Perhaps it has to go through more than one upgrade cycle. I did my > testing on

[Freeipa-users] Is bind's native dnssec now a better choice than opendnssec?

2021-12-16 Thread Harry G. Coin via FreeIPA-users
Alexander and others who care about dnssec: Given the ongoing problems with opendnssec/libp11 and the many freeipa routines and resources dedicated to working around it, has bind9's native dnssec implementation improved to the point we can greatly reduce the freeipa package count by just

[Freeipa-users] Re: [WARN] Please refrain from installing RhSA-2021:5082 yet

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris wrote: On Thu, 2021-12-16 at 10:40 +0200, Alexander Bokovoy wrote: As a workaround, you can skip upgrading ipa-selinux package if that is possible (it seemed to work in my tests). 'dnf upgrade' should make it possible to skip that. Thanks. For me a 'dnf

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Sam Morris via FreeIPA-users
On Thu, 2021-12-16 at 17:16 +0200, Alexander Bokovoy wrote: > On Thu, 16 Dec 2021, Sam Morris wrote: > > On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote: > > > On Thu, 16 Dec 2021, Sam Morris wrote: > > > > > > > > But I don't see the link with ipa user-mod

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris wrote: On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote: On Thu, 16 Dec 2021, Sam Morris wrote: > > But I don't see the link with ipa user-mod --auth-user-type=hardened... > in my case it just seems to make it impossible to log in as the user at >

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Sam Morris via FreeIPA-users
On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote: > On Thu, 16 Dec 2021, Sam Morris wrote: > > > > But I don't see the link with ipa user-mod --auth-user-type=hardened... > > in my case it just seems to make it impossible to log in as the user at > > all... > > For hardened, I think I

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris wrote: On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote: On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: > I was wondering what the purpose of 'ipa user-mod > --auth-user-type=hardened' was. In the web UI the option is > labelled > "Hardened

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Sam Morris via FreeIPA-users
On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote: > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: > > I was wondering what the purpose of 'ipa user-mod > > --auth-user-type=hardened' was. In the web UI the option is > > labelled > > "Hardened Password (by SPAKE or FAST)". > >

[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote: I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)". What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this

[Freeipa-users] Re: FreeIPA logs retention Period

2021-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I guess it depends which log you're considering. Some services drop a configuration snippet in /etc/logrotate.d (for instance httpd, named, and others), and this snippet defines a log rotation policy. For more details refer to man logrotate(8) and man logrotate.conf(5). The LDAP server has

[Freeipa-users] Re: FreeIPA logs retention Period

2021-12-16 Thread Sam Morris via FreeIPA-users
Retention of some log files is determined by the files in /etc/logrotate.d. For others you'd have to look at the configuration of individual services on the server (e.g., for the directory service look inside the cn=config entry; for the CA service look at /etc/pki/pki-tomcat/logging.properties

[Freeipa-users] Making use of ipa-user-mod --auth-user-type=hardened

2021-12-16 Thread Sam Morris via FreeIPA-users
I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)". What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option, kinit already opportunistically uses SPAKE: $

[Freeipa-users] FreeIPA logs retention Period

2021-12-16 Thread GAURAV Pande via FreeIPA-users
Hi Team, Could you please help me understand or tell what is the log retention period for FreeIPA? Couldn't get a clean/clear answer to this anywhere. How can we find out this information. Thanks

[Freeipa-users] Re: [WARN] Please refrain from installing RhSA-2021:5082 yet

2021-12-16 Thread Sam Morris via FreeIPA-users
On Thu, 2021-12-16 at 10:40 +0200, Alexander Bokovoy wrote: > > As a workaround, you can skip upgrading ipa-selinux package if that is > possible (it seemed to work in my tests). 'dnf upgrade' should make it > possible to skip that. Thanks. For me a 'dnf upgrade --nobest' did the trick. --

[Freeipa-users] Re: [WARN] Please refrain from installing RhSA-2021:5082 yet

2021-12-16 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 15 Dec 2021, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 15 Dec 2021, Sam Morris via FreeIPA-users wrote: On Mon, 13 Dec 2021, Alexander Bokovoy via FreeIPA-users wrote: RHSA-2021:5142 adds RHEL IdM fix that should work together with Samba changes introduced in