[Freeipa-users] Re: How to lock a user after password expired for some period

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Wed, Feb 8, 2023 at 2:04 AM Sarawut Lee via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> I'm using FreeIPA 4.9.8 on CentOS Stream 8. One feature I'm going to
> consider is to lock a user once the password expires (except for some
> groups). Why I need it: some applications, when they access user/password
> from FreeIPA, just read the user/password for each user (they don't
> implement Single Sign-On). I'd appreciate any advice.
>
Do you mean that the app is doing an LDAP bind with the user/password? If
that's what the app is doing, you can configure the password policy with a
number of allowed grace logins = 0. This way, when the password is expired,
an LDAP bind is not allowed past password expiration.

See the design at
https://freeipa.readthedocs.io/en/latest/designs/ldap_grace_period.html

flo

>
> Regards,
> Lee.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
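To make the "grace logins = 0" advice concrete, here is a small Python model of the check the linked design describes. It is an added illustration, not FreeIPA's code and not part of the thread. It assumes, as I read the design, that passwordGraceLimit is -1 for unlimited grace binds (the legacy behaviour), 0 for none and N for N binds after expiry; that krbPasswordExpiration is an LDAP GeneralizedTime string; and that a user gets the group password policy with the lowest priority value among their groups, otherwise global_policy (which is how the "except for some group" part of the question would be handled). Policy names, users and dates are constructed.

```python
"""Model of FreeIPA's LDAP grace-login check (added example, not FreeIPA code).

Assumptions, taken from the ldap_grace_period design linked above and from
FreeIPA's per-group password policies:
  * krbPasswordExpiration is stored as LDAP GeneralizedTime, e.g. 20240628074937Z
  * passwordGraceLimit on a policy: -1 = unlimited grace binds (legacy
    behaviour), 0 = no grace binds at all, N > 0 = N binds allowed after expiry
  * passwordGraceUserTime on the user entry counts the grace binds consumed
  * a user gets the group policy with the lowest priority value among the
    groups they belong to, otherwise global_policy
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def parse_generalized_time(value: str) -> datetime:
    """Parse the 15-character UTC GeneralizedTime form FreeIPA uses."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class PasswordPolicy:
    name: str                       # "global_policy" or the group the policy is attached to
    grace_limit: int = -1           # passwordGraceLimit
    priority: Optional[int] = None  # set for group policies; lower value wins


@dataclass
class UserEntry:
    uid: str
    krb_password_expiration: str    # GeneralizedTime
    member_of: Tuple[str, ...] = ()
    grace_logins_used: int = 0      # passwordGraceUserTime


def effective_policy(user: UserEntry, policies: List[PasswordPolicy]) -> PasswordPolicy:
    """Pick the policy FreeIPA would apply to this user."""
    group_policies = [p for p in policies
                      if p.priority is not None and p.name in user.member_of]
    if group_policies:
        return min(group_policies, key=lambda p: p.priority)
    return next(p for p in policies if p.name == "global_policy")


def simple_bind_allowed(user: UserEntry, policies: List[PasswordPolicy],
                        now: str) -> Tuple[bool, str]:
    """Decide whether an LDAP simple bind with a *correct* password may proceed.

    Only the expiry/grace logic is modelled; password verification is assumed
    to have succeeded already.  On a grace bind the user's counter is bumped,
    as the directory server would do.
    """
    if parse_generalized_time(user.krb_password_expiration) > parse_generalized_time(now):
        return True, "password valid"
    policy = effective_policy(user, policies)
    if policy.grace_limit < 0:
        user.grace_logins_used += 1
        return True, f"expired; unlimited grace logins ({policy.name})"
    if user.grace_logins_used < policy.grace_limit:
        user.grace_logins_used += 1
        return True, (f"expired; grace login {user.grace_logins_used}/"
                      f"{policy.grace_limit} ({policy.name})")
    return False, f"expired; no grace logins left ({policy.name})"


if __name__ == "__main__":
    # Constructed sample data: a strict global policy, a lenient one for a
    # service-accounts group, and users whose passwords expired last June.
    policies = [PasswordPolicy("global_policy", grace_limit=0),
                PasswordPolicy("svc-accounts", grace_limit=3, priority=10)]
    now = "20240701120000Z"
    for user in (UserEntry("alice", "20240628074937Z"),
                 UserEntry("ldapapp", "20240628074937Z", member_of=("svc-accounts",))):
        for attempt in range(2):
            allowed, why = simple_bind_allowed(user, policies, now)
            print(f"{user.uid} bind #{attempt + 1}: "
                  f"{'allowed' if allowed else 'denied'} ({why})")
```

With the global policy at grace limit 0, alice is refused on her first bind after expiry while the application account in svc-accounts still gets its three grace binds; on a real server the counter lives in the user entry, so the application's remaining budget is visible there.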


[Freeipa-users] Re: Issue with Login PIN Prompting with SSSD and krb5_child.

2023-02-07 Thread Sumit Bose via FreeIPA-users
On Wed, Feb 08, 2023 at 12:45:57AM -, r0 nam1 via FreeIPA-users wrote:
> Realized I never set up any mapping rules, fixed that and they match properly.
> Looking at the krb5_log now that's working, I see a few lines of interest:
> [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] 
> num_prompts [1] EINVAL.
> (2023-02-07 16:42:57): [krb5_child[699]] [sss_krb5_prompter] (0x4000): Prompt 
> [0][Password for u...@internal.my.DOMAIN].
> (2023-02-07 16:42:57): [krb5_child[699]] [sss_krb5_prompter] (0x0200): 
> Prompter interface isn't used for password prompts by SSSD.
> (2023-02-07 16:42:57): [krb5_child[699]] [sss_child_krb5_trace_cb] (0x4000): 
> [699] 1675816977.033417: Preauth module encrypted_challenge (138) (real) 
> returned: -1765328254/Cannot read password
> 
> Here's that log: https://pastebin.com/U7At3nkX

Hi,

it looks like the password is still used for authentication. Please send
all files from /var/log/sssd to get a better understanding of why SSSD does
not want to use the certificate from the Smartcard for authentication.

bye,
Sumit



[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2023-02-07 Thread Bryan Fang via FreeIPA-users
Hi Rob and Flo,
 Thanks for your reply. Yes, I am using an external CA certificate; we have a 
separate Apache server as a proxy for the IPA server, and we are using an 
external CA certificate for the Apache server. The version of the IPA server 
is 4.6.8, and I don't know how to upgrade the domain level to 1; I tried to 
manually set it to 1 but failed with the error message 'server doesn't 
support the domain level'. If I want to reuse the existing IPA server, how 
can I promote it to be a replica? Or would you please advise me how to 
rebuild the whole deployment? Thanks a lot!
Bryan


[Freeipa-users] Re: Questions about /root/cacert.p12 file

2023-02-07 Thread Rob Crittenden via FreeIPA-users
Kathy Zhu via FreeIPA-users wrote:
> Hi Team,
> 
> I'd like to understand more about the /root/cacert.p12 file in a self
> signed CA environment. Here are the questions: 
> 
> 1. could this file be located somewhere other than under /root? 
> 2. what operations use this file instead of nssdb? In other words, if
> the /root/cacert.p12 file were not in place, what operations would fail? 
> 3. any good readings to learn more? 

This is not operational. It is a backup of your CA keys in case
something catastrophic happens, created at the time of initial server
installation. Depending on the IPA version you don't need it at all. Early
versions would use this file to prepare replicas. We ended up instead
calling PKCS12Export to generate a new one prior to replica creation.

I don't think it is really used with domain-level 1 at all, so any
version released in the last 5 years or so.

It is an artifact that comes out of the CA installation. It's in /root
to provide the best possible protection for the file. The default
location is /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12; we move it.

You might find information about it in the RHCS documentation.

rob
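Since the file is a backup of the CA private keys and is kept under /root purely for protection, the check worth automating is not whether IPA needs it but whether it is still safe where it lies. The following Python is an added example (not FreeIPA or Dogtag code, not from the thread) that reports the usual findings: wrong owner, group/other permission bits, a symlink standing in for the file, or content that is not DER (a PKCS#12 file starts with the DER SEQUENCE tag 0x30). The helper that writes a stand-in file exists only so the check can be exercised on constructed input; the path /root/cacert.p12 is the one from the thread.

```python
"""Sanity checks on a CA key backup such as /root/cacert.p12.

Added example, not FreeIPA code.  Assumptions: the file is a DER-encoded
PKCS#12 (outer SEQUENCE tag 0x30) and should be a regular file owned by
root with no group/other permission bits.
"""
import os
import stat
import tempfile
from typing import List


def current_uid() -> int:
    """The uid to expect on files created by this process (root on a real server)."""
    return os.getuid()


def backup_file_issues(path: str, expect_owner_uid: int = 0) -> List[str]:
    """Return a list of findings; an empty list means the backup looks protected."""
    issues: List[str] = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return [f"missing: {path}"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink, not a regular file"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    if st.st_uid != expect_owner_uid:
        issues.append(f"owned by uid {st.st_uid}, expected {expect_owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("readable or writable by group or others")
    if st.st_size == 0:
        issues.append("empty file")
    else:
        with open(path, "rb") as fh:
            first = fh.read(1)
        if first != b"\x30":
            issues.append("does not start with a DER SEQUENCE tag; not a PKCS#12 file?")
    return issues


def write_temp_backup(data: bytes, mode: int) -> str:
    """Create a constructed stand-in for cacert.p12 with the given mode (demo/test only)."""
    fd, path = tempfile.mkstemp(suffix=".p12")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # On a production server you would expect no findings here.
    for finding in backup_file_issues("/root/cacert.p12") or ["ok"]:
        print(finding)
```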


[Freeipa-users] How to lock a user after password expired for some period

2023-02-07 Thread Sarawut Lee via FreeIPA-users
Hi,

I'm using FreeIPA 4.9.8 on CentOS Stream 8. One feature I'm going to consider 
is to lock a user once the password expires (except for some groups). Why I 
need it: some applications, when they access user/password from FreeIPA, just 
read the user/password for each user (they don't implement Single Sign-On). 
I'd appreciate any advice.

Regards,
Lee.


[Freeipa-users] Questions about /root/cacert.p12 file

2023-02-07 Thread Kathy Zhu via FreeIPA-users
Hi Team,

I'd like to understand more about the /root/cacert.p12 file in a self signed
CA environment. Here are the questions:

1. could this file be located somewhere other than under /root?
2. what operations use this file instead of nssdb? In other words, if
the /root/cacert.p12 file were not in place, what operations would fail?
3. any good readings to learn more?

Thank you in advance!

Kathy.


[Freeipa-users] Re: Issue with Login PIN Prompting with SSSD and krb5_child.

2023-02-07 Thread r0 nam1 via FreeIPA-users
Realized I never set up any mapping rules, fixed that and they match properly.
Looking at the krb5_log now that's working, I see a few lines of interest:
[sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] 
num_prompts [1] EINVAL.
(2023-02-07 16:42:57): [krb5_child[699]] [sss_krb5_prompter] (0x4000): Prompt 
[0][Password for u...@internal.my.DOMAIN].
(2023-02-07 16:42:57): [krb5_child[699]] [sss_krb5_prompter] (0x0200): Prompter 
interface isn't used for password prompts by SSSD.
(2023-02-07 16:42:57): [krb5_child[699]] [sss_child_krb5_trace_cb] (0x4000): 
[699] 1675816977.033417: Preauth module encrypted_challenge (138) (real) 
returned: -1765328254/Cannot read password

Here's that log: https://pastebin.com/U7At3nkX


[Freeipa-users] Re: Issue with Login PIN Prompting with SSSD and krb5_child.

2023-02-07 Thread r0 nam1 via FreeIPA-users
I've gone ahead and uploaded the logs here, to a temp file site: 
(https://temp.sh/FYaWU/Terminal-Logs.zip) 

One thing to bring up is I did see this in the PAM log:
 Found cert [MyCertHash] does not match matching rules and is ignored.

Seems of interest, but unsure why it would only apply during PAM. 
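The "does not match matching rules and is ignored" line is SSSD's certmap filter rejecting the certificate before any authentication happens. To show how such a rule is evaluated, here is an added Python example (not SSSD code, not from the thread) that implements a subset of the sss-certmap rule language: <SUBJECT>regex, <ISSUER>regex, <KU>list and <EKU>list components, concatenated (all must hold), joined with && and ||, or negated with a leading !. Parentheses and <SAN...> components are not handled. It assumes the default rule SSSD applies when none is configured is <KU>digitalSignature<EKU>clientAuth. The certificate facts are constructed for the demo; a real checker would read them from the parsed X.509 certificate.

```python
"""Evaluate SSSD-style certificate matching rules against certificate facts.

Added example, not SSSD code.  Subset of sss-certmap(5): <SUBJECT>, <ISSUER>,
<KU>, <EKU> components, concatenation (AND), '&&', '||' and a leading '!'.
The default rule is assumed to be <KU>digitalSignature<EKU>clientAuth.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

COMPONENT = re.compile(r"<(SUBJECT|ISSUER|KU|EKU)>")
DEFAULT_RULE = "<KU>digitalSignature<EKU>clientAuth"


@dataclass(frozen=True)
class CertFacts:
    label: str                              # e.g. the certificate hash SSSD logs
    subject: str                            # RFC 4514 string, in the order the rule expects
    issuer: str
    key_usage: FrozenSet[str] = frozenset()
    ext_key_usage: FrozenSet[str] = frozenset()


def split_components(term: str) -> List[Tuple[str, str]]:
    """'<KU>digitalSignature<EKU>clientAuth' -> [('KU', 'digitalSignature'), ('EKU', 'clientAuth')]"""
    parts = COMPONENT.split(term.strip())
    if len(parts) < 3 or parts[0] != "":
        raise ValueError(f"malformed matching rule fragment: {term!r}")
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]


def component_matches(name: str, value: str, cert: CertFacts) -> bool:
    if name == "SUBJECT":
        return re.search(value, cert.subject) is not None
    if name == "ISSUER":
        return re.search(value, cert.issuer) is not None
    if name == "KU":
        return set(value.split(",")) <= cert.key_usage       # every listed usage present
    if name == "EKU":
        return set(value.split(",")) <= cert.ext_key_usage
    raise ValueError(name)


def term_matches(term: str, cert: CertFacts) -> bool:
    """One operand: concatenated components, optionally negated with '!'."""
    term = term.strip()
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    result = all(component_matches(n, v, cert) for n, v in split_components(term))
    return result != negate


def rule_matches(rule: str, cert: CertFacts) -> bool:
    """'||' binds loosest, '&&' tighter; each operand is a (possibly negated) term."""
    return any(all(term_matches(t, cert) for t in conj.split("&&"))
               for conj in rule.split("||"))


def accepted_certs(rules: List[str], certs: List[CertFacts]) -> List[str]:
    """Labels of the certs some rule accepts; the rest are what SSSD reports as ignored."""
    active = rules or [DEFAULT_RULE]
    return [c.label for c in certs if any(rule_matches(r, c) for r in active)]


# Constructed sample certificates (labels are placeholders, not real hashes).
SAMPLE_CERTS = [
    CertFacts("CERT-A", "CN=alice,OU=Users,O=Example Corp",
              "CN=Example Corp CA,O=Example Corp",
              frozenset({"digitalSignature", "keyEncipherment"}),
              frozenset({"clientAuth", "emailProtection"})),
    CertFacts("CERT-B", "CN=vpn.example.test,O=Example Corp",
              "CN=Example Corp CA,O=Example Corp",
              frozenset({"digitalSignature"}), frozenset({"serverAuth"})),
    CertFacts("CERT-C", "CN=alice,OU=Users,O=Example Corp", "CN=Some Other CA",
              frozenset({"digitalSignature"}), frozenset({"clientAuth"})),
]

if __name__ == "__main__":
    for rules in ([], ["<SUBJECT>^CN=alice<ISSUER>CN=Example Corp CA"],
                  ["<EKU>clientAuth&&!<ISSUER>Other"]):
        print(rules or "default rule", "->", accepted_certs(rules, SAMPLE_CERTS))
```

Running it shows the two ways a smartcard certificate ends up "ignored": it fails the default rule (no clientAuth EKU, as with CERT-B) or it fails a configured rule that pins the issuer or subject. When a rule is in place, the issuer and subject strings must be compared in exactly the form SSSD uses, which is the first thing to check when a rule that looks right still rejects the card.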


[Freeipa-users] Upgrade outdated FreeIPA sanity check

2023-02-07 Thread Kevin Vasko via FreeIPA-users
We have a set of 3x FreeIPA servers that have outdated (everything) in a
development/test environment that need to be updated.

It seems that 4.6.8-5.el7.centos.12 is the latest version available on
CentOS 7?

On the 3 servers we are at:
4.5.4-10.el7.centos.4.4
4.6.4-10-el7.centos.6
4.6.4-10-el7.centos.6

For the two 4.6.4 installs, that seems like a relatively simple upgrade, as we
would only be going to a different dot release, and a simple "yum update
ipa-server" should handle this? Is there any advice for/against doing a
full "yum update" on the entire system to get everything updated?

For the 4.5.4 system, is there much of a concern going straight from 4.5.4
to 4.6.8? I assume the concern would be jumping major versions and
going from say 4.5 to 4.9?

My current plan is to stop at CentOS 7.9 and the latest FreeIPA 4.6 release on
CentOS 7.9. But for my own knowledge, if I was going to 4.10, wouldn't the
recommended path be to install CentOS Stream 9 on a new
server, enroll it, make 4.10 the master and then remove the CentOS 7
instances?

-Kevin


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Rob Crittenden via FreeIPA-users
It relies on the Kerberos TGT you currently have. I assume you log into
the UI as admin but on the cli you have a ticket for yourself.

Use klist to find out.

To become admin: kinit admin

rob

Philippe de Rochambeau wrote:
> Hi Rob,
> I’m not at work anymore.
> How do you find out which credentials you need to modify users in ipa?
> Do you need to be root?
> When using the FreeIPA GUI, I’ve no problem creating and modifying users, 
> adding them to groups, etc.
> However, in the GUI, the password-expiration field is read-only, which is why 
> I have attempted modifying its value on the CLI.


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Philippe de Rochambeau via FreeIPA-users
Hi Rob,
I’m not at work anymore.
How do you find out which credentials you need to modify users in ipa?
Do you need to be root?
When using the FreeIPA GUI, I’ve no problem creating and modifying users, 
adding them to groups, etc.
However, in the GUI, the password-expiration field is read-only, which is why I 
have attempted modifying its value on the CLI.

> On 7 Feb 2023, at 18:53, Rob Crittenden wrote:
> 
> What user principal are you using? Do you have permissions to modify
> this other user's information? The error message says you don't.
> 
> rob
> 


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Rob Crittenden via FreeIPA-users
What user principal are you using? Do you have permissions to modify
this other user's information? The error message says you don't.

rob

phi...@free.fr wrote:
> 
> Hi Rob,
> 
> thanks for your feedback.
> 
> Unfortunately,
> 
> ipa user-mod user1 --setattr givenname=phili
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
> 'givenName' attribute of entry 'uid=...'.
> 
> 
>>> In general we strongly encourage you to upgrade to a supported release
> 
> I wish I could. I'll report it to my manager.
> 
> 
> 
> 
> - Original Mail -
> From: "Rob Crittenden" 
> To: "FreeIPA users list" 
> Cc: phi...@free.fr
> Sent: Tuesday 7 February 2023 17:51:20
> Subject: Re: [Freeipa-users] Re: password-expiration
> 
> When using --setattr you have to use the LDAP attribute name. So in this
> case givenname.
> 
> 4.5.4 is getting along to 6 years old now. In general we strongly
> encourage you to upgrade to a supported release, one release at a time
> (there is no going from 4.5 to 4.10 directly).
> 
> rob
> 
> None via FreeIPA-users wrote:
>>
>>
>> Hi Florence,
>>
>> I've tried the --setattr option with 'first', 
>>
>>
>> ipa user-mod user1 --setattr first=phil
>>
>> ... but to no avail 
>>
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 
>> 'first' attribute of 
>> entry 'uid=...'.
>>
>>
>>
>> - Original Mail -
>> From: "Florence Blanc-Renaud via FreeIPA-users" 
>> 
>> To: phi...@free.fr
>> Cc: freeipa-users@lists.fedorahosted.org, "Florence Blanc-Renaud" 
>> 
>> Sent: Tuesday 7 February 2023 17:37:19
>> Subject: [Freeipa-users] Re: password-expiration
>>
>>
>>
>>
>>
>> Hi, 
>>
>>
>>
>> On Tue, Feb 7, 2023 at 5:23 PM < phi...@free.fr > wrote: 
>>
>>
>> Hi Florence, 
>> alas, same issue 
>>
>> ipa: error: no such option: --password-expiration 
>>
>>
>>
>> Ok, the functionality was added in 4.6.0 (see Release notes ) so you need to 
>> use directly ipa user-mod LOGIN --setattr krbpasswordexpiration =VALUE 
>> flo 
>>
>>
>>
>>
>>
>>
>> - Original Mail - 
>> From: "Florence Blanc-Renaud" < f...@redhat.com > 
>> To: phi...@free.fr 
>> Cc: freeipa-users@lists.fedorahosted.org 
>> Sent: Tuesday 7 February 2023 17:12:32 
>> Subject: Re: [Freeipa-users] password-expiration 
>>
>>
>>
>>
>> Hi, 
>>
>>
>>
>> On Tue, Feb 7, 2023 at 4:49 PM < phi...@free.fr > wrote: 
>>
>>
>> Hi Florence, 
>> unfortunately, 
>>
>> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z' 
>> Usage: ipa [global-options] user-mod LOGIN [options] 
>>
>> ipa: error: no such option: --krbpasswordexpiration 
>>
>>
>> My bad, I copied the attribute name instead of the CLI option name. Can you 
>> try with 
>> ipa user-mod LOGIN --password-expiration =DATETIME 
>>
>>
>> Note: if you type ipa user-mod --help you can see all the available options. 
>> flo 
>>
>>
> 


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko wrote:
> I’m in a similar situation and need to upgrade.
> 
> These docs are what I
> found https://www.freeipa.org/page/Upgrade#FreeIPA_4.2.0_or_newer and it
> seems to imply to simply run a yum update freeipa-server to go to the
> latest version. Is there some other documentation I should be following?

It is still true that upgrading packages will move from one version to
another. We never envisioned moving multiple at the same time. There
have been rather huge architectural changes since the 4.5 releases.

https://docs.redhat.com/ has the latest documentation under RHEL.

rob

> 
> -Kevin
> 
>> On Feb 7, 2023, at 10:51 AM, Rob Crittenden via FreeIPA-users
>>  wrote:
>>
>> When using --setattr you have to use the LDAP attribute name. So in this
>> case givenname.
>>
>> 4.5.4 is getting along to 6 years old now. In general we strongly
>> encourage you to upgrade to a supported release, one release at a time
>> (there is no going from 4.5 to 4.10 directly).
>>
>> rob
>>


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Kevin Vasko via FreeIPA-users
I’m in a similar situation and need to upgrade.

These docs are what I found 
https://www.freeipa.org/page/Upgrade#FreeIPA_4.2.0_or_newer and they seem to 
imply that you simply run a yum update freeipa-server to go to the latest 
version. Is there some other documentation I should be following?

-Kevin

> On Feb 7, 2023, at 10:51 AM, Rob Crittenden via FreeIPA-users 
>  wrote:
> 
> When using --setattr you have to use the LDAP attribute name. So in this
> case givenname.
> 
> 4.5.4 is getting along to 6 years old now. In general we strongly
> encourage you to upgrade to a supported release, one release at a time
> (there is no going from 4.5 to 4.10 directly).
> 
> rob
> 


[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users

Hi Rob,

thanks for your feedback.

Unfortunately,

ipa user-mod user1 --setattr givenname=phili
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'givenName' attribute of entry 'uid=...'.


>> In general we strongly encourage you to upgrade to a supported release

I wish I could. I'll report it to my manager.






[Freeipa-users] Re: password-expiration

2023-02-07 Thread Rob Crittenden via FreeIPA-users
When using --setattr you have to use the LDAP attribute name. So in this
case givenname.

4.5.4 is getting along to 6 years old now. In general we strongly
encourage you to upgrade to a supported release, one release at a time
(there is no going from 4.5 to 4.10 directly).

rob



[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users


Hi Florence,

I've tried the --setattr option with 'first', 


ipa user-mod user1 --setattr first=phil

... but to no avail 

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'first' attribute of entry 'uid=...'.





[Freeipa-users] Re: password-expiration

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Feb 7, 2023 at 5:23 PM  wrote:

> Hi Florence,
> alas, same issue
>
> ipa: error: no such option: --password-expiration
>
>
Ok, the functionality was added in 4.6.0 (see Release notes) so you need to
use directly ipa user-mod LOGIN --setattr krbpasswordexpiration=VALUE
flo


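As an added example (not from the thread and not FreeIPA's own tooling), here is a POSIX shell helper that puts the answers above together: it converts a UTC timestamp to the LDAP GeneralizedTime that krbpasswordexpiration stores, picks --password-expiration on 4.6.0 and later or --setattr krbpasswordexpiration on older releases such as 4.5.4, and maps a few user-mod option names to the LDAP attribute names that --setattr expects (the reason "first" fails where "givenname" works). The 4.6.0 threshold and the attribute name come from the thread; that --password-expiration accepts the GeneralizedTime form and the first/last/email mapping are my assumptions, and user1 and the dates are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Builds the "ipa user-mod" invocation that resets a user's password
# expiration on a given FreeIPA version, following the two answers in the
# thread: --password-expiration exists from 4.6.0; older releases must write
# the LDAP attribute with --setattr krbpasswordexpiration=VALUE.
# Assumptions (mine, not from the thread): --password-expiration accepts the
# LDAP GeneralizedTime form, and the option-to-attribute names listed in
# ldap_attr_for_option are the ones the ipa CLI writes. "user1" and the
# timestamps are constructed sample values. Nothing here talks to a server;
# the functions only print the command to run.

# Convert a UTC timestamp such as "2024-06-28 07:49:37Z" (or the ISO form
# "2024-06-28T07:49:37Z") to LDAP GeneralizedTime "20240628074937Z".
# Fails (returns 1) unless exactly 14 digits remain, so a date-only value
# or a timestamp with a numeric offset instead of Z is rejected rather
# than stored as a wrong expiration.
to_generalized_time() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    [ "${#digits}" -eq 14 ] || return 1
    printf '%sZ\n' "$digits"
}

# Return 0 if version $1 (e.g. "4.5.4") is at least version $2 (e.g. "4.6.0").
# Compares dotted components numerically; missing components count as 0.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1='' ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2='' ;; esac
    done
    return 0
}

# Print the command that sets LOGIN's password expiration to WHEN on a
# server running IPA_VERSION (as reported by "ipa --version").
# Usage: password_expiration_cmd IPA_VERSION LOGIN WHEN
password_expiration_cmd() {
    ipa_version="$1"; login="$2"; when="$3"
    gt=$(to_generalized_time "$when") || return 1
    if version_ge "$ipa_version" 4.6.0; then
        # Dedicated CLI option, available from 4.6.0 per the thread.
        printf 'ipa user-mod %s --password-expiration=%s\n' "$login" "$gt"
    else
        # Pre-4.6.0 (e.g. 4.5.4): no option, so write the LDAP attribute
        # directly; --setattr wants the attribute name, not an option name.
        printf 'ipa user-mod %s --setattr krbpasswordexpiration=%s\n' "$login" "$gt"
    fi
}

# --setattr/--delattr take the LDAP attribute name, not the user-mod option
# name (Rob's point in the thread): --first writes givenName, so the raw form
# is "--setattr givenname=...", never "first=...". Returns 1 for unknown names.
ldap_attr_for_option() {
    case $1 in
        first) echo givenname ;;
        last) echo sn ;;
        email) echo mail ;;
        password-expiration) echo krbpasswordexpiration ;;
        *) return 1 ;;
    esac
}

# Demo with constructed values; prints the commands, does not run them.
password_expiration_cmd 4.5.4 user1 '2024-06-28 07:49:37Z'
password_expiration_cmd 4.10.0 user1 '2024-06-28 07:49:37Z'
```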


[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
When I run 'ipa user-show user1 --all'

the krbpasswordexpiration attribute appears in the list of user attributes 
though.





[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
Hi Florence,
alas, same issue

ipa: error: no such option: --password-expiration







[Freeipa-users] Re: password-expiration

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Feb 7, 2023 at 4:49 PM  wrote:

> Hi Florence,
> unfortunately,
>
> ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z'
> Usage: ipa [global-options] user-mod LOGIN [options]
>
> ipa: error: no such option: --krbpasswordexpiration
>
My bad, I copied the attribute name instead of the CLI option name. Can
you try with
ipa user-mod LOGIN --password-expiration=DATETIME

Note: if you type *ipa user-mod --help* you can see all the available
options.
flo



[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
Hi Florence,
unfortunately, 

ipa user-mod user1 --krbpasswordexpiration='2024-06-28 07:49:37Z'
Usage: ipa [global-options] user-mod LOGIN [options]

ipa: error: no such option: --krbpasswordexpiration

--

ipa --version
VERSION: 4.5.4, API_VERSION: 2.228





[Freeipa-users] Re: help

2023-02-07 Thread Pagan, Omar via FreeIPA-users
I deployed coredns zones in openstack to accommodate for the private IPs in the 
zone I wanted with the FQDN.  Once the private IPs were able to resolve with 
the domain I wanted I was able to deploy.

If anyone want details, I can post here.


[Freeipa-users] Re: Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')

2023-02-07 Thread alexey safonov via FreeIPA-users
Thanks. Correct, my ipa was 4.8.2; after updating to 4.8.7 all good.

Tue, 7 Feb 2023 at 21:50, Florence Blanc-Renaud :
>
> Hi,
>
> the issue really looks similar to
> - 1998016 RA key import failing during pki instance creation on RHEL9.0 
> replica from RHEL8.4 server
> - 2032806 - Error replacing a replica with CentOS Stream 9
> The fix requires an update of both pki and ipa packages.
>
> flo
>
> On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users 
>  wrote:
>>
>> I have 5 servers on CentOS 8 Stream, and while trying to update to
>> Rocky 9.1 I found that re-creating new replicas is successful only with
>> one server. The others give an error
>>
>> It fails with this error (full log attached):
>>   [22/29]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>>  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
>> \nmain(ra_agent_parser())\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n
>> common.main(parser, export_key, import_key)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in
>> main\nfunc(args, tmpdir, **kwargs)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in
>> import_key\nipautil.run(cmd, umask=0o027)\n  File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\nraise
>> CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F:error:0308010C:digital envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
>>   [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> So currently I'm in a situation where I have servers:
>> A,B - CentOS8
>> C,D,E - RHEL9
>>
>> I know that only when I'm mastering with server B the recreation of
>> replica will be successful. Even with the new server on RHEL9.1 no
>> replica will be created due to custodia error.
>>
>> Any ideas on how to fix that?
>>
>> pki-ca on server A - 10.12.0.3
>> server B - 10.12.0.2
>> C,D,E - 11.2.1.1
>>
>> ipa on A, B - 4.9.8.2
>> C,D,E - 4.10.0.7
>>
>> I'm really worried about why only creating a replica with server B works.
>>
>> Alex
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: 
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: 
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam, report it: 
>> https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: password-expiration

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Feb 7, 2023 at 4:11 PM None via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
> in FreeIPA 4.5.4, how do you reset a user's password expiration date?
>

IIRC the command "ipa user-mod LOGIN --krbpasswordexpiration=DATETIME" was
already available in that version.
flo



[Freeipa-users] password-expiration

2023-02-07 Thread None via FreeIPA-users
Hello,
in FreeIPA 4.5.4, how do you reset a user's password expiration date?
Many thanks.
Best regards,
Philippe


[Freeipa-users] Re: ipa-replica-install fails when I use custom certificates

2023-02-07 Thread Rob Crittenden via FreeIPA-users
Bryan Fang via FreeIPA-users wrote:
> Hi folks,
> hope you are doing well. In the case of domain level 0, when I run 
> ipa-replica-install I have to provide the gpg file as one of the parameters, and 
> cannot use --dirsrv-cert-file etc. together with the gpg file:
> 'You cannot specify any of --dirsrv-cert-file, --http-cert-file, or 
> --pkinit-cert-file together with replica file'
> As you suggested, I ran ipa-client-install first, so all certificates should 
> be placed correctly; then when I run ipa-replica-install file.gpg -d, I 
> get the error message below
> ipapython.admintool: DEBUG The ipa-replica-install command failed, 
> exception: ScriptError: IPA client is already configured on this system.
> Please uninstall it first before configuring the replica, using 
> 'ipa-client-install --uninstall'.
> ipapython.admintool: ERROR IPA client is already configured on this system.
> 
> but there is a certificate issue if I uninstall ipa-client, so how do I solve this? 
> thanks in advance!

It's hard to help with older installs when you don't provide any version
or OS information.

DL0 doesn't allow for client promotion to replica.

Is there a reason you're not upgrading to DL1?

Information on how the server is installed would be helpful. It sure
sounds like you replaced some certificates with externally-signed ones
but still have an IPA CA, is that correct?

rob


[Freeipa-users] Re: Joining realm failed: libcurl failed to execute the HTTP POST transaction

2023-02-07 Thread Rob Crittenden via FreeIPA-users
Bryan Fang via FreeIPA-users wrote:
> After adding the certificates and chain of *.domain.com to /etc/ipa/ca.crt on 
> the master freeipa, then copying the ca.crt file to the client machine and renaming it to 
> ca.pem with 
> mv ca.crt ca.pem
> this ca.pem includes all required certificates for both the ipa server and the https 
> server; then run the ipa-client-install command like below, and it will work for a new 
> client machine
> 
> ipa-client-install --mkhomedir --domain=domain2.com --server=ipa.domain.com 
> --realm=DOMAIN.COM --force-ntpd --hostname=ipa.domain2.com -d 
> --ca-cert-file=/home/ec2-user/ca.pem 

If you use ipa-cacert-manage to load the external CA certificates onto
the IPA server then using a custom ca-cert-file shouldn't be necessary
as the entire cert chain will be pulled down as part of the installation.

Note that when you add custom certificates you should run ipa-certupdate
on all IPA hosts, clients and servers, to pull in the new chain.

rob


[Freeipa-users] Re: Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')

2023-02-07 Thread alexey safonov via FreeIPA-users
How can I send that request to a specific server? It's going to one of
the old servers during replica creation:

  [2/2]: Importing RA key
  [2/2]: Importing RA key
Waiting up to 300 seconds to see our keys appear on host
ldap://lt-hkg1-avm01.int.lhft.io
Starting new HTTPS connection (1): lt-hkg1-avm01.int.lhft.io:443
https://lt-hkg1-avm01.int.lhft.io:443 "GET
/ipa/keys/ra/ipaCert?type=kem= HTTP/1.1" 200 6024
Starting external process
args=['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
Process finished, return code=0
stdout=
stderr=
Starting external process

Tue, 7 Feb 2023 at 21:50, Florence Blanc-Renaud :
>
> Hi,
>
> the issue really looks similar to
> - 1998016 RA key import failing during pki instance creation on RHEL9.0 
> replica from RHEL8.4 server
> - 2032806 - Error replacing a replica with CentOS Stream 9
> The fix requires an update of both pki and ipa packages.
>
> flo
>
> On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users 
>  wrote:
>>
>> I have 5 servers on CentOS 8 stream, and while trying to update to
>> Rocky 9.1 I found that re-creating new replicas only with one server
>> it is successful. And the others provide an error
>>
>> It fails with this error (full log attached):
>>   [22/29]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>>  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
>> \nmain(ra_agent_parser())\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n
>> common.main(parser, export_key, import_key)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in
>> main\nfunc(args, tmpdir, **kwargs)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in
>> import_key\nipautil.run(cmd, umask=0o027)\n  File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\nraise
>> CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F:error:0308010C:digital envelope
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
>>   [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> So currently, I'm in a situation where I have servers:
>> A,B - CentOS8
>> C,D,E - RHEL9
>>
>> I know that only when I'm mastering with server B the recreation of
>> replica will be successful. Even with the new server on RHEL9.1 no
>> replica will be created due to custodia error.
>>
>> Any ideas on how to fix that?
>>
>> pki-ca on server A - 10.12.0.3
>> server B - 10.12.0.2
>> C,D,E - 11.2.1.1
>>
>> ipa on A, B - 4.9.8.2
>> C,D,E - 4.10.0.7
>>
>> I'm really worrying why only creating replica with server B works.
>>
>> Alex


[Freeipa-users] Re: Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')

2023-02-07 Thread alexey safonov via FreeIPA-users
Correct, but that's a problem. Seems like a RHEL 9 server is not able to make
a replica with RHEL 9. Only one of the two old Stream 8 servers works.

Alex

On Tue, Feb 7, 2023, 21:50 Florence Blanc-Renaud  wrote:

> Hi,
>
> the issue really looks similar to
> - 1998016  RA key
> import failing during pki instance creation on RHEL9.0 replica from RHEL8.4
> server
> - 2032806  - Error
> replacing a replica with CentOS Stream 9
> The fix requires an update of both pki and ipa packages.
>
> flo
>
> On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> I have 5 servers on CentOS 8 stream, and while trying to update to
>> Rocky 9.1 I found that re-creating new replicas only with one server
>> it is successful. And the others provide an error
>>
>> It fails with this error (full log attached):
>>   [22/29]: Importing RA key
>> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
>> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
>> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>>  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
>> \nmain(ra_agent_parser())\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 114, in main\n
>> common.main(parser, export_key, import_key)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
>> line 73, in
>> main\nfunc(args, tmpdir, **kwargs)\n  File
>> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
>> line 69, in
>> import_key\nipautil.run(cmd, umask=0o027)\n  File
>> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
>> run\nraise
>> CalledProcessError(\nipapython.ipautil.CalledProcessError:
>> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
>> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
>> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
>> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
>> \'Error outputting keys and
>> certificates\\n80EB2D6B5D7F:error:0308010C:digital envelope
>>
>> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
>> default library context, Algorithm (RC2-40-CBC : 0),
>> Properties ()\\n\')\n')
>>   [error] FileNotFoundError: [Errno 2] No such file or directory:
>> '/var/lib/ipa/ra-agent.key'
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> So currently, I'm in a situation where I have servers:
>> A,B - CentOS8
>> C,D,E - RHEL9
>>
>> I know that only when I'm mastering with server B the recreation of
>> replica will be successful. Even with the new server on RHEL9.1 no
>> replica will be created due to custodia error.
>>
>> Any ideas on how to fix that?
>>
>> pki-ca on server A - 10.12.0.3
>> server B - 10.12.0.2
>> C,D,E - 11.2.1.1
>>
>> ipa on A, B - 4.9.8.2
>> C,D,E - 4.10.0.7
>>
>> I'm really worrying why only creating replica with server B works.
>>
>> Alex


[Freeipa-users] Re: Error on updating FreeIPA (custodia No such file or directory: '/var/lib/ipa/ra-agent.key')

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

the issue really looks similar to
- 1998016  RA key
import failing during pki instance creation on RHEL9.0 replica from RHEL8.4
server
- 2032806  - Error
replacing a replica with CentOS Stream 9
The fix requires an update of both pki and ipa packages.

flo

On Mon, Feb 6, 2023 at 4:21 AM alexey safonov via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I have 5 servers on CentOS 8 stream, and while trying to update to
> Rocky 9.1 I found that re-creating new replicas only with one server
> it is successful. And the others provide an error
>
> It fails with this error (full log attached):
>   [22/29]: Importing RA key
> Error storing key "keys/ra/ipaCert": CalledProcessError(Command
> ['/usr/libexec/ipa/custodia/ipa-custodia-ra-agent', '--import', '-']
> returned non-zero exit status 1: 'Traceback (most recent call last):\n
>  File "/usr/libexec/ipa/custodia/ipa-custodia-ra-agent", line 8, in
> \nmain(ra_agent_parser())\n  File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 114, in main\n
> common.main(parser, export_key, import_key)\n  File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/common.py",
> line 73, in
> main\nfunc(args, tmpdir, **kwargs)\n  File
> "/usr/lib/python3.9/site-packages/ipaserver/secrets/handlers/pemfile.py",
> line 69, in
> import_key\nipautil.run(cmd, umask=0o027)\n  File
> "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in
> run\nraise
> CalledProcessError(\nipapython.ipautil.CalledProcessError:
> CalledProcessError(Command [\'/usr/bin/openssl\', \'pkcs12\', \'-in\',
> \'/tmp/tmp7jrs5dqp/import.p12\', \'-clcerts\', \'-nokeys\', \'-out\',
> \'/var/lib/ipa/ra-agent.pem\', \'-password\',
> \'file:/tmp/tmp7jrs5dqp/passwd\'] returned non-zero exit status 1:
> \'Error outputting keys and
> certificates\\n80EB2D6B5D7F:error:0308010C:digital envelope
>
> routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global
> default library context, Algorithm (RC2-40-CBC : 0),
> Properties ()\\n\')\n')
>   [error] FileNotFoundError: [Errno 2] No such file or directory:
> '/var/lib/ipa/ra-agent.key'
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> So currently, I'm in a situation where I have servers:
> A,B - CentOS8
> C,D,E - RHEL9
>
> I know that only when I'm mastering with server B the recreation of
> replica will be successful. Even with the new server on RHEL9.1 no
> replica will be created due to custodia error.
>
> Any ideas on how to fix that?
>
> pki-ca on server A - 10.12.0.3
> server B - 10.12.0.2
> C,D,E - 11.2.1.1
>
> ipa on A, B - 4.9.8.2
> C,D,E - 4.10.0.7
>
> I'm really worrying why only creating replica with server B works.
>
> Alex


[Freeipa-users] Re: Visibility/access of Freeipa users to windows on trusted AD

2023-02-07 Thread Francis Augusto Medeiros-Logeay via FreeIPA-users


Thanks a lot Alexander.

Best,
Francis
---
Francis Augusto Medeiros-Logeay
Oslo, Norway

On 2023-02-07 08:20, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 06 Feb 2023, Francis Augusto Medeiros-Logeay via FreeIPA-users
> wrote:
>
> > Hi,
> >
> > I have searched this everywhere, but can't find it.
> >
> > I want to grant access to a FreeIPA user to a Windows machine. When I
> > try to grant the user access on windows, adding it like
> > FREEIPADOMAIN\freeipauser, I get an error. There is a trust between
> > both domains, but every place where I see the trusted domain on
> > Windows (for example when configuring a GPO) I can't search for
> > FreeIPA users.
> >
> > Is this how it is supposed to be, or how can I see my FreeIPA users on
> > Windows the same way I see AD users on my freeipa linux clients?
>
> This is how it is supposed to be. Using IPA users on Windows systems in
> trusted AD forest is not supported so far. We need to complete Global
> Catalog service implementation first which is currently on hold due to
> other work being priority.



[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2023-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Feb 7, 2023 at 1:28 AM Jernej Jakob via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi David. I had the same issue here and found your writeup to be very
> helpful.
>
> I used more or less the same ldap actions to delete the certificates
> and requests (~3.6k) from LDAP. This did make 'ipa cert-find' display
> just the one "used"/"correct" certificate for the host, but the main
> issue is not fixed. The webUI still displays all the old certificates
> that I have deleted from LDAP. Opening the "Hosts" tab or a host page
> takes very long, around 1-2 minutes.
>
> So I want to know what else needs to be done to make the webUI "forget"
> about the wrongly issued certificates?
>
> Where does the webUI get its list of certificates?
> I did some searching through the code and could only find the JS
> code that invokes a RPC call. But I could not find the code that
> handles that call.
>
The webui is making a call equivalent to "ipa cert-find" which is handled
by the following code:
https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/cert.py#L1496

The call looks for certificates in multiple locations:
- in the subtree "ou=certificateRepository,ou=ca,o=ipaca"
- in the suffix "dc=example,dc=com", in the users/hosts/services entries

You cleaned the certificates from the cert repository but there may be many
entries (users/hosts/services) containing a userCertificate attribute. To
avoid seeing those certs you would have to delete the corresponding
userCertificate values.

HTH,
flo
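Added example (not FreeIPA's own code) of the cleanup flo describes: it parses an LDIF dump of host and service entries carrying userCertificate values, reads each certificate's serial number with a minimal DER walk of the TBSCertificate prefix, and renders the ldapmodify input that deletes only the values whose serial is not the one kept (268369940, from this thread). The DNs, the LDIF dump and the DER blobs are constructed stand-ins rather than real certificates.

```python
import base64
import re

def der_tlv(buf: bytes, pos: int):
    """One DER TLV at pos -> (tag, content_start, content_end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der: bytes) -> int:
    """Serial of a DER X.509 cert: Certificate SEQ > tbsCertificate SEQ > [0] version > INTEGER."""
    p = der_tlv(der, der_tlv(der, 0)[1])[1]  # step into both SEQUENCEs
    tag, s, e = der_tlv(der, p)
    if tag == 0xA0:                          # optional EXPLICIT [0] version precedes the serial
        tag, s, e = der_tlv(der, e)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[s:e], "big", signed=True)

def parse_ldif(text: str):
    """Yield (dn, attr, [der, ...]) per entry of 'ldapsearch -LLL' output, unfolding wrapped lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attr, certs = None, "userCertificate;binary", []
        for line in re.sub(r"\n ", "", block).splitlines():
            if line.startswith("dn: "):
                dn = line[4:]
            elif (m := re.match(r"(userCertificate(?:;binary)?):: (.+)", line)):
                attr = m.group(1)
                certs.append(base64.b64decode(m.group(2)))
        if dn:
            yield dn, attr, certs

def stale_certificate_values(ldif_text: str, keep_serials) -> dict:
    """Map dn -> (attr, [der, ...]) for stored certificates whose serial is not in keep_serials."""
    found = ((dn, attr, [c for c in certs if cert_serial(c) not in keep_serials])
             for dn, attr, certs in parse_ldif(ldif_text))
    return {dn: (attr, bad) for dn, attr, bad in found if bad}

def deletion_ldif(stale: dict) -> str:
    """ldapmodify input that removes only the stale values and leaves the kept certificate alone."""
    chunks = []
    for dn, (attr, certs) in stale.items():
        values = "".join(f"{attr}:: {base64.b64encode(c).decode()}\n" for c in certs)
        chunks.append(f"dn: {dn}\nchangetype: modify\ndelete: {attr}\n{values}-\n")
    return "\n".join(chunks)

def fake_der(serial: int) -> bytes:
    """Constructed stand-in: real prefix layout up to the serial, dummy body; not a real certificate."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # minimal positive DER INTEGER
    tbs = b"\xa0\x03\x02\x01\x02\x02" + bytes([len(ser)]) + ser + b"\x30\x00"
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs

b64_fake = lambda serial: base64.b64encode(fake_der(serial)).decode()
KEEP = {268369940}                           # serial of the certificate the host really uses
HOST_DN = "fqdn=badhost.example.com,cn=computers,cn=accounts,dc=example,dc=com"
SVC_DN = "krbprincipalname=HTTP/badhost.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
SAMPLE_LDIF = "\n".join([                    # constructed dump; the second value is LDIF-folded on purpose
    f"dn: {HOST_DN}", f"userCertificate;binary:: {b64_fake(268369940)}",
    f"userCertificate;binary:: {b64_fake(268369941)[:10]}", f" {b64_fake(268369941)[10:]}", "",
    f"dn: {SVC_DN}", f"userCertificate;binary:: {b64_fake(268369942)}",
])
```

Feed the rendered LDIF to ldapmodify as Directory Manager; since cert-find also reads ou=certificateRepository, the CA-side deletion described earlier in the thread is still needed on top of this.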

>
> IIRC my issue that caused certmonger to request a certificate over and
> over was caused by a bug after upgrading a client from Ubuntu 14.04 to
> 16.04. The path to ca_external_helper changed but it was not changed in
> /var/lib/certmonger/cas/* which caused certmonger to fail running
> ca_external_helper. To fix it I did:
>
> sed -i -e 's#x86_64-linux-gnu/##g; s#certmonger/certmonger#certmonger#g'
> /var/lib/certmonger/cas/*
>
>
> Below is the exact procedure I used to delete the certificates from
> LDAP.
>
> First fix the issue that caused the issuing of too many certificates.
> Make sure it successfully issued and saved the cert on the client and
> that it's in status "MONITORING", "stuck: no".
> Find the serial number of the cert currently present on the client.
> 'sudo getcert list', look at "certificate:" in my case it was in
> "/etc/ssl/private/hostname-ipa-cert.crt"
> openssl x509 -in /etc/ssl/private/hostname-ipa-cert.crt -noout -text
> In my case it was 268369940.
>
> Used the following shell script to revoke all the certificates with
> serial not matching. I did this before I knew how to get the cert
> serials from ldap so it uses ipa cert-find. It's a slow process.
> for s in $(ipa cert-find --hosts=badhost --pkey-only --sizelimit=0|awk
> '/Serial number/{print $3 ;}'); do if [ "$s" = "268369940" ] || [ -z "$s"
> ]; then continue; fi; echo "revoking $s"; ipa cert-revoke "$s"; done
>
> You can view all the revoked cert cn's with this command before
> deleting them.
> ldapsearch -LLL -x -D "cn=directory manager" -W -b
> "ou=certificateRepository,ou=ca,o=ipaca"
> '(&(subjectName~="badhost")(certStatus=REVOKED))' dn certStatus|less
>
> Make a list of all cert cn's not matching the used cert, save output
> into a file, ready to be read by ldapdelete later.
> ldapsearch -LLL -x -D "cn=directory manager" -W -b
> "ou=certificateRepository,ou=ca,o=ipaca"
> '(&(subjectName~="badhost")(!(cn=268369940)))' | grep -o 'cn=.*' >
> cert_to_delete_not_used_badhost
>
> Make a list of all the requestId for all the certs to be deleted.
> ldapsearch -LLL -x -D "cn=directory manager" -W -b
> "ou=certificateRepository,ou=ca,o=ipaca"
> '(&(subjectName~="badhost")(!(cn=268369940)))' metaInfo|grep -oP
> 'requestId:\K.*' > cert_request_to_delete_not_used_from_metaInfo_badhost
>
> In my case there were a couple more requests than issued certs, I'm not
> sure why. I made a list of all requests for this host excluding the
> requestId of the correct cert. First find the correct/used cert
> requestId. In my case it was 9990026.
> ldapsearch -LLL -x -D "cn=directory manager" -W -b
> "ou=certificateRepository,ou=ca,o=ipaca"
> '(&(subjectName~="badhost")(cn=268369940))' metaInfo|grep -oP
> 'requestId:\K.*'
>
> Then get a list of all requests for that host, excluding that one
> requestId.
> ldapsearch -LLL -x -D "cn=directory manager" -W -b
> "ou=ca,ou=requests,o=ipaca"
> '(&(extdata-req--005fsubject--005fname--002ecn=badhost)(!(cn=9990026)))'
> dn|grep -o 'cn=.*' > cert_request_to_delete_not_used_badhost
>
> Count the number of certs/requests from the previous operations. The
> first two must match, the 3rd shows how many extra requests there are.
> wc -l cert_to_delete_not_used_badhost
> cert_request_to_delete_not_used_from_metaInfo_badhost
> cert_request_to_delete_not_used_badhost
>   3982 cert_to_delete_not_used_badhost
>   3982 cert_request_to_delete_not_used_from_metaInfo_badhost
>   3990