[Freeipa-users] can't upgrade IPA because of certificate alias problem

2017-07-13 Thread Charles Hedrick via FreeIPA-users
I’ve installed ipa. Originally I did the default install, without DNS. I then updated to a commercial cert. Notes at the end. I just did a yum update. ipa-upgrade failed with the following error: 2017-07-12T19:23:39Z DEBUG stderr= 2017-07-12T19:23:44Z DEBUG Loading Index file from

[Freeipa-users] Re: Radius authentication trouble

2017-09-15 Thread Charles Hedrick via FreeIPA-users
It’s not entirely clear to me what the configuration is. You say “second factor.” If you’re using 2FA, things that normally work no longer do. If you’re putting Freeradius in front of IPA, neither of the ways Freeradius would talk to IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP

[Freeipa-users] Re: Could not chdir to home directory: Permission denied

2017-09-19 Thread Charles Hedrick via FreeIPA-users
If you are mounting the file system with kerberos, mkhomedir won’t work. I have a Kerberized mkhomedir if that’s your issue. On Sep 16, 2017, at 6:45 PM, Wanderley Teixeira via FreeIPA-users wrote: I installed

[Freeipa-users] how I spent my day (hints on dealing with issues setting up a replica)

2017-10-06 Thread Charles Hedrick via FreeIPA-users
In case anyone else has the same problem, let me document what I did today with our IPA installation (Centos 7.3) We started out by installing a primary with a default install, and doing ipa-replica-install with no parameters. That worked fine. We then installed a commercial certificate, because

[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-06 Thread Charles Hedrick via FreeIPA-users
We were in the same situation. I tried this solution, and it does fix the problem with not being able to upgrade. However it still leaves an inconsistency in the configuration. I was unable to add a new replica. It failed at the CA step, even if the new replica was installed without CA. The

[Freeipa-users] unexpected upgrade to 4.5

2017-10-16 Thread Charles Hedrick via FreeIPA-users
I just installed a new replica on Centos 7.3. Our existing servers are also on Centos 7.3, and use IPA 4.4, which comes with Centos 7.3. I was somewhat surprised to find that my new replica was IPA 4.5 with a newer version of sssd as well. It appears that the replica install process did the

[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-02 Thread Charles Hedrick via FreeIPA-users
Note that the --rename option of certutil doesn’t seem to work for this format of files. Extract the cert, delete and add it back with the new nickname. e.g. certutil -L -d /etc/httpd/alias -n 'CN=…' -a -o ~/krb1.cert certutil -D -d /etc/httpd/alias -n 'CN=…' certutil -A -d

[Freeipa-users] problems installing replicas

2017-10-11 Thread Charles Hedrick via FreeIPA-users
I’ve mentioned problems setting up a replica. I just got it to work. The install ran cleanly. No sign of errors. However a couple of items ended up in LDAP on the replica, but didn’t get into the copies on the original 2 systems. krb4.cs.rutgers.edu is the new

[Freeipa-users] Re: Upgrading with GoDaddy SSL cert for https only

2017-10-11 Thread Charles Hedrick via FreeIPA-users
There was a previous email about this. I suspect what failed was near the end when it was upgrading the CA. As part of that process it looks at the certificates for LDAP and HTTP. It expects the nicknames in the certificate database to be Server-Cert. However the process of installing a 3rd

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-28 Thread Charles Hedrick via FreeIPA-users
We successfully ran on Centos 7.3 with 4.4.4 and 4.5, the 4.5 having been installed later. The first step in installing the replica was that it automatically upgraded itself to the newest release, so it happened without giving us any choice. We later upgraded everything to 4.5. 4.5 have

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Charles Hedrick via FreeIPA-users
I did “yum upgrade ipa-server,” which presumably does the things that are most likely to be an issue. I didn’t have any problems. I’ll do the rest of the 7.4 upgrade during Thanksgiving break. I wasn’t actually planning to do the IPA 4.5 upgrade (which is what this did) until Thanksgiving. But

[Freeipa-users] Re: ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-16 Thread Charles Hedrick via FreeIPA-users
I’ve seen the same thing. Or at least I think it seems like it’s related. We have three servers, all on Centos. The initial one was installed under 7.3, using defaults. That caused it to generate a self-signed CA. We later added a commercial cert for HTTP and LDAP. When we upgraded to 7.4, it

[Freeipa-users] Re: PWM and FreeIPA integration

2017-11-16 Thread Charles Hedrick via FreeIPA-users
I can’t help with PWM, but I can say that I have a self-service web app that does “ipa passwd” to change user passwords. It works fine, though the principal it uses has to be registered specially if you don’t want the user to be forced to change password the first time they login. The

[Freeipa-users] Re: adding new server to freeipa

2017-11-05 Thread Charles Hedrick via FreeIPA-users
If I understand your question, you want to specify --domain=example.com in ipa-client-install. /etc/sssd/sssd.conf After installation you can fix it. Make sure the DNS entry for example.com has all the SRV records /etc/sssd/sssd.conf ipa_domain is set

[Freeipa-users] Re: sudoers issues

2017-11-09 Thread Charles Hedrick via FreeIPA-users
mpleblend.net>]]] [sdap_process_result] (0x2000): Trace: sh[0x55848d200b40], connected[1], ops[(nil)], ldap[0x55848d2272e0] (Thu Nov 9 08:53:57 2017) [sssd[be[mgt.stl.exampleblend.net]]] [sdap_process_result] (0x2000): Trace: end of ldap_result lis

[Freeipa-users] kinit -n

2017-11-01 Thread Charles Hedrick via FreeIPA-users
I understood that kinit -n is supposed to work with IPA 4.5. I have a server upgraded from 4.4 to 4.5. kinit -n prompts for a password. What needs to be true on client and server for this to work?

[Freeipa-users] Re: Accessing KRB5 NFS from local system accounts

2017-12-01 Thread Charles Hedrick via FreeIPA-users
Do you also need auth_to_local in krb5.conf? I believe idmapd just controls what you see in ls -l. On Dec 1, 2017, at 8:34 AM, Anton Semjonov via FreeIPA-users wrote: On 01/12/17 00:11, Simo Sorce via FreeIPA-users wrote: On Thu, 2017-11-30 at

[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-18 Thread Charles Hedrick via FreeIPA-users
The basic technology is solid and the admin tools reasonable. However it has the same problems as all large, integrated systems: if the system isn’t in exactly the state they expect, significant administrative operations such as upgrading version or adding a replica will fail. Those things are

[Freeipa-users] Re: NFSv4 question

2018-06-25 Thread Charles Hedrick via FreeIPA-users
Right. the documentation is often not clear. Most Linux client software will try several principals. One of them is host/hostname. So you don’t need nfs/hostname. Since nfs/hostname is one of the principals it tries, some documentation says to use that principal. > On Jun 19, 2018, at 3:24 AM,

[Freeipa-users] Re: 2FA integration: FreeIPA and Mac OS

2018-06-25 Thread Charles Hedrick via FreeIPA-users
You can get an MIT Kerberos implementation from Macports. I use that myself. However I don’t use it for login, so I haven’t tried the pam support on the Mac. The Macports implementation supports both 2FA and the https proxy. We restrict access to our kerberos servers, so people at home have to

[Freeipa-users] Re: auth to pther providers still using freeipa

2018-06-25 Thread Charles Hedrick via FreeIPA-users
It depends upon what you want to do. If you want a user to authenticate for all purposes using some external service, you can do that, as long as the external service supports radius. You may have to set up a radius server and configure it to use the external authentication. You can have more

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Charles Hedrick via FreeIPA-users
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-09 Thread Charles Hedrick via FreeIPA-users
I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and 2 the existing ones. However a few things set up on krb4 didn't replicate to the krb1 and krb2. There were enough issues that I did a full comparison of dumps from krb1 and krb4. Use

[Freeipa-users] Re: restricting shells

2018-01-26 Thread Charles Hedrick via FreeIPA-users
. This is really what I’d expect default behavior to be if allowed_shells isn’t set. > On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes

[Freeipa-users] Re: restricting shells

2018-01-26 Thread Charles Hedrick via FreeIPA-users
Hrm, is there any provision for different paths for the same shell on different platforms? (E.g. bash on Linux vs FreeBSD) On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users wrote:

[Freeipa-users] restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
One of my staff made a typo in his shell in “ipa user-mod --shell” It can be hard to recover from, since you can’t login. Is there a way to restrict what they can use? Traditionally only shells in /etc/shells were valid.

[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
looks like the real solution is valid_shells in sssd.conf. That will prevent people from damaging themselves. > On Jan 25, 2018, at 3:12 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > > Charles Hedrick via FreeIPA-users wrote: >> One of my staff made a typo in his s

[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
ugh. valid_shells is carefully designed so it can’t be used for this. But doing it in sshd is probably the right answer. > On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > looks like the real soluti

[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
given the way sssd is designed, if we could restrict in IPA to a list, sssd could map anything that’s not on the local system to a fallback. But sssd isn’t set up so that random typos can get mapped to a fallback. > On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users

[Freeipa-users] user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
There’s a convention of creating admin instances for users, usually named user/admin. IPA doesn’t seem to allow such instances. Is there a way to make them work? As far as I can tell the instance can only be a hostname. That doesn’t seem like a sensible restriction.

[Freeipa-users] Re: user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
I can actually create a principal foo/admin by creating a user foo-admin and change the principal. But kinit can’t use it, so it’s not terribly useful. > On Feb 13, 2018, at 4:52 PM, Charles Hedrick wrote: > > There’s a convention of creating admin instances for users,

[Freeipa-users] Re: user/admin

2018-02-14 Thread Charles Hedrick via FreeIPA-users
I have two identities, one a normal user and one with privileges in IPA. The normal Kerberos convention is for them to be hedrick and hedrick/admin. > On Feb 13, 2018, at 5:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > > Charles Hedrick via FreeIPA-users wrote: >>

[Freeipa-users] Re: user/admin

2018-02-19 Thread Charles Hedrick via FreeIPA-users
principals. > On Feb 15, 2018, at 3:34 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > > On ke, 14 helmi 2018, Charles Hedrick via FreeIPA-users wrote: >> I have two identifies, one a normal user and one with privileges in >> IPA. The normal Kerberos conventio

[Freeipa-users] Re: user/admin

2018-02-19 Thread Charles Hedrick via FreeIPA-users
From the point of view of managing users, it would be nice to be able to add it as a secondary principal for the user. It’s not important enough for a major implementation effort. > On Feb 19, 2018, at 4:11 PM, Charles Hedrick via FreeIPA-users > <freeipa-users@lists.fedorahosted.o

[Freeipa-users] Re: [SSSD-users] Re: Re: Auto create NFS home folders on IPA Server.

2018-03-14 Thread Charles Hedrick via FreeIPA-users
to the daemon, however, is Kerberized. That should work in any IPA environment. > On Mar 14, 2018, at 10:39 AM, Charles Hedrick via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > I noted before that we have a Kerberized mkhomedir. There’s a pam module, > pa

[Freeipa-users] Re: [SSSD-users] Re: Re: Auto create NFS home folders on IPA Server.

2018-03-14 Thread Charles Hedrick via FreeIPA-users
I noted before that we have a Kerberized mkhomedir. There’s a pam module, pam_kmkhomedir. It does a kerberized call to a service on the NFS server or some other system that has the file system mounted in a way that it can create directories. We did this because we use Kerberized NFS. Root can’t

[Freeipa-users] Re: Obtain TGT at login.

2018-04-09 Thread Charles Hedrick via FreeIPA-users
A TGT comes from either a password or some other type of identification. Somehow you have to identify the user, whether it’s password, biometrics, or whatever. The process that identifies the user is assumed to create the TGT. Typically sssd handles login, so if you login with a password or some

[Freeipa-users] Re: Is IPA secure enough for public exposure plus trust management issue

2018-10-29 Thread Charles Hedrick via FreeIPA-users
We have a separate web app to change passwords. But the normal approach if they haven’t forgotten their password is the kpasswd command. Of course we’re in a Linux environment where our users know the command line. > On Oct 18, 2018, at 9:58 AM, William Muriithi via FreeIPA-users > wrote: >

[Freeipa-users] uid/gid mapping from windows to IPA

2019-01-09 Thread Charles Hedrick via FreeIPA-users
We’re in the process of setting up Windows machines to authenticate against IPA and use home directories from our NFS servers with Kerberized NFS. The process is not easy, but possible. One thing I’ve found frustrating is that documentation on Windows NFS is terrible. In particular, when you

[Freeipa-users] Re: uid/gid mapping from windows to IPA

2019-01-09 Thread Charles Hedrick via FreeIPA-users
. I’m hardcoding the server because it makes debugging easier. > On Jan 9, 2019, at 12:24 PM, Charles Hedrick via FreeIPA-users > wrote: > > We’re in the process of setting up Windows machines to authenticate against > IPA and use home directories from our NFS servers with

[Freeipa-users] Re: system time

2019-01-09 Thread Charles Hedrick via FreeIPA-users
In Linux, time is always in UTC internally. The time zone controls how time is shown to users. Changing the time zone thus has no effect on the internal operations of the servers. It just changes log files and user displays. If you actually reset the time on the server to local time, Kerberos

[Freeipa-users] Re: FreeIPA for the maximally paranoid and overworked?

2019-01-09 Thread Charles Hedrick via FreeIPA-users
Rob mentioned issues with restoring data for one entry. We run on VMs, and periodically take snapshots. We can copy a snapshot to a new VM. Since the hostname is critical, edit /etc/hosts and add an entry for the new IP address giving it the original hostname. That way the system will think

[Freeipa-users] yum upgrade doesn't do IPA upgrade

2019-01-03 Thread Charles Hedrick via FreeIPA-users
For some reason on one of our 3 servers, yum update didn’t run the IPA upgrade. /var/log/ipaupgrade.log was zero length. “ipactl start” noted that an upgrade was needed, and did it. So it wasn’t a big deal. But it would be nice for yum update to show some sign if there’s an issue. And perhaps

[Freeipa-users] Re: different security policy for login(password+otp) and screenlock (password only) for workstation

2019-03-26 Thread Charles Hedrick via FreeIPA-users
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. Here’s the default in password-auth and system-auth for Centos 7: auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1

[Freeipa-users] timeout for IPA command

2019-03-19 Thread Charles Hedrick via FreeIPA-users
It appears that the IPA command uses a host hardwired in /etc/ipa/default.conf. If that fails, it then gets a list from DNS. This works fine if there’s a connection refused, but if there is no response, it takes so long to time out that most users will give up. Is there a way to change the

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-21 Thread Charles Hedrick via FreeIPA-users
2 of our 3 IPA servers are exposed to the Internet. However we have a host firewall that limits the hosts that can access us. We use iptables with an ipset. I have a cron job that dumps a list of hosts known to IPA and adds them to the ipset. So basically we’ll only accept connections from
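
The refresh job described in this post, as an added example (not the poster's own script): dump the hosts enrolled in IPA, resolve them, and rebuild an ipset that the iptables rule matches on. Assumed names and details not in the post: the set is called ipa-hosts, the job already holds a Kerberos ticket for "ipa host-find" (for instance from a service keytab), and names are resolved with getent.

```shell
#!/bin/sh
# Added example, not the poster's cron job: rebuild an ipset from the host
# entries in IPA so the host firewall only accepts connections from machines
# enrolled in IPA. Assumed names (not from the post): the set is "ipa-hosts",
# the job has a valid Kerberos ticket for "ipa host-find" (e.g. from a
# service keytab), and names are resolved with getent.

SET_NAME="${SET_NAME:-ipa-hosts}"

# Print the host names from "ipa host-find" output (its "Host name:" lines).
extract_hostnames() {
    awk -F': ' '/^ *Host name:/ { print $2 }' "$1"
}

# Resolve host names on stdin to IPv4 addresses, one per line. A name that
# does not resolve is reported and skipped so one stale entry cannot block
# the whole refresh.
resolve_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        addrs=$(getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u)
        if [ -z "$addrs" ]; then
            echo "warning: cannot resolve $host, skipping" >&2
            continue
        fi
        printf '%s\n' "$addrs"
    done
}

# Turn addresses on stdin into an "ipset restore" script that fills a
# staging set; the caller swaps it into place so the live set is never empty.
build_restore_script() {
    echo "create $1-new hash:ip family inet -exist"
    echo "flush $1-new"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "add $1-new $ip -exist"
    done
}

# Full refresh: dump hosts from IPA (no size limit, primary key only),
# resolve, load into the staging set, swap it in, drop the old contents.
refresh_ipset() {
    tmp=$(mktemp)
    ipa host-find --sizelimit=0 --pkey-only > "$tmp"
    extract_hostnames "$tmp" | resolve_hosts \
        | build_restore_script "$SET_NAME" | ipset restore
    ipset create "$SET_NAME" hash:ip family inet -exist
    ipset swap "$SET_NAME-new" "$SET_NAME"
    ipset destroy "$SET_NAME-new"
    rm -f "$tmp"
}

# Matching rule, installed once rather than by this job:
#   iptables -I INPUT -m set --match-set ipa-hosts src -j ACCEPT
# followed by the usual reject rule for everything else.

if [ "${1:-}" = refresh ]; then
    refresh_ipset
fi
```

Two details matter in practice: "ipa host-find" applies the server's search size limit by default, so without --sizelimit=0 a large host list is silently truncated and hosts drop out of the allowlist; and building into a staging set and swapping means a failed resolution or a crash mid-run leaves the previous set in force rather than an empty one. The allowlist narrows who can reach the KDC and LDAP ports; authentication is still Kerberos's job.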

[Freeipa-users] Re: Doing SSO on a non-IPA joined OS X system

2019-04-30 Thread Charles Hedrick via FreeIPA-users
Kerberos works fine on OS X. as long as you don’t need Two Factor authentication or HTTPS proxy. If you need those, install the kerberos5 and ssh packages from MacPorts. ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and Firefox (SPNEGO) all support Kerberos. I think “join

[Freeipa-users] upgrade 7 to 8

2019-05-07 Thread Charles Hedrick via FreeIPA-users
I see that RHEL 8 has been released. It has an in place upgrade option. How well (if at all) has inplace upgrade on an IPA server been tested?

[Freeipa-users] Re: Fedora 30 Client

2019-07-01 Thread Charles Hedrick via FreeIPA-users
It’s hard to guess without seeing your system: * pam should be set to check both local password and sssd. If the first fails you need to go on * /etc/nsswitch.conf should probably put files before sss * user info in /etc/passwd should be the same as in IPA. If the UID or group is different I
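
The third check in this reply (local /etc/passwd entries must agree with IPA) as an added example, not code from the reply: it pulls the same user names from sssd and reports any UID, primary GID or home directory that differs. Assumptions not in the reply: sssd is configured in /etc/nsswitch.conf so "getent -s sss passwd NAME" queries IPA, and local accounts are those with UIDs from 1000 up to 59999.

```shell
#!/bin/sh
# Added example, not from the reply: compare local /etc/passwd entries with
# what sssd returns for the same names from IPA, reporting any UID, primary
# GID or home directory that differs. Assumptions: sssd is configured in
# /etc/nsswitch.conf so "getent -s sss passwd NAME" queries IPA; local
# accounts are those with UIDs from 1000 up to 59999.

export LC_ALL=C

# Reduce a passwd-format stream to "name:uid:gid:home", sorted by name
# (join needs sorted input).
passwd_key_fields() {
    awk -F: 'NF >= 7 { print $1 ":" $3 ":" $4 ":" $6 }' | sort -t: -k1,1
}

# Compare two passwd-format files (local first, IPA second). For every name
# present in both, print one line per differing field. Returns 1 if any
# field differs, 0 if all shared users agree.
compare_passwd() {
    lk=$(mktemp)
    ik=$(mktemp)
    passwd_key_fields < "$1" > "$lk"
    passwd_key_fields < "$2" > "$ik"
    if join -t: "$lk" "$ik" | awk -F: '
            $2 != $5 { print $1 " uid local=" $2 " ipa=" $5; bad = 1 }
            $3 != $6 { print $1 " gid local=" $3 " ipa=" $6; bad = 1 }
            $4 != $7 { print $1 " home local=" $4 " ipa=" $7; bad = 1 }
            END { exit bad }'; then
        status=0
    else
        status=1
    fi
    rm -f "$lk" "$ik"
    return $status
}

# Live check: take the local accounts, ask sssd/IPA for the same names,
# and diff the two. Users unknown to IPA are simply not compared.
check_live_users() {
    lf=$(mktemp)
    ipaf=$(mktemp)
    awk -F: '$3 >= 1000 && $3 < 60000' /etc/passwd > "$lf"
    awk -F: '{ print $1 }' "$lf" | while read -r name; do
        getent -s sss passwd "$name" || true
    done > "$ipaf"
    if compare_passwd "$lf" "$ipaf"; then
        status=0
    else
        status=1
    fi
    rm -f "$lf" "$ipaf"
    return $status
}

if [ "${1:-}" = check ]; then
    check_live_users
fi
```

A non-zero exit is the signal to fix the local entry (or the IPA one) before blaming pam or nsswitch; with files before sss in nsswitch.conf the local UID wins, and a mismatch shows up as files the user cannot read on Kerberized NFS rather than as a login error.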

[Freeipa-users] Re: different security policy for login(password+otp) and screenlock (password only) for workstation

2019-04-09 Thread Charles Hedrick via FreeIPA-users
: authentication failure; logname= > uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong > Mar 29 13:19:50 workstation01 mate-screensaver-dialog: > pam_sss(mate-screensaver:auth): authentication success; logname= > uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jd

[Freeipa-users] Re: can't delete host, apparent problem setting up RA

2019-08-28 Thread Charles Hedrick via FreeIPA-users
Yes “Removing self-signed CA.” is there. Our configuration may have confused the upgrader. We initially did a default install, which sets up certificate management with a self-signed cert. Then we moved to a commercial certificate, which was a documented procedure. So one of our 3 servers

[Freeipa-users] can't delete host, apparent problem setting up RA

2019-08-28 Thread Charles Hedrick via FreeIPA-users
On one of 3 IPA servers (most recent centos 7.6, 4.6.4-10.el7.centos.6). I can’t delete hosts. error_log shows a bunch of python errors, ending in [Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call [Wed Aug

[Freeipa-users] Re: can't delete host, apparent problem setting up RA

2019-08-28 Thread Charles Hedrick via FreeIPA-users
now: ra_plugin = dogtag dogtag_version = 10 enable_ra = True works. I guess that was wrong from when it was originally set up? > On Aug 28, 2019, at 4:24 PM, Rob Crittenden wrote: > > Charles Hedrick via FreeIPA-users wrote:

[Freeipa-users] how do you update certs for kinit -n?

2019-09-12 Thread Charles Hedrick via FreeIPA-users
Recent versions of freeipa support kinit -n. However we need a file that has certificates from all the servers. We have three servers. Their certificates renew themselves automatically a few hours before expiration. But then we need to concatenate all of them and put them on all clients. It
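
The concatenation step this post describes, as an added example rather than the poster's tooling: merge the certificate files collected from each server into one PEM bundle, drop duplicate blocks, and replace the installed file atomically so a kinit that runs during the update never reads a half-written bundle. The install path /etc/ipa/kdc-certs.pem is an assumption, not something the post names.

```shell
#!/bin/sh
# Added example, not the poster's tooling: merge the certificate files
# collected from each IPA server into one PEM bundle for kinit -n, dropping
# duplicate blocks and replacing the target atomically so a kinit running
# during the update never sees a half-written file. Assumed path (not from
# the post): the bundle is installed as /etc/ipa/kdc-certs.pem.

# Print every "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block from the given files, first occurrence only, anything else dropped.
merge_pem() {
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblk = 0
            if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
        }'
}

# Number of certificate blocks in a file ("-" for stdin).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the merged bundle in a temp file next to the target and rename it
# into place. Refuses to install an empty bundle. Returns 0 on success.
install_anchors() {
    target=$1
    shift
    tmp=$(mktemp "$(dirname "$target")/.anchors.XXXXXX")
    merge_pem "$@" > "$tmp"
    n=$(count_certs "$tmp" || true)
    if [ "${n:-0}" -lt 1 ]; then
        echo "refusing to install empty bundle" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"
    echo "installed $n certificate(s) into $target" >&2
}

if [ "${1:-}" = install ]; then
    shift
    install_anchors /etc/ipa/kdc-certs.pem "$@"
fi
```

Deduplication here is by exact block text, which is enough for files copied from the servers; if the same certificate can arrive re-wrapped, compare "openssl x509 -noout -fingerprint" output instead, and "openssl x509 -noout -checkend 0" is the natural place to drop a certificate that has already expired before the bundle is pushed to clients.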

[Freeipa-users] Re: Upgrade path in CentOS 7

2019-07-19 Thread Charles Hedrick via FreeIPA-users
We’ve done a number of upgrades without problems. I believe we’ve done all 7.x versions, though, and not skipped any. On Jul 3, 2019, at 5:40 PM, John Keates via FreeIPA-users wrote: To be safe, I’d just add a new server with the latest of

[Freeipa-users] Re: reinstall freeIPA server without loosing data

2019-09-19 Thread Charles Hedrick via FreeIPA-users
I have another reason to want to do a reinstall. I have 3 Centos 7 servers. I want to move to Centos 8. (eventually. I’ll do some testing first). The official approach is a new installation. Obviously I can create 3 replicas and kill the originals. But then I’ll have to find every client and

[Freeipa-users] Re: number of topology segments for 3 servers clean setup?

2019-11-04 Thread Charles Hedrick via FreeIPA-users
I followed the thread, and I’m not sure you ever got an answer. Generally ipa replica install seems to create one replication agreement. The exact relationships for 3 servers depends upon which master the replica was created from. It could be 2 replicas talking to the original, or 3 in a line.

[Freeipa-users] DHCP integration

2019-11-08 Thread Charles Hedrick via FreeIPA-users
We’re in the process of moving DHCP service to our IPA LDAP server. In our environment it makes sense to include DHCP as part of our centralized system management scheme, which is based on IPA. We seem to be getting about a DHCP request per second, so I don’t see this causing a performance

[Freeipa-users] Re: Disaster Recovery Architecture for IPA servers setup replicating in full mesh

2019-11-05 Thread Charles Hedrick via FreeIPA-users
On Nov 5, 2019, at 2:25 AM, Florence Blanc-Renaud via FreeIPA-users wrote: As a general rule, we recommend rebuilding from an existing replica, rather than using backup-restore. Right. Our strategy is * all of our systems are VMs. We take

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
I use Kerberos at home. So do a couple of faculty. I have a Kerberos https: proxy set up on one of our public web servers. This is less than ideal, as it requires installing separate Kerberos software for both Mac and Windows. The Kerberos protocol is standardized across OSs, but not the proxy

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-11 Thread Charles Hedrick via FreeIPA-users
Wouldn’t that also expose the main web UI, and IPA commands? Seems like a much larger attack surface. On Nov 11, 2019, at 1:27 PM, Alex Corcoles wrote: On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick wrote: I use Kerberos at home. So do

[Freeipa-users] what is the difference between idm:client and idm:DL1

2019-11-11 Thread Charles Hedrick via FreeIPA-users
In Centos 8, there are two streams for idm software. You need DL1 for a server. But it seems to have client software as well. Is that the same in both streams? We have a web server with the KDC proxy. It appears that we would need DL1 to get that. Is that reasonable for a system that isn’t a

[Freeipa-users] Re: what is the difference between idm:client and idm:DL1

2019-11-11 Thread Charles Hedrick via FreeIPA-users
so it’s valid to use DL1 on a system that isn’t a KDC but needs some package such as the proxy that isn’t in client? > On Nov 11, 2019, at 2:28 PM, Rob Crittenden wrote: > > Charles Hedrick via FreeIPA-users wrote: >> In Centos 8, there are two streams for idm softwar

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
In centos 8, the man page for ktutil says 1.16.1. -f isn’t in the man page nor does it work. yum also shows the version of 1.16.1. -s is there but not -f. When I tried it without -f the resulting key table didn’t work. Ubuntu 20.04 will be out shortly. Hopefully Centos 8.x will include 17. But

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
them authenticate with the same principal. Any solution for this in current version of IPA (4.6)? --- Regards, Dmitry Perets On Fri, 22 Nov 2019, 20:05 Alexander Bokovoy wrote: On pe, 22 marras 2019, Charles Hedrick via FreeIPA-users wrote: >Interesting

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
You can always fetch key tables using kadmin.local on one of the kdc’s. I haven't actually tried using ipa-getkeytab on the wrong host. I just copied the key table. I doubt ipa-getkeytab checks that the hostname matches, but it’s always possible. On Nov 22, 2019, at 3:48 PM, Dmitry Perets

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
Bound in the sense that it has the hostname as part of the principal, not in the sense that there’s any actual connection with that host when you use it. Dmitry Perets wants to use the same principal and key table on several hosts. They can simply create a principal for one of them. It and its

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
Interesting idea, but seems to require a time machine. The kerberos in centos 8 is 1.16. I believe Ubuntu 18 is also. On Nov 22, 2019, at 1:21 PM, Alexander Bokovoy via FreeIPA-users wrote: ktutil> add_entry -password -p principal -k kvno -f The

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-22 Thread Charles Hedrick via FreeIPA-users
. (The primary intent is to use it with NFS. It doesn’t need forwardable credentials.) > On Nov 22, 2019, at 2:04 PM, Alexander Bokovoy wrote: > > On pe, 22 marras 2019, Charles Hedrick via FreeIPA-users wrote: >> Interesting idea, but seems to require a time machine. The kerberos

[Freeipa-users] is it possible to enable constrained delegation for only some users?

2019-10-21 Thread Charles Hedrick via FreeIPA-users
We have kerberos everywhere, and use it for access to NFS home directories. So what do we do about cron jobs? We have a solution, but it involves custom code that impersonates the KDC. I’d like to do something more standard. Constrained delegation seems like a possibility. But I’d need to be able

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-22 Thread Charles Hedrick via FreeIPA-users
as not implemented, but I looked at the IPA source, and it looks like it is implemented. I’ll try this. If it works it would be a significant improvement for us. > On Oct 22, 2019, at 6:22 AM, Alexander Bokovoy wrote: > > On ma, 21 loka 2019, Charles Hedrick via FreeIPA-users wrote: >> W

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-22 Thread Charles Hedrick via FreeIPA-users
within a department it’s actually pretty good, as long as you know the limitations. I wouldn’t use it as my only security, but it’s a useful supplement to checking a key table. On Oct 22, 2019, at 9:40 AM, Alexander Bokovoy wrote: Since IP addresses are

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-22 Thread Charles Hedrick via FreeIPA-users
ficant improvement for us. > Yes. Please share your findings, even if negative. Perhaps, we would > need to add something to support his case. At least, > ipaAllowToImpersonate needs to be added into IPA framework to allow > manage it. > >> >>> On Oct 22, 2019, at 6:22

[Freeipa-users] Re: using SPAKE

2019-10-23 Thread Charles Hedrick via FreeIPA-users
actually I found a solution to this. You can use a normal commercial cert for PKINIT. You just need a couple of extra lines in /etc/krb5.conf. The only disadvantage is that you have to have a line in /etc/krb5.conf for each KDC. That means you lose the ability to add a KDC and depend upon DNS

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-22 Thread Charles Hedrick via FreeIPA-users
ok. So delegation works. Now we come to the question of how to configure it in gssproxy. The man page describes the syntax of the file but not how it actually works. Any suggestions? > On Oct 22, 2019, at 9:52 AM, Alexander Bokovoy wrote: > > On ti, 22 loka 2019, Charles Hedrick wrote: >>

[Freeipa-users] using SPAKE

2019-10-18 Thread Charles Hedrick via FreeIPA-users
I’d like to avoid having to use a second cache to armor 2FA requests. My impression was that SPAKE was supposed to fix this. I just installed a new kdc (replica of an old one) in Centos 8. It understands SPAKE, offering it as preauthentication for normal users. But a user with 2FA is not

[Freeipa-users] Re: using SPAKE

2019-10-18 Thread Charles Hedrick via FreeIPA-users
where possible.) > On Oct 18, 2019, at 2:47 PM, Robbie Harwood wrote: > > Charles Hedrick via FreeIPA-users > writes: > >> I’d like to avoid having to use a second cache to armor 2FA >> requests. My impression was that SPAKE was supposed to fix this. I >>

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-22 Thread Charles Hedrick via FreeIPA-users
AM, Alexander Bokovoy wrote: > > On ti, 22 loka 2019, Charles Hedrick via FreeIPA-users wrote: >> ok. So delegation works. Now we come to the question of how to >> configure it in gssproxy. The man page describes the syntax of the file >> but not how it actually works. Any suggesti

[Freeipa-users] Re: ipa-getkeytab -r for user keytabs

2019-11-25 Thread Charles Hedrick via FreeIPA-users
Here’s an approach that will work if you’re on the kdc. Become root. Run kadmin.local. ktadd -k XXX.kt -norandkey XXX -norandkey is the equivalent of -r That creates a key table XXX.kt (or adds to it if it already exists). No password needed except what you normally do to become root. On Nov

[Freeipa-users] Re: Online migration from internal CA to no-CA setup

2019-10-03 Thread Charles Hedrick via FreeIPA-users
this will let you add outside certs for the services that would be visible to users: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP It doesn’t actually turn off the CA functionality, but it becomes largely unused. I’d actually be interested in a way to completely move

[Freeipa-users] Re: suggestion for password policy

2020-01-28 Thread Charles Hedrick via FreeIPA-users
020, at 2:40 PM, Rob Crittenden wrote: > > Charles Hedrick via FreeIPA-users wrote: >> The NIST recommendations for passwords say they don’t think character >> classes and expiration are useful. Instead, they recommend using a blacklist >> of known common passwords.

[Freeipa-users] after recreating server, ipa: ERROR: No valid Negotiate header in server response

2020-01-28 Thread Charles Hedrick via FreeIPA-users
we just upgraded servers to centos 8.1, by deleting them and recreating them. On a few systems when I try to use the IPA command I get ipa: ERROR: No valid Negotiate header in server response This doesn’t happen on all hosts. The IPA command works fine on the server itself. Since it’s only on

[Freeipa-users] Re: suggestion for password policy

2020-01-29 Thread Charles Hedrick via FreeIPA-users
’d prefer an interface to ds389 I’d be willing to work on that. But it’s > not clear from your reference whether the API is finished. If so, could you > point to documentation, or at least source? > >> On Jan 28, 2020, at 4:12 PM, Charles Hedrick via FreeIPA-users >> wrote:

[Freeipa-users] Re: suggestion for password policy

2020-02-06 Thread Charles Hedrick via FreeIPA-users
>> is where policy is enforced. >> >> rob >> >>> >>> >>>> On Jan 28, 2020, at 4:34 PM, Charles Hedrick wrote: >>>> >>>> If you’d prefer an interface to ds389 I’d be willing to work on that. But >>>> it

[Freeipa-users] files to omit from backup

2020-01-31 Thread Charles Hedrick via FreeIPA-users
We currently do rsync backups of our server. On an MIT server, you’d want to omit the stash file. But IPA doesn’t use that. Is there anything like that that should be omitted? I’m not sure just how freeipa bootstraps trust when it starts up.

[Freeipa-users] Re: suggestion for password policy

2020-01-30 Thread Charles Hedrick via FreeIPA-users
e to ds389 I’d be willing to work on that. But >>> it’s not clear from your reference whether the API is finished. If so, >>> could you point to documentation, or at least source? >>> >>>> On Jan 28, 2020, at 4:12 PM, Charles Hedrick via FreeIPA-users >>>

[Freeipa-users] Re: suggestion for password policy

2020-01-30 Thread Charles Hedrick via FreeIPA-users
e would >>>> be much simpler. I’m using an sqlite database, but I’d be happy with >>>> other formats if you have a preference. (Stanford was doing additional >>>> checks that really needed something as powerful as SQL. We’d implementing >>>>

[Freeipa-users] can't install replica

2020-01-24 Thread Charles Hedrick via FreeIPA-users
We are moving from Centos 7 to 8. I did a test on copies and it worked with 8.0. I made the mistake of doing it on the production servers under 8.1. It fails. I removed one server and recreated it as a replica. It worked fine. However the second one failed near the end of the process: Restart

[Freeipa-users] Re: can't install replica

2020-01-24 Thread Charles Hedrick via FreeIPA-users
This is when trying to set up from the centos 7 server. When it tries from the server that is already centos 8, I get [error] DatabaseError: Server is unwilling to perform: Entry is managed by topology plugin. Adding of entry not allow as it’s trying to add the replication agreement. > On

[Freeipa-users] Re: can't install replica

2020-01-24 Thread Charles Hedrick via FreeIPA-users
Here’s my workaround: It appears that this happens only when using commercial certs. It's trying to fetch the Directory Manager password (encrypted) from the primary to put it in the new system. I commented out custodiainstance.py:211, def import_dm_password(self): cli =

[Freeipa-users] Re: after recreating server, ipa: ERROR: No valid Negotiate header in server response

2020-01-28 Thread Charles Hedrick via FreeIPA-users
on all our systems, and things work. We had a number of issues that happened when not all the old data was deleted before we recreated the server. This looks like yet another symptom. On Jan 28, 2020, at 5:48:45 PM, Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] suggestion for password policy

2020-01-28 Thread Charles Hedrick via FreeIPA-users
The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to

[Freeipa-users] centos 7.6 or 8.0?

2020-01-09 Thread Charles Hedrick via FreeIPA-users
We have a limited time period when I would prefer to do major changes. I had expected to update our Centos 7.6 to 8 during January. Unfortunately it appears that there have been no updates to 8, pending 8.1, and 8.1 is waiting for a surprising amount of time. I have a test 8.0 installation, and

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Charles Hedrick via FreeIPA-users
Most of our IPA activity occurs through a local web application. It logs all IPA commands that it issues. This includes creating user, managing groups, etc. I will say that this log has proven really useful. However it doesn’t capture IPA commands issued directly. It would be really great for

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Charles Hedrick via FreeIPA-users
This looks pretty reasonable. Unfortunately it intermixed lots of info. The files grow rapidly enough that it’s probably not practical to keep them for a long time. It might not be hard to pull out just the things that make changes. On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-16 Thread Charles Hedrick via FreeIPA-users
I’ve thought about this a bit more. I think it would be useful if log entries showing changes could be routed differently by syslog. The simplest would be to use a different log level, e.g. NOTICE, where other things are INFO. Another approach would be to put a specific tag in the try, e.g.

[Freeipa-users] Re: Kerberized NFS Home directories

2020-01-17 Thread Charles Hedrick via FreeIPA-users
If it works for one login type and not for the other, chances are there’s a difference in the pam configuration files. Each service, which would include gdm and sshd, has a configuration file in /etc/pam.d, which determines how authentication is done. If you are using sssd for your

[Freeipa-users] Re: Kerberized NFS Home directories

2020-01-17 Thread Charles Hedrick via FreeIPA-users
authentication, and you’ll end up without a Kerberos credential. On Jan 17, 2020, at 4:33 PM, Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: If it works for one login type and not for the other, chances are there’s a difference in the pam configuration files

[Freeipa-users] Re: Two interfaces on FreeIPA server.. How?

2020-01-21 Thread Charles Hedrick via FreeIPA-users
I haven’t tried this for the IPA server, but we have servers with two interfaces, one for general use and one as a storage backend network. We can’t just list both IPs in an A record, because then normal traffic will try to go through the backend, which it can’t get to. What I ended up doing

[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not

2020-03-20 Thread Charles Hedrick via FreeIPA-users
On Mar 7, 2020, at 12:32:38 PM, Nicholas DeMarco via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: # getent passwd | grep ndemarco Are you sure this is supposed to work? Typically you want to disable enumeration. Does getent passwd ndemarco also fail?
