[Freeipa-users] Re: CentOS 7 FreeIPA upgrade, 4.5 to 4.6.8: certmonger hanger

2024-02-05 Thread Kevin Vasko via FreeIPA-users
Melissa, I’ve been following your thread here as I also have a 4.5.x system that _really_ needs to be updated, but I’m nervous to touch it since it “works”. How are you testing this without breaking the instance? I’m nervous I have issues like you are experiencing and it breaks everything. I would like

[Freeipa-users] Re: FreeIPA and TrueNAS Scale for mounting of nfs4 shares

2023-10-03 Thread Kevin Vasko via FreeIPA-users
I actually did this recently. Full working settings configuration in TrueNAS Scale. You will need to create a BIND account which I used "svcbind". The Aux Parameters are extremely important otherwise your groups won't work correctly. Directory Services 1. Hostname: ipa.site.example.com 2. Base

[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
pied the pam sshd to sftp and it just worked for me, > assuming I didn't screw something up. > > rob > > > > > > > > > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden > <mailto:rcrit...@redhat.com>> wrote: > > > > Kevin Vasko via Fr

[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
den wrote: > Kevin Vasko via FreeIPA-users wrote: > > Try to make this simple. > > > > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a > > server. > > > > Have the "Via Service" set to "sshd".

[Freeipa-users] sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Try to make this simple. Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a server. Have the "Via Service" set to "sshd". The user can ssh into the server no issue. I want to limit this user to only being able to sftp into this server (no direct ssh). If I swap the "Via

[Freeipa-users] Re: Trouble with resetting caches

2023-04-10 Thread Kevin Vasko via FreeIPA-users
ne of these systems up, I'm going to document what I can. I always dread making any changes to kerberos because of how temperamental it is. Are there any other services I should be looking at restarting/resetting when dealing with this topic? On Mon, Apr 10, 2023 at 11:08 AM Rob Crittenden wrote:

[Freeipa-users] Trouble with resetting caches

2023-04-10 Thread Kevin Vasko via FreeIPA-users
Hello, Does anyone have any tips for completely refreshing (forcing cleaning) all kerberos tickets on a client from FreeIPA? I assumed "$ kdestroy -A" should do it, but it certainly doesn't completely clear all caches. What I'm having trouble with is some NFS/NAS servers using kerberos. I'll

[Freeipa-users] Re: Upgrade outdated FreeIPA sanity check

2023-02-08 Thread Kevin Vasko via FreeIPA-users
akob via FreeIPA-users >> wrote: >> >> On Wed, 8 Feb 2023 09:53:35 -0600 >> Kevin Vasko via FreeIPA-users >> wrote: >> >>> Thanks Rafael. >>> >>> I was hoping to do it in place if at all possible because where things get >>>

[Freeipa-users] Re: Upgrade outdated FreeIPA sanity check

2023-02-08 Thread Kevin Vasko via FreeIPA-users
h server 2. promoting the 4th server to master 3. decommission the 4.5.4 server 4. reassign the 4th server the same IP as the old 4.5.4 server? 5. upgrade rest of servers Any thoughts? recommendations? On Wed, Feb 8, 2023 at 5:43 AM Rafael Jeffman wrote: > > > On Tue, Feb 7, 2023 at 6:29

[Freeipa-users] Upgrade outdated FreeIPA sanity check

2023-02-07 Thread Kevin Vasko via FreeIPA-users
We have a set of 3x freeIPA servers that have outdated (everything) in a development/test environment that need to be updated. It seems that 4.6.8-5.el7.centos.12 is the latest version available on CentOS 7? We are, on the 3 servers, at: 4.5.4-10.el7.centos.4.4 4.6.4-10-el7.centos.6

[Freeipa-users] Re: password-expiration

2023-02-07 Thread Kevin Vasko via FreeIPA-users
I’m in a similar situation and need to upgrade. These docs are what I found https://www.freeipa.org/page/Upgrade#FreeIPA_4.2.0_or_newer and it seems to imply to simply run a yum update freeipa-server to go to the latest version. Is there some other documentation I should be following? -Kevin

[Freeipa-users] Local account override IPA account

2022-11-29 Thread Kevin Vasko via FreeIPA-users
I know this is probably stupid but we have a server with a local account (let’s call this local user “user1”). This server and its install predated our IPA install. This local user also has a sudoers exception for this account for a “NOPASSWD” locally on this machine and this machine alone.

[Freeipa-users] Options for remote home directories

2022-10-21 Thread Kevin Vasko via FreeIPA-users
Trying to find the best option for me for better “shared” “/home” directories. I ideally would like to give everyone a network based /home directory so I could quota the folders so people would quit filling up every server’s /home directory. We have two major use cases, the first isn’t much of

[Freeipa-users] NFS Mount idmap on ubuntu

2022-10-04 Thread Kevin Vasko via FreeIPA-users
I think something recently changed on Ubuntu 20.04 where I’m now having to put Domain = my.domain.com In /etc/idmapd.conf or run ipa-client-automount to have that do it for me. No matter, my issue is I effectively have to reboot after making the change. I can restart sssd, all the rpc*

[Freeipa-users] FreeIPA with containers

2020-12-23 Thread Kevin Vasko via FreeIPA-users
Hello, We have our NFS servers kerberized which requires a ticket to be able to access the NFS share. We also have a GPU cluster where people get to launch docker containers to complete work. Unfortunately, within the container users can’t access the NFS share even though it’s mapped on the

[Freeipa-users] permanent service account keys for kerberos NFS share

2020-10-08 Thread Kevin Vasko via FreeIPA-users
Hello, We have an application that does some data processing on our NFS server. Users typically just ssh into a box which then has a kerberos key generated for them, which allows them to access the NFS share and run the script. We are wanting to set this up in a more automated fashion. Such as

[Freeipa-users] Approach to allowing users access to NFS with kerberos through containers

2020-03-11 Thread Kevin Vasko via FreeIPA-users
Our users on their local machines (which are enrolled into our domain/realm) access (mount read/write) our NFS shares as they need with their LDAP accounts. We are wanting to allow users to use docker containers to mount/access these same mount/NFS Servers. These containers are short lived so

[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not

2020-03-07 Thread Kevin Vasko via FreeIPA-users
Is the clock off? NTP working correctly? -Kevin > On Mar 7, 2020, at 12:55 PM, Nicholas DeMarco wrote: > >  > Good question. Yes. The user is in the admin group and has access to other > newly joined machines. > >> On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote: >> Does the user have

[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not

2020-03-07 Thread Kevin Vasko via FreeIPA-users
Does the user have access to the machine? -Kevin > On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users > wrote: > ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to

[Freeipa-users] Re: dhcp dynamic update

2020-02-24 Thread Kevin Vasko via FreeIPA-users
I’m interested in hearing others responses as well on this. Is there anything in particular I would need to do to make sure I can get things back into a “working” state? -Kevin > On Feb 24, 2020, at 12:10 PM, Andrew Meyer via FreeIPA-users > wrote: > > Hello, > I was trying to search the

[Freeipa-users] Help in understanding multiple KVNO versions in keytab file

2020-02-14 Thread Kevin Vasko via FreeIPA-users
Hello, I’m trying to understand when/how the different KVNO versions in a file should or shouldn’t work. We have a Dell EMC Unity box that’s giving us fits on what it will accept for a keytab file with different KVNO versions. I’m not sure if I’m misunderstanding something, or there’s a bug

[Freeipa-users] Easiest path to provide access to shares to Windows and Mac systems

2019-11-23 Thread Kevin Vasko via FreeIPA-users
So I feel we have a decent process for users on Linux (Ubuntu/CentOS) to access NFS shares, however there is rumbling of people wanting to use their Mac and Windows boxes to access the data shares. The tricky part of this is we won't be able to enroll the Windows or Mac systems into FreeIPA. So

[Freeipa-users] Re: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Kevin Vasko via FreeIPA-users
Thanks. I posted the bug report. https://pagure.io/freeipa/issue/8106 -Kevin > On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy wrote: > > On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote: >> >> >> Mainly looking for input on where to file a bug I

[Freeipa-users] ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install

2019-10-28 Thread Kevin Vasko via FreeIPA-users
Mainly looking for input on where to file a bug I think I found in p11-kit-trust.so but potentially caused by the FreeIPA client install process on Ubuntu. I have been trying to figure out a way of getting Ubuntu to load the system wide certs like CentOS/Fedora does. Alexander helped me

[Freeipa-users] Re: group management on freeipa clients

2019-10-24 Thread Kevin Vasko via FreeIPA-users
So, this is an interesting read, thanks for that. But just an FYI to the OP, if you are using any Ubuntu 18.04 clients (I haven’t tried it with Fedora/CentOS) there is an issue with not having local docker groups on the system. What ends up happening is on a boot, docker services try starting

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-15 Thread Kevin Vasko via FreeIPA-users
Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. I’m using IPA’s internal cert system. Yeah, I kept reissuing tickets when I was trying to get the post command

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-14 Thread Kevin Vasko via FreeIPA-users
Welp, I'm an idiot and you are completely 100% correct. It was indeed revoked, but the http server's certificate was revoked and not the client's..which is where I was focusing 100% of my debugging. Which clears up a LOT of things. I originally was loading the ca.crt on an Ubuntu machine a few days

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
So following these instructions I found out that the certs are NOT revoked. https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked The one thing I did find is that in Firefox if I uncheck "Query OCSP responder servers to confirm the current validity of

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-11 Thread Kevin Vasko via FreeIPA-users
I'm 100% positive I did nothing with this cert. To validate, I spun up a brand new machine completely from scratch. 1. ran yum update 2. installed Gnome 3. installed ipa with my normal "sudo ipa-client-install --domain=exaple.com --realm=EXAMPLE.COM --enable-dns-updates --mkhomedir" 4. started

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
> It is the first one that brings all the system-wide certificates into >> NSS and other databases. For OpenSSL applications it can be brought in >> via PKCS#11 engine support. >>> So I at this point I don't think anything is wrong with >>> ipa-install-client and it is perf

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
>ipa-install-client and it is performing correctly at this point adding > >it to the cert store. Given that the exception that you mentioned, > >that there is a difference in ipa-install-client adding it to the the > >NSS database on RHEL/Fedora/CentOS and not on the Ubuntu/Debia

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
hat I find. -Kevin On Thu, Oct 10, 2019 at 9:17 AM Alexander Bokovoy wrote: > > On to, 10 loka 2019, Kevin Vasko via FreeIPA-users wrote: > >I actually manually checked the system wide crt files on each > >distribution I'm using, Ubuntu, CentOS and RHEL6/7. In all cases my &

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
g/en-US/kb/setting-certificate-authorities-firefox So based off of this information I'm going to have to manually add the root certificates to each Chrome and Firefox cert store on the client machines, which is a bummer. Sorry for the noise. On Thu, Oct 10, 2019 at 8:40 AM Rob Crittenden wrote: > >

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
en via FreeIPA-users wrote > > > > Kevin Vasko via FreeIPA-users wrote: > >> How would I validate that certs are getting added properly on a CentOS > >> machine system wide store? > >> > >> I’m going to test it today to find out if this is a problem

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kevin Vasko via FreeIPA-users
re? >> > Thanks for the details. I do not know about system trust on Ubuntu. > It could be that ipa-client on Ubuntu does add the IPA CA to system > trust, but the Firefox/Chrome packages ignore the system trust > store. > > Hopefully someone more familiar with Ubuntu can

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
. On Wed, Oct 9, 2019 at 8:25 PM Fraser Tweedale wrote: > > On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote: > > Hello, > > > > I’m wanting to make our https servers use a trusted certificate within our > > LAN only. So for example if

[Freeipa-users] How to make ipa root certificate available system wide

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Hello, I’m wanting to make our https servers use a trusted certificate within our LAN only. So for example if I have websrv1.ny.example.com when a user uses a machine that’s enrolled into our realm and they visit https://websrv1.ny.example.com they shouldn’t be prompted to accept the self

[Freeipa-users] Re: Ipa user can't login via ssh

2019-10-09 Thread Kevin Vasko via FreeIPA-users
Have you made sure your “elham” user has the correct permissions to access the machines? Take a look in the UI at the groups/permissions that user elham has. Take a look at your HBAC rules as well. That would be my first recommendation to check if it was me. -Kevin > On Oct 9, 2019, at 7:23

[Freeipa-users] Re: FreeIPA with multiple domains not mapping ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
someone even saw this. Thanks for answering. -Kevin > On Oct 7, 2019, at 2:19 PM, François Cami wrote: > > On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users > wrote: >> >> Ok thanks! I just tried it and that seems to do it! Just using the >> “example.

[Freeipa-users] Re: FreeIPA with multiple domains not mapping ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
onfigure the domain on >>> the server (as any of the domain strings you want) and then use the >>> same domain on all clients), that should make them work. >>> >>>> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: >>>>

[Freeipa-users] Re: FreeIPA with multiple domains not mapping ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
ld make them work. > >> On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote: >> If you use krb5 authentication you should have no issues, are you using >> auth=sys instead ? >> >>> On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-user

[Freeipa-users] FreeIPA with multiple domains not mapping ids correctly on NFS

2019-10-04 Thread Kevin Vasko via FreeIPA-users
Hello, I’ve got FreeIPA setup where I have multiple domains for client machines depending on their geography. For example, ca.example.com, and ny.example.com. I have an NFS server at nfs-server.ny.example.com and users mapping the NFS server on their clients from ny.example.com and

[Freeipa-users] Re: Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-09 Thread Kevin Vasko via FreeIPA-users
Thanks much! I just tried this and sure enough everything came alive and started working as soon as I changed the scheme to what Louis posted in his first post. The only other thing that I will note is that the Dell EMC seems to hard code what is entered for the REALM as the SPN (Service

[Freeipa-users] Re: Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-06 Thread Kevin Vasko via FreeIPA-users
Thanks Louis! Will be trying this as soon as I get in on Monday (no remote access). If I wanted to validate my configuration how do I go about getting this information out of my FreeIPA installation? Since the EMC by default includes the schema I attached is it old/out of date or is it for

[Freeipa-users] Issues with config between FreeIPA and Dell EMC Unity NAS server

2019-09-06 Thread Kevin Vasko via FreeIPA-users
I’m trying to integrate the “NAS Server” on our Dell EMC Unity with our FreeIPA server so we can secure our NFS shares. Our FreeIPA server is a run-of-the-mill setup. We don’t have any special configuration. The Dell EMC Box NAS configuration settings are asking for the following. Realm: KDC

[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-09 Thread Kevin Vasko via FreeIPA-users
I’m following this because I’m having the same issue. Since the OpenVPN client won’t prompt twice for the second factor I know you have to do the whole “password+otp” (without the +) but keep getting invalid password. -Kevin > On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users >

[Freeipa-users] Re: Getting access denied when using kerberos when mounting nfs share

2018-11-08 Thread Kevin Vasko via FreeIPA-users
the services. Thanks for the reply. -Kevin > On Nov 8, 2018, at 12:46 PM, Robbie Harwood wrote: > > Kevin Vasko via FreeIPA-users > writes: > >> I followed these instructions to enable kerberos within my realm/domain. >> >> My FreeIPA, NFS server and my NFS

[Freeipa-users] Getting access denied when using kerberos when mounting nfs share

2018-11-06 Thread Kevin Vasko via FreeIPA-users
I followed these instructions to enable kerberos within my realm/domain. My FreeIPA, NFS server and my NFS client are CentOS 7.4 https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/kerb-nfs.html I’m completely stuck in that when I mount the NFS share I get sudo mount -o sec=krb5p