I've got
> something new.
>
> /tony
>
>
> On 2017-06-22 15:13, Rob Verduijn via FreeIPA-users wrote:
> > If you are using gss-api and using putty to log in.
> > Did you do the thing mentioned in 5.3.4.5
> > https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterp
Hi,
I've been hitting walls regarding nfs auto home creation as well.
Once I started using kerberized nfs4 home dirs, the automatic creation of homedirs
is no longer happening.
A "simple" setup of an ipaserver (no nfs on this one), nfs4 server
(sec=krb5p,root_squash) and an nfs client will give you a
Hello,
I'm trying to figure out why an ad-domain user cannot use sudo.
When I test with
ipa hbactest --user=ansible --host ipa01.linux.example.com --service sudo-i
It says access granted: True
however if I issue the command 'sudo -l -U ansible' on the ipa01 host it
says:User
is 0
[ipa_init_dyndns] (0x0080): Failure setting up automatic DNS update
What causes this ?
Rob
On Fri 19 Apr 2019 at 16:27, François Cami wrote:
> Hi,
>
> On Fri, Apr 19, 2019 at 4:00 PM Rob Verduijn via FreeIPA-users
> wrote:
> >
> > Hello,
> >
> > I ha
>
> There's a timer, I think. What happens if you wait a bit?
> Can you compare to another host?
>
> > Rob
> >
> > On Fri 19 Apr 2019 at 16:27, François Cami wrote:
> >>
> >> Hi,
> >>
> >> On Fri, Apr 19, 2019 at 4:00 PM Rob Verduijn
Hello
forward and reverse dynamic dns updates are on
Rob
On Fri 19 Apr 2019 at 16:30, Florence Blanc-Renaud wrote:
> On 4/19/19 3:59 PM, Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > I have this laptop that is an ipa domain member.
> > And the login/su
schreef Florence Blanc-Renaud via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> On 7/30/19 10:00 AM, Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > I was doing some rtfm for migration of an ipa ca-renewal master to a
> > different system.
> > I
Cool
On Thu 1 Aug 2019 11:48, Florence Blanc-Renaud wrote:
> On 7/31/19 3:42 PM, Rob Verduijn via FreeIPA-users wrote:
> > Hi
> >
> > Thanx for the answer, sadly i've experienced that filing a bug with Red
> > hat can be a real challenge when you know your stuff.
Hello,
I found out that running ipa on rhel8 in the file /etc/krb5.conf.d/freeipa
the setting
[libdefaults]
spake_preauth_groups=edwards25519
prevents ad domain account users from logging in to the ipa server running
on rhel8
according to this site it's protection against dictionary attacks
done
https://bugzilla.redhat.com/show_bug.cgi?id=1748072
Rob
On Mon 2 Sep 2019 at 16:35, Alexander Bokovoy wrote:
> On Mon, 02 Sep 2019, Rob Verduijn via FreeIPA-users wrote:
> >Hello,
> >
> >I found out that running ipa on rhel8 in the file /etc/krb5.conf.d/f
Hello,
I was doing some rtfm for migration of an ipa ca-renewal master to a
different system.
I figured that the docs on migrating from rhel7 to rhel8 would be a nice
help for me to migrate from one centos7 to another centos 7 system.
Something in the docs gave me pause.
In the doc in chapter
Hello ,
Next month microsoft is going to enforce ldap signing.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Will this have an impact on ipa domain with an ad trust ?
Rob
___
FreeIPA-users mailing list --
Hello,
I've encountered a minor annoyance when using the 'enrollment
administrator' role
I created a user for ipa-client enrollment and made the user a member of the
'enrollment administrator' role.
I've tested it and it was capable of enrolling clients.
After this I disabled the allow_all
I use this in a play
Rob
---
- name: get keytab
  hosts: keytab_host
  become: true
  gather_facts: true
  tasks:
    - name: add service {{ keytab }} principal to ipa
      ipaservice:
        ipaadmin_password: '{{ ipaadmin_password }}'
        name: '{{ principal }}'
        state: present
        force: true
      when: keytab.type == 'service'
duh it moved again
https://github.com/gssapi/gssproxy/tree/main/docs
the example is your answer
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md
Rob
On Thu 8 Oct 2020 at 19:03, Rob Verduijn wrote:
> Hi,
> Check this, it is already installed on your rhel/centos server, and works
>
Hi,
Check this, it is already installed on your rhel/centos server, and works
great with ipa.
( in fact the lead dev is also a dev on ipa )
https://pagure.io/gssproxy
Rob
On Thu 8 Oct 2020 at 18:20, Kevin Vasko via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> We
Hello,
I've been working with idm ad integration for some time now.
But one thing has always confused me.
In all the docs it will tell you to check the dns to see if the dns records
resolve.
dig +short -t SRV _kerberos._udp.idm.example.com.
dig +short -t SRV _ldap._tcp.idm.example.com.
dig
Hello,
Today I upgraded my ipaserver from centos 8.1 to centos 8.2
And ipa-healthcheck --failures-only claims all my certs have expired in
1970.
Which is a bit weird since they all seem to work fine for me.
Everything seems to work except for a lot of errors in my logs from
certmonger.
I get a
Thanx,
It was indeed the problem and your suggestion also solved it.
Rob
On Tue 16 Jun 2020 at 16:08, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > Today I upgraded my ipaserver from centos 8.1 to centos 8.2
> >
> > An
Hello,
I am looking into integrating a 3rd party application with ipa.
Last time I checked it was only possible to do this with a bind account
that you would create with an ldiff
ldapmodify -x -D 'cn=Directory Manager' -W <___
FreeIPA-users mailing
k thanx
On Tue 12 Jan 2021 at 17:11, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > I am looking into integrating a 3rd party application with ipa.
> >
> > Last time I checked it was only possible to do this with a bind
Hello,
I'm trying to install freeipa on centos8,
However it fails with an error related to java.
(see error below)
I found this bugzilla that describes the problem :
https://bugzilla.redhat.com/show_bug.cgi?id=1892216
The downgrade suggestion in that bugzilla does not work for centos8 since
Hi,
Thanx, I'll try that.
Rob
On Tue 3 Nov 2020 at 17:42, Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Aad-Jan Couwenhoven via FreeIPA-users wrote:
> > The output of the downgrade command;-
> > [root@ipa01 ~]# if rpm -q --queryformat '%{version}'
Hello,
I've updated my ipa server to the latest version today.
But now the ipa healthcheck gives a warning about kra.
ipa-healthcheck --failures-only
Internal error testing KRA clone. 'NoneType' object has no attribute
'config'
[
{
"source":
Hi,
I'm trying to figure out how to get xrdp to work with ipa user accounts.
So far I can only login to an xrdp centos8 desktop with local user accounts.
But as soon as I try to log in to the same machine with a ipa user account
it fails.
Anybody who knows how to get xrdp to work with ipa users
I just noticed that xrdp works fine for ipa idm users.
However for users that login with ad accounts from the ad that has a trust
relation with ipa xrdp fails.
Rob
On Tue 30 Mar 2021 at 15:00, Rob Verduijn wrote:
> Hi,
>
> I'm trying to figure out how to get xrdp to work with ipa user
rt. 2021 om 15:57 schreef Alexander Bokovoy :
> On Tue, 30 Mar 2021, Rob Verduijn via FreeIPA-users wrote:
> >I just noticed that xrdp works fine for ipa idm users.
> >
> >However for users that login with ad accounts from the ad that has a trust
> >relation with ipa xrdp f
Hello,
My ipa server on centos 8 seems to have a problem.
The ipa-dnskeysyncd keeps trying to start and keeps crashing while doing so.
I suspect this is caused by the crashed ipaserver that I now have removed
from the domain.
I spend quite some time adjusting all the dns entries so they now all
Hi,
After some thought I decided to run the ipa-dns-install with the
no-dnssec-validation option.
When this was done my ipa dns was working fine again and the
ipa-dnskeysyncd service no longer crashes.
Rob
On Tue 20 Apr 2021 at 12:53, Rob Verduijn wrote:
> Hello,
>
> My ipa server on centos
dunno but since it's part of rhel you could check out
https://access.redhat.com/security/cve/cve-2021-44228
On Mon 13 Dec 2021 at 07:36, GAURAV Pande via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Below are the log4J jar i can see on my server where freeIPA 4.6.8 is
>
Hi all,
Sorry for the reply to an ancient post.
But I thought I share how I finally managed to get xrdp to play nice with
freeipa.
The solution was rather simple.
When in ipa allow_all policy is disabled.
Add xrdp-sesman to the hbac-services then add the service to the
hbac-policy that allows
Hello.
Is there support in freeipa for howdy ?
https://github.com/boltgolt/howdy
rpms are already available here:
https://copr.fedorainfracloud.org/coprs/principis/howdy/
Would be nice if this would integrate with freeipa.
Rob
l ip to that container.
>
> I will test this in the next few days.
>
> Rob
>
>
> On Wed 9 Feb 2022 at 22:39, Rafael Jeffman wrote:
>
>> Hi Rob,
>>
>> On Wed, Feb 9, 2022 at 9:32 AM Rob Verduijn via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.o
Hi all,
I'm trying to reduce the number of systems in my network.
Currently if I want to use a pi-hole in combination with freeipa one of
them is going to use the other as a forwarder.
And without some firewall/router port redirection magic (also hopelessly
complicating things) this is not going
this in the next few days.
Rob
On Wed 9 Feb 2022 at 22:39, Rafael Jeffman wrote:
> Hi Rob,
>
> On Wed, Feb 9, 2022 at 9:32 AM Rob Verduijn via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi all,
>>
>> I'm trying to reduce the number
thanx
authselect enable-feature with-subid
did the trick
Rob
On Wed 25 May 2022 at 15:55, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > Is there any additional configuration required to use the subordinate
> > id's on a fedora
Hello,
Is there any additional configuration required to use the subordinate id's
on a fedora client
after assigning a subuid/subgid range to an account in the freeipa server ?
now after trying to create a new rootless container image as an ordinary
user it complains there potentially not enough
ipa-backup and ipa-restore are default included in your ipa installation
as a good sysadmin you should try running ipa-healthcheck to reduce the
chance of ever needing ipa-restore
it's not default installed but if you got freeipa server your package
manager can easily install it for you.
Op zo
> > > >"duration": "0.655251",
> > > >"kw": {
> > > > "exception": "bus, object_path and dbus_interface must
> > not be
> > > None."
> > > >
Hello,
I've found an issue with my ipa dns setup.
all local dns queries work fine.
However queries outside my ipa domain fail most of the time.
I found this error in the logs:
managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
I think that this causes my problems with external dns.
>
> HTH,
> flo
>
> On Tue, Nov 22, 2022 at 3:59 PM Rob Verduijn via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> I've found an issue with my ipa dns setup.
>>
>> all local dns queries work fine.
>> H
On Sun 20 Nov 2022 15:06, Sam Morris wrote:
> On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users
> wrote:
> > Hi all,
> >
> > I managed to get rid of another error but I still have plenty errors
> > left.
> >
> > Any help would be
On Sun 20 Nov 2022 15:57, Mark Reynolds wrote:
>
> On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote:
> > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users
> > wrote:
> >> Hi all,
> >>
> >> I managed to get rid of another
",
"check": "IPAFileCheck",
"result": "CRITICAL",
"uuid": "85deeb45-7e32-4f00-b2ab-a9b0484242c7",
"when": "20221119105639Z",
"duration": "0.083885",
"kw": {
"
Hello,
After today's update I noticed I am now running rocky 8.7
freeipa was updated just fine and is working nicely.
However after running ipa-healthcheck I was treated with a HUGE amount of
errors.
After some digging I found that certmonger stopped tracking of all my certs.
Figuring out how
server upgrade to Fedora 35 or 36
>>>
>>> The workaround would be to disable dnssec validation. Edit
>>> /etc/named/ipa-options-ext.conf or /etc/named.conf (depending on your
>>> version) and replace
>>> dnssec-validation yes
>>> with
>>> dns
sorry posted the answer in a dm.
I'll post any weird stuff in it here when rob finds it
.
On Mon 21 Nov 2022 at 15:25, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > thanx
> >
> > any clues about the other errors?
>
> It isn't a dbus issue b
Hi all,
I managed to get rid of another error but I still have plenty errors left.
Any help would be appreciated.
ipa-healthcheck errors remaining:
ipa-healthcheck
args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No such object',
'ctrls': [], 'ldap_request':
ob
>
> >
> > .
> >
> > On Mon 21 Nov 2022 at 15:25, Rob Crittenden <mailto:rcrit...@redhat.com> wrote:
> >
> > Rob Verduijn via FreeIPA-users wrote:
> > > thanx
> > >
> > > any clues about the other errors?
>
> looking
> > for back traces or other suppressed output.
> >
> > rob
> >
> > >
> > > Rob
> > >
> > >
> > > Op di 17 jan. 2023 om 15:55 schreef Rob Crittenden
> > mailto:rcrit...@redhat.
should be looking for ?
Rob
On Tue 17 Jan 2023 at 15:55, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > I do have migration in mind, and I already have seen that doc.
> >
> > I double checked the roles, and the only two roles that are enabled are
> >
king
> for back traces or other suppressed output.
>
> rob
>
> >
> > Rob
> >
> >
> > On Tue 17 Jan 2023 at 15:55, Rob Crittenden <mailto:rcrit...@redhat.com> wrote:
> >
> > Rob Verduijn via FreeIPA-users wrote:
>
according to the healthcheck.
And I don't want to start migrating before the current situation has a good
health status for all the replicas/masters.
On Tue 17 Jan 2023 at 15:37, Francisco Triviño García <
ftriv...@redhat.com> wrote:
>
> On 1/17/23 09:33, Rob Verduijn via FreeIPA
Hello,
When somebody has created a direct mount map without adding any keys.
How can you see that it is an indirect mount map ?
Also how can you see what the mount point is of the indirect mount map ?
I can't seem to find an option to check for this ?
Cheers
Rob
Hi,
Didn't know that one yet.
Thanx,
On Tue 14 Feb 2023 at 17:03, Rob Crittenden wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > When somebody has created a direct mount map without adding any keys.
> >
> > How can you see that it is an