Hm... I think my question was not clear, therefore I'll try to repeat it with a
better description.
Therefore I simply take an example from Pi-hole directly: "Pi-hole as
All-Around DNS Solution" (https://docs.pi-hole.net/guides/unbound/)
This means that basically this procedure should work with
Do you recommend to file a bug?
Can you share some instructions how to do this?
I'm not familiar with the process on Fedora.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
Hi,
to my knowledge IPA's DNS server is Bind.
And this server is working as recursive DNS for internal domains.
Question:
Can I use this DNS server for recursive DNS request of external domains, too?
If yes, how?
My intention is to send client request to Pi-hole first for DNS filtering;
Pi-hole
Hi Robbie,
let me share some additional information on this issue before filing a bug.
I checked the log files for errors but didn't detect anything.
Then I verified if any service was failing, but everything was running.
After this I tried to restart ipa.service and this failed with an error
Solved.
/var/log was 100% full.
Hi,
starting today I cannot login to WebUI anymore.
This is not a password authentication issue because I can switch to user
"admin" in console.
When I enter 'kinit list' as root I get this response:
kinit: general error (see e-text) for Initial credentials will be fetched.
The same error is
Well, could you please share your recommendation for this request, means how
would you add / maintain a laptop with 2 NICs?
THX
I have found this howto guide:
https://www.freeipa.org/page/Howto/HBAC_and_allow_all
Hi,
how can I restrict access for users to specific hosts?
Please advise.
THX
Hi,
adding a client in WebUI is simple.
However, what do you recommend when adding a client with 2 NICs, e.g. laptop?
These devices have typically different NICs for LAN and WLAN.
And consequently there are 2 MAC addresses and 2 IPs.
But there's only 1 hostname (FQHN).
Any advice is appreciated.
I started setup from scratch.
There are no issues observed as of now.
I cannot reproduce the issue since the re-installation.
OK.
I created 2 reverse zones:
1.168.192.in-addr.arpa
100.168.192.in-addr.arpa
Then I continued and created a host via WebUI.
The host is displayed with correct hostname, however there's an error displayed:
The host was added but the DNS update failed with: All nameservers failed to
answer the
No, I didn't create a reverse zone.
I'm not sure if the definition of DNS forwarding in FreeIPA makes sense.
Actually I consider to use Pi-hole as single DNS for specific network
192.168.1.0/24 only and forward any requests to FreeIPA.
Would this make sense?
And how could I create this reverse
Hi,
when I start service `named-pkcs11.service` on replica server I get these error
messages:
```
Dez 29 17:33:28 ipa-replica.example.com named-pkcs11[3936]: Failed to get
initial credentials (TGT) using principal 'DNS/ipa-replica.example.com' and
keytab 'FILE:/etc/named.keytab' (Generic error
Hi,
starting service `named-pkcs11.service` fails with a core dump:
```
Dez 29 17:32:25 ipa-master.example.com systemd-coredump[2901]: Process 2895
(named-pkcs11) of user 25 dumped core.
Stack
trace of thread 2897:
OK.
I have a follow-up question. This is related to system group id.
On Debian, users belonging to group sudo get root permission.
On Arch Linux, users belonging to group wheel get root permission.
Should I maintain the same groups sudo and wheel in FreeIPA with the relevant
GUI?
THX
Hi,
could you please explain the difference of FreeIPA UID vs. Linux UID?
When I create a user in FreeIPA the UID is this: 122721
But in any Linux the first user created has UID: 1000
Should I align UIDs in FreeIPA to the Linux UID?
If yes, does the same apply to GID?
Or should I keep the
Hi Flo,
I have defined the IP of my router as DNS:
[root@ipa-master ~]# ipa dnsserver-show
Servername: ipa-master.biszumbitterenen.de
Servername: ipa-master.biszumbitterenen.de
SOA mname override: ipa-master.biszumbitterenen.de.
Forwarders: 192.168.100.1
Forward policy: only
The same IP
Hi Flo,
thanks for your reply.
I decided to start replica setup from scratch.
This means I executed this command on master: ipa-replica-manage del
ipa-replica.biszumbitterenen.de
Then I restored the replica server to a previous state, installed
freeipa-packages 4.7.2 (and its dependencies).
Hello Flo,
I successfully installed FreeIPA 4.7.2 packages on replica server:
```
[root@ipa-replica ~]# rpm -q freeipa-server freeipa-client ipa-server
ipa-client 389-ds-base pki-ca krb5-server
Hi,
can you please advise how to upgrade to 4.7.2?
I'm running version 4.7.0
[root@ipa-replica ~]# rpm -q freeipa-server freeipa-client ipa-server
ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.7.0-3.fc29.x86_64
freeipa-client-4.7.0-3.fc29.x86_64
Das Paket ipa-server ist nicht
Hello Flo,
I've decided to follow your advice.
This means I will install another CA instance on the replica server.
However I would prefer to upgrade FreeIPA to version 4.7.2 before.
Unfortunately I failed on this task.
I've executed ipa-server-upgrade and this process finished successfully
Hi Florence,
thank you for this detailed analysis.
I fully support your conclusion.
Before you replied to this ticket I have already opened a bug report:
https://pagure.io/freeipa/issue/7795
Question:
Is there any workaround to temporarily fix this issue and complete the setup of
replica
Well, then I will repeat the context...
After completing FreeIPA master (vm200; 192.168.100.200) installation I started
setup of replica (vm201; 192.168.100.201).
This means I first enrolled the replica server as a client successfully and
then executed this command:
ipa-replica-install
The
I was instructed to delete the existing cert before executing
ipa-pkinit-manage enable.
And I have provided the output of getcert in an earlier response.
I was told that this cert is incomplete/incorrect.
I have installed freeipa-server-common=4.7.0, so I don't understand the
relation to an issue that should be fixed with 4.6.0.
I have no restarted command ipa-pkinit-manage enable after opening port 8443 on
both, master and replica server.
In my opinion the root cause is different.
According to
This is true, the connect error is clear.
However, I don't understand why there's a connection error to the
replica-server?
Please note that command ipa-pkinit-manage enable is executed on the
replica-server, means the connection fails to itself.
And there's no instruction to open port 8443 on
Hi,
this is the output that looks good to me... but I'm not the expert.
[root@ipa-replica ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 4.
Request ID '20181202164246':
status: MONITORING
stuck: no
key pair storage:
Actually I executed these commands before you replied on the replica server:
[root@ipa-replica ~]# ipa-pkinit-manage status
PKINIT is disabled
The ipa-pkinit-manage command was successful
[root@ipa-replica ~]# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509
Hi,
after completing master installation I started setup of replica.
This means I first enrolled the replica server as a client and then executed
this command:
ipa-replica-install
The installation log reports this error:
Full PKINIT configuration did not succeed
The setup will only install bits
Hi Florence,
I intend to define a subdomain for each network, e.g.
DMZ = dmz..de (10.0.0.0/24) -> VLAN
LAN = local..de (192.168.1.0/24)
SHZ = smz..de (Smart Home Network) (10.0.10.0/28) -> VLAN
Does this make sense to you?
Or is this an overkill?
THX
Thomas
Hi,
I completed installation using the recommended FQHN ipa..de of
FreeIPA server.
How can I add a client host configured with sub-domain local..de?
THX
Hi,
I have completed installation on Fedora Server 29 w/o issues.
Before I tried WebUI I ensured that administrative ticket is valid.
[root@ipa ~]# ipa user-show admin
Anmeldename: admin
Nachname: Administrator
Home-Verzeichnis: /home/admin
Anmeldeshell: /bin/bash
Principal alias:
Hi,
I have executed script setup.sh from package "freeipa-letsencrypt".
The installation finished with this error message:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140228802354200
ipapython.admintool: INFO: The
Solved
Hi,
I just completed installation with Fedora 29 in KVM.
The installation finished w/o errors.
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
Hi,
I consider to deploy FreeIPA in my home network.
In this network I run several servers and workstations with both Linux and
Windows.
In addition I have setup some Webservices running in containers (LXC).
I have only one public IP and manage the (privately hosted) Webservices with a
reverse