[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-12 Thread Alfredo De Luca via FreeIPA-users
Hi Alexander. Spot on... we fixed the issue with your suggestion. Thanks
heaps
Appreciated.


regards


On Fri, Nov 9, 2018 at 12:43 PM Alfredo De Luca 
wrote:

> thanks Alexander. We don't have selinux enabled so good point from you. I
> will implement the solution you suggested soon and let you know.
> Thanks heaps
>
> Alfredo
>
>
> On Thu, Nov 8, 2018 at 9:05 PM Alexander Bokovoy 
> wrote:
>
>> On to, 08 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
>> >Hi Alexander. Thanks for your info.
>> >Here are 2 logs. One is the pam.log and the other one is the domain.log at
>> >the time when we got the error below.
>> >
>> >Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
>> >
>> >The user to search is nifi_sftp.
>> >
>> >Thanks heaps and let me know if you need more info
>> Do you have SELinux enabled? Disabled?
>>
>> From the looks of sssd_.log you have trouble with setting
>> SELinux for the user:
>>
>> Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done]
>> (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
>>
>> This means that most likely you have SELinux disabled completely yet
>> SSSD attempts to set up SELinux context and considers its failure a hard
>> fail.
>>
>> Setting
>>
>>  selinux_provider = none
>>
>> in [domain/novalocal] section should help if you are not using SELinux.
>>
>> >Cheers
>> >
>> >
>> >
>> >On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy 
>> >wrote:
>> >
>> >> On ke, 07 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
>> >> >Hi all. I wonder who and how this has been resolved?
>> >> >I have centos 7 where an sftp server is running. Authentication is with
>> >> >freeIPA 4.5.4.
>> >> >All the users connect to the sftp server normally but when there are
>> >> >multiple connections randomly I got this error
>> >> >
>> >> >Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
>> >> >
>> >> >Not sure why. The same user doesn't have any issue connecting manually but
>> >> >when different connections from 3 nodes (running an open source sftp client
>> >> >called NIFI from apache.org) I got that error.
>> >> >I have to say that I tried to reproduce with a script running multiple
>> >> >connections at the same time and I get the same errors. If I use
>> >> >controlmaster mechanism on ssh client I don't get the error at all.
>> >> >
>> >> >Any idea?
>> >> Use sssd debugging to demonstrate why pam_sss is denying access.
>> >> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>> >>
>> >> You'd need logs from the sssd_.log and sssd_pam.log related to
>> >> the time when there is an attempt to connect with NIFI. Use
>> >> debug_level=9 in domain and pam sections to show all logs and provide
>> >> them somewhere we can look up.
>> >>
>> >> --
>> >> / Alexander Bokovoy
>> >> Sr. Principal Software Engineer
>> >> Security / Identity Management Engineering
>> >> Red Hat Limited, Finland
>> >>
>> >
>> >
>> >--
>> >*Alfredo*
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
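
The diagnosis reached in this thread, as an added example (not code from the list or from the SSSD project): it matches `pam_sss` "4 (System error)" denials against `selinux_child` failures logged in the same second and reports domains whose `selinux_provider` is not `none` while SELinux is disabled. The function names, the sample `sssd.conf` and all but the two quoted log lines are constructed; the SELinux state is passed in as a parameter so the check runs offline.

```python
import configparser
import re

# Constructed sample inputs, modelled on the log lines quoted in the thread.
SSSD_CONF = """\
[sssd]
domains = novalocal
services = nss, pam, ssh

[domain/novalocal]
id_provider = ipa
debug_level = 9

[pam]
debug_level = 9
"""

SECURE_LOG = """\
Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
Nov  8 17:09:09 sftp-test sshd[25131]: pam_sss(sshd:account): Access denied for user other_user: 4 (System error)
"""

DOMAIN_LOG = """\
(Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done] (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
"""

# syslog line: "Mon DD HH:MM:SS host sshd[pid]: pam_sss(sshd:phase): ... user NAME: 4 (System error)"
PAM_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"pam_sss\(sshd:(?:account|auth)\):.*?user\s+(\S+):\s+4 \(System error\)"
)
# SSSD backend line; the leading "(" is optional because it is often lost in pastes.
SSSD_RE = re.compile(
    r"^\(?\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\d{4}\)\s+"
    r"\[sssd\[be\[([^\]]+)\]\]\]\s+\[selinux_child_done\].*"
    r"selinux_child_parse_response failed"
)


def selinux_providers(conf_text):
    """Map each [domain/NAME] section to its selinux_provider (None if unset)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            value = cp.get(section, "selinux_provider", fallback=None)
            result[section[len("domain/"):]] = value.strip().lower() if value else None
    return result


def pam_system_errors(secure_log):
    """Return [((month, day, time), user)] for every pam_sss system error."""
    hits = []
    for line in secure_log.splitlines():
        m = PAM_RE.match(line)
        if m:
            mon, day, clock, user = m.groups()
            hits.append(((mon, int(day), clock), user))
    return hits


def selinux_child_failures(domain_log):
    """Return {(month, day, time): {domain, ...}} for selinux_child failures."""
    failures = {}
    for line in domain_log.splitlines():
        m = SSSD_RE.match(line)
        if m:
            mon, day, clock, domain = m.groups()
            failures.setdefault((mon, int(day), clock), set()).add(domain)
    return failures


def diagnose(conf_text, secure_log, domain_log, selinux_enabled):
    """Report denials that line up with a selinux_child failure on a host
    where SELinux is off and the domain still has a SELinux provider.
    Only the case from this thread is covered; other causes return nothing."""
    providers = selinux_providers(conf_text)
    failures = selinux_child_failures(domain_log)
    findings = []
    for stamp, user in pam_system_errors(secure_log):
        for domain in sorted(failures.get(stamp, ())):
            if not selinux_enabled and providers.get(domain) != "none":
                findings.append({
                    "user": user,
                    "domain": domain,
                    "time": stamp[2],
                    "fix": f"set selinux_provider = none in [domain/{domain}]",
                })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SSSD_CONF, SECURE_LOG, DOMAIN_LOG, selinux_enabled=False):
        print(finding)
```

The denial for `other_user` is not reported because no `selinux_child` failure was logged in the same second, so it needs its own look at the domain log.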


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-09 Thread Alfredo De Luca via FreeIPA-users
thanks Alexander. We don't have selinux enabled so good point from you. I
will implement the solution you suggested soon and let you know.
Thanks heaps

Alfredo


On Thu, Nov 8, 2018 at 9:05 PM Alexander Bokovoy 
wrote:

> On to, 08 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Hi Alexander. Thanks for your info.
> >Here are 2 logs. One is the pam.log and the other one is the domain.log at
> >the time when we got the error below.
> >
> >Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >
> >The user to search is nifi_sftp.
> >
> >Thanks heaps and let me know if you need more info
> Do you have SELinux enabled? Disabled?
>
> From the looks of sssd_.log you have trouble with setting
> SELinux for the user:
>
> Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done]
> (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
>
> This means that most likely you have SELinux disabled completely yet
> SSSD attempts to set up SELinux context and considers its failure a hard
> fail.
>
> Setting
>
>  selinux_provider = none
>
> in [domain/novalocal] section should help if you are not using SELinux.
>
> >Cheers
> >
> >
> >
> >On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy 
> >wrote:
> >
> >> On ke, 07 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
> >> >Hi all. I wonder who and how this has been resolved?
> >> >I have centos 7 where an sftp server is running. Authentication is with
> >> >freeIPA 4.5.4.
> >> >All the users connect to the sftp server normally but when there are
> >> >multiple connections randomly I got this error
> >> >
> >> >Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >> >
> >> >Not sure why. The same user doesn't have any issue connecting manually but
> >> >when different connections from 3 nodes (running an open source sftp client
> >> >called NIFI from apache.org) I got that error.
> >> >I have to say that I tried to reproduce with a script running multiple
> >> >connections at the same time and I get the same errors. If I use
> >> >controlmaster mechanism on ssh client I don't get the error at all.
> >> >
> >> >Any idea?
> >> Use sssd debugging to demonstrate why pam_sss is denying access.
> >> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >>
> >> You'd need logs from the sssd_.log and sssd_pam.log related to
> >> the time when there is an attempt to connect with NIFI. Use
> >> debug_level=9 in domain and pam sections to show all logs and provide
> >> them somewhere we can look up.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >
> >
> >--
> >*Alfredo*
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
*Alfredo*


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-07 Thread Alfredo De Luca via FreeIPA-users
Hi all. I wonder who and how this has been resolved?
I have centos 7 where an sftp server is running. Authentication is with
freeIPA 4.5.4.
All the users connect to the sftp server normally but when there are
multiple connections randomly I got this error

Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)

Not sure why. The same user doesn't have any issue connecting manually but
when different connections from 3 nodes (running an open source sftp client
called NIFI from apache.org) I got that error.
I have to say that I tried to reproduce with a script running multiple
connections at the same time and I get the same errors. If I use
controlmaster mechanism on ssh client I don't get the error at all.

Any idea?
cheers


On Mon, Sep 17, 2018 at 3:43 AM Aaron Hicks via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Simo,
>
> Yes, we recognise this as a client side issue. This was as much a FYI post
> for people in the future searching for similar issues to latch onto. I've
> also made similar comments back to the developers of the MobaXterm client
> we observed this with. We now ask our users to switch the file browser
> protocol to SCP which I think uses the master connection method you've
> recommended.
>
> Regards,
>
> Aaron
>
> -Original Message-
> From: Simo Sorce 
> Sent: Thursday, 13 September 2018 4:20 AM
> To: FreeIPA users list 
> Cc: Aaron Hicks 
> Subject: Re: [Freeipa-users] sftp file broswer causes 4 (System Error)
>
> On Tue, 2018-09-11 at 14:10 +1200, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> >
> > We just had a bit of fuss involving user logins. We're using sssd
> > 1.16.1 on a client and FreeIPA 4.5.4 (ok, it's really RHIdM)
> >
> > We had a lot of users having issues logging in and/or resetting their
> > passwords on a host with 2FA enabled, and it turns out when they're
> > using an advanced SSH client (e.g. MobaXterm) that also starts a SFTP
> > session they can't login and we see errors like:
> >
> > Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
> >
> > Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
> >
> > If the SFTP file browser is disabled, or its protocol is set to use
> > SCP then logins progress normally.
> >
> > In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule
> > only allows sshd services, so if these were the cause of the '4 (System error)'
> > failures then it'd be much better if the error reports were more meaningful.
> >
> > Does anyone have any advice on setting up SFTP so that it works (and
> > ideally, doesn't need repeated entry of credentials).
>
> You should find out if your client supports using a master connection for
> SSH, instead of trying to open multiple different connections for SSH and
> SFTP. In the end it is a client issue if it can't properly prompt for
> credentials when it uses multiple different authenticated connections (I
> assume this client is caching passwords and trying to resubmit old 2FA
> codes in the process? [Caching of passwords seems already bad in itself if
> that's the case, how long does it hold onto your creds? will it leak them?])
>
> HTH,
> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
>
>


-- 
*Alfredo*


[Freeipa-users] Re: Changing domain name

2018-08-19 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps Angus.  appreciated

/Alfredo

On Fri, 17 Aug 2018, 10:40 Angus Clarke, 
wrote:

> You might find some useful tips here:
>
> https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html
>
> Not sure if they did drop their other scripts into github (as suggested
> two thirds down)
>
> Regards
> Angus
>
>
> On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi Rob. It worked. Thanks.
>> It was confusing for me the name *migrated*, thinking it was the new host
>> rather than the *"old"*.
>> Now users/groups are there and whoever has the password needs to connect
>> to the new server in order to recreate their password with kerberos. I
>> guess who has the ssh keys don't need to do that...right?
>>
>> Now I need to migrate manually the hbac,sudo etc
>>
>> Thanks
>>
>>
>> On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca 
>> wrote:
>>
>>> Thanks Rob. I'll give it a try.
>>> Cheers
>>>
>>> On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden 
>>> wrote:
>>>
>>>> Alfredo De Luca via FreeIPA-users wrote:
>>>> > Hi Florence.
>>>> > But the example says  ldap://*migrated*.freeipa.server.test
>>>> >
>>>> > so I ran the command from the actual server where I want to migrate the
>>>> > users from and pointing to the migrated (so the new which I will migrate
>>>> > to) server...
>>>> > So is it wrong?
>>>> > So should I run the command instead from the new ipa server pointing to
>>>> > the old server?
>>>>
>>>> The old server. You have been trying to migrate the server to itself.
>>>>
>>>> rob
>>>>
>>>> >
>>>> >
>>>> >
>>>> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud wrote:
>>>> >
>>>> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>>>> > > The IP is the new server where I'd like to migrate all the user/groups
>>>> > > to and it should be ok.
>>>> > > The migrate-ds is the default I copy from the freeipa.org
>>>> > > migration section..
>>>> > >
>>>> > Hi,
>>>> >
>>>> > the ldap URI should point to the server where the users are currently
>>>> > defined (=the FROM server).
>>>> >
>>>> > Hope this clarifies,
>>>> > flo
>>>> > >
>>>> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden wrote:
>>>> > >
>>>> > > Alfredo De Luca via FreeIPA-users wrote:
>>>> > >  > Hi Rob.
>>>> > >  > Yes. I am following the link you sent. So now I can understand they need
>>>> > >  > to create the new Kerberos but given the command I should have seen all
>>>> > >  > the users in the new freeipa server... which are not there.
>>>> > >  > Maybe I put a wrong command? (below)
>>>> > >  >
>>>> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
>>>> > >  > --user-container=cn=users,cn=accounts --group-overwrite-gid
>>>> > >  > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>>>> > >  > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>>>> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
>>

[Freeipa-users] Re: Changing domain name

2018-08-17 Thread Alfredo De Luca via FreeIPA-users
Hi Rob. It worked. Thanks.
It was confusing for me the name *migrated*, thinking it was the new host
rather than the *"old"*.
Now users/groups are there and whoever has the password needs to connect to
the new server in order to recreate their password with kerberos. I guess
who has the ssh keys don't need to do that...right?

Now I need to migrate manually the hbac,sudo etc

Thanks


On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca 
wrote:

> Thanks Rob. I'll give it a try.
> Cheers
>
> On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden 
> wrote:
>
>> Alfredo De Luca via FreeIPA-users wrote:
>> > Hi Florence.
>> > But the example says  ldap://*migrated*.freeipa.server.test
>> >
>> > so I ran the command from the actual server where I want to migrate the
>> > users from and pointing to the migrated (so the new which I will migrate
>> > to) server...
>> > So is it wrong?
>> > So should I run the command instead from the new ipa server pointing to
>> > the old server?
>>
>> The old server. You have been trying to migrate the server to itself.
>>
>> rob
>>
>> >
>> >
>> >
>> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud wrote:
>> >
>> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>> > > The IP is the new server where I'd like to migrate all the user/groups
>> > > to and it should be ok.
>> > > The migrate-ds is the default I copy from the freeipa.org
>> > > migration section..
>> > >
>> > Hi,
>> >
>> > the ldap URI should point to the server where the users are currently
>> > defined (=the FROM server).
>> >
>> > Hope this clarifies,
>> > flo
>> > >
>> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden wrote:
>> > >
>> > > Alfredo De Luca via FreeIPA-users wrote:
>> > >  > Hi Rob.
>> > >  > Yes. I am following the link you sent. So now I can understand they need
>> > >  > to create the new Kerberos but given the command I should have seen all
>> > >  > the users in the new freeipa server... which are not there.
>> > >  > Maybe I put a wrong command? (below)
>> > >  >
>> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
>> > >  > --user-container=cn=users,cn=accounts --group-overwrite-gid
>> > >  > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>> > >  > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
>> > >  > ldap://192.168.20.177:389
>> > >  >
>> > >  > Password:
>> > >  > ---
>> > >  > migrate-ds:
>> > >  > ---
>> > >  > Migrated:
>> > >  >   group: admins, editors
>> > >  > Failed user:
>> > >  >   admin: This entry already exists
>> > >  > Failed group:
>> > >  > --
>> > >  > Passwords have been migrated in pre-hashed format.
>> > >  > IPA is unable to generate Kerberos keys unless provided
>> > >  > with clear text passwords. All migrated users need to
>> > >  > login at https://your.domain/ipa/migration/ before they
>> > >  > can use their Kerberos accounts.
>> > >
>> > > It isn't finding any of your users. Are you sure that IP address points
>> >  

[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Alfredo De Luca via FreeIPA-users
Thanks Rob. I'll give it a try.
Cheers

On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Florence.
> > But the example says  ldap://*migrated*.freeipa.server.test
> >
> > so I ran the command from the actual server where I want to migrate the
> > users from and pointing to the migrated (so the new which I will migrate
> > to) server...
> > So is it wrong?
> > So should I run the command instead from the new ipa server pointing to
> > the old server?
>
> The old server. You have been trying to migrate the server to itself.
>
> rob
>
> >
> >
> >
> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud wrote:
> >
> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> > > The IP is the new server where I'd like to migrate all the user/groups
> > > to and it should be ok.
> > > The migrate-ds is the default I copy from the freeipa.org
> > > migration section..
> > >
> > Hi,
> >
> > the ldap URI should point to the server where the users are currently
> > defined (=the FROM server).
> >
> > Hope this clarifies,
> > flo
> > >
> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden wrote:
> > >
> > > Alfredo De Luca via FreeIPA-users wrote:
> > >  > Hi Rob.
> > >  > Yes. I am following the link you sent. So now I can understand they need
> > >  > to create the new Kerberos but given the command I should have seen all
> > >  > the users in the new freeipa server... which are not there.
> > >  > Maybe I put a wrong command? (below)
> > >  >
> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > >  > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > >  > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> > >  > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
> > >  > ldap://192.168.20.177:389
> > >  >
> > >  > Password:
> > >  > ---
> > >  > migrate-ds:
> > >  > ---
> > >  > Migrated:
> > >  >   group: admins, editors
> > >  > Failed user:
> > >  >   admin: This entry already exists
> > >  > Failed group:
> > >  > --
> > >  > Passwords have been migrated in pre-hashed format.
> > >  > IPA is unable to generate Kerberos keys unless provided
> > >  > with clear text passwords. All migrated users need to
> > >  > login at https://your.domain/ipa/migration/ before they
> > >  > can use their Kerberos accounts.
> > >
> > > It isn't finding any of your users. Are you sure that IP address points
> > > to your existing IPA instance?
> > >
> > > rob
> > >
> > >
> > >
> > > --
> > > /Alfredo/
> > >
> > >
> > >

[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Alfredo De Luca via FreeIPA-users
The IP is the new server where I'd like to migrate all the user/groups to
and it should be ok.
The migrate-ds is the default I copy from the freeipa.org migration
section..




On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Rob.
> > Yes. I am following the link you sent. So now I can understand they need
> > to create the new Kerberos but given the command I should have seen all
> > the users in the new freeipa server... which are not there.
> > Maybe I put a wrong command? (below)
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://192.168.20.177:389
> >
> > Password:
> > ---
> > migrate-ds:
> > ---
> > Migrated:
> >   group: admins, editors
> > Failed user:
> >   admin: This entry already exists
> > Failed group:
> > --
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
>
> It isn't finding any of your users. Are you sure that IP address points
> to your existing IPA instance?
>
> rob
>


-- 
*Alfredo*


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Hi Florence.
I created a new IPA server and tried to migrate but I got the following ...

*Passwords have been migrated in pre-hashed format.*
*IPA is unable to generate Kerberos keys unless provided*
*with clear text passwords. All migrated users need to*
*login at https://your.domain/ipa/migration/ before they*
*can use their Kerberos accounts.*

Alfredo


On Mon, Aug 13, 2018 at 2:04 PM Alfredo De Luca 
wrote:

> Thanks heaps Florence. Appreciated
>
> Alfredo
>
>
> On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud 
> wrote:
>
>> On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
>> > Hi Florence. Yes, this clarifies my question. So either I will build a new
>> > FreeIPA then manually add all the users/groups etc ... or maybe import
>> > at least some users with some sort of ldap command?
>> >
>> Hi,
>>
>> FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1]
>>
>> Note that other objects need to be migrated manually (sudo, hbac, ...).
>> The procedure involves retrieving the objects with ldapsearch into a
>> ldif file, editing the ldif to replace the basedn, and importing to the
>> new server.
>>
>> There are a few knowledge base articles related to this topic, for
>> instance Migrating Your IDM Environment To a New Environment in RHEL 7
>> [2]. You may also find additional information in the users mailing list.
>>
>> HTH,
>> flo
>>
>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
>> [2] https://access.redhat.com/articles/2949931
>>
>> > Cheers
>> >
>> >
>> > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud wrote:
>> >
>> > On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
>> >  > Hi all.
>> >  > We'd like to change the domain name on our freeipa (4.5.4 on centos
>> >  > 7.5). Not the realm but only the domain
>> >  > is it doable?
>> >  > If so... how?
>> >  >
>> > Hi,
>> >
>> > unfortunately, no. Please have a look at IdM documentation, section Host
>> > Name and DNS Configuration [1]. It contains a big warning:
>> > Note that the primary DNS domain and Kerberos realm cannot be changed
>> > after the installation.
>> >
>> > Hope this clarifies,
>> > flo
>> >
>> > [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
>> >
>> >  > Cheers
>> >  >
>> >  >
>> >  > --
>> >  > /Alfredo/
>> >  >
>> >  >
>> >  >
>> >  >
>> >
>> >
>> >
>> > --
>> > /Alfredo/
>> >
>> >
>> >
>> >
>>
>>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps Florence. Appreciated

Alfredo


On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud 
wrote:

> On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
> > Hi Florence. Yes, this clarifies my question. So either I will build a new
> > FreeIPA then manually add all the users/groups etc ... or maybe import
> > at least some users with some sort of ldap command?
> >
> Hi,
>
> FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1]
>
> Note that other objects need to be migrated manually (sudo, hbac, ...).
> The procedure involves retrieving the objects with ldapsearch into a
> ldif file, editing the ldif to replace the basedn, and importing to the
> new server.
>
> There are a few knowledge base articles related to this topic, for
> instance Migrating Your IDM Environment To a New Environment in RHEL 7
> [2]. You may also find additional information in the users mailing list.
>
> HTH,
> flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
> [2] https://access.redhat.com/articles/2949931
>
> > Cheers
> >
> >
> > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud wrote:
> >
> > On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
> >  > Hi all.
> >  > We'd like to change the domain name on our freeipa (4.5.4 on centos
> >  > 7.5). Not the realm but only the domain
> >  > is it doable?
> >  > If so... how?
> >  >
> > Hi,
> >
> > unfortunately, no. Please have a look at IdM documentation, section Host
> > Name and DNS Configuration [1]. It contains a big warning:
> > Note that the primary DNS domain and Kerberos realm cannot be changed
> > after the installation.
> >
> > Hope this clarifies,
> > flo
> >
> > [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
> >
> >  > Cheers
> >  >
> >  >
> >  > --
> >  > /Alfredo/
> >  >
> >  >
> >  >
> >  >
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> >
>
>

-- 
*Alfredo*
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/72FUZIYGME2QABDAOPHYBS7NBV7B2XAO/


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Hi Florence. Yes, this clarifies my question. So either I will build a new
FreeIPA then manually add all the users/groups etc ... or maybe import at
least some users with some sort of ldap command?

Cheers


On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud 
wrote:

> On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > We'd like to change the domain name on our freeipa (4.5.4 on centos
> > 7.5). Not the realm but only the domain
> > is it doable?
> > If so... how?
> >
> Hi,
>
> unfortunately, no. Please have a look at IdM documentation, section Host
> Name and DNS Configuration [1]. It contains a big warning:
> Note that the primary DNS domain and Kerberos realm cannot be changed
> after the installation.
>
> Hope this clarifies,
> flo
>
> [1]
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
>
> > Cheers
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> >
>
>

-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GPFF573QLX2JUFGKKCLCHWKJIKKICYDJ/


[Freeipa-users] Changing domain name

2018-08-11 Thread Alfredo De Luca via FreeIPA-users
Hi all.
We'd like to change the domain name on our freeipa (4.5.4 on centos 7.5).
Not the realm but only the domain
is it doable?
If so... how?

Cheers


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HG5BWVSUFHVZ5XT22OAHANND4P4UMJEE/


[Freeipa-users] Re: _srv_

2018-08-10 Thread Alfredo De Luca via FreeIPA-users
 Thanks Alex. I saw that command but I wasn't sure it was for External DNS
too.
cheers

/Alfredo

On Fri, 10 Aug 2018, 12:19 Alexander Bokovoy,  wrote:

> On pe, 10 elo 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Hi all.
> >If I don't have freeipa dns and we use external DNS and I wanted to use
> >_srv_ for all the clients to connect automatically when a master goes down
> >what should I do on the DNS server?
> With FreeIPA 4.4 or later there is a command
>
>   ipa dns-update-system-records --dry-run
>
> which gives you a list of actual DNS entries that should exist. It does
> not include A/ records for the masters but it has all SRV/TXT
> records needed (and A record for the CRL master, ipa-ca.$domain).
>
> If you'd add --out=/some/file.txt, you'll get the output in nsupdate
> format.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC53FMZN5CY5SBH5CPQC4KIVD45N5KUZ/
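
As an added example (not part of the thread and not FreeIPA code): a small checker that takes the nsupdate-format text written with the `--out` option mentioned above and lists which of those records an external DNS server does not yet answer. The record samples, the `mydom.test` host names, the realm and the dig-style answer lines are constructed placeholders; the real expected list comes from the command's own output.

```python
"""Diff the DNS records FreeIPA expects against what an external zone answers."""

# Constructed stand-in for the nsupdate-format file written by
#   ipa dns-update-system-records --dry-run --out=/some/file.txt
# Domain, realm, host names and TTLs are placeholders, not real output.
EXPECTED_NSUPDATE = """\
zone mydom.test.
update delete _ldap._tcp.mydom.test. SRV
update add _ldap._tcp.mydom.test. 86400 IN SRV 0 100 389 master1.mydom.test.
update add _ldap._tcp.mydom.test. 86400 IN SRV 0 100 389 replica1.mydom.test.
update delete _kerberos._tcp.mydom.test. SRV
update add _kerberos._tcp.mydom.test. 86400 IN SRV 0 100 88 master1.mydom.test.
update add _kerberos._tcp.mydom.test. 86400 IN SRV 0 100 88 replica1.mydom.test.
update delete _kerberos.mydom.test. TXT
update add _kerberos.mydom.test. 86400 IN TXT "MYDOM.TEST"
send
"""

# Constructed answers in `dig +noall +answer` layout, as collected from the
# external DNS server for the owner names above.
EXTERNAL_ANSWERS = """\
_ldap._tcp.mydom.test.     3600 IN SRV 0 100 389 master1.mydom.test.
_kerberos._tcp.mydom.test. 3600 IN SRV 0 100 88 Master1.MyDom.Test.
_kerberos._tcp.mydom.test. 3600 IN SRV 0 100 88 replica1.mydom.test.
"""


def normalise_record(fields):
    """Turn 'name [ttl] [class] type rdata...' tokens into a comparable tuple."""
    name, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():                      # optional TTL, ignored
        rest = rest[1:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
        rest = rest[1:]
    if len(rest) < 2:
        raise ValueError("not a resource record: %r" % " ".join(fields))
    rtype, rdata = rest[0].upper(), list(rest[1:])
    if rtype == "SRV":                                  # priority weight port target
        if len(rdata) != 4:
            raise ValueError("malformed SRV rdata: %r" % " ".join(fields))
        rdata[3] = rdata[3].lower().rstrip(".")         # DNS names are case-insensitive
    return (name.lower().rstrip("."), rtype, " ".join(rdata))


def parse_nsupdate(text):
    """Collect the records named by 'update add' lines; other commands are skipped."""
    records = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["update", "add"]:
            records.add(normalise_record(tokens[2:]))
    return records


def parse_answers(text):
    """Collect records from dig-style answer lines, skipping blanks and ';' comments."""
    records = set()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(";"):
            records.add(normalise_record(stripped.split()))
    return records


def missing_records(expected, present):
    """Records FreeIPA expects that the external server does not answer."""
    return sorted(expected - present)


def srv_without_failover(records):
    """SRV owner names that list fewer than two distinct targets."""
    targets = {}
    for name, rtype, rdata in records:
        if rtype == "SRV":
            targets.setdefault(name, set()).add(rdata.split()[3])
    return sorted(name for name, hosts in targets.items() if len(hosts) < 2)


if __name__ == "__main__":
    expected = parse_nsupdate(EXPECTED_NSUPDATE)
    present = parse_answers(EXTERNAL_ANSWERS)
    for name, rtype, rdata in missing_records(expected, present):
        print("missing: %s %s %s" % (name, rtype, rdata))
    for name in srv_without_failover(present):
        print("single target only: %s" % name)
```

Records reported as missing are the ones still to be created on the external DNS server; an SRV name that lists a single target gives clients nothing to fall back to when that master is down.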


[Freeipa-users] _srv_

2018-08-10 Thread Alfredo De Luca via FreeIPA-users
Hi all.
If I don't have freeipa dns and we use external DNS and I wanted to use
_srv_ for all the clients to connect automatically when a master goes down
what should I do on the DNS server?

I tried to have
master1.mydom.test SRV
replica1.mydon.test SRV
etc etc... but I don't think is working


Cheers


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X6PO2GZV2WIJPMFOHIKWEGCVH4OHC633/


[Freeipa-users] Re: FreeIPA replica

2018-08-06 Thread Alfredo De Luca via FreeIPA-users
Hi Alex et al.
I wonder what I need to do on our internal DNS to point all the clients to
both master and replica without changing all the ipa clients conf.

At this stage it's too late to change the server in autodiscovery.
What should I do on the DNS server?

Cheers


On Wed, Aug 1, 2018 at 2:24 PM Alfredo De Luca 
wrote:

> Thanks heaps.
>
> Cheers
>
>
> On Wed, Aug 1, 2018 at 12:12 PM Alexander Bokovoy 
> wrote:
>
>> On ke, 01 elo 2018, Alfredo De Luca via FreeIPA-users wrote:
>> >Thanks heaps Alexander. That made the trick.
>> >
>> >Now if all the ipa clients point to the master and it goes down ...the
>> >replica will do the job but ...do I need to change the DNS to add the
>> >replica?
>> Read ipa-client-install man page, it has explanation. You don't really
>> need to specify --server option. If you did, you pinned the client to
>> that server. If you just use autodiscovery, --server is not needed.
>>
>> >
>> >Cheers
>> >
>> >
>> >On Tue, Jul 31, 2018 at 2:52 PM Alfredo De Luca <alfredo.del...@gmail.com>
>> >wrote:
>> >
>> >> Hi all.
>> >> I am trying to add a replica on a freeIPA Server lev 1 (version 4.5.4 on
>> >> Centos 7) but I get the following error;
>> >>
>> >>
>> >> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
>> >>   Cannot promote this client to a replica. Local domain 'digit.test' does
>> >> not match IPA domain 'mytestdomain.it'.
>> >>
>> >> Now I know that on IPA server lev 1 you cannot add a replica from the
>> >> server so that's why I tried
>> >> 1. ipa-client-install (gone well)
>> >> 2. ipa-replica-install (with errors)
>> >>
>> >> Any idea?
>> >>
>> >>
>> >>
>> >> --
>> >> *Alfredo*
>> >>
>> >>
>> >
>> >--
>> >*Alfredo*
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/4H3MOZC2Z7T2FQYY4CKOGZSYDEDSJKP7/


[Freeipa-users] Re: FreeIPA replica

2018-08-01 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps.

Cheers


On Wed, Aug 1, 2018 at 12:12 PM Alexander Bokovoy 
wrote:

> On ke, 01 elo 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Thanks heaps Alexander. That made the trick.
> >
> >Now if all the ipa clients point to the master and it goes down ...the
> >replica will do the job but ...do I need to change the DNS to add the
> >replica?
> Read ipa-client-install man page, it has explanation. You don't really
> need to specify --server option. If you did, you pinned the client to
> that server. If you just use autodiscovery, --server is not needed.
>
> >
> >Cheers
> >
> >
> >On Tue, Jul 31, 2018 at 2:52 PM Alfredo De Luca
> >wrote:
> >
> >> Hi all.
> >> I am trying to add a replica on a freeIPA Server lev 1 (version 4.5.4 on
> >> Centos 7) but I get the following error;
> >>
> >>
> >> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
> >>   Cannot promote this client to a replica. Local domain 'digit.test' does
> >> not match IPA domain 'mytestdomain.it'.
> >>
> >> Now I know that on IPA server lev 1 you cannot add a replica from the
> >> server so that's why I tried
> >> 1. ipa-client-install (gone well)
> >> 2. ipa-replica-install (with errors)
> >>
> >> Any idea?
> >>
> >>
> >>
> >> --
> >> *Alfredo*
> >>
> >>
> >
> >--
> >*Alfredo*
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/55BQZZ33R7YKYRYTNKWFRNMD6MPTLMU5/


[Freeipa-users] Re: FreeIPA replica

2018-08-01 Thread Alfredo De Luca via FreeIPA-users
Hi Alexander. yes I did.. these are all the options with client install

ipa-client-install --force-join --domain digit.test --server idm.digit.test
--realm MYTESTDOMAIN.IT --hostname ipa-repl.digit.test --mkhomedir -U
--principal admin --password 

and all went well. I can access the host with IPA users and so on

What else can I try?

Cheers





On Wed, Aug 1, 2018 at 8:16 AM Alexander Bokovoy 
wrote:

> On ti, 31 heinä 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Hi all.
> >I am trying to add a replica on a freeIPA Server lev 1 (version 4.5.4 on
> >Centos 7) but I get the following error;
> >
> >
> >ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
> >  Cannot promote this client to a replica. Local domain 'digit.test' does
> >not match IPA domain 'mytestdomain.it'.
> >
> >Now I know that on IPA server lev 1 you cannot add a replica from the
> >server so that's why I tried
> >1. ipa-client-install (gone well)
> >2. ipa-replica-install (with errors)
> How did you call 'ipa-client-install'? What options did you pass there?
> Did you use 'ipa-client-install -n digit.test'?
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/M3IQY5BUIBJ5URUQQ4NMZNSTEVUZCNT2/


[Freeipa-users] Re: FreeIPA replica

2018-07-31 Thread Alfredo De Luca via FreeIPA-users
Hi all.
Any idea for this?

/Alfredo

On Tue, 31 Jul 2018, 14:52 Alfredo De Luca, 
wrote:

> Hi all.
> I am trying to add a replica on a freeIPA Server lev 1 (version 4.5.4 on
> Centos 7) but I get the following error;
>
>
> ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
>   Cannot promote this client to a replica. Local domain 'digit.test' does
> not match IPA domain 'mytestdomain.it'.
>
> Now I know that on IPA server lev 1 you cannot add a replica from the
> server so that's why I tried
> 1. ipa-client-install (gone well)
> 2. ipa-replica-install (with errors)
>
> Any idea?
>
>
>
> --
> *Alfredo*
>
>
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RHYOZ2VZTO6C2LXRYQYPOYIAXH52GTTY/


[Freeipa-users] FreeIPA replica

2018-07-31 Thread Alfredo De Luca via FreeIPA-users
Hi all.
I am trying to add a replica on a freeIPA Server lev 1 (version 4.5.4 on
Centos 7) but I get the following error;


ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
  Cannot promote this client to a replica. Local domain 'digit.test' does
not match IPA domain 'mytestdomain.it'.

Now I know that on IPA server lev 1 you cannot add a replica from the
server so that's why I tried
1. ipa-client-install (gone well)
2. ipa-replica-install (with errors)

Any idea?



-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OVGV74JZ6MUV6G2YPOLOJ7ZR22AJ3AMN/


[Freeipa-users] Re: Forcing ssh key login

2018-07-28 Thread Alfredo De Luca via FreeIPA-users
Anyone on this question?
cheers

/Alfredo

On Thu, 26 Jul 2018, 18:35 Alfredo De Luca, 
wrote:

> Hi all.
> I wonder how to force ssh keys only for all the users with freeIPA. We have
> 4.5.4 version.
> Is it the only way changing the sshd_config from PasswordAuthentication
> from yes to *NO*?
>
> Cheers
>
>
> --
> *Alfredo*
>
>
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3EAJ43X3HBVKRQDZHMBLY7WFFLSBQK35/


[Freeipa-users] Forcing ssh key login

2018-07-26 Thread Alfredo De Luca via FreeIPA-users
Hi all.
I wonder how to force ssh keys only for all the users with freeIPA. We have
4.5.4 version.
Is it the only way changing the sshd_config from PasswordAuthentication
from yes to *NO*?

Cheers


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Y2BZIXM6M4XMUQWH7FXUQACV6LMG5XKK/


[Freeipa-users] Re: freeIPa replica setup

2018-07-22 Thread Alfredo De Luca via FreeIPA-users
Thanks Rob. IPA version is 4.5.4 and I d's lev 1 domain.
So I'll try to with up client then ups replica install.
thx

/Alfredo

On Fri, 20 Jul 2018, 19:54 Rob Crittenden,  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > I need to setup a freeIPA replica and not sure which is the best and
> > more reliable.
> > I found a few people preparing the replica from the server others just
> > installing the replica on another machine with the appropriate
> > configuration.
> >
> > Any info/docs?
>
> It depends on the version of IPA (and the knowing the distro would help
> too).
>
> For 4.x+ you want to start with:
>
> $ ipa domainlevel-get
>
> If it is domain level 1 then you can install the new machine as an IPA
> client and then promote it to a master by running ipa-replica-install.
>
> For domain-level 0 you need to run ipa-replica-prepare on an existing
> master and then ipa-replica-install  on the new master.
>
>
> rob
>
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/EJPGAXMFDVIHHTBXP3ICRTOKU7NHW5DV/


[Freeipa-users] freeIPa replica setup

2018-07-20 Thread Alfredo De Luca via FreeIPA-users
Hi all.
I need to setup a freeIPA replica and not sure which is the best and more
reliable.
I found a few people preparing the replica from the server others just
installing the replica on another machine with the appropriate
configuration.

Any info/docs?

-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3XYKBBNWAETR7L3RFCLO7WDKS3XJH2KP/


[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Alfredo De Luca via FreeIPA-users
ok thanks. but can I have a different IP address but same hostname? this is
to check if everything works

/Alfredo

On Mon, 25 Jun 2018, 18:24 ,  wrote:

> Yes. Edit /etc/hosts and add your IP address and hostname. Edit
> /etc/hostname to put your hostname.
>
> That works for me.
>
> You should probably make sure that you have iptables on the production
> systems to reject connections from the ip address of your copy. Otherwise
> you run the danger of having an out of date copy giving you out of date
> data.
>
> On Jun 25, 2018, at 11:31 AM, Alfredo De Luca 
> wrote:
>
> Hi Hedrick.
> Just a quick one. If I want to restore a full backup IPA in a different
> host (just for test purpose) can I change the IP address but have the same
> hostname/FQDN?
>
> Alfredo
>
>
> On Sat, Jun 23, 2018 at 5:54 PM  wrote:
>
>> There is actually documentation supporting my view:
>> https://www.freeipa.org/page/Backup_and_Restore Look particularly at the
>> section "Why snapshot and not backup and restore scripts?"
>>
>> The difference is that they suggest stopping a replica before making a
>> snapshot, while we snapshot a running system. I’ve done this with a variety
>> of databases and other applications. My claim is that a point in time
>> snapshot should be safe for any software that is designed to survive a
>> crash, because a point in time snapshot is no harder to recover from than a
>> crash. We have multiple snapshots, in case we can’t use one of them. But
>> I’ve never seen that happen.
>>
>> We always run complex software systems such as ipa in a VM.
>>
>> On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca <
>> alfredo.del...@gmail.com> wrote:
>>
>> Thanks Charles. Our IPA is a VM too on Openstack but for some reasons
>> they said it's not good to take snapshots and rely on that for backups...
>> I'll investigate further tho... cause my idea was exactly that. Snapshots
>>
>>
>> Thanks for sharing.
>>
>> On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick 
>> wrote:
>>
>>> Our IPA servers are VMs. We do backups of snapshots, either through
>>> VMware or when the image is on a Netapp, through a Netapp snapshot. That
>>> guarantees that you have all the pieces in a consistent state. I’ve never
>>> had to restore a production server, but I have started copies of one of the
>>> backups to do experiments that I didn’t want to do on a production system.
>>> I’ve never had an issue starting from a backup, though I need to do some
>>> changes so the system thinks it has the same hostname as the original one.
>>>
>>> On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>> Hi all.
>>> What's the best procedure/practice  to periodically perform a backup on
>>> a single freeipa server with CA?
>>>
>>> Cheers
>>>
>>> --
>>> *Alfredo*
>>>
>>>
>>>
>>>
>>
>> --
>> *Alfredo*
>>
>>
>>
>
> --
> *Alfredo*
>
>
>
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/TW5LN5LFE5ZFNP2JP6WTV6CKBERMKGSE/


[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Alfredo De Luca via FreeIPA-users
Hi Hedrick.
Just a quick one. If I want to restore a full backup IPA in a different host
(just for test purpose) can I change the IP address but have the same
hostname/FQDN?

Alfredo

On Sat, Jun 23, 2018 at 5:54 PM  wrote:

> There is actually documentation supporting my view:
> https://www.freeipa.org/page/Backup_and_Restore Look particularly at the
> section "Why snapshot and not backup and restore scripts?"
>
> The difference is that they suggest stopping a replica before making a
> snapshot, while we snapshot a running system. I’ve done this with a variety
> of databases and other applications. My claim is that a point in time
> snapshot should be safe for any software that is designed to survive a
> crash, because a point in time snapshot is no harder to recover from than a
> crash. We have multiple snapshots, in case we can’t use one of them. But
> I’ve never seen that happen.
>
> We always run complex software systems such as ipa in a VM.
>
> On Jun 23, 2018, at 11:28:37 AM, Alfredo De Luca 
> wrote:
>
> Thanks Charles. Our IPA is a VM too on Openstack but for some reasons they
> said it's not good to take snapshots and rely on that for backups... I'll
> investigate further tho... cause my idea was exactly that. Snapshots
>
>
> Thanks for sharing.
>
> On Fri, Jun 22, 2018 at 4:34 PM Charles Hedrick 
> wrote:
>
>> Our IPA servers are VMs. We do backups of snapshots, either through
>> VMware or when the image is on a Netapp, through a Netapp snapshot. That
>> guarantees that you have all the pieces in a consistent state. I’ve never
>> had to restore a production server, but I have started copies of one of the
>> backups to do experiments that I didn’t want to do on a production system.
>> I’ve never had an issue starting from a backup, though I need to do some
>> changes so the system thinks it has the same hostname as the original one.
>>
>> On Jun 11, 2018, at 9:10 AM, Alfredo De Luca via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Hi all.
>> What's the best procedure/practice  to periodically perform a backup on a
>> single freeipa server with CA?
>>
>> Cheers
>>
>> --
>> *Alfredo*
>>
>>
>>
>>
>
> --
> *Alfredo*
>
>
>

-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/74LL3P7EOIMG3NYM2OC6QUXH5YSYRY3G/


[Freeipa-users] Re: freeIPA backup

2018-06-18 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps.


On Mon, Jun 18, 2018 at 8:16 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Tony et al.
> > AFAIK if I perform a full backup, and one day I need to restore it , I
> > can but only on the same machine/FQDN... is that right? So if I destroy
> > the IPA server then create a new one with the same FQDN and options as
> > the first time then I restore it should be fine?
>
> Yes. The same version of IPA is also required.
>
> rob
>
> >
> > Cheers
> > Alfredo
> >
> >
> > On Wed, Jun 13, 2018 at 5:49 PM Alfredo De Luca
> > <alfredo.del...@gmail.com> wrote:
> >
> > Thanks Tony. Appreciated.
> >
> > I will soon do that.
> > Cheers
> >
> >
> > On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Hi Alfredo,
> >
> > As Peter says, use ipa-backup. I suggest running it twice a day, but
> > that depends on how many changes you make in FreeIPA.
> >
> > Then, get your backup software to backup /var/lib/ipa/backup some time
> > after you've run ipa-backup. Or, get your backup software to run
> > ipa-backup for you and then back up the destination folder.
> >
> > It's always easier to restore a system from a full backup, but it takes
> > time and demands many full backups which are large in size, demands a
> > lot of storage and stresses your network.
> >
> > I'd run a full backup of the FreeIPA server weekly and incrementals
> > twice a day, all of them right after running ipa-backup.
> >
> > HTH
> >
> > /tony
> >
> >
> > On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
> > > thanks Peter.
> > > I know that having only one server it's not good that's why for now I
> > > just want to implement a backup/restore  process then one/multiple replicas.
> > >
> > > About a restore... is it better to restore from a full backup rather
> > > than only data backup?
> > >
> > >
> > > Cheers
> > >
> >
> >
> > --
> > Tony Albers
> > Systems administrator, IT-development
> > Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> > Tel: +45 2566 2383 / +45 8946 2316
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> >
>
>

-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/MC4BCY7PMBP33GGGLRPYYXHXEBQ4HKBG/


[Freeipa-users] Email account creation

2018-06-18 Thread Alfredo De Luca via FreeIPA-users
Hi all.
We have freeIPA VERSION: 4.4.0, and we are creating users and all works
fine. What if we would like to create as long as the username also its
email account on our email server? Would it be possible? how?

Cheers
thx in advance


-- 
*Alfredo*
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HLPJVPFSIEOSAXXMUYCRUMXMLLN6G7F3/


[Freeipa-users] Re: freeIPA backup

2018-06-18 Thread Alfredo De Luca via FreeIPA-users
Hi Tony et al.
AFAIK if I perform a full backup, and one day I need to restore it , I can
but only on the same machine/FQDN... is that right? So if I destroy the IPA
server then create a new one with the same FQDN and options as the first
time then I restore it should be fine?

Cheers
Alfredo


On Wed, Jun 13, 2018 at 5:49 PM Alfredo De Luca 
wrote:

> Thanks Tony. Appreciated.
>
> I will soon do that.
> Cheers
>
>
> On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi Alfredo,
>>
>> As Peter says, use ipa-backup. I suggest running it twice a day, but
>> that depends on how many changes you make in FreeIPA.
>>
>> Then, get your backup software to backup /var/lib/ipa/backup some time
>> after you've run ipa-backup. Or, get your backup software to run
>> ipa-backup for you and then back up the destination folder.
>>
>> It's always easier to restore a system from a full backup, but it takes
>> time and demands many full backups which are large in size, demands a
>> lot of storage and stresses your network.
>>
>> I'd run a full backup of the FreeIPA server weekly and incrementals
>> twice a day, all of them right after running ipa-backup.
>>
>> HTH
>>
>> /tony
>>
>>
>> On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
>> > thanks Peter.
>> > I know that having only one server it's not good that's why for now I
>> > just want to implement a backup/restore process then one/multiple replicas.
>> >
>> > About a restore... is it better to restore from a full backup rather
>> > than only data backup?
>> >
>> >
>> > Cheers
>>
>>
>> --
>> Tony Albers
>> Systems administrator, IT-development
>> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
>> Tel: +45 2566 2383 / +45 8946 2316
>>
>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*


[Freeipa-users] Re: freeIPA backup

2018-06-13 Thread Alfredo De Luca via FreeIPA-users
Thanks Tony. Appreciated.

I will soon do that.
Cheers


On Wed, Jun 13, 2018 at 11:10 AM Tony Brian Albers via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Alfredo,
>
> As Peter says, use ipa-backup. I suggest running it twice a day, but
> that depends on how many changes you make in FreeIPA.
>
> Then, get your backup software to backup /var/lib/ipa/backup some time
> after you've run ipa-backup. Or, get your backup software to run
> ipa-backup for you and then back up the destination folder.
>
> It's always easier to restore a system from a full backup, but it takes
> time and demands many full backups which are large in size, demands a
> lot of storage and stresses your network.
>
> I'd run a full backup of the FreeIPA server weekly and incrementals
> twice a day, all of them right after running ipa-backup.
>
> HTH
>
> /tony
>
>
> On 13/06/18 10:07, Alfredo De Luca via FreeIPA-users wrote:
> > thanks Peter.
> > I know that having only one server it's not good that's why for now I
> > just want to implement a backup/restore process then one/multiple replicas.
> >
> > About a restore... is it better to restore from a full backup rather than
> > only data backup?
> >
> >
> > Cheers
>
>
> --
> Tony Albers
> Systems administrator, IT-development
> Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 2566 2383 / +45 8946 2316
>


-- 
*Alfredo*


[Freeipa-users] Re: freeIPA backup

2018-06-13 Thread Alfredo De Luca via FreeIPA-users
Thanks Peter.
I know that having only one server it's not good that's why for now I just want
to implement a backup/restore process then one/multiple replicas.

About a restore... is it better to restore from a full backup rather than only
data backup?


Cheers


[Freeipa-users] freeIPA backup

2018-06-11 Thread Alfredo De Luca via FreeIPA-users
Hi all.
What's the best procedure/practice  to periodically perform a backup on a
single freeipa server with CA?

Cheers

-- 
*Alfredo*


[Freeipa-users] Re: pam,mkhomedir and umask with freeIPA

2018-06-06 Thread Alfredo De Luca via FreeIPA-users
Thanks Rob.
So where, in the oddjobd-mkhomedir.conf, can I add the umask I want?
Cheers


On Wed, Jun 6, 2018 at 5:43 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > We have pam entry (below) and we wanna change the umask when a new
> > homedir for an existing user is created. We modified the umask but it
> > doesn't work.
> > We have sssd integrated with freeIPA to manage all user etc.
> >
> > Any clue?
> >
> > session optional  pam_oddjob_mkhomedir.so umask=0770
>
> From pam_oddjob_mkhomedir(8):
>
> The location of the skeleton directory and the default umask are determined
> by the configuration for the corresponding service in oddjobd-mkhomedir.conf,
> so they can not be specified as arguments to this module.
>
> rob
>


-- 
*Alfredo*
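An added example, not part of the original thread and not code from the oddjob or FreeIPA projects: a shell audit of the umask handed to the mkhomedir helper in oddjobd-mkhomedir.conf, showing the home directory mode each value would produce, including the `0770` from the PAM line in the question. The sample configuration is constructed; the `-u` position on the `<helper exec=...>` line, the helper path, and the rule that the mode is 0777 with the umask bits cleared are assumptions to verify on your own host.

```shell
#!/bin/sh
# Added example: audit the umask that the oddjob mkhomedir helper is given.
# SAMPLE_CONF is constructed; its layout (umask passed as "-u" on the
# <helper exec=...> line) is an assumption to check against your own file.
SAMPLE_CONF='
<method name="mkmyhomedir">
  <helper exec="/usr/libexec/oddjob/mkhomedir -u 0002" arguments="0" prepend_user_name="yes"/>
</method>
<method name="mkhomedirfor">
  <helper exec="/usr/libexec/oddjob/mkhomedir -u 0770" arguments="1"/>
</method>'

# Print every umask passed to the helper with -u, one per line.
helper_umasks() {
    printf '%s\n' "$1" | sed -n 's/.*mkhomedir[^"]* -u \([0-7]\{3,4\}\).*/\1/p'
}

# Mode of a new directory: 0777 with the umask bits cleared (assumed behaviour).
dir_mode_for_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Classify the resulting home directory mode.
umask_verdict() {
    mode=$(dir_mode_for_umask "$1")
    m=$(( 0$mode ))
    if [ $(( m & 0700 )) -ne $(( 0700 )) ]; then
        echo "BROKEN: owner lacks full access (mode $mode)"
    elif [ $(( m & 0002 )) -ne 0 ]; then
        echo "RISKY: world-writable (mode $mode)"
    elif [ $(( m & 0005 )) -ne 0 ]; then
        echo "OPEN: other users can list or enter (mode $mode)"
    else
        echo "OK: mode $mode"
    fi
}

# Report one line per helper umask found in the given configuration text.
audit_conf() {
    for u in $(helper_umasks "$1"); do
        echo "umask $u -> $(umask_verdict "$u")"
    done
}

audit_conf "$SAMPLE_CONF"
```

A umask lists the permission bits to remove, so a target mode of 0770 corresponds to a umask of 0007, not 0770.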


[Freeipa-users] pam,mkhomedir and umask with freeIPA

2018-06-06 Thread Alfredo De Luca via FreeIPA-users
Hi all.
We have pam entry (below) and we wanna change the umask when a new homedir for
an existing user is created. We modified the umask but it doesn't work.
We have sssd integrated with freeIPA to manage all user etc.

Any clue?

session optional  pam_oddjob_mkhomedir.so umask=0770

Cheers