reliability of external radius
On Mon, 12 Feb 2024, Charles Hedrick via FreeIPA-users wrote:
>Currently our department uses passwords in IPA, with a few users using
>OTP. I'm considering using a University radius server for most users.
>Are there reliability implications? My concern is wha
Currently our department uses passwords in IPA, with a few users using OTP. I'm
considering using a University radius server for most users. Are there
reliability implications? My concern is what happens if the radius server is
slow to respond or even is down. I'd like users with accounts in
A bit more info. Looking at errors, a normal backup terminates with
[20/Dec/2023:23:01:32.943228301 -0500] - INFO - archive_copyfile - Copying
/etc/dirsrv/slapd-CS-RUTGERS-EDU/pwdfile.txt to /var/lib/dirsrv/slapd-\
CS-RUTGERS-EDU/bak/CS-RUTGERS-EDU/config_files/pwdfile.txt
I just upgraded one of three servers from RHEL 9.2 to 9.3. I have a clone of
our three servers, on which all three have been upgraded to 9.3.
All of the servers run a cron job
/sbin/ipa-backup --online --data > /usr/local/scripts/ipa-backup.log 2>&1
The LDAP server hung (needed kill -9) at
If I wanted to using aes256-sha2 for tickets by default, how would I do that?
I've verified that our KDC can issue service tickets for that if I specify -e
aes256-sha2 with ipa-getkeytab, but kinit and everything else seems to use
older encryption types.
We did most of this, and have been using it for a few years. However it depends
upon the ISC DHCP server, which is now EOL. The replacement, KEA, does not
support LDAP, and there are no plans for it to.
I think the reason is that they didn't want to put dynamic addresses in LDAP,
because LDAP
rom the command line of any
problems.
________
From: Charles Hedrick via FreeIPA-users
Sent: Monday, May 15, 2023 4:33 PM
To: Rob Crittenden ; FreeIPA users list
Cc: Sam Morris ; Alexander Bokovoy ;
Charles Hedrick
Subject: [Freeipa-users] Re: Authentication failur
To: FreeIPA users list
Cc: Sam Morris ; Alexander Bokovoy ;
Charles Hedrick
Subject: Re: [Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA
server
Charles Hedrick via FreeIPA-users wrote:
> OK, so I see the answer to my problem is to run
>
> ipa config-mod --add-sids --e
OK, so I see the answer to my problem is to run
ipa config-mod --add-sids --enable-sid
But we have old UIDs with low numbers. It looks like I need to do
ipa idrange-add CS.RUTGERS.EDU_low_id_range --base-id=1 --range-size=20
--rid-base=2 --secondary-rid-base=3
ipa
Is there a way to do a bulk update of existing users? We have this issue. I can
disable the pac, but that might not be a good long term solution
From: Sam Morris via FreeIPA-users
Sent: Monday, May 15, 2023 8:08 AM
To: FreeIPA users list
Cc: Alexander Bokovoy ;
I just upgraded from redhat 9.0 to 9.2 on a set of kerberos servers,
fortunately a test system. I can't kinit as existing users. If I add a user I
can kinit as them. Changing the password doesn't help. krb5kdc says
May 15 13:58:30 krb1.cs.rutgers.edu krb5kdc[652884](info): AS_REQ (4 etypes
We have a site where some users want to be able to run cron jobs with
credentials so they can access files via NFS. We are currently using a local
mechanism to generate those credentials. I'm considering using gssproxy
instead. I've verified that it will work.
Is there any disadvantage to
Ok. Makes sense. I’ll use that solution too.
> On Aug 14, 2022, at 4:35 PM, Jochen Kellner wrote:
>
> Charles Hedrick via FreeIPA-users
> writes:
>
>> it's active, but it seems not to do anything:
>>
>> ● ipa-ccache-sweep.timer - Remove Expired Kerbero
, but another trigger (like OnActiveSec or OnBootSec) would be
needed to trigger the first run of foo.service to get the ball rolling.
From: Jochen Kellner
Sent: Sunday, August 14, 2022 12:39 PM
To: Charles Hedrick via FreeIPA-users
Cc: Charles Hedrick
Subject
RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too old
to be valid.
I assume it's safe to have a cron job delete any more than a day old? (that's
our maximum lifetime.) I can't see the lifetime directly, because they are
encrypted.
will not include that either.
>
> Thanks,
> Fraser
>
>>
>> From: Fraser Tweedale
>> Sent: Sunday, June 19, 2022 11:34 PM
>> To: Charles Hedrick ; Rob Crittenden via FreeIPA-users
>>
>> Cc: Rob Crittenden
>>
your KDC, or else do without PKINIT.
Thanks,
Fraser
>
> >
> >
> > --------------------
> > *From:* Charles Hedrick via FreeIPA-users
> >
> > *Sent:* Wednesday, June 15, 2022 3:39 PM
> > *To:* freeipa-users@lists.fedorahosted.org
>
the error is
The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
From: Charles Hedrick via FreeIPA-users
Sent: Wednesday, June 15, 2022 3:39 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Charles Hedrick
Subject: [Freeipa-users] ipa
ipa-server-certinstall works fine for http and ldap. But I can't get the -k
option to work.
I've tried cert.pem and privkey.pem with and without chain.pem, as well as
fullchain.pem and privkey.pem (fullchain has both the cert and the chain).
The certs were issued by Internet2, which chains up
passwords? And how does the kdc issues the
ticket?
This info would help me a lot!
Best,
Francis
---
Francis Augusto Medeiros-Logeay
Oslo, Norway
On 2022-04-22 20:59, Charles Hedrick via FreeIPA-users wrote:
We have a script that renews all tickets that are still in use, and kills those
this happens a lot. We use a cron job to save copies of dse.ldif.
From: Sigbjorn Lie via FreeIPA-users
Sent: Tuesday, April 19, 2022 6:25 AM
To: freeipa-users@lists.fedorahosted.org
Cc: Sigbjorn Lie
Subject: [Freeipa-users] dse.ldif and dse.ldif.bak gone after
We have a script that renews all tickets that are still in use, and kills those
that are not. The original version of this is a bit complex, but I now have a
bash script in testing that seems reasonable.
I agree that keytables are a bit of a risk. They work on any host, and root can
steal
Our campus uses DUO. We're wondering whether it's possible to use that from
IPA. My main concern is that user interaction can take time.
I see that it's possible to raise the timeout. But is that safe to do? I'm
wondering whether otpd is really designed to have lots of threads waiting for
the
We have users who have otp set. I want to require them to use it except in one
specific situation, where I want to be able to use a keytable to generate
credentials for them (which have to work for all services).
Can anyone think of a way to do this?
Auth indicators don't seem to do the job,
I'm trying to find ways to get rid of as much of my custom C coding as
possible, since I may be the only one that can maintain it. One major one is
renewd, which renews tgt's automatically.
sssd can now do this. However I also need to kill the tickets when the user is
no longer active. This
We’ve had good experience doing just release upgrades, e.g. from 8.1 to 8.2. For
that I do yum update, i.e. the whole thing. My assumption is that testing is
done on systems with the full release. So upgrading just some things gives us
a configuration that hasn’t been tested. We did a full
I just upgraded copies of our 3 servers from Centos 8.2 to 8.3. I always try it
on copies before doing it on the real thing.
The upgrades all went fine, but on one of the servers, the services weren’t
running, and ipactl status complained
Failed to get list of services to probe status!
thanks. There’s enough jargon in this that I’m not sure I understand. What’s
the difference in level of QA between freeipa in Stream and RHEL? I’d be happy
to have new versions of IPA sooner, if they’ve actually been tested well enough
that they’re ready for the next RHEL release. Are things in
We’re in the same situation. I’d actually be willing to pay for Redhat, but not
with the requirement to do a reinstall. So until RHEL 9 I need an alternative.
While I have lots of reasons to dislike it, I’m currently thinking of Oracle
Linux for our remaining time on 8. I’ve found delays in
a multimaster SQL database just to do DHCP.)
> On Jul 6, 2020, at 2:24:43 PM, Charles Hedrick via FreeIPA-users
> wrote:
>
> The main issues are
> * adding to the schema
> * tools for managing
> * dynamic address allocation
>
> We don’t use dynamic allocation. so
The main issues are
* adding to the schema
* tools for managing
* dynamic address allocation
We don’t use dynamic allocation. so that’s not an issue for us. That means the
normal ISC dhcpd works fine. It supports getting data from LDAP. They supply a
schema file, which with some tweaking works
for what it’s worth, you can use ansible’s ldap module with GSSAPI if you make
a one-line patch. In this case we’re only concerned with issuing the ldap
command locally. Ansible defaults SASL to using external rather than GSSAPI.
You’d think they’d make it an option, but it’s hardcoded. I was
On Mar 7, 2020, at 12:32:38 PM, Nicholas DeMarco via FreeIPA-users
freeipa-users@lists.fedorahosted.org
wrote:
# getent passwd | grep ndemarco
Are you sure this is supposed to work? Typically you want to disable
enumeration. Does
getent passwd ndemarco
also fail?
> On Mar 6, 2020, at 5:31:36 PM, Todd Grayson via FreeIPA-users
> wrote:
>
> Thanks Rob, Thanks Angus,
>
> I am aware of how to point the client to the specific IPA server, what I'm
> struggling more with is freeIPA in an environment where it's not using DNS for
> domain and realm
>> is where policy is enforced.
>>
>> rob
>>
>>>
>>>
>>>> On Jan 28, 2020, at 4:34 PM, Charles Hedrick wrote:
>>>>
>>>> If you’d prefer an interface to ds389 I’d be willing to work on that. But
>>>> it
We currently do rsync backups of our server. On an MIT server, you’d want to
omit the stash file. But IPA doesn’t use that. Is there anything like that that
should be omitted? I’m not sure just how freeipa bootstraps trust when it
starts up.
___
e to ds389 I’d be willing to work on that. But
>>> it’s not clear from your reference whether the API is finished. If so,
>>> could you point to documentation, or at least source?
>>>
>>>> On Jan 28, 2020, at 4:12 PM, Charles Hedrick via FreeIPA-users
>>>
e would
>>>> be much simpler. I’m using an sqlite database, but I’d be happy with
>>>> other formats if you have a preference. (Stanford was doing additional
>>>> checks that really needed something as powerful as SQL. We’d implementing
’d prefer an interface to ds389 I’d be willing to work on that. But it’s
> not clear from your reference whether the API is finished. If so, could you
> point to documentation, or at least source?
>
>> On Jan 28, 2020, at 4:12 PM, Charles Hedrick via FreeIPA-users
>> wrote:
on all our
systems, and things work.
We had a number of issues that happened when not all the old data was deleted
before we recreated the server. This looks like yet another symptom.
On Jan 28, 2020, at 5:48:45 PM, Charles Hedrick via FreeIPA-users
freeipa-users@lists.fedorahosted.org
We just upgraded servers to centos 8.1, by deleting them and recreating them.
On a few systems when I try to use the IPA command I get
ipa: ERROR: No valid Negotiate header in server response
This doesn’t happen on all hosts. The IPA command works fine on the server
itself. Since it’s only on
020, at 2:40 PM, Rob Crittenden wrote:
>
> Charles Hedrick via FreeIPA-users wrote:
>> The NIST recommendations for passwords say they don’t think character
>> classes and expiration are useful. Instead, they recommend using a blacklist
>> of known common passwords.
The NIST recommendations for passwords say they don’t think character classes
and expiration are useful. Instead, they recommend using a blacklist of known
common passwords. There’s no way to implement this policy without writing your
own plugin. It would be useful for IPA’s password policy to
Here’s my workaround:
It appears that this happens only when using commercial certs. It's trying to
fetch the Directory Manager password (encrypted) from the primary to put it in
the new system. I commented out custodiainstance.py:211,
def import_dm_password(self):
cli =
This is when trying to set up from the centos 7 server. When it tries from the
server that is already centos 8, I get
[error] DatabaseError: Server is unwilling to perform: Entry is managed by
topology plugin. Adding of entry not allow
as it’s trying to add the replication agreement.
> On
We are moving from Centos 7 to 8. I did a test on copies and it worked with
8.0. I made the mistake of doing it on the production servers under 8.1. It
fails.
I removed one server and recreated it as a replica. It worked fine. However the
second one failed near the end of the process:
Restart
I haven’t tried this for the IPA server, but we have servers with two
interfaces, one for general use and one as a storage backend network.
We can’t just list both IPs in an A record, because then normal traffic will
try to go through the backend, which it can’t get to.
What I ended up doing
authentication, and
you’ll end up without a Kerberos credential.
On Jan 17, 2020, at 4:33 PM, Charles Hedrick via FreeIPA-users
freeipa-users@lists.fedorahosted.org
wrote:
If it works for one login type and not for the other, chances are there’s a
difference in the pam configuration files
If it works for one login type and not for the other, chances are there’s a
difference in the pam configuration files. Each service, which would include
gdm and sshd, has a configuration file in /etc/pam.d, which determines how
authentication is done. If you are using sssd for your
I’ve thought about this a bit more. I think it would be useful if log entries
showing changes could be routed differently by syslog. The simplest would be to
use a different log level, e.g. NOTICE, where other things are INFO. Another
approach would be to put a specific tag in the try, e.g.
This looks pretty reasonable. Unfortunately it intermixed lots of info. The
files grow rapidly enough that it’s probably not practical to keep them for a
long time. It might not be hard to pull out just the things that make changes.
On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users
Most of our IPA activity occurs through a local web application. It logs all
IPA commands that it issues. This includes creating user, managing groups, etc.
I will say that this log has proven really useful. However it doesn’t capture
IPA commands issued directly. It would be really great for
We have a limited time period when I would prefer to do major changes. I had
expected to update our Centos 7.6 to 8 during January. Unfortunately it appears
that there have been no updates to 8, pending 8.1 and 8.1 is waiting for a
surprising amount of time. I have a test 8.0 installation, and
Here’s an approach that will work if you’re on the kdc. Become root. Run
kadmin.local.
ktadd -k XXX.kt -norandkey XXX
-norandkey is the equivalent of -r
That creates a key table XXX.kt (or adds to if it already exists). No password
needed except what you normally do to become root.
On Nov
You can always fetch key tables using kadmin.local on one of the kdc’s.
I haven't actually tried using ipa-getkeytab on the wrong host. I just copied
the key table. I doubt ipa-getkeytab checks that the hostname matches, but it’s
always possible.
On Nov 22, 2019, at 3:48 PM, Dmitry Perets
Bound in the sense that it has the hostname as part of the principal, not in
the sense that there’s any actual connection with that host when you use it.
Dmitry Perets wants to use the same principal and key table on several hosts.
They can simply create a principal for one of them. It and its
them authenticate with the same principal.
Any solution for this in current version of IPA (4.6)?
---
Regards,
Dmitry Perets
On Fri, 22 Nov 2019, 20:05 Alexander Bokovoy,
aboko...@redhat.com wrote:
On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
>Interesting
. (The
primary intent is to use it with NFS. It doesn’t need forwardable
credentials.)
> On Nov 22, 2019, at 2:04 PM, Alexander Bokovoy wrote:
>
> On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
>> Interesting idea, but seems to require a time machine. The kerberos
In centos 8, the man page for ktutil says 1.16.1. -f isn’t in the man page nor
does it work. yum also shows the version of 1.16.1.
-s is there but not -f. When I tried it without -f the resulting key table
didn’t work.
Ubuntu 20.4 will be out shortly. Hopefully Centos 8.x will include 17. But
Interesting idea, but seems to require a time machine. The kerberos in centos 8
is 1.16. I believe Ubuntu 18 is also.
On Nov 22, 2019, at 1:21 PM, Alexander Bokovoy via FreeIPA-users
freeipa-users@lists.fedorahosted.org
wrote:
ktutil> add_entry -password -p principal -k kvno -f
The
so it’s valid to use DL1 on a system that isn’t a KDC but needs some package
such as the proxy that isn’t in client?
> On Nov 11, 2019, at 2:28 PM, Rob Crittenden wrote:
>
> Charles Hedrick via FreeIPA-users wrote:
>> In Centos 8, there are two streams for idm softwar
In Centos 8, there are two streams for idm software. You need DL1 for a server.
But it seems to have client software as well. Is that the same in both streams?
We have a web server with the KDC proxy. It appears that we would need DL1 to
get that. Is that reasonable for a system that isn’t a
Wouldn’t that also expose the main web UI, and IPA commands? Seems like a much
larger attack surface.
On Nov 11, 2019, at 1:27 PM, Alex Corcoles
a...@corcoles.net wrote:
On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick
hedr...@rutgers.edu wrote:
I use Kerberos at home. So do
I use Kerberos at home. So do a couple of faculty. I have a Kerberos https:
proxy set up on one of our public web servers. This is less than ideal, as it
requires installing separate Kerberos software for both Mac and Windows. The
Kerberos protocol is standardized across OSs, but not the proxy
We’re in the process of moving DHCP service to our IPA LDAP server. In our
environment it makes sense to include DHCP as part of our centralized system
management scheme, which is based on IPA. We seem to be getting about a DHCP
request per second, so I don’t see this causing a performance
On Nov 5, 2019, at 2:25 AM, Florence Blanc-Renaud via FreeIPA-users
freeipa-users@lists.fedorahosted.org
wrote:
As a general rule, we recommend rebuilding from an existing replica, rather
than using backup-restore.
Right. Our strategy is
* all of our systems are VMs. We take
I followed the thread, and I’m not sure you ever got an answer. Generally ipa
replica install seems to create one replication agreement. The exact
relationships for 3 servers depends upon which master the replica was created
from. It could be 2 replicas talking to the original, or 3 in a line.
actually I found a solution to this. You can use a normal commercial cert for
PKINIT. You just need a couple of extra lines in /etc/krb5.conf. The only
disadvantage is that you have to have a line in /etc/krb5.conf for each KDC.
That means you lose the ability to add a KDC and depend upon DNS
AM, Alexander Bokovoy wrote:
>
> On Tue, 22 Oct 2019, Charles Hedrick via FreeIPA-users wrote:
>> ok. So delegation works. Now we come to the question of how to
>> configure it in gssproxy. The man page describes the syntax of the file
>> but not how it actually works. Any suggesti
ok. So delegation works. Now we come to the question of how to configure it in
gssproxy. The man page describes the syntax of the file but not how it actually
works. Any suggestions?
> On Oct 22, 2019, at 9:52 AM, Alexander Bokovoy wrote:
>
> On Tue, 22 Oct 2019, Charles Hedrick wrote:
>>
within a department it’s actually pretty good, as long as you know the
limitations. I wouldn’t use it as my only security, but it’s a useful
supplement to checking a key table.
On Oct 22, 2019, at 9:40 AM, Alexander Bokovoy
aboko...@redhat.com wrote:
Since IP addresses are
ficant improvement for us.
> Yes. Please share your findings, even if negative. Perhaps, we would
> need to add something to support his case. At least,
> ipaAllowToImpersonate needs to be added into IPA framework to allow
> manage it.
>
>>
>>> On Oct 22, 2019, at 6:22
as not implemented, but I
looked at the IPA source, and it looks like it is implemented. I’ll try this.
If it works it would be a significant improvement for us.
> On Oct 22, 2019, at 6:22 AM, Alexander Bokovoy wrote:
>
> On Mon, 21 Oct 2019, Charles Hedrick via FreeIPA-users wrote:
>> W
We have kerberos everywhere, and use it for access to NFS home directories.
So what do we do about cron jobs? We have a solution, but it involves custom
code that impersonates the KDC. I’d like to do something more standard.
Constrained delegation seems like a possibility. But I’d need to be able
where
possible.)
> On Oct 18, 2019, at 2:47 PM, Robbie Harwood wrote:
>
> Charles Hedrick via FreeIPA-users
> writes:
>
>> I’d like to avoid having to use a second cache to armor 2FA
>> requests. My impression was that SPAKE was supposed to fix this. I
>>
I’d like to avoid having to use a second cache to armor 2FA requests. My
impression was that SPAKE was supposed to fix this. I just installed a new kdc
(replica of an old one) in Centos 8. It understands SPAKE, offering it as
preauthentication for normal users. But a user with 2FA is not
this will let you add outside certs for the services that would be visible to
users: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
It doesn’t actually turn off the CA functionality, but it becomes largely
unused.
I’d actually be interested in a way to completely move
I have another reason to want to do a reinstall.
I have 3 Centos 7 servers. I want to move to Centos 8. (eventually. I’ll do
some testing first). The official approach is a new installation. Obviously I
can create 3 replicas and kill the originals. But then I’ll have to find every
client and
Recent versions of freeipa support kinit -n. However we need a file that has
certificates from all the servers.
We have three servers. Their certificates renew themselves automatically a few
hours before expiration. But then we need to concatenate all of them and put
them on all clients.
It
Yes, “Removing self-signed CA.” is there.
Our configuration may have confused the upgrader.
We initially did a default install, which sets up certificate management with a
self-signed cert. Then we moved to a commercial certificate, which was a
documented procedure. So one of our 3 servers
now:
ra_plugin = dogtag
dogtag_version = 10
enable_ra = True
works
I guess that was wrong from when it was originally set up?
> On Aug 28, 2019, at 4:24 PM, Rob Crittenden wrote:
>
> Charles Hedrick via FreeIPA-users wrote:
>>
On one of 3 IPA servers (most recent centos 7.6, 4.6.4-10.el7.centos.6). I
can’t delete hosts. error_log show a bunch of python errors, ending in
Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Aug
We’ve done a number of upgrades without problems. I believe we’ve done all 7.x
versions, though, and not skipped any.
On Jul 3, 2019, at 5:40 PM, John Keates via FreeIPA-users
freeipa-users@lists.fedorahosted.org
wrote:
To be safe, I’d just add a new server with the latest of
It’s hard to guess without seeing your system:
* pam should be set to check both local password and sssd. If the first fails
you need to go on
* /etc/nsswitch.conf should probably put files before sss
* user info in /etc/passwd should be the same as in IPA. If the UID or group is
different I
2 of our 3 IPA servers are exposed to the Internet. However we have a host
firewall that limits the hosts that can access us. We use iptables with an
ipset. I have a cron job that dumps a list of hosts known to IPA and adds them
to the ipset. So basically we’ll only accept connections from
I see that RHEL 8 has been released. It has an in place upgrade option. How
well (if at all) has inplace upgrade on an IPA server been tested?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
Kerberos works fine on OS X, as long as you don’t need Two Factor
authentication or HTTPS proxy. If you need those, install the kerberos5 and ssh
packages from MacPorts.
ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and Firefox
(SPNEGO) all support Kerberos.
I think “join
: authentication failure; logname=
> uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
> Mar 29 13:19:50 workstation01 mate-screensaver-dialog:
> pam_sss(mate-screensaver:auth): authentication success; logname=
> uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jd
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and
things like RDP will work with OTP.
Here’s the default in password-auth and system-auth for Centos 7
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1
It appears that the IPA command uses a host hardwired in /etc/ipa/default.conf.
If that fails, it then gets a list from DNS. This works fine if there’s a
connection refused, but if there is no response, it takes so long to time out
that most users will give up.
Is there a way to change the
Rob mentioned issues with restoring data for one entry. We run on VMs, and
periodically take snapshots. We can copy a snapshot to a new VM. Since the
hostname is critical, edit /etc/hosts and add an entry for the new IP address
giving it the original hostname. That way the system will think
In Linux, time is always in UTC internally. The time zone controls how time is
shown to users. Changing the time zone thus has no effect on the internal
operations of the servers. It just changes log files and user displays. If you
actually reset the time on the server to local time, Kerberos
. I’m hardcoding
the server because it makes debugging easier.
> On Jan 9, 2019, at 12:24 PM, Charles Hedrick via FreeIPA-users
> wrote:
>
> We’re in the process of setting up Windows machines to authenticate against
> IPA and use home directories from our NFS servers with
We’re in the process of setting up Windows machines to authenticate against IPA
and use home directories from our NFS servers with Kerberized NFS.
The process is not easy, but possible. One thing I’ve found frustrating is that
documentation on Windows NFS is terrible. In particular, when you
For some reason on one of our 3 servers, yum update didn’t run the IPA upgrade.
/var/log/ipaupgrade.log was zero length. “ipactl start” noted that an upgrade
was needed, and did it. So it wasn’t a big deal. But it would be nice for yum
update to show some sign if there’s an issue. And perhaps
We have a separate web app to change passwords. But the normal approach if they
haven’t forgotten their password is the kpasswd command. Of course we’re in a
Linux environment where our users know the command line.
> On Oct 18, 2018, at 9:58 AM, William Muriithi via FreeIPA-users
> wrote:
>
Right. The documentation is often not clear. Most Linux client software will
try several principals. One of them is host/hostname. So you don’t need
nfs/hostname. Since nfs/hostname is one of the principals it tries, some
documentation says to use that principal.
> On Jun 19, 2018, at 3:24 AM,
You can get an MIT Kerberos implementation from Macports. I use that myself.
However I don’t use it for login, so I haven’t tried the pam support on the
Mac. The Macports implementation supports both 2FA and the https proxy. We
restrict access to our kerberos servers, so people at home have to
Our IPA servers are VMs. We do backups of snapshots, either through VMware or
when the image is on a Netapp, through a Netapp snapshot. That guarantees that
you have all the pieces in a consistent state. I’ve never had to restore a
production server, but I have started copies of one of the
It depends upon what you want to do. If you want a user to authenticate for all
purposes using some external service, you can do that, as long as the external
service supports radius. You may have to set up a radius server and configure it
to use the external authentication. You can have more