Hi,
I've upgraded my freeipa server to Fedora 40 (the system was installed
several releases ago). After the upgrade I get the following new warning
from ipa-healthcheck:
{
"source": "ipahealthcheck.ds.backends",
"check": "BackendsCheck",
"result": "WARNING",
"uuid":
slek kus via FreeIPA-users
writes:
> Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of
> etc/pam.d/sudo:
> sssd_[domain].log:
> https://privatebin.net/?e841ce0e62791e1b#CU9EhpDrajzQXEihhp2jmjbD92RtG8YZ6Sw4FxaZw1Zx
I think that sssd is ok here. I didn't verify the
slek kus via FreeIPA-users
writes:
> Hi Rob, unfortunately not. I am honestly out of options here. I must be
> missing something trivial or it is a configuration issue.
...
> On the client:
>
>
> ansible@debclient1:~$ sudo -i
> [sudo] password for ansible:
> ansible is not allowed to run
Alexander Bokovoy via FreeIPA-users
writes:
> As discussions on this mailing list show, there are plenty of edge
> cases, mostly around 'legacy' UID/GIDs and missing ID ranges that would
> have covered those IDs. Or ID ranges missing SID-specific attributes
> (base RID and secondary base RID)
Alex Corcoles via FreeIPA-users
writes:
> Hi all,
>
> Sorry I didn't keep track of this more accurately. Some time ago, the
> ipa-healthcheck service started failing (September 23rd, I think). I
> took a look, and IIRC, it said something like some certs were about to
> expire. I ignored that
Sam Morris via FreeIPA-users
writes:
> On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote:
>> Thanks so much Sumit,
>> your suggestion works perfectly.
>> I'm still curious about the difference in behavior between
>> distributions, but it's not that important.
>> Greetings
>
> Probably
Anonymous via FreeIPA-users
writes:
> I want to authenticate to cockpit with kerberos. Some of the servers
> however have other services running on the http service in
> freeipa. Freeipa is also an example. What is the proper way that I can
> have kerberos authentication on cockpit running on
Martin Jackson via FreeIPA-users
writes:
> The "unexpected cert" warnings are of long standing and are because I
> have certmonger-managed certs for cockpit on the controller.
I do have an ansible playbook to add these cert requests to the ignore
configuration:
# Another WARNING is
Rob Crittenden via FreeIPA-users
writes:
> Jochen Kellner via FreeIPA-users wrote:
>> Orion Poplawski via FreeIPA-users
>> writes:
>>
>>> Does anyone know of a script or way to get a list of certificates issued by
>>> the IPA CA that are about to
Orion Poplawski via FreeIPA-users
writes:
> Does anyone know of a script or way to get a list of certificates issued by
> the IPA CA that are about to expire?
I do have a small script for byobu that warns when certificates are
about to expire and I verify refresh really works - that's only
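The expiry check in the reply above is Jochen's own script and is not shown here. What follows is an added example (not code from the thread or from the FreeIPA project) that does the client-side half of the job: it parses `getcert list` output and reports every certmonger-tracked certificate that expires within N days, expired ones included. It assumes GNU date (for `date -d`) and the "Request ID", "subject" and "expires" lines that getcert prints; the sample output embedded in `sample_getcert` is constructed, not real.

```shell
#!/bin/sh
# Added example, not the byobu script from the thread: report certificates
# tracked by certmonger that expire within N days, by parsing `getcert list`.
# Assumes GNU date ("date -d") and getcert's "Request ID" / "subject" /
# "expires" lines.  Real use:
#   getcert list | expiring_soon 30 "$(date +%s)"

# Constructed sample in the getcert list format (not real output; getcert
# indents with tabs, spaces are used here and the parser accepts both).
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20181003215953':
        status: MONITORING
        stuck: no
        subject: CN=imap.example.org,O=EXAMPLE.ORG
        expires: 2024-06-01 10:00:00 UTC
Request ID '20210210143948':
        status: MONITORING
        stuck: no
        subject: CN=IPA RA,O=EXAMPLE.ORG
        expires: 2026-01-15 08:30:00 UTC
EOF
}

# expiring_soon DAYS NOW_EPOCH: reads getcert output on stdin and prints
# "request-id<TAB>subject<TAB>days-left" for each certificate whose expiry
# lies within DAYS of NOW_EPOCH.  NOW is passed in, not taken from the
# clock, so the function is testable and can be run against old captures.
# Already-expired certificates show a negative days-left and are reported.
expiring_soon() {
    limit=$1
    now=$2
    id=''
    subj=''
    while IFS= read -r line; do
        case $line in
            "Request ID '"*)
                id=${line#"Request ID '"}
                id=${id%"':"}
                ;;
            *"subject: "*)
                subj=${line#*"subject: "}
                ;;
            *"expires: "*)
                exp_epoch=$(date -u -d "${line#*"expires: "}" +%s)
                days_left=$(( (exp_epoch - now) / 86400 ))
                if [ "$days_left" -le "$limit" ]; then
                    printf '%s\t%s\t%s\n' "$id" "$subj" "$days_left"
                fi
                ;;
        esac
    done
}

# Stand-alone demo against the constructed sample with a fixed "now"
# (2024-05-01 00:00:00 UTC) and a 90-day window.
sample_getcert | expiring_soon 90 1714521600
```

Only the client's certmonger view is covered; certificates issued by the IPA CA to hosts that no longer exist or were never tracked will not appear here, which is the gap the original question is about.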
Bob Strachan via FreeIPA-users
writes:
> At some point and I believe it was when we got to Rhel8.6 we started
> getting hc errors with this type of message:
> "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the
> value of kra.subsystem.cert in
>
Philippe de Rochambeau via FreeIPA-users
writes:
> Hello,
> is there an ipa command called role-add? I couldn’t find it in the man.
> Furthermore, let’s say you wish to 400 roles to FreeIPA using the CLI.
> Would you recommend backing-up FreeIPA before issuing 400 role-adds?
> Can role-adds fail
Juan Pablo Lorier via FreeIPA-users
writes:
> Hi Rob,
>
> All dates are good once I add the pin manually. The only problem is
> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
> the updater. I don’t know what is not right with the certs. Maybe you
> can point me in a
Hello Juan,
Juan Pablo Lorier via FreeIPA-users
writes:
> You are right, there are several certificates stuck in dc2:
>
> getcert list
...
> Request ID '20221130160320':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
My google-fu points to this comment in an issue:
Hello Kevin,
Kevin Vasko via FreeIPA-users
writes:
> I know this is probably stupid but we have a server with a local
> account (let’s call this local user “user1”). This server and its
> install predated our IPA install. This local user also has sudoers
> exception for this account for a
Hi,
Florence Blanc-Renaud via FreeIPA-users
writes:
> Hi,
>
> On Wed, Nov 16, 2022 at 9:54 AM Jochen Kellner via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>>
>> Hello,
>>
>> On 2022-11-16 two of my four IPA server have thi
Hello,
On 2022-11-16 two of my four IPA server have this healthcheck error:
freeipa1, freeipa2:
{
"source": "pki.server.healthcheck.meta.csconfig",
"check": "KRADogtagCertsConfigCheck",
"result": "ERROR",
"uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005",
"when":
Ronald Wimmer via FreeIPA-users
writes:
>> Jochen already provided you the required commands. They can be
>> automated
>> easily.
>
> I was still thinking about how to do that from the AIX side. I'm
> sorry... Obviously I could need more coffee. ;-)
A lot of what can be done depends on what you
Hello Ronald,
Ronald Wimmer via FreeIPA-users
writes:
> On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> In order to integrate our AIX clients we do have to take two steps
>>> manually:
>>>
>>> 1) Enrolling the host
>>> 2) Fetching the
Charles Hedrick via FreeIPA-users
writes:
> it's active, but it seems not to do anything:
>
> ● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches
> Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled;
> vendor preset: disabled)
> -
>
> I believe
Charles Hedrick via FreeIPA-users
writes:
> RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too
> old to be valid.
>
> I assume it's safe to have a cron job delete any more than a day old?
> (that's our maximum lifetime.) I can't see the lifetime directly,
> because they
Hello,
Jacob M Cutright via FreeIPA-users
writes:
> It would be nice if ansible.cfg had keytab support
I'm not sure what you mean/want here. I'm using an LDAP inventory from
FreeIPA in ansible. Authentication on the clients uses authorized_keys
here (no kerberos). Until recently I did a
Hi,
Rob Crittenden via FreeIPA-users
writes:
> Documents like this are for testing purposes only. We don't want to
> encourage/enable users to roll their own PKI solution as it is bound to
> lead to problems.
I can confirm it's a real problem.
> The mariadb instructions issue 10-year server
Rob Crittenden via FreeIPA-users
writes:
>
> It may very well depend on the version of sudo you have on the client(s)
> whether regular expressions are supported or not.
sudo 1.9.10 (released 2022-03-03) has this in the news:
Added support for using POSIX extended regular expressions in
Hello Timo,
Timo Aaltonen via FreeIPA-users
writes:
> freeipa-client is finally in bullseye-backports, feel free to report
> bugs (if any) on bugs.debian.org.
Thank you - that is good news! I've used the client from snapshots:
https://snapshot.debian.org/archive/debian/20210121
I'll update
Rob Crittenden via FreeIPA-users
writes:
> Jochen Kellner via FreeIPA-users wrote:
>>
>> Hi,
>>
>> I'm about to decommission one of my IPA replicas running on up to date
>> fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal
>> master
Alexander Bokovoy via FreeIPA-users
writes:
> I think you can remove _() in local handler() function in
> _ensure_last_of_role():
>
> else:
> raise errors.ServerRemovalError(reason=_(msg))
>
> Looks like all the callers give already gettext-enabled message (wrapped
>
Hello Alexander,
Alexander Bokovoy via FreeIPA-users
writes:
> On su, 21 marras 2021, Jochen Kellner via FreeIPA-users wrote:
>>
>>Hi,
>>
>>I tried removing a replica and got an internal error:
>>
>>jochen@freeipa1:~$ ipa server-del freeipa4.example.o
Hi,
I tried removing a replica and got an internal error:
jochen@freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten   (German: "An internal error has occurred")
I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be
Hi,
I'm about to decommission one of my IPA replicas running on up to date
fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal
master (freeipa1.example.org) I try to remove freeipa4.example.org:
[root@freeipa1 ~]# ipa server-del freeipa4.example.org
Removing
Jochen Kellner via FreeIPA-users
writes:
> And that's due to an error I made when trying to fix KRA. This is an
> excerpt from "getcert list":
>
> Request ID '20210210143948':
> status: MONITORING
> ca-error: Server at
> "http://freeipa1.exa
Hi,
I'm working to get the KRA subsystem in shape again. It has been broken
due to failed system replication (which is since fixed). There might be
lurking further problems - let's see what we can find out.
I'm working through ipa-healthcheck - currently on the CA renewal
master. The (last)
Hi,
Robert Kudyba via FreeIPA-users
writes:
> Yes and I found a fix. All that is needed is to surround the echo command
> with double quotes at the top of the script where username is set:
> username="$(echo $line | cut -f1 -d:)"
For some of these errors using shellcheck might help. Not
Robert Kudyba via FreeIPA-users
writes:
> So now I put:
> ipa user-add $username --first=$first --last=$last \
> --setattr userpassword='{CRYPT}$password1' --gidnumber=$gid
Try:
--setattr "userpassword={CRYPT}$password1" --gidnumber=$gid
Jochen
--
This space is
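The two quoting problems in this thread (word-splitting `$line` through `echo`, and single quotes around `'{CRYPT}$password1'`, which stop the variable from expanding) are easy to get wrong in a bulk user-import script. The following is an added example, not the poster's script and not FreeIPA code: it reads colon-separated records, splits them with IFS instead of `echo | cut`, and passes the crypt hash to `ipa user-add` through double quotes so the `$` characters in a `$6$salt$hash` value reach ipa unchanged. The record layout `user:first:last:gid:hash` and the sample record are assumptions; `IPA_CMD` lets the command be pointed at a stub so the argument list can be inspected without a server.

```shell
#!/bin/sh
# Added example (not from the thread): bulk "ipa user-add" from a
# colon-separated file without the quoting bugs discussed above.
# Assumed record layout: user:first:last:gid:hash   (hash = crypt(3) output)

# Constructed sample record, not real credentials.
SAMPLE_LINE='alice:Alice:Example:10001:$6$saltsalt$abcDEF0123456789'

# Split one record into user/first/last/gid/hash.  Splitting on IFS with
# "set --" avoids the unquoted-$line word splitting that shellcheck flags
# in `echo $line | cut`, and "set -f" keeps any glob characters literal.
parse_record() {
    set -f
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    set +f
    user=$1; first=$2; last=$3; gid=$4; hash=$5
}

# The --setattr value: double quotes expand $hash and keep its '$' signs.
userpassword_attr() {
    parse_record "$1"
    printf 'userpassword={CRYPT}%s\n' "$hash"
}

# The form from the thread: single quotes hand ipa the literal text
# "{CRYPT}$password1", so the account ends up with an unusable password.
wrong_attr() {
    printf '%s\n' userpassword='{CRYPT}$password1'
}

# Build and run the command for one record.  IPA_CMD defaults to "ipa";
# set IPA_CMD=stub_ipa to print the argument vector instead.
add_user_from_record() {
    parse_record "$1"
    ${IPA_CMD:-ipa} user-add "$user" --first="$first" --last="$last" \
        --setattr "userpassword={CRYPT}$hash" --gidnumber="$gid"
}

# Stub standing in for ipa: prints each argument on its own line.
stub_ipa() {
    printf '%s\n' "$@"
}

# Usage: add_users_from_file users.txt   (blank lines and '#' comments skipped)
add_users_from_file() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        add_user_from_record "$line"
    done < "$1"
}

# Stand-alone demo: show what ipa would receive for the sample record.
IPA_CMD=stub_ipa
add_user_from_record "$SAMPLE_LINE"
```

Running the script through shellcheck before pointing it at a real server is still worthwhile; the `set --` split above is also the construct to reach for whenever a field may contain spaces or glob characters.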
Hello,
Rob Crittenden via FreeIPA-users
writes:
> mir mal via FreeIPA-users wrote:
>> I'm still struggling to find a clue why it's happening, any help much
>> appreciated.
>
> This stands out:
>
> Nov 30 10:15:46 csc-64 sshd[608090]: pam_unix(sshd:auth): authentication
> failure; logname=
Hello Alexander,
Alexander Bokovoy via FreeIPA-users
writes:
> Can you please show both your CA and the IMAP server public certificates
> in their entirety?
I think/hope we found the error in the iOS configuration, so I'll not
send the certificates now. If I'm wrong I'll get back to the list
se the CA from FreeIPA and the CA certificate has been imported in
the trust store.
Using a web browser to access an internal website with an (older) IPA
issued certificate works/validates fine.
> On Sun, Sep 06, 2020 at 11:24:22AM +0200, Jochen Kellner via FreeIPA-users
> wrote:
>>
Hello,
I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and
pki-server-10.9.0-0.4
Today the certificate of my IMAP server (running on Debian Buster) was
automatically refreshed:
,
| Request ID '20181003215953':
| status: MONITORING
| stuck: no
| key
"Scott Z. via FreeIPA-users"
writes:
> My current status is that I've done an ipactl restart
> --ignore-service-failure, my timedate value is once again current,
Your IDM server has the ntp role enabled, so you can't go back in time
and use "ipactl start", because that is setting the time to
Jochen Kellner via FreeIPA-users
writes:
> I see... I've looked again for my research concerning IPA OTP timeouts.
> These posts document the timeouts I found:
>
> https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html
> https://www.redhat.com/archives/fre
Hi,
Sergiy Genyuk via FreeIPA-users
writes:
> Radius server is DUO so when in FreeIPA radius server set it sends
> Access-Request to the DUO Radius server DUO check password against AD
> and then push Accept message to the user mobile app... then returns
> Access-Accept message back to
Sergiy Genyuk via FreeIPA-users
writes:
> Thank you for your reply, I do have ipv6 disabled and in capture do not see
> failed attempts.
> In capture it is only ipv4:
>
> 1 0.0 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1)
> (id=214, l=75)
> 2 7.889686902 yy.yy.yy.yy ->
Hello Sergiy,
Sergiy Genyuk via FreeIPA-users
writes:
> I have setup radius proxy (DUO) and associate user with it. Everything works
> except radius
> timeout. It is 5 seconds and you have to be blazing fast to push the button
> :-)
> I did adjust radius timeout in freeipa to 30 seconds but
Hello Ronald,
Ronald Wimmer via FreeIPA-users
writes:
> I would highly appreciate if you could take a quick look and tell me
> how severe they are and what I can possibly do to fix them. I do not
> care about KRA because we did not use the feature at this point in
> time. KRA could be set up
Jochen Kellner via FreeIPA-users
writes:
> In IPA I have four certificates for "IPA RA" - one (the oldest) revoked,
> two are expired in 2017 and 2019 and one valid until next year.
>
> The certificate in CS.cfg is expired:
>
> Serial
Rob Crittenden via FreeIPA-users
writes:
> Jochen Kellner via FreeIPA-users wrote:
>> Topology:
>> freeipa1 + freeipa2: CentOS Linux release 7.8.2003 (Core) (upgrade from
>> older CentOS 7 releases)
>> DNS, CA, KRA, AD trust
>> freeipa1
Hi,
I've been running IPA on CentOS 7 for some time on two servers with
integrated CA. With the release of CentOS 8.1 I tried upgrading with a
second replica - but scrapped that due to the problem with the wrong
samba libraries linked. Since no fix is in sight I thought about
migrating to Fedora
Klaus Vink Slott via FreeIPA-users
writes:
> But at the same time it is really annoying that to
> satisfy kerberos, I have to type the fqdn at the ssh prompt every time.
I have the following in my laptop's ~/.ssh/config:
,
| CanonicalizeHostname always
| CanonicalDomains example.org
`
Hello Ronald,
Ronald Wimmer via FreeIPA-users
writes:
> are there any plans to integrate a DHCP server into FreeIPA. We have
> several environments where a lack of DHCP is a showstopper at the
> moment.
I have a (simple) script running that creates a configuration snippet
for dnsmasq from the
"White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users"
writes:
> SSSD does not seem to be the source of the glitch. The sssd_nss.log says
> that it successfully finds the user.
>
> All the error in /var/log/auth.log contain "pam_unix", so I tried
> adding "debug" to the end of every instance
Hi,
3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users"
wrote:
> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote:
>> I'm playing around with keycloak and wanted to use an SSL certificate
>> from IPA. I've looked around
51 matches