[Freeipa-users] Fedora 40: new warning in ipa-healthcheck

2024-04-26 Thread Jochen Kellner via FreeIPA-users
Hi, I've upgraded my freeipa server to Fedora 40 (the system was installed several releases ago). After the upgrade I get the following new warning from ipa-healthcheck: { "source": "ipahealthcheck.ds.backends", "check": "BackendsCheck", "result": "WARNING", "uuid":

[Freeipa-users] Re: Issues with sudo permissions

2024-02-02 Thread Jochen Kellner via FreeIPA-users
slek kus via FreeIPA-users writes: > Hi Jochen, nsswitch.conf checks local files and sss. Below is the contents of > etc/pam.d/sudo: > sssd_[domain].log: > https://privatebin.net/?e841ce0e62791e1b#CU9EhpDrajzQXEihhp2jmjbD92RtG8YZ6Sw4FxaZw1Zx I think that sssd is ok here. I didn't verify the

[Freeipa-users] Re: Issues with sudo permissions

2024-02-01 Thread Jochen Kellner via FreeIPA-users
slek kus via FreeIPA-users writes: > Hi Rob, unfortunately not. I am honestly out of options here. I must be > missing something trivial or it is a configuration issue. ... > On the client: > > > ansible@debclient1:~$ sudo -i > [sudo] password for ansible: > ansible is not allowed to run

[Freeipa-users] Re: cannot login on FreeIPA web GUI: Your session has expired. Please log in again.

2024-01-24 Thread Jochen Kellner via FreeIPA-users
Alexander Bokovoy via FreeIPA-users writes: > As discussions on this mailing list show, there are plenty of edge > cases, mostly around 'legacy' UID/GIDs and missing ID ranges that would > have covered those IDs. Or ID ranges missing SID-specific attributes > (base RID and secondary base RID)

[Freeipa-users] Re: Health check issues

2023-10-04 Thread Jochen Kellner via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Hi all, > > Sorry I didn't keep track of this more accurately. Some time ago, the > ipa-healthcheck service started failing (September 23rd, I think). I > took a look, and IIRC, it said something like some certs were about to > expire. I ignored that

[Freeipa-users] Re: RedHat and 2FA Problem

2023-09-21 Thread Jochen Kellner via FreeIPA-users
Sam Morris via FreeIPA-users writes: > On 21/09/2023 08:55, Sirio Sannipoli via FreeIPA-users wrote: >> Thanks so much Sumit, >> your suggestion works perfectly. >> I'm still curious about the difference in behavior between >> distributions, but it's not that important. >> Greetings > > Probably

[Freeipa-users] Re: Multiple http services on one host

2023-04-18 Thread Jochen Kellner via FreeIPA-users
Anonymous via FreeIPA-users writes: > I want to authenticate to cockpit with kerberos. Some of the servers > however have other services running on the http service in > freeipa. Freeipa is also an example. What is the proper way that I can > have kerberos authentication on cockpit running on

[Freeipa-users] Re: KRA installation problem

2023-04-07 Thread Jochen Kellner via FreeIPA-users
Martin Jackson via FreeIPA-users writes: > The "unexpected cert" warnings are of long standing and are because I > have certmonger-managed certs for cockpit on the controller. I do have an ansible playbook to add these cert requests to the ignore configuration: # Another WARNING is

[Freeipa-users] Re: Show expiring certificates issued by IPA CA

2023-01-20 Thread Jochen Kellner via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Jochen Kellner via FreeIPA-users wrote: >> Orion Poplawski via FreeIPA-users >> writes: >> >>> Does anyone know of a script or way to get a list of certificates issued by >>> the IPA CA that are about to

[Freeipa-users] Re: Show expiring certificates issued by IPA CA

2023-01-20 Thread Jochen Kellner via FreeIPA-users
Orion Poplawski via FreeIPA-users writes: > Does anyone know of a script or way to get a list of certificates issued by > the IPA CA that are about to expire? I do have a small script for byobu that warns when certificates are about to expire and I verify refresh really works - that's only

[Freeipa-users] Re: Healthcheck help

2023-01-19 Thread Jochen Kellner via FreeIPA-users
Bob Strachan via FreeIPA-users writes: > At some point and I believe it was when we got to Rhel8.6 we started > getting hc errors with this type of message: > "msg": "Certificate 'subsystemCert cert-pki-ca' does not match the > value of kra.subsystem.cert in >

[Freeipa-users] Re: Adding roles

2022-12-04 Thread Jochen Kellner via FreeIPA-users
Philippe de Rochambeau via FreeIPA-users writes: > Hello, > is there an ipa command called role-add? I couldn’t find it in the man. > Furthermore, let’s say you wish to 400 roles to FreeIPA using the CLI. > Would you recommend backing-up FreeIPA before issuing 400 role-adds? > Can role-adds fail

[Freeipa-users] Re: HTTP certificate expired

2022-12-01 Thread Jochen Kellner via FreeIPA-users
Juan Pablo Lorier via FreeIPA-users writes: > Hi Rob, > > All dates are good once I add the pin manually. The only problem is > the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run > the updater. I don’t know what is not right with the certs. Maybe you > can point me in a

[Freeipa-users] Re: HTTP certificate expired

2022-11-30 Thread Jochen Kellner via FreeIPA-users
Hello Juan, Juan Pablo Lorier via FreeIPA-users writes: > You are right, there are several certificates stuck in dc2: > > getcert list ... > Request ID '20221130160320': > status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN My google-fu point to that comment in an issue:

[Freeipa-users] Re: Local account override IPA account

2022-11-29 Thread Jochen Kellner via FreeIPA-users
Hello Kevin, Kevin Vasko via FreeIPA-users writes: > I know this is probably stupid but we have a server with a local > account (let’s call this local user “user1”). This server and its > install predated our IPA install. This local user also has sudoers > exception for this account for a

[Freeipa-users] Re: ipa-healthcheck: KRADogtagCertsConfigCheck

2022-11-17 Thread Jochen Kellner via FreeIPA-users
Hi, Florence Blanc-Renaud via FreeIPA-users writes: > Hi, > > On Wed, Nov 16, 2022 at 9:54 AM Jochen Kellner via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> >> Hello, >> >> On 2022-11-16 two of my four IPA server have thi

[Freeipa-users] ipa-healthcheck: KRADogtagCertsConfigCheck

2022-11-16 Thread Jochen Kellner via FreeIPA-users
Hello, On 2022-11-16 two of my four IPA servers have this healthcheck error: freeipa1, freeipa2: { "source": "pki.server.healthcheck.meta.csconfig", "check": "KRADogtagCertsConfigCheck", "result": "ERROR", "uuid": "892ad5b7-8612-4476-8120-2a5fe6c6b005", "when":

[Freeipa-users] Re: IPA API - Fetch keytab

2022-11-04 Thread Jochen Kellner via FreeIPA-users
Ronald Wimmer via FreeIPA-users writes: >> Jochen already provided you the required commands. They can be >> automated >> easily. > > I was still thinking about how to do that from the AIX side. I'm > sorry... Obviously I could need more coffee. ;-) A lot of what can be done depends on what you

[Freeipa-users] Re: IPA API - Fetch keytab

2022-11-02 Thread Jochen Kellner via FreeIPA-users
Hello Ronald, Ronald Wimmer via FreeIPA-users writes: > On 02.11.22 18:20, Rob Crittenden via FreeIPA-users wrote: >> Ronald Wimmer via FreeIPA-users wrote: >>> In order to integrate our AIX clients we do have to take two steps >>> manually: >>> >>> 1) Enrolling the host >>> 2) Fetching the

[Freeipa-users] Re: /run/ipa/ccaches filling

2022-08-14 Thread Jochen Kellner via FreeIPA-users
Charles Hedrick via FreeIPA-users writes: > it's active, but it seems not to do anything: > > ● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches > Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled; > vendor preset: disabled) > - > > I believe

[Freeipa-users] Re: /run/ipa/ccaches filling

2022-08-14 Thread Jochen Kellner via FreeIPA-users
Charles Hedrick via FreeIPA-users writes: > RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too > old to be valid. > > I assume it's safe to have a cron job delete any more than a day old? > (that's our maximum lifetime.) I can't see the lifetime directly, > because they

[Freeipa-users] Re: SSSD prompting/2fa

2022-07-15 Thread Jochen Kellner via FreeIPA-users
Hello, Jacob M Cutright via FreeIPA-users writes: > It would be nice if ansible.cfg had keytab support I'm not sure what you mean/want here. I'm using an LDAP inventory from FreeIPA in ansible. Authentication on the clients uses authorized_keys here (no kerberos). Until recently I did a

[Freeipa-users] Re: No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.

2022-07-01 Thread Jochen Kellner via FreeIPA-users
Hi, Rob Crittenden via FreeIPA-users writes: > Documents like this are for testing purposes only. We don't want to > encourage/enable users to roll their own PKI solution as it is bound to > lead to problems. I can confirm it's a real problem. > The mariadb instructions issue 10-year server

[Freeipa-users] Re: sudo rules and globbing

2022-03-22 Thread Jochen Kellner via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > > It may very well depend on the version of sudo you have on the client(s) > whether regular expressions are supported or not. Sudo 1.9.10 (released 2022-03-03) has this in the news: Added support for using POSIX extended regular expressions in

[Freeipa-users] Re: freeipa-client 4.9.8 in Debian 11 backports

2022-01-12 Thread Jochen Kellner via FreeIPA-users
Hello Timo, Timo Aaltonen via FreeIPA-users writes: > freeipa-client is finally in bullseye-backports, feel free to report > bugs (if any) on bugs.debian.org. Thank you - that is good news! I've used the client from snapshots: https://snapshot.debian.org/archive/debian/20210121 I'll update

[Freeipa-users] Re: Deleting this server is not allowed as it would leave your installation without a KRA.

2021-11-22 Thread Jochen Kellner via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Jochen Kellner via FreeIPA-users wrote: >> >> Hi, >> >> I'm about to decommission one of my IPA replicas running on up to date >> fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal >> master

[Freeipa-users] Re: locale de_DE.UTF-8 and internal error

2021-11-21 Thread Jochen Kellner via FreeIPA-users
Alexander Bokovoy via FreeIPA-users writes: > I think you can remove _() in local handler() function in > _ensure_last_of_role(): > > else: > raise errors.ServerRemovalError(reason=_(msg)) > > Looks like all the callers give already gettext-enabled message (wrapped >

[Freeipa-users] Re: locale de_DE.UTF-8 and internal error

2021-11-21 Thread Jochen Kellner via FreeIPA-users
Hello Alexander, Alexander Bokovoy via FreeIPA-users writes: > On su, 21 marras 2021, Jochen Kellner via FreeIPA-users wrote: >> >>Hi, >> >>I tried removing a replica and got an internal error: >> >>jochen@freeipa1:~$ ipa server-del freeipa4.example.o

[Freeipa-users] locale de_DE.UTF-8 and internal error

2021-11-21 Thread Jochen Kellner via FreeIPA-users
Hi, I tried removing a replica and got an internal error: jochen@freeipa1:~$ ipa server-del freeipa4.example.org Removing freeipa4.example.org from replication topology, please wait... ipa: ERROR: Ein interner Fehler ist aufgetreten I'm running with LANG=de_DE.UTF-8. Using en_US.UTF-8 would be

[Freeipa-users] Deleting this server is not allowed as it would leave your installation without a KRA.

2021-11-21 Thread Jochen Kellner via FreeIPA-users
Hi, I'm about to decommission one of my IPA replicas running on up to date fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal master (freeipa1.example.org) I try to remove freeipa4.example.org: [root@freeipa1 ~]# ipa server-del freeipa4.example.org Removing

[Freeipa-users] Re: KRA: problems renewing 'storageCert cert-pki-kra'

2021-11-14 Thread Jochen Kellner via FreeIPA-users
Jochen Kellner via FreeIPA-users writes: > And that's due to an error I made when trying to fix KRA. This is an > excerpt from "getcert list": > > Request ID '20210210143948': > status: MONITORING > ca-error: Server at > "http://freeipa1.exa

[Freeipa-users] KRA: problems renewing 'storageCert cert-pki-kra'

2021-11-14 Thread Jochen Kellner via FreeIPA-users
Hi, I'm working to get the KRA subsystem in shape again. It has been broken due to failed system replication (which is since fixed). There might be lurking further problems - let's see what we can find out. I'm working through ipa-healthcheck - currently on the CA renewal master. The (last)

[Freeipa-users] Re: migrating NIS passwords to FreeIPA in Fedora 33 with {CRYPT} and RH sample nis-users.sh script

2021-02-04 Thread Jochen Kellner via FreeIPA-users
Hi, Robert Kudyba via FreeIPA-users writes: > Yes and I found a fix. All that is needed is to surround the echo command > with double quotes at the top of the script where username is set: > username="$(echo $line | cut -f1 -d:)" For some of these errors using shellcheck might help. Not

[Freeipa-users] Re: migrating NIS passwords to FreeIPA in Fedora 33 with {CRYPT} and RH sample nis-users.sh script

2021-02-03 Thread Jochen Kellner via FreeIPA-users
Robert Kudyba via FreeIPA-users writes: > So now I put: > ipa user-add $username --first=$first --last=$last \ > --setattr userpassword='{CRYPT}$password1' --gidnumber=$gid Try: --setattr "userpassword={CRYPT}$password1" --gidnumber=$gid Jochen -- This space is

[Freeipa-users] Re: Concurrent ssh to the same host fails after few successfully open sessions with Additional pre-authentication krb error.

2020-12-04 Thread Jochen Kellner via FreeIPA-users
Hello, Rob Crittenden via FreeIPA-users writes: > mir mal via FreeIPA-users wrote: >> I'm still struggling to find a clue why it's happening, any help much >> appreciated. > > This stands out: > > Nov 30 10:15:46 csc-64 sshd[608090]: pam_unix(sshd:auth): authentication > failure; logname=

[Freeipa-users] Re: FreeIPA certificate doesn't validate in iOS

2020-09-07 Thread Jochen Kellner via FreeIPA-users
Hello Alexander, Alexander Bokovoy via FreeIPA-users writes: > Can you please show both your CA and the IMAP server public certificates > in their entirety? I think/hope we found the error in the iOS configuration, so I'll not send the certificates now. If I'm wrong I'll get back to the list

[Freeipa-users] Re: FreeIPA certificate doesn't validate in iOS

2020-09-07 Thread Jochen Kellner via FreeIPA-users
se the CA from FreeIPA and the CA certificate has been imported in the trust store. Using a web browser to access an internal website with an (older) IPA issued certificate works/validates fine. > On Sun, Sep 06, 2020 at 11:24:22AM +0200, Jochen Kellner via FreeIPA-users > wrote: >>

[Freeipa-users] FreeIPA certificate doesn't validate in iOS

2020-09-06 Thread Jochen Kellner via FreeIPA-users
Hello, I'm running IPA on current Fedora 32, freeipa-server-4.8.9-2 and pki-server-10.9.0-0.4. Today the certificate of my IMAP server (running on Debian Buster) was automatically refreshed: , | Request ID '20181003215953': | status: MONITORING | stuck: no | key

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-12 Thread Jochen Kellner via FreeIPA-users
"Scott Z. via FreeIPA-users" writes: > My current status is that I've done an ipactl restart > --ignore-service-failure, my timedate value is once again current, Your IDM server has the ntp role enabled, so you can't go back in time and use "ipactl start", because that is setting the time to

[Freeipa-users] Re: OTP Radius 5 seconds timeout

2020-07-13 Thread Jochen Kellner via FreeIPA-users
Jochen Kellner via FreeIPA-users writes: > I see... I've looked again for my research concerning IPA OTP timeouts. > These posts document the timeouts I found: > > https://www.redhat.com/archives/freeipa-users/2016-December/msg00239.html > https://www.redhat.com/archives/fre

[Freeipa-users] Re: OTP Radius 5 seconds timeout

2020-07-13 Thread Jochen Kellner via FreeIPA-users
Hi, Sergiy Genyuk via FreeIPA-users writes: > Radius server is DUO so when in FreeIPA radius server set it sends > Access-Request to the DUO Radius server DUO check password against AD > and then push Accept message to the user mobile app... then returns > Access-Accept message back to

[Freeipa-users] Re: OTP Radius 5 seconds timeout

2020-07-08 Thread Jochen Kellner via FreeIPA-users
Sergiy Genyuk via FreeIPA-users writes: > Thank you for your reply, I do have ipv6 disabled and in capture do not see > failed attempts. > In capture it is only ipv4: > > 1 0.0 xx.xx.xx.xx -> yy.yy.yy.yy RADIUS 117 Access-Request(1) > (id=214, l=75) > 2 7.889686902 yy.yy.yy.yy ->

[Freeipa-users] Re: OTP Radius 5 seconds timeout

2020-07-08 Thread Jochen Kellner via FreeIPA-users
Hello Sergiy, Sergiy Genyuk via FreeIPA-users writes: > I have setup radius proxy (DUO) and associate user with it. Everything works > except radius > timeout. It is 5 seconds and you have to be blazing fast to push the button > :-) > I did adjust radius timeout in freeipa to 30 seconds but

[Freeipa-users] Re: Problem with AD users after upgrade

2020-06-16 Thread Jochen Kellner via FreeIPA-users
Hello Ronald, Ronald Wimmer via FreeIPA-users writes: > I would highly appreciate if you could take a quick look and tell me > how severe they are and what I can possibly do to fix them. I do not > care about KRA because we did not use the feature at this point in > time. KRA could be set up

[Freeipa-users] Re: ipa-healthcheck with fresh replica

2020-06-08 Thread Jochen Kellner via FreeIPA-users
Jochen Kellner via FreeIPA-users writes: > In IPA I have four certificates for "IPA RA" - one (the oldest) revoked, > two are expired in 2017 and 2019 and one valid until next year. > > The certificate in CS.cfg is expired: > > Serial

[Freeipa-users] Re: ipa-healthcheck with fresh replica

2020-06-07 Thread Jochen Kellner via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Jochen Kellner via FreeIPA-users wrote: >> Topology: >> freeipa1 + freeipa2: CentOS Linux release 7.8.2003 (Core) (upgrade from >> older CentOS 7 releases) >> DNS, CA, KRA, AD trust >> freeipa1

[Freeipa-users] ipa-healthcheck with fresh replica

2020-06-07 Thread Jochen Kellner via FreeIPA-users
Hi, I've been running IPA on CentOS 7 for some time on two servers with integrated CA. With the release of CentOS 8.1 I tried upgrading with a second replica - but scrapped that due to the problem with the wrong samba libraries linked. Since no fix is in sight I thought about migrating to Fedora

[Freeipa-users] Re: ssh bash completion (no known_hosts)

2020-05-15 Thread Jochen Kellner via FreeIPA-users
Klaus Vink Slott via FreeIPA-users writes: > But at the same time it is really annoying that to > satisfy kerberos, I have to type the fqdn at the ssh prompt every time. I have the following in my laptop's ~/.ssh/config: , | CanonicalizeHostname always | CanonicalDomains example.org `

[Freeipa-users] Re: Plans for integrating DHCP

2020-04-24 Thread Jochen Kellner via FreeIPA-users
Hello Ronald, Ronald Wimmer via FreeIPA-users writes: > are there any plans to integrate a DHCP server into FreeIPA. We have > several environments where a lack of DHCP is a showstopper at the > moment. I have a (simple) script running that creates a configuration snippet for dnsmasq from the

[Freeipa-users] Re: A Debian Head-Scratcher

2020-03-03 Thread Jochen Kellner via FreeIPA-users
"White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users" writes: > SSSD does not seem to be the source of the glitch. The sssd_nss.log says > that it successfully finds the user. > > All the error in /var/log/auth.log contain "pam_unix", so I tried > adding "debug" to the end of every instance

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Kellner via FreeIPA-users
Hi, On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote: > On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: >> I'm playing around with keycloak and wanted to use an SSL certificate >> from IPA. I've looked around