[Freeipa-users] Re: Use of certificates to have https secure connection

2021-04-24 Thread John Keates via FreeIPA-users
Hi Guille, The meaning of "Pass --pin-" means: pass along the argument --pin and set it to an empty value (because --pin= does exactly that, it says "pin equals to nothing"). In your case this might look like: ipa-server-certinstall -w -d --pin= mysite.key mysite.crt Or, if the command

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
In that case, let's save you some additional time: FIPS mode is not beneficial, unless you are contractually required to shoot yourself in the foot and get a FIPS audit done. Aside from that (somewhat obvious) fact, it would be useful for the list if you stated why you want this, and if you

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
What Rob (and Alexander) are saying is: your auditor will do an audit and tell you if you are FIPS compliant. While using software in FIPS-compliant mode might reduce the amount of work you'll need to do to be compliant, it's not some sort of labeling procedure where you need to show some specs

[Freeipa-users] Re: Auto cleanup old enrolled hosts

2021-02-16 Thread John Keates via FreeIPA-users
We have a similar situation where we end up with ~50k dead hosts after only a week; ended up creating a lambda that pulls all the hosts out of IPA LDAP and then tries to find them in each AWS account using the EC2 API. If a host is not found to be either running or shut-down but still stored and

[Freeipa-users] Re: How to migrate Sernet Samba 4.12.6-13 to FreeIPA on CentOS 7.8.2003

2020-09-20 Thread John Keates via FreeIPA-users
FreeIPA doesn’t do NT domain server or AD server things and does not support Windows clients. Are you sure you are on the right track? As far as the relation between FreeIPA and Microsoft Active Directory goes: FreeIPA can ’trust’ an external AD domain so you can authenticate AD users via IPA

[Freeipa-users] Re: Integration of freeipa into an azure AD based infrastructure

2020-08-29 Thread John Keates via FreeIPA-users
You can, but only if you use hybrid Azure AD and have an AD DC to connect to. But then the problem becomes ‘who created the forest’. If you join in to an AAD ‘forest’ you still can’t create a trust. So far I’ve only had implementations where the AD domains and forests were ‘classic’ and only

[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
pens I believe I can get the certs to update, but right > now everything seems to be attempting to talk to IPA2 which is still running > but the server was rebuilt after this image was made, so we can't talk with > the server. > > Randy > > On 9/26/2019 4:05 PM, John Keat

[Freeipa-users] Re: Terminating replication agreement

2019-09-26 Thread John Keates via FreeIPA-users
You could turn the clock back, remove the agreements, renew the certs to a future date, shutdown, reset the clock and renew again to get up and running. Make sure you’re doing it while the system is offline to prevent NTP. Also: make sure you don’t run into this again by making regular recovery

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
So the name is MEYERAD but you typed MEYER-AD. Remove the dash from your earlier command and it should work. John > On 22 Jul 2019, at 17:48, Andrew Meyer via FreeIPA-users > wrote: > > Getting this: > > [andrew.meyer@freeipa01 ~]$ sudo ipa trust-find > --- > 1 trust matched >

[Freeipa-users] Re: Ad integration

2019-07-22 Thread John Keates via FreeIPA-users
What does the AD Trust list in IPA show for the AD domain you should be using? The same one? Or a different notation? John > On 22 Jul 2019, at 17:13, Andrew Meyer via FreeIPA-users > wrote: > > Hello, > I am working on setting up FreeIPA with AD integration and seem to be running > into an

[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread John Keates via FreeIPA-users
An alternative would be writing your own IPA plugin. John > On 9 Jul 2019, at 23:23, Andrew Meyer via FreeIPA-users > wrote: > > I was hoping to not use a radius server in between. > > Sent from Yahoo Mail on Android >

[Freeipa-users] Re: Upgrade path in CentOS 7

2019-07-03 Thread John Keates via FreeIPA-users
To be safe, I’d just add a new server with the latest of everything, join it to the domain and decommission the old one. Not a direct answer to your question, I know, but as soon as you are unsure of the upgrade path, putting in those 30 minutes to do the install-and-replace routine solves it

[Freeipa-users] Re: Install freeipa-client

2019-06-29 Thread John Keates via FreeIPA-users
That is part of the packaging, not part of freeipa-client. Usually, on apt/deb systems you can tell apt or dpkg you are running unattended by setting an environment variable like DEBIAN_FRONTEND=noninteractive. After installing the package, you can set up the client unattended using

[Freeipa-users] Re: cannot access webui

2019-06-20 Thread John Keates via FreeIPA-users
Start at the beginning: - Is the install running? (ipactl status) - Is apache listening (ss -l or netstat -l or systemctl status apache2/httpd/apache/whateverthenameis) - Is the firewall letting you in? - What does /var/log/apache2 or /var/log/httpd or whatever it’s configured to log to say?

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
srv records from company.com to > auth.company.com? > > And it's okay I guess if the host keytabs look like > > host/server.company@auth.company.com > > I am slowly getting there :) > > -Chris. > > On 17/06/2019 14:06, John Keates via FreeIPA-users wrote: >> In

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
want dc=company,dc=com. > We will not be using any Windows / AD things. Only UNIX/Linux. > The Services are used in house as well as from around the world (public). > > Thanks so much. > -Christian. > > > On 17/06/2019 13:44, John Keates via FreeIPA-users wrote: >

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
Domain: company.com > K5: COMPANY.COM > > Primary failed: ERRORDNS zone COMPANY.COM. already exists in DNS and > is handled by server(s): ns1.ns-serve.net., ns2.ns-serve.net. > > What would be the right approach here? > > Thanks again! > -Chris. > > > On 17/06

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
A HA-aware client would use SRV records to locate the server(s) and then connect every returned instance until a working server is found. And by using locations you can scope the servers you get back. Regarding the single URL: while there are many options, we decided to simply register all

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread John Keates via FreeIPA-users
Sounds great! Where do we find this tool? In an upcoming release or as a stand-alone package? John > On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users > wrote: > > I'd like to introduce a new tool for an IPA administrators tool kit we're > working on, currently in a beta state and

[Freeipa-users] Re: [HAProxy / Keepalive] After installation

2019-06-11 Thread John Keates via FreeIPA-users
IPA is already highly available, from the service side using DNS and multiple records for all services, on the web side: every server has a working web interface. If you want to redirect users to any working interface, a generic load balancer without keepalive works, redirect them to the IP

[Freeipa-users] Re: ILO Card IPA authentication

2019-06-06 Thread John Keates via FreeIPA-users
ESX has nothing to do with the iLO. The iLO settings can for example be set from the iLO web interface, use LDAP authentication and point it to IPA. John > On 6 Jun 2019, at 10:57, Karim Bourenane via FreeIPA-users > wrote: > > Hello All > > I want to authenticate Users into our ILO 4 card

[Freeipa-users] Re: Minimal ipa configuration (inside docker)

2019-06-05 Thread John Keates via FreeIPA-users
Keep in mind that when you use RHEL, features that aren’t available (due to supported versions restrictions) should probably not be hacked/bypassed because that would probably void your support just as well. If you want something unsupported you might as well use something else (Fedora,

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-06-01 Thread John Keates via FreeIPA-users
On *nix I’d test with klist etc to get information on what tickets I have and what those tickets are good for. Perhaps you can do the same on Windows, figure out what tickets you actually have and what you can do with them. John > On 1 Jun 2019, at 13:04, lejeczek via FreeIPA-users > wrote:

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
Very odd, those steps look correct to me. And if auto-discovery for the domain, realm, hostname and IPA server work, then it’s not the ipa-client-install script I think. What versions are you running? Important bits: - freeipa packages - kerberos packages - sssd packages also, what does

[Freeipa-users] Re: ipa server upgrade fails - dirsrv complains about Unknown attribute syntax OID

2019-05-29 Thread John Keates via FreeIPA-users
nerally okay with servers being at different versions, > then? Could I upgrade by creating a new server, enrolling it as a > replica of then old server and then shut down the old server. Can I do > that as a general behaviour? > > On 29/05/2019 21:21, John Keates via FreeIPA-users wro

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
In what phase do you run the script? It should be one of the last scripts in the final phase for the install to work reliably. If it’s in preconfig or config phase it breaks 9 out of 10 times. John > On 29 May 2019, at 22:53, Boudjoudad Abdelkader wrote: > > I'm using cloud-init with this

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
What I meant was that you are already practically disabling it; you specify the hostname, domain, server, realm on your command line but those should be discoverable. Here is an enrollment jinja2 template I use: ipa-client-install -U --enable-dns-updates

[Freeipa-users] Re: deploying Freeipa with script

2019-05-29 Thread John Keates via FreeIPA-users
I don’t know what you are missing, but I do know that in theory your enrolment should work with just -U for unattended and the principal and password. Unless you have a special environment that requires auto discovery to be disabled, I’d recommend using it. I’m enrolling clients in three ways

[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-27 Thread John Keates via FreeIPA-users
It’s not really doing anything more, except doing the status on all of the units with one command. If units were to be added/removed, the command would stay the same. But I wouldn’t call this monitoring, it’s more like a health check, you get a binary (good/bad). Monitoring would expect metrics

[Freeipa-users] Re: upgrade freeipa from version 4.1.4 to 4.6.4

2019-05-26 Thread John Keates via FreeIPA-users
Yes, that is possible. The best and most-supported way is installing a second server (or VM) and running your desired version on that. Then join it to the domain, install all services (ca, domain, trust controller, kra etc.). Then you can uninstall the ‘old’ server (after testing of course!).

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-26 Thread John Keates via FreeIPA-users
For this to work, yes you need to set up AD Trust, and for HBAC to access the Linux systems, you need ID View user overrides. Once you have verified basic password or ssh key login (set key in user override!) works, GSSAPI should be an easy next step. Keep in mind that if you were to kinit on a

[Freeipa-users] Re: sudo rule does not work for domain user

2019-05-24 Thread John Keates via FreeIPA-users
Turn up the dial on debug logging on SSSD to find out more. John > On 24 May 2019, at 13:00, Rob Verduijn via FreeIPA-users > wrote: > > Hello, > > I'm trying to figure out why an ad-domain user cannot use sudo. > > When I test with > > ipa hbactest --user=ansible --host

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
You don’t need to setup a DNS server or Route 53 Zone, you can use the route53resolver. It allows a conditional forwarder for any domain you wish and you can point it straight at an IPA DNS server. It’s built in to AWS:

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s mostly for general redundancy and speed. Speed is both for load balancing and querying local servers first. Say you don’t talk to IPA often and your cross-continental latency isn’t an issue, then running 1 server in Iceland would fit. For us, the redundancy part is relatively important

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread John Keates via FreeIPA-users
That’s not too bad. We have a similar setup somewhere, about 39 AWS accounts, some with multiple VPCs, three physical locations, one with two separate DCs (the others have one). For AWS we simply add PCXes where possible with sg source rules, makes it pretty secure. For other accounts we run

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-22 Thread John Keates via FreeIPA-users
I’d think that if you can remote-enrol hosts as IPA clients, it would be real easy to also enrol them as VPN clients first. Heck, even Wireguard would be good enough, even without a full audit. You’d just add a single route to the route table for that VPN to the IPA server and you’re good to

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-20 Thread John Keates via FreeIPA-users
I would never run FreeIPA over the public internet, bad idea. It’s not as bad as running AD over the internet, but it’s getting pretty close. Run servers in all zones/regions and have those servers talk to each other (tunnels). Stuff inside a zone will do a discovery and find the servers that

[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread John Keates via FreeIPA-users
The documentation on this is pretty good. Basically, you can ’trust’ AD from FreeIPA, which means the users from AD can be used in IPA. Groups too. Passwords must be set and reset in AD, but everything you need for Linux (SSH keys, host rules etc) can be done in IPA.

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Your specific issue might not be because of the .local TLD, but .local is a special ‘reserved’ name for multicast DNS. You can use any other (including fake) TLD that is not registered. There are some other TLDs that are ’special’, like the one used for reverse-IP records in APIPA. Best to avoid

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
In that case I don’t know how to help (but someone else might). As per https://tools.ietf.org/html/rfc6762 .local isn’t supposed to be used the way you are using it at this time, and it will conflict with pretty much any standard system. I don’t know how to patch/override that without breaking

[Freeipa-users] Re: IPAM that integrates well with FreeIPA

2019-03-03 Thread John Keates via FreeIPA-users
I used to look for the same thing, but it didn’t make sense in the end: IPA isn’t authoritative on what IP addresses are used, and why. That is what infrastructure configuration management is for, i.e. your DHCP servers and tooling used for static configuration (like Salt and Ansible). John >

[Freeipa-users] Re: Multiple dot in hostname - DNS error

2019-03-03 Thread John Keates via FreeIPA-users
Did you select mDNS’s TLD .local on purpose? Or was this an inheritance. > On 3 Mar 2019, at 14:49, Vivek Aggarwal via FreeIPA-users > wrote: > > Our current implementation has multiple dots(.) names in the hostname > ,details mentioned below & we're using below setting while configuring

[Freeipa-users] Re: Issues with AD user ssh

2019-02-11 Thread John Keates via FreeIPA-users
I think the issue is outlined in the PAC error you got. > On 11 Feb 2019, at 16:51, D via FreeIPA-users > wrote: > > sss_send_pac failed, group membership for user with principal [ username>@AD.DOMAIN.COM] might not be correct. It seems to indicate that the PAC in the ticket doesn’t match

[Freeipa-users] Re: SSO

2019-01-19 Thread John Keates via FreeIPA-users
I’m using Keycloak and it works fine with FreeIPA. Ipsilon was not mature enough for our use case (which is fine, not everything fits everywhere) but it is much simpler in comparison to Keycloak. As big as it looks, it’s not that much of a beast to deploy and configure; you basically have the

[Freeipa-users] Re: fiddling with Win2016 trust - users

2019-01-16 Thread John Keates via FreeIPA-users
There is no enumeration support, but if you want to figure out if your connection works, try getent on a group or user (or using id on a group or user). If those don’t work the AD Trust might not be working correctly. I start the trusts on the IPA side and use Domain Admin creds (and not a

[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-11-30 Thread John Keates via FreeIPA-users
We are using FreeIPA Debian clients, been using snapshots or sid packages for that since it is very nicely constrained wrt dependencies. Using our IoC/configuration management/orchestration tooling we simply push a number of packages to the clients and install them and their in-repo

[Freeipa-users] Re: Replica install on RPI3

2018-11-03 Thread John Keates via FreeIPA-users
My suggestion would be: don’t run it on a Pi, it’s not fast enough. But you came to that conclusion already, so I guess the next issue would be: where does it fail? I’m assuming the rpm install works out but ipa-server-install doesn’t? Or does that work but does the starting of all the

[Freeipa-users] Re: No httpd service listening on TCP4

2018-11-02 Thread John Keates via FreeIPA-users
That is normal, they are actually listening on both IPv4 and IPv6. The netstat output shows it as :::80 :::*. Listening on both protocol versions makes it show up as IPv6. You do not get two separate entries. You could try to start netcat in listen mode on port 80 and you’ll find that it errors

[Freeipa-users] Re: Create Certificate for Load Balancer & end2end HTTPS traffic

2018-10-25 Thread John Keates via FreeIPA-users
I think you can do this if you upload your certificate and key to ACM in AWS, and then use the ACM ARN for your uploaded certificate as the certificate for the ALB. You do need to generate the CSR separately indeed. John > On 25 Oct 2018, at 19:10, Peter Tselios via FreeIPA-users > wrote: >

[Freeipa-users] Re: conflicting hostname requirement from SAP

2018-10-10 Thread John Keates via FreeIPA-users
I’d say: don’t run FreeIPA server on the same install as the SAP server. John > On 10 Oct 2018, at 23:16, Dan Haskell via FreeIPA-users > wrote: > > > > Per the FreeIPA quickstart guide: > > The rule about /etc/hosts is that the fully-qualified name must come first. > It should look like:

[Freeipa-users] Re: Cannot import certificate signed by MS-CA - subject mismatch

2018-09-12 Thread John Keates via FreeIPA-users
Only UTF-8 is allowed. Re-sign with UTF-8. John > On 12 Sep 2018, at 16:37, Peter Tselios via FreeIPA-users > wrote: > > No one > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to

[Freeipa-users] Re: Global Catalog Support on FreeIPA 4.7 ?

2018-08-26 Thread John Keates via FreeIPA-users
There is no Global Catalog or support for this. IPA does not host the services for the AD->IPA trust yet. John > On 26 Aug 2018, at 12:11, Zafer Syed via FreeIPA-users > wrote: > > Good Day, > > I've configured a Two-way Forest trust between AD (windows-2016) and FreeIPA > 4.7(Centos 7).

[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-07-20 Thread John Keates via FreeIPA-users
Hi, Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates a broken SSSD configuration. Adding the services manually to sssd.conf fixes this: services = nss, sudo, pam, ssh For some reason, ipa-client-install thinks we have socket-activated SSSD services, but we don’t.

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread John Keates via FreeIPA-users
What you want is not possible because DNS resolves to one IP, not to a NAT’ed IP. Doing this differently is very hacky and totally unsupported. One host, one IP, one DNS record. NAT doesn’t belong in this type of networking. If you really wanted to shoot yourself in the foot, you can use

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
expires: 2019-01-26 19:41:51 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/lib64/

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
I would suggest doing what the last line says: Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. Then, you can check the certificates and maybe refresh it if it is actually expired. John > On 7 Jun 2017, at 14:39, Roberto Cornacchia via

[Freeipa-users] Re: named-pkcs11 systemd service

2017-05-26 Thread John Keates via FreeIPA-users
Hi, At the risk of smelling like a thread hijack; I’m experiencing the same issue on one server (Fedora 25), but on all others it’s fine. I don’t think this is a ‘normal’ issue that should be ‘fixed’ by restarting named-pkcs11 all the time. I tend to check for known issues (and solutions) on

[Freeipa-users] Re: CentOS 7 Letsencrypt CA

2017-05-25 Thread John Keates via FreeIPA-users
Hi, Instead of using the Let’s Encrypt thing on the IPA server itself, I often just use it on a reverse proxy. This way the end-users see the verified CA and FreeIPA can keep doing its business. I tried to use ACME on the IPA server in the past, but it wasn’t very well integrated and caused