[Freeipa-users] POSIX attributes and Trusts in FreeIPA

2021-03-10 Thread Lachlan Musicman via FreeIPA-users
Can I please get clarification on a FreeIPA instance (as IdM in RHEL8.3) and AD's POSIX attributes? From what I can see, the POSIX attributes - are ignored? Specifically, when I run $ id u...@ad.domain.com $ id -u u...@ad.domain.com $ id -g u...@ad.domain.com The POSIX attribute values are

[Freeipa-users] Re: ipa-idoverride-memberof-plugin issue, ipa 4.8.7 rhel 8.3

2020-12-10 Thread Lachlan Musicman via FreeIPA-users
Perfect, thank you.

[Freeipa-users] ipa-idoverride-memberof-plugin issue, ipa 4.8.7 rhel 8.3

2020-12-09 Thread Lachlan Musicman via FreeIPA-users
Hola, When I browse to the webUI for IDM, I'm getting nothing. The http error log is showing: [Thu Dec 10 15:30:44.429646 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42908] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu

[Freeipa-users] Re: How to delete replica that no longer exists?

2018-10-21 Thread Lachlan Musicman via FreeIPA-users
On Wed, 3 Oct 2018 at 09:28, Lachlan Musicman wrote: > On Wed, 3 Oct 2018 at 08:34, Lachlan Musicman wrote: > >> How do I delete a replica from the master if the replica no longer exists? >> >> The message I get is "Unable to delete replica hostname; cannot connect >> to ldaps://hostname:389"

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-04 Thread Lachlan Musicman via FreeIPA-users
On Thu, 4 Oct 2018 at 23:22, Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > As part of a larger IPA "health" checker and driven largely by necessity > I have the beginning of a certificate checking tool available at > https://github.com/rcritten/checkcerts > >

[Freeipa-users] Re: How to delete replica that no longer exists?

2018-10-02 Thread Lachlan Musicman via FreeIPA-users
On Wed, 3 Oct 2018 at 08:34, Lachlan Musicman wrote: > How do I delete a replica from the master if the replica no longer exists? > > The message I get is "Unable to delete replica hostname; cannot connect to > ldaps://hostname:389" > I tried using --force but got $ ipa-csreplica-manage del

[Freeipa-users] How to delete replica that no longer exists?

2018-10-02 Thread Lachlan Musicman via FreeIPA-users
How do I delete a replica from the master if the replica no longer exists? The message I get is "Unable to delete replica hostname; cannot connect to ldaps://hostname:389" cheers L. -- '...postwork futures are dismissed with the claim that "it is not in our nature to be idle", thereby

[Freeipa-users] Re: FreeIPA AD Trust with Samba4 ... is it possible?

2018-08-13 Thread Lachlan Musicman via FreeIPA-users
On 14 August 2018 at 01:38, Hacker Sword via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Alex, > > >The documentation is only conflicting if you are using it in a > conflicting way. > > > > The choice of Kerberos library is important. Samba AD DC with MIT > Kerberos still is

[Freeipa-users] Re: DNS not resolving IPA Clients or IPA Server

2018-07-10 Thread Lachlan Musicman via FreeIPA-users
On 11 July 2018 at 14:39, Sameer Gurung via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > my IPA server is linserver. IP: 192.168.0.111 > domain is dcs.smcs > > on my client machine /etc/resolv.conf > namserver 192.168.0.111 > > when i dig linserver.dcs.smcs > > I get no result.

[Freeipa-users] Re: Replica can ipa-find but can't id

2018-06-18 Thread Lachlan Musicman via FreeIPA-users
On Mon., 18 Jun. 2018, 16:15 Alexander Bokovoy, wrote: > On ma, 18 kesä 2018, Lachlan Musicman wrote: > >On 15 June 2018 at 16:03, Alexander Bokovoy wrote: > > > >> On pe, 15 kesä 2018, Lachlan Musicman via FreeIPA-users wrote: > >> > >>> >

[Freeipa-users] Re: Replica can ipa-find but can't id

2018-06-17 Thread Lachlan Musicman via FreeIPA-users
On 15 June 2018 at 16:03, Alexander Bokovoy wrote: > On pe, 15 kesä 2018, Lachlan Musicman via FreeIPA-users wrote: > >> >> https://github.com/freeipa/freeipa/pull/1825 >> >> And from here >> https://lists.fedorahosted.org/archives/list/freeipa-use

[Freeipa-users] Replica can ipa-find but can't id

2018-06-14 Thread Lachlan Musicman via FreeIPA-users
CentOS 7.5 ipa --version VERSION: 4.5.4, API_VERSION: 2.228 When on my replica, and I use ipa idoverrideuser-find 'Default Trust View' I get the expected results: -- 1 User ID override matched -- Anchor to override:

[Freeipa-users] Re: FreeIPA upgrade fails in CentOS 7.4 to CentOS 7.5 upgrade

2018-06-05 Thread Lachlan Musicman via FreeIPA-users
On 6 June 2018 at 11:24, Lachlan Musicman wrote: > From ipaupgrade.log, the CA isn't coming up? > Digging, I found this Internal Database Error encountered: Could not connect to LDAP server host vmpr-linuxidm.unix.company.com port 636 Error netscape.ldap.LDAPException: Unable to create

[Freeipa-users] FreeIPA upgrade fails in CentOS 7.4 to CentOS 7.5 upgrade

2018-06-05 Thread Lachlan Musicman via FreeIPA-users
From ipaupgrade.log, the CA isn't coming up? 2018-06-06T01:05:40Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2018-06-06T01:05:40Z DEBUG waiting for port: 8080 2018-06-06T01:05:40Z DEBUG Failed to connect to port 8080 tcp on ::1 2018-06-06T01:05:40Z DEBUG Failed to connect to

[Freeipa-users] Re: FreeIPA 4.6.3 on CentOS 7.5?

2018-05-30 Thread Lachlan Musicman via FreeIPA-users
On 30 May 2018 at 23:58, Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On ke, 30 touko 2018, Zak Wolfinger via FreeIPA-users wrote: > >> Is it possible to run FreeIPA 4.6.3 on CentOS 7.5 (build 1804)? >> >> It appears to me that 4.6.3 is only available in

[Freeipa-users] Re: ipa-client-install - sssd.conf

2018-05-17 Thread Lachlan Musicman via FreeIPA-users
On Wed, May 16, 2018 at 12:04 PM, Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, >> >> is there a way to configure parameters in sssd.conf when calling >> ipa-client-install? It would be very helpful to be able to specify these >> parameters: >> >> [sssd] >>

[Freeipa-users] Re: Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)

2018-05-10 Thread Lachlan Musicman via FreeIPA-users
On 1 May 2018 at 17:40, SOLER SANGUESA Miguel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > hello, > > > > I have an IPA master that updated from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL > 7.5). An hour later I tried to do the same with the unique replica I have, > but after update

[Freeipa-users] Re: Host is enrolled and installed

2018-05-08 Thread Lachlan Musicman via FreeIPA-users
On 24 April 2018 at 15:43, Lachlan Musicman <data...@gmail.com> wrote: > On 23 April 2018 at 17:00, Alexander Bokovoy <aboko...@redhat.com> wrote: > >> On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: >>>> >>>>> Am I making hard wo

[Freeipa-users] Re: Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
On 23 April 2018 at 17:53, Lachlan Musicman <data...@gmail.com> wrote: > On 23 April 2018 at 17:00, Alexander Bokovoy <aboko...@redhat.com> wrote: > >> On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: >> >>> Am I making hard work of someth

[Freeipa-users] Re: Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
On 23 April 2018 at 17:00, Alexander Bokovoy <aboko...@redhat.com> wrote: > On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: > >> Am I making hard work of something that is relatively straight forward and >> solved elsewhere but I've missed? >> >

[Freeipa-users] Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
Not 100% sure where to send this. Am trying to write an Ansible playbook to install SSSD and enroll the host in a domain. The problem starts when the host exists in the domain and ipa-client is already installed. We can use Ansible's delegate module to remove host from domain enrollment (would

[Freeipa-users] FreeIPA Ansible scripts

2018-03-28 Thread Lachlan Musicman via FreeIPA-users
Has anyone on the list used the FreeIPA Ansible scripts? https://github.com/freeipa/ansible-freeipa It looks relatively up to date and functional. Cheers L. -- "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor

[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-03-28 Thread Lachlan Musicman via FreeIPA-users
On 29 March 2018 at 06:45, Jakub Hrozek wrote: > > On 28 Mar 2018, at 21:20, Rob Crittenden wrote: > > > > What COPR is that? > > The SSSD team copr: > https://copr.fedorainfracloud.org/groups/g/sssd/coprs/ > > Fabiano already built the packages, I just

[Freeipa-users] Re: Announcing SSSD 1.16.1

2018-03-27 Thread Lachlan Musicman via FreeIPA-users
On 9 March 2018 at 23:28, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > SSSD 1.16.1 > === > > The SSSD team is proud to announce the release of version 1.16.1 of the > System Security Services Daemon. > > The tarball can be downloaded from

[Freeipa-users] Maintenance mode

2017-12-06 Thread Lachlan Musicman via FreeIPA-users
Stupid question, but to stop anyone from logging in anywhere - for instance during a maintenance period - is there an easy maintenance mode in IPA? Or is the best method to disable all HBAC rules? cheers L. -- "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-11 Thread Lachlan Musicman via FreeIPA-users
<http://skype:Trefex?call> > > > This message is confidential and may contain privileged information. > It is intended for the named recipient only. > If you receive it in error please notify me and permanently delete the > original message and any copies. > > >

[Freeipa-users] master - replica relationship

2017-11-07 Thread Lachlan Musicman via FreeIPA-users
Hola, I'm still trying to wrap my head around the master-replica concept. From what I read in the documentation (Chapter 4 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/ ) the replica should be able

[Freeipa-users] Re: libsemanage updates fail due to AD user with space

2017-10-31 Thread Lachlan Musicman via FreeIPA-users
On 4 April 2017 at 17:44, Lukas Slebodnik wrote: > >>> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote: > >>> > > >>> > With SSSD/IPA in use, in a one way trust to AD, and AD users have > spaces > >>> in > >>> > their names, libsemanage fails to update: >

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Lachlan Musicman via FreeIPA-users
On 27 October 2017 at 07:38, Rob Crittenden <rcrit...@redhat.com> wrote: > Lachlan Musicman via FreeIPA-users wrote: > > > > > ipa -version > > VERSION: 4.5.0, API_VERSION: 2.228 > > It shouldn't be even trying port 7389 with v4.5.0. Very old versions of

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Lachlan Musicman via FreeIPA-users
On 27 October 2017 at 10:32, Lachlan Musicman <data...@gmail.com> wrote: > On 27 October 2017 at 07:38, Rob Crittenden <rcrit...@redhat.com> wrote: > >> Lachlan Musicman via FreeIPA-users wrote: >> > >> > When I look at the ID Views in the interface, I

[Freeipa-users] Replica stopped working: pki-ca port failed?

2017-10-25 Thread Lachlan Musicman via FreeIPA-users
When I first installed our replica, it worked just fine - I could add a user and see it on the master server. And vice versa. I recently went back to take a look and make sure everything was working - and it's not. ipactl status shows everything is ok. Munge is up. I can ssh hostname between

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-20 Thread Lachlan Musicman via FreeIPA-users
On 20 September 2017 at 16:15, Lachlan Musicman wrote: > On 20 September 2017 at 15:54, Alexander Bokovoy > wrote: > >> >> Ok. By the look of this commit (to 4.5): >>> >>> https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858 >>> >>> from

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-20 Thread Lachlan Musicman via FreeIPA-users
On 20 September 2017 at 15:54, Alexander Bokovoy wrote: > > Ok. By the look of this commit (to 4.5): >> >> https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858 >> >> from this issue https://pagure.io/freeipa/issue/7083 >> >> It is (or was) the IPv6 problem.

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Lachlan Musicman via FreeIPA-users
On 20 September 2017 at 13:01, Lachlan Musicman wrote: > https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858 > On 20 September 2017 at 12:30, Fraser Tweedale > wrote: > >> >> Can you please provide log files? Especially >>

[Freeipa-users] Re: 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Lachlan Musicman via FreeIPA-users
On 20 September 2017 at 12:30, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Wed, Sep 20, 2017 at 08:50:03AM +1000, Lachlan Musicman via > FreeIPA-users wrote: > > 2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443] > > timeout 300 > > 2017-09

[Freeipa-users] 7.4 upgrade fails with timeout exceeded

2017-09-19 Thread Lachlan Musicman via FreeIPA-users
2017-09-19T22:30:50Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300 2017-09-19T22:35:51Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-09-19T22:35:51Z DEBUG File "/usr/lib/python2.7/site-

[Freeipa-users] Centos/Redhat 7.4

2017-08-23 Thread Lachlan Musicman via FreeIPA-users
What version of IPA is available in 7.4? cheers L. -- "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-12 Thread Lachlan Musicman via FreeIPA-users
On 13 July 2017 at 00:48, bogusmaster--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > On Thu, Jul 06, 2017 at 02:29:34PM -, bogusmaster--- via > FreeIPA-users wrote: > > I have verified that hint. I've stopped sssd daemon, cleared the cache and > started it back again.

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-07 Thread Lachlan Musicman via FreeIPA-users
Thank you for sharing this hint, I am going to try the upgrade. Can I ask you which version of IPA did you use with that sssd version? Did you upgrade sssd on each type of server (I mean both client and server)? I did a test roll out to just the clients before going to all. We are using the

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-06 Thread Lachlan Musicman via FreeIPA-users
On 7 July 2017 at 00:29, bogusmaster--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Just to add some example of behaviour I described, I configured an AD user > group membership and granted him access via HBAC rule. Waited approximately > for 2 hours and then, all of a

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-05 Thread Lachlan Musicman via FreeIPA-users
Bart, Which versions of SSSD and FreeIPA are you using? cheers L. -- "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams." - Patrisse

[Freeipa-users] Fwd: Logwatch and FreeIPA/sssd

2017-06-22 Thread Lachlan Musicman via FreeIPA-users
Hola, I have logwatch set up on my server, and there is a stanza in my daily email called "**Unmatched Entries**", which is filled with lines from either ipa or sssd: Failed password for usen...@domain.com from 10.126.67.170 port 57331 ssh2 : 2 time(s) Accepted password for usen...@domain.com