[Freeipa-users] FreeIPA Server - Allow authentication over multiple networks

2023-11-07 Thread None via FreeIPA-users
I have a pair of IPA servers with 2 networks (192.168.10.0, 192.168.30.0). Authentication happens over the 192.168.30.0 network. I am unable to authenticate over the 192.168.10.0 network. What do I need to configure to get authentication working over the 192.168.10.0 network? Is this easily

[Freeipa-users] Re: access IPA client via ssh does not work

2023-03-20 Thread None via FreeIPA-users
Hi Sumit, thank you, this solved it! I had added the user to the "User ID overrides" instead of the External for some reason and did not realize this. Wish you a great week. Best regards, Thomas ___ FreeIPA-users mailing list --

[Freeipa-users] access IPA client via ssh does not work

2023-03-17 Thread None via FreeIPA-users
I have a fresh IPA server setup with a trust to an Active Directory. All IPA services are working fine, IPA users can connect to IPA client hosts without problems. I now have added an AD user via creating an ID override in the default trust view and added an ssh key for the user. I made the

[Freeipa-users] Re: Problem with added host to freeipa with AD Trust setup

2023-03-15 Thread None via FreeIPA-users
Dear Alexander, thank you for your speedy reply and for clarifying this ! Best regards, Thomas ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora

[Freeipa-users] Problem with added host to freeipa with AD Trust setup

2023-03-15 Thread None via FreeIPA-users
Hi! I am experiencing strange behaviour with a host which is added to an IPA instance. The IPA instance is working as it should and I can't see any problems there. There is a Trust established to an AD domain. The AD domain is in the form of example.com whereas the IPA domain is

[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
bute name. So in this case givenname. 4.5.4 is getting along to 6 years old now. In general we strongly encourage you to upgrade to a supported release, one release at a time (there is no going from 4.5 to 4.10 directly). rob None via FreeIPA-users wrote: > > > Hi Florence, &

[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
fedorahosted.org > Cc: phi...@free.fr Sent: Tuesday 7 February 2023 16:40:11 Subject: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at 4:11 PM None via FreeIPA-users < freeipa-users@lists.fedorahosted.org > wrote: Hello, in FreeIPA 4.5.4, how do

[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
When I run 'ipa user-show user1 --all' the krbpasswordexpiration attribute appears in the list of user attributes though. - Original message - From: "None via FreeIPA-users" To: "Florence Blanc-Renaud" Cc: freeipa-users@lists.fedorahosted.org, phi...@free.fr Sent:

[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
"Florence Blanc-Renaud" < f...@redhat.com > À: "FreeIPA users list" < freeipa-users@lists.fedorahosted.org > Cc: phi...@free.fr Envoyé: Mardi 7 Février 2023 16:40:11 Objet: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at

[Freeipa-users] Re: password-expiration

2023-02-07 Thread None via FreeIPA-users
rence Blanc-Renaud" To: "FreeIPA users list" Cc: phi...@free.fr Sent: Tuesday 7 February 2023 16:40:11 Subject: Re: [Freeipa-users] password-expiration Hi, On Tue, Feb 7, 2023 at 4:11 PM None via FreeIPA-users < freeipa-users@lists.fedorahosted.org > wrote: Hello, in

[Freeipa-users] password-expiration

2023-02-07 Thread None via FreeIPA-users
Hello, in FreeIPA 4.5.4, how do you reset a user's password expiration date? Many thanks. Best regards, Philippe

[Freeipa-users] Re: Max number of users

2022-12-15 Thread None via FreeIPA-users
Sent: Thursday 15 December 2022 14:27:49 Subject: [Freeipa-users] Re: Max number of users Ronald Wimmer via FreeIPA-users wrote: > On 15.12.22 11:09, None via FreeIPA-users wrote: >> Hello, >> what is the maximum number of users you can add to freeipa? > > Th

[Freeipa-users] Max number of users

2022-12-15 Thread None via FreeIPA-users
Hello, what is the maximum number of users you can add to freeipa? Many thanks. Best regards, Philippe

[Freeipa-users] createTimestamp

2022-12-09 Thread None via FreeIPA-users
Hello, is there a way in FreeIPA to access LDAP fields which are not normally accessible, such as createTimeStamp? Many thanks.

[Freeipa-users] Re: New fields

2022-12-05 Thread None via FreeIPA-users
Subject: Re: [Freeipa-users] New fields None via FreeIPA-users wrote: > Good morning, > Is it possible to create new fields in Freeipa using the IPA CLI? Yes but it is often non-trivial. It can be achieved with a server-side plugin but basic understanding of LDAP is necessary. > Further

[Freeipa-users] Re: Dumping Freeipa

2022-12-05 Thread None via FreeIPA-users
Hi Rob, my bad. After checking, the IPA version is 4.5.4. - Original message - From: "Rob Crittenden" To: "FreeIPA users list" , "Rob Verduijn" Cc: "Philippe de Rochambeau" Sent: Monday 5 December 2022 15:27:11 Subject: Re: [Freeipa-users] Re: Dumping Freeipa You mention freeipa 2.0. Are

[Freeipa-users] Re: New fields

2022-12-05 Thread None via FreeIPA-users
Hi Rob, thank you for your feedback. I'd like to know when the account was created. - Original message - From: "Rob Crittenden" To: "FreeIPA users list" Cc: phi...@free.fr Sent: Monday 5 December 2022 15:31:34 Subject: Re: [Freeipa-users] New fields None via FreeIPA

[Freeipa-users] New fields

2022-12-05 Thread None via FreeIPA-users
Good morning, Is it possible to create new fields in Freeipa using the IPA CLI? Furthermore, how can you access LDAP fields (eg. the account creation date) from ipa ? Many thanks. Philippe

[Freeipa-users] Use of certificates to have https secure connection

2021-04-27 Thread None via FreeIPA-users
Hello, I have run that command and I get the following message. The file doesn't exist.  certutil -L -d /etc/httpd/alias -n Server-Cert certutil: Could not find cert: Server-Cert : PR_FILE_NOT_FOUND_ERROR: File not found Not sure what to do next. Also is here where I can find the

[Freeipa-users] Re: Script deletion of a host?

2020-03-25 Thread None via FreeIPA-users
--force-join Sounds like it may be just what I'm looking for. I'll give that a try. Thank you! On Wed, Mar 25, 2020 at 12:56 PM Alexander Bokovoy wrote: > On Wed, 25 March 2020, None via FreeIPA-users wrote: > >This may be a bit of a strange scenario. > > > >Environment

[Freeipa-users] Script deletion of a host?

2020-03-25 Thread None via FreeIPA-users
This may be a bit of a strange scenario. Environment is a compute cluster (running xCAT 2.15) FreeIPA server is running on the cluster master node. FreeIPA clients are installed on all other nodes. Compute nodes, login nodes, storage nodes, GPU nodes, etc. I created a script that installs the

[Freeipa-users] Re: ansible ipa_group failure

2020-03-10 Thread None via FreeIPA-users
Thank you for the PR. Should I open a bug on ansible's within for the fact that it fails with external=false on an existing non external group? Monkey Original message > From: Thomas Woerner via FreeIPA-users > To: FreeIPA users list > Subject: [Freeipa-users] Re: ansible ipa_group

[Freeipa-users] Interesting Issue -- IPA HTTP calls all fail with certificate verify failed: unable to get local issuer certificate

2020-03-03 Thread None via FreeIPA-users
So, my IPA server rebooted last night (from dnf automatic updates -- Fedora Server 31) When it came back, IPA basically is unusable, since pretty much every action logs this: (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to

[Freeipa-users] install failed on RedHat7.4

2019-04-25 Thread None via FreeIPA-users
Dear, I encountered an error when installing freeipa using command "ipa-server-install". Error as below. Can anyone give some idea about how to solve this issue? Is this a FreeIPA bug on RH7.4 linux version? Thanks ahead. ...Done configuring Kerberos KDC (krb5kdc).Applying LDAP updatesUpgrading

[Freeipa-users] Re: dirsrv replicas crashing with FD errors

2019-01-10 Thread None via FreeIPA-users
To answer my own question, it actually was just using too many file handles. I missed the part where you have to set it inside dirsrv too, since that got blown away when I rebuilt it.

[Freeipa-users] dirsrv replicas crashing with FD errors

2019-01-09 Thread None via FreeIPA-users
I recently reinstalled a couple of our freeipa replicas and they're both falling over with the same error. They run for a few minutes - as little as one, or up to an hour, and then fall over with thousands of errors like this: > ERR - accept_and_configure - PR_Accept() failed, Netscape Portable

[Freeipa-users] FreeIPA ca for kerberos

2018-12-11 Thread None via FreeIPA-users
Hello, if possible I would like to use the FreeIPA CA for Kubernetes, but Kubernetes has some requirements on the CN and O. The CN has to match the pattern system:node:$FQDN and O has to match system:node also see:

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread None via FreeIPA-users
Hi Flo, the journalctl reports that request is rejected, error 2. dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-renew-agent-submit[29558]: GET http://ca-ldap01.:8080/ca/ee/ca/profileSubmit?profil dogtag-ipa-renew-agent-submit[29558]: Apache

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread None via FreeIPA-users
Hi Flo, your feedback helps, thanks a lot !!! Interestingly, 'ipa config-show' read that none of four (4) servers is renewal master. I suspect it's the one that's installed first, indeed it has file /var/lib/ipa/pki-ca/publish/MasterCRL.bin Finally I fixed that so ca-ldap01 now reads as "IPA CA

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-19 Thread None via FreeIPA-users
Thanks Flo. [1] Service pki-tomcatd@pki-tomcat.service is active (running) [2] /var/log/pki/pki-tomcat/ca/debug reads among others: - SSL handshake happened - Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) -

[Freeipa-users] ipa require mvn?

2018-08-08 Thread None via FreeIPA-users
Dear, I tried to install ipa using "yum install -y ipa-server" in CentOS 7.2. Since the environment cannot connect to the network, I prepared a local yum repository using an iso file. Then I encountered a dependency issue as below, Error: Package: resteasy-base-jaxrs-3.0.6-4.el7.norach (iso)

[Freeipa-users] Reply: Re: Can we install LDAP only

2018-07-26 Thread None via FreeIPA-users
Subject: [Freeipa-users] Re: Can we install LDAP only Date: 26 July 2018, 15:06 On Thu, 26 July 2018, None via FreeIPA-users wrote: >Dear, > >Can we only install LDAP related components, with Kerberos? How? Do you mean you want LDAP server only? LDAP server with Kerberos KDC? LDAP server without Ker

[Freeipa-users] Re: "No valid Negotiate header in server response" error when trying to install

2018-07-11 Thread None via FreeIPA-users
ora) CMD (cd > /opt/cleanup && /opt/cleanup/venv/bin/python host-cleanup.py >> /var/log/cron) Think that's connected? Is there some reason that would happen? - greg On 2018-07-11 13:19, None via FreeIPA-users wrote: > Hey, > > Sorry for the delay, I couldn't repro

[Freeipa-users] Re: "No valid Negotiate header in server response" error when trying to install

2018-07-11 Thread None via FreeIPA-users
roxy file - I saw that come up in another thread. - greg On 2018-06-22 08:40, Florence Blanc-Renaud via FreeIPA-users wrote: > On 06/21/2018 06:05 PM, None via FreeIPA-users wrote: Hey everyone: I posted > this like a week ago and didn't get a response. Hoping someone can respond, > sin

[Freeipa-users] Re: "No valid Negotiate header in server response" error when trying to install

2018-06-21 Thread None via FreeIPA-users
Hey everyone: I posted this like a week ago and didn't get a response. Hoping someone can respond, since it's happened to us again. Any ideas? On 2018-06-12 10:58, g...@greg-gilbert.com wrote: > Hi all, > > I've been having an issue recently where my servers can't install FreeIPA due > to

[Freeipa-users] "No valid Negotiate header in server response" error when trying to install

2018-06-12 Thread None via FreeIPA-users
Hi all, I've been having an issue recently where my servers can't install FreeIPA due to this error: Cannot connect to the server due to generic error: error marshalling data for XML-RPC transport: message: need a ; got 'No valid Negotiate header in server response' (a ) Installation failed.

[Freeipa-users] Re: replication test

2018-05-21 Thread None via FreeIPA-users
FreeIPA-users wrote: On 18/05/18 at 16:52, Mark Reynolds wrote: On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: On 18/05/18 at 16:09, Mark Reynolds wrote: On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: hi! I'm new to FreeIPA, I inherited a FreeIPA infrastructure

[Freeipa-users] Re: replication test

2018-05-21 Thread None via FreeIPA-users
On 21/05/18 at 11:20, Mark Reynolds wrote: On 05/21/2018 10:16 AM, i...@tecnoaccion.com.ar wrote: On 18/05/18 at 20:02, Mark Reynolds wrote: On 05/18/2018 04:07 PM, None via FreeIPA-users wrote: On 18/05/18 at 16:52, Mark Reynolds wrote: On 05/18/2018 03:13 PM, i

[Freeipa-users] Re: replication test

2018-05-21 Thread None via FreeIPA-users
On 18/05/18 at 20:02, Mark Reynolds wrote: On 05/18/2018 04:07 PM, None via FreeIPA-users wrote: On 18/05/18 at 16:52, Mark Reynolds wrote: On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: On 18/05/18 at 16:09, Mark Reynolds wrote: On 05/18/2018 03:01 PM, None via

[Freeipa-users] Re: replication test

2018-05-18 Thread None via FreeIPA-users
On 18/05/18 at 16:52, Mark Reynolds wrote: On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: On 18/05/18 at 16:09, Mark Reynolds wrote: On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: hi! I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying to have

[Freeipa-users] Re: replication test

2018-05-18 Thread None via FreeIPA-users
On 18/05/18 at 16:09, Mark Reynolds wrote: On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: hi! I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying to have a Nagios check for the replication status (without indicating a password). I found this article: <ht

[Freeipa-users] replication test

2018-05-18 Thread None via FreeIPA-users
hi! I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying to have a Nagios check for the replication status (without indicating a password). I found this article: . It's

[Freeipa-users] Re: obtaining initial ticket via keytab

2018-05-10 Thread None via FreeIPA-users
> Josh writes: > > > Destroy the keytab. Recreate using ipa-getkeytab. I can't use ipa-getkeytab at the moment. Is getting keytab via ktutil not possible at all? Any technical details about it? Regards, Josh. ___ FreeIPA-users mailing list --

[Freeipa-users] Client install fails: Automember Plugin update unexpectedly failed.

2018-03-14 Thread None via FreeIPA-users
Hey, Things have been fine for a long time, but in the last day or so we've been seeing a lot of errors. We can't create any IPA users, and we get this whenever we try to run ipa-client-install: > Synchronizing time with KDC... > Attempting to sync time using ntpd. Will timeout after 15

[Freeipa-users] FreeIPA UI not working - Only shows certificate management

2018-02-08 Thread None via FreeIPA-users
Hi all, I have installed FreeIPA server on CentOS 6.9 but the GUI is not coming up completely. It only shows the following certificate system messages. Not sure why and here are the files in the /etc/httpd/alias: lrwxrwxrwx 1 root root 24 Jan 30 14:19 libnssckbi.so ->

[Freeipa-users] ipa-server-install get error Configuration of CA failed

2018-01-17 Thread None via FreeIPA-users
Hi, I was installing FreeIPA on REDHAT 6.7. I used yum install ipa-server and then ipa-server-install. But the ipa-server-install failed with the error below; can anyone give some advice on what could be the root cause? Thanks ahead. [3/21]: configuring certificate server instanceipa :

[Freeipa-users] Reply: Re: ipa host-del fail

2017-11-09 Thread None via FreeIPA-users
Thanks, Rob. I ran the command on another node and it worked for me. None via FreeIPA-users wrote: > Dear, > > I am trying to install replica by "ipa-replica-install > replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed, > > ipa-replica-install replica-info

[Freeipa-users] ipa host-del fail

2017-11-09 Thread None via FreeIPA-users
Dear, I am trying to install replica by "ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg" but it failed, ipa-replica-install replica-info-namenode2.hadoop.gxdwdc.gpg...The host namenode2.hadoop.gxdwdc already exists on the master server.You should remove it before procedding:

[Freeipa-users] Reply: Question about FreeIPA-pki-tomcatd fails to start

2017-11-09 Thread None via FreeIPA-users
Hi, Thanks ('Rob Crittenden' <rcrit...@redhat.com>) for informing me that /var/lib/pki/pki-tomcat/logs/ca/signedAudit did not exist. By "mkdir -p /var/lib/pki/pki-tomcat/logs/ca/signedAudit" automatically, pki-tomcatd can be started normally. - Original message ----- From: None via FreeIP

[Freeipa-users] Question about FreeIPA-pki-tomcatd fails to start

2017-11-09 Thread None via FreeIPA-users
Dear, I encountered an issue on FreeIPA, could someone give some suggestion? thanks ahead~ ipactl start Starting Directory Service Staring krb5kdc service Staring kadmin Service … Starting pki-tomcatd Service Failed to start pki-tomcatd server .. The Linux version is CentOS7.2

[Freeipa-users] Restoring DNS Grants

2017-09-11 Thread None via FreeIPA-users
Hello, I have two questions: 1. How can the default DNS grants be restored, or fixed, without knowing what they were? 2. Where can I get information about grants? I can't seem to find where they're documented. I was trying to get DDNS updates to work from DHCP server, and the

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
> All of the lines have err=0 except these: > > conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress > conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI > conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress >

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
, SASL bind in progress > conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI > > The server is running FreeIPA 4.4: > > $ ipa --version > VERSION: 4.4.0, API_VERSION: 2.213 > $ ipa-client-install --version > 4.4.0 > > - greg > > On 2017-08-

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
install --version 4.4.0 - greg On 2017-08-01 05:13, Florence Blanc-Renaud wrote: > On 08/01/2017 03:26 AM, None via FreeIPA-users wrote: > >> I'm really at a loss on this one. >> >> I have a bunch of old server images (from 2 months ago) that can run >> ipa-clie

[Freeipa-users] Setting up "Trust" without AD Admin credentials?

2017-07-10 Thread None via FreeIPA-users
Hi everyone, first post, hope the question is not too dumb and this is the right list. I’m trying to use IPA in the way the RHEL Windows Integration Guide describes it in the one-way-trust setup (indirect integration, using AD for auth, IPA for policies). However, I’m hitting a wall since at