[Freeipa-users] Re: Listing groups in FreeIPA

2017-11-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/09/2017 08:10 PM, Kristian Petersen via FreeIPA-users wrote: Hey all, Is there a way to get a list of all of the groups in FreeIPA using the python API? -- Kristian Petersen System Administrator Dept. of Chemistry and Biochemistry ___ FreeIP

[Freeipa-users] Re: sudo not working with hostgroups

2017-11-10 Thread Aaron Cole via FreeIPA-users
If you explicitly define your host into the sudo rule, does it work? Can you post the output with the hostname explicitly defined in the rule, to see if it parses it? That way we can at least see if sudo is comparing its FQDN to what's in the host rule. If it does find the host, then it mean

[Freeipa-users] Re: sudo not working with hostgroups

2017-11-10 Thread Aaron Cole via FreeIPA-users
Is the domainname set to the domain name of your IPA domain? I usually set CentOS/RHEL servers' hostname as the FQDN, and when you install the free-ipa-client it sets the domain name of the server to the freeipa domain name. The next thing to check is if your hosts file is set up properly. Mea

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Aaron Cole via FreeIPA-users
Did you try the command as defined in the sudo rule? sudo /usr/bin/su - jira Also why not just create a sudo rule in IPA with: Sudo Option:!authenticate User Groups:developers, ops_sudoers Host category: all Sudo Allow Commands: all ->>>RunAs User category: these will be external users

[Freeipa-users] Re: freeipa sudoers help

2017-11-10 Thread Aaron Cole via FreeIPA-users
In IPA the Cmnd_Alias is more like the sudo command group. Basically you have 2 options on how you want to input sudo commands for rules. 1. input each command as a sudo command, and then group the commands into sudo command groups. 2. input directly into the rule, one at a time. Very nasty, an

[Freeipa-users] Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
I upgraded my freeipa server to F26 and I noticed it wasn't working anymore. So I ran 'ipa-server-upgrade' and got the following : Upgrading IPA: [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]: starting directory server [5/8]: updating schema

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Callum Guy via FreeIPA-users
Can you start apache manually? On Fri, Nov 10, 2017 at 2:20 PM Fuji San via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I upgraded my freeipa server to F26 and I noticed it wasn't working > anymore. > So I ran 'ipa-server-upgrade' and got the following : > > Upgrading IPA: >

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Andrew Meyer via FreeIPA-users
Yes, this is exactly what I did. However something is weird and the policy is not being activated...maybe it's a priority thing? On Friday, November 10, 2017 7:17 AM, Aaron Cole via FreeIPA-users wrote: Did you try the command as defined in the sudo rule? sudo /usr/bin/su - jira Also

[Freeipa-users] Re: freeipa sudoers help

2017-11-10 Thread Andrew Meyer via FreeIPA-users
I will check this out and get back to you. Thank you. On Friday, November 10, 2017 8:04 AM, Aaron Cole via FreeIPA-users wrote: In IPA the Cmnd_Alias is more like the sudo command group. Basically you have 2 options on how you want to input sudo commands for rules. 1. input each com

[Freeipa-users] ipa-getkeytab: PrincipalName not found

2017-11-10 Thread Harald Dunkel via FreeIPA-users
Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : # kinit admin # ipa-getkeytab -s ipa1.example.de -p HTTP

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Rob Crittenden via FreeIPA-users
Fuji San via FreeIPA-users wrote: > I upgraded my freeipa server to F26 and I noticed it wasn't working anymore. > So I ran 'ipa-server-upgrade' and got the following : > > Upgrading IPA: > [1/8]: saving configuration > [2/8]: disabling listeners > [3/8]: enabling DS global lock > [4/8]: s

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
No, I cannot: Nov 10 15:33:56 myserver.mydomain systemd[1]: Starting The Apache HTTP Server... -- Subject: Unit httpd.service has begun start-up -- Defined-By: systemd -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit httpd.service has begun starting up. Nov 10 15:

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
ipa-server-upgrade $ ipa-server-upgrade Upgrading IPA: [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]: starting directory server [5/8]: updating schema [6/8]: upgrading server [7/8]: stopping directory server [8/8]: restoring configurat

[Freeipa-users] Re: ipa-getkeytab: PrincipalName not found

2017-11-10 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 10 Nov 2017, Harald Dunkel via FreeIPA-users wrote: Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : # kini

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Callum Guy via FreeIPA-users
Presumably you have tried reloading the service daemon as per the error message? (systemctl daemon-reload) I'm no expert, but it does appear that httpd refusing to start is at least the first problem you are encountering; whether it's the only issue will have to wait until this one is corrected! Try

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
OK, I figured out what happened. After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been modified somehow, preventing the httpd server from starting. Line 5: Listen 443 https. I had to comment it out. Line 61: #ServerName myserver.mydomain:443. I had to uncomment it. Somehow it was commented

[Freeipa-users] how to enable "kinit -n"

2017-11-10 Thread Charles Hedrick via FreeIPA-users
OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit. * concatenate /var/kerberos/krb5kdc/kdc.crt from all of the KDCs, and put the resulting file someplace on the clients

[Freeipa-users] Re: how to enable "kinit -n"

2017-11-10 Thread Alexander Bokovoy via FreeIPA-users
On Fri, 10 Nov 2017, Charles Hedrick via FreeIPA-users wrote: OK, I finally took time to figure out what is going on with kinit -n. This is an issue for us because we use one-time passwords, and kinit -n is useful for bootstrapping kinit. * concatenate /var/kerberos/krb5kdc/kdc.crt from all of

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Rob Crittenden via FreeIPA-users
Fuji San via FreeIPA-users wrote: > Ok I figured out what happened. > > After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been > modified somehow preventing the httpd server to start. > > Line 5 : Listen 443 https > I had to comment it. > > Line 61: #ServerName myserver.mydomain

[Freeipa-users] Re: sudo not working with hostgroups

2017-11-10 Thread Brian Topping via FreeIPA-users
Thanks Aaron, appreciate the input. Happy Friday! I read that article and that key-value does not exist. I also set the FQDN before `ipa-client-install` and let it do its magic. Only sssd.conf changes to add debug configuration (https://gist.github.com/briantopping/671341ea8025f127588a66801932

[Freeipa-users] FreeIPA & wireless

2017-11-10 Thread Andrew Meyer via FreeIPA-users
So I was wondering if anyone has FreeIPA set up to do authentication with wireless. We have an ArubaNetworks platform set up to do EAP-PEAP only, communicating back to the current OpenLDAP system, but would like to migrate to FreeIPA. I was able to set this up using Meraki MR18s but I have to us

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
OK, thanks. Removed mod_ssl package.

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Christophe TREFOIS via FreeIPA-users
Hi, How did you proceed? One by one just a yum update on all pending packages? -- Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSITÉ DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Mark Haney via FreeIPA-users
On 11/10/2017 12:08 PM, Christophe TREFOIS via FreeIPA-users wrote: Hi, How did you proceed? One by one just a yum update on all pending packages? -- Little late to the party, but FWIW, I just upgraded one of our IPA servers from 7.3 to 7.4 doing yum -y update.  Worked like a charm. I do hav

[Freeipa-users] Re: Listing groups in FreeIPA

2017-11-10 Thread Kristian Petersen via FreeIPA-users
I did that before sending my initial email. The command group_find() only appears to look for the group name that you tell it to search for. I am looking for something that will give me a list of every group in IPA without knowing their names. None of the group functions seem to provide this fun

[Freeipa-users] Re: Listing groups in FreeIPA

2017-11-10 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > I did that before sending my initial email. The command group_find() > only appears to look for the group name that you tell it to search for. > I am looking for something that will give me a list of every group in > IPA without knowing their names. N

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Charles Hedrick via FreeIPA-users
I did “yum upgrade ipa-server,” which presumably does the things that are most likely to be an issue. I didn’t have any problems. I’ll do the rest of the 7.4 upgrade during Thanksgiving break. I wasn’t actually planning to do the IPA 4.5 upgrade (which is what this did) until Thanksgiving. But

[Freeipa-users] Re: sudo not working with hostgroups

2017-11-10 Thread Aaron Cole via FreeIPA-users
Debug logs are always long... Even though you don't have that key, it shows how to do some further testing and debugging for sudo itself. In that article did you set the sudoers_debug to 3, to get all info for sudo (you can paste it here)? Did you check the nsswitch.conf for sss in it? Did

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Aaron Cole via FreeIPA-users
Did you try to set up a new rule with the user group allowed to run, on defined hosts, all commands as those particular users, and then use sudo -u {user} -i?

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Andrew Meyer via FreeIPA-users
I have not done that yet. I will do that though. On Friday, November 10, 2017 1:54 PM, Aaron Cole via FreeIPA-users wrote: Did you try to set up a new rule with the user group allowed to run, on defined hosts, all commands as those particular users, and then use sudo -u {user} -i?

[Freeipa-users] Re: sudoers issues

2017-11-10 Thread Aaron Cole via FreeIPA-users
I prefer making people use sudo over giving permissions to su. It's purely a preference though...

[Freeipa-users] Re: ldap cache

2017-11-10 Thread Aaron Cole via FreeIPA-users
The cache for a specific system user is always checked and updated whenever that user performs a task. However, SSSD caches all rules which relate to the local system. That complete cache is updated in two ways: -Incrementally, meaning only changes to rules since the last full update (ldap_sudo