So I had a running replica on CentOS 7 LXC which started giving me trouble,
so I decided to rebuild it.
Now, when running ipa-replica-install I get:
2018-11-04T20:12:20Z DEBUG stderr=pkispawn: ERROR...
subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled',
'-bn']'
On Mon, Nov 5, 2018 at 5:36 PM Rob Crittenden wrote:
> The bug was in dogtag and not in IPA. It looks like this is only fixed
> in 10.6.3+ upstream. I don't know if they have or plan to backport this
> to 10.5.x.
>
> The fix is
>
> https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486a
So I solved my LXC problems (thanks Rob, again), but now:
ipa-replica-install -U --setup-ca -N
fails when rebuilding my replica from scratch, see:
https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
, where I think I've copied the relevant logs. I think I saw someone
recommending
Might this be related to:
https://pagure.io/freeipa/issue/7654
Maybe?
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsu
er Tweedale wrote:
> On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users
> wrote:
> > Might this be related to:
> >
> > https://pagure.io/freeipa/issue/7654
> >
> > Maybe?
> >
> Possibly. Need the HTTP access log, the Dogtag access l
Alex Corcoles via FreeIPA-users wrote:
> > So I solved my LXC problems (thanks Rob, again), but now:
> >
> > ipa-replica-install -U --setup-ca -N
> >
> > fails when rebuilding my replica from scratch, see:
> >
> > https://gist.github.com/alexpdp7/4431da5e11afe
Hi Fraser and the new guys!
I think this may be it:
https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log
snip:
SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with
path [/ca] threw exception [Could not ini
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.
>
Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been up
Hi,
I've read:
https://www.freeipa.org/page/Web_App_Authentication
, but there is some stuff that is not clear to me.
1) SAML
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS ther
Hi,
On Sun, 2018-11-25 at 14:48 +0200, Alexander Bokovoy wrote:
> 1) SAML
> >
> > As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
> > Keycloak is the way to go, right?
> No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon
> is
> what Fedora Project's FAS service i
On Sun, 2018-11-25 at 18:51 +0100, Alex Corcoles wrote:
> Even if Ipsilon is phased out I think I'll try again. IIRC, I had an
> issue doing a test run, read about Keycloak being the future and gave
> up quickly. RHEL 7 is still good for a few years, so maybe I have an
> alternative solution on RHE
Hi,
On Sun, 2018-11-25 at 22:28 +0200, Alexander Bokovoy wrote:
> RHEL is not shipping Ipsilon, that's all that is explained above.
>
> Fedora Project is using it but Fedora's FAS service is deployed on
> RHEL
> and it is rock-solid for the functionality they use. There are 15
> pull
> requests
On Mon, 2018-11-26 at 09:24 +0100, Jakub Hrozek via FreeIPA-users
wrote:
> On Sun, Nov 25, 2018 at 06:51:36PM +0100, Alex Corcoles via FreeIPA-
> users wrote:
> > I mean it still requires a sizable amount of elbow grease. I think
> > there is no systemd unit file, it doesn'
On Fri, 2018-11-30 at 21:42 +0100, Jochen Hein via FreeIPA-users wrote:
> I've installed the client packages from snapshot.debian.org with a
> version near the freeze for the next release. That's working fine
> for
> me, but you won't get security fixes that way.
This is basically what I'm doing:
Massive thread necromancy but...
On Sun, 2018-11-25 at 12:21 +0100, Alex Corcoles wrote:
> 2) SSO
>
> What is the special sauce for users using a browser on an IPA-joined
> system to log in to apps without even seeing a login form? SPNEGO?
>
> I'm using mod_auth_gssapi for some apps, having http
On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy
wrote:
>
> Yes, the naming of Kerberos principals is more or less historical. All
> browsers only request service tickets to HTTP/ principal. If
> you expect browsers to utilize GSSAPI, your target Kerberos service
> principal must be HTTP/.. acc
l that the documentation is OK and I was just dumb :-p
On Mon, Mar 11, 2019 at 11:22 AM Alexander Bokovoy
wrote:
> On Mon, 11 Mar 2019, Alex Corcoles via FreeIPA-users wrote:
> >On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy
> >wrote:
> >
> >>
> >> Yes, the naming
So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it
worked!
I've seen some guides about joining an OS X system to FreeIPA, but I don't
think I want that (we are not currently joining work OS X systems to a
domain, but I suppose we will soon- and I guess joining two domains wo
t don’t work
> for MacOS. See
> https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os
> for
> the magic “defaults write” commands.
>
>
>
> On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
example.com.
>>
>> Note that the instructions for Chrome from the IPA webclient don’t work
>> for MacOS. See
>> https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os
>> for
>> the magic “defaults write” commands.
>>
>>
>>
&
Well, in that scenario site-to-site VPNs should not be too terrible (AWS
provides one, for instance).
I think that certainly having a default install which is "safe" to
expose to the Internet would be a very nice feature. However, I realize
that has its cost and maybe its drawbacks, so of cour
The output of ipactl looks very similar to systemctl status. Is it doing
much more than that? I'm already monitoring systemd failed units so I
wonder if it's worth checking ipactl.
On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
od/bad). Monitoring would expect metrics IMO, and even
> health checks you’d want to do on the WebUI, REST server, LDAP, KDC to see
> if they are responding in an expected way.
>
> The service can be up (according to systems or ipactl) but still produce
> garbage.
>
> John
>
>
On Tue, May 28, 2019 at 8:17 PM Rob Crittenden wrote:
> FWIW, speaking of healthcheck, you might want to look at the
> freeipa-healthcheck package in Fedora 28+. It produces JSON output and
> checks a bunch of things including whether services are running.
>
> It is still in pretty early developme
Hi Rob,
On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>
> The more feedback I get on it the better and more useful I can make it.
On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden wrote:
> I'm open to suggestions on this. I don't mean for it to scare anyone but
> the consequences can be head scratching. I have a blog entry on it that
> gets quite a few views.
>
Well, I think the ideal would be to prevent this from happening i
On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden wrote:
> Jones, Bob (rwj5d) via FreeIPA-users wrote:
> > If you’re making these sorts of changes, might I suggest a flag to
> generate Nagios safe output that is just a summary of how many
> warnings/errors were found like the way checkipaconsistency
On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick wrote:
> I use Kerberos at home. So do a couple of faculty. I have a Kerberos
> https: proxy set up on one of our public web servers. This is less than
> ideal, as it requires installing separate Kerberos software for both Mac
> and Windows. The Ker
OK, I just set up Nagios monitoring with ipa-healthcheck. In case someone
wants to replicate, this is roughly what I did with Puppet:
FreeIPA Puppet manifest:
Install the package:
+ exec {'/usr/bin/curl
https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/repo/epel-7/rcritten-ipa-he
Hi,
I've managed to integrate some webapps with FreeIPA nicely, both using
mod_auth_gssapi and Ipsilon. Both work great on computers joined to
FreeIPA, I am signed in automatically without typing my password.
Can a similar experience be achieved on Firefox Android? I can log in
putting my passwor
Hi,
I've been running ipa-healthcheck for a while and this morning I started to
get a few failures:
{
"source": "ipahealthcheck.ipa.certs",
"kw": {
"msg": "Request id 20180929065627 expires in 27 days",
"expiration_date": "20200104123511Z",
"days": 27,
"key": "20
can alert on the first two, but the third
one shows up somewhere, but doesn't send alerts.
...
I think I'll change my monitoring to just alert on CRITICAL and ERROR,
hopefully that won't be a bad idea.
Cheers,
Álex
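Pulling together the Nagios set-up described earlier in this thread, the suggestion of a "Nagios safe" summary of how many warnings/errors were found, and the decision above to alert only on CRITICAL and ERROR, the following is an added example (not Alex's Puppet code and not part of ipa-healthcheck itself). It reads the JSON list that ipa-healthcheck emits by default, where each entry carries a "source", a "check", a "result" level and a "kw" dict with a "msg", and reduces it to a Nagios plugin status line, perfdata and exit code. The sample data is constructed from the messages quoted in this thread and the check names in it are illustrative; whether WARNING results alert is a switch, since the thread found them too noisy to page on.

```python
"""Reduce ipa-healthcheck JSON to a Nagios plugin result (added example)."""
import json
import subprocess
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# ipa-healthcheck "result" values, least to most severe.
LEVELS = ("SUCCESS", "WARNING", "ERROR", "CRITICAL")


def run_healthcheck(cmd=("ipa-healthcheck",)):
    """Run ipa-healthcheck (JSON is its default output) and parse stdout.

    The tool exits non-zero whenever any check fails, so its exit status is
    deliberately ignored here; the parsed results decide the plugin state.
    Must run as root on an IPA server.
    """
    proc = subprocess.run(list(cmd), capture_output=True, text=True)
    return json.loads(proc.stdout)


def summarize(results, alert_on_warning=False):
    """Return (nagios_exit_code, plugin_output) for a list of result dicts.

    ERROR and CRITICAL always map to Nagios CRITICAL. WARNING maps to Nagios
    WARNING only when alert_on_warning is set; otherwise it is counted in the
    perfdata but does not alert. An unrecognised "result" value yields UNKNOWN
    rather than silently passing as OK.
    """
    counts = {level: 0 for level in LEVELS}
    unknown = 0
    details = []
    for r in results:
        level = r.get("result")
        if level not in counts:
            unknown += 1
            continue
        counts[level] += 1
        if level != "SUCCESS":
            kw = r.get("kw") or {}
            msg = kw.get("msg") or "(no message)"
            details.append("%s %s/%s: %s" % (level, r.get("source", "?"),
                                              r.get("check", "?"), msg))

    if counts["CRITICAL"] or counts["ERROR"]:
        code, state = CRITICAL, "CRITICAL"
    elif counts["WARNING"] and alert_on_warning:
        code, state = WARNING, "WARNING"
    elif unknown:
        code, state = UNKNOWN, "UNKNOWN"
    else:
        code, state = OK, "OK"

    summary = "IPA %s - %d critical, %d error, %d warning, %d ok" % (
        state, counts["CRITICAL"], counts["ERROR"], counts["WARNING"],
        counts["SUCCESS"])
    perfdata = "critical=%d error=%d warning=%d ok=%d" % (
        counts["CRITICAL"], counts["ERROR"], counts["WARNING"],
        counts["SUCCESS"])
    output = "%s | %s" % (summary, perfdata)
    if details:
        # Nagios "long output": one failing check per line after the status line.
        output += "\n" + "\n".join(details)
    return code, output


# Constructed sample, modelled on the healthcheck messages quoted in this
# thread; the check names are illustrative, not taken from a real run.
SAMPLE = [
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "WARNING",
     "kw": {"msg": "Request id 20180929065627 expires in 27 days",
            "key": "20180929065627", "days": 27}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation",
     "result": "ERROR",
     "kw": {"msg": "ra.get_certificate(): EXCEPTION (Invalid Credential.)"}},
    {"source": "ipahealthcheck.meta.services", "check": "dirsrv",
     "result": "SUCCESS", "kw": {}},
]


if __name__ == "__main__":
    # "--live" runs the real tool; otherwise the constructed sample is used.
    results = run_healthcheck() if "--live" in sys.argv else SAMPLE
    code, output = summarize(results, alert_on_warning="--warn" in sys.argv)
    print(output)
    sys.exit(code)
```

Run as `sudo python3 check_ipa_healthcheck.py --live` from NRPE or a similar agent; add `--warn` to page on expiring-certificate warnings as well. Because the script ignores the tool's own exit status and decides from the parsed results, a check that cannot even be parsed (empty or malformed stdout) raises and so surfaces as an NRPE failure rather than as a false OK.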
On Sun, Dec 8, 2019 at 7:08 PM Rob Crittenden wrote:
> Ale
Hi,
I'm monitoring using ipa-healthcheck and I just started getting:
$ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Cre
Thanks!
On Sun, Dec 22, 2019 at 11:13 AM Florence Blanc-Renaud
wrote:
> 4. On the other replicas, check that the certificate has been properly
> installed in the NSS database /etc/httpd/alias/ or in
> /var/lib/ipa/ra-agent.pem.
> If it's not the case, you can manually install the cert or call ge
:Dec 8 16:21:59 ipa certmonger: 2019-12-08
16:21:59 [15599] Invalid cookie: u''
, which is weird; 20200104123511 is in the future...
On Sun, Dec 22, 2019 at 9:04 PM Florence Blanc-Renaud
wrote:
> On 12/22/19 6:28 PM, Alex Corcoles via FreeIPA-users wrote:
> > Thanks!
>
Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that
while bringing up a replica.
I set up my first freeipa-server instance on a cheap VPS on a public IP,
intending to make it publicly accessible so I can always authenticate my
laptop even on wild public networks.
I'm addi
something like that, I'll try to reproduce
and start a new thread about that- but I guess it's more of an LXC problem
(ideally I would like to run my replica on LXC so it consumes less RAM, but
I can live with a full VM).
Cheers,
Álex
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-u
d
non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Cheers,
Álex
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
freeipa-user
't install FreeIPA in LXC, but I'm a happy user of FreeIPA running in
> LXC :-) So it should work
>
> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Hi Marti,
>>
>> On Tue, Jan 9, 2018 at 12:46
s <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> do you have a traceback in log? I'm curious where exactly this happened,
>> what is your FreeIPA version?
>>
>> [1]
>> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA runn
, Jan 9, 2018 at 10:05 PM, Alex Corcoles wrote:
> Ah, wait, this new replica doesn't have CA and DNS. Will try various
> combinations and post back.
>
> On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles wrote:
>
>> That's weird. I've now tried a replica install on
ists.fedorahosted.org> wrote:
> I meant traceback for the DNS issue :-)
>
> Could you please provide the reason why gssaproxy didn't start?
>
> journalctl -xe
> systemctl status gssproxy
> journalctl -u gssproxy
>
> 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-u
one (remove, disabling is not enough) and
> add it back after installation, if this won't cause you any service
> interruptions. (but you have to able to resolve h2.int.pdp7.net without
> forwardzone)
>
> 2018-01-10 19:38 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeip
Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
instead of a Requires=?
On Wed, Jan 10, 2018 at 9:41 PM, Robbie Harwood wrote:
> Alex Corcoles via FreeIPA-users
> writes:
>
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
&
Hi,
After some comments on:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/
I decided to file a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1533228
, but the comments there made me doubt my plan to set up FreeIPA,
Ah, that'd be wonderful- that will solve my problem as I don't need NFS on
LXC. If I have some time I will try editing the gssproxy unit file and see
if that's the only stopper to running a FreeIPA replica on LXC.
On Thu, Jan 11, 2018 at 9:17 PM, Robbie Harwood wrote:
>
Never mind, I don't seem to be able to reproduce this.
On Fri, Jan 12, 2018 at 12:35 PM, lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
>
> On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
>
>> > Jan 10 18:47:02 ctipa.
Hi,
Now that I have my FreeIPA server working in my setup, I'd like to
configure my Proxmox server as an IPA client; both for UNIX users and its
web/API.
As you might be aware, ipa-client-install is only in sid, and it seems to
be problematic. I'm posting everything I'm doing to keep this documen
full.
>
> 1. Enable sid repo
> 2. Install freeipa-client and python-sss packages
> 3. Update python-six to 1.10+
> 4. Restart dbus service
> 5. ipa-client-install command
>
> In the end - I've got completely working ipa-client for ssh and sudo.
>
> 2018-01-19 0:24
I'm just starting, but:
$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1791         680         274          72         835         833
Swap:             0           0           0
This is for personal use, so being able to run a replica at home for
On Tue, Jan 23, 2018 at 3:24 PM, Andrew Meyer wrote:
> For the most part, yes. It's cheap, low-power.
>
It also has no moving parts and you can swap out the SD card to a spare
quite easily. It's not something for an enterprise environment, but as a
hobbyist, it's an awesome thing for the cost.
Hi all,
Is there any official literature about how to monitor FreeIPA?
The upstream guide mentions:
1) Testing clients using id
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test
2) Adding a user on a
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein wrote:
> I'm using https://github.com/peterpakos/checkipaconsistency to monitor
> my replicas.
>
Yeah, but I'm not exactly reassured by choosing one of the many plugins out
there- or running them all. It would be great to push for an official check.
I'
You can, but you need to add the DNS entries that FreeIPA adds to its
domain to your DNS server.
What I did was install FreeIPA in a test environment and fish the entries
from there.
On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
Is there a ticket for this to watch?
On Wed, Feb 14, 2018 at 5:27 PM, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> On Wed, 14 Feb 2018, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
>
>> I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I i
I use a mixture of Puppet and FreeIPA to manage my "hobbyist" FreeIPA
installation. I actually use Puppet to install the FreeIPA packages, then
launch ipa-server-install through Ansible and I create my "service" Ansible
user and set up HBAC with Ansible, through the Ansible IPA module... I also
use
Hi,
Is there a nice combo that gives you a well-integrated remote desktop
(preferably RDP or something bandwidth friendly) on FreeIPA? What I mean
is something that can be dnf-installed and doesn't require much messing
around so I can use mstsc.exe or Remmina (or rocket-depot, etc.) and
connect t
Hi,
I run a FreeIPA domain as a hobbyist, basically to get password sync
among my boxes and some services. Right now I'm the sole admin (and
user). I've been toying with the idea of adding 2FA, but I wonder if
there's a good solution if I lose my token.
I guess I can have some sets of printed one
Hi,
I'm running Fedora 27 as my main desktop enrolled on my FreeIPA domain
for a while and it's awesome. I was toying with the idea of building a
cloud VM as a remote desktop, but xrdp is a bit annoying on Fedora 27
so I postponed that.
Now I'm playing with Fedora 28 on a VM, where xrdp works *be
I don't know whether this is good practice, but:
* You can run the action locally instead of in the target host; if the user
running Ansible has a ticket, it should work
* If you use ssh to connect to the IPA client host using an IPA user, you
should get a ticket and it should work
* Another optio
Hi!
When i use command
> ldapsearch -h ldap.exemple.com -p 389 -x -b dc=exemple,dc=com -L
>
> I get all information about my instance without any authentication
> How i can set authentication to this action ?
>
The term for this is "anonymous binds". How to disable them is mentioned in
the releva
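The setting behind that reply, as an added example that is not part of the thread: FreeIPA's directory server (389-ds) controls anonymous binds with the nsslapd-allow-anonymous-access attribute in cn=config. Applying the LDIF below as Directory Manager (for instance with `ldapmodify -x -D "cn=Directory Manager" -W`) restricts anonymous access to the root DSE only:

```ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
```

The value is "rootdse" rather than "off" on purpose: IPA clients, including ipa-client-install, read the root DSE anonymously before they bind, so "off" breaks enrolment, while "rootdse" refuses the unauthenticated subtree search shown in the question but keeps that discovery step working. cn=config is not replicated, so the change has to be applied on every replica; afterwards the same `ldapsearch -x -b dc=...` without credentials should be rejected rather than return the directory contents.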
Hi,
On Fri, May 8, 2020 at 3:18 PM Angus Clarke via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> We run out IPA infrastructure globally with VPN connected sites, no issue
> there. I don't have experience of road warrior VPN clients though. I'm not
> sure how IPA behaves when hos
>
> It shows up as hostname.ipadomain in FreeIPA (which doesn't match its name
> on the networks) and I've never had any issue- I suspect client hostnames
> are not really important.
>
Sorry, correction. My laptop's hostname *IS* hostname.ipadomain. When it
connects to different networks, the DNS
Hi,
I have a Debian (Proxmox) system joined to FreeIPA. I'm trying to log in via
SSH using Kerberos, but it doesn't work. If I start a debug SSH server, I get
the following output:
No key table entry found matching host/h1.h1.int.example.net@
, but hostname -f on the same host reports h1.examp
Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the
ipa-healthcheck service started failing (September 23rd, I think). I took a
look, and IIRC, it said something like some certs were about to expire. I
ignored that (because they renew automatically?). But then I checke
I forgot to add; I'm running two replicas, both are CAs and provisioned
identically, and only one of them shows this issue.
Oh, thanks for the playbook- I appreciate it.
It's surprising that some of the bugs you posted mention SELinux- the replica
that doesn't have issues is running SELinux, while the replica that has issues
doesn't (it's an LXC container).