On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
[...]
We have a test IPA server with HBAC allow_all and we can ssh to it reliably as
a regular user, but when we try to ssh as ‘first name.lastname@affiliate’ we
see the following exceptions in /var/log/sssd/krb5_child.log:
[...]
Are you 100% sure that you have a line like "sudoers: files sss" in your
/etc/nsswitch.conf?
On 7 August 2017 11:10:56 CEST, Alka Murali via FreeIPA-users wrote:
>Hello Team,
>
>Have checked all the logs, and the SSSD Logs are saying that it is
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
[...]
Did you ‘Allow GSSAPI credential delegation’ in the putty configuration?
Additionally the internal Windows Kerberos handling only allows
delegation to hosts which have the ok-to-delegate flag set in the
Kerberos service ticket.
How do those of you deal with files that should remain per-host (e.g.
.bash_history) when using automounted home directories?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
Does anyone have AIX 7 IPA Clients? Is there also an IPA client
installer around or do I have to go through this:
https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients
Regards,
Ronald
Hi,
today I found out that some entries in a keytab file seemed to have expired:
Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno
4 not found in keytab; keytab is likely out of date
Fetching the keytab again with ipa-getkeytab fixed the problem. But why
is this
Hi,
I read about the vault feature in the documentation and installed the
feature on my ipa master (ipa-kra-install). However, when I try to
access my vault on an ipa client, I get:
ipa: INFO: trying https://ipa2.linux.mydomain.at/ipa/session/json
ipa: INFO: trying
I upgraded from 7.3 to 7.4 on CentOS without a single issue.
Cheers,
Ronald
On 2017-09-19 11:53, Alexander Bokovoy wrote:
[...]
Please spend some time reading the documentation. It is vast and has a
lot of answers to questions people keep asking on these lists.
I've already spent some time reading the documentation. Since
"ipa-getkeytab" worked I was not aware of the
command leading to invalidating the keytab on the first two servers if I
issue the command on the third?
I would really appreciate some clarification here.
Regards,
Ronald
On 2017-09-14 11:46, Alexander Bokovoy wrote:
On Thu, 14 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
Hi,
today I
eytab has
option '-r' that allows to retrieve existing key if you have enough
privileges for that.
https://www.freeipa.org/page/V4/Keytab_Retrieval_Management describes
this feature.
Regards,
Ronald
On 2017-09-14 11:46, Alexander Bokovoy wrote:
On Thu, 14 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:
On 2017-09-28 11:37, Alexander Bokovoy wrote:
You need to define HBAC rules that target system-auth PAM service on
this host then.
But yes, any practical PAM service would work as long as you have
appropriate HBAC rules for this service.
Is an HBAC Service in IPA the counterpart to the PAM
Is it possible to find an IPA user or computer account from a windows
(AD) machine [trust between ipa and ad domain is set up]? If I try that,
all I get is a message that no object can be found.
Regards,
Ronald
On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote:
[...]
I think the best practice is to restrict the commands the users can run
to a bare minimum. Letting them only through sudo (as opposed to sudo
su) has the advantage that sudo sends all commands to the audit
subsystem. Also, if
We have some users that have ALL sudo permissions. What is the best way
of keeping track of all actions they do after having switched to the
root user? Or would it be better to completely prevent switching to the
root user? (if yes, what would be the recommended way of doing that?)
Regards,
Is there a chance that this will be implemented at some point in time?
My Use Case: I would like to use a System in the IPA domain as Citrix
VDA - the Citrix management software can only add computers that can be
found by their Windows-based tool.
Regards,
Ronald
Hi,
is there a way to configure parameters in sssd.conf when calling
ipa-client-install? It would be very helpful to be able to specify these
parameters:
[sssd]
default_domain_suffix = SOMEDOMAIN
[nss]
homedir_substring = /home
default_shell = /bin/bash
default_shell is the most important
Is there a way to rename an existing HBAC rule? The WebGUI only offers
enable/disable/delete...
Regards,
Ronald
I am using IPA and the automount feature for user home directories.
Where I did not find a suitable solution yet is what to do when a user
logs in for the first time. Due to the fact that /home gets mounted on
demand none of the pam modules (like pam_oddjob_mkhomedir) seem to work.
Is there a
If nobody has an answer here maybe someone has some input on which
factors are necessary to do an estimation on how many replicas are
needed per datacenter?
Hi,
for demonstration purposes I added two users to an external group that
already contained an AD group. The AD group had a human readable name.
The users as well.
When I removed these two users the AD group name changed from the human
readable name to the group SID. Why did that happen?
Hi,
we have been evaluating FreeIPA for quite a while now on our test setup
(1 IPA server, 1 Replica) and are planning to move towards production.
Can the whole setup be migrated from an ipa test to an ipa production
server? (the ipa 'linux.ourdomain.at' domain should stay the same) Or
would
Wow! I am impressed. That setting fixed my problem! Thanks a lot!
Cheers
Ronald
On 2018-09-27 20:47, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
The home directories of several servers in our company are IPA
automounted. About a week ago, this mechanism stopped working
The home directories of several servers in our company are IPA
automounted. About a week ago, this mechanism stopped working properly
on one server. The directory still gets mounted automatically but the
permissions are nobody:nobody.
I thought restarting idmapd or automount could solve the
I set up ipsilon on a separate machine as documented in
https://ipsilon-project.org/doc/quickstart-ipa.html
When I try to log in with the admin user I get the "Unauthorized" error.
The logs say:
==> ssl_error_log <==
[Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client
On 17.01.19 10:09, Alexander Bokovoy wrote:
On Thu, 17 Jan 2019, Ronald Wimmer via FreeIPA-users wrote:
I set up ipsilon on a separate machine as documented in
https://ipsilon-project.org/doc/quickstart-ipa.html
When I try to log in with the admin user I get the "Unauthorized"
Is it true that this feature is only available to native ipa users?
On 30.11.18 09:42, Ronald Wimmer via FreeIPA-users wrote:
Is there any possibility to use the vault feature for external (AD)
users?
On 21.11.18 17:40, Rob Crittenden via FreeIPA-users wrote:
[..]
Yes, masters are all more or less equal, the difference being whether
they run optional services and there are a few roles that only one
master has (CRL manager, renewal manager).
I still do not have a clear picture. Is it true
On 19.10.18 14:15, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
Hi,
we have been evaluating FreeIPA for quite a while now on our test setup
(1 IPA server, 1 Replica) and are planning to move towards production.
Can the whole setup be migrated from an ipa test
Hi,
I set up relevant ansible files exactly like described in:
https://www.freeipa.org/page/V4/ClientInstallationWithAnsible#Ansible_ipaclient_module
The ipaclient role was fetched from here:
https://github.com/freeipa/ansible-freeipa/tree/master/roles
Uninstalling an ipaclient works.
On 01.03.19 16:49, Thomas Woerner wrote:
Hello Ronald,
[...]
How old is your clone of the ansible-freeipa repository?
ipaclient_extraargs was only used in the beginning. ipaclient_principal
is the wrong name. Please update your ansible-freeipa clone.
Oh my god. You were completely right.
Today I was reading the documentation on
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Is the Prerequisite step necessary if the CA (Digicert) is already
trusted by the OS?
Regards,
Ronald
I successfully registered my server server5.mydomain.at. After setting up
an appropriate HBAC rule as well as setting the default domain in the
sssd.conf to a.mydomain.at I tried to connect to the server via SSH using:
myusern...@mydomain.at
This fails because the UPN seems to be picked:
On 28.01.19 12:36, François Cami wrote:
On Mon, Jan 28, 2019 at 12:20 PM Ronald Wimmer via FreeIPA-users
wrote:
What would be a good solution to add systems where the FQDN cannot be
changed?
It's a pretty generic question, could you be more specific?
Legacy systems are in an AD domain
On 28.01.19 12:42, Alexander Bokovoy wrote:
On Mon, 28 Jan 2019, Ronald Wimmer via FreeIPA-users wrote:
[...]
Is there any experience on how to deal with such a situation?
Really depends on where these existing clients are located and what is
their function. Do they belong to some other
On 29.01.19 12:28, Alexander Bokovoy via FreeIPA-users wrote:
[...]
I think you need to tune sssd configuration here. Sumit or Jakub may
have more details on what exact options should be used.
Should I contact them directly or are they gonna read this here anyway?
I tested an IPA user - that
What would be a good solution to add systems where the FQDN cannot be
changed?
Would it make sense to add a second DNS A Record in the IPA domain for
each of these systems?
Is there any experience on how to deal with such a situation?
Thanks a lot in advance!
Cheers,
Ronald
Afaik it should be possible to set a users umask by putting something
like "umask=0007" in the GECOS field in combination with pam_umask.so.
pam_umask.so seems to be present on our systems. What I do not know is
in which file (at which exact position) I would have to put "session
optional
On 02.07.19 20:19, Justin Stephenson wrote:
[...]
Do you see similar failures on RHEL8 with the above session recording
configuration? Is the problem specific to IPA client systems?
IPA or local user makes no difference. I am getting logged out
immediately after successful SSH login. (root
On 04.07.19 13:31, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 04 Jul 2019, Ronald Wimmer via FreeIPA-users wrote:
On 02.07.19 20:19, Justin Stephenson wrote:
[...]
Do you see similar failures on RHEL8 with the above session
recording configuration? Is the problem specific to IPA
On 02.07.19 17:12, Ronald Wimmer via FreeIPA-users wrote:
What I did on an OracleLinux 8 beta system (which is an IPA client)
was installing the packages tlog and cockpit-session-recording. I do
not want to use the cockpit web interface. What are the next steps in
order to get session
What I did on an OracleLinux 8 beta system (which is an IPA client) was
installing the packages tlog and cockpit-session-recording. I do not
want to use the cockpit web interface. What are the next steps in order
to get session recording working?
Cheers,
Ronald
On 02.07.19 17:16, Ronald Wimmer via FreeIPA-users wrote:
On 02.07.19 17:12, Ronald Wimmer via FreeIPA-users wrote:
What I did on an OracleLinux 8 beta system (which is an IPA client)
was installing the packages tlog and cockpit-session-recording. I do
not want to use the cockpit web
I have managed to login to an IPA client with a non-existing user.
My AD user is z123...@addomain.mydomain.at and I have created a similar
user called i123...@ipadomain.mydomain.at. What happened now is that I
could log in with the i-User and what I get to see after logging in is this:
On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote:
On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
I have managed
On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
I have managed to login to an IPA client with a non-existing user.
My AD user is z123...@addomain.mydomain.at and I have created a similar user
called i123
SSSD might be the right way to go. I followed this guide
https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/user-federation/sssd.adoc
but I am not sure what the output of "sssctl user-checks admin -s
keycloak" should be.
sssctl user-checks admin -s keycloak
Is there a way of using users coming from Active Directory in Keycloak?
Cheers,
Ronald
SSSD seems to work now and I can login to Keycloak with an IPA user.
Unfortunately, when trying to use an AD user I get an exception:
Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]:
13:10:46,967 WARN [org.keycloak.services] (default task-52)
KC-SERVICES0013: Failed
On 22.07.19 17:29, Alexander Bokovoy wrote:
[...] It might be related to a recent update:
https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server
If I try to issue the command
netdom trust second.mydomain.at
On 27.08.19 14:06, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
Is it possible to use multiple automount locations (i.e. sssd.conf
containing ipa_automount_location=locationA,locationB)?
A location provides the master map so there can be only one.
Thanks
Is it possible to use multiple automount locations (i.e. sssd.conf
containing ipa_automount_location=locationA,locationB)?
Cheers,
Ronald
On 29.08.19 08:59, Jakub Hrozek via FreeIPA-users wrote:
[...]
Apparently they are not defined on the server side. btw is
ronald.wim...@mydomain.at a user in the trusted domain or the IPA
domain?
The user comes from a trusted domain where all four attributes exist and
have values.
When
On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote:
[...]
OK, this is what I would have expected. Is it possible to enable
debugging and run the KC operation to see exactly what is being looked
up and what fails?
(Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict]
(0x0400):
On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote:
[...]
Sorry, it's not totally clear to me if all the attributes were mapped to
mail by the KC installer or by your snippet?
The original config looked like it should after executing keycloak's
federation-sssd-setup.sh:
[domain
On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote:
[...]
Wait, do they really map all these attributes to mail? This seems wrong,
the format is externalname:ldapname and IIRC the last one wins, so the last
one is applied and stores mail as telephoneNumber.
Sorry. I pasted a config
On 16.04.19 11:12, Ronald Wimmer via FreeIPA-users wrote:
[...]
In general default_domain_suffix should not be used anymore, better is
to define a domain lookup order on the IPA server.
How exactly would I do that?
Cheers,
Ronald
Sorry for asking. I might have missed to read that part of the official
documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/short-names#configuring-clients
Configured it on the ipa server side and it works like a charm!
What I am still missing is setting the default shell on the server side
as well. I still have to use the default_shell entry in the nss section
of sssd.conf to set the shell to /bin/bash for AD users.
Cheers,
Ronald
On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote:
[...]
As far as I remember, Keycloak uses the D-Bus interface of SSSD to
retrieve the user's attribute. Can you check if the ifp service is up
and running and if there are any helpful logs in the sssd_ifp.log file?
I do not get AD
On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote:
[...]
Hmm, I don't remember from the top of my head which attributes does KC
try to fetch, but e-mail sounds like what it would need, at least that's
what's most commonly used for claims and such.
If you correlate the KC lookup errors
On 23.08.19 18:03, Alexander Bokovoy wrote:
[...] Is this Keycloak installation done separate from IPA master? If
yes,
then you need to have ldap_user_extra_attrs on both IPA client where
Keycloak runs and on IPA masters that SSSD would talk to to obtain
information about AD users.
Keycloak
On 22.07.19 17:29, Alexander Bokovoy wrote:
[...] It might be related to a recent update:
https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server
I bet we have been struck by that. PuTTY-Settings are correct,
On 23.07.19 09:54, Alexander Bokovoy wrote:
On Tue, 23 Jul 2019, Ronald Wimmer wrote:
On 22.07.19 17:29, Alexander Bokovoy wrote:
[...] It might be related to a recent update:
https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server
Unfortunately, when I try the following on an affected windows machine
it does not work:
C:\> netdom trust linux.mydomain.at /domain:ad.mydomain.at /EnableTGTDelegation:Yes /verbose
Establishing a session with \\ipa1.linux.mydomain.at
Reading LSA domain policy information
Deleting the
Removing the SendEnv line in /etc/ssh/ssh_config solved the problem.
Thanks a lot!
Some days ago a strange problem struck us. When colleagues access a
server using an ipa-automounted share from a Windows client they can
logon to such a server using a Kerberos ticket but they cannot access
their NFS-automounted home-share anymore. When they log on with
username/password they
When it does not work I can see the following error in the logs:
Jul 18 15:12:49 myservername gssproxy[5592]: (OID: { 1 2 840 113554 1 2
2 }) Unspecified GSS failure. Minor code may provide more information,
No credentials cache found
On 23.07.19 15:19, Alexander Bokovoy wrote:
netdom trust ad.mydomain.at /domain:linux.mydomain.at
/enabletgtdelegation:Yes /verbose
I think you are right. This way a domain controller is contacted. But
still, I get an "Access is denied.". Presumably I would need an AD admin
to issue that
On 23.07.19 16:03, Alexander Bokovoy wrote:
On Tue, 23 Jul 2019, Ronald Wimmer wrote:
On 23.07.19 15:19, Alexander Bokovoy wrote:
netdom trust ad.mydomain.at /domain:linux.mydomain.at
/enabletgtdelegation:Yes /verbose
I think you are right. This way a domain controller is contacted. But
On 23.07.19 16:06, Ronald Wimmer via FreeIPA-users wrote:
On 23.07.19 16:03, Alexander Bokovoy wrote:
On Tue, 23 Jul 2019, Ronald Wimmer wrote:
On 23.07.19 15:19, Alexander Bokovoy wrote:
netdom trust ad.mydomain.at /domain:linux.mydomain.at
/enabletgtdelegation:Yes /verbose
I think you
On 22.07.19 16:18, Rob Crittenden wrote:
Rolf Linder via FreeIPA-users wrote:
Hi all
We've seen the same issue at our site too.
Kerberos SSO logins do not work for (remote) NFS access anymore. We can access
the share when using password login (or after SSO login by using kinit). Any
hints
On 22.07.19 16:25, Rob Crittenden wrote:
[...]
An assumption here since your workflow isn't completely clear but do you
actually have a ticket on the Linux machine after sshing in from
Windows? Sure seems like you don't.
The affected users do not have any Kerberos ticket on the target machine.
I have an IPA installation with an AD trust from ipa.mydomain.at to
ad.mydomain.at.
What is the Realm domains feature for?
Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as
an additional realm domain? Will Kerberos and AD trust (configured for
ipa.mydomain.at) work for
Today I was not able to log in with an AD user to an IPA client within a
test setup. IPA users worked fine.
DNS is managed externally. I figured out that the DNS-Record of that
particular IPA client has not been created correctly. After having
corrected the DNS entry and having dropped the
On one of the IPA servers themselves a
getent passwd myadu...@bau.mydomain.at
is working. On the system where I cannot login with this user I do not
get a result.
What do I have to look for in which sssd log file in order to find out
what the problem is?
Cheers,
Ronald
Simply increasing the krb5_auth_timeout in the client's sssd.conf did
the trick. Thanks for the good troubleshooting guide at
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Cheers,
Ronald
The only log entries that appear when a different user tries it do
appear in /var/log/secure:
Nov 6 10:33:19 ws102317180 sshd[24003]: Invalid user
an_ad_u...@bau.mydomain.at from 10.16.11.218 port 60646
Nov 6 10:33:19 ws102317180 sshd[24003]: input_userauth_request: invalid
user
On 06.11.19 08:08, Sumit Bose via FreeIPA-users wrote:
On Wed, Nov 06, 2019 at 12:20:21AM +0100, Ronald Wimmer via FreeIPA-users wrote:
Today I was not able to log in with an AD user to an IPA client within a
test setup. IPA users worked fine.
DNS is managed externally. I figured out
Today I've encountered a strange problem on a Centos 7.7 machine with
IPA automounted user homes.
When I try to do a git clone in my home directory using SSH it aborts
abnormally with the following error message:
remote: Enumerating objects: 4045, done.
remote: Counting objects: 100%
It seems that this was a coincidence... sometimes AD users are found but
most of the time they are not:
[root@ipaclient sssd]# id us...@bau.mydomain.at
id: us...@bau.mydomain.at: No such user
[root@ipaclient sssd]# id us...@bau.mydomain.at
id: us...@bau.mydomain.at: No such user
Where do I
On 08.11.19 11:08, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Are these assumptions true:
- ipaA became a trust controller by issuing the "ipa trust-add" command
- ipaB will have to be configured as trust agent
Correct. By running ipa-adtrust-install --add-agents on ipaA, you can
add
On 08.11.19 10:15, Sumit Bose via FreeIPA-users wrote:
On Fri, Nov 08, 2019 at 10:04:41AM +0100, Ronald Wimmer via FreeIPA-users wrote:
It seems that this was a coincidence... sometimes AD users are found but
most of the time they are not:
[root@ipaclient sssd]# id us...@bau.mydomain.at
id
I think I know where to take a closer look.
I have 2 IPA servers, let's call them ipaA and ipaB. On ipaA everything
works without any problems. On ipaB I cannot resolve AD users.
The "ipa trust-add" command has only been issued on ipaA. Some time ago
I read about trust controllers and trust
On 04.12.19 20:32, Rob Crittenden via FreeIPA-users wrote:
[...]
In my opinion as a general rule it is far safer to create a new master
than in-place upgrade.
Thank you very much for your quick reply!
Cheers,
Ronald
Could a RedHat guy give a short answer to my last question, please?
Cheers,
Ronald
Will this feature also allow using ipa vault for AD users?
Hi,
is there a way to use multiple HBAC rules in the same "Require
pam-account" line in one and the same Apache config?
Something like
Require pam-account hbacA|hbacB
Cheers,
Ronald
After a reboot of a RHEL 7.7 machine autofs.service did not start:
Sorry... Accidentally hit "send message" somehow. Here is the full story:
When that server is booted autofs.service does not run. (inactive: dead)
Trying to start it with systemctl results in that command hanging.
After restarting rpcidmapd, rpcgssd and sssd I tried again without success.
A
According to a RedHat document
(https://access.redhat.com/articles/4263361 ) an in-place upgrade is
only possible from RHEL 7.6 to RHEL 8.1. Unfortunately, I've kept my IPA
servers up-to-date so that their version is now 7.7.1908.
The document also states that there will be a possibility to
I cannot remember to have set anything to "debug" regarding CA.
Nevertheless, these files are growing continuously:
-rw-r-. 1 pkiuser pkiuser 1.6G Dec 10 09:15
/var/log/pki/pki-tomcat/ca/debug
-rw-r-. 1 pkiuser pkiuser 303M Dec 10 09:16
/var/log/pki/pki-tomcat/ca/debug
-rw-r-. 1
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Details are in https://access.redhat.com/articles/4661861 (accessible
with a subscription but even free Developer's subscription is fine).
"Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that
allows the use of
I would like to set values for
On 28.02.20 08:53, Alexander Bokovoy wrote:
On Fri, 28 Feb 2020, Ronald Wimmer via FreeIPA-users wrote:
Is there a way to set some default keys and values that end up in an
IPA client's sssd.conf upon ipa-client-install?
I don't think of any that are applied
Is there a way to set some default keys and values that end up in an IPA
client's sssd.conf upon ipa-client-install?
Cheers,
Ronald
On 25.02.20 11:27, Sumit Bose via FreeIPA-users wrote:
'cache_credentials' only controls if the credentials given by the user,
typically this is a password, are stored in the cache in a hashed
version.
In regard to caching, what happens when an AD user gets locked or
changes its password? When
On 28.02.20 10:04, Sumit Bose via FreeIPA-users wrote:
would it help to create a file in /etc/sssd/conf.d/ with the config
settings you would like to add before calling ipa-client-install? See
section 'CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY' in the sssd.conf
man page for more details.
If SSSD has cache_credentials set to True it will take some time until
changes become visible on an IPA client. When I change sudo permissions
for a certain user I usually want the changes to be effective
immediately. Does this imply setting cache_credentials to False or what
are best practices
I was not aware of that. If I change sudo rules for a certain user do I
have any control on how long the changes take to be effective? Is
invalidating the cache on a client the only option I have?
Cheers,
Ronald
Hi,
will Microsoft's decision to let domain controllers talk LDAPS only in
the near future affect IPA somehow?
Cheers,
Ronald