[Freeipa-users] Replica load balancing and priority without DNS SRV

2018-10-29 Thread Ryan Slominski via FreeIPA-users
FreeIPA allows disabling DNS Autodiscovery by explicitly listing the host names of FreeIPA servers. However, it isn't clear if the order of host names matters. For example: ipa-client-install --server firsthostname.example.com --server secondhostname.example.com Is the first host name I list

[Freeipa-users] Re: Replica load balancing and priority without DNS SRV

2018-10-29 Thread Ryan Slominski via FreeIPA-users
Thanks Rob ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedora

[Freeipa-users] Service Account vs System Account vs User Account

2018-10-29 Thread Ryan Slominski via FreeIPA-users
It is not always clear the best way to create an account for a script or application to use. Generally this special type of account has no password expiration (or a very long expiration window). For example, some applications require a bind user to connect to LDAP. It seems there are a half a

[Freeipa-users] Re: Service Account vs System Account vs User Account

2018-10-30 Thread Ryan Slominski via FreeIPA-users
As far as option D goes I'm now starting to understand IPA makes a distinction between a password and Kerberos keys. If you don't set a password, but use ipa-getkeytab followed by ipa user-show the "Kerberos keys available" attribute changes from False to True, but "Password" remains False. T

[Freeipa-users] Re: Service Account vs System Account vs User Account

2018-10-30 Thread Ryan Slominski via FreeIPA-users
If I create an IPA Service is the default state for the keys in the keytab to never expire? How do I set a password policy max life to never expire? Use "0"? Leave that field blank in the GUI? Since the keys and password are separate it sounds like I can't use an IPA service as an LDAP bind

[Freeipa-users] Mix and Match Local Users and Groups with IPA Users and Groups?

2018-11-15 Thread Ryan Slominski via FreeIPA-users
What is the recommended way to handle a local user in an IPA group? For example, I have the standard local user "apache" that I'd like to add to an IPA group. I don't really want to add an "apache" user to IPA as it isn't really a regular user. Similarly, I don't want to create a local group o

[Freeipa-users] Re: Mix and Match Local Users and Groups with IPA Users and Groups?

2018-11-15 Thread Ryan Slominski via FreeIPA-users
Hi Rob, Thanks for the link. Sounds like there are some proposals / ideas on how to solve this problem, but no solution yet. I guess the workaround for now is to either promote the local apache user to be an IPA user or create a local group that mirrors the IPA group, but contains the apach

[Freeipa-users] How to find users who do not have a password set yet

2018-11-29 Thread Ryan Slominski via FreeIPA-users
I'm trying to find out which users do not have a password set yet. The "ipa user-find" command doesn't seem to allow filtering by "existence of password". Further, it doesn't show whether the password exists in output anyways. The user-show and user-add commands can show a "Password: False" o

[Freeipa-users] Re: How to find users who do not have a password set yet

2018-11-29 Thread Ryan Slominski via FreeIPA-users
Thanks Rob. I ended up creating a script that loops over each user via "ipa user-find" and then uses "ipa user-show" to check for password existence. I'm filtering the user-find by a specific user group, but the LDAP search could probably do that too and probably is much faster.

[Freeipa-users] Apache HTTPD Service Account Override

2018-07-11 Thread Ryan Slominski via FreeIPA-users
Hi IPA Users, I have a custom PHP script on the same Apache HTTPD server as used by IPA and the script attempts to make a request to the IPA Server's JSON endpoint using PHP's libcurl and a custom service principal. However, the request is coming across as the IPA HTTP service principal, not

[Freeipa-users] Re: Apache HTTPD Service Account Override

2018-07-12 Thread Ryan Slominski via FreeIPA-users
Further investigation suggests this might have something to do with gssproxy. I was expecting to find the HTTP keytab at /etc/httpd/conf/ipa.keytab, but now see it is in /var/lib/ipa/gssproxy. This problem only occurs if the PHP script is executed by the apache user in the context of the HTTP

[Freeipa-users] Re: Apache HTTPD Service Account Override

2018-07-12 Thread Ryan Slominski via FreeIPA-users
Thanks Simo, I've got this working now using PHP's shell_exec and a bash script that invokes curl directly (as opposed to using libcurl in PHP). This allows me to clear the environment (unset GSS_USE_PROXY). Here is the final solution for reference: PHP script now looks like: Shell script

[Freeipa-users] Kerberos Utilities Integration

2018-07-16 Thread Ryan Slominski via FreeIPA-users
Hi IPA Users, What is the status of the IPA integration with Kerberos utilities such as kadmin (kadmin.local) and kdb5_util? Can they be used or are they not supported? If not supported maybe they should report an error or warning. It seems setting a user's password expiration with kadmin wor

[Freeipa-users] Re: Kerberos Utilities Integration

2018-07-17 Thread Ryan Slominski via FreeIPA-users
Hi Alexander and Robbie, Thanks for the responses. I'm not quite ready to start hacking IPA just yet as I'm still trying to get it set up and running. I'll try to re-create the weirdness with password expiration not sticking with kadmin.local and I'll post back if I'm able to reproduce that.

[Freeipa-users] How can local root execute admin IPA commands?

2018-07-26 Thread Ryan Slominski via FreeIPA-users
Kerberos has kadmin.local, and I'm looking for a similar way to execute admin commands as the local root user. Looks like I could create a keytab, and use kinit on it, but ipa-getkey doesn't seem to work for the admin principal. So I could create a new service account instead, but I can't see

[Freeipa-users] Re: How can local root execute admin IPA commands?

2018-07-27 Thread Ryan Slominski via FreeIPA-users
Hi Alexander, I'm actually looking for a way to execute a command as local root without being prompted for a password. My understanding is adding an account for root to IPA is not a good idea as it would then be a domain account. I don't see how I can add root to "admins" group then. Also,

[Freeipa-users] Re: How can local root execute admin IPA commands?

2018-07-27 Thread Ryan Slominski via FreeIPA-users
doesn't kinit ticket. > On Jul 27, 2018, at 3:23 PM, Alexander Bokovoy wrote: > >> On Fri, 27 Jul 2018, Ryan Slominski via FreeIPA-users wrote: >> Hi Alexander, >> I'm actually looking for a way to execute a command as local root >> without being prompted f

[Freeipa-users] Re: How can local root execute admin IPA commands?

2018-07-30 Thread Ryan Slominski via FreeIPA-users
Creating a new user, adding them to the admins group, obtaining a keytab for the new user, then having root use kinit -kt on the keytab does work. Thanks.

[Freeipa-users] Kerberized SSH SSO

2018-08-06 Thread Ryan Slominski via FreeIPA-users
Hi IPA Users, I'm attempting to set up Single Sign-On (SSO) with SSH in an IPA domain. I'd like to allow users who already have a Kerberos ticket to be allowed to SSH around the network without being prompted for a password. I have the following configuration: /etc/ssh/sshd_config has: GSSAPI

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-07 Thread Ryan Slominski via FreeIPA-users
Hi Robbie, After setting KRB5_TRACE to a file in /tmp and running ssh command I get the following output: [1714] 1533649123.284380: ccselect module realm chose cache KEYRING:persistent:1234:krb_ccache_6taXFjL with client principal testu...@example.com for server principal host/testclient2.exa

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-07 Thread Ryan Slominski via FreeIPA-users
Hi Sumit, Here is the sshd server side output with logging set to DEBUG3 after re-running client and server over custom port 2: [root@testclient2 ~]# /usr/sbin/sshd -ddd -p 2 debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 920 de

[Freeipa-users] Re: Kerberized SSH SSO

2018-08-07 Thread Ryan Slominski via FreeIPA-users
Hi Robbie, What is the proper way to configure an IPA host so that the sshd will use the FQDN? I've noticed that IPA client installer modifies the file /etc/krb5.conf and adds the lines: dns_canonicalize_hostname = false rdns = false If I comment out those lines then SSO works. Alternativ

[Freeipa-users] Re: SSH SSO on Multi-Homed Hosts

2018-08-07 Thread Ryan Slominski via FreeIPA-users
Hi Dave, I might be totally off - but I noticed there is a principal alias option. If you want each IP to have a separate SSH key this probably won't work, but if all IPs on a box can share a single set of keys then this might work. Good luck, Ryan

[Freeipa-users] Where is the "Audit" in IPA?

2020-01-15 Thread Ryan Slominski via FreeIPA-users
Hi FreeIPA dudes, What is the status of audit in IPA? Specifically, is there an easy way to determine what the group membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be

[Freeipa-users] User stuck in preserved

2022-10-05 Thread Ryan Slominski via FreeIPA-users
Hi FreeIPA users, I've got a username in the preserved list that is bugged. If you try to search for the record on the web UI it throws an error, but still shows a record in the result table. On the UI the error is in a dialog box that reads: "Operations Error" with "Some operations faile

[Freeipa-users] Re: User stuck in preserved

2022-10-06 Thread Ryan Slominski via FreeIPA-users
Hi Flo, Thanks for the tips. Fortunately rebooting the server fixed the issue. I did activate some debug logging, but the amount of logging is enormous on a live active server though so it was going to be tough to correlate. I couldn't leave debugging enabled for long before resetting back t