[Freeipa-users] radius-proxy / Blast-Radius

2024-11-15 Thread Angus Clarke via FreeIPA-users
Hello Our RSA infra was upgraded to address Blast-Radius vulnerability https://www.blastradius.fail/ Since then, radius-proxy enabled users can no longer authenticate against those providers. I understand the RSA radius servers now require Message-Authenticator attributes to be set which I sup

[knot-dns-users] Re: EPEL Packages

2024-10-31 Thread Angus Clarke
Hi Günther The Fedora EPEL version 3.3.9 was built quite recently: rpm -qip knot-3.3.9-1.el9.x86_64.rpm  | grep Build\ Date Build Date  : Mon 26 Aug 2024 16:52:07 CEST Which is the same day Daniel announced that version actually! I guess whoever maintains the package in Fedora EPEL need

[ovirt-users] High Performance VMs - cpu pinning

2024-09-02 Thread Angus Clarke
Hi In 4.10.1. Creating a High Performance Virtual Machine, Template, or Pool https://www.ovirt.org/documentation/virtual_machine_management_guide/index.html#creating-a-high-performance-virtual-machine-template-or-pool I need some help trying to understand this section, please see my comments

[ovirt-users] hosted-engine --deploy - trigger storage rescan

2024-04-26 Thread Angus Clarke
Hello OLVM 4.5 - SHE install Our storage guy messed up the FC storage allocation -> when the SHE install got to ask about storage for the hosted_engine the expected LUN was not in the list. It took the process around an hour to get to this point so I didn't want to restart from the beginning,

[knot-dns-users] knotc reload after updates to knot.conf

2024-04-17 Thread Angus Clarke
Hello, When doing something quite dramatic in knot.conf like adding and/or removing a zone, is "knotc reload" a suitable approach to honour those changes or would you recommend restarting the whole process? "knotc reload" seems to work just fine in test, I'm just looking for some further c

[ovirt-users] Re: HPE Oneview KVM appliance 8.8.0 / 8.7.0

2024-04-12 Thread Angus Clarke
failures. Overall this is probably not very interesting as this seems to revolve around IDE disk types - I'll feedback to HPE the Virtio-SCSI notes that Gianluca and Simon have mentioned. Thanks a lot Angus On Thu, 11 Apr 2024 14:42:32 +0200 Angus Clarke wrote --- Hi Gian

[ovirt-users] Re: [External] : Re: HPE Oneview KVM appliance 8.8.0 / 8.7.0

2024-04-11 Thread Angus Clarke
, share the SR number you created. Thanks Simon On Apr 11, 2024, at 2:42 PM, Angus Clarke <mailto:an...@ajct.uk> wrote: Hi Gianluca Thank you for the detailed instructions - these were excellent, I wasn't aware of the "lsinitrd" command before now - thanks! My VM sti

[ovirt-users] Re: HPE Oneview KVM appliance 8.8.0 / 8.7.0

2024-04-11 Thread Angus Clarke
On Wed, 10 Apr 2024 23:59:22 +0200 Gianluca Cecchi wrote --- On Wed, Apr 10, 2024 at 12:29 PM Angus Clarke <mailto:an...@ajct.uk> wrote: Hi Gianluca The software is free from HPE but requires a login, I've shared a link separately. Thanks for taking an interest Regards A

[ovirt-users] Re: HPE Oneview KVM appliance 8.8.0 / 8.7.0

2024-04-10 Thread Angus Clarke
Hi Gianluca The software is free from HPE but requires a login, I've shared a link separately. Thanks for taking an interest Regards Angus On Wed, 10 Apr 2024 11:56:54 +0200 Gianluca Cecchi wrote --- On Wed, Apr 10, 2024 at 11:47 AM Angus Clarke <mailto:an...

[ovirt-users] HPE Oneview KVM appliance 8.8.0 / 8.7.0

2024-04-10 Thread Angus Clarke
Hello folks I realise this probably isn't the place for this but someone might be interested or have some knowledge. I deployed the KVM version of HPE Oneview 8.8 to oVirt 4.5 (OLVM 4.5) It came as a single QCOW2 disk image. The VM I created needed a couple of tweaks to get it to boot (C

[FreeRDP-devel] wfreerdp.exe - some options don't appear to be working

2024-03-05 Thread Angus Clarke via FreeRDP-devel
Hello I realised I was using some different version (older?) downloaded from: https://cloudbase.it/freerdp-for-windows-nightly-builds/ Which is the first Windows URL mentioned under https://github.com/FreeRDP/FreeRDP/wiki/PreBuilds However since downloading latest built wfreerdp.exe from https

[ovirt-users] Re: Dedicated Migration Network

2022-06-21 Thread Angus Clarke
Just to share some operational experience, I set MTU=9000 on all our networks including the migration network 👍 Worthy mention: You must ensure this is applied on network equipment otherwise your packets will fragment which would likely result in worse performance than leaving the default MTU o

[ovirt-users] Re: Dedicated Migration Network

2022-06-20 Thread Angus Clarke
Hi Clint, Just from experience, yes the migration network is IP based and doesn't need a gateway. Regards Angus From: Clint Boggio Sent: 20 June 2022 15:43 To: users@ovirt.org Subject: [ovirt-users] Re: Dedicated Migration Network Thanks for the input Abe. For

[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Thanks Rob Angus From: Rob Crittenden Sent: 15 June 2022 14:15 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Upgrading from EL7.9 to EL8 Angus Clarke via FreeIPA-users wrote: > Hello > > I am planning the upgrade of one of ou

[Freeipa-users] Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Hello I am planning the upgrade of one of our FreeIPA deployments from EL7.9 Previously, we have been quite good at upgrading through OS point upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA software. Upgrading our FreeIPAs from EL7.9 today will see me introd

[Freeipa-users] Re: hostgroup automember rules

2022-05-27 Thread Angus Clarke via FreeIPA-users
nks for the pointers Regards Angus ____ From: Angus Clarke Sent: 26 May 2022 09:11 To: Rob Crittenden ; FreeIPA users list ; Alexander Bokovoy Subject: Re: [Freeipa-users] Re: hostgroup automember rules Super that worked a treat thanks, however I see that the host

[Freeipa-users] Re: hostgroup automember rules

2022-05-26 Thread Angus Clarke via FreeIPA-users
g the ipa-client-install command. Thanks again Angus From: Rob Crittenden Sent: 25 May 2022 20:24 To: FreeIPA users list ; Alexander Bokovoy Cc: Angus Clarke Subject: Re: [Freeipa-users] Re: hostgroup automember rules This is controlled by the permission '

[Freeipa-users] Re: hostgroup automember rules

2022-05-25 Thread Angus Clarke via FreeIPA-users
ntry 'cn=automember rebuild membership,cn=tasks,cn=config'. Thanks a lot Angus From: Alexander Bokovoy Sent: 20 May 2022 13:39 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi Angus, On pe, 20 touko 2022

[Freeipa-users] Re: hostgroup automember rules

2022-05-23 Thread Angus Clarke via FreeIPA-users
Thanks a lot Alexander. From: Alexander Bokovoy Sent: 20 May 2022 13:39 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi Angus, On pe, 20 touko 2022, Angus Clarke via FreeIPA-users wrote: >Hello > &g

[Freeipa-users] Re: hostgroup automember rules

2022-05-23 Thread Angus Clarke via FreeIPA-users
Thanks a lot Flo. From: Florence Blanc-Renaud Sent: 20 May 2022 13:12 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] hostgroup automember rules Hi, On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users mailto:freeipa-users

[Freeipa-users] hostgroup automember rules

2022-05-20 Thread Angus Clarke via FreeIPA-users
Hello FreeIPA 4.6.8 We are very happy with hostgroup automember rules based on servername attribute however one of our internal customers uses a generic servername template for all of their servers regardless of its function. So I'm wondering what other attributes I might use for hostgroup aut

Re: per record responses based on originating IP

2022-05-17 Thread Angus Clarke
t geoip module overview: https://blog.apnic.net/2018/11/14/geoip-in-knot-dns-2-7/ Thanks Angus From: bind-users on behalf of Nick Tait via bind-users Sent: 16 May 2022 13:55 To: BIND Users Mailing List Subject: Re: per record responses based on originating IP On 16/0

Re: per record responses based on originating IP

2022-05-16 Thread Angus Clarke
Thanks for taking the time Nick and Grant, As mentioned in a separate reply to Grant, the goal is to have (amongst other things) local recursors "find" the locally deployed authoritative servers through NS records. What hasn't been mentioned is that I am also looking to simplify configuration m

Re: per record responses based on originating IP

2022-05-15 Thread Angus Clarke
added to the RRset. Maybe I can limit a RRset response to the first X number of entries? Thanks Angus From: bind-users on behalf of Grant Taylor via bind-users Sent: 12 May 2022 18:11 To: bind-users@lists.isc.org Subject: Re: per record responses based on o

per record responses based on originating IP

2022-05-12 Thread Angus Clarke
Hello I'm familiar with Dan Bernstein's aging DNS software. With it I can add location based responses to individual records, so that the DNS can respond differently to a name lookup according to the source network/IP on a per-record basis. With bind (and others) it seems that DNS views are th

[Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

2022-05-04 Thread Angus Clarke via FreeIPA-users
Thank you for the direction Regards Angus From: Alexander Bokovoy Sent: 04 May 2022 09:58 To: FreeIPA users list Cc: Florence Blanc-Renaud ; Angus Clarke Subject: Re: [Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain On ke, 04 touko 2022, Angus

[Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

2022-05-04 Thread Angus Clarke via FreeIPA-users
infra. Thanks Angus From: Florence Blanc-Renaud via FreeIPA-users Sent: 03 May 2022 13:37 To: FreeIPA users list Cc: Angus Clarke ; Florence Blanc-Renaud Subject: [Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain Hi, On Tue, May 3, 2022 at 11:59 AM

[Freeipa-users] EL8 ipa upgrade / Single Level Domain

2022-05-03 Thread Angus Clarke via FreeIPA-users
Hello We installed our IPA servers back in EL7.2 days and deployed with a single level domain and matching (uppercased) realm. Through various upgrades we are now at EL7.9 and are aware that the ipa-client-install command has become finickity about single level domains however thus far we have

[ovirt-users] Re: No bootable device

2022-03-25 Thread Angus Clarke
Hi Nicolas You could try "fixing" the VM OS boot process by booting into rescue mode from the VM Linux distribution's installation CD - you'd need to read up on re-writing the boot software (probably grub.) and/or you could look at exporting the disk back to VirtualBox and trying to boot it the

[ovirt-users] No bootable device

2022-03-23 Thread Angus Clarke
Hi Nicolas In oVirt 4.3: Compute -> Virtual Machines -> Select VM On the VM screen: Disks -> Highlight disk -> Edit Check the bootable tick box Hope that helps Angus From: nico...@devels.es Sent: 23 March 2022 14:00 To: users@ovirt.org Subject: [ovirt-users

[ovirt-users] Re: Importing KVMs and QCOW

2022-03-07 Thread Angus Clarke
> The odd thing when I do that is that on boot the VM says no boot device or > the like Did you set the boot disk flag in oVirt? Compute -> VMs -> "Highlight VM" -> Disks -> "Highlight boot disk" -> Edit -> "Bootable" tick box Otherwise you should also check the disk type in oVirt is the same a

[ovirt-users] Re: VM Disk extend not reflected in VM oS

2022-02-25 Thread Angus Clarke
Manual rescan the SCSI bus, for each echo "- - -" > /sys/class/scsi_host//scan Regards Angus From: si...@justconnect.ie Sent: Friday, February 25, 2022 3:32:01 PM To: users@ovirt.org Subject: [ovirt-users] Re: VM Disk extend not reflected in VM oS In a produ

[ovirt-users] Re: oVirt alternatives

2022-02-21 Thread Angus Clarke
Hi Sandro Thanks for sharing, probably the stand out question to the uninitiated would be; why not integrate oVirt as OpenShift's virtualization stack? Thanks Angus From: Sandro Bonazzola Sent: Monday, 21 February 2022, 8:31 am To: Nathanaël Blanchet Cc: users

[ovirt-users] Re: Enable Power Management Ovirt 4.3

2022-02-17 Thread Angus Clarke
oVirt's ilo4 fence agent is not dependant on kdump - I think this answers your question. Regards Angus From: emiliano.pozzess...@satservizi.eu Sent: 17 February 2022 14:19 To: users@ovirt.org Subject: [ovirt-users] Re: Enable Power Management Ovirt 4.3 Hi Angu

[ovirt-users] Re: Enable Power Management Ovirt 4.3

2022-02-17 Thread Angus Clarke
There is a fence agent in oVirt 4.3 called "ilo4" - use this agent for HPE-ilo4 devices. You should not need any Options. Regards Angus From: emiliano.pozzess...@satservizi.eu Sent: 17 February 2022 13:25 To: users@ovi

[ovirt-users] Re: Enable Power Management Ovirt 4.3

2022-02-17 Thread Angus Clarke
Hi Emiliano Please check you have enabled IPMI/DCMI on the ilo device in order to use the fence_type "ilo4" and that network access is in place (port 623, not sure if TCP is required or not.) The ilo account needs various privileges on the device also, to start with give the user full administ

[ovirt-users] oVirt 4.3 - Fibre Channel Data Domain as ISO dump.

2022-02-14 Thread Angus Clarke
Hello RE: oVirt 4.3 - Fibre Channel Data Domain as ISO dump. Thanks for letting me join the list. I added a fibre channel Data domain with a view to using it as an ISO dump however I cannot mount CDs to VMs with this error: "Error while executing action Change CD: Drive image file could not be

[Freeipa-users] Re: Web service to receive callbacks via HTTP

2022-01-18 Thread Angus Clarke via FreeIPA-users
Hi Akshay I'm unfamiliar with your specific question (I'm just a user) however the web interface and command line tools use the API to perform these processes which in turn get logged to Apache's error_log. Regards Angus From: akshay p via FreeIPA-users Sent:

[Freeipa-users] Re: DNS and FreeIPA

2021-12-28 Thread Angus Clarke via FreeIPA-users
: FreeIPA users list ; Rafael Jeffman ; Peter Larsen Cc: Dave Mintz ; Angus Clarke Subject: Re: [Freeipa-users] Re: DNS and FreeIPA Hi Angus, Just be aware that maintaining parallel records is an overhead in the longer term as it's a manual process of keeping things in sync. Delegation is

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Thanks for sharing Harry, I really appreciate you and everyone else, taking the time to consider my situation. Regards Angus From: Harry G. Coin via FreeIPA-users Sent: Tuesday, December 28, 2021 12:17:16 AM To: freeipa-users@lists.fedorahosted.org Cc: Harry G.

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
ct that you're not getting a response that answers your question. I suspect that the domain will offer some public services and some private services and that's what you're struggling with. However you haven't articulated this either. -Original Message- From: Angu

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Thanks for your replies, I think I need to focus on internal resolver configuration and less on public subdomain delegation. Cheers Angus From: Rafael Jeffman Sent: Monday, 27 December 2021, 11:11 pm To: Peter Larsen Cc: Angus Clarke; FreeIPA users list

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
on the topic myself. Regards Angus From: Rafael Jeffman Sent: Monday, 27 December 2021, 8:15 pm To: Angus Clarke Cc: FreeIPA users list; Dave Mintz; Peter Larsen Subject: Re: [Freeipa-users] Re: DNS and FreeIPA Hello Angus, On Mon, Dec 27, 2021 at 11:31 AM Angus Clarke mailto:an...@charworth.

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Angus Clarke via FreeIPA-users
Hi Rafael What is not clear to me is how to integrate FreeIPA with a real public DNS domain, which I think is what Dave is referring to as he mentioned he owns a legitimate domain. In any case, AFAIK we're not supposed to use made up domains for internal DNS anymore ... I see the docs talk abo

[Freeipa-users] Re: DNS and FreeIPA

2021-12-26 Thread Angus Clarke via FreeIPA-users
Hi You could host split view dns so as to only give responses to queries from certain (your) IP addresses, thus hiding your private DNS information from general public queries. Similarly yet more succinctly, you could use a subdomain and delegate the DNS for that to a private IP in your networ

[Freeipa-users] Re: freeIPA Status Debian/Ubuntu

2021-09-06 Thread Angus Clarke via FreeIPA-users
AFAIK Oracle still produce RHEL based Linux releases for free, however I haven't yet migrated to EL8. Regards Angus From: Nico Maas via FreeIPA-users Sent: 06 September 2021 07:52 To: Ian Willis Cc: FreeIPA users list ; Timo Aaltonen ; Nico Maas ; Ilya Kogan

[Freeipa-users] Re: [EXTERNAL] FreeIPA Enterprise or Paid Support

2021-03-18 Thread Angus Clarke via FreeIPA-users
Don't shoot me :) Oracle support FreeIPA as part of their general Linux support package, expected to be on Oracle Linux of course however I think they offer support for other Linux OSs too but this might only be through some onboarding phase. Suse used to support non-suse Linux as well but I do

[ovirt-users] Re: ovirt_host_network -> networks: pass list

2021-02-15 Thread Angus Clarke
true with_nested: - "{{ groups['kvm'] }}" - "{{ groups['net'] }}" Cheers Angus From: Angus Clarke Sent: 14 February 2021 18:07 To: users@ovirt.org Subject: ovirt_host_network -> networks: pass list

[ovirt-users] ovirt_host_network -> networks: pass list

2021-02-15 Thread Angus Clarke
Hello I can see some examples of what I am trying to understand, but I'm still not quite clear, perhaps someone can help? I am trying to lookup a list of network names to pass to the ovirt_host_network, networks parameter. I have the networks in my hosts file like: # Logical networks net: h

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Angus Clarke via FreeIPA-users
sss_cache -E to invalidate all cache, you can be more refined with other options. Regards Angus From: Russ Long via FreeIPA-users Sent: 22 January 2021 16:39 To: freeipa-users@lists.fedorahosted.org Cc: Russ Long Subject: [Freeipa-users] Re: Allow "sudo su - U

[Freeipa-users] Re: Allow "sudo su - USER" to only the specified user

2021-01-22 Thread Angus Clarke via FreeIPA-users
I edited sudoers by hand however it should give you something to aim towards ... [root@orable76 ~]# grep angus /etc/sudoers angus ALL=NOPASSWD: /usr/bin/su - appuser [root@orable76 ~]# su - angus Last login: Fri Jan 22 17:01:30 CET 2021 on pts/0 [angus@orable76 ~]$ sudo su - appuser Last login

[Freeipa-users] Re: Helpo with DNS setup?

2020-12-30 Thread Angus Clarke via FreeIPA-users
Forward and reverse lookups use the resolver library which is configured through /etc/nsswitch.conf As long as files is listed before dns then you should be good: $ grep ^hosts: /etc/nsswitch.conf hosts: files dns myhostname Regards Angus From: Dominik Vogt

[Freeipa-users] Re: Reinstalling client's OS

2020-12-04 Thread Angus Clarke via FreeIPA-users
The steps you mention seem fine to me Roberto, Detlev has detailed an alternative. If you lose a client and need to rebuild (i.e. you didn't get chance to run the "--uninstall" option) then you can also just delete the host entry from IPA through the web gui or ipa command line before running t

[ovirt-users] Re: Ovirt 4.4.3 Hyper-converged Deployment with GlusterFS

2020-11-24 Thread Angus Clarke
Hi Sorry if this goes against convention here, maybe best practices have moved on, but I always create a partition on a disk before using it. ... multipath -F parted /dev/sdb mklabel gpt parted /dev/sdb mkpart primary 0% 100% parted /dev/sdb set 1 lvm on pvcreate /dev/sdb1 It's good practice t

[ovirt-users] Re: sshd_config AuthorizedKeysFile

2020-11-12 Thread Angus Clarke
the contents of '/root/.pub' anyway, look at the -f option) From: Martin Perina Sent: 12 November 2020 09:43 To: Angus Clarke Cc: users@ovirt.org ; Dana Elfassy ; Yedidyah Bar David Subject: Re: [ovirt-users] sshd_config AuthorizedKeysFile Hi,

[ovirt-users] sshd_config AuthorizedKeysFile

2020-11-12 Thread Angus Clarke
Hello Sharing for anyone who needs it, this was carried out on OL7, they use ovirt 4.3 In short: both the hosted-engine deployment routine and the host add to cluster routine distribute public ssh keys to /root/.ssh/authorized_keys regardless of the AuthorizedKeysFile setting in /etc/ssh/sshd_c

[ovirt-users] Re: ovirt glusterfs

2020-11-02 Thread Angus Clarke
Hi I was having this error earlier today in my lab environment I didn't resolve it and gave up! Prior to the messages you mention, I noticed something about "multipath -a /dev/sdb" which was failing and for sure you can try that from the command line and see the failure message. I just assumed

[Freeipa-users] Re: Stop/Disable Apache on IdM servers

2020-10-08 Thread Angus Clarke via FreeIPA-users
Thanks for your input Rob - you've said enough to scare me off the topic! Cheers Angus From: Rob Crittenden Sent: 08 October 2020 20:52 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Stop/Disable Apache on IdM servers Angus Clark

[Freeipa-users] Stop/Disable Apache on IdM servers

2020-10-08 Thread Angus Clarke via FreeIPA-users
Hello We have a single mesh of FreeIPA servers in several different locations, we capture logs (apache ErrorLog directive) to a log server in each of those locations. When auditors ask us questions we have to trawl log servers from all locations as our IdM administrators might have used any of

[Freeipa-users] Re: POSIX ids of all AD users

2020-10-02 Thread Angus Clarke via FreeIPA-users
Hi Ronald Look at the "Attribute Editor" tab against a user account in "Active Directory users and computers." It should be in the list there (uidNumber) amongst other useful things. I'm no Microsoft administrator but am aware that this "Attribute Editor" tab is not listed if you search for th

[Freeipa-users] Re: migrate IPA server to new OS

2020-09-04 Thread Angus Clarke via FreeIPA-users
You could build a replica, reinstall your original with Centos and then build that as a replica. Not too much downtime for your original whilst it is being rebuilt. Regards Angus From: Boris Behrens via FreeIPA-users Sent: Friday, September 4, 2020 11:34:02 AM T

[Freeipa-users] Web UI behind Reverse proxy

2020-08-25 Thread Angus Clarke via FreeIPA-users
Hello We want to give freeipa web ui access to a corporate team, our security guys insist we hide this behind a reverse proxy, we're putting 2 of our 10 freeipa servers behind the RP address. In our initial testing we get the kerberos error "Unable to verify your Kerberos credentials" in the b

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Angus Clarke via FreeIPA-users
Hi Just a bit of user experience ... I'm guessing you ran the ipa-client-install program on your client specifying "--server=ipa01.bos1.domain.com" rather than relying on auto-discovery (requires SRV DNS records) If DNS SRV records are not configured and you need to manually specify the IPA s

[Freeipa-users] Re: Planing multi-site deployment

2020-06-03 Thread Angus Clarke via FreeIPA-users
Hi We run a similar setup (multiple sites, different dns domain per site, 2 IPA servers per site) without the issues you mention, we're not using DNS discovery however that shouldn't make a huge difference. Are you passing --realm=blah to the ipa-client-install command? That and other options

[Freeipa-users] Re: where to place the freeipa server in a segmented network

2020-05-08 Thread Angus Clarke via FreeIPA-users
Hi At the one end of things you might want to secure your IPA server in your production network however this might not be reachable from other networks (your network policy.) At the other end of things you might want to place it in your most accessible network however then the system is more at

[Freeipa-users] Re: Unset passwords for accounts

2020-05-05 Thread Angus Clarke via FreeIPA-users
After running, the web UI no longer shows a string of asterisks next to the password field of the user. Thanks ever so much! Angus From: Rob Crittenden Sent: 04 May 2020 15:34 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Unset

[Freeipa-users] Unset passwords for accounts

2020-05-04 Thread Angus Clarke via FreeIPA-users
Hello We don't use FreeIPA passwords for user accounts however some accounts have had passwords set which is noticed from time to time. I would like to revert those account passwords to the point when the user was newly added but the password not yet set. I don't see anything obvious in the do

[Freeipa-users] Re: EL7 Upgrades

2020-04-21 Thread Angus Clarke via FreeIPA-users
s list Cc: Angus Clarke Subject: Re: [Freeipa-users] EL7 Upgrades Angus Clarke via FreeIPA-users wrote: > Hello > > Our environment has grown and as additional IPA servers have been added, > different versions have been deployed. I am looking to bring IPA servers > up to the l

[Freeipa-users] EL7 Upgrades

2020-04-07 Thread Angus Clarke via FreeIPA-users
Hello Our environment has grown and as additional IPA servers have been added, different versions have been deployed. I am looking to bring IPA servers up to the latest version for EL7 and wanted some guidance or reassurance. Here are my versions, they are all VMWare VMs: idm001 ipa-server-4.5

[Freeipa-users] Re: Running FreeIPA using IPv4

2020-03-31 Thread Angus Clarke via FreeIPA-users
Hi As far as I'm aware you just need to have ipv6 enabled in the kernel on the IPA servers, you don't actually have to use it. The IPA installer performs this check but doesn't need it to be configured. Someone else here very recently resolved this issue by simply removing "ipv6_disabled=1" fr

[Freeipa-users] Re: Some users unable to log in to host

2020-03-17 Thread Angus Clarke via FreeIPA-users
Hello I suggest running the hbactest function, something like: ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login Regards Angus From: Kristian Petersen via FreeIPA-users Sent: 16 March 2020 21:57 To: FreeIPA users list Cc: Kristian Petersen

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Aaah, for me that is outside of my knowledge. Regards Angus From: Todd Grayson via FreeIPA-users Sent: Friday, March 6, 2020 11:31:36 PM To: freeipa-users@lists.fedorahosted.org Cc: Todd Grayson Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet, mul

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Or indeed choose any of your existing DNS domains for the IPA servers, I suspect changing the domain at a later time might be troublesome, so maybe pick one that has some assured longevity to it! Regards Angus From: Angus Clarke via FreeIPA-users Sent: Friday

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Hello As far as I'm aware, Kerberos requires DNS A records for clients and servers. Could you not just setup freeIPA using its internal DNS using a new domain just to add the ipa servers to, and then have forwarding between the different DNS systems? Clients can be under any DNS domain you like

[Freeipa-users] Re: Traffic from client to server through management's interface

2020-02-17 Thread Angus Clarke via FreeIPA-users
Not very helpful I realise but in my experience, moving away from multi-interfaced servers to single interface was the best thing we ever did. It took massive change in the tech department to do that but was well worth it with respect to reduced complexity. Regards Angus __

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-17 Thread Angus Clarke via FreeIPA-users
As is often the case, ours was an operational experience decision - we already had a DNS which was already managed by my team. All the best Angus From: Daniel PC via FreeIPA-users Sent: 16 January 2020 16:19 To: freeipa-users@lists.fedorahosted.org Cc: Daniel P

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Angus Clarke via FreeIPA-users
Angus From: Charles Hedrick Sent: 15 January 2020 22:54 To: FreeIPA users list Cc: Ryan Slominski ; Angus Clarke Subject: Re: [Freeipa-users] Where is the "Audit" in IPA? This looks pretty reasonable. Unfortunately it intermixed lots of info. The files grow rapidly e

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-15 Thread Angus Clarke via FreeIPA-users
Just a note from a fellow user ... Changes made through the API are logged via apache's ErrorLog directive, I've been using this to some degree of success to answer 3rd party audit queries. However it does miss things like "which groups was this user a member of when they were deleted" though .

[Freeipa-users] DNS discovery / locations

2020-01-09 Thread Angus Clarke via FreeIPA-users
Hello Not sure if this is more a generic DNS question or not ... We run FreeIPA 4.6.4 on a RHEL7.6 clone, we do not use FreeIPA DNS and we currently do not use DNS discovery. I have read this: https://www.freeipa.org/page/Howto/IPA_locations

[Freeipa-users] Re: No Login on GUI

2019-12-06 Thread Angus Clarke via FreeIPA-users
Hi Christian Some things to check first: Have you checked your times are in sync within 5 minutes? Have you checked DNS is working for all node entries between all nodes? Have you used ipactl [status|restart|stop]? -> Do you see certain services fail and have you checked their logs? I'm hoping

[Freeipa-users] Re: SOC documentation

2019-11-18 Thread Angus Clarke via FreeIPA-users
Not directly answering your question but sharing some knowledge ... Similarly our IPA system falls under certain audit conditions, specifically with regard to user addition/deletion and what group memberships have been amended over some period of time (we base our sudo rules on group membership

[Freeipa-users] Re: number of topology segments for 3 servers clean setup?

2019-10-29 Thread Angus Clarke via FreeIPA-users
Just some user notes I really like the IPA server topology graph through the web front end, visualising the agreements between servers is really useful. You can add or remove agreements here too, for both domain and CA (for servers that have CA enabled) I've deployed 6 IPA servers equally acro

[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-29 Thread Angus Clarke via FreeIPA-users
them. Regards Angus From: Saurabh Garg Sent: Tuesday, October 29, 2019 9:08:06 AM To: Angus Clarke Cc: FreeIPA users list Subject: Re: [Freeipa-users] Re: Full Server backup fails with IPA version error Thanks Angus for the reply. In my case, original IPA serv

[Freeipa-users] Re: Full Server backup fails with IPA version error

2019-10-25 Thread Angus Clarke via FreeIPA-users
Hi An alternative approach would be to setup your new server as an IPA client and then to promote it. On new server: # ipa-client-install Followed by # ipa-replica-install Check the man pages for options suitable to your environment, otherwise I specify --setup-ca for all our new IPA instance

[Freeipa-users] Re: FreeIPA new network with DNS

2019-10-17 Thread Angus Clarke via FreeIPA-users
My guess is that you have the domain "intra.example.com" listed in the "search" order found in /etc/resolv.conf on server ipa1 but not on server mahavishnu. Regards Angus From: Jason Dunham via FreeIPA-users Sent: Thursday, 17 October 2019, 20:31 To: freeipa-us

[Freeipa-users] Remove stale server entry from LDAP

2019-10-04 Thread Angus Clarke via FreeIPA-users
Hi all After decommissioning 2 IPA servers some time back (reduced from 8 to 6) I recently noticed that one of the decommissioned servers still appears when issuing commands like "ipa server-find." It only appears on 2 of the existing servers, not the other 4. "ipa server-del" and "ipa-replica

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-25 Thread Angus Clarke via FreeIPA-users
Hmm, yes I see the problem, when a previously registered node reboots, all the local configuration is lost however it still has entries in IPA server. I've not tried running ipa-client-install on such a node but it sounds like you have and the --force option is achieving what you desire. Altern

[Freeipa-users] Re: log dispatching for IPA servers

2019-09-24 Thread Angus Clarke via FreeIPA-users
Hi If you just want an audit trail of the FreeIPA server(s) API, then apache's ErrorLog directive catches all that. Regards Angus From: Fraser Tweedale via FreeIPA-users Sent: 24 September 2019 11:08 To: Nazan CENGİZ ; freeipa-users@lists.fedorahosted.org Cc:

[Freeipa-users] Re: Manually join machines in stateless environment

2019-09-22 Thread Angus Clarke via FreeIPA-users
Hi Perhaps some boot script to run the ipa-client-install command when a new instance boots up? I'm not sure how the system would behave if you run the ipa-client-install command multiple times, should the same machine name boot more than once. For HBAC rules you can use "auto-member" to auto

[Freeipa-users] Re: remove bad replica from list not working

2019-09-19 Thread Angus Clarke via FreeIPA-users
Hi A bit late I realise but I noticed ... https://www.freeipa.org/page/Domain_Levels (# ipa domainlevel-get) IPA 4.5 is likely domain level 1. According to the ipa-replica-del man page: <-- snip To manage IPA replication agreements in a domain at domain level 1, use IPA CLI or Web UI, see `ipa

[Freeipa-users] Re: ipausers unable to sudo

2019-09-09 Thread Angus Clarke via FreeIPA-users
Hi Albert I use sss_cache to drop a client's cache when testing some change I've applied. sss_cache -E to drop all cache. Take a look at the man page for other options. Regards Angus From: Albert Szostkiewicz via FreeIPA-users Sent: Monday, Septembe

[Freeipa-users] Re: kadmin service fails to start

2019-09-03 Thread Angus Clarke via FreeIPA-users
Hi Mike It's prolly too late but you could have tried this as root to identify which process had port 749 open: netstat -pan | grep LISTEN | grep 749 Regards Angus From: Mike Conner via FreeIPA-users Sent: Wednesday, September 4, 2019 5:35:57 AM To: freeipa-us

[Freeipa-users] Re: Disabled user accounts

2019-08-22 Thread Angus Clarke via FreeIPA-users
isabled accounts via the web interface. Regards Angus From: Alexander Bokovoy Sent: 22 August 2019 10:04 To: FreeIPA users list Cc: Angus Clarke Subject: Re: [Freeipa-users] Disabled user accounts On to, 22 elo 2019, Angus Clarke via FreeIPA-users wrote: >Hi all >

[Freeipa-users] Disabled user accounts

2019-08-21 Thread Angus Clarke via FreeIPA-users
Hi all Just an observation really, some of our users complained that their IdM login names did not match other systems' - we saw IdM as the easiest place to fix this (as opposed to modifying local accounts on hundreds of non-IdM enabled *nix boxes around the estate) Rightly or wrongly, the ap

[Freeipa-users] Re: How can I add an additional certificate for a different domain name?

2019-07-23 Thread Angus Clarke via FreeIPA-users
Hi We run separate IPA instances for different environments (rather than a single IPA setup with multiple interfaces) - I suggest looking at that instead. We also run different domain names across our environments: is it not just a case of adding "--realm=BLAH" to your ipa-client-install comman

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Angus Clarke via FreeIPA-users
I suspect OP is enquiring about ssh keys. You need to tell your SSH client about your SSH private key (keep it safe) and paste the public component of your key pair into the SSH key field in the FreeIPA web admin screen for the user (the field is about a third of the way down the screen on the

[Freeipa-users] Re: secure freeipa exposed to internet

2019-05-23 Thread Angus Clarke via FreeIPA-users
Hello Best practices say to deploy 2 - 3 IPA servers per site (Deployment Recommendations) however I've never really understood why. We run 2 IPA servers in each of our primary DCs and then connect our smaller remote sites to those IPA servers over IPSEC VPNs. For example, IPA clients in a small

[Freeipa-users] RSA using FreeIPA as an identity source

2018-11-22 Thread Angus Clarke via FreeIPA-users
Hi all Excuse my ignorance, can anyone give me some pointers on getting RSA Authentication Manager 8 to use FreeIPA 4.5 as an identity source over LDAPS? Many thanks Angus

NSD/Unbound for private internal use

2018-08-31 Thread Angus Clarke via Unbound-users
Hello I'm looking to replace our Data Centre DNS software, we run our own private domain example.private and use 10. private IP address range so I'd be looking to use NSD for authoritative responses for the domain & IP block and unbound as a general recursive name server. Wanted your views really

[Freeipa-users] Re: Changing domain name

2018-08-17 Thread Angus Clarke via FreeIPA-users
You might find some useful tips here: https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html Not sure if they did drop their other scripts into github (as suggested two thirds down) Regards Angus On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users < freeipa-users@lists.
