Oh, thanks for the playbook- I appreciate it.
It's surprising that some of the bugs you posted mention SELinux- the replica
that doesn't have issues is running SELinux, while the replica that has issues
doesn't (it's an LXC container).
I forgot to add; I'm running two replicas, both are CAs and provisioned
identically, and only one of them shows this issue.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.
Hi all,
Sorry I didn't keep track of this more accurately. Some time ago, the
ipa-healthcheck service started failing (September 23rd, I think). I took a
look, and IIRC, it said something like some certs were about to expire. I
ignored that (because they renew automatically?). But then I checke
Hi,
I have a Debian (Proxmox) system joined to FreeIPA. I'm trying to log in via
SSH using Kerberos, but it doesn't work. If I start a debug SSH server, I get
the following output:
No key table entry found matching host/h1.h1.int.example.net@
, but hostname -f on the same host reports h1.examp
>
> It shows up as hostname.ipadomain in FreeIPA (which doesn't match its name
> on the networks) and I've never had any issue- I suspect client hostnames
> are not really important.
>
Sorry, correction. My laptop's hostname *IS* hostname.ipadomain. When it
connects to different networks, the DNS
Hi,
On Fri, May 8, 2020 at 3:18 PM Angus Clarke via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> We run our IPA infrastructure globally with VPN connected sites, no issue
> there. I don't have experience of road warrior VPN clients though. I'm not
> sure how IPA behaves when hos
Hi!
When I use the command
> ldapsearch -h ldap.exemple.com -p 389 -x -b dc=exemple,dc=com -L
>
> I get all information about my instance without any authentication.
> How can I set authentication for this action?
>
The term for this is "anonymous binds". How to disable them is mentioned in
the releva
I don't know whether this is good practice, but:
* You can run the action locally instead of in the target host; if the user
running Ansible has a ticket, it should work
* If you use ssh to connect to the IPA client host using an IPA user, you
should get a ticket and it should work
* Another optio
Dec 8 16:21:59 ipa certmonger: 2019-12-08 16:21:59 [15599] Invalid cookie: u''
, which is weird; 20200104123511 is in the future...
On Sun, Dec 22, 2019 at 9:04 PM Florence Blanc-Renaud
wrote:
> On 12/22/19 6:28 PM, Alex Corcoles via FreeIPA-users wrote:
> > Thanks!
>
Thanks!
On Sun, Dec 22, 2019 at 11:13 AM Florence Blanc-Renaud
wrote:
> 4. On the other replicas, check that the certificate has been properly
> installed in the NSS database /etc/httpd/alias/ or in
> /var/lib/ipa/ra-agent.pem.
> If it's not the case, you can manually install the cert or call ge
Hi,
I'm monitoring using ipa-healthcheck and I just started getting:
$ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Credential.)
ra.get_certificate(): EXCEPTION (Invalid Cre
can alert on the first two, but the third
one shows up somewhere, but doesn't send alerts.
...
I think I'll change my monitoring to just alert on CRITICAL and ERROR,
hopefully that won't be a bad idea.
Cheers,
Álex
On Sun, Dec 8, 2019 at 7:08 PM Rob Crittenden wrote:
> Ale
Hi,
I've been running ipa-healthcheck for a while and this morning I started to
get a few failures:
{
"source": "ipahealthcheck.ipa.certs",
"kw": {
"msg": "Request id 20180929065627 expires in 27 days",
"expiration_date": "20200104123511Z",
"days": 27,
"key": "20
Hi,
I've managed to integrate some webapps with FreeIPA nicely, both using
mod_auth_gssapi and Ipsilon. Both work great on computers joined to
FreeIPA, I am signed in automatically without typing my password.
Can a similar experience be achieved on Firefox Android? I can log in
putting my passwor
OK, I just set up Nagios monitoring with ipa-healthcheck. In case someone
wants to replicate, this is roughly what I did with Puppet:
FreeIPA Puppet manifest:
Install the package:
+ exec {'/usr/bin/curl
https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/repo/epel-7/rcritten-ipa-he
On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick wrote:
> I use Kerberos at home. So do a couple of faculty. I have a Kerberos
> https: proxy set up on one of our public web servers. This is less than
> ideal, as it requires installing separate Kerberos software for both Mac
> and Windows. The Ker
On Mon, Nov 11, 2019 at 3:48 PM Rob Crittenden wrote:
> Jones, Bob (rwj5d) via FreeIPA-users wrote:
> > If you’re making these sorts of changes, might I suggest a flag to
> generate Nagios safe output that is just a summary of how many
> warnings/errors were found like the way checkipaconsistency
On Mon, Nov 11, 2019 at 1:30 AM Rob Crittenden wrote:
> I'm open to suggestions on this. I don't mean for it to scare anyone but
> the consequences can be head scratching. I have a blog entry on it that
> gets quite a few views.
>
Well, I think the ideal would be to prevent this from happening i
Hi Rob,
On Tue, Nov 5, 2019 at 4:35 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> I made an EPEL 7 build in COPR,
> https://copr.fedorainfracloud.org/coprs/rcritten/ipa-healthcheck/
>
> The more feedback I get on it the better and more useful I can make it.
On Tue, May 28, 2019 at 8:17 PM Rob Crittenden wrote:
> FWIW, speaking of healthcheck, you might want to look at the
> freeipa-healthcheck package in Fedora 28+. It produces JSON output of
> checks a bunch of things including whether services are running.
>
> It is still in pretty early developme
od/bad). Monitoring would expect metrics IMO, and even
> health checks you’d want to do on the WebUI, REST server, LDAP, KDC to see
> if they are responding in an expected way.
>
> The service can be up (according to systems or ipactl) but still produce
> garbage.
>
> John
>
>
The output of ipactl looks very similar to systemctl status. Is it doing
much more than that? I'm already monitoring systemd failed units so I
wonder if it's running checking ipactl.
On Wed, Sep 19, 2018 at 1:33 PM Neal Harrington via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
Well, in that scenario site-to-site VPNs should not be too terrible (AWS
provides one, for instance).
I think that certainly having a default install which is "safe" to
expose to the Internet would be a very nice feature. However, I realize
that has its cost and maybe its drawbacks, so of cour
example.com.
>>
>> Note that the instructions for Chrome from the IPA webclient don’t work
>> for MacOS. See
>> https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os
>> for
>> the magic “defaults write” commands.
>>
>>
>>
t don’t work
> for MacOS. See
> https://www.jeffgeerling.com/blogs/jeff-geerling/kerberos-authentication-mac-os
> for
> the magic “defaults write” commands.
>
>
>
> On Apr 24, 2019, at 7:33 AM, Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
So I now have an OS X work laptop and did a kinit user@MYDOMAIN and... it
worked!
I've seen some guides about joining an OS X system to FreeIPA, but I don't
think I want that (we are not currently joining work OS X systems to a
domain, but I suppose we will soon- and I guess joining two domains wo
l that the documentation is OK and I was just dumb :-p
On Mon, Mar 11, 2019 at 11:22 AM Alexander Bokovoy
wrote:
> On ma, 11 maalis 2019, Alex Corcoles via FreeIPA-users wrote:
> >On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy
> >wrote:
> >
> >>
> >> Yes, the naming
On Sun, Mar 10, 2019 at 7:25 PM Alexander Bokovoy
wrote:
>
> Yes, the naming of Kerberos principals is more or less historical. All
> browsers only request service tickets to HTTP/ principal. If
> you expect browsers to utilize GSSAPI, your target Kerberos service
> principal must be HTTP/.. acc
Massive thread necromancy but...
On Sun, 2018-11-25 at 12:21 +0100, Alex Corcoles wrote:
> 2) SSO
>
> What is the special sauce for users using a browser on an IPA-joined
> system to log in to apps without even seeing a login form? SPNEGO?
>
> I'm using mod_auth_gssapi for some apps, having http
On Fri, 2018-11-30 at 21:42 +0100, Jochen Hein via FreeIPA-users wrote:
> I've installed the client packages from snapshot.debian.org with a
> version near the freeze for the next release. That's working fine
> for
> me, but you won't get security fixes that way.
This is basically what I'm doing:
On Mon, 2018-11-26 at 09:24 +0100, Jakub Hrozek via FreeIPA-users
wrote:
> On Sun, Nov 25, 2018 at 06:51:36PM +0100, Alex Corcoles via FreeIPA-
> users wrote:
> > I mean it still requires a sizable amount of elbow grease. I think
> > there is no systemd unit file, it doesn'
Hi,
On Sun, 2018-11-25 at 22:28 +0200, Alexander Bokovoy wrote:
> RHEL is not shipping Ipsilon, that's all what above is explained.
>
> Fedora Project is using it but Fedora's FAS service is deployed on
> RHEL
> and it is rock-solid for the functionality they use. There are 15
> pull
> requests
On Sun, 2018-11-25 at 18:51 +0100, Alex Corcoles wrote:
> Even if Ipsilon is phased out I think I'll try again. IIRC, I had an
> issue doing a test run, read about Keycloak being the future and gave
> up quickly. RHEL 7 is still good for a few years, so maybe I have an
> alternative solution on RHE
Hi,
On Sun, 2018-11-25 at 14:48 +0200, Alexander Bokovoy wrote:
> 1) SAML
> >
> > As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
> > Keycloak is the way to go, right?
> No. Both Ipsilon and Keycloak are healthy and kicking well. Ipsilon
> is
> what Fedora Project's FAS service i
Hi,
I've read:
https://www.freeipa.org/page/Web_App_Authentication
, but there is some stuff that is not clear to me.
1) SAML
As I recall, there's Ipsilon and Keycloak. Ipsilon is "dead" and
Keycloak is the way to go, right?
However, Keycloak setup is not trivial, correct? Running CentOS ther
On Thu, Nov 8, 2018 at 8:03 PM Alex Corcoles wrote:
> This is not timestamped, but I guess it is the thing. Weird, I don't
> remember my provisioning does anything JRE-related, but I will do some
> digging myself.
>
Yay, I'm an idiot. I have automatic updates via yum-cron and OpenJDK had
been up
Hi Fraser and the new guys!
I think this may be it:
https://gist.github.com/alexpdp7/358626a92a07c787fbf246b2761dddb3#file-_var_log_pki_pki-tomcat_localhost-2018-11-07-log
snip:
SEVERE: Servlet.service() for servlet [caUpdateNumberRange] in context with
path [/ca] threw exception [Could not ini
Alex Corcoles via FreeIPA-users wrote:
> > So I solved my LXC problems (thanks Rob, again), but now:
> >
> > ipa-replica-install -U --setup-ca -N
> >
> > fails when rebuilding my replica from scratch, see:
> >
> > https://gist.github.com/alexpdp7/4431da5e11afe
er Tweedale wrote:
> On Mon, Nov 05, 2018 at 09:48:40PM +0100, Alex Corcoles via FreeIPA-users
> wrote:
> > Might this be related to:
> >
> > https://pagure.io/freeipa/issue/7654
> >
> > Maybe?
> >
> Possibly. Need the HTTP access log, the Dogtag access l
Might this be related to:
https://pagure.io/freeipa/issue/7654
Maybe?
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_) http://alex.corcoles.net/
So I solved my LXC problems (thanks Rob, again), but now:
ipa-replica-install -U --setup-ca -N
fails when rebuilding my replica from scratch, see:
https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251
, where I think I've copied the relevant logs. I think I saw someone
recommending
On Mon, Nov 5, 2018 at 5:36 PM Rob Crittenden wrote:
> The bug was in dogtag and not in IPA. It looks like this is only fixed
> in 10.6.3+ upstream. I don't know if they have or plan to backport this
> to 10.5.x.
>
> The fix is
>
> https://github.com/dogtagpki/pki/commit/11fa1e2c4cc74e93cd1f9486a
So I had a running replica on CentOS 7 LXC which started giving me trouble,
so I decided to rebuild it.
Now, when running ipa-replica install I get:
2018-11-04T20:12:20Z DEBUG stderr=pkispawn: ERROR...
subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled',
'-bn']'
Hi,
I'm running Fedora 27 as my main desktop enrolled on my FreeIPA domain
for a while and it's awesome. I was toying with the idea of building a
cloud VM as a remote desktop, but xrdp is a bit annoying on Fedora 27
so I postponed that.
Now I'm playing with Fedora 28 on a VM, where xrdp works *be
Hi,
I run a FreeIPA domain as a hobbyist, basically to get password sync
among my boxes and some services. Right now I'm the sole admin (and
user). I've been toying with the idea of adding 2FA, but I wonder if
there's a good solution if I lose my token.
I guess I can have some sets of printed one
Hi,
Is there a nice combo that gives you a well-integrated remote desktop
(preferably RDP or something bandwidth friendly) on FreeIPA? What I mean
is something that can be dnf-installed and doesn't require much messing
around so I can use mstsc.exe or Remmina (or rocket-depot, etc.) and
connect t
I use a mixture of Puppet and FreeIPA to manage my "hobbyist" FreeIPA
installation. I actually use Puppet to install the FreeIPA packages, then
launch ipa-server-install through Ansible and I create my "service" Ansible
user and set up HBAC with Ansible, through the Ansible IPA module... I also
use
Is there a ticket for this to watch?
On Wed, Feb 14, 2018 at 5:27 PM, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> On ke, 14 helmi 2018, Felipe_G0NZÁLEZ_SANTIAG0 via FreeIPA-users wrote:
>
>> I have a Freeipa server version 4.3.1 on Ubuntu 16.04. Then I i
You can, but you need to add the DNS entries that FreeIPA adds to its
domain to your DNS server.
What I did was install FreeIPA in a test environment and fish the entries
from there.
On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein wrote:
> I'm using https://github.com/peterpakos/checkipaconsistency to monitor
> my replicas.
>
Yeah, but I'm not exactly reassured by choosing one of the many plugins out
there- or running them all. It would be great to push for an official check.
I'
Hi all,
Is there any official literature about how to monitor FreeIPA?
The upstream guide mentions:
1) Testing clients using id
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test
2) Adding a user on a
On Tue, Jan 23, 2018 at 3:24 PM, Andrew Meyer wrote:
> For the most part, yes. It's cheap, low-power.
>
It also has no moving parts and you can swap out the SD card to a spare
quite easily. It's not something for an enterprise environment, but as a
hobbyist, it's an awesome thing for the cost.
I'm just starting, but:
$ free -m
              total        used        free      shared  buff/cache   available
Mem:           1791         680         274          72         835         833
Swap:             0           0           0
This is for personal use, so being able to run a replica at home for
full.
>
> 1. Enable sid repo
> 2. Install freeipa-client and python-sss packages
> 3. Update python-six to 1.10+
> 4. Restart dbus service
> 5. ipa-client-install command
>
> In the end - I've got completely working ipa-client for ssh and sudo.
>
> 2018-01-19 0:24
Hi,
Now that I have my FreeIPA server working in my setup, I'd like to
configure my Proxmox server as an IPA client; both for UNIX users and its
web/API.
As you might be aware, ipa-client-install is only in sid, and it seems to
be problematic. I'm posting everything I'm doing to keep this documen
Never mind, I don't seem to be able to reproduce this.
On Fri, Jan 12, 2018 at 12:35 PM, lejeczek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
>
> On 11/01/18 19:49, Alex Corcoles via FreeIPA-users wrote:
>
>> > Jan 10 18:47:02 ctipa.
Ah, that'd be wonderful- that will solve my problem as I don't need NFS on
LXC. If I have some time I will try editing the gssproxy unit file and see
if that's the only stopper to running a FreeIPA replica on LXC.
On Thu, Jan 11, 2018 at 9:17 PM, Robbie Harwood wrote:
>
Hi,
After some comments on:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/7A2I475DZFE235QRJRXMRXTL3DVT46IN/
I decided to file a bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1533228
, but the comments there made me doubt my plan to set up FreeIPA,
Maybe this is a bug in the definition of gssproxy? Should it be a Wants=
instead of a Requires=?
On Wed, Jan 10, 2018 at 9:41 PM, Robbie Harwood wrote:
> Alex Corcoles via FreeIPA-users
> writes:
>
> > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for
one (remove, disabling is not enough) and
> add it back after installation, if this won't cause you any service
> interruptions. (but you have to be able to resolve h2.int.pdp7.net without
> forwardzone)
>
> 2018-01-10 19:38 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeip
ists.fedorahosted.org> wrote:
> I meant traceback for the DNS issue :-)
>
> Could you please provide the reason why gssproxy didn't start?
>
> journalctl -xe
> systemctl status gssproxy
> journalctl -u gssproxy
>
> 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-u
, Jan 9, 2018 at 10:05 PM, Alex Corcoles wrote:
> Ah, wait, this new replica doesn't have CA and DNS. Will try various
> combinations and post back.
>
> On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles wrote:
>
>> That's weird. I've now tried a replica install on
s <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> do you have a traceback in log? I'm curious where exactly this happened,
>> what is your FreeIPA version?
>>
>> [1]
>> I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA runn
't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in
> LXC :-) So it should work
>
> 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> Hi Marti,
>>
>> On Tue, Jan 9, 2018 at 12:46
non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
Cheers,
Álex
On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users <
freeipa-user
something like that, I'll try to reproduce
and start a new thread about that- but I guess it's more of an LXC problem
(ideally I would like to run my replica on LXC so it consumes less RAM, but
I can live with a full VM).
Cheers,
Álex
2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-u
Hi,
I'm labbing a FreeIPA environment for personal use, and I'm getting that
while bringing up a replica.
I set up my first freeipa-server instance on a cheap VPS on a public IP,
intending to make it publicly accessible so I can always authenticate my
laptop even on wild public networks.
I'm addi