Our production IPA servers are currently at
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64. (Planning is
underway to migrate to new RHEL 9.3 servers.) We have a 1-way trust
established with AD. All active users are in AD with the POSIX attributes
defined. Overall, this has worked well. H
We currently use (Free)IPA (what's provided by Red Hat) in a forest trust
relationship with our Active Directory domains. All accounts are defined in
AD with the necessary POSIX attributes. The only things locally defined
within IPA are the automounter maps, sudo rules, and HBAC rules. (I must
say,
On Mon, Mar 21, 2022 at 12:44 PM Alexander Bokovoy
wrote:
> On ma, 21 maalis 2022, Amos via FreeIPA-users wrote:
>
> >https://access.redhat.com/solutions/6633491 which isn't very encouraging.
>
> This one is unrelated. RHEL 8.4+ should have enough fixes.
>
> Do yo
Hi.
I'm trying to find out if the changes to PacRequestorEnforcement in order
to remedy CVE-2021-42287 will have an impact on IPA servers/clients. Our
IPA servers are in a one-way trust with AD. All user accounts are in AD.
I've tried to look up anything related to this, but not finding much. Wh
We have a multi-master configuration between two servers, ca-master1, and
rep1. It was discovered that there were some replication failures with
some records. We were instructed to clear these failed replication events
by doing the following.
# ldapdelete -x -h localhost -D 'cn=Directory Manage
On Mon, Oct 26, 2020 at 8:04 PM Louis Abel via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
>
> * Like in the comments, don't add that on the IPA server's sssd.conf, only
> to the clients enrolled to the IPA domain.
> * I cannot remember if it also drops the @domain for the group
Our IPA servers are in a one-way AD trust. Since all of our users are in
AD, I take advantage of the SSSD settings on the clients to hide the
@AD_REALM from their login names, and use AD_REALM as the default_realm.
This works nicely.
Solaris clients, however, do not have the convenience of SSSD.
Thanks!
On Sun, Jun 14, 2020 at 2:55 AM Florence Blanc-Renaud
wrote:
>
> Hi,
>
> 389-ds implemented a new feature that allows to run the automembership
> plugin on modify operations as well as on add operations. For more
> information, please refer to the feature design [1] and 389-ds ticket
> 5
Sorry to follow-up to an old thread, but is this still true?
https://www.redhat.com/archives/freeipa-users/2015-February/msg00038.html
On Thu, Sep 19, 2019 at 9:45 AM Rob Crittenden wrote:
> Amos via FreeIPA-users wrote:
> > Is it possible to have an automember rule to add a
So, was told a RHEL IPA client (leveraging sssd) could not also be a Samba
server (leveraging winbindd) because sssd and winbindd collide in terms of
the Kerberos bindings. Our IPA servers are configured in "compat" mode in
expectation of having to support a few Solaris systems. Could I configure
no dice
[root@aisffcgi08 ~]# kinit admin
Password for ad...@ipa.x.org:
[root@aisffcgi08 ~]# ipa-getkeytab -s ipasrv01.ipa.x.org -k
/etc/krb5.keytab -p host/ipasrv01.ipa.x.org
Keytab successfully retrieved and stored in: /etc/krb5.keytab
[root@aisffcgi08 ~]# klist -kte
Keytab name: FILE:/etc/
Oddly enough, I'm experiencing this on one of our IPA clients as well.
However, I have some questions...
On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> The in-memory keytab is something SSSD copies the keys from
> /etc/krb5.k
When enrolling a host, an error was presented:
root: INFO Joining realm failed: RPC failed at server. invalid
'hostname': invalid domain-name: only letters, numbers, '-' are allowed.
DNS label may not start or end with '-'
Where does this error originate from? Is it truly impossible
On Thu, Sep 19, 2019 at 9:45 AM Rob Crittenden wrote:
>
> Using enrolledBy in the inclusive regex should do it.
>
>
Thanks! Are Inclusive conditions logically "AND", or are they logical "OR"?
Amos
___
FreeIPA-users mailing list -- freeipa-users@lists.
Why is it that hostgroups and netgroups share the same name space?
Amos
Is it possible to have an automember rule to add a host to a hostgroup
based on the account used with ipa-install-client?
Amos
On Tue, Feb 6, 2018 at 2:16 PM, Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> If you don't want to bother with the POSIX attributes on the AD side,
> you can perhaps use ID overrides? See
> https://access.redhat.com/documentation/en-us/red_hat_
> enterprise_linu
Apologies if this post is slightly off-topic, but I'd really like to pick
some brains
Currently, we have two, main LDAP directory environments: AD and a cluster
of Solaris LDAP servers. The accounts are unified, and are managed via
Microsoft Identity Manager (with a connector for updating Sol
I've been studying the docs, and googling the Internet pipes, but it seems
our environment is particularly twisted.
We have hundreds of UNIX/Linux servers residing in the "x.org" DNS domain
that have been using Sun LDAP servers for naming services and
authentication. DNS for the servers in this "x.