Hello,
right now checkipaconsistency reports an error when not all IPA servers
have AD trust enabled. My first two IPA servers running CentOS 7 do
have KRA enabled, but installing KRA on a new CentOS 8 replica failed.
Would it be useful to check that in checkipaconsistency?
If yes, here's my f
Daniel PC via FreeIPA-users
writes:
> Currently, I have 2FA implemented with password + FreeOTP as authentication
> methods.
>
> I wonder if possible to implement ssh pub+priv keys instead of a password as
> the first authentication factor.
>
> Has anyone implemented such thing?
That's possibl
Andrew Meyer via FreeIPA-users
writes:
> [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start
...
> Starting smb Service
> Failed to start smb Service
> Forced start, ignoring smb Service, continuing normal operation
> Starting winbind Service
> Failed to start winbind Service
Andrew Meyer via FreeIPA-users
writes:
> I am trying to research how to add other 2FA providers to FreeIPA.
> Has anyone added Duo or something else to FreeIPA/IPA in the most
> recent versions?
I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS
and have some users authentica
Karim Bourenane via FreeIPA-users
writes:
> I want to deploy some IPA clients with 2 interfaces, each host interface
> managed by a different IPA server.
I think the IPA servers should be replicas.
> Can you confirm that it's possible to enroll the ipa-client 2 times, in
> each of the servers?
I manage ser
Rob Crittenden via FreeIPA-users
writes:
[...]
> I don't think that first entry is a glob. I believe that * just means
> any. & is shorthand for the matching key so
>
> * -fstype=nfs4,soft,intr,rsize=8192,wsize=8192,tcp
> fileserver.chem.byu.edu:/export/home/students/&
>
> Just substitutes whate
Albert Szostkiewicz via FreeIPA-users
writes:
> So I do have a user on my laptop with the same username as the IPA user. I've
> noticed that after installing the client, this existing user is still
> being authenticated by its original password and is with its original
> UID.
> What is the best procedure i
Hello,
today freeipa-client migrated from sid to buster - thanks a lot for
this!
Jochen
--
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le
William Muriithi via FreeIPA-users
writes:
> I am using autofs to mount home directories. The autofs maps are on IPA
> server. A while back, I adjusted the mount idle timeout from the default 5
> minutes to 2 hours.
>
> I now want to undo the change, essentially bring down the timeout to 5
> min
Johan Vermeulen via FreeIPA-users
writes:
> Now it would come in handy if I could field some Debian clients for some
> purposes.
> But on the current stable release there is no freeipa client.
> I have installed some freeipa-clients from unstable, but it's not ideal.
>
> I'm wondering, is anyone
Sina Owolabi via FreeIPA-users
writes:
> Yes I use PAM with openvpn to authenticate user clients
> "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> I'm also running a HBAC controlled IPA environment but the rule for vpnusers
> is a --servicecat=all:
>
> Rule name: allowvpnus
Rob Crittenden via FreeIPA-users
writes:
> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>>
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice.
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN.
>> Currentl
Ranbir via FreeIPA-users writes:
> When GSSAPI delegation doesn't work, I see this error:
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server host/ip...@theinside.rnr not found in Kerberos database
You used "ssh ipa01", right? And the host has been enrolled w
hedrick--- via FreeIPA-users
writes:
> We have a number of systems on the internet. They are constantly
> attacked through ssh. A lot of attacks try to guess passwords for a
> user called “admin.”
If you don't need the user admin on the outside facing boxes, you could
try that in /etc/sss/sssd.c
Rob Crittenden via FreeIPA-users
writes:
> I don't know where Keycloak upstream is.
Look at http://www.keycloak.org
Jochen
Udo Rader via FreeIPA-users
writes:
> Our current setup looks like this:
...
> #4 DHCP is handled by multiple, distributed ISC DHCP servers,
> configured to pull their configuration from OpenLDAP (network
> definitions, routers, NTP servers, MAC addresses etc.)
...
> Regarding DHCP, all I found w
Hi,
Duncan Colhoun via FreeIPA-users
writes:
> Can I get some feedback on the overall experience setting up and
> running Free-IPA. I am looking at implementing Free-IPA to
> enhance/replace an OpenLDAP environment.
I'm running a small FreeIPA (2 servers) installation in a family
network. Inst
Jochen Hein via FreeIPA-users
writes:
> Randy Morgan via FreeIPA-users
> writes:
>
> [BIND as slave on IPA DNS masters]
>
>> Has anyone set this up before and if so, do you have a sample config
>> that I could look at to gain a better understanding of what is needed
Bret Wortman via FreeIPA-users
writes:
> # kinit admin
> kint: Client's credentials have been revoked while getting initial
> credentials
>
> Then while looking at /var/log/httpd/error_log:
>
> [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server
> is unwilling to perform: Too ma
Randy Morgan via FreeIPA-users
writes:
[BIND as slave on IPA DNS masters]
> Has anyone set this up before and if so, do you have a sample config
> that I could look at to gain a better understanding of what is needed
> here?
I'm running a pair of IPA servers with a single DNS slave. There's on
Winfried de Heiden via FreeIPA-users
writes:
> OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user
> to use OTP and/or a host.
Authentication indicators won't work that way...
> Selecting a user, ALL authentication needs OTP. Since sudo in this case will
> ask for OTP
Bret Wortman via FreeIPA-users
writes:
> If this is the correct search, then no. It's gone.
Now, if you don't have the private keys any longer (see Rob's mail), we
should consider your CA really gone. I'd look at ipa-ca-install and
something like
https://www.freeipa.org/page/V4/CA-less_to_CA-fu
Bret Wortman via FreeIPA-users
writes:
> I may be going about this in the hardest way possible, so let me stop
> and roll everything back to my root need:
>
> I have two IPA servers which manage our infrastructure. We used to
> have three, but a catastrophic failure on one led to its total
> loss
Bret Wortman via FreeIPA-users
writes:
> Sequence of events in trying to stand up a new IPA server to replace
> (wholesale) our old ones.
>
...
> 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders
...
> And now I'm back where I was. IPA is running and contains our user,
> host, an
John Ratliff via FreeIPA-users
writes:
> Okay, so the problem wasn't that it wasn't working; it's that I didn't
> understand the prompts. Debian only prompts for password, but wants
> password + OTP on the same field. CentOS prompts for First Factor /
> Second Factor.
>
> Is there any way I can m
Alex Corcoles via FreeIPA-users
writes:
> Is there any official literature about how to monitor FreeIPA?
I'm using https://github.com/peterpakos/checkipaconsistency to monitor
my replicas.
> Is there any plan to provide an official way to monitor FreeIPA? My
> foremost concern would be to ensur
Lukas Slebodnik via FreeIPA-users
writes:
> On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote:
>>As I read it he has the reverse problem. He installed with NTP support
>>and now wants to remove it.
>>
>>You need to remove NTP as a managed IPA service by removing the entry:
>>
>>cn=NTP,
Giulio Casella via FreeIPA-users
writes:
> On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users
>> writes:
>>
>>> Done, ipactl status reports everything running,
>>
>> That's not correct, see below.
>
Giulio Casella via FreeIPA-users
writes:
> Done, ipactl status reports everything running,
That's not correct, see below.
> but certificates don't renew.
> Looking at certmonger (in debug mode) I can see:
>
> "Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
> request, will re
Cody Rathgeber writes:
> Thanks, I'm sure it was a versioning issue as the server is 4.5, and I see
> the default Ubuntu 14.04 packages I was using were 3.3. Using the repo
> Jochen mentioned I can install 4.0 on Ubuntu 14.04 but I will get the below
> errors in the log during install, is this s
Cody Rathgeber via FreeIPA-users
writes:
> I'm trying to deploy FreeIPA to an environment running a mix of Ubuntu
> 16.04 and 14.04 servers.
> On 16.04 the servers join and can pull down users no problem, on 14.04 when
> joining it'll throw a
>
> "Unable to find 'admin' user with 'getent passwd a
Aaron Hicks via FreeIPA-users
writes:
> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
>
> This puts the user through a passw
Kristian Petersen via FreeIPA-users
writes:
> The dirsrv log just shows a bunch of the following:
> [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
> could not bind id [cn=Replication Manager cloneAgreement1-ipa
> 2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authenticat
Kristian Petersen via FreeIPA-users
writes:
> When I recently updated one of my IPA servers (it reports
> 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up
> because pki-tomcatd kept failing. I was able to get it running for now by
> ignoring the failure of that one serv
Mark Haney via FreeIPA-users
writes:
> since these two servers are CentOS 6.9. I'm almost certain I've got
> everything setup correctly, but I'm still unable to login as an IPA
> user either with SSH or with su - . I get ' does
> not exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney
Alexander Bokovoy writes:
> On Thu, 05 Oct 2017, Jochen Hein via FreeIPA-users wrote:
>>> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
>>> 192.168.1.48:244] CalledProcessError: Command '/usr/bin/kinit -n -c
>>> /var/run/ipa/ccaches/armor
Marius Bjørnstad via FreeIPA-users
writes:
> After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login
> failed due to an unknown reason" on the web UI, no matter if I use the
> admin user or my personal user.
...
> [Thu Oct 05 11:36:38.505372 2017] [:error] [pid 7424] [remote
> 192.16
Gady Notrica via FreeIPA-users
writes:
> But still having the same issue:
No, you don't. Earlier it timed out waiting for dirsrv, but now it's
dogtag (Port 8080, 8443):
>
> 2017-09-15T15:58:46Z DEBUG stderr= 2017-09-15T15:58:46Z DEBUG
> wait_for_open_ports: localhost [8080, 8443] timeout 300
>
Torsten Harenberg via FreeIPA-users
writes:
> Suddenly, our Linux Mint clients refrain from logging in users and
> throw a system error. I increased the log level and the relevant lines
> seem to be:
>
> (Sun Sep 10 03:19:09 2017) [sssd[be[pleiades.uni-wuppertal.de]]]
> [hbac_eval_user_element]
Ludwig Krispenz via FreeIPA-users
writes:
> This is issue: https://pagure.io/389-ds-base/issue/49334
Thanks for the info. I like the documentation and analysis in the
tickets (not only this one) - well done!
Jochen
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR
- dblayer_copy_directory - Backend instance "cldb" does not exist; Instance
path /var/lib/dirsrv/slapd
saidireddy ranabothu via FreeIPA-users
writes:
> I have enabled password+OTP authentication for a user and able to sync
> tokens and SSH.
>
> While ssh-ing to the server using FIPA credentials, it asks for authentication
> in two steps, as First Factor and Second Factor.
>
> But I just want to give it in
Jochen Hein via FreeIPA-users
writes:
> Rob Crittenden via FreeIPA-users
> writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
Rob Crittenden via FreeIPA-users
writes:
> certmonger doesn't support storing certificates in a java keystore.
>
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store
Rob Crittenden writes:
> certmonger doesn't support storing certificates in a java keystore.
That's what I found out :-)
> The tricky bit might be in dealing with the CSR. certmonger needs the
> private key in order do the renewal.
>
> I guess one thing you could do is a straight ipa-getcert -f
Hi,
I'm playing around with keycloak and wanted to use an SSL certificate
from IPA. I've looked around but didn't see any howto about using java
keytool with ipa-getcert. Has someone experience with it?
I was not successful adding key/cert created by certmonger into keytool,
and also not succes
Prasun Gera via FreeIPA-users
writes:
> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.
On my NFS server /home is a local ext4 mount and exported. The cli
Hello Dagan,
> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.
I use ocserv on my VPN server and openconnect - normally with GSSAPI,
but I'll try with password/OTP.
> The Yubikeys in the existing configuration are in a static file, which
> does
Hello,
Dagan McGregor via FreeIPA-users
writes:
> I have been asked to configure FreeIPA 4.4 servers to handle VPN
What kind of VPN do you use? What client do you use?
> authentication using a FreeRADIUS server, with 2FA being generated by
> a Yubikey given to each user.
Is the Yubikey enro
49 matches