On Fri, May 21, 2021, 08:54 Rob Crittenden wrote:
> Mark Potter via FreeIPA-users wrote:
> > Long story short, we had to redeploy part of our FreeIPA cluster. As far
> > as I know I followed all of the proper procedures and everything
> > seems to be working from the clien
Long story short, we had to redeploy part of our FreeIPA cluster. As far as
I know I followed all of the proper procedures and everything seems to be
working from the client side however we are getting a TON of these messages
in krb5kdc.log
ipa3.example.com krb5kdc[31232](info): TGS_REQ (8 etypes
Is there a way to enable a user to be able to retrieve all host keytabs
without explicitly allowing for each host?
In short we have a very large, stateless environment. We are currently in
the process of converting to RHEL in order to receive support. The size of
our environment makes force joinin
I have a working FreeIPA cluster and need to start deploying for other
geolocations. I deployed with freeipa-ansible. While I can find docs on
multi-master setups I am struggling to find the initial setup bits.
Would it be best to deploy a new cluster without any knowledge of the
existing cluster
So the DNS overload was my own fault. I was using 'while' in Ansible and
doing an entry at a time instead of just generating a playbook that adds
multiple entries. I've tested with 100 entries and had a single update per
zone to the replicas. So I've sorted that. I shouldn't Ansible on almost no
sl
The docs say 2k to 3k hosts per FreeIPA machine. We currently have 1 server
and 3 replicas for ~9k hosts. The issue is that the hosts in question are
stateless so have to have ipa-client-install run every boot. We've got that
part handled but something came up that's got me concerned.
I was adding
I am also seeing "secure_path" having no effect:
LDAP Role: dug_it
RunAsUsers: ALL
RunAsGroups: ALL
Options: !authenticate, !requiretty, always_set_home, env_reset,
!visiblepw, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR U
I am trying to create a default sudo environment that is applied to all
users in addition to anything from other groups. This would include things
like "secure_path" and a few env lines. However I cannot seem to get this
to work. I understand that the highest number in "Sudo order" is processed
fir
After a lot of reading, adding "ignore_group_members = True" to sssd.conf
vastly dropped the login time. From a completely blank cache taking > 25
seconds to login to ~1 second to login.
On Wed, Jan 6, 2021 at 1:59 PM Mark Potter wrote:
> We are experiencing slow logins on all client machines.
We are experiencing slow logins on all client machines. At present this is
only two machines but have experienced the same issue with prior
installations. We have migrated the entirety of our ancient OpenLDAP
install to FreeIPA. Our environment is:
1 x IPA Server
3 x IPA Replicas
All of these hav
. I'll
try adding the primary as the only resolver and see what happens though.
On Wed, Dec 2, 2020, 11:14 AM wrote:
> On 2020-12-02 17:59, Mark Potter via FreeIPA-users wrote:
> > Greetings!
> >
> > I am attempting to deploy a cluster using ansible-freeipa:
Greetings!
I am attempting to deploy a cluster using ansible-freeipa:
CentOS 8.2
Ansible 2.10.2
The ipaserver role successfully deploys the server but I have a question
about dns specifically: What is the format for "ipaserver_reverse_zones". I
haven't seen an example. We have a LOT of reverse z
ttps://bitbucket.versatushpc.com.br/projects/OPENCATTUS/repos/deployment
>
> Feel free to look at inner workings of the code, it’s basically an Ansible
> Playbook.
>
> On 1 Sep 2020, at 11:31, Mark Potter via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>
Yes, they will all need a unique identity as we will be using HBAC along
with RBAC. This is an HPC environment with 10k+ unique systems and growing.
I can explain more if you'd like.
On Tue, Sep 1, 2020 at 7:37 PM Ben Aveling via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> If t
We boot everything stateless in our environment and are using FreeIPA for
authentication. I started discussing this a while ago but ended up with
other things taking priority. The number of machines we have makes managing
keys an untenable solution so we are using
ipa-client-install -U -q -p -w __
I have noticed that group membership is functioning differently on CentOS 8
with FreeIPA 4.8.4-7 than I remember it functioning on CentOS 7. This is a
clean install with no use of backups.
I have a user user(2063) with a primary group of admingroup(2060). I set up
a sudo rule for members of adming
Thanks! Setting the global time limit worked.
On Tue, Jun 30, 2020 at 3:17 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Mark Potter via FreeIPA-users wrote:
> > We have ~22000 DNS entries at present and more will be added. I have
>
We have ~22000 DNS entries at present and more will be added. I have
adjusted nsslapd-sizelimit to -1. This causes the web interface to return
~6000 and ~8000 entries with the number being different each time. I
suspect this is due to a time limit but I cannot figure out which time
limit affects th
ore and see if I can replicate the issue.
On Tue, May 19, 2020 at 9:28 AM Alexander Bokovoy
wrote:
> On Tue, 19 May 2020, Mark Potter via FreeIPA-users wrote:
> >While I have seen similar posts to the list while digging through the
> >archive, I cannot find this question specifica
dc=test,dc=example
memberof: cn=groupb,cn=groups,cn=accounts,dc=text,dc=example
memberof: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
On Tue, May 19, 2020 at 9:36 AM Rob Crittenden wrote:
> Alexander Bokovoy via FreeIPA-users wrote:
> > On Tue, 19 May 2020, Mark Potter via
While I have seen similar posts to the list while digging through the
archive, I cannot find this question specifically answered. We are coming
from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
memberships to make this migration easier as we are moving from an
organically