[Freeipa-users] Re: Understanding IPA and Samba connections

2025-06-17 Thread Rafael Jeffman via FreeIPA-users
Hello, On Tue, Jun 17, 2025 at 7:13 AM Николай Савельев via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > Sorry, I can't understand one moment in RHEL documentation. > https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_using_network_file_se

[Freeipa-users] Re: IPA and AD users

2025-03-05 Thread Rafael Jeffman via FreeIPA-users
On Wed, Mar 5, 2025 at 6:16 PM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > We have a trust between the ipa domain (ipa.mydomain.at) and some AD > domain (windows.mydomain.at). > > A user 'userxy' exists in both domains. > > use...@windows.mydomain.at is not ma

[Freeipa-users] Re: FreeIPA Client Not Auto-Discovering New Server & DNS Issues

2025-02-10 Thread Rafael Jeffman via FreeIPA-users
On Mon, Feb 10, 2025 at 2:29 PM Florence Blanc-Renaud via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > As a side-note, please keep the mailing list in the recipients list. > > On Mon, Feb 10, 2025 at 5:40 PM azeem wrote: >> >> Hi Florence, >> >> Thanks for the response.

[Freeipa-users] Re: FreeIPA Client Not Auto-Discovering New Server & DNS Issues

2025-02-10 Thread Rafael Jeffman via FreeIPA-users
On Mon, Feb 10, 2025 at 7:36 AM Florence Blanc-Renaud via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > do your clients use the new IPA server as DNS server? This can be done prior to calling ipa-client-install. > flo > Adding to the answer, if you want to use Ansible, t

[Freeipa-users] Re: slave replica's DNS to forward first to master replica?

2025-01-31 Thread Rafael Jeffman via FreeIPA-users
On Fri, Jan 31, 2025 at 5:42 PM Brian J. Murrell via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Is there any supported configuration that instructs a slave replica to > first forward DNS queries to the master replica's DNS server and only > if it is down, to try to resolve rec

[Freeipa-users] Re: CentOS 7.9, IPA version 4.6.8 named-pkcs11.service issues

2024-09-06 Thread Rafael Jeffman via FreeIPA-users
On Fri, Sep 6, 2024 at 11:04 AM Sina Owolabi wrote: > > Ah I see, I guess it's Alma or similar then, right? > For any CentOS derivative, you should perform this procedure: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/migrating_to_identity_management_on_rhel_8/in

[Freeipa-users] Re: CentOS 7.9, IPA version 4.6.8 named-pkcs11.service issues

2024-09-06 Thread Rafael Jeffman via FreeIPA-users
On Fri, Sep 6, 2024 at 7:36 AM Sina Owolabi via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi > > Thanks for responding. > I'm not sure how to downgrade since CentOS 7 is now cast down from the heavens, hence my ask about migrating to Debian 12 (Is this a good idea?) > IIRC, D

[Freeipa-users] Re: FreeIPA -Airtight- No access to Internet - How to update/upgrade package installation.

2024-01-29 Thread Rafael Jeffman via FreeIPA-users
Hi Marcelo, Take care with in-place upgrade of IPA between major versions of RHEL, as it is not supported. For RHEL 7 to RHEL 8 upgrades take a look at: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/update-downgrade-ipa_installing-ide

[Freeipa-users] Re: freeipa.py plugin for AWX dynamic inventory not available

2024-01-23 Thread Rafael Jeffman via FreeIPA-users
On Tue, Jan 23, 2024 at 1:33 PM slek kus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, is there a possibility to have the below plugin available in Ansible Galaxy FreeIPA collection? > https://github.com/ansible/ansible/blob/stable-2.9/contrib/inventory/freeipa.py > > Try

[Freeipa-users] Re: Freeipa Ansible Galaxy collection - missing idoverride module from community.general collection.

2024-01-15 Thread Rafael Jeffman via FreeIPA-users
On Mon, Jan 15, 2024 at 12:43 PM slek kus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi Rafael, I am lost. I have had it succeed once, running a playbook from AWX which created a testuser. I have been fiddling with the formatting, reread the documentation but to no avail.

[Freeipa-users] Re: Old Home Folders and Free ipa users

2024-01-12 Thread Rafael Jeffman via FreeIPA-users
On Thu, Jan 11, 2024 at 6:56 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Alper AYKUT wrote: > > Hi,If I need to explain through my A server > > > > There are about 30 locally running users in my A server. These users > > have their own homelands. Example.

[Freeipa-users] Re: Freeipa Ansible Galaxy collection - missing idoverride module from community.general collection.

2024-01-04 Thread Rafael Jeffman via FreeIPA-users
Hi Slek, On Thu, Jan 4, 2024 at 12:18 PM slek kus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, I have tested below playbook on a testmachine, where I downloaded the ansible roles and modules, which worked. Now trying to do > repeat this on Ansible automation platform bu

[Freeipa-users] Re: (no subject)

2024-01-03 Thread Rafael Jeffman via FreeIPA-users
On Wed, Jan 3, 2024 at 12:21 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > Finn Fysj via FreeIPA-users wrote: > > > > There is not currently. > > > > I guess I would suggest hardening after installing IPA. You're moving > > into an untested/unsupported configur

[Freeipa-users] Re: Old Clients

2023-11-12 Thread Rafael Jeffman via FreeIPA-users
Hi Justin, On Sun, Nov 12, 2023 at 2:01 PM Justin Sanderson via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > All - I've posted here before a while back. Long story short, I > inherited a FreeIPA server and am now looking at building out a more > robust environment. > > Two th

[Freeipa-users] Re: Migration of DNS Zones and its records from one FreeIPA server to other

2023-09-25 Thread Rafael Jeffman via FreeIPA-users
Hello, On Mon, Sep 25, 2023 at 2:41 AM Srikanth C via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > I am looking for the process to migrate the DNS Zones and its records from one FreeIPA to other FreeIPA server. I have gone through the documentation but didn't find any

[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-21 Thread Rafael Jeffman via FreeIPA-users
Hi Jay, For running FreeIPA in a container you may want to check https://github.com/freeipa/freeipa-container The setup for it to work is somewhat sensible and following their recommendations will prevent a lot of headaches. Rafael P.S.: Sorry for the top post. On Wed, Sep 20, 2023 at 10:10 AM

[Freeipa-users] Re: A-record creation in during ipa-client-install

2023-09-17 Thread Rafael Jeffman via FreeIPA-users
On Sun, Sep 17, 2023 at 10:22 AM dweller dweller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > I decided to make a little test during spare time to investigate the problem further: > > >[root@host-01 ~]# ipa dnszone-show test-krb1.novalocal > > Zone name: test-krb1.novalocal

[Freeipa-users] Re: Which distribution to choose for the enterprise linux desktop

2023-09-16 Thread Rafael Jeffman via FreeIPA-users
On Fri, Sep 15, 2023 at 5:21 PM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > If you had to choose between Linux distros which ones are known to work > very well with FreeIPA? (apart from the obvious like RHEL itself or > Fedora) Would Ubuntu also be a good choi

[Freeipa-users] Re: Installing FreeIPA server + replica using Ansible Role FreeIPA

2023-09-14 Thread Rafael Jeffman via FreeIPA-users
On Thu, Sep 14, 2023 at 8:10 AM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hello, > > > > On 6/22/23 16:08, Finn Fysj via FreeIPA-users wrote: > > > > which IPA and ansible-freeipa versions are you using? > > > > Please provide more information about your invent

[Freeipa-users] Re: Free IPA DNS Issues

2023-08-30 Thread Rafael Jeffman via FreeIPA-users
Hi Pradeep, On Wed, Aug 30, 2023 at 3:27 PM Pradeep KNS via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi Rob, > > Thank you for your valuable insights on FreeIPA and DNS. I have an existing internal DNS server that I would like to integrate with FreeIPA's DNS feature. As I u

[Freeipa-users] Re: Failure during ipa-server-install on ipa-client-install part in the container

2023-07-12 Thread Rafael Jeffman via FreeIPA-users
Hi, Running FreeIPA in a container is tricky, I suggest you reach https://github.com/freeipa/freeipa-container They have some guidance on running FreeIPA in containers. Rafael On Wed, Jul 12, 2023 at 2:30 AM dweller dweller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > In

[Freeipa-users] Re: failed to create/enable SID

2023-05-18 Thread Rafael Jeffman via FreeIPA-users
On Thu, May 18, 2023 at 1:03 PM alexey safonov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > After upgrading to RHEL 9.2 it seems I must enable SID in my prod setup. > > So when I tried I'm getting an error message > > [18/May/2023:23:09:46.570447195 +0800] - ERR - get_ranges

[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Rafael Jeffman via FreeIPA-users
On Mon, Apr 17, 2023 at 2:08 PM Finn Fysj via FreeIPA-users wrote: > > Yes, so I do not want to use FreeIPA as DNS, since the cloud provider already > fix this when I provision the machines + the dynamic inventory. I've tried to > modify the /etc/hosts on both machines to include each other as I

[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Rafael Jeffman via FreeIPA-users
On Mon, Apr 17, 2023 at 1:14 PM Finn Fysj via FreeIPA-users wrote: > > Maybe I'm mistaken, however: > > Playbook: > - hosts: > - master2.example.com Is it a typo, or you are using the same host for both ipaserver and ipareplica? > roles: > - role: freeipa.ansible_freeipa.ipaserver

[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-17 Thread Rafael Jeffman via FreeIPA-users
On Mon, Apr 17, 2023 at 3:50 AM Finn Fysj via FreeIPA-users wrote: > > Also... It's required to have IPA client installed on the replica?.. Would it > still be considered a "master"? > I had to manually join as I get the following error running ipareplica role: > > FAILED! => {"changed": false, "

[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-14 Thread Rafael Jeffman via FreeIPA-users
On Fri, Apr 14, 2023 at 5:10 AM Finn Fysj via FreeIPA-users wrote: > > Hi, > > I'm new to FreeIPA and the ansible-freeipa collection. > I can successfully install IPA server using the role ipaserver. However, I > want to setup a multi-master replication with failover. > > As far as I know I need

[Freeipa-users] Re: DNS Problems

2023-03-28 Thread Rafael Jeffman via FreeIPA-users
Hi, On Tue, Mar 28, 2023 at 12:23 PM Anonymous via FreeIPA-users wrote: > > So for the last week I'm having trouble with my DNS. It is not working as > expected and is giving me all sorts of headaches. I have 4 ipa servers and 4 > clients. This is test env for evaluation purposes and I want to

[Freeipa-users] Re: backup & restore - 4.9.11 -> 4.10.1

2023-03-17 Thread Rafael Jeffman via FreeIPA-users
On Fri, Mar 17, 2023 at 3:07 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > lejeczek via FreeIPA-users wrote: > > Hi guys. > > > > I'm trying to migrate IPA from Centos 8 over to Centos 9 but I fail. > > If the path I try is supported & should work then, firs

[Freeipa-users] Re: Starting `ipa-server-install` fails while trying to run inside created Docker container

2023-02-10 Thread Rafael Jeffman via FreeIPA-users
Hi Georgiy, If your intention is to run FreeIPA in a container, I suggest you take a look at https://github.com/freeipa/freeipa-container. They have recipes for running with Rocky 9. Rafael On Fri, Feb 10, 2023 at 11:53 AM Georgiy Odisharia via FreeIPA-users < freeipa-users@lists.fedorahosted.

[Freeipa-users] Re: Upgrade outdated FreeIPA sanity check

2023-02-08 Thread Rafael Jeffman via FreeIPA-users
On Tue, Feb 7, 2023 at 6:29 PM Kevin Vasko via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > We have a set of 3x freeIPA servers that have outdated (everything) in a development/test environment that need to be updated. > > It seems that 4.6.8-5.el7.centos.12 is the latest versio

[Freeipa-users] Re: Migration to new server - recommended steps/best practices

2023-02-06 Thread Rafael Jeffman via FreeIPA-users
Hello, You may want to follow this doc: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/ref_migrating-to-idm-on-rhel-8-from-freeipa-on-non-rhel-linux-distributions_migrating-to-idm-from-external-sources Rafael On Sat, Feb 4

[Freeipa-users] Re: Is there a web-UI or GUI application for IPA Password Vault?

2023-02-01 Thread Rafael Jeffman via FreeIPA-users
Hello, On Wed, Feb 1, 2023 at 8:23 AM Djerk Geurts via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > Looking into whether KRA can be used for users who would rather not use a CLI for credential management. Is there a UI that can be used by users with KRA/Password Vault?

[Freeipa-users] Re: AD Conditional Forwarder to IdM failure

2023-01-16 Thread Rafael Jeffman via FreeIPA-users
On Mon, Jan 16, 2023 at 12:27 PM Jeremy Tourville via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > That worked! Thank you. > > In short: > - Add the A record > - Add the NS record > - Create the delegation of authority > > Now create the forwarder. > Great that it worked fo

[Freeipa-users] Re: AD Conditional Forwarder to IdM failure

2023-01-13 Thread Rafael Jeffman via FreeIPA-users
Hi Jeremy, On Fri, Jan 13, 2023 at 4:00 PM Jeremy Tourville via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > I am following the directions from here: > > Section: 32.6.4. Configuring DNS forwarding in AD > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/

[Freeipa-users] Re: Replica install: LDAP error: Can't contact LDAP server - no response received

2023-01-06 Thread Rafael Jeffman via FreeIPA-users
On Fri, Jan 6, 2023 at 1:25 PM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > > > > On 6 Jan 2023, at 14:53, Rafael Jeffman wrote: > > > > On Fri, Jan 6, 2023 at 10:30 AM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > > > > > > > > --- > > Francis Augusto Medeiros-Logeay

[Freeipa-users] Re: Replica install: LDAP error: Can't contact LDAP server - no response received

2023-01-06 Thread Rafael Jeffman via FreeIPA-users
On Fri, Jan 6, 2023 at 10:30 AM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > > > > --- > Francis Augusto Medeiros-Logeay > Oslo, Norway > > On 2023-01-06 14:05, Rob Crittenden via FreeIPA-users wrote: > > Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > >> Hi, > >> > >> I a

[Freeipa-users] Re: Replica install: LDAP error: Can't contact LDAP server - no response received

2023-01-06 Thread Rafael Jeffman via FreeIPA-users
On Fri, Jan 6, 2023 at 9:40 AM Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: > > Hi, > > I am trying to create a replica, but somehow I keep getting this error: > > [26/39]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progre

[Freeipa-users] Re: keycloak - the other way around?

2022-06-29 Thread Rafael Jeffman via FreeIPA-users
On Tue, Jun 28, 2022 at 5:48 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > > On 28/06/2022 07:08, Alexander Bokovoy wrote: > > On ma, 27 kesä 2022, lejeczek via FreeIPA-users wrote: > >> > >> > >> On 09/11/2021 06:40, Alexander Bokovoy wrote: > >>> On ti, 09 mar

[Freeipa-users] Re: Are URI dns records required?

2022-05-25 Thread Rafael Jeffman via FreeIPA-users
Hi Ranbir, On Wed, May 25, 2022 at 12:46 AM Ranbir via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > My employer uses Windows for DNS and would prefer to keep using that > instead of freeipa's integrated DNS. Ok, sure, why not? I don't like > it, but there are bigger b

[Freeipa-users] Re: Which Ubuntu OS version have FreeIPA version 4.7.x ?

2022-04-08 Thread Rafael Jeffman via FreeIPA-users
On Thu, Apr 7, 2022 at 12:08 PM GAURAV Pande via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi Guys , > > Apologies for dumb question if it sounds but could you let me know which Ubuntu version comes with FreeIPA 4.7.x versions ? Couldn't find any solid reference . Thanks Tr

[Freeipa-users] Re: freeipa and pihole integration, so no forwarders

2022-02-09 Thread Rafael Jeffman via FreeIPA-users
Hi Rob, On Wed, Feb 9, 2022 at 9:32 AM Rob Verduijn via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi all, > > I'm trying to reduce the number of systems in my network. > Currently if I want to use a pi-hole in combination with freeipa one of > them is going to use the other a

[Freeipa-users] Re: new DNS setup

2022-02-09 Thread Rafael Jeffman via FreeIPA-users
Hello Stephen, On Fri, Feb 4, 2022 at 1:17 PM Stephen Berg, Code 7309 via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > New-ish ipa-4.9.6 setup on rocky linux 8.5. Initially we just setup the > basic IPA services without DNS. I've started setting up ipa-dns now and > not quite s

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Rafael Jeffman via FreeIPA-users
Hello Angus, Besides what Peter has written, let's get this warning from FreeIPA site [1]: > **Avoid name collisions** > We strongly recommend that you do not use a domain name that is not > delegated to you, even on a private network. For example, you should > not use domain name company.int if

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Rafael Jeffman via FreeIPA-users
;t used FreeIPA's DNS. > If you don't use FreeIPA's DNS, there is no problem in using whatever your DNS nameserver supports, as long as FreeIPA entries are correct and accessible. You may find which records need to be available with `ipa dns-update-system-records --dry-run`. Hope

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Rafael Jeffman via FreeIPA-users
Sorry for the top reply, but this is more an overview about all messages than a direct answer. Everything here assumes you are using FreeIPA's integrated DNS. First, it was suggested that split view DNS is used. Don't do that, as it is not supported by FreeIPA. Use it only if you manage your own e

[Freeipa-users] Re: Freeipa-client not available for debian bullseye

2021-10-14 Thread Rafael Jeffman via FreeIPA-users
On Thu, Oct 14, 2021 at 12:31 PM ahmed zakraoui via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hello, > > OK I know that there were an old discussion about this but still today, after the release of bullseye 11.1 the freeipa-client package is still not available. > We are usin

[Freeipa-users] Re: ansible freeipa get info

2021-10-13 Thread Rafael Jeffman via FreeIPA-users
Hello Nathanael, On Wed, Oct 13, 2021 at 6:55 PM Nathanaël Blanchet via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hello, > > I'm used to get informations/facts from any API based product such as > ovirt or awx with either a module (ovirt_vm_info ) or either a lookup > plugin

[Freeipa-users] Re: Waiting for CA subsystem to start

2021-08-17 Thread Rafael Jeffman via FreeIPA-users
On Tue, Aug 17, 2021 at 5:46 PM Per Qvindesland via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Is selinux enabled? > This should make no difference. What are the package versions related to this issue? Rafael > Sent from my Commodore 64 > > > 13. aug. 2021 kl. 13:29 skrev

[Freeipa-users] Re: FreeIPA Upgrade F31 -> F32: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

2021-07-01 Thread Rafael Jeffman via FreeIPA-users
On Thu, Jul 1, 2021 at 9:34 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > > On 12/05/2021 08:03, Florence Renaud via FreeIPA-users wrote: > > Hi, > > this is a known selinux-policy issue, tracked at > > https://bugzilla.redhat.com/show_bug.cgi?id=1894132 > >

[Freeipa-users] Re: dns of two out of three masters not up to date

2021-06-21 Thread Rafael Jeffman via FreeIPA-users
Hello, On Mon, Jun 21, 2021 at 3:40 PM Kees Bakker via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > There is nothing in the daemon logs with "syncrepl" or "sync_repl". > > Should there be a syncrepl log for every update? Or only when there > is a failure? > > Do I need

[Freeipa-users] Re: DNS Locations and external DNS

2021-06-14 Thread Rafael Jeffman via FreeIPA-users
Hello Ronald, On Mon, Jun 14, 2021 at 8:12 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Is it sufficient to create DNS locations in IPA and do a ipa > dns-update-system-records --dry-run in order to populate new DNS Zone > information to the external DNS sy

[Freeipa-users] Re: python3-ipaserver installutils.py missing IPA_MODULES list

2021-06-04 Thread Rafael Jeffman via FreeIPA-users
Iulian, I need more details on what is going on then. Can you provide the Ansible output with -vvv, your inventory file and the relevant tasks from the playbook? Rafael On Thu, Jun 3, 2021 at 4:54 AM iulian roman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rafael , > >

[Freeipa-users] Re: python3-ipaserver installutils.py missing IPA_MODULES list

2021-06-01 Thread Rafael Jeffman via FreeIPA-users
Hello Iulian, Which version of ansible-freeipa are you using? IIRC, this issue has been fixed in version 0.2.0. Rafael On Thu, May 27, 2021 at 6:28 AM iulian roman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everybody, > > I do not know if this is the right place t

[Freeipa-users] Re: Debian Docker container FreeIPA Server Installation error

2021-04-13 Thread Rafael Jeffman via FreeIPA-users
Hello, On Tue, Apr 13, 2021 at 8:23 AM Guille Colmena via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Rob, > > Thank you for the advice. The only thing is that I have tried to do the > installation on a Debian VM (Buxter 10) and I have got the same error > message in the

[Freeipa-users] Re: ipa-server-install w/o password on command line?

2021-03-25 Thread Rafael Jeffman via FreeIPA-users
On Thu, Mar 25, 2021 at 6:53 AM Dominik Vogt via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > We want to generate the initial passwords at random. Is there a > non-interactive method of telling ipa-server-install the passwords > (-a and -p options) that does not require putting

[Freeipa-users] Re: Speeding up installation?

2021-03-08 Thread Rafael Jeffman via FreeIPA-users
If you have a "template" VM with the packages installed, you can clone the VM, and it will take around 5-6 minutes to install (or less). If you can use a pre-configured VM, just use snapshots (I usually have "before_ipa", "after_packages", and "after_install" snapshots). Rafael On Mon, Mar 8, 202

[Freeipa-users] Re: FreeIPA sudo command

2021-02-02 Thread Rafael Jeffman via FreeIPA-users
On Tue, Feb 2, 2021 at 12:04 PM Mustapha Aissat via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi all, > > I have a question regarding sudo command and rules in FreeIPA, is it possible to allow a user to only install packages and not remove? > for example the sudo command will

[Freeipa-users] Re: FreeIPA 4.9.1 released

2021-02-02 Thread Rafael Jeffman via FreeIPA-users
On Tue, Feb 2, 2021 at 12:23 PM Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > On ke, 27 tammi 2021, Alexander Bokovoy via FreeIPA-users wrote: > >On ke, 27 tammi 2021, Dirk Streubel via FreeIPA-users wrote: > >>Hello Alexander, > >> > >>will this Version ava

[Freeipa-users] Re: ansible-freeipa in RHEL8.1

2021-01-21 Thread Rafael Jeffman via FreeIPA-users
Hello Dominik, ipaconfig is available since 0.1.10 release, and iparole since 0.2.0 release, but there is currently no plan to rebase the ansible-freeipa that comes in RHEL 8.1. To be able to use both roles you might need to wait for RHEL 8.4, as 8.3 has version 0.1.12, and does not have iparole.

[Freeipa-users] Re: chronyd support in freeipa server?

2021-01-20 Thread Rafael Jeffman via FreeIPA-users
On Wed, Jan 20, 2021 at 4:15 PM Kent Brodie via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > I have found online docs proposing chronyd support for freeipa (target 4.7). > > I am running 4.8. Does support for using chronyd instead of ntpd exist yet? I have not found anythin

[Freeipa-users] Re: Running ipa commands through Ansible

2021-01-08 Thread Rafael Jeffman via FreeIPA-users
On Fri, Jan 8, 2021 at 11:03 AM Dominik Vogt via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > We have to set up the ipa-server with Ansible scripts, but there > isn't a module for everything. For example, this command needs to > be executed. > > - name: ... > shell: ipa co

[Freeipa-users] Re: Slave Zones in FreeIPA Integrated DNS Server

2020-12-29 Thread Rafael Jeffman via FreeIPA-users
On Tue, Dec 29, 2020 at 1:12 PM Juarez Souza Junior via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi All! > > Somebody knows if is possible to add a slave zone declaration in the > integrated DNS Server of FreeIPA? Something similar to standard BIND server > configuration. >

[Freeipa-users] Re: Error during FreeIPA installation

2020-10-27 Thread Rafael Jeffman via FreeIPA-users
Hi, As stated in the error, KDC will not work if it resolves to the localhost (::1) address. To fix your installation, modify your /etc/hosts to
```
::1 localhost localhost6
10.27.3.2 freeipa-2.packet.das-schiff.io freeipa-2
```
Take care, Rafael On Tue, Oct 27, 2020 at 10:50 AM Charl

[Freeipa-users] Re: Deploying freeipa-client with ansible-freeipa behind haproxy

2020-10-26 Thread Rafael Jeffman via FreeIPA-users
Hello, On Mon, Oct 26, 2020 at 2:13 PM Ulrich-Lorenz Schlüter via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hello there, > > when I deploy the freeipa-client to hosts behind a haproxy most of the > hostnames get changed to the rDNS entry of the haproxy. The > freeipa-clients

[Freeipa-users] Re: OK_AS_DELEGATE by default

2020-10-01 Thread Rafael Jeffman via FreeIPA-users
On Thu, Oct 1, 2020 at 12:59 PM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > On 01.10.20 17:46, Alexander Bokovoy wrote: > > On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote: > >> Is it possible to set this flag by default for all new IPA hosts? > > >

[Freeipa-users] Re: BadRequest when using freeipa-python

2020-09-18 Thread Rafael Jeffman via FreeIPA-users
On Thu, Sep 17, 2020 at 9:59 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Anyone using freeipa-python here? When I try to use > > client.host_mod('myserver.mydomain.at', userclass='SomeUserClass') > > the user class is set correctly on the host above but I do

[Freeipa-users] Re: Deploying IPA on AWS

2020-05-27 Thread Rafael Jeffman via FreeIPA-users
William, Once I had to set up an IPA master and a few clients on AWS, and had issues with its DNS, since the external name does not match the internal name; hence, clients could not enroll (which I believe is similar to what you are facing with replicas). What I did, using Ansible (and ansible-free

[Freeipa-users] Re: Reverse DNS zones with AD Trust

2020-05-21 Thread Rafael Jeffman via FreeIPA-users
Hello Vinicius, If you follow the rules found in Deployment Recommendations [1] I don't see why it wouldn't work. I think your best option is to follow the old discussion [2], and set delegation on AD side, and PTR records on IPA side. You'll also need to grant permission for the dynamic updates a

[Freeipa-users] Re: Ansible and ipa-getkeytab issues

2020-05-11 Thread Rafael Jeffman via FreeIPA-users
Hi Peter, Looks like the whole environment is cleaned up when using the `command` module, including Kerberos tickets. For example, this does not work. ``` --- - name: Test KRB5 hosts: ipaserver become: yes gather_facts: no tasks: - name: Login to IPA Master command: echo "SomeADMIN

[Freeipa-users] Re: Ansible tasks for certprofiles and ca-acls

2020-04-22 Thread Rafael Jeffman via FreeIPA-users
Hi Philipp, You might not want to use wildcard certificates ( https://tools.ietf.org/html/rfc6125#section-7.2). I don't know of any module that can directly manage certprofiles and ca-acls using Ansible and FreeIPA. It is not the best solution, but you might use `command` and follow the Howto/Wil

[Freeipa-users] Re: Centos 6 FreeIPA Client install Error

2020-04-16 Thread Rafael Jeffman via FreeIPA-users
Hello, Is this using ansible-freeipa roles? If so, you'll need RHEL/CentOS 7.4+ for it to work. Rafael On Thu, Apr 16, 2020 at 7:41 AM Faraz Younus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Team, > > I'm trying to add client with hostname abc.example.com on freeip se

[Freeipa-users] Re: How to set up kerberized web service with access control?

2020-04-16 Thread Rafael Jeffman via FreeIPA-users
Hello Dominik, I haven't done it myself, but I'd start here: https://www.freeipa.org/page/Web_App_Authentication Rafael On Thu, Apr 16, 2020 at 5:11 AM Dominik Vogt via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > on RHEL8.0, we've set up a small cluster with a

[Freeipa-users] Re: ansible ipa_group failure

2020-03-07 Thread Rafael Jeffman via FreeIPA-users
gards > Monkey > > On Fri, 2020-03-06 at 14:45 -0300, Rafael Jeffman via FreeIPA-users wrote: > > Hello, > > There is an open issue about this: > https://github.com/ansible/ansible/issues/25660 > > You can try ansible-freeipa (https://github.com/freeipa/ansible-freeipa)

[Freeipa-users] Re: ansible ipa_group failure

2020-03-06 Thread Rafael Jeffman via FreeIPA-users
Hello, There is an open issue about this: https://github.com/ansible/ansible/issues/25660 You can try ansible-freeipa (https://github.com/freeipa/ansible-freeipa), that has an idempotent ipagroup module. Regards, Rafael On Wed, Mar 4, 2020 at 9:54 AM Monkey Bizness via FreeIPA-users < freeipa-