On Mon, 2025-09-15 at 10:21 -0400, Rob Crittenden via FreeIPA-users
wrote:
> I'd suggest you reduce this to a smaller value, say 200, and see how
> that goes. Every API command that does an LDAP search uses this value
> to
> restrict the amount of data returned. The value of 100 was chosen to
> dis
I'm seeing an error I've never seen before and don't really understand.
I added our 34th AlmaLinux 9 IdM master to the topology. After I did
that, I can no longer run any ipa command or login to the web UI of any
member IdM master.
For example:
$ ipa config-show
ipa: ERROR: Configured size limit
On Thu, 2025-09-11 at 11:16 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> Hi,
>
> all the ipa * calls use a search size limit and search time limit to
> avoid returning too many entries. In order to see those settings, you
> can do:
> # kinit admin
> # ipa config-show
> ...
> Search tim
Hello,
I have an AlmaLinux 9 IdM domain which is working just fine. A new
master I stood up was moved into a restricted access network where it
unfortunately ended up being disconnected from the topology for almost
two weeks.
The two "outside" AL9 IdM masters that it had a replication agreement
w
On Tue, 2023-08-15 at 12:09 -0400, Mark Reynolds via FreeIPA-users
wrote:
> What was happening at this time? Is there anything before this
> message
> in the log? Like an LDIF import?
I know I'm replying to an old thread, but I started it and I'm seeing
the same errors still and I looked online
Hello,
Would it be enough to add "dyndns_update = True" to the enrolled host's
sssd.conf and restart sssd to enable DDNS updates on the enrolled host?
Note: DDNS updates are already enabled on the server side. DDNS is also
working with other hosts that were enrolled with the feature enabled
from
Hello Everyone,
Can I migrate a freeipa enrolled host, host.domain.tld, to a brand new
host with the same name without disrupting services that depend on
keytabs on the old host? The keytab files from the old host should just
work on the new one as long as the hostnames are exactly the same,
right
On Fri, 2024-08-30 at 21:30 -0400, Ranbir via FreeIPA-users wrote:
> On Fri, 2024-08-30 at 10:53 +0200, Florence Blanc-Renaud via FreeIPA-
> users wrote:
> > Did you define any dnsforwardzone?
> > ipa dnsforwardzone-find
>
> That's a negative, too.
>
> [roo
On Fri, 2024-08-30 at 10:53 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> Did you define any dnsforwardzone?
> ipa dnsforwardzone-find
That's a negative, too.
[root@ipa01 ~]# ipa dnsforwardzone-find
Number of entries returned 0
On Thu, 2024-08-29 at 16:11 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> - does your Fedora 40 host have any hosts defined in its local
> /etc/hosts?
It's the default file; no manual entries.
> - on your IDM servers, do you have any DNS forwarder setup?
I do not.
> kinit admin
> ipa
Hi Everyone,
I'm running into a weird DNS resolution problem (at home) for an
external subdomain.
rogersbank.com can be looked up from my Fedora 40 host joined to a two
server AlmaLinux 9 IdM domain:
$ dig rogersbank.com
; <<>> DiG 9.18.28 <<>> rogersbank.com
;; global options: +cmd
;; Got answ
On Tue, 2024-08-27 at 12:49 +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> Did you look into man page faillock.conf(5)?
>
> local_users_only
> Only track failed user authentications attempts for local
> users in /etc/passwd and ignore centralized (AD, IdM,
> LDAP,
>
Hello,
Is it possible to enable the sssd profile feature, "with-faillock", for
local accounts, even root, on a freeipa enrolled AlmaLinux 8 host in a
freeipa domain that's in a trust with AD? What a mouthful.
I can enable "with-faillock", but it appears to enable it for local and
trusted users. P
Hello Everyone,
Is there a flag to disable all caching in sssd? I know we shouldn't
disable the various caches. However, I'm working on isolating a problem
we're seeing between our firewall and AD.
The firewall has a plugin that monitors AD for session information.
When a login occurs, the firewa
On Tue, 2023-08-15 at 10:46 -0400, Ranbir via FreeIPA-users wrote:
>
> I'll reply with a link to the issue after I've submitted it.
Submitted:
https://github.com/389ds/389-ds-base/issues/5898
--
Ranbir
___
FreeIPA-users mailing
On Tue, 2023-08-15 at 14:08 +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> This is from 389-ds backend database code.
>
> I'd suggest you to open an issue with them directly
> (https://github.com/389ds/389-ds-base/issues/)
I can certainly do that, though it seems weird I'd report it to a
com
I'm seeing errors like the ones below on my ipa servers (excuse the wrapping):
[11/Aug/2023:22:07:37.684144411 -0700] - ERR - get_value_from_string - type
does not match: dsEntryDN != dsEntryDN;vucsn-64d5d55800040013
[11/Aug/2023:22:07:37.686865097 -0700] - ERR - get_value_from_string - t
On Wed, 2022-12-21 at 09:59 +0200, Alexander Bokovoy via FreeIPA-users
wrote:
[snip]
That was all excellent info. Thank you.
> Now, if you have no people at your organization to implement a plugin
> to
> provide an integrated solution, you can write down the logic you need
> to
> create all addi
On Wed, 2022-12-21 at 09:09 +0100, Ronald Wimmer via FreeIPA-users
wrote:
> This concept could easily be customized to allow a single user only
> and
> give it sudo permissions.
This sounds like there is at least some usage of python to interact
with IPA. I unfortunately do not know python and I
On Tue, 2022-12-20 at 08:22 +0200, Alexander Bokovoy via FreeIPA-users
wrote:
> FreeIPA does not provide generation capabilities in itself. These
> things
> are specific to individual deployments and their logic is impossible
> to
> automate in a generic way without exposing some kind of a general
On Tue, 2022-12-20 at 13:08 +1000, Fraser Tweedale via FreeIPA-users
wrote:
> I don't see a way around it. But I could be overlooking something.
That's exactly what I was thinking.
> It would be nice if you could associate workstations (hosts) to
> users directly, then automatically generate/inf
We have many users that run GNU/Linux workstations. At the moment
everyone is using local accounts. We want to convert them to IPA
clients and still allow them sudo privileges on their own workstations.
It's easy to grant them access to their workstations by making them all
a member of a "workstat
Hi Everyone,
When I try to run "sudo su - [user]" on an Ubuntu 20 or Ubuntu 22
client, I get the error "su: Permission denied". Upon enabling
debug_level = 6 for the domain, I saw in the log the message "Access
denied by HBAC rules".
Well, that's odd since my user is in a group that is allowed to
Hello Everyone,
I've configured IPA Locations for all our sites and added site specific
IPA servers to each one. I've also configured the first few IPA clients
to use only the IPA DNS servers that are in the same location as the
IPA clients.
These are the three pertinent options set on the IPA cl
On Fri, 2022-09-09 at 08:53 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> Are you aware of the following guide: Tuning performance in Identity
> Management [1] ? It contains a chapter that may help clarify settings
> to apply on servers vs clients: Tuning SSSD performance for large
> IdM
Hi Everyone,
I've been tweaking sssd.conf configs on the masters and clients in my
AlmaLinux 9 IdM domain (it's in a trust with AD, too). Sometimes it's
easy to tell when a particular option belongs on the master or on the
client or on both. Most of the time though, I don't know for sure when
to p
On Thu, 2022-08-25 at 19:41 +0100, Sam Morris via FreeIPA-users wrote:
> Interesting. After installing sssd on a fresh system there isn't an
> /etc/sssd/sssd.conf file. I guess ipa-client-install ultimately needs
> to
> make sure it's not enabling services that are already enabled via
> socket
>
On Thu, 2022-08-25 at 18:44 +0100, Sam Morris via FreeIPA-users wrote:
> I thought krb5-pkinit is only needed if you want to use PKINIT? sssd
> uses the host/$HOSTNAME principal to establish a FAST channel for
> pre-authentication, so I don't see how krb5-pkinit affects things?
My goal there was
On Thu, 2022-08-25 at 09:42 +0300, Sami Hulkko via FreeIPA-users wrote:
> No probs in Ubuntu 22.04.1, that's for sure.
Well, that's encouraging.
What does your sssd.conf look like? Which version of freeipa are you
using? Also, is your freeipa domain in a trust with AD?
My CentOS, Rocky Linux an
On Thu, 2022-08-25 at 09:35 -0400, Rob Crittenden wrote:
> I'd suggest you open Ubuntu bugs on the missing dependency and
> services
> issue.
I've already found bug entries about the services problem; I don't
recall if they were closed. But, considering I'm seeing the same issue
as described in th
Hello All,
Has anyone successfully enrolled an Ubuntu 22 client into an AlmaLinux
9 IdM or Rocky Linux 9 IdM domain in a trust with AD _and_ managed to
have consistently fast and reliable logins into that Ubuntu 22 client
with AD users? I sure haven't.
I have been smashing my head into a wall tr
On Tue, 2022-08-16 at 14:20 -0400, Ranbir via FreeIPA-users wrote:
> Am I doing something incorrectly?
Darn. Looks like others are running into the same issue and it's been a
long standing problem. I'll just put the link to the last list thread I
found about it:
https://lists.fed
Hi All,
Has anyone else noticed the list is a lot quieter than it used to be?
There's much less engagement from the devs and users are replying more
often to themselves. That's what I've noticed anyway. Maybe I'm wrong,
but it sure looks that way to me.
Is using freeipa or IdM in one of the RHEL
On Mon, 2022-08-08 at 12:01 -0400, Ranbir via FreeIPA-users wrote:
> It's the CentOS 7 client that's also reporting not being able to find
> the name for the admin group ID.
After a lot of testing, I've narrowed the problem down to when I use ID
Views. As soon as I'
On Fri, 2022-08-05 at 17:58 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> Are those groups defined inside IdM (ie can you find the group with
> "ipa group-find --gid 1762200513" for instance)?
The majority of groups are in AD. The only groups in IdM are the POSIX
groups I've created to
On Thu, 2022-07-28 at 17:13 -0400, Ranbir via FreeIPA-users wrote:
> I've never experienced this before in an idm environment. What's
> causing the issue?
No pointers, eh? Hmmm, well I've tried the low hanging things I can
think of, like making sure the sssd cache has been
Hi Everyone,
I migrated an Ubuntu 20.04 client from NIS authentication to an
AlmaLinux 9 IdM domain. I purged the NIS package, installed the
freeipa-client, successfully enrolled it into the domain and now when I
login via ssh, I get these messages:
groups: cannot find name for group ID 17622005
Hello All,
I don't see a direct option that would allow the auto creation of a
home directory in a different location if the default home directory
provided by autofs isn't available for one reason or another. Is there
a workaround that could let me do that? I'm thinking that maybe I could
do some
On Fri, 2022-06-24 at 10:30 +0200, Florence Blanc-Renaud via FreeIPA-
users wrote:
> There is no tool to remove only the trust controller role. I'm afraid
> you need to go through the uninstallation of the server and re-
> install the server with only the roles you wish to configure on it.
> This t
On Thu, 2022-06-23 at 13:07 -0400, Ranbir via FreeIPA-users wrote:
> Is it possible to remove the trust controller role from masters? I
> ran
> the trust agent setup on two masters that I just wanted to handle the
> trust agent role and now they're showing up as trust controllers,
Hi Everyone,
Is it possible to remove the trust controller role from masters? I ran
the trust agent setup on two masters that I just wanted to handle the
trust agent role and now they're showing up as trust controllers, too.
I don't know why that happened since I've done this before.
I could run
On Mon, 2022-06-20 at 22:06 -0400, Ranbir via FreeIPA-users wrote:
> I've run it now a few times with the same result. Which one of the
> myriad of logs should I check to maybe understand why this is
> happening?
I fixed it.
I used to have a second internal DNS domain that I used
On Mon, 2022-06-20 at 22:06 -0400, Ranbir via FreeIPA-users wrote:
[snip]
Sorry, Rob! I clicked on the wrong email in another message when I
composed my message. I didn't mean to also address you.
--
Ranbir
Hello Everyone,
I have an AlmaLinux 9.0 client enrolled into a 4.9.8 ipa domain running
on a Rocky Linux 8.6 server. I'm running the following command on the
client to request a cert:
ipa-getcert request -I cockpit -k /etc/cockpit/ws-certs.d/0-cockpit.key
-f /etc/cockpit/ws-certs.d/0-cockpit.crt
On Wed, 2022-06-15 at 07:19 +0200, Sumit Bose via FreeIPA-users wrote:
> it you have an AD user with samAccountName=abc in a domain called
> ad.dom
> which has set userPrincipalName=x...@example.com calling
>
> getent passwd x...@example.com
>
> should return the user entry for a...@ad.dom.
>
Hello Everyone,
I have a situation where users' UPN in AD for the domain that my ipa
domain has a trust with has been modified to look nothing like the
domain account. The user name and suffix entered in the UPN don't match
the AD account name or the trusted domain.
I've used ipa trust-mod to add
On Fri, 2022-06-10 at 15:18 -0400, Ranbir via FreeIPA-users wrote:
> The problem is also that /etc/nsswitch.conf isn't being updated. Does
> the client install use /etc/nsswitch.conf after it's supposed to get
> updated to use sssd for lookups?
>
I got the CentOS 7 machine
On Fri, 2022-06-10 at 08:53 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Are the clients also running Rocky?
>
The first two clients are running Rocky Linux 8 and Centos 7. The Rocky
system is brand new, while the CentOS 7 server was using NIS before.
I've successfully done NIS to ipa swaps b
Hi All,
I'm running a Rocky IdM domain with six masters. I have a one way trust
configured with the AD domain. I can look up users in AD from the trust
agents and controllers. So far so good.
I'm now doing a typical client enrollment, which is something I've done
many, many times before. The clie
On Wed, 2022-06-08 at 09:57 +0200, Sumit Bose via FreeIPA-users wrote:
> I'm sorry, it looks like the default for the new 'pac_check' option
> is
> too strict. Please try to set
>
> pac_check = check_upn, check_upn_dns_info_ex
>
> in the [pac] section of sssd.conf and then try to update again
On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users
wrote:
> # SSSD 2.7.1
>
>
> ### Configuration changes
>
> * New option `implicit_pac_responder` to control if the PAC responder
> is
> started for the IPA and AD providers, default is `true`.
> * New option `krb5_check_pac` to c
On Tue, 2022-05-31 at 16:29 -0400, Rob Crittenden via FreeIPA-users
wrote:
> I wonder if it doesn't have permission because the DNS service was
> not
> installed.
Not every master is providing DNS, but the one the replica found
definitely is.
I changed the install options to use that server speci
On Tue, 2022-05-31 at 16:16 -0400, Rob Crittenden via FreeIPA-users
wrote:
> How are you installing the replica?
>
ipa-replica-install --domain the.domain.tld --realm THE.DOMAIN.TLD -P admin -w
'[passwd]' --setup-ca --setup-dns --mkhomedir --ssh-trust-dns --no-reverse
--forwarder 1.2.3.4
The s
On Fri, 2022-05-27 at 23:10 -0400, Ranbir via FreeIPA-users wrote:
> Replica DNS records could not be added on master: Insufficient
> access:
> Insufficient 'add' privilege to add the entry
> 'idnsname=ipa04,idnsname=theinside.rnr.,cn=dns,dc=theinside,dc=rnr'.
>
Hi All,
I have a freeipa domain that I've been upgrading from running on CentOS
7.9 to Rocky Linux 8.6. The domain is only two servers: one is still
CentOS 7.9 and one is now Rocky Linux 8.6. The old CentOS 7.9 server it
replaced has already been dropped from the domain.
I added a new Rocky Linux
On Wed, 2022-05-25 at 08:59 -0300, Rafael Jeffman via FreeIPA-users
wrote:
>
> URI records were introduced as they are the preferred discovery
> method for
> MIT Kerberos 1.15+. Previous Kerberos versions and AD use SRV
> records.
>
> IPA will still work without the URI records.
Cool! Thanks fo
Hello,
My employer uses Windows for DNS and would prefer to keep using that
instead of freeipa's integrated DNS. Ok, sure, why not? I don't like
it, but there are bigger battles to fight.
I did the install on the first server without DNS, grabbed the DNS
records that needed to be imported into Wi
Hello Everyone,
I'm a long time freeipa admin, but I've never used its NIS
compatibility features. I'm also not well versed with NIS in general.
Anyway, I'm testing out migrating NIS users, netgroup, etc. to freeipa
and pointing a test NIS client at the freeipa server to get the NIS
users, groups,
On Tue, 2021-08-10 at 08:47 +, Christopher Lamb via FreeIPA-users
wrote:
> However I cannot log in to the Fedora Desktop (Gnome) of the VM
> running freeipa-server with the freeipa users. —> NOT OK.
>
> Any ideas?
Create an HBAC rule that allows you or a group you're in to access your
host (
On Mon, 2021-08-02 at 18:05 -0400, Rob Crittenden via FreeIPA-users
wrote:
> We can't anticipate every possible script one may want to run.
>
Yes, that's not lost on me and I completely understand. Still, I wish
there wasn't a denial! lol
> It was suggested you ask the SELinux folks about the AV
On Tue, 2021-07-27 at 08:45 +, Sam Morris via FreeIPA-users wrote:
> If you can reproduce this on Fedora or CentOS Stream then it's worth
> filing a bug on Red Hat bugzilla (but of course have a search first
> to see if this particular behaviour has been seen before).
I migrated the host to Ce
On Mon, 2021-07-26 at 22:02 +, Sam Morris via FreeIPA-users wrote:
>
> I'm surprised setting your script to certmonger_unconfined_exec_t
> didn't help - - can you try the ausearch command after doing so &
> confirm that your script is now running in the certmonger_unconfined_t
> domain?
I ran
On Mon, 2021-07-26 at 19:21 -0400, Ranbir via FreeIPA-users wrote:
> I ran your test on my server, but it failed to run the command on my
> end. Also, the steps reported by certmonger are different for me:
>
> New signing request "20210726231003" added.
> State NEWLY_ADDE
On Mon, 2021-07-26 at 08:20 -0400, Rob Crittenden via FreeIPA-users
wrote:
> [root@ipa] # cat /usr/local/sbin/testme
> #!/bin/sh
> touch /tmp/hello
> [root@ipa]# ls -l /tmp/hello
> ls: cannot access '/tmp/hello': No such file or directory
> [root@ipa]# ipa-getcert request -f /etc/pki/tls/certs/test
On Mon, 2021-07-26 at 16:38 +, Sam Morris via FreeIPA-users wrote:
> If you are running SELinux in enforcing mode then it's possible that
> your script is being confined by the certmonger_t domain, which could
> prevent your file copy from working.
>
> You can search for AVC denials related to
On Mon, 2021-07-26 at 08:20 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Perhaps the command isn't executable?
It's definitely executable because I ran the script on its own. The
podman command works if I use it directly instead of from the script.
That's why I'm confused!
> It works fine fo
Hello Everyone,
I'm running an updated CentOS 8 KVM on an up to date CentOS 7 host. My
freeipa servers are CentOS 7 hosts and fully updated, too. In the KVM I'm
requesting a certificate from my freeipa CA, which in and of itself
works just fine. But, when I add a post-save command, that command is
nev
On 2020-09-16 18:28, Ranbir via FreeIPA-users wrote:
On Wed, 2020-09-16 at 13:02 +0200, Sumit Bose via FreeIPA-users wrote:
sssctl should show all the IPA servers which can be found with a DNS
SRV
query. Does e.g.
host -t SRV _ldap._tcp.your.ipa.domain
show more servers than the sssctl
On Wed, 2020-09-16 at 13:02 +0200, Sumit Bose via FreeIPA-users wrote:
> sssctl should show all the IPA servers which can be found with a DNS
> SRV
> query. Does e.g.
>
> host -t SRV _ldap._tcp.your.ipa.domain
>
> show more servers than the sssctl output? If yes, can you show some
> examples
On Tue, 2020-09-15 at 17:58 -0400, Rob Crittenden via FreeIPA-users
wrote:
> If the line contains _srv_ then it should include others. It does for
> me.
>
The first entry is _srv_ on all of the clients. I also see a second
entry after _srv_, which is one of the masters. On most of the clients,
it
Hello Everyone,
When I run "sssctl domain-status [domain]", should I see a list of all
the masters in the domain under the "Discovered IPA servers" section?
I'm assuming I'm supposed to. Right now, I'm not. I don't know if it's a
DNS problem (maybe a missing SRV record), but basic name resolution
On Mon, 2018-10-08 at 19:28 -0400, Ranbir via FreeIPA-users wrote:
> What do I need to add to my freeipa DNS configuration to make this
> work properly?
I figured it out on my own: I had to enable dynamic updates for the
second zone.
After enabling dynamic updates, ipa-client-install add
Hello,
I have freeipa running with two DNS zones: one I configured during the
initial install and a second one I added later. This new zone is
obviously still part of the same kerberos realm.
When I join a client in the new DNS zone to the freeipa domain, I see
these errors:
Failed to update DN
On Thu, 2018-09-06 at 16:24 -0400, Simo Sorce via FreeIPA-users wrote:
> I need to ask, if you really mean "delegation" or if you mean
> "single-
> sign-on" here.
I definitely am. I've been using the -K switch for ssh to ensure GSSAPI
credentials are used and forwarded.
> Delegation is completely
On Thu, 2018-09-06 at 19:25 +0300, Alexander Bokovoy via FreeIPA-users
wrote:
>
> By default FreeIPA deals with fully qualified host names. Unless you
> added non-FQDN names as aliases to your host records in IPA (I
> suspect
> you don't), doing non-FQDN ssh access will not work if they aren't
> r
On Thu, 2018-09-06 at 19:04 +0300, Alexander Bokovoy via FreeIPA-users
wrote:
>
> Do you have
> GSSAPIDelegateCredentials yes
> on all your servers in /etc/ssh/ssh_config?
Ah crap, I didn't explain it fully: from some servers, GSSAPI
delegation only works when I use the FQDN for the server I
On Thu, 2018-09-06 at 05:08 +0200, Jochen Hein via FreeIPA-users wrote:
>
> You used "ssh ipa01", right? And the host has been enrolled with
> ipa01.theinside.rnr?
Yes.
> I have in my ~/.ssh/config:
> CanonicalizeHostname always
> CanonicalDomains example.org
I can try that. But, it doesn't a
Hello,
I have a Fedora 26 desktop joined to a freeipa domain running two ipa
4.5.4-10 servers on CentOS 7.5.1804. I have an odd "problem" I hope
someone here can help me fix.
I can ssh from my desktop to any server in the domain using my password
(i.e. interactive) or GSSAPI. Once on a server, I
Hello Everyone,
I have four CentOS 7.3 boxes running ipa that are in a one way trust
with an AD domain. Two servers are configured as trust agents and the
other two are trust controllers.
The trust agents and one trust controller are functioning properly.
That is, I can ssh to them and login with
On Mon, 2017-09-25 at 11:00 -0400, Rob Crittenden wrote:
>
> I'd refer you to the SECURITY NOTES in the sudoers man page to
> reconsider this approach.
You're referring to giving sudo to all commands and then trying to take
some things away? Ya, it's stupid, doesn't actually work and I don't
know
On Sun, 2017-09-24 at 02:28 -0400, Ranbir via FreeIPA-users wrote:
> I'm now thoroughly confused! Can anyone lend a hand?
I think I managed to achieve what I wanted by specifying a "sudo
order". Now I can give the user the ability to run every command as
another user (that that
Hi Everyone,
We have sudo rules like this on plain, non-freeipa domain CentOS
servers:
%group ALL=(someuser) ALL,!SU,!SHELLS
How would I implement the above in a freeipa domain? I've tried to name
my rules 01-group and 02-group and put the above into two separate
rules, but it didn't w