[Freeipa-users] Re: NFS4 kerberos auth for local services

On 21/05/2024 13.11, Djerk Geurts wrote: Thank you, that’s really helpful, especially how to test. For the 3CX service I do indeed need to add the GSS_USE_PROXY=yes, but as a side note, I’ll need to work out which service needs it as there are many daemons that make up 3CX. Anyway, this is on

[Freeipa-users] Re: NFS4 kerberos auth for local services

On 21/05/2024 12.15, Djerk Geurts via FreeIPA-users wrote: Hi all, Judging by my online searches, I’m far from the first to ask the question, but I’m keft with holes in my understanding of Kerberos and how services can authenticate via Kerberos (keytab). I’m switching from sec=sys to

[Freeipa-users] Re: User Agreement Description Field

On 23/04/2024 12.45, Riccardo Rotondo via FreeIPA-users wrote: Hi, I defined an Agreement in the web-ui and I can see loaded in noggin. I was wondering if the description support html, markdown or any other syntax in order to put an url clickable in the description. I made some tests but with

[Freeipa-users] Re: ipaclient-install.log certutil: Could not find cert:

On 12/04/2024 18.46, C Wilson via FreeIPA-users wrote: Hello I'm trying to roll out a new IPA server for our development environment and have nicely automated the server installation process with Ansible but when I've come to rolling out the clients I'm hitting this problem. When running

[Freeipa-users] Re: Possible to split a toplogy to 2 topologies?

On 05/04/2024 09.43, Heo Paul via FreeIPA-users wrote: Hi. I installed ipa-core servers in a toplogy and the version of those are 4.9.3. A topology : 1 <--> 2 <--> 3 <--> 4 <--> 5 <--> 6 For the record, that is a problematic topology with no fault tolerance and slow replication. Each server

[Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?

On 04/04/2024 13.24, Riccardo Rotondo via FreeIPA-users wrote: Hi Alexander, Thank you Alexander, this solution probably fits our needs. My only problem now is the I configured freeipa with docker, and in that image developer didn't include the Fedora Account System plugin for IPA so in the

[Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1

On 03/04/2024 16.21, Djerk Geurts via FreeIPA-users wrote: Not sure how long we’ll need to wait for a fix in Ubuntu 20.04, so we’re uplifting our jumphosts to Ubuntu 22.04. We were going to wait so we could go from 20.04 to 24.04, but alas… Thank you for your time! I'm the downstream

[Freeipa-users] Re: admin password changes when joing new replica

On 21/03/2024 18.42, Rob Crittenden via FreeIPA-users wrote: Schweiss, Chip via FreeIPA-users wrote: I'm building out a multisite installation. For unknown reasons, the 'admin' user password needs to be reset each time I join a new FreeIPA replica. It seems to happen a minute or two after the

[Freeipa-users] Re: Create IPA user via LDAP

On 13/02/2024 18.03, Ronald Wimmer via FreeIPA-users wrote: On 13.02.24 17:47, Rob Crittenden wrote: I don't think it's possible to speculate without knowing your process. This requires the cleartext password so assuming you create the staged user then immediately active them, that would be

[Freeipa-users] Re: ldap bind user, getting "invalid credentials"

On 13/02/2024 16.02, slek kus via FreeIPA-users wrote: Hi, can't get an application to work with FreeIPA (4.10.2). Created a bind users as per manual (https://www.freeipa.org/page/HowTo/LDAP) but keep getting invalid creds. Created the user as below: - [root@idm01 log]# ldapmodify -x -D

[Freeipa-users] Re: Create IPA user via LDAP

On 12/02/2024 14.15, Christian Heimes wrote: While writing the lines above another question came up in my mind: Is there a way to forbid password modification for IPA users so that users are forced to do that in an external sytem? Yes, that's easy, remove the self service permission "Self can

[Freeipa-users] Re: Create IPA user via LDAP

On 12/02/2024 13.32, Ronald Wimmer via FreeIPA-users wrote: On 12.02.24 13:23, Christian Heimes via FreeIPA-users wrote: On 12/02/2024 12.47, Ronald Wimmer via FreeIPA-users wrote: On 12.02.24 12:38, Christian via FreeIPA-users wrote: On 11/02/2024 22.40, Ronald Wimmer via FreeIPA-users wrote

[Freeipa-users] Re: Create IPA user via LDAP

On 12/02/2024 12.47, Ronald Wimmer via FreeIPA-users wrote: On 12.02.24 12:38, Christian via FreeIPA-users wrote: On 11/02/2024 22.40, Ronald Wimmer via FreeIPA-users wrote: Remark: If I set a new password for this particular user after the user has been activated, it works. We are still

[Freeipa-users] Re: Create IPA user via LDAP

On 11/02/2024 22.40, Ronald Wimmer via FreeIPA-users wrote: Remark: If I set a new password for this particular user after the user has been activated, it works. We are still facing this particular problem and do not have any clue why the initial password set by the external system does not

[Freeipa-users] Re: XRDP certificates via FreeIPA fails with an SELinux error

On 31/01/2024 13.28, Bo Lind via FreeIPA-users wrote: I'm rolling out some servers providing a graphical desktop, and everything is fine except this: our desktop software of choice is XRDP which needs a certificate. It ships with a self-signed one, but that gives warnings on the clients, so

[Freeipa-users] Re: How to do getkeytab through ansible-freeipa

On 07/12/2023 14.15, Kees Bakker via FreeIPA-users wrote: FWIW, the host principal of a system (host/$HOSTNAME) has permission to manage its own services. The principal can add new services and request a new keytab for a service. You can kinit with the host keytab to acquire a TGT for the host

[Freeipa-users] Re: How to do getkeytab through ansible-freeipa

On 07/12/2023 13.24, twoerner--- via FreeIPA-users wrote: Hello, On 12/7/23 12:50, Kees Bakker via FreeIPA-users wrote: Hi, Is this a good place to ask questions about ansible-freeipa ? Does anyone have an example to do getkeytab through ansible? What I want to achieve is the equivalence of  

[Freeipa-users] Re: Help with permissions on new objects/attributes

On 14/11/2023 09.18, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: I am a bit confused here. What should be an appropriate default_privileges value so that a system account can read all the entries/attributes below cn=mailserver,cn=etc? Who should be allowed to access the fields?

[Freeipa-users] Re: Help with permissions on new objects/attributes

On 14/11/2023 08.48, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: On Nov 14, 2023, at 07:39, Christian Heimes via FreeIPA-users wrote: I noticed that your plugin creates a bunch of managed permissions, but has no update code to wire them to privileges and roles. You have

[Freeipa-users] Re: Help with permissions on new objects/attributes

On 13/11/2023 22.43, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: I’d love if someone could please point me to the right direction to manage these permissions so that my binding user can see attributes and entries. The underlying acis are likely not created yet. Run

[Freeipa-users] Re: Current best practice: Backup/Restore?

On 18/10/2023 16.57, Harry G Coin wrote: On Tue, Oct 17, 2023 at 7:50 PM Christian Heimes via FreeIPA-users wrote: On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated' 'upgrades' to packages n levels deep but whose previously

[Freeipa-users] Re: Current best practice: Backup/Restore?

On 17/10/2023 19.32, Harry G Coin via FreeIPA-users wrote: 'security' and 'other' seemingly 'unrelated'  'upgrades' to packages n levels deep but whose previously un-noticed freeipa killing race-condition or other bug manifests after the upgrade.  I find myself obligated to prevent any

[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote: The password can be stored in Ansible Vault, prompted for, or whatever preferred Ansible secret management strategy you employ. I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then done via the loopback.

[Freeipa-users] Re: prevent 'sudo -i ' from executing

On 21/09/2023 18.21, Nathanaël Blanchet via FreeIPA-users wrote: Hello, I don't want my users to become root with simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

On 20/09/2023 16.01, Chris Cowan via FreeIPA-users wrote: Christian, Rereading this, I'm wondering if besides the "admin" user and "admins" group if there are any other special users or groups with FreeIPA? From my reading so far, I think the answer is no, but want to be sure. The

[Freeipa-users] Re: How to use ipa-dsu

On 30/08/2023 11.35, Duarte Petiz via FreeIPA-users wrote: Hello freeipa users! I'm trying to follow the guide that is available here: https://freeipa.readthedocs.io/en/latest/designs/disable-stale-users.html about ipa-dsu. I was trying to do a dry-run in order to check what it really does on

[Freeipa-users] Re: Basic set-up for 2FA for ubuntu linux authentication

On 29/08/2023 09.52, Ole Froslie via FreeIPA-users wrote: thanks for pointing me in the right direction, It works as expected now. You are welcome! For LDAP integration, I'm working on a new howto. The document in an early draft stage and I haven't checked it for typos and bugs. You may

[Freeipa-users] Re: Basic set-up for 2FA for ubuntu linux authentication

On 25/08/2023 14.20, Ole Froslie via FreeIPA-users wrote: Hi all, I do acknowledge that this topic has been discussed in various threads, but I am struggling to get it working and to understand the concepts. My use cases are to use OTP 2FA with for example Google Authenticator as additional

[Freeipa-users] Re: Restrict access in FreeIPA

On 23/08/2023 13.48, Ivan Nagornov via FreeIPA-users wrote: Hi all, just a small question about access control in FreeIPA which bomb my head around a few days: - is there any possibility to restrict ACI permissions in FreeIPA to limit their impact to another groups/users? We have a

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

On 19/08/2023 19.18, DFIRob via FreeIPA-users wrote: I might be missing something here, but if an account can manage all posixGroup objects then he's, from a attacker point of view, as privileged as a member of the admin group, isn't he? No, they can only add/remove groups and modify group

[Freeipa-users] Re: Would like to set up a "least privilege" admin only capable of managing POSIX groups, not users.

On 17/08/2023 18.31, Chris Cowan via FreeIPA-users wrote: Reading through the docs carefully, but I'm just wondering if anyone else has done this, and if there are any "gotchas" I have to worry about? FreeIPA has role-based access control that lets you define fine-grained permissions,

[Freeipa-users] Re: Creating permission to manage OTP Tokens

On 14/08/2023 14.11, spike via FreeIPA-users wrote: On 14.08.23 13:52, Christian Heimes via FreeIPA-users wrote: On 14/08/2023 07.37, spike via FreeIPA-users wrote: Hi, I've been trying to create a permission to allow certain users to manipulate all OTP Tokens. I found a post to this list

[Freeipa-users] Re: Creating permission to manage OTP Tokens

On 14/08/2023 07.37, spike via FreeIPA-users wrote: Hi, I've been trying to create a permission to allow certain users to manipulate all OTP Tokens. I found a post to this list from 2017 describing pretty much exactly what I want to do:

[Freeipa-users] Re: Broken plugin for FreeIPA Help Please

On 03/07/2023 15.44, Günther J. Niederwimmer via FreeIPA-users wrote: Am Montag, 3. Juli 2023, 14:26:13 CEST schrieb Christian Heimes via FreeIPA-users: > On 03/07/2023 14.15, Günther J. Niederwimmer via FreeIPA-users wrote: > > > Hello FreeIPA list, > > > > I go

[Freeipa-users] Re: Broken plugin for FreeIPA Help Please

On 03/07/2023 14.15, Günther J. Niederwimmer via FreeIPA-users wrote: Hello FreeIPA list, I got the ipa module freeipa-user-mailalternateaddress-master from github, unfortunately the paths have apparently changed (version 9.2) with the IPA version 4.10.1 API version 2.251 one of YOU can change

[Freeipa-users] Re: FIPs enabled Install Fails

On 02/07/2023 19.19, Entrepreneur AJ via FreeIPA-users wrote: Thank you for the response Christian. I would rather not use FIPs at all but looks like it's going to become a requirement with me going into the financial industry. I will submit it on Pagure If certified FIPS compliance is a

[Freeipa-users] Re: FIPs enabled Install Fails

On 02/07/2023 12.21, Entrepreneur AJ via FreeIPA-users wrote: I today spun up a fresh Fedora 38 VPS on Vultr and started the FreeIPA Server install. This VPS has been switched to FIPs enabled. I have then tried to install the latest FreeIPA server from DNF without the DNS package. All was

[Freeipa-users] Re: How does FreeIPA actually auth client behind the scenes?

On 01/07/2023 16.15, dweller dweller via FreeIPA-users wrote: Hi, I'm impressed! You figured out most of the authentication and authorization workflow yourself. This is quite an achievement! The system is complex and goes through multiple stacks. I'm sure you would have figured out the rest

[Freeipa-users] Re: Kerberos after migration

On 23/06/2022 13.30, Serge Krawczenko via FreeIPA-users wrote: kinit -kt keytab file ldapsearch -Q -Y GSSAPI -h localhost  ipa This keytab file was generated for dedicated user Obviously, kinit was required for ldap gssapi and ipa commands. Actually kinit is not needed. Any

[Freeipa-users] Re: PKI-Tomcat flagging up on security scans

On 20/04/2021 10.24, Jake Reynolds via FreeIPA-users wrote: > Thanks for the response. > > I appreciate the inter-dependency, and a firewall probably is the workaround > that I'm going to use - but it still seems a lazy approach? To just > hide/restrict a security problem rather than fixing the

[Freeipa-users] Re: FreeIPA and FIPS

On 14/04/2021 22.07, Steve Reed via FreeIPA-users wrote: > If I successfully install FreeIPA in FIPS mode, does that mean that all my > clients that call on the server need to be in FIPS mode as well? Or can I > just have the server in FIPS mode and the clients in whatever mode I want? FreeIPA

[Freeipa-users] Re: CRL Not Updating

On 13/01/2021 21.44, TC Johnson via FreeIPA-users wrote: > Back around Nov/Dec when RHEL 8.3 release, I was hit with the update issue > regarding fapolicy. Fortunatly only my IPA1 was impacted, though at the time > it was my CA and CRL master. As part of recovery I migrated CA and CRL to >

[Freeipa-users] Re: FreeIPA 4.6 and ACME

On 20/11/2020 16.39, chriz.r--- via FreeIPA-users wrote: > Hey, > we are currently running FreeIPA 4.6.8 on CentOS 7 and found out to manage > our Certificates in a Kubernetes Cluster FreeIPA now Supports ACME as a > service. > On CentOS 7 However ACME is not available in the current FreeIPA

[Freeipa-users] Re: FREEIPA - TLS - CN > 64 characters

On 19/10/2020 15.17, Krzysztof O via FreeIPA-users wrote: >> Krzysztof O via FreeIPA-users wrote: >> >> RFC 3280 defines the upper-bound of common name at 64 and is mandatory. >> >> What problem is this causing? >> >> rob > > When issuing CSR from the overcloud nodes, the CN field value exceeds

[Freeipa-users] Re: Modify LDAP/HTTP to add alternative names

On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote: > On Thu, Sep 24, 2020 at 02:15:11PM -, Willie Lima via FreeIPA-users wrote: >> Hi guys, >> >> I have 12 freeipa servers deployed with integrated DNS and CA >> (realm and domain int.example.com). >> >> I would like to make a DNS

[Freeipa-users] Re: root CA 4096 bits signing key

On 02/06/2020 19.57, Natxo Asenjo via FreeIPA-users wrote: > hi, > > We have a new realm with rhel 7.8 and a default CA key of 2048 bits. > > Recently a question arose to upgrade this to 4096 bits. Is there any particular reason you want a 4096 bit RSA certificate and not a 3072 bit RSA

[Freeipa-users] Re: [Freeipa-devel] FreeIPA 4.7.5 released, last release in 4.7 series

On 27/03/2020 09.14, Alexander Bokovoy via FreeIPA-devel wrote: > > The FreeIPA team would like to announce FreeIPA 4.7.5 release! > > FreeIPA 4.7.5 is the final release in 4.7 series. No new releases will > be provided for FreeIPA 4.7 as there are no distributors using the > series anymore.

[Freeipa-users] Re: kdb5_util: Kerberos database constraints violated while adding entries to the database

On 18/02/2020 10.53, Djan D via FreeIPA-users wrote: > HI > Installed a fresh IPA server on CentOS 6 and all services are up and > running. While trying to create database for the first-time, i am facing > following error. > > * # /usr/sbin/kdb5_util create -r TESTLAB.ORG   -s

[Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote: > Seems that I have found the problem. It is TLSv1.3, I have tried to connect > with TLSv1.2 and connection was OK: Hi, is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues

[Freeipa-users] Re: FreeIPA/IdM versions on RHEL8

On 06/12/2019 17.48, Vinícius Ferrão via FreeIPA-users wrote: > Hello, this is probably a comercial question and not a technical one, > but I’m curious about it. > > As today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8 > with some interesting features. RHEL 8.0 has 4.7.1. RHEL

[Freeipa-users] Re: Apache mod_ssl on the same host as FreeIPA

On 05/12/2019 18.41, Vinícius Ferrão via FreeIPA-users wrote: > Hello, > > Is it supported to install mod_ssl on the same machine of FreeIPA? I’m asking > this because FreeIPA ships by default mod_nss and this may lead to > conflicting issues inside /etc/httpd/conf.d. For example: > >

[Freeipa-users] Re: ipa-replica-install with more than one server

On 20/11/2019 13.27, Dirk Streubel via FreeIPA-users wrote: > Hello, > > it is possible to run the ipa-replica at the same time with more than > just one server. > > So, what i mean is this: ipa-replica-install --server=1 --server=b > --server=c --setup-dns --forwarder /192.0.2.1.../ No, that is

[Freeipa-users] Re: ECC keypair generation failed with `ipa-server-instal` on HSM

On 29/05/2019 03.39, チョーチュアン via FreeIPA-users wrote: > Thanks for the feed, and yes, I have the RSA CA working apart from a > negotiation error. Hi, fantastic, thanks for trying this! I was able to install FreeIPA with NitroKey HSM support last year using an experimental build

[Freeipa-users] Fwd: Fedora 30 System-Wide Change Proposal: FreeIPA Python 2 Removal

For your information, The upcoming FreeIPA 4.8.0 release will no longer support Python 2.7 or 3.5. Python 3.6 or newer will be required. In case you have any Python script, tool, or application that import a FreeIPA package like ipalib or ipaclient, now is the time to port them to Python 3!

[Freeipa-users] Re: Python 3 support

On 2018-09-06 02:16, Rob Crittenden via FreeIPA-users wrote: > Kristian Petersen via FreeIPA-users wrote: >> What version of FreeIPA was the one that gave us API support in >> Python3?  I am currently running Redhat IdM v4.5.4 and am curious what >> version to be looking out for. > > No RHEL

[Freeipa-users] Re: ipa-restore: a bytes-like object is required, not 'str'

On 2018-01-23 12:16, Matt . via FreeIPA-users wrote: > Hi, > > Yes Fedora 27, not sure if I had the same on the latest 4.5.4 on F26 as that > installed was broked in some strange way without any changes and has kinda > the same issue I thought. > > What I run now on F27 is: > > # rpm -q

[Freeipa-users] Re: Cronjob requesting krb tickets

On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote: > Hi all, > > I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on > on a few computers on my small network. > > So far, I've managed to setup up automounting of krb5i-protected shares > on my NAS. I can see that, when

[Freeipa-users] Re: Password and OTP auth

On 2017-05-17 12:06, Andrey Dudin wrote: > Hello > > If I do ipa user-mod test --user-auth-type=password > --user-auth-type=otp I have user: > > [root@ipa-centos]# ipa user-show test > User login: test > First name: test > Last name: test > Home directory: /home/test > Login shell:

[Freeipa-users] Re: Ansible and ipa-client-install

On 2017-06-12 10:50, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > the team is starting investigations regarding the deployment of IPA > using Ansible, and we would like to get community feedback. Ansible > already provides a few community-maintained Identity Modules [1] > allowing to

[Freeipa-users] Re: Ansible and ipa-client-install

On 2017-06-12 11:45, wouter.hummelink--- via FreeIPA-users wrote: > Hi, > > For our puppet profile we use ipa-client-install unless the file > /etc/ipa/default.conf exists (which is created by ipa-client-install), this > should work for ansible as well. The creates option in both puppet exec