[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-17 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 17 Jun 2022, Harald Dunkel via FreeIPA-users wrote:

> Hi Alex,
>
> On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote:
> > The same as with not doing backports to older OSes, FreeIPA depends on a
> > *particular set* of integrated services and libraries, not just any. We
> > choose to avoid some of the tough-to-solve upgrade issues by upgrading
> > via replication. Sometimes battles are won by not fighting them.
>
> You mean I cannot upgrade to FreeIPA 4.9.x on RHEL7, either? That was
> plan B.


I think at least my messaging was pretty consistent for the past decade or
so. ;)

There were no plans to have FreeIPA 4.x on RHEL 6. Install new replica
on RHEL 7 to migrate.

There were no plans to have FreeIPA 4.7+ on RHEL 7. Install new replica
on RHEL 8 to migrate.

RHEL 8 will see FreeIPA 4.9.10 soon and we are going to switch to the
FreeIPA 4.10.x series for RHEL 9 in the next several weeks. The FreeIPA 4.10
series will not appear in RHEL 8 because of the Dogtag PKI 11.2+ dependency
for the Random Serial Number features.

Setting up a replica on a newer OS release is the preferred way to upgrade.

Fedora was kind of excluded from this policy because there are only two
Fedora releases in support at the same time and they are typically very
close to each other in terms of packages provided. Still, we stop
pushing new versions to older releases when that is not possible to
fulfill -- this happened a year ago with Fedora 33, for example, when
pluggable subid support was not present there.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: ID Views change sudo rules for local user

2022-06-17 Thread Alessandro Fort via FreeIPA-users

On 17/06/2022 12.46, Grant Janssen wrote:

> what does "sudo -l -U " show?
> My experience flushing sss_cache has rarely been successful.
> When I experience issues with user sudo permissions, I restart sssd.
> Fixes it every time.
>
> - grant



With no ID view applied, sudo -l -U local shows

(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: ALL
(duplicated lines are caused by cloudinit's /etc/sudoers.d 

[Freeipa-users] Re: ID Views change sudo rules for local user

2022-06-17 Thread Grant Janssen via FreeIPA-users
what does "sudo -l -U " show?
My experience flushing sss_cache has rarely been successful.
When I experience issues with user sudo permissions, I restart sssd. Fixes it 
every time.

- grant


On Jun 17, 2022, at 00:53, Alessandro Fort via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


> Hi,
>
> I have a local user (let's call it local) that has NOPASSWD set in
> /etc/sudoers. When I apply an ID view to change my FreeIPA user's (let's
> call it domain) username, UID, GID, shell and home to that of local,
> whenever I try to use sudo after logging in with either domain or local,
> domain's sudo rules apply and I am asked for a password. Is this
> expected behaviour or a quirk of my configuration/policies? I would
> expect that when logging in using domain, FreeIPA sudo rules are
> applied, while if I log in using local I'd get the old /etc/sudoers
> policy. Is this possible?
>
> Thank you!


[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-17 Thread Harald Dunkel via FreeIPA-users

Hi Alex,

On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote:
> The same as with not doing backports to older OSes, FreeIPA depends on a
> *particular set* of integrated services and libraries, not just any. We
> choose to avoid some of the tough-to-solve upgrade issues by upgrading
> via replication. Sometimes battles are won by not fighting them.

You mean I cannot upgrade to FreeIPA 4.9.x on RHEL7, either? That was
plan B.


Regards
Harri


[Freeipa-users] ID Views change sudo rules for local user

2022-06-17 Thread Alessandro Fort via FreeIPA-users

Hi,

I have a local user (let's call it local) that has NOPASSWD set in 
/etc/sudoers. When I apply an ID view to change my FreeIPA user's (let's 
call it domain) username, UID, GID, shell and home to that of local, 
whenever I try to use sudo after logging in with either domain or local, 
domain's sudo rules apply and I am asked for a password. Is this 
expected behaviour or a quirk of my configuration/policies? I would 
expect that when logging in using domain, FreeIPA sudo rules are 
applied, while if I log in using local I'd get the old /etc/sudoers 
policy. Is this possible?


Thank you!


[Freeipa-users] kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump

2022-06-17 Thread rui liang via FreeIPA-users
> Oh, I see. Thank you for your guidance.
> 
> My system is Ubuntu 16.04 with FreeIPA 4.3. Because the current CA cert has
> expired and there are problems that are difficult to repair, I want to
> rebuild a new environment and recover the user data from the old cluster.
> Is there any good scheme you would recommend? Thank you very much.

I tried the kdb5_util tool to import Kerberos data into the new IPA 
environment, but I got a message that the file was empty. What's the reason?
man kdb5_util (krb5 1.13.2, KDB5_UTIL(8)):
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/kdb5_util.html#dump

root@migration-ipa-65:~# kdb5_util dump  mydump  
kdb5_util: Plugin does not support the operation performing Kerberos version 5 
release 1.11 dump

root@migration-ipa-65:~# kdb5_util dump -verbose  mydump  
ad...@yydevops.com
K/m...@yydevops.com
krbtgt/yydevops@yydevops.com
kadmin/migration-ipa-65.185.hiido.host.yydevops@yydevops.com
kadmin/ad...@yydevops.com
kadmin/chang...@yydevops.com
kiprop/migration-ipa-65.185.hiido.host.yydevops@yydevops.com
ldap/migration-ipa-65.185.hiido.host.yydevops@yydevops.com
host/migration-ipa-65.185.hiido.host.yydevops@yydevops.com
HTTP/migration-ipa-65.185.hiido.host.yydevops@yydevops.com
csant...@yydevops.com
r...@yydevops.com
kdb5_util: Plugin does not support the operation performing Kerberos version 5 
release 1.11 dump

I tried all the parameters (-old|-ov|-b6|-b7|-r13|-r18), but it didn't work. Why?