[Freeipa-users] How to determine when host last checked in?

2019-11-26 Thread Master Blaster via FreeIPA-users
In large organizations, hosts can sometimes be retired without following 
procedures, etc., which leaves host objects in FreeIPA for hosts that no longer 
exist.

Is there any way to see when a host last checked in with FreeIPA?  One could 
then delete host objects which haven't connected in, say, 30/60/90 days.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: How to determine when host last checked in?

2019-12-10 Thread Master Blaster via FreeIPA-users
Nothing?  No ideas?

How do large organizations with 1000s of hosts handle this?


[Freeipa-users] Re: How to determine when host last checked in?

2019-12-10 Thread Master Blaster via FreeIPA-users
Thanks for the response, François.

I'm somewhat surprised there isn't a way to determine both host and user 
activity already.

For hosts, doesn't the Kerberos ticket have to be renewed on a regular basis?  
Couldn't that timestamp be used?
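As an added example (not from this thread, and not FreeIPA's own tooling), here is the triage step the first message and the Kerberos follow-up imply: given an export of host entries that carries a last-successful-authentication timestamp per host principal, bucket hosts by how long ago they last authenticated and produce a dry-run deletion plan for the 90-day bucket. The attribute name `last_auth`, the sample hosts and the fixed "now" are constructed for this example; a host with no timestamp at all goes to an `unknown` bucket rather than the deletion plan, because a missing value can mean "never recorded" just as easily as "never connected".

```python
from datetime import datetime, timezone

# Constructed sample inventory (not a real FreeIPA dump). Timestamps use LDAP
# GeneralizedTime (YYYYMMDDHHMMSSZ); None means no authentication was ever recorded.
SAMPLE_HOSTS = [
    {"fqdn": "web01.example.test", "last_auth": "20221101120000Z"},
    {"fqdn": "db02.example.test", "last_auth": "20220915083000Z"},
    {"fqdn": "old01.example.test", "last_auth": "20220301000000Z"},
    {"fqdn": "new01.example.test", "last_auth": None},
]

# Fixed reference time so the classification is reproducible.
NOW = datetime(2022, 11, 15, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime value such as 20221101120000Z into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def age_days(host: dict, now: datetime = NOW):
    """Whole days since the host last authenticated, or None if never recorded."""
    if not host.get("last_auth"):
        return None
    return (now - parse_generalized_time(host["last_auth"])).days


def classify_hosts(hosts, now: datetime = NOW, thresholds=(30, 60, 90)) -> dict:
    """Bucket hosts into active / stale_30 / stale_60 / stale_90 / unknown.

    A host lands in the bucket of the largest threshold its age has reached;
    hosts without a timestamp are kept apart so they are reviewed, not deleted.
    """
    t30, t60, t90 = thresholds
    buckets = {"active": [], "stale_30": [], "stale_60": [], "stale_90": [], "unknown": []}
    for host in hosts:
        days = age_days(host, now)
        if days is None:
            buckets["unknown"].append(host["fqdn"])
        elif days >= t90:
            buckets["stale_90"].append(host["fqdn"])
        elif days >= t60:
            buckets["stale_60"].append(host["fqdn"])
        elif days >= t30:
            buckets["stale_30"].append(host["fqdn"])
        else:
            buckets["active"].append(host["fqdn"])
    return buckets


def deletion_plan(hosts, now: datetime = NOW, min_days: int = 90) -> list:
    """Dry-run plan: one `ipa host-del` command per host idle for at least min_days.

    Nothing is executed here; review the list, then run the commands deliberately.
    """
    return [
        f"ipa host-del {host['fqdn']}"
        for host in hosts
        if age_days(host, now) is not None and age_days(host, now) >= min_days
    ]


if __name__ == "__main__":
    for bucket, fqdns in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{bucket:9s} {', '.join(fqdns) or '-'}")
    print("\n".join(deletion_plan(SAMPLE_HOSTS)))
```

The thresholds are parameters so a site can be stricter for short-lived cloud hosts than for long-lived appliances; whatever timestamp source is used, the `unknown` bucket is the one to check by hand before any cleanup run.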


[Freeipa-users] Re: Auto cleanup old enrolled hosts

2022-08-05 Thread Master Blaster via FreeIPA-users
The best way to handle this is via a CloudWatch event that triggers a Lambda 
when the EC2 is terminated to call the IPA REST API to remove the host.

No need for all the rigmarole you are doing.
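An added example of the event-driven flow described above (my own illustration, not code from the thread or from the FreeIPA project): a Lambda handler that accepts an EC2 state-change event, acts only on the `terminated` state, and issues a `host_del` call to FreeIPA's JSON-RPC endpoint. The IPA server name, the service account, the instance-to-FQDN mapping (a constructed dictionary standing in for an instance-tag lookup) and the `NotFound` error code are assumptions for this example. The HTTP layer is injected so the decision logic can be exercised offline.

```python
import http.cookiejar
import json
import urllib.parse
import urllib.request

# Assumptions for this example, not values from the thread.
IPA_SERVER = "ipa.example.test"
IPA_LOGIN_URL = f"https://{IPA_SERVER}/ipa/session/login_password"
IPA_API_URL = f"https://{IPA_SERVER}/ipa/session/json"
IPA_REFERER = f"https://{IPA_SERVER}/ipa"
NOT_FOUND = 4001  # ipalib NotFound error code (assumption; confirm for your version)

# Constructed stand-in for resolving an instance id to its enrolled FQDN
# (in practice: a DescribeInstances tag lookup or your CMDB).
INSTANCE_TO_FQDN = {"i-0123456789abcdef0": "web01.example.test"}

# Constructed EventBridge event in the EC2 Instance State-change Notification shape.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
}


def terminated_instance_id(event: dict):
    """Return the instance id only for a 'terminated' EC2 state-change event.

    Stopped or running instances return None so a paused host is never unenrolled.
    """
    if event.get("source") != "aws.ec2":
        return None
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return None
    detail = event.get("detail", {})
    if detail.get("state") != "terminated":
        return None
    return detail.get("instance-id")


def build_host_del_request(fqdn: str) -> dict:
    """JSON-RPC body for FreeIPA's host_del: params are [[positional args], {options}]."""
    return {"method": "host_del", "params": [[fqdn], {}], "id": 0}


def handle_termination(event: dict, resolve_fqdn, send) -> dict:
    """Decide and act on one event; `send(body)` posts to IPA and returns the parsed reply."""
    instance_id = terminated_instance_id(event)
    if instance_id is None:
        return {"action": "ignored"}
    fqdn = resolve_fqdn(instance_id)
    if not fqdn:
        return {"action": "no-fqdn", "instance": instance_id}
    reply = send(build_host_del_request(fqdn))
    err = reply.get("error")
    if err is None:
        return {"action": "deleted", "host": fqdn}
    if err.get("code") == NOT_FOUND:
        # Retried or duplicate event: the host is already gone, which is the desired state.
        return {"action": "already-absent", "host": fqdn}
    return {"action": "failed", "host": fqdn, "error": err.get("message")}


def ipa_session(user: str, password: str):
    """Log in with a dedicated service account; the cookie jar keeps the ipa_session cookie."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(IPA_LOGIN_URL, data=data, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain", "Referer": IPA_REFERER})
    opener.open(req).close()
    return opener


def ipa_send(opener, body: dict) -> dict:
    """POST one JSON-RPC request on an established session and return the parsed reply."""
    req = urllib.request.Request(IPA_API_URL, data=json.dumps(body).encode(), method="POST", headers={
        "Content-Type": "application/json", "Accept": "application/json", "Referer": IPA_REFERER})
    with opener.open(req) as resp:
        return json.load(resp)


def lambda_handler(event, context):
    """Lambda entrypoint; credentials come from the environment or a secrets store in practice."""
    import os
    opener = ipa_session(os.environ["IPA_USER"], os.environ["IPA_PASSWORD"])
    return handle_termination(event, INSTANCE_TO_FQDN.get, lambda body: ipa_send(opener, body))
```

Two design points matter for a defender: the handler keys on the `terminated` state alone, so an event for a stopped instance cannot remove a host that will come back, and the service account only needs the permissions that cover host deletion (in FreeIPA, the "Host Administrators" privilege) rather than admin rights, so a compromised hook can delete host entries but nothing else.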


[Freeipa-users] Intermittent login issues with SSSD/IDM

2022-09-01 Thread Master Blaster via FreeIPA-users
Howdy,

We are having intermittent login issues with our SSSD/IPA clients using 
Identity Manager in a read-only cross-forest trust configuration.

The SSSD/IPA servers themselves don't seem to be having this issue, just the 
SSSD/IPA clients using the IDM/IPA servers as their identity provider.

In addition, the problem only affects AD accounts, not native IDM accounts.

The issue manifests itself as either failed logins or the 'id' command 
returning user unknown.
 
All of our IDM servers are RHEL 8.  Clients are various mixes of RHEL 7 and 
RHEL 8, all exhibiting the same issue.

We have a P2 open with Red Hat, and it feels like they are having a problem 
pinpointing the issue.

Red Hat support seems to be indicating our AD environment is to blame, at least 
partially, as most of our AD groups don't have GIDs.  We have 80K+ users in 
our AD (not all of them assigned a Unix UID in AD, as most of them have no need 
to log in to Unix).  However, the users that are logging in via SSSD obviously 
have UIDs and many groups attached to them, most of which may not have POSIX 
GIDs as many of those groups will never need to touch Unix (i.e., email groups, 
Windows-only access groups, etc., etc., etc.)

Red Hat seems to indicate this is a highly unusual configuration for AD, where 
not all groups have POSIX GIDs assigned.

I'm curious to know if those who have large AD environments like this with a 
mix of Unix and non-Unix uses truly assign a POSIX GID to each and every 
group, even if that group will never be utilized by Unix.

Also curious to know if anyone else is experiencing intermittent login 
problems like this, and if you were able to solve it, and how?

Thank you...