Re: [Freeipa-users] CentOS patch management on FreeIPA server

[Lakshan Jayasekara]

Hi Chris,

Thanks for the update. Pl let me know any sort of configuration backup can be 
taken for IPA server. Also let me know the sequence of updating the systems, as 
I have IPA servers and a replica server in my infrastructure.

These are virtual servers and backing up before updating.


Best Regards,

Reply / Forwarded by
Lakshanth Chandika Jayasekara
Senior Systems Engineer

Confidentiality Notice: The information contained in this message is privileged 
and confidential information intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, or the employee or agent responsible to deliver it to the intended 
recipient, you are hereby notified that any release, dissemination, 
distribution, or copying of this communication is strictly prohibited. If you 
have received this communication in error, please notify the author immediately 
by replying to this message and delete the original message. Internet 
communications cannot be guaranteed to be timely, secure, error or virus-free. 
The sender does not accept liability for any errors or omissions. This email 
has been scanned for all viruses by the Symantec End Point Protection Email 
Security System.
P Save a tree. Don't print this e-mail unless it's really necessary.

From: Christophe TREFOIS [mailto:christophe.tref...@uni.lu]
Sent: Wednesday, May 17, 2017 11:25 PM
To: Lachlan Musicman <data...@gmail.com>
Cc: Lakshan Jayasekara <lakshan.jayasek...@lankaclear.com>; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CentOS patch management on FreeIPA server

Hi,

I think yum update is fine, just don’t do it at the same time. It’s written 
somewhere in the docs that this could lead to crappy outcome.

Also, Lachlan, how do you do backups of FreeIPA?
--
Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb
[Facebook]<https://www.facebook.com/trefex>  [Twitter] 
<https://twitter.com/Trefex>   [Google Plus] 
<https://plus.google.com/+ChristopheTrefois/>   [Linkedin] 
<https://www.linkedin.com/in/trefoischristophe>   [skype] 
<http://skype:Trefex?call>

This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the original 
message and any copies.



On 17 May 2017, at 08:04, Lachlan Musicman 
<data...@gmail.com<mailto:data...@gmail.com>> wrote:

On 17 May 2017 at 15:23, Lakshan Jayasekara 
<lakshan.jayasek...@lankaclear.com<mailto:lakshan.jayasek...@lankaclear.com>> 
wrote:
>
> Hi All,
>
>
>
> I’m using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on 
> CentOS 7 and have one replica server as well. I need to patch up centos 
> system as per PCI DSS compliance. Let me know whether I can proceed as usual 
> or to follow any sequential steps to achieve the task.


Lakshanth,

You should always have appropriate backup and restore procedures that are good 
for you.
Having said that, I regularly update our IPA server with patches (via 
Katello/Foreman) without a problem.

I think I even "yum update"d from IPA 4.2 to 4.4 and it just worked.

cheers
L.


--
"Mission Statement: To provide hope and inspiration for collective action, to 
build collective power, to achieve collective transformation, rooted in grief 
and rage but pointed towards vision and dreams."

 - Patrice Cullors, Black Lives Matter founder
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] CentOS patch management on FreeIPA server

[Lakshan Jayasekara]

Hi All,

I'm using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on 
CentOS 7 and have one replica server as well. I need to patch up centos system 
as per PCI DSS compliance. Let me know whether I can proceed as usual or to 
follow any sequential steps to achieve the task.



Lakshanth Chandika Jayasekara















-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Users can't login on some systems.

[Lakshan Jayasekara]

sg=audit(1493988068.624:141): pid=2380 uid=0 auid=0 ses=2 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy 
kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? 
spid=2380 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 
terminal=pts/1 res=success'
type=USER_LOGIN msg=audit(1493988068.628:142): pid=2380 uid=0 auid=0 ses=2 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 
exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 
terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1493988068.628:143): pid=2380 uid=0 auid=0 ses=2 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 
exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 
terminal=/dev/pts/1 res=success'
type=CRED_REFR msg=audit(1493988068.633:144): pid=2380 uid=0 auid=0 ses=2 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" 
hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success'


Best Regards,

Reply / Forwarded by
Lakshanth Chandika Jayasekara
Senior Systems Engineer

Confidentiality Notice: The information contained in this message is privileged 
and confidential information intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, or the employee or agent responsible to deliver it to the intended 
recipient, you are hereby notified that any release, dissemination, 
distribution, or copying of this communication is strictly prohibited. If you 
have received this communication in error, please notify the author immediately 
by replying to this message and delete the original message. Internet 
communications cannot be guaranteed to be timely, secure, error or virus-free. 
The sender does not accept liability for any errors or omissions. This email 
has been scanned for all viruses by the Symantec End Point Protection Email 
Security System.
P Save a tree. Don't print this e-mail unless it's really necessary.

From: Lakshan Jayasekara
Sent: Friday, May 5, 2017 5:06 PM
To: 'freeipa-users@redhat.com' <freeipa-users@redhat.com>
Subject: Permission Denied for IPA User

IPA user cannot login to the target centos system using the ssh. User and the 
password are valid and can access IPA server.


Lakshanth Chandika Jayasekara

[cid:image001.png@01D1F258.46575F30]

Senior Systems Engineer

Mobile:+94 77 294 0396 |  Dir:+94 11 235 6949

General:+94 11 235 6900  Ext: 949 | Fax:+94 11 2544346

LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office,

"BOC Square", No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.

http://www.lankaclear.com<http://www.lankaclear.com/>


Confidentiality Notice: The information contained in this message is privileged 
and confidential information intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, or the employee or agent responsible to deliver it to the intended 
recipient, you are hereby notified that any release, dissemination, 
distribution, or copying of this communication is strictly prohibited. If you 
have received this communication in error, please notify the author immediately 
by replying to this message and delete the original message. Internet 
communications cannot be guaranteed to be timely, secure, error or virus-free. 
The sender does not accept liability for any errors or omissions. This email 
has been scanned for all viruses by the Symantec End Point Protection Email 
Security System.
P Save a tree. Don't print this e-mail unless it's really necessary.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Permission Denied for IPA User

[Lakshan Jayasekara]

IPA user cannot login to the target centos system using the ssh. User and the 
password are valid and can access IPA server.


Lakshanth Chandika Jayasekara

[cid:image001.png@01D1F258.46575F30]

Senior Systems Engineer

Mobile:+94 77 294 0396 |  Dir:+94 11 235 6949

General:+94 11 235 6900  Ext: 949 | Fax:+94 11 2544346

LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office,

"BOC Square", No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.

http://www.lankaclear.com


Confidentiality Notice: The information contained in this message is privileged 
and confidential information intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, or the employee or agent responsible to deliver it to the intended 
recipient, you are hereby notified that any release, dissemination, 
distribution, or copying of this communication is strictly prohibited. If you 
have received this communication in error, please notify the author immediately 
by replying to this message and delete the original message. Internet 
communications cannot be guaranteed to be timely, secure, error or virus-free. 
The sender does not accept liability for any errors or omissions. This email 
has been scanned for all viruses by the Symantec End Point Protection Email 
Security System.
P Save a tree. Don't print this e-mail unless it's really necessary.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project