[Freeipa-users] Re: group management on freeipa clients

2019-10-23 Thread John Duino via FreeIPA-users
Assuming it's fairly chaotic across your systems. You may just need to brute-force it. Before adding to IPA, you'll just need to map oldGID->newGID, then do something like find/exec/chown. You can do the same with groups. If you want to get fancier, have the script do the mapping. On Wed, Oct 23,

[Freeipa-users] Re: group management on freeipa clients

2019-10-23 Thread Jason Dunham via FreeIPA-users
Oh yes, it's clear, but I just don't know if I'm setting myself up for problems if I set a freeipa gid or uid to a value that already existed on the host before it was turned into a freeipa client. That's already a problem with my users since they have different uids on the hosts if they were user

[Freeipa-users] Re: group management on freeipa clients

2019-10-23 Thread John Duino via FreeIPA-users
You can specify the GID when you create user groups in freeIPA. In the GUI it's very clear (Group name [required], Description, Group Type, GID). In the CLI it's something like # ipa group-add --gid= On Wed, Oct 23, 2019 at 3:12 PM Jason Dunham via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wr

[Freeipa-users] Re: valid hostname?

2019-10-23 Thread François Cami via FreeIPA-users
On Wed, Oct 23, 2019 at 10:31 PM Amos via FreeIPA-users wrote: > > When enrolling a host, an error was presented: > > root: INFO Joining realm failed: RPC failed at server. invalid > 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS > label may not start o

[Freeipa-users] valid hostname?

2019-10-23 Thread Amos via FreeIPA-users
When enrolling a host, an error was presented: root: INFO Joining realm failed: RPC failed at server. invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-' Where does this error originate from? Is it truly impossible

[Freeipa-users] group management on freeipa clients

2019-10-23 Thread Jason Dunham via FreeIPA-users
Hi, I'm trying to figure out the best practice for groups on my client servers. I have several computation workstation hosts that have been added as freeipa clients, and several engineers who want to run docker on them. Members of the 'docker' group (gid=999 on some machines, for example) can run d

[Freeipa-users] ansible-freeipa client install

2019-10-23 Thread Andrew Meyer via FreeIPA-users
Hello, I have set up ansible to install the freeipa client on my CentOS 7/8 machines. I am able to get the packages installed, however when it goes through the configuration I am getting the following: TASK [ipaclient : Install - Ensure that IPA client packages are installed] *

[Freeipa-users] Re: using SPAKE

2019-10-23 Thread Charles Hedrick via FreeIPA-users
Actually, I found a solution to this. You can use a normal commercial cert for PKINIT. You just need a couple of extra lines in /etc/krb5.conf. The only disadvantage is that you have to have a line in /etc/krb5.conf for each KDC. That means you lose the ability to add a KDC and depend upon DNS di

[Freeipa-users] Re: using SPAKE

2019-10-23 Thread Robbie Harwood via FreeIPA-users
Charles Hedrick writes: > Thanks. So if we’re going to continue using FAST, it would be nice to > get “kinit -n” working properly. > > We currently use external certificates. The KDC generates certificates > for kinit -n if we don’t supply an external cert, and they work, but > then I have to get

[Freeipa-users] Re: is it possible to enable constrained delegation for only some users?

2019-10-23 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 23 Oct 2019, Charles Hedrick wrote: The kdc doesn't supply the remote address to the policy plugin, unless I'm totally misreading the source code. I'm currently investigating ways of doing it externally, whether ebpf or something else. Ok. The interface (krb5_kdc_req struct) still has a

[Freeipa-users] Re: Freeipa homedir overrides

2019-10-23 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 21 Oct 2019, Matthias Salzmann via FreeIPA-users wrote: Hello together, I'm a newbie in FreeIPA. I have a (one-sided) cross-forest trust with an Active Directory Domain. AD users are able to log in with ssh on the linux server. That works fine. With sssd I am able to override the homedir.

[Freeipa-users] DNS - IPA masters' own PTR records in a classless subnet

2019-10-23 Thread lejeczek via FreeIPA-users
Hi everybody, when I install a replica and have DNS use cname records to a classless zone I see: Configuring DNS (named)   [1/8]: generating rndc key file   [2/8]: setting up our own record   [error] ValidationError: invali