[Freeipa-users] systemd-tmpfiles-setup.service and sssd

2020-02-12 Thread Rob Brown via FreeIPA-users
I ran into a perplexing problem recently: We have all of our users/groups stored in ipa, including some "service accounts" that we run services under. As we started migrating to CentOS 7 we came across the issue with some services configured to store their PID files in /run (or /var/run) which is t

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 07:41:00PM -0500, Christopher Young wrote: > I think I found the issue (posting here in case someone else runs into > something similar). It's Apple's doing. > https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/ > > Basically, I have my default certificate dat

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Christopher Young via FreeIPA-users
I think I found the issue (posting here in case someone else runs into something similar). It's Apple's doing. https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/ Basically, I have my default certificate date length to 4 years (since our environment is small and these rarely ever cha

[Freeipa-users] Re: Revocation process for FreeIPA Sub CA issued by ms-ca

2020-02-12 Thread Christopher Lord via FreeIPA-users
Thanks Fraser, I'll be really interested to read it when it gets posted. For now I'll make sure there's a process for us to renew/rekey the Sub CA before revoking it. Cheers, Chris On Thu, 2020-02-13 at 09:59 +1000, Fraser Tweedale wrote: > On Wed, Feb 12, 2020 at 10:35:00PM +, Christopher

[Freeipa-users] Re: Revocation process for FreeIPA Sub CA issued by ms-ca

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 10:35:00PM +, Christopher Lord via FreeIPA-users wrote: > Attempting to reply to the proper thread instead of to Rob privately. > Please forgive my inexperience with mailing lists. > > Thanks Rob, > > I thought that was probably the case. Is it at all possible to revo

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Fraser Tweedale via FreeIPA-users
On Wed, Feb 12, 2020 at 05:54:34PM -0500, Christopher Young wrote: > Interestingly enough, I don't get this problem on my Fedora workstation > or a co-worker on a Windows-based system, so I'm currently > troubleshooting it as an issue on the Mac (which has Symantec Endpoint > Protection on it that I

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Christopher Young via FreeIPA-users
Interestingly enough, I don't get this problem on my Fedora workstation or a co-worker on a Windows-based system, so I'm currently troubleshooting it as an issue on the Mac (which has Symantec Endpoint Protection on it that I _wonder_ might be doing something here) until I prove otherwise. I would

[Freeipa-users] Re: Revocation process for FreeIPA Sub CA issued by ms-ca

2020-02-12 Thread Christopher Lord via FreeIPA-users
Attempting to reply to the proper thread instead of to Rob privately. Please forgive my inexperience with mailing lists. Thanks Rob, I thought that was probably the case. Is it at all possible to revoke the Sub CA certificate and have FreeIPA aware that its cert has been revoked? Or would it just

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread Ernedin Zajko via FreeIPA-users
Daniel, There is a nice how-to here https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html --eZ On Wed, Feb 12, 2020, 20:03 White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: > My use case is RADIUS for network device auth, with IPA doing the > und

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Many thanks. I will let the list know __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread Alex Scheel via FreeIPA-users
Daniel, That makes sense. Then yes, the links I pointed to in my previous mail should help you accomplish what you want. If you find something lacking, do let us know. Hope that helps, Alex - Original Message - > From: "Daniel E. White (GSFC-770.0)[NICS] via FreeIPA-users" > > To:

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
My use case is RADIUS for network device auth, with IPA doing the underlying authentication. The group information is all the LDAP groups a user belongs to. This is for access control. Our current setup uses an ancient version of RADIUS that runs on an old Solaris 9 Sparc server. It uses the u

[Freeipa-users] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread Alex Scheel via FreeIPA-users
Hi Daniel, I'm afraid I don't understand what you're trying to accomplish. There are two primary use cases for RADIUS: - RADIUS for wireless auth, with IPA doing the underlying authentication - RADIUS as a backend for OTP, with IPA passing OTP queries to RADIUS to validate I'm going to guess

[Freeipa-users] Re: Enrollment Administrator role

2020-02-12 Thread Jeff Goddard via FreeIPA-users
On Wed, Feb 12, 2020 at 1:10 PM Rob Crittenden wrote: > Jeff Goddard via FreeIPA-users wrote: > > Hello again, > > > > We're using salt for automation and have created a salt service account > > for the express permissions of joining machines to our domain. This user > > has been assigned the "En

[Freeipa-users] Re: Enrollment Administrator role

2020-02-12 Thread Rob Crittenden via FreeIPA-users
Jeff Goddard via FreeIPA-users wrote: > Hello again, > > We're using salt for automation and have created a salt service account > for the express permissions of joining machines to our domain. This user > has been assigned the "Enrollment Administrator" role but when > attempting to join clients 

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Fantastic ! Many thanks. __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt,

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread Alexander Bokovoy via FreeIPA-users
On ke, 12 helmi 2020, White, Daniel E. (GSFC-770.0)[NICS] wrote: Many thanks for the ansible pointer, Alexander. As far as API automation, I see two immediate use-cases (and I will file an issue) 1. Some bundled commands for use by IdM admins for user management: Add a user along with all the n

[Freeipa-users] Enrollment Administrator role

2020-02-12 Thread Jeff Goddard via FreeIPA-users
Hello again, We're using salt for automation and have created a salt service account for the express permissions of joining machines to our domain. This user has been assigned the "Enrollment Administrator" role but when attempting to join clients the log output is as follows: Client hostname: ub

[Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Reference: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7 What about setting it up so that RADIUS gets credentials and groups from FreeIPA without the OTP? __

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Many thanks for the ansible pointer, Alexander. As far as API automation, I see two immediate use-cases (and I will file an issue) 1. Some bundled commands for use by IdM admins for user management: Add a user along with all the necessary additional permissions. These would use the admin-use

[Freeipa-users] Re: Is there any documentation for the ipapython library ?

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks for the warning, Rob. I shall proceed with caution. __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road