[Freeipa-users] Re: Help troubleshooting ipa-upgrade

2021-05-04 Thread John Obaterspok via FreeIPA-users
On Tue May 4th 2021 at 15:25 Rob Crittenden wrote: > > Does your CA otherwise start? You can pass --skip-version-check to > ipactl to skip the version check and just start the services. > YES! It started just fine with --skip-version-check YES! I have managed to get it upgraded. It seems to be so

[Freeipa-users] Re: Disable SSH password authentication for all non-subnet IP addresses

2021-05-04 Thread Eamon Doyle via FreeIPA-users
After further investigation, I found that by adding > AuthenticationMethods publickey to the main portion of sshd_config and adding > AuthenticationMethods publickey password to the match block, it now works as expected. I don't know how this functions differently than my prior setup, but at leas

[Freeipa-users] Re: Disable SSH password authentication for all non-subnet IP addresses

2021-05-04 Thread Rob Crittenden via FreeIPA-users
Eamon Doyle via FreeIPA-users wrote: > I am trying to require ssh keys for SSH connections that originate outside of > a subnet but allowing password auth within a subnet. Before setting up > FreeIPA, I did this by setting the following in my sshd_config: > > PasswordAuthentication no > >

[Freeipa-users] Re: Freeipa upgrade failed: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

2021-05-04 Thread Rob Crittenden via FreeIPA-users
Giovanni Bechis wrote: > On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users > wrote: >> Giovanni Bechis via FreeIPA-users wrote: >>> >>> Hi, >>> running latest FreeIPA upgrade I encountered an error and the freeipa >>> upgrade failed. >>> >>> The upgrade script tries to ad

[Freeipa-users] Disable SSH password authentication for all non-subnet IP addresses

2021-05-04 Thread Eamon Doyle via FreeIPA-users
I am trying to require ssh keys for SSH connections that originate outside of a subnet but allowing password auth within a subnet. Before setting up FreeIPA, I did this by setting the following in my sshd_config: PasswordAuthentication no Match Address 172.16.0.* PasswordAuthe

[Freeipa-users] Re: Use of certificates to have https secure connection

2021-05-04 Thread G Col via FreeIPA-users
Thank you Rob for your guidance! I confirm I was able to sort it out following these instructions.

[Freeipa-users] AD trust - filter groups to speed up the Active Directory search

2021-05-04 Thread iulian roman via FreeIPA-users
Is there any method to "filter" or mask some Active Directory groups in order to speed up the lookup/search in AD? For example, I am interested only in a few groups (max. 10) and all the rules will be based on those groups. I do not want to display all hundreds of groups a user is a member of, but

[Freeipa-users] Re: Freeipa upgrade failed: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

2021-05-04 Thread Giovanni Bechis via FreeIPA-users
On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users wrote: > Giovanni Bechis via FreeIPA-users wrote: > > > > Hi, > > running latest FreeIPA upgrade I encountered an error and the freeipa > > upgrade failed. > > > > The upgrade script tries to add [ipa_server_mode] to my

[Freeipa-users] Re: Use of LDAP Configuration UI Web Console

2021-05-04 Thread Rob Crittenden via FreeIPA-users
G Col via FreeIPA-users wrote: > I was trying to compare openldap with freeipa, but I cannot find the > configuration for ldap in freeipa, is a plugin that needs to be installed > separately? > > If there is an option, where is the UI web interface? My confusion was because IPA is built around

[Freeipa-users] Re: Use of certificates to have https secure connection

2021-05-04 Thread Rob Crittenden via FreeIPA-users
G Col via FreeIPA-users wrote: > Hi Rob, > > Thank you for your answer. > > About replacing the nickname in nss.conf what would be my value? > > [root@freeipa openldap]# certutil -L -d /etc/httpd/alias > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > - Would be Server-Cert th

[Freeipa-users] Re: Freeipa upgrade failed: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

2021-05-04 Thread Rob Crittenden via FreeIPA-users
Giovanni Bechis via FreeIPA-users wrote: > > Hi, > running latest FreeIPA upgrade I encountered an error and the freeipa upgrade > failed. > > The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain > section but it fails even if /etc/sssd.conf > has those options set. > Atm I

[Freeipa-users] Re: Kerberos setup in IPA server and IPA clients

2021-05-04 Thread iulian roman via FreeIPA-users
> On Fri, 30 Apr 2021, iulian roman via FreeIPA-users wrote: > > Correct -- in any DNS domain owned by your IPA deployment. > > It is unfortunate that there is a confusion between AD domain and DNS > domain terminology-wise. AD domain may "own" several DNS domains, as > described in the AD domai

[Freeipa-users] Re: Help troubleshooting ipa-upgrade

2021-05-04 Thread Rob Crittenden via FreeIPA-users
John Obaterspok via FreeIPA-users wrote: > Hi, > > I have been trying now for a month getting ipa-upgrade going on my > single host IPADOM. Any idea what to do would be greatly appreciated > > -- ipaupgrade log -- > 2021-05-04T04:25:02Z DEBUG args=['/bin/systemctl', 'stop', > 'dirsrv@IPADOM-LAN.s

[Freeipa-users] Re: Use of LDAP Configuration UI Web Console

2021-05-04 Thread G Col via FreeIPA-users
I was trying to compare openldap with freeipa, but I cannot find the configuration for ldap in freeipa, is a plugin that needs to be installed separately? If there is an option, where is the UI web interface? Thank you for your help, much appreciated. :)

[Freeipa-users] Re: Use of certificates to have https secure connection

2021-05-04 Thread G Col via FreeIPA-users
Hi Rob, Thank you for your answer. About replacing the nickname in nss.conf what would be my value? [root@freeipa openldap]# certutil -L -d /etc/httpd/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI - Would be Server-Cert the value? I think this is the one that cannot find, but

[Freeipa-users] Freeipa upgrade failed: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

2021-05-04 Thread Giovanni Bechis via FreeIPA-users
Hi, running latest FreeIPA upgrade I encountered an error and the freeipa upgrade failed. The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain section but it fails even if /etc/sssd.conf has those options set. Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my ss