I've tried to install and re-install the IPA server on my node. Even tried to
re-provision it. When I look in the SSSD log for my domain I get the following:
* (2023-05-04 6:30:59): [be[lab.local]] [sdap_get_generic_ext_step]
(0x2000): [RID#16] ldap_search_ext called, msgid = 48
* (2023-
On Sat, 29 Apr 2023, Sebastiano Pomata via FreeIPA-users wrote:
Hi all,
I successfully deployed a FreeIPA installation with a master server and
two replicas using podman and the container images provided on
docker.io (specifically, those based on fedora 36) on RHEL 8. Time has
passed (indeed f
On Wed, 03 May 2023, Rob van Halteren wrote:
Hi Alexander,
Do you mean that forwarding is actually working correctly but that
addresses with log entry “broken trust chain resolving ‘addres’” are
most likely sites that have dnssec issues? I have lots of entries
like that in my log.
Correct. DNS
On Wed, May 03, 2023 at 02:40:30PM -, Finn Fysj via FreeIPA-users wrote:
> > On Wed, May 03, 2023 at 12:00:16PM -, Finn Fysj via
> > FreeIPA-users wrote:
> >
> > Hi,
> >
> > the behavior was changed due to
> > https://bugzilla.redhat.com/show_bug.cgi?id=1879869
> > https://github.com/S
On Wed, May 03, 2023 at 10:17:03PM -, Djerk Geurts via FreeIPA-users wrote:
> > Not all IPA users can create DNS records. One needs to be able to create
> > the TXT entry for the challenge to succeed.
>
> I think this is the crux of it. How does an anonymous ACME client
> authorise anything?
>
On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users
wrote:
> Djerk Geurts via FreeIPA-users wrote:
> > Aware that ACME support is still relatively new. I'm looking at how the
> > challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA
> > manages the DNS it
Interestingly I've just found this, which includes a provision for specifying
IPA account credentials when Kerberos isn't available.
https://github.com/HeMan/ipa-dns-hook
> Can you expand on why you think that because IPA can manage DNS then
> that the DNS-01 challenge is superfluous?
Because I'm not sure how an acme client like acme.sh would validate itself
against Dogtag on FreeIPA. This is the bit I can't find in the documentation.
> Not all IPA users can crea
Djerk Geurts via FreeIPA-users wrote:
> Aware that ACME support is still relatively new. I'm looking at how the
> challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA
> manages the DNS itself and HTTP-01 is often not an option, for example when
> using ACME on vSphere.
Can yo
J N via FreeIPA-users wrote:
>> J N via FreeIPA-users wrote:
>>
>> One is probably a replication conflict entry. Add --all --raw to the
>> command and look at the dn. If it contains nsUniqueId it's a conflict
>> entry. If both entries are identical you can delete it using ldapdelete.
>> otherwise f
So simple. Thanks Rob!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct
Jeremy Tourville via FreeIPA-users wrote:
> Is it possible to create the record automatically when registering a new
> client to IPA? If so, how? Maybe I have missed something when reading the
> manuals.
Include --enable-dns-updates with your ipa-client-install invocation.
This will set dyndns
Is it possible to create the record automatically when registering a new client
to IPA? If so, how? Maybe I have missed something when reading the manuals.
Hi Alexander,
Do you mean that forwarding is actually working correctly but that addresses with
log entry “broken trust chain resolving ‘addres’” are most likely sites that
have dnssec issues?
I have lots of entries like that in my log.
Regards,
ROB VAN HALTEREN
AV | IT System Engineer
Entrepotd
On Wed, 03 May 2023, Rob van Halteren via FreeIPA-users wrote:
Hi,
I have trouble resolving some addresses with my FreeIPA server. In the log there are
lots of "broken trust chain" lines, like:
validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May 3 14:36:11 myserver named-p
> On Wed, May 03, 2023 at 12:00:16PM -, Finn Fysj via FreeIPA-users wrote:
>
> Hi,
>
> the behavior was changed due to
> https://bugzilla.redhat.com/show_bug.cgi?id=1879869
> https://github.com/SSSD/sssd/issues/5660
>
> To switch back to the old behavior you can add
>
> pam_response_fi
On Wed, May 03, 2023 at 12:00:16PM -, Finn Fysj via FreeIPA-users wrote:
> I'm trying to set up a new IPA server and when I run 'sudo su' I get
> prompted with password, which is fine.
> However, when I successfully type my password on a RHEL7 instance
> running FreeIPA version 4.6 I get a kerber
Hi,
I have trouble resolving some addresses with my FreeIPA server. In the log
there are lots of "broken trust chain" lines, like:
validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May 3 14:36:11 myserver named-pkcs11[30906]: validating
gew4-spclient.spotify.com/CNAME: bad cac
Aware that ACME support is still relatively new. I'm looking at how the
challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages
the DNS itself and HTTP-01 is often not an option, for example when using ACME
on vSphere.
If the DNS-01 verification is indeed fully local to
I'm trying to set up a new IPA server and when I run 'sudo su' I get prompted with
password, which is fine.
However, when I successfully type my password on a RHEL7 instance running
FreeIPA version 4.6 I get a kerberos ticket as the logged-in user in
"root-mode", but when I do the same in the newer
> J N via FreeIPA-users wrote:
>
> One is probably a replication conflict entry. Add --all --raw to the
> command and look at the dn. If it contains nsUniqueId it's a conflict
> entry. If both entries are identical you can delete it using ldapdelete.
> otherwise for preservation purposes you'd wan