[Freeipa-users] Antivirus/malware scan

2023-06-26 Thread Ronald Wimmer via FreeIPA-users
If a company policy forces you to install an antivirus/malware scan tool on Linux servers which IPA directories should be excluded because a severe performance impact would be very likely? I would start with: /var/lib/sss /etc/dirsrv/slapd-LINUX-MYDOMAIN-AT What else? Cheers, Ronald

[Freeipa-users] Re: Antivirus/malware scan

2023-06-26 Thread Ronald Wimmer via FreeIPA-users
On 26.06.23 09:32, Ronald Wimmer via FreeIPA-users wrote: If a company policy forces you to install an antivirus/malware scan tool on Linux servers which IPA directories should be excluded because a severe performance impact would be very likely? I would start with: /var/lib/sss /etc/dirsrv/sl

[Freeipa-users] Re: how to set the RIDs during migration to Rocky 8?

2023-06-26 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 26 Jun 2023, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 2023-06-23 14:48:25, Florence Blanc-Renaud via FreeIPA-users wrote: The 2 above ranges don't have "First RID of the corresponding RID range" and "First RID of the secondary RID range" set. If you edit them with ipa idrange

[Freeipa-users] Problem joining a windows pc to freeipa realm without an AD server

2023-06-26 Thread fujisan via FreeIPA-users
Hello everyone, Since I upgraded our server to Fedora 38, we cannot access samba shares on that Linux server from Windows PC. So I'm trying now to log in to a Windows PC using a freeipa user account. I followed instructions I found in the following documentation: https://freeipa.org/page/Window

[Freeipa-users] Re: AIX - IPA group membership

2023-06-26 Thread Ronald Wimmer via FreeIPA-users
On 23.06.23 11:34, Ronald Wimmer via FreeIPA-users wrote: On 23.06.23 10:26, Ronald Wimmer via FreeIPA-users wrote: On 21.06.23 17:29, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: On 20.06.23 16:08, Alexander Bokovoy wrote: On Tue, 20 Jun 2023, Ronald Wimmer

[Freeipa-users] pki-tomcat fails to start after upgrade

2023-06-26 Thread Tania Hagan via FreeIPA-users
Hi FreeIPA, I am currently using FreeIPA version 4.9.10 with 6 IPA replicas. I went to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it attempted to start pki-tomcat. In the /var/log/pki/pki-tomcat/ca/debug.log I see: Unable to connect to LDAP server: Unable to creat

[Freeipa-users] Re: Antivirus/malware scan

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > On 26.06.23 09:32, Ronald Wimmer via FreeIPA-users wrote: >> If a company policy forces you to install an antivirus/malware scan >> tool on Linux servers which IPA directories should be excluded because >> a severe performance impact would be very likely? >>

[Freeipa-users] Re: AIX - IPA group membership

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > On 23.06.23 11:34, Ronald Wimmer via FreeIPA-users wrote: >> On 23.06.23 10:26, Ronald Wimmer via FreeIPA-users wrote: >>> On 21.06.23 17:29, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: > On 20.06.23 16:08, Alexand

[Freeipa-users] Re: Antivirus/malware scan

2023-06-26 Thread Ronald Wimmer via FreeIPA-users
On 26.06.23 16:45, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: On 26.06.23 09:32, Ronald Wimmer via FreeIPA-users wrote: If a company policy forces you to install an antivirus/malware scan tool on Linux servers which IPA directories should be excluded because

[Freeipa-users] Re: Replication of account lock state

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Great summary of how it works, thanks! Sam Morris via FreeIPA-users wrote: > On 23/06/2023 01:50, Djerk Geurts via FreeIPA-users wrote: >> What are the available options? Right now having to log into multiple >> IPA servers to find lockouts is a real pita > > I don't believe you can see this from

[Freeipa-users] Re: Install Error - RuntimeError: CA configuration failed - java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Jacob Chapman via FreeIPA-users wrote: > I am installing on Docker for MacOS. During initial install, it reaches step > [1/30]: configuring certificate server instance when it shows the error. > > I looked in the /data/var/log/ipaserver-install.log and it looks like > everything is OK until it

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: >> I've got an IPA client on which certmonger is unable to renew a >> certificate. >> >> Here are the log messages from certmonger... >> >> 2023-06-20 08:24:49 [622035] Certificate submission attempt

[Freeipa-users] Re: Removing dead servers with tombstone entries

2023-06-26 Thread Joe Rhodes via FreeIPA-users
> On Jun 23, 2023, at 08:30, Florence Blanc-Renaud wrote: > > Hi, > > On Thu, Jun 22, 2023 at 3:18 PM Joe Rhodes via FreeIPA-users > > wrote: >> >> >>> On Jun 21, 2023, at 18:07, Rob Crittenden >> > wrote: >>> >>> Joe

[Freeipa-users] Re: Install Error - RuntimeError: CA configuration failed - java.nio.file.AccessDeniedException: /tmp/nss-cert-11721189233651257758.crt

2023-06-26 Thread Jacob Chapman via FreeIPA-users
Yes I am realizing it might be some issue with permissions writing to that directory. It could be an issue/limitation of Docker on MacOS. I read that Docker on Linux has a special type of data volume called tempfs which might fix this issue. I’ll see what I can play around with related to tha

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-26 Thread Sam Morris via FreeIPA-users
On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote: Sam Morris via FreeIPA-users wrote: On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: I've got an IPA client on which certmonger is unable to renew a certificate. Here are the log messages from certmonger... 2023-06-20

[Freeipa-users] Re: "Credential cache is empty" error preventing certmonger from renewing a host's certificate

2023-06-26 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > On 26/06/2023 16:05, Rob Crittenden via FreeIPA-users wrote: >> Sam Morris via FreeIPA-users wrote: >>> On 20/06/2023 15:34, Sam Morris via FreeIPA-users wrote: I've got an IPA client on which certmonger is unable to renew a certificate. Her