The solution/hack I came up with to get around this was to just let
tmpfiles.d create the dir with a local user and open enough permissions
that the ipa based user that the service runs as has enough permissions to
write its pid file into the directory. Not elegant, but works for now.
/usr/lib/tmp
I ran into a perplexing problem recently:
We have all of our users/groups stored in ipa, including some "service
accounts" that we run services under. As we started migrating to CentOS 7
we came across the issue with some services configured to store their PID
files in /run (or /var/run) which is t
(UserName == NULL) {
goto exit;
}
// If UserName is computer account, just return STATUS_SUCCESS
if (UserName.back() == '$') {
goto exit;
}
(disclaimer: I don't know c++, just googled to illustrate the idea only.)
On Wed, Apr 18, 2018 at 5:11 PM, Rob Crittenden
I have passsync configured and working just fine, but with one minor
annoyance:
the passsync.log file is filled with "computer account" password changes.
Example: (first one is a user passwd change, second is computer account.)
04/16/18 09:02:02: Received passhook event. Attempting sync
04/16/18
the idview
>> override, it doesn't work.
>>
> You need to assign the view to a host and then you should restart SSSD
> on the host. ID View assignments are only taken by hosts on restart.
>
>
>
> On Fri, Feb 16, 2018 at 11:01 AM, Alexander Bokovoy
>> wrote:
>
ry moving it to the idview
override, it doesn't work.
On Fri, Feb 16, 2018 at 11:01 AM, Alexander Bokovoy
wrote:
> On Fri, 16 Feb 2018, Rob Brown via FreeIPA-users wrote:
>
>> Hi,
>> We recently moved from an "old school" setup where we would push different
>
Hi,
We recently moved from an "old school" setup where we would push different
pubkeys for the same user out to specific hosts in different environments
using configuration management. Likewise, the matching private keys would
only exist in their requisite environment.
This presents a new problem w
n level: 1
>
> Server name: ipa-prod-1202
> Min domain level: 0
> Max domain level: 1
>
> Number of entries returned 4
> ----
>
>
>
>
> On Wed, Jan 31, 2018 at 10:52 PM, Andrew Radygin
> wrote:
>
>
th replicas again.
>
> 2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> ok, did a little googling, and seems like KRA refers to the "vault"
>> feature?
>> I didn't originally install this myself, s
ok, did a little googling, and seems like KRA refers to the "vault" feature?
I didn't originally install this myself, so wasn't sure if it is used for
anything critical.
I ran:
# ipa vault-find
0 vaults matched
Number of entries returne
I have 4 IPA servers, all masters, that were previously configured in a
"full mesh" replication.
2 in "prod", 2 in "preprod".
While trying to fix a replication issue, I accidentally did a:
ipa-replica-manage del
on one of the prod servers for BOTH preprod servers.
Now, the prod servers don't "see"
>
> The IPA team isn't devoting much, if any time, these days on winsync,
> instead focusing on AD trust. Given the complexity of trying to find an
> equivalent state in AD of kinda-deleted and implementing, testing, etc I
> doubt this is something that will be addressed.
>
>
Our company recently implemented freeipa to replace a cent5 kerberos
infrastructure. We set it up with a Winsync agreement with an AD domain,
and it is working pretty well.
Our user disposition workflow in AD is this: user account is disabled, and
moved to a "terminated users" OU in AD. The account di
13 matches