[Freeipa-users] Re: Group permissions failing on group with ipaNTSecurityIdentifier attribute

On 2/1/22 09:24, Scott Serr via FreeIPA-users wrote: Hello, I have an IPA cluster of 5 servers, running version 4.9.6-10.  The system was put in production Feb 2021 and has been updated several times.  These updates have sometimes not gone well: https://lists.fedorahosted.org/archives/list

[Freeipa-users] Group permissions failing on group with ipaNTSecurityIdentifier attribute

Hello, I have an IPA cluster of 5 servers, running version 4.9.6-10.  The system was put in production Feb 2021 and has been updated several times.  These updates have sometimes not gone well: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/F7NSVWPC5HTA

[Freeipa-users] Re: After OS/IPA updates Employee attributes in web app are blank

On 1/17/22 10:59 AM, Rob Crittenden wrote: Scott Serr via FreeIPA-users wrote: On 1/12/22 11:43 AM, Rob Crittenden wrote: Scott Serr via FreeIPA-users wrote: Attributes in the Employee Information section of the user web page are blank following a series of OS/IPA updates. The "ipa

[Freeipa-users] Re: After OS/IPA updates Employee attributes in web app are blank

On 1/12/22 11:43 AM, Rob Crittenden wrote: Scott Serr via FreeIPA-users wrote: Attributes in the Employee Information section of the user web page are blank following a series of OS/IPA updates. The "ipa user-find --all" cli command shows these attributes fine. Specifically (

[Freeipa-users] Re: After OS/IPA updates Employee attributes in web app are blank

dnf.log shows dev-current had an update to 4.9.6-6 that the other clone (dev-dec8-updated) did not. It looks like 4.9.6-6, although replaced has created this lingering problem. dev-dec8-updated 2021-11-04T12:48:27-0600 DEBUG Upgraded: ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64 202

[Freeipa-users] After OS/IPA updates Employee attributes in web app are blank

Attributes in the Employee Information section of the user web page are blank following a series of OS/IPA updates. The "ipa user-find --all" cli command shows these attributes fine. Specifically (in my case): Department Number Employee Number Employee Type I'm wondering if anyone else has

[Freeipa-users] Re: failure to sync with replicas

On 7/29/21 9:06 AM, Rob Crittenden wrote: Scott Serr via FreeIPA-users wrote: Apologies for the length/verbosity of the lasts message. I've read there can be a situation on IPA startup where the KDC server isn't fully up, but LDAP is up.  At that point in time LDAP can get swamp

[Freeipa-users] Re: failure to sync with replicas

m. https://pagure.io/freeipa/issue/8544 Please, anyone, let me know if this is the wrong conclusion. Thank you to the IPA folks answering questions on this list. Scott On 7/28/21 2:58 PM, Scott Serr via FreeIPA-users wrote: I'm running 5 ipa servers with (the latest on CentOS 8) 4.9.2. Sync

[Freeipa-users] failure to sync with replicas

I'm running 5 ipa servers with (the latest on CentOS 8) 4.9.2. Synchronization had stopped yesterday and also 3 days ago. It actually stopped yesterday after I stopped / modified / started "ipa1" to configure rotating logs longer so I could track down what happened 3 days ago. 2021-07-27 17:

[Freeipa-users] groups imported incorrectly (made compat tree look out of sync memberUid)

A few months ago, using IPA 4.8.7, I imported users and groups from OpenLDAP: ipa -v migrate-ds --with-compat \ --bind-dn="cn=Manager,dc=example,dc=com" \ --user-container="ou=People,dc=example,dc=com" \ --user-objectclass="posixAccount" \ --group-container="ou=Group,dc=example,dc=com" \ --group

[Freeipa-users] Re: DNS forward for subdomain only working on first master

It's more of a general problem, I realize now that any DNS resolution that requires forwarding fails only on the replica(s). So even "nslookup google.com" fails, but on the first master (ipa1) it's fine and succeeds. Both have "nameserver 127.0.0.1" in /etc/resolv.conf I want to add how th

[Freeipa-users] Re: DNS forward for subdomain only working on first master

I want to add how the replica was created: ipa-replica-install --setup-dns \ --forwarder=192.168.66.11 \ --forwarder=192.168.68.41 \ --setup-ca We've been trying to figure this out for a day. Looking for some help please. We have servers ipa1 and ipa2. The ipa1 was installed first and it c

[Freeipa-users] DNS forward for subdomain only working on first master

We've been trying to figure this out for a day. Looking for some help please. We have servers ipa1 and ipa2. The ipa1 was installed first and it can delegate to a subdomain fine. The ipa2 server does not get an answer. Looking at packets on ipa2, they end up going to my general forwarders to th

[Freeipa-users] reduce "normal user" permission

Two parts to this question: Is there a way to disable a normal user's ability to modify their attributes like their name? And along those lines, is there a convenient way to reduce what a normal user sees of other users (via web and cli)? I'm using version 4.8. Thank you!

[Freeipa-users] Re: Delay in behavior when making changes to custom plugins

On 9/9/20 9:17 AM, Rob Crittenden wrote: Scott Serr via FreeIPA-users wrote: My environment is: CentOS 8.2, FreeIPA 4.8.4, single instance, no clients My minimal test case plugin looks like this: user.takes_params += (     Str('useraffiliation?',     cli_name = '

[Freeipa-users] Delay in behavior when making changes to custom plugins

My environment is: CentOS 8.2, FreeIPA 4.8.4, single instance, no clients My minimal test case plugin looks like this: user.takes_params += ( Str('useraffiliation?', cli_name = 'useraffiliation', label = _('User Affiliation'), ), ) user.default_attributes.append('useraffiliation') Say I