[Freeipa-users] SSSD prompting/2fa

2022-06-03 Thread Sigbjorn Lie via FreeIPA-users
Hi list, When I have a 2FA enabled user account, I receive the two password prompt for sudo at a host, even on hosts where 2FA is not required. This breaks Ansible for me, when using "become" with Ansible. I am testing the [prompting/2fa] options in sssd to remediate this. I have the followi

[Freeipa-users] dse.ldif and dse.ldif.bak gone after powerloss

2022-04-19 Thread Sigbjorn Lie via FreeIPA-users
Hi, We recently had a failure causing an IPA server to experience an immediate powerloss. When the server power was switched back on, the dirsrv service refused to start. The following were logged in journalctl. Apr 19 10:58:13 ipa2.redacted.tld ns-slapd[2811868]: [19/Apr/2022:10:58:13.75

[Freeipa-users] Re: Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySync.

2022-02-23 Thread Sigbjorn Lie via FreeIPA-users
On 2022-02-22 17:47, Rob Crittenden via FreeIPA-users wrote: Sigbjorn Lie via FreeIPA-users wrote: Hi list, After our upgrade from EL7 to EL8, the ipa-backup script is stating a warning: "Warning: Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySy

[Freeipa-users] Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySync.

2022-02-21 Thread Sigbjorn Lie via FreeIPA-users
Hi list, After our upgrade from EL7 to EL8, the ipa-backup script is stating a warning: "Warning: Local roles CA, DNS, DNSKeySync do not match globally used roles ADTRUST, CA, DNS, DNSKeySync. A backup done on this host would not be complete enough to restore a fully functional, identical cl

[Freeipa-users] Re: MemberManager

2022-02-18 Thread Sigbjorn Lie via FreeIPA-users
On 2022-02-17 17:26, Rob Crittenden via FreeIPA-users wrote: Sigbjorn Lie via FreeIPA-users wrote: On 2022-02-17 13:52, Alexander Bokovoy via FreeIPA-users wrote: On to, 17 helmi 2022, Sigbjorn Lie-Soland via FreeIPA-users wrote: Hi list, We recently upgraded our IPA environment from EL7.9

[Freeipa-users] Re: MemberManager

2022-02-17 Thread Sigbjorn Lie via FreeIPA-users
On 2022-02-17 13:52, Alexander Bokovoy via FreeIPA-users wrote: On to, 17 helmi 2022, Sigbjorn Lie-Soland via FreeIPA-users wrote: Hi list, We recently upgraded our IPA environment from EL7.9 to EL8.5. And now we are testing out the new Member Manager feature. Adding a usergroup (example: "rol

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-05-15 Thread Sigbjorn Lie via FreeIPA-users
> On 11 Mar 2020, at 14:29, Rob Crittenden via FreeIPA-users > > wrote: > > Alexander Bokovoy via FreeIPA-users wrote: >> On ke, 11 maalis 2020, Rob Crittenden wrote: >>> Alexander Bokovoy wrote: On ke, 11 maalis 2020, Fraser Tweedale via FreeI

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-06 Thread Sigbjorn Lie via FreeIPA-users
> On 4 Mar 2020, at 14:27, Alexander Bokovoy via FreeIPA-users > wrote: > > On ke, 04 maalis 2020, Sigbjorn Lie via FreeIPA-users wrote: >> Hi Alex, >> >> Thanks for your prompt response. >> >> There are no Debian/Ubuntu systems in our environme

[Freeipa-users] Re: IPA CA renewal and duplicate CA certs

2020-03-04 Thread Sigbjorn Lie via FreeIPA-users
the ipa-certupdate command? Regards, Siggi > On 4 Mar 2020, at 13:51, Alexander Bokovoy <mailto:aboko...@redhat.com>> wrote: > > On ke, 04 maalis 2020, Sigbjorn Lie via FreeIPA-users wrote: >> Hi, >> >> We recently renewed our IPA CA cert using the "

[Freeipa-users] IPA CA renewal and duplicate CA certs

2020-03-04 Thread Sigbjorn Lie via FreeIPA-users
Hi, We recently renewed our IPA CA cert using the "ipa-cacert-manage renew" command. The renewal was successful, and our CA cert no longer expires in 2020, but in 2040. Running “ipa-certupdate” on existing IPA clients and ipa-client-install on new IPA clients also works, however both the new a

[Freeipa-users] Re: Large DNS zone

2018-02-28 Thread Sigbjorn Lie via FreeIPA-users
> On 28 Feb 2018, at 10:48, Alexander Bokovoy wrote: > > On ke, 28 helmi 2018, Sigbjorn Lie via FreeIPA-users wrote: >> Hi list, >> >> I have recently imported a DNS zone into IPA, having just over 14 000 >> records in the DNS zone. When trying to list the

[Freeipa-users] Large DNS zone

2018-02-28 Thread Sigbjorn Lie via FreeIPA-users
Hi list, I have recently imported a DNS zone into IPA, having just over 14 000 records in the DNS zone. When trying to list the records in the webui, an error message is displayed "Search result has been truncated: Configured administrative server limit exceeded". I expected this with suc

[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-08 Thread Sigbjorn Lie via FreeIPA-users
Hi, Thank you. That worked well. :) Regards, Siggi > On 7 Nov 2017, at 11:24, Alexander Bokovoy via FreeIPA-users > wrote: > > On ma, 06 marras 2017, Sigbjorn Lie via FreeIPA-users wrote: >> Hi list, >> >> RHEL/CentOS 5.11 clients do not seem to work with IP

[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Sigbjorn Lie via FreeIPA-users
ote: > > On (06/11/17 16:58), Sigbjorn Lie via FreeIPA-users wrote: >> Hi list, >> >> RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from >> sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow >> the existing HB

[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-07 Thread Sigbjorn Lie via FreeIPA-users
the mentioned issues with sssd-ipa in EL5. Regards, Siggi > On 6 Nov 2017, at 17:22, Mark Haney via FreeIPA-users > wrote: > > On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote: >> Hi list, >> >> RHEL/CentOS 5.11 clients do not seem to work

[Freeipa-users] RHEL/CentOS 5 and IPA 4.5

2017-11-06 Thread Sigbjorn Lie via FreeIPA-users
Hi list, RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function. Is there a known workaround to get EL 5.11 clients to work with IPA 4.5 using sssd-ipa? Thanks

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-09-16 Thread Sigbjorn Lie via FreeIPA-users
Hi, I just had the same issue as Gustavo with the webui after upgrading from 7.3 to 7.4, and came across this thread. Adding the whoami plugin to dse.ldif solved the issue. Thanks. Regards, Siggi > On 9 Aug 2017, at 17:15, Pavel Vomacka via FreeIPA-users > wrote: > > > > On 08/08/2017

[Freeipa-users] named-pkcs11 systemd service

2017-05-26 Thread Sigbjorn Lie via FreeIPA-users
Hi, I have experienced named stopping unexpectedly from time to time. After moving to RHEL 7 I made use of a handy feature in systemd, “Restart=always”, to make sure named is kept alive. This has kept named alive for me, and I was wondering if this perhaps would be a useful addition to th