This language is completely unacceptable.
You have been put in permanent moderation.
You can receive messages, but anything you send will be held in
moderation and may or not be acted upon as time permits by the
moderators.
You can appeal this decision by writing to the list owners.
But I warn y
On Wed, 2023-06-07 at 14:35 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
> > On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
> > wrote:
> > > On 19.09.17 12:07, Alexander Bokovoy wrote:
> > &
On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> On 19.09.17 12:07, Alexander Bokovoy wrote:
> > On ti, 19 syys 2017, Ronald Wimmer wrote:
> > > On 2017-09-19 11:53, Alexander Bokovoy wrote:
> > > > [...]
> > > > Please spend some time reading the documentation. It is vas
On Wed, 2021-12-15 at 10:49 +0200, Alexander Bokovoy via FreeIPA-users
wrote:
> Hi Antoine,
>
> On ke, 15 joulu 2021, Antoine Gatineau via FreeIPA-users wrote:
> > Hi,
> >
> > This message was probably missed in all the log4shell exchanges.
> > Any hint on how to rebuild the RA certificate with a
Hi Steve,
On Mon, 2021-04-19 at 19:08 +, Steve Reed via FreeIPA-users wrote:
> Hi Stephen,
>
> True. I understand that, but I think we are getting off track to my
> original question. Can you run a FIPS FreeIPA server and still have
> the clients work with it? It's not necessarily required
On Wed, 2021-02-03 at 12:34 -0500, Robert Kudyba via FreeIPA-users
wrote:
> On Wed, Feb 3, 2021 at 12:18 PM Jochen Kellner wrote:
>
> > Robert Kudyba via FreeIPA-users
> > writes:
> >
> > > So now I put:
> > > ipa user-add $username --first=$first --last=$last \
> > > --setattr use
On Fri, 2020-10-02 at 12:27 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> How could I possibly find the POSIX ids of all mapped Active Directory
> users?
>
> I do neither see them in LDAP nor do I find them with IPA user find.
They are in AD, query AD please.
The only other option is to use a
On Thu, 2020-10-01 at 11:46 +1000, Fraser Tweedale wrote:
> On Wed, Sep 30, 2020 at 09:43:29AM -0400, Simo Sorce wrote:
> > On Wed, 2020-09-30 at 16:04 +1000, Fraser Tweedale wrote:
> > > On Tue, Sep 29, 2020 at 09:44:16AM -0400, Simo Sorce via FreeIPA-users
> > > wro
On Wed, 2020-09-30 at 16:04 +1000, Fraser Tweedale wrote:
> On Tue, Sep 29, 2020 at 09:44:16AM -0400, Simo Sorce via FreeIPA-users wrote:
> > On Tue, 2020-09-29 at 14:01 +0200, Christian Heimes via FreeIPA-users
> > wrote:
> > > On 28/09/2020 08.01, Fraser Tweedale
On Tue, 2020-09-29 at 09:44 -0400, Simo Sorce via FreeIPA-users wrote:
> On Tue, 2020-09-29 at 14:01 +0200, Christian Heimes via FreeIPA-users
> wrote:
> > On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote:
> > > On Thu, Sep 24, 2020 at 02:15:11PM -, Willie L
On Tue, 2020-09-29 at 14:01 +0200, Christian Heimes via FreeIPA-users
wrote:
> On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote:
> > On Thu, Sep 24, 2020 at 02:15:11PM -, Willie Lima via FreeIPA-users
> > wrote:
> > > Hi guys,
> > >
> > > I have 12 freeipa servers deployed with in
For interested parties (and archives) part of the issue was this:
https://github.com/gssapi/mod_auth_gssapi/issues/228
I am adding some logging to mod_auth_gssapi to make this kind of error
more readily discoverable from the apache error log.
Simo.
On Wed, 2020-09-02 at 13:00 +, Aurelien Bom
On Mon, 2020-07-13 at 19:13 +, Sergiy Genyuk via FreeIPA-users
wrote:
> The RADIUS server is DUO, so when the RADIUS server is set in FreeIPA it sends an
> Access-Request to the DUO RADIUS server; DUO checks the password against AD and
> then pushes an Accept message to the user's mobile app... then returns
> Access-
Hi Peter,
this is generally good info, and all the cleanups you mention below are
worth doing.
I just want to mention that if someone is in a pinch and needs to
prioritize operation that the only fixes that are really necessary are
those that involve certificate chains sent from servers to clients
On Wed, 2020-06-03 at 14:58 +0200, Natxo Asenjo via FreeIPA-users
wrote:
> On Tue, Jun 2, 2020 at 8:33 PM Alexander Bokovoy
> wrote:
>
> > On ti, 02 kesä 2020, Natxo Asenjo via FreeIPA-users wrote:
> > > hi,
> > >
> > > We have a new realm with rhel 7.8 and a default CA key of 2048 bits.
> > >
On Fri, 2020-05-08 at 10:27 +, Rob van Halteren via FreeIPA-users
wrote:
> Hello,
>
> I have a network consisting of a LAN, WLAN, DMZ and a PRODUCTION network,
> separated by a firewall that performs the routing and connections to the
> outside world.
> I want to introduce Identity management u
On Tue, 2020-04-21 at 12:25 +, Andreas Bulling via FreeIPA-users
wrote:
> The admin login problem I just managed to fix - missing trailing slash in a
> permanent redirect from http to https in Apache.
>
> But the ISSUE/NEEDED_PREAUTH messages I'd still like to figure out if these
> are not n
On Fri, 2020-01-17 at 09:35 -0700, Kristian Petersen via FreeIPA-users
wrote:
> Hey all,
>
> I am trying to get kerberized NFS home directories working in Ubuntu 18.04
> with the mapping info coming from IPA. I can get them to mount on login in
> a multi-user target (terminal only), but not a gra
On Tue, 2020-01-14 at 15:59 +0100, Ronald Wimmer via FreeIPA-users
wrote:
> Some minutes ago and without changing anything servicea started working
> again on my Linux client whereas the problem persists on the Linux
> client of a colleague.
There isn't much to go on here, however I would look i
The port alone won't tell you anything, in AD communication happens on
port 389, but is then upgraded via SASL/GSSAPI to use a secure channel
(pretty much like you do with STARTTLS).
On Tue, 2019-12-17 at 21:56 +, Jones, Bob (rwj5d) wrote:
> Okay, I’ve narrowed it down to the sssd_be process t
On Tue, 2019-12-17 at 20:09 +, Jones, Bob (rwj5d) via FreeIPA-users
wrote:
> Hello all,
>
> Our Active Directory team is working on a project to get rid of all
> insecure LDAP communications to Active Directory, and it seems our
> FreeIPA servers are doing just that. I did a quick search and
I strongly recommend reading this article:
https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
And based on it, I would a) reconsider if using sudo is not a better
idea, b) recommend, if possible, to create the docker group locally and
add
On Tue, 2019-10-22 at 14:31 -0400, Simo Sorce via FreeIPA-users wrote:
> On Tue, 2019-10-22 at 18:43 +0300, Alexander Bokovoy via FreeIPA-users
> wrote:
> > On ti, 22 loka 2019, Charles Hedrick via FreeIPA-users wrote:
> > > ok. So delegation works. Now we come to t
On Tue, 2019-10-22 at 18:43 +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> On ti, 22 loka 2019, Charles Hedrick via FreeIPA-users wrote:
> > ok. So delegation works. Now we come to the question of how to
> > configure it in gssproxy. The man page describes the syntax of the file
> > but not ho
>
> > Another way that you can handle auth sys is to configure the domain on
> > the server (as any of the domain strings you want) and then use the
> > same domain on all clients), that should make them work.
> >
> > > On Mon, 2019-10-07 at 12:37 -0400, Simo So
d then use the
same domain on all clients), that should make them work.
On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
> If you use krb5 authentication you should have no issues, are you using
> auth=sys instead ?
>
> On Fri, 2019-10-04 at 17:10 -0500, Kevin V
If you use krb5 authentication you should have no issues, are you using
auth=sys instead ?
On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
> Hello,
>
> I’ve got FreeIPA setup where I have multiple domains for client machines
> depending on their geography.
>
> For exam
On Mon, 2019-07-29 at 11:47 -0400, Simo Sorce via FreeIPA-users wrote:
> Christina,
apologies for the typo, I meant "Christian" of course.
> the easiest way to handle your situation is to create a new group for
> allowed hosts, add all current hosts then remove the 10 you ca
Christina,
the easiest way to handle your situation is to create a new group for
allowed hosts, add all current hosts then remove the 10 you care about.
Finally set up an auto-membership rule so all new hosts are
automatically added to that group.
You will have to monitor/remove any new "special"
On Thu, 2019-07-11 at 12:09 +0100, lejeczek via FreeIPA-users wrote:
> hi guys
>
> I've been having my IPA deployment trusting AD for a while now and it's
> been behaving pretty good I must say, except for one thing - kerberos,
> in some places at least.
>
> What I've needed really, or mainly tha
On Fri, 2019-05-17 at 14:19 +, SOLER SANGUESA Miguel via FreeIPA-
users wrote:
> Hello,
>
> I don't think it is a good idea to create an IPA POSIX group with the
> same GID. I think the best option is adding the IPA user to the local
> group as you tried to do. The only problem is that you used
On Thu, 2019-05-16 at 22:30 +, Jim Rice via FreeIPA-users wrote:
> I have a host (lucee) and a user (ricky).
> I want to allow ricky to modify files on lucee owned by a group (admins).
>
> How is this accomplished using the freeIPA server?
You create a POSIX group on the FreeIPA server and as
On Tue, 2018-12-04 at 09:43 +0100, Florence Blanc-Renaud via FreeIPA-
users wrote:
> On 12/3/18 6:10 PM, Brian Topping via FreeIPA-users wrote:
> > Hi all, I have a question about TOTP authenticators (Google Authenticator,
> > Authy, FreeOTP):
> >
> > Why is it that a given URL/QRCode can load in
On Tue, 2018-09-11 at 14:10 +1200, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
>
>
> We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
> client and FreeIPA 4.5.4 (ok, it's really RHIdM)
>
>
>
> We had a lot of users having issues logging and/or resett
On Fri, 2018-09-07 at 11:49 -0400, Ranbir via FreeIPA-users wrote:
> On Thu, 2018-09-06 at 16:24 -0400, Simo Sorce via FreeIPA-users wrote:
> > I need to ask, if you really mean "delegation" or if you mean
> > "single-
> > sign-on" here.
>
> I defin
On Thu, 2018-09-06 at 16:03 -0400, Ranbir via FreeIPA-users wrote:
> On Thu, 2018-09-06 at 19:25 +0300, Alexander Bokovoy via FreeIPA-users
> wrote:
> >
> > By default FreeIPA deals with fully qualified host names. Unless you
> > added non-FQDN names as aliases to your host records in IPA (I
> > s
On Wed, 2018-09-05 at 16:19 -0400, Ranbir via FreeIPA-users wrote:
> Hello,
>
> I have a Fedora 26 desktop joined to a freeipa domain running two ipa
> 4.5.4-10 servers on CentOS 7.5.1804. I have an odd "problem" I hope
> someone here can help me fix.
>
> I can ssh from my desktop to any server i
On Wed, 2018-09-05 at 14:32 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Heather A. Selbe via FreeIPA-users wrote:
> > This is going to be a strange one. I have a new instance of IPA I am
> > standing up, and did an migrate of users and groups from a prior IPA
> > instance. In the old instance,
You can use something like KeyCloak or Ipsilon as an Idp to which you
auth via kerberos, and then use their SAML or OIDC tokens to auth to
Atlassian products.
The net effect is Single Sign On, it works without issues.
On Wed, 2018-08-29 at 10:22 -0500, Jacob Block via FreeIPA-users wrote:
> Thank
Worst case you can ldapmodify the record in LDAP directly, assuming it
is the WebUI that faultily modified the record upon setting rather than
the DNS server machinery.
HTH,
Simo.
On Thu, 2018-08-09 at 10:19 +, Balg, Andreas via FreeIPA-users
wrote:
> Hi there,
>
> Our FreeIPA DNS returns th
On Thu, 2018-07-12 at 12:02 +, Ryan Slominski via FreeIPA-users
wrote:
> Further investigation suggests this might have something to do with
> gssproxy. I was expecting to find the HTTP keytab at
> /etc/httpd/conf/ipa.keytab, but now see it is in
> /var/lib/ipa/gssproxy. This problem only oc
On Tue, 2018-06-12 at 12:15 -0700, Alessandro Perucchi via FreeIPA-
users wrote:
> Hello everyone,
>
> We were using Freeipa on Fedora 24. And we are in the process to upgrade to
> Fedora 28.
> We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
>
> I am trying to upgrade one server after t
On Mon, 2018-05-14 at 14:44 -0400, Josh via FreeIPA-users wrote:
> On 05/14/2018 01:29 PM, Alexander Bokovoy wrote:
> > Talking with Simo, we realized that since we are using random salt for
> > all IPA principals, you need to know the salt when creating a keytab
> > entry. You only can retrieve th
On Thu, 2018-04-26 at 21:02 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Ildefonso Camargo via FreeIPA-users wrote:
> > Hello,
> >
> > At this point I am mostly looking for confirmation/denial of the
> > following observed behavior:
> >
> > FreeIPA Kerberos will issue service tickets to a use
On Wed, 2018-04-11 at 14:36 -0400, Chris Dagdigian via FreeIPA-users
wrote:
> Hi folks,
>
> Multi-region AWS IPA user here. We've got an ancient and brittle IPA
> setup with broken replication and an inability to upgrade. Rather than
> fix I want to stand up a whole new set of IPA servers runnin
On Wed, 2018-04-11 at 10:47 -0400, Dave Jablonski via FreeIPA-users
wrote:
> One of the FreeIPA replicas is not able to use the GSSAPI authentication
> to connect to ldap server on itself or any other FreeIPA server. I'm not
> sure why. I added example.com to just replace the actual domains, we'
On Tue, 2018-02-13 at 19:23 +0100, Ray via FreeIPA-users wrote:
> Hi Simo,
>
> > > Hi Simo,
> > >
> > > > > Hi there,
> > > > >
> > > > > I'm trying to make Apache to access a kerberized document root on
> > > > > CentOS
> > > > > 7 using gssproxy. So far without success. On the web server machi
Comment inline.
On Tue, 2018-02-13 at 16:58 +0100, Ray via FreeIPA-users wrote:
> Hi Simo,
>
> > > Hi there,
> > >
> > > I'm trying to make Apache to access a kerberized document root on
> > > CentOS
> > > 7 using gssproxy. So far without success. On the web server machine
> > > (=NFS client) I
On Tue, 2018-02-13 at 15:35 +0100, Ray via FreeIPA-users wrote:
> Hi there,
>
> I'm trying to make Apache to access a kerberized document root on CentOS
> 7 using gssproxy. So far without success. On the web server machine
> (=NFS client) I configured a gss-proxy config file:
>
> # cat /etc/gss
I think this could be considered a bug, not sure if there is a ticket
open already, but I think someone else reported something similar
previously.
Simo.
On Mon, 2018-02-05 at 10:06 -0600, Kat wrote:
> Yes, D is CA
>
> Firewalling is not 100% accurate. The masters are in different VPCs
> across
On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
> This is a new one I have not seen before.
>
> Have 4 servers, trying to add a 5th.
>
> Master A and B (in one location) can talk to C and D (in another location)
>
> Trying to add E, which is a new location with the master to repl
On Fri, 2017-12-01 at 11:15 -0800, Gordon Messmer via FreeIPA-users
wrote:
> On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote:
> > gssproxy does not use libidmapd because it is not thread safe (among
> > other issues), it is also not needed, because you can control
On Fri, 2017-12-01 at 14:34 +0100, Anton Semjonov wrote:
> On 01/12/17 00:11, Simo Sorce via FreeIPA-users wrote:
> > On Thu, 2017-11-30 at 14:50 -0800, Gordon Messmer via FreeIPA-users
> > wrote:
> > > I'm troubleshooting a problem: A local system account (daemon) nee
On Thu, 2017-11-30 at 14:50 -0800, Gordon Messmer via FreeIPA-users
wrote:
> I'm troubleshooting a problem: A local system account (daemon) needs to
> access a file on an NFS4 filesystem with sec=krb5. My understanding is
> that only processes which have a Kerberos ticket are able to access
> f
On Wed, 2017-11-29 at 09:26 -0500, Rob Morin via FreeIPA-users wrote:
> Ok so I will initially create the account. So far my tests went ok, this
> special user can change the user's group and password, ONLY if they are
> in the group sftponly. So that's ok. But I cannot seem to figure out how
>
On Mon, 2017-11-27 at 21:42 +0100, Michael Frank via FreeIPA-users
wrote:
> Hi,
>
> we run freeipa based on red hat 7.3
> Is it possible to determine if a certain user (idm user who can become root
> via sudo) is logged in on multiple idm machines
> and restrict for the user that only *one* log
On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote:
> Hello IPA,
>
> Hopefully a quick question.
>
> RHEL 7.3 IPA 4.4
>
> I have been digging around RHEL docs
> https://access.redhat.com/solutions/357673 for firewall ports and it
> says
> 389 is required for replication of
On Tue, 2017-10-24 at 16:23 +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the FreeIPA List,
>
>
>
> We've got a FreeIPA directory set up and running. That's all good.
>
>
>
> The difficult part is that we also have a number (many) of SLE 12 SP2
> hosts
> that need to be enrolled.
>
>
On Wed, 2017-10-11 at 10:41 -0400, Mark Haney wrote:
> On 10/10/2017 05:46 PM, Simo Sorce wrote:
> >
> > >
> > > Could you perhaps do something weird with the default shell
> > > setting?
> >
> > probably can use oddjob/oddjob_mkhomedir properly configured on the
> > various servers.
> >
> > Si
On Tue, 2017-10-10 at 17:36 -0400, Robbie Harwood via FreeIPA-users
wrote:
> Rob Crittenden writes:
>
> > Mark Haney via FreeIPA-users wrote:
> >
> > > Due to people not documenting squat here over years, one of our
> > > servers configurations got jacked up when I migrated it from
> > > OpenLDAP
On Tue, 2017-09-19 at 14:37 -0400, Simo Sorce via FreeIPA-users wrote:
> We normally store credentials in the kernel keyring, have you changed
> the default ccache type in your installation ?
Ignore the above, I overlooked that you are on RHEL6, we introduced the
keyring in RHEL7.
Simo.
On Tue, 2017-09-19 at 20:27 +0200, Jakub Hrozek via FreeIPA-users
wrote:
> On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via
> FreeIPA-users wrote:
> > Hi,
> >
> > When /tmp is full, it is impossible to authenticate with Kerberos.
> > Login with password over SSH and sudo don't work.
We normally store credentials in the kernel keyring, have you changed
the default ccache type in your installation ?
If you have elected to use /tmp to store ccaches and it is full it is
expected for auth to fail.
Simo.
On Mon, 2017-09-18 at 17:11 +0200, Marius Bjørnstad via FreeIPA-users
wrote:
On Fri, 2017-09-08 at 12:36 -0400, Mark Haney wrote:
> On 09/08/2017 12:10 PM, Simo Sorce wrote:
> > On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users
> > wrote:
> > > Probably the dumbest question you'll get all day, but we've got a
> > > hundred or so VMs with OpenLDAP on them (as c
On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
> Probably the dumbest question you'll get all day, but we've got a
> hundred or so VMs with OpenLDAP on them (as clients pointing to a
> master). Are there any gotchas to replacing OpenLDAP with FreeIPA?
Do you mean that yo
On Fri, 2017-08-11 at 15:27 +, Andrew Meyer via FreeIPA-users
wrote:
> If I want to keep track of DNS changes in FreeIPA, is there a way to
> do this?
You could run a persistent search against the DNS subtree and funnel the
output in some log file.
You would see all the changes as ldif snippet
On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote:
> Never mind -- if I use ipa-getkeytab, it works perfectly.
>
> What is the difference between what getkeytab and ktutil by hand
> does?
> Is it documented?
In FreeIPA we generate a random salt instead of using the old
"principal na
On Fri, 2017-06-02 at 10:10 -0500, Kat wrote:
> Hi Simo,
>
> I understand the mechanics of the error, however, when you are trying
> to configure Cloudera Manager with IPA, the configuration/setup
> process fails with the error (and it shows in logs) and therefore, CM
> does not finish the configu
On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:
> Hi,
>
> I have read several pages on getting IPA and Clouder Manager working
> together to make nice with Kerberos, however, having an issue
> following the various steps. When I run through CM set and put the
> primary account in
You are welcome, perhaps this is something that we need to make easier
to discover with a tool or something.
We can't necessarily automatically add random domains, but definitely
make it easy for the admin to find out via some diagnostics.
One thing came to mind after we solved this. You may be abl
On Thu, 2017-05-25 at 16:55 -0400, Jake via FreeIPA-users wrote:
> Hey Guys,
>
> Centos7.3
> FreeIPA 4.4.0
>
>
> I'm having a strange issue with cross-realm tickets that I'm having a
> hard time troubleshooting. it looks similar to an issue posted back
> in 2014. https://www.redhat.com/archives
On Mon, 2017-05-22 at 10:17 +, doug.ke...@wipro.com wrote:
> Hi,
>
>
> I'm wondering if anyone else has done something similar to us, and if so am
> wondering how you went about it or if it is indeed at all possible.
>
>
> Our situation is:
>
>
> * We have a few VMs which are domain
On Tue, 2017-05-23 at 13:07 -0400, Chris Apsey via FreeIPA-users wrote:
> All,
>
> We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a
> few other things. We have been looking for a way to keep track of the
> last time a user logged on, and the obvious answer seems to be th