Hello,
On a FreeIPA setup with AD trust I tried to centralize the ssh public keys of
the users in FreeIPA and use the sss_ssh_authorizedkeys in client ssh config in
order to retrieve the keys on the clients. I noticed that when the public key
of a user is updated or an extra public key is ad
Hello,
I have a FreeIPA setup with AD trust configured. Everything works, except the
login to the WEB UI with an Active Directory account. The only possibility to
login to the WEB UI is via the admin account.
In the /var/log/krb5kdc.log I have the following entries after I try to connect
to
Hi,
Thank you, this is what I was looking for!
Regards,
iulian
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.
Hello everybody,
I have a FreeIPA setup with AD trust which works properly. I recently noticed
that authentication does not work on some freeipa clients which are in a
firewalled network. All ports to the FreeIPA servers were allowed in the
firewall. Checking the logs, I observed that kerber
Hello Everybody,
I would like to ask if it is possible to deny access to a specific server group
for a group of users who have access to all servers by default.
Example: the operators group has access to all servers, but I would like to deny
access for them for a specific subset of servers which
Thank You Rob! It was a good hint. I forgot to bind roles with privilege,
therefore the "memberofindirect" was not present in the attributes of the user.
After I added privilege to the role, it worked, and user-show does display
memberofindirect for permission and privilege.
Regards,
iulian r
Hello everybody,
I have modified the ipa schema in order to automate Oracle TNS entries. When I
try to add entries with ipa-ldap-updater it works, but not when running ldapadd
(which is used by Oracle). The error I get is:
/bin/ldapadd -h ipaprd04.ipa.example.corp -p 389 -D
"uid=tnsadmin,cn=
Hi Florence,
Thank you for the hint. Indeed, after I added the override I can authenticate
via WebUI.
Nevertheless, after I added the public key to my profile I still cannot
authenticate to IPA clients without a password. Any idea where I should look?
Regards,
iulian roman
Hi Pedro,
I've tried and restarted several times, without any success. I have to mention
that this issue is only with the Active Directory users; with IPA-defined users
it works properly.
Regards,
iulian roman
Hello everybody,
If I try to login via WebUI with an AD account, I get the following error:
'Your session has expired. Please log in again.' in the WebUI interface.
In the HTTP access logs I have the following entry:
user@EXAMPLE.LOCAL [03/Feb/2022:14:54:13 +0100] "POST /ipa/session/json
H
Both IPA servers are configured as trust agents. For all the other groups
everything works as expected; only the newly defined group is not displayed
on one of the IPA servers.
Regards,
iulian
Hi everybody,
I have an IPA setup with AD trust and when I added a new group in AD it is
detected only on one ipa server (I have 2 ipa servers in replication mode).
getent group correctly returns the group only on one IPA server, therefore only
the ipa clients enrolled to that ipa server can
Hello,
I have an IPA setup and AD trust configured. After we removed an OU from AD ,
on the Linux side the users still show as part of those groups from the OU
removed. I run sss_cache -u on both IPA servers and IPA clients, but the issue
seems to not be solved.
Any idea how those groups can
Hello everybody,
I have an IdM setup configured with AD trust. I would like to know if the
systems in the DMZ need to have firewall ports opened only for the IPA servers, or if
they need to access the AD domain controllers as well? Apparently, only with the rules
for the IPA servers the authentication doe
Hello everybody,
Does anybody know if it is possible to have sudo rules in FreeIPA for local
accounts (accounts which are in /etc/passwd) ?
Hello,
I am using IPA version 4.8.7.
Below I've attached a snippet from /var/log/httpd/error_log:
[Wed Sep 01 11:36:32.899803 2021] [wsgi:error] [pid 3151741:tid
140666734245632] [remote 10.30.226.104:18475] ipa: INFO: 401 Unauthorized:
Insufficient access: Invalid credentials
[Wed Sep 01
Hello,
When I try to login to the WEB UI with an AD account, I get the message
below:
"Your session has expired. Please log in again."
I have tried to check/apply the suggestions on the several links with the same
error message, but so far unsuccessful. Any idea where to look into or wher
Hello,
I try to run some ldapsearch queries on the compat tree from some old clients.
Unfortunately it displays only the IdM POSIX users, not the AD trust users.
The query I am running for a particular AD user:
ldapsearch -Y GSSAPI -h ipaserver01.ipa.example.com -b
"cn=compat,dc=ipa,d
I have tried with that one already, but unfortunately it does not resolve the
trusted AD users.
Hello,
I have some old clients (sssd 1.9) for which I need to use ldap provider in
sssd.conf. Does anyone know how ldap_search_base variables should look like in
order to resolve the AD users ?
With the default settings, it does resolve the posix users/groups from IPA but
not the AD users.
Hello ,
I try to enrol some old linux clients (sssd 1.9.4) to ipaserver using the
settings as mentioned in ipa-advise. I used ldap provider in sssd and I can
query the accounts defined in the IPA server but not the Active Directory accounts.
I use AD trust and views in IPA, therefore the questio
Hi Florence,
Thank you for the clarification. I have indeed the Default Trust View empty (I was
confused by the statement in the doc link, because it mentions that "Default
Trust View is always applied to ad users", without mentioning if it can be
empty or not and override done only for some spec
Hi Florence,
By the "override only for a set of servers" I meant the Idm clients, not the
servers.
I have a similar setup with the same issue which I tried to solve/troubleshoot
for months without success. I have opened as well few threads on this list and
sssd list. The funny part starts with sssd 2.2 , where even the uid override
which used to work on sssd 1.6 does not work anymore .
The
Hello,
I would like to do an override only for a set of servers, therefore not in the
Default Trust View. I have created another view, where I added only the servers
for which I want to do the override and the users + UIDs which I need to
override. The Default Trust View is therefore empty.
Hello everybody,
In an IdM setup with replica and AD trust, I noticed that on a few clients only
some of the groups are resolved to names (on the IPA servers they are
correctly resolved). If I remove caches on the IPA server, remove the cache in
/var/lib/sss/db, I make it eventually work, altho
I have done some more investigations and with the debugging enabled, I can see
the following errors in the sssd_ipa.example.com.log on the IPA server (when I
run id from an IPA client) :
2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished]
(0x0400): Search result: Succe
Hello,
I have an issue with the group override on the IPA server. When I run the id
command it does display all the group members , but for the primary GID which
is overwritten it does not display the name, only the ID.
- groups userid
groups: cannot find name for group ID 20309 ( but it d
Indeed, one of the replica had a duplicate nameAlias in the cache. I removed
it and it looks ok now. Thank you for the hint.
Hello everybody,
In the client logs I get the error below when querying AD users:
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Time limit
exceeded(3), (null).
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation failed,
Hello,
I see the following error in the sssd_nss logs on the IPA server:
[nss] [cache_req_common_get_acct_domain_recv] (0x0080): CR #2: Could not get
account domain [1432158301]: GetAccountDomain() not supported
That seems to be related to the error below, which I get when running groups
:
> On pe, 09 heinä 2021, iulian roman via FreeIPA-users wrote:
>
> I think you have misunderstood what the documentation is saying.
>
yes, probably I misunderstood the statement from the doc:
"The Default Trust View is always applied to IdM servers and replicas as well
as to AD
Thanks for the links. According to the document , override for AD users can
happen only in Default Trust View, therefore I cannot have the second
host-based view defined. In this case it is absolutely impossible to make the
override for AD users work for both SSSD versions.
Hello,
Due to the fact that I have some issues with ID views and different sssd
versions, I tried a different approach. I created a second ID view, where I do
override some users only for a group of systems. The override in the second ID
view (both for users and groups) is different from the o
I try to reanimate this thread, hopefully someone will be willing to spare some
time and help with it. I have done some more tests, and it seems that override
of AD users in sssd 2.2.3 does not work as expected. I do not know if it is a
bug or works as expected, but as I mentioned several times,
Thank you Rob! That was it. I've added all attributes which were denied in the
logs and now it works properly.
Yes, I would like to grant anonymous access. I did not get exactly how and
where the objectclass needs to be added. I tried it as a filter, but that does not
work either. Do you have an example of how the rule should look?
After enabling the debug , in the logs I see access denied:
[07/Jul/2021:09:27:58.612128660 +0200] - DEBUG - NSACLPlugin -
print_access_control_summary - conn=11 op=1 (main): Deny search on
entry(cn=oradev1,cn=oraclecontext,dc=ipadev,dc=example,dc=com).attr(objectClass)
to anonymous: no aci mat
Hi,
Below I attached the output from a non-anonymous bind:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# OracleContext, ipadev.example.com
dn: cn=OracleContext,dc=ipadev,dc=example,dc=com
objectClass: orclContext
objectClass: top
cn: O
Hello,
I tried to grant read/search access to a specific subtree in IPA for anonymous
bind. The ipa permission-add command completed successfully, but when I try
ldapsearch it does not display any objects.
ipa permission-show 'read oracle context'
Permission name: read oracle context
Grant
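The NSACLPlugin line in the access-denied post above names, per entry and attribute, exactly what the anonymous bind was refused, and the later reply in this thread confirms that the fix was to add those attributes to the permission. The script below is an added example, not code from the thread or from FreeIPA: it parses print_access_control_summary lines (written when the directory server's error log level includes ACL debugging), keeps only denials for the chosen bind identity under the subtree the permission covers, refuses to grant attributes that must never be readable anonymously, and assembles the ipa permission-mod call. The log lines, the subtree DN, the Oracle attribute names and the never-anonymous list are constructed for this example.

```python
"""Collect the attributes 389-ds denied to a bind identity under one subtree.

Added example (not from the mailing-list thread). The aim is to end up with
'add exactly these attributes' rather than 'grant everything', which matters
when the grant is to anonymous.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the NSACLPlugin summary lines quoted in
# the thread; DNs, attributes and the aci name are made up for the example.
SAMPLE_LOG = """\
[07/Jul/2021:09:27:58.612128660 +0200] - DEBUG - NSACLPlugin - print_access_control_summary - conn=11 op=1 (main): Deny search on entry(cn=oradev1,cn=OracleContext,dc=ipadev,dc=example,dc=com).attr(objectClass) to anonymous: no aci matched the resource
[07/Jul/2021:09:27:58.612301000 +0200] - DEBUG - NSACLPlugin - print_access_control_summary - conn=11 op=1 (main): Deny search on entry(cn=oradev1,cn=OracleContext,dc=ipadev,dc=example,dc=com).attr(cn) to anonymous: no aci matched the resource
[07/Jul/2021:09:27:58.612420000 +0200] - DEBUG - NSACLPlugin - print_access_control_summary - conn=11 op=1 (main): Deny read on entry(cn=oradev1,cn=OracleContext,dc=ipadev,dc=example,dc=com).attr(orclNetDescString) to anonymous: no aci matched the resource
[07/Jul/2021:09:27:58.612550000 +0200] - DEBUG - NSACLPlugin - print_access_control_summary - conn=11 op=1 (main): Allow search on entry(cn=OracleContext,dc=ipadev,dc=example,dc=com).attr(objectClass) to anonymous: allowed by aci(1): aciname="read oracle context", acidn="dc=ipadev,dc=example,dc=com"
[07/Jul/2021:09:27:58.700000000 +0200] - DEBUG - NSACLPlugin - print_access_control_summary - conn=12 op=3 (main): Deny search on entry(uid=admin,cn=users,cn=accounts,dc=ipadev,dc=example,dc=com).attr(userPassword) to anonymous: no aci matched the resource
"""

SUMMARY_RE = re.compile(
    r"print_access_control_summary - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"(?P<verdict>Allow|Deny) (?P<right>\w+) on entry\((?P<dn>[^)]*)\)"
    r"\.attr\((?P<attr>[^)]*)\) to (?P<who>[^:]+):"
)

# Attributes that must never be readable by an anonymous bind, whatever the
# log says was denied. Assumed list for this example; extend it for your schema.
NEVER_ANONYMOUS = {"userpassword", "krbprincipalkey", "krbmkey", "ipanthash",
                   "sambantpassword", "krbextradata"}


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace after RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def under_subtree(dn, subtree):
    """True if dn is the subtree root itself or lies below it."""
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def denied_attrs(log_text, subtree, who="anonymous"):
    """Map each denied right -> set of lower-cased attribute names, limited to
    entries under `subtree` and to the bind identity `who` (Allow lines and
    other subtrees are ignored, so unrelated denials never widen the grant)."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if not m or m["verdict"] != "Deny" or m["who"].strip() != who:
            continue
        if not under_subtree(m["dn"], subtree):
            continue
        result[m["right"].lower()].add(m["attr"].strip().lower())
    return dict(result)


def attrs_to_grant(denied):
    """Union of the denied attributes across rights, refusing secrets outright."""
    attrs = set().union(*denied.values()) if denied else set()
    leaked = attrs & NEVER_ANONYMOUS
    if leaked:
        raise ValueError(f"refusing to grant anonymous access to {sorted(leaked)}")
    return sorted(attrs)


def permission_mod_command(name, attrs):
    """Build the ipa permission-mod invocation that sets the attribute list.
    Assumes the permission already has the right bind type and subtree."""
    flags = " ".join(f"--attrs={a}" for a in attrs)
    return f"ipa permission-mod '{name}' {flags}"


if __name__ == "__main__":
    denied = denied_attrs(SAMPLE_LOG, "cn=OracleContext,dc=ipadev,dc=example,dc=com")
    print(permission_mod_command("read oracle context", attrs_to_grant(denied)))
```

Pass permission-mod the complete attribute list (the ones already granted plus the missing ones), check the result with ipa permission-show, and then repeat the ldapsearch with an anonymous bind while the ACL debug level is still on, so any remaining denial shows up in the same log format.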
> Am Wed, Jun 30, 2021 at 07:39:44PM - schrieb iulian roman via
> FreeIPA-users:
>
> Hi,
>
> maybe there is some unexpected interaction with the code which
> automatically handles user private groups and the manual creation of a
> user private group with the id-
I do not use ldap_group_name in IPA. I'll describe below an example for an
override, because probably it all has to do with the 'sAMAccountName':
Example of user and group in AD:
user: testuser - AD name 'testuser' - AD 'sAMAccountName' 'testuser' -
uidNumber:23634 gidNumber:23634
group:
Hi Sumit,
Thank you for the answer. In that case probably I am in the right direction for
finding the issue with the overrides:
In AD, the 'User logon name (pre-Windows 2000)' and 'Group name (pre-Windows
2000)' are the correspondents of 'sAMAccountName'. 'sAMAccountName' should be
unique af
Hello everybody,
Can anyone explain which attribute is used to lookup/resolve group names in AD
? As far as I can see on my ipa clients, it seems to use sAMAccountName . Is
that correct ?
Hi,
> Hi,
>
> On Fri, Jun 25, 2021 at 5:27 PM iulian roman via FreeIPA-users
>
> There are cases where you need to run "sss_cache -E" on the server as
> well. That might be it.
>
I ran it as well on both IPA servers, restarted sssd, sss_cache -u, etc.
Hello everybody,
I try to make the above combination work in my environment, and have already
spent several weeks + opened a few threads with different sorts of issues. So far,
I can say that it works only with workarounds, restarts, clearing caches, etc.,
which is not the setup I can move in prod
Hi Florence,
I removed the files in that location , although sss_cache -E seems to do that
as well. The behaviour hasn't changed unfortunately.
Hello,
I tried for some time to understand how the cache invalidation works on the
clients, and I have to admit that I am even more confused than when I started,
therefore I would like to ask if there is someone who can either explain or
point me to the relevant documentation.
I'll describe b
I have attached some sssd logs snippets with debug_level activated in
sssd.conf (some lines have been truncated) :
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [dp_get_account_info_send]
(0x0200): Got request for [0x1][BE_REQ_USER][name=test_u...@example.com]
(Tue Jun 15 16:09:02 2021) [be
Hi Sumit,
I do not override the primary GID (because I had this issue before and per your
advice I removed the GID override), only the UID. The same setup works with
the older sssd version, as I mentioned, and that's why I thought that something
might have changed in sssd.
Hello everybody,
I have an IPA setup with AD trust configured and Trust View defined on the IPA
server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1 but it
doesn't on Ubuntu 20 with sssd version 2.2.3. I can list /query the AD accounts
which are not part of the default Trus
Hi Rafael ,
Thank you for the update. I use ansible-freeipa-0.3.2-2.el8.noarch and the
issue seems to be present.
Best Regards,
iulian roman
I have added the full chain in /var/lib/ipa/certs but I do not know if that is
the correct way.
Hello everybody,
I do not know if this is the right place to mention it, but maybe there will be
someone who can redirect me to the right list or support channel.
On RHEL 8.3 , the latest python3-ipaserver package
(python3-ipaserver-4.9.2-3.module+el8.4.0+10412+5ecb5b37) does not contain the
Hello everybody,
I tried to change the WEB UI certificate with a custom certificate signed by
our internal CA. The custom certificate was provided as a bundle (certificate +
intermediates). The root ca which signs the intermediate was added in the
truststore with ipa-cacert-manage.
Everything
I think the very strange behaviour was due to the fact that I did not have a
name for the gid in AD . As a workaround, I removed the gid from override (and
let IPA generate one) . The interesting part was that getent did assign the
username to the respective gid (therefore both getent group co
Hi ,
Thank you for the explanation. It does make sense now.
Hello ,
I would like to know how the primary group ID is calculated for trusted users
from AD. For example, all users in AD have primary group 'domain users'. I
see on the IPA side that the GID is different for all users who have primary
group 'domain users' in AD. Is the algorithm differ
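For the primary-GID question just above, and for the "cannot find name for group ID" post earlier on this page, the part that is usually unclear is how a SID becomes a POSIX ID at all. For an ID range of type ipa-ad-trust, IPA publishes the range (first POSIX ID, number of IDs, first RID; see ipa idrange-show) and every IPA server and client derives the ID arithmetically from the RID, so a user's primary GID is whatever that arithmetic gives for the RID in the user's primaryGroupID (513 for Domain Users), not a per-user value. With an ipa-ad-trust-posix range the uidNumber and gidNumber stored in AD are used instead, and an ID override replaces either result. The code below is an added example, not code from SSSD or FreeIPA; the domain SID and the range numbers are assumed values.

```python
"""SID <-> POSIX ID arithmetic for an ipa-ad-trust (non-POSIX) ID range.

Added example, not SSSD or FreeIPA code. Mapping used for that range type:
    id  = base_id  + (rid - base_rid)
    rid = base_rid + (id  - base_id)
Because it is pure arithmetic on published range values, servers and clients
agree on the ID without asking AD, and a stray numeric ID in 'groups: cannot
find name for group ID N' can be turned back into the SID it stands for.
"""
from dataclasses import dataclass

DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group


@dataclass(frozen=True)
class TrustRange:
    domain_sid: str              # SID of the trusted AD domain (assumed below)
    base_id: int                 # "First Posix ID of the range"
    size: int                    # "Number of IDs in the range"
    base_rid: int                # "First RID of the corresponding RID range"
    range_type: str = "ipa-ad-trust"


def _check_type(rng):
    if rng.range_type != "ipa-ad-trust":
        raise ValueError(
            "ipa-ad-trust-posix ranges take uidNumber/gidNumber from AD; "
            "there is nothing to compute")


def sid_to_id(rng, sid):
    """POSIX ID for an object SID in the range's domain, or None when the SID
    belongs to another domain or its RID is outside the RID range."""
    _check_type(rng)
    prefix = rng.domain_sid + "-"
    if not sid.startswith(prefix):
        return None
    tail = sid[len(prefix):]
    if not tail.isdigit():
        return None
    rid = int(tail)
    if rid < rng.base_rid or rid - rng.base_rid >= rng.size:
        return None
    return rng.base_id + (rid - rng.base_rid)


def id_to_sid(rng, posix_id):
    """Reverse mapping for a numeric ID seen on a client, or None if the ID
    is not inside this range (then it is not this trust's doing at all)."""
    _check_type(rng)
    if not rng.base_id <= posix_id < rng.base_id + rng.size:
        return None
    return f"{rng.domain_sid}-{rng.base_rid + (posix_id - rng.base_id)}"


def primary_gid(rng, primary_group_rid=DOMAIN_USERS_RID):
    """GID derived from a user's primaryGroupID RID. Every user whose AD
    primary group is Domain Users therefore gets the same GID."""
    return sid_to_id(rng, f"{rng.domain_sid}-{primary_group_rid}")


if __name__ == "__main__":
    # Assumed values, not from a real deployment.
    rng = TrustRange("S-1-5-21-1111-2222-3333", base_id=200000, size=200000, base_rid=0)
    print(sid_to_id(rng, "S-1-5-21-1111-2222-3333-1105"))
    print(primary_gid(rng))
    print(id_to_sid(rng, 201105))
```

If id_to_sid returns None for the unresolved GID, the number did not come from this trust's range; check the Default Trust View for a GID override (which bypasses the arithmetic) or, with a posix range, the gidNumber stored in AD.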
> Am Wed, May 12, 2021 at 06:46:29AM - schrieb iulian roman via
> FreeIPA-users:
>
> Hi,
>
> did you use the IPA 'unix_users' group as primary group for those users
> and given the GID of 'unix_users' in the id-overrides for the users? Or
> di
> Am Tue, May 11, 2021 at 03:09:54PM - schrieb iulian roman via
> FreeIPA-users:
>
> Hi,
>
> can you give some more details about the group, where it comes from IPA
> or AD, and the GID, it is the original GID of the group or coming from
> an id-override as well?
That was a good hint ! Actually it does return the gid when I run getent group
. And after I run the getent group on the client
side, I can run as well id . So, only after I run getent group
on the ipa clients I can list the user attributes.
Any idea what needs to be changed in order to ha
Hello everybody,
I try to override some UIDs and GIDs for AD users in IdM (I added all users for
which I need to override attributes in the Default Trust View) and although
everything works properly on both IdM server and replica, I cannot query the
users on the ipa clients. Any other users (which
Thank you for the clear explanation Sumit. I thought i can avoid id-override
(for some issues which I will highlight on a new thread) , but I'll try to
configure and see how reliable it will be in my environment.
Yes, it is correct and this is exactly what I observed in the tests (if
ipa-ad-trust-posix is not mentioned, the uidNumber and gidNumber are ignored)
and the one within the range is generated.
The situation I have in AD is a "mix" of users without those attributes and
with. If I configure the t
I have configured a trust between IdM and Active Directory with posix range
type. The users which do have an uidNumber in AD are correctly listed, but
those without uidNumber are not (similar for the groups).
Is there any setting or possibility to have the AD users without uidNumber get
an uid
Is there any method to "filter" or mask some Active Directory groups in order
to speed up the lookup/search in AD ? For example I am interested only on few
groups (max. 10) and all the rules will be based on those groups. I do not want
to display all hundreds of groups a user is member of, but
> On pe, 30 huhti 2021, iulian roman via FreeIPA-users wrote:
>
> Correct -- in any DNS domain owned by your IPA deployment.
>
> It is unfortunate that there is a confusion between AD domain and DNS
> domain terminology-wise. AD domain may "own" several DNS domai
> On to, 29 huhti 2021, iulian roman via FreeIPA-users wrote:
>
> First, to make it clear. You should not have IPA servers (replicas) in
> .example.local. If you'd do, this is unsupported configuration and any
> bugs you'd see there are your own problems. There is s
I have set up an IdM environment with replica and AD trust. I have the following
realms and domains:
IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with dns domain example.local
All the clients have the DNS domain example.local and are/wil
I am using an IdM setup which has AD trust configured.
IPADEV.EXAMPLE.LOCAL is the IPA realm
EXAMPLE.LOCAL is the AD realm
I can ssh to both IPA servers with AD credentials, but cannot ssh to the IPA
clients. I have enabled debug for almost all services in sssd and the only one
which seems
That was it Sumit ! Thank You !
I need to check if that needs to be corrected on all the clients after the
client enrolment.
I checked /etc/krb5.conf and it is mapped. I have tried as well the below
scenario, which might help in troubleshooting:
- If I configure trust with a different AD domain (the one created for test,
with only one DC behind the AD domain), the same IPA domain works properly. The
only difference
I have an IPA setup with replica which has trust configured with an Active
Directory domain. The trust has been configured and it does show correctly
when listed, but users cannot authenticate against Active Directory. The only
error I see (on IPA server sssd logs) after I enabled debugging is
Hello,
I would like to extend the ldap schema in order to get rid of tnsnames.ora and
use ldap for that. I try to update the schema using ipa-ldap-updater, but so
far no success. Can anybody point out what would be the correct update file I
should create for the schema file below (this is onl
Thank you Alexander. I'll probably not use containers for now, and migrate it
later, when it is supported/tested.
Hello,
Can anyone confirm if Red Hat IdM is supported/recommended to run in
containers in a production environment? I would like to know if there are any
drawbacks before I put any effort into implementing it. I would like to use
it with one replica and trust with Active Directory.
Thank
> On ti, 09 maalis 2021, iulian roman via FreeIPA-users wrote:
>
> Han Boetes (Han on #freeipa) did build Samba against MIT Kerberos some
> time ago to experiment with a similar stuff but he runs IPA DC on Fedora
> and only needs Samba domain members on Ubuntu:
> https://laun
Thank you for clarifications Alexander.
OS version: Ubuntu 18.04.2 LTS
samba version : Version 4.7.6-Ubuntu
FreeIPA version: 4.7.4
If I understand correctly, it does not make any sense to continue troubleshooting
as long as AD trust is not supported with this OS version. I'll try to see what
are
Hello,
I try to configure trust between a FreeIPA domain and Active Directory. They
are both in different domains (ipa domain: ipadev.test.local, ad domain:
iam.intern) and use external DNS. I have configured/verified all
prerequisites, but when I run the ipa trust-add command, I get the followi
> On pe, 05 maalis 2021, iulian roman via FreeIPA-users wrote:
>
> What version of IPA is this and what distribution version?
>
FreeIPA version: 4.7.4 on Ubuntu 18.04
> If I remember correctly, this was fixed in 2019 with
> https://pagure.io/freeipa/issue/6951 and should be a
Hello,
When I run the ipa-adtrust-install command in order to configure trust
prerequisites, it fails in step 4, with the following error:
Configuring CIFS
[1/24]: validate server hostname
[2/24]: stopping smbd
[3/24]: creating samba domain object
Samba domain object already exists
[4/24]
Yes, that is what I've already done. It was enough to complete the install. I
thought I could avoid the plumbing and there is an updated libnss3-tools in
some ppa repos, in order to have a standard installation.
Thank you for the info. My problem is that the installation exits with an error
because certutil does not support the --simple-self-signed option.
Is there any option I can use to work around that and continue with the
installation?
After some plumbing and manual operations I managed to have CA running during
installation of the FreeIPA server. Currently the install fails in :
Configuring directory server (dirsrv)
[2/3]: adding CA certificate entry
args=['/usr/bin/certutil', '-d', 'dbm:/etc/dirsrv/slapd-IPA-LOCAL/', '-O',
I managed to move forward with the installation , which is stuck in another
step, but this thread can probably be closed
> iulian roman via FreeIPA-users wrote:
> I suspect this is a red herring. The installer is
> likely failing
> elsewhere but pkispawn seems to charge on when errors are discovered so
> you need to find the first error reported.
>
It can be. Nevertheless, I have run pkispawn
Hello,
I try to move ahead with the installation of FreeIPA server on Ubuntu, but it
always gets stuck in the CA configuration phases. The last error seems to be
related to a port value missing (as stated in the subject):
2020-12-14 11:17:29 [localhost-startStop-1] SEVERE: Unable to start CMS
Downgrading java moved the installation a bit. It fails faster now :), but
at least I can curl the endpoint, therefore it does not time out in that phase.
The errors I get:
2020-12-11T14:08:33Z DEBUG stderr=pkispawn: ERROR...
subprocess.CalledProcessError: Command '['sysctl', '
Hi Timo,
Thanks for the update. I have tried with new package versions (there is a
dependency as well on libjboss-annotations-1.2-api-java which needs to be
installed from freeipa staging ppa) , but the installation fails in the same
step (it fails to configure/start the CA):
2020-12-11T12:49
Hello !
Does anyone know what version of Ubuntu does support Freeipa server ? I have
tried with 18.04 which fails always due to pki-tomcatd issues and Ubuntu 20
seems to not have the packages in the repository.
Any suggestion/help is appreciated.
Thanks
There is no IPA client for AIX, AFAIK. At least not when I configured it
(a few months ago).
On Thu, Sep 14, 2017 at 11:09 AM, Ronald Wimmer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Does anyone have AIX 7 IPA Clients? Is there also an IPA client installer
> around or do