Hi Daniel,
Replicating only some of the users seems like a not-great idea. That way your
replica is not truly a replica anymore, and you lose a lot of the benefits a
replica brings.
Isn't it much easier to replicate all users, and use HBAC rules to
allow/disallow login based on user- and host g
s out of sync.
Starting chrony spontaneously fixed everything.
Peter
From: Kroon PC, Peter via FreeIPA-users
Sent: Tuesday, 17 June 2025 12:44
To: Florence Blanc-Renaud; FreeIPA users list
Cc: Kroon PC, Peter
Subject: [Freeipa-users] Re: Replication i
Hi,
On Mon, Jun 16, 2025 at 5:28 PM Kroon PC, Peter via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hi Flo,
>> [server1]# ldapsearch -Y GSSAPI -h server2.ipa.test -b "" -s base
>This one fails
>What is the er
ues
Hi,
On Mon, Jun 16, 2025 at 9:10 AM Kroon PC, Peter via FreeIPA-users
mailto:freeipa-users@lists.fedorahosted.org><mailto:
Hi,
On Mon, Jun 16, 2025 at 9:10 AM Kroon PC, Peter via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Hi Mark,
thanks for chipping in.
Does anyone else have any sugg
] Re: Replication issues
On 6/6/25 11:01 AM, Kroon PC, Peter via FreeIPA-users wrote:
> Hi Mark,
>
> thanks for the quick reply.
> Server-B has the
Hi Peter,
So the credentials the replication agreement is using are not valid (for
whatever reason). Please check the directory server access log for
"err=49" and
Hello world,
I have 3 IPA servers that are supposed to all replicate with each other. For
one server this stopped working. On all servers I have ipa-server
4.12.2-14.el9_6 on Rocky Linux 9.6.
I'll call my servers A, B, and C. Server A cannot replicate with either server
B or C. B and C can re
andom certificate serial numbers on
existing installation
Kroon PC, Peter via FreeIPA-users wrote:
> Hello world,
>
> I recently set up the certificate ACME service on my IPA installation, and am
> looking into pruning old and expired certificates. However, when I try
> `ipa-acme-man
Hello world,
I recently set up the certificate ACME service on my IPA installation, and am
looking into pruning old and expired certificates. However, when I try
`ipa-acme-manage pruning --config-show` it tells me `Certificate pruning
requires random serial numbers`. Is there any way to turn th
Hi Ron,
On paper, and technically, I do think this would be the best solution. Like I
wrote originally however, you need a modified ssh(d) to forward access to the
certificate/smartcard to allow pkinit to get your kerberos ticket (as far as I
understand it).
See also this kerberos mail thread:
You got me digging into this again :)
I found the alternative ssh implementation: pkixssh
https://gitlab.com/secsh/pkixssh Not sure I'd be brave enough though.
Peter
From: Kroon PC, Peter via FreeIPA-users
Sent: Wednesday, 9 April 2025 10:43
To: fr
Hello list,
This is also something I looked at a while ago, and I effectively came to the
same conclusion as Sumit, but with a bit more nuance. Note that I never quite
managed to implement a fix, but I'll share my thoughts here anyway.
SSH key authentication is done by sshd, and kerberos has no
e have to support.
On Thu, 17 Oct 2024, 19.56 Rob Crittenden via FreeIPA-users,
<freeipa-users@lists.fedorahosted.org> wrote:
Sarah PETER via FreeIPA-users wrote:
> Dear all,
>
>
>
> TLDR;
>
> We have an IPA setup consisting of four replicas (2 CA, 2 non-CA)
Dear all,
TLDR;
We have an IPA setup consisting of four replicas (2 CA, 2 non-CA) without any
of the DNS records that ‘ipa dns-update-system-records‘ suggests and we share
our DNS domain with AD. Will we have any issues, assuming that we are not using
Kerberos automatic discovery, the krb, sssd
e not found
> Kroon PC, Peter via FreeIPA-users wrote:
>> Thanks for the super fast reply! I'll do my best to reply in-line, but I'm
>> bound to outlook, which doesn't like it too much.
>>
>>>> Hi all!
>>>>
>>>> I'm worki
Thanks for the super fast reply! I'll do my best to reply in-line, but I'm
bound to outlook, which doesn't like it too much.
>> Hi all!
>>
>> I'm working on updating my freeipa server from rocky 8 to 9. I'm playing
>> around with virtual machines as playground server and client, since I'd
>>
Hi all!
I'm working on updating my freeipa server from rocky 8 to 9. I'm playing around
with virtual machines as playground server and client, since I'd rather not
break my everything right away. As part of this, I first installed ipa-server
version 4.10.2-8.el9_3 on the server. Then I did an
your prompt responses :)
>>>>I made a new lxc machine and restored a backup so at least I have a working
>>>>environment again. I kept the borken one for further investigation which
>>>>I'll use to provide more information.
>>>>I'm not super
oy
>>>Sent: Wednesday, 25 October 2023 20:49
>>>To: Rob Crittenden
>>>Cc: FreeIPA users list; Kroon PC, Peter
>>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT
>>>following S4U2PROXY_NO_HEADER_PAC
>>>
rzonden: woensdag 25 oktober 2023 20:49
>>To: Rob Crittenden
>>Cc: FreeIPA users list; Kroon PC, Peter
>>Subject: Re: [Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT
>>following S4U2PROXY_NO_HEADER_PAC
>>
>>On Срд, 25 кас 2023, Rob Crittenden wro
[Freeipa-users] Re: ipa CLI doesn't work due to revoked TGT
>following S4U2PROXY_NO_HEADER_PAC
>
>On Срд, 25 кас 2023, Rob Crittenden wrote:
>>Alexander Bokovoy via FreeIPA-users wrote:
>>> On Срд, 25 кас 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>>> Hi all,
-users] Re: ipa CLI doesn't work due to revoked TGT
following S4U2PROXY_NO_HEADER_PAC
On Срд, 25 кас 2023, Rob Crittenden wrote:
>Alexander Bokovoy via FreeIPA-users wrote:
>> On Срд, 25 кас 2023, Kroon PC, Peter via FreeIPA-users wrote:
>>> Hi all,
>>>
>>
Hi all,
After upgrading to Rocky Linux 9.2 I'm running into issues with my IPA server
(4.10.1-9.el9_2). In particular, my IPA CLI seems FUBARred:
$ kinit admin
Password for ad...@example.com:
$ ipa show-user admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: No
cred
Hello,
on one of our FreeIPA servers we recently got the following error messages:
[05/Feb/2020:22:51:44.078229410 +0100] - ERR - write_function - PR_Write(392)
Netscape Portable Runtime error -5999 (Invalid file descriptor.)
[21/Feb/2020:08:25:39.507298208 +0100] - ERR - write_function - PR_Wri
Dear all,
since a few days we get the following message about 1-2 times a day in the
error logs of several of our replicas:
INFO - csngen_new_csn - Sequence rollover; local offset updated.
Is this something we should be worried about?
We ran the readNsState.py script from
https://directory.fe
Thanks, this did exactly what I wanted.
Regards,
Peter
I manage a small FreeIPA domain that has one server that can be accessed
through ssh from the internet. I occasionally find that the admin account is
locked, when I try to log in to the FreeIPA admin interface (not available from
the Internet), and it seems that this is due to an endless stream