May 2018 - FreeIPA-users - Fedora Mailing-Lists

ipa operation errors from a client, but not servers

by Kat

Anyone seen this before? Can't find anything in searches. (Client - ipa-client-4.5.4-10.el7_5.1.x86_64) (Server - ipa-server-4.5.4-10.el7_5.1.x86_64) On a client, running RHEL 7.4, and IPA server is RHEL 7.5 $ipa user-show freddy --all ipa: ERROR: ImportError: No module named gssapi Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run api.finalize() File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize self.__do_if_not_done('load_plugins') File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done getattr(self, name)() File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins for package in self.packages: File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945, in packages import ipaclient.remote_plugins File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 14, in <module> from ipaclient.plugins.rpcclient import rpcclient File "/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line 32, in <module> from ipalib.rpc import xmlclient, jsonclient File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in <module> import gssapi ImportError: No module named gssapi ipa: ERROR: an internal error has occurred Same command on another host (client) - works flawlessly, but it is same software. Ideas? Kat

3 years, 11 months

3
7
0 / 0

Announcing SSSD 1.16.1

by Jakub Hrozek

SSSD 1.16.1 =========== The SSSD team is proud to announce the release of version 1.16.1 of the System Security Services Daemon. The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback -------- Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users Highlights ————— New Features ^^^^^^^^^^^^ * A new option ``auto_private_groups`` was added. If this option is enabled, SSSD will automatically create user private groups based on user's UID number. The GID number is ignored in this case. Please see https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html for more details on the feature. * The SSSD smart card integration now supports a special type of PAM conversation implemented by GDM which allows the user to select the appropriate smrt card certificate in GDM. Please refer to https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certifi... for more details about this feature. * A new API for accessing user and group information was added. This API is similar to the tradiional Name Service Switch API, but allows the consumer to talk to SSSD directly as well as to fine-tune the query with e.g. how cache should be evaluated. Please see https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html for more information on the new API. * The ``sssctl`` command line tool gained a new command ``access-report``, which can generate who can access the client machine. Currently only generating the report on an IPA client based on HBAC rules is supported. Please see https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html for more information about this new feature. * The ``hostid`` provider was moved from the IPA specific code to the generic LDAP code. This allows SSH host keys to be access by the generic LDAP provider as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page for more details. * Setting the ``memcache_timeout`` option to 0 disabled creating the memory cache files altogether. This can be useful in cases there is a bug in the memory cache that needs working around. Performance enhancements ^^^^^^^^^^^^^^^^^^^^^^^^ * Several internal changes to how objects are stored in the cache improve SSSD performance in environments with large number of objects of the same type (e.g. many users, many groups). In particular, several useless indexes were removed and the most common object types no longer use the indexed ``objectClass`` attribute, but use unindexed ``objectCategory`` instead (#3503) * In setups with ``id_provider=ad`` that use POSIX attributes which are replicated to the Global Catalog, SSSD uses the Global Catalog to determine which domain should be contacted for a by-ID lookup instead of iterating over all domains. More details about this feature can be found at https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalo... Notable bug fixes ^^^^^^^^^^^^^^^^^ * A crash in ``sssd_nss`` that might have happened if a list of domains was refreshed while a NSS lookup using this request was fixed (#3551) * A potential crash in ``sssd_nss`` during netgroup lookup in case the netgroup object kept in memory was already freed (#3523) * Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes in case one of them failed (#3562) * A memory growth issue in ``sssd_nss`` that occured when an entry was removed from the memory cache was fixed (#3588) * Two potential memory growth issues in the ``sssd_be`` process that could have hit configurations with ``id_provider=ad`` were fixed (#3639) * The ``selinux_child`` process no longer crashes on a system where SSSD is compiled with SELinux support, but at the same time, the SELinux policy is not even installed on the machine (#3618) * The memory cache consistency detection logic was fixed. This would prevent printing false positive memory cache corruption messages (#3571) * SSSD now remembers the last successfuly discovered AD site and use this for DNS search to lookup a site and forest during the next lookup. This prevents time outs in case SSSD was discovering the site using the global list of DCs where some of the global DCs might be unreachable. (#3265) * SSSD no longer starts the implicit file domain when configured with ``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented SSSD from being used in setups that combine identities from UNIX files together with authentication against a remote source unless a files domain was explicitly configured (#3590) * The IPA provider can handle switching between different ID views better (#3579) * Previously, the IPA provider kept SSH public keys and certificates from an ID view in its cache and returned them even if the public key or certificate was then removed from the override (#3602, #3603) * FleetCommander profiles coming from IPA are applied even if they are assigned globally (to ``category: ALL``), previously, only profiles assigned to a host or a hostgroup were applied (#3449) * It is now possible to reset an expired password for users with 2FA authentication enabled (#3585) * A bug in the AD provider which could have resulted in built-in AD groups being incorrectly cached was fixed (#3610) * The SSSD watchdog can now cope better with time drifts (#3285) * The ``nss_sss`` NSS module's return codes for invalid cases were fixed * A bug in the LDAP provider that prevented setups with id_provider=proxy and auth_provider=ldap with LDAP servers that do not allow anonymous binds from working was fixed (#3451) Packaging Changes ----------------- * The FleetCommander desktop profile path now uses stricter permissions, 751 instead of 755 (#3621) * A new option ``--logger`` was added to the ``sssd(8)`` binary. This option obsoletes old options such as ``--debug-to-files``, although the old options are kept for backwards compatibility. * The file ``/etc/systemd/system/sssd.service.d/journal.conf`` is not installed anymore In order to change logging to journald, please use the ``--logger`` option. The logger is set using the ``Environment=DEBUG_LOGGER`` directive in the systemd unit files. The default value is ``Environment=DEBUG_LOGGER=--logger=files`` Documentation Changes --------------------- There are no notable documentation changes such as options changing default values etc in this release. Tickets Fixed ------------- * `3648 <https://pagure.io/SSSD/sssd/issue/3648>`_ - Mention in the manpages that Fleet Commander does *not* work when SSSD is running as the unprivileged user * `3639 <https://pagure.io/SSSD/sssd/issue/3639>`_ - sssd_be consumes more memory on RHEL 7.4 systems. * `3627 <https://pagure.io/SSSD/sssd/issue/3627>`_ - MAN: Explain how does auto_private_groups affect subdomains * `3621 <https://pagure.io/SSSD/sssd/issue/3621>`_ - FleetCommander integration must not require capability DAC_OVERRIDE * `3618 <https://pagure.io/SSSD/sssd/issue/3618>`_ - selinux_child segfaults in a docker container * `3615 <https://pagure.io/SSSD/sssd/issue/3615>`_ - Requesting an AD user's private group and then the user itself returns an emty homedir * `3613 <https://pagure.io/SSSD/sssd/issue/3613>`_ - auto_private_groups does not work with trusted domains with direct AD integration * `3610 <https://pagure.io/SSSD/sssd/issue/3610>`_ - AD provider - AD BUILTIN groups are cached with gidNumber = 0 * `3608 <https://pagure.io/SSSD/sssd/issue/3608>`_ - dbus-send unable to find user by CAC cert * `3603 <https://pagure.io/SSSD/sssd/issue/3603>`_ - Certificate is not removed from cache when it's removed from the override * `3602 <https://pagure.io/SSSD/sssd/issue/3602>`_ - SSH public key authentication keeps working after keys are removed from ID view * `3601 <https://pagure.io/SSSD/sssd/issue/3601>`_ - race condition: sssd_be in a one-way trust accepts request before ipa-getkeytab finishes, marking the sssd offline * `3599 <https://pagure.io/SSSD/sssd/issue/3599>`_ - getent output is not showing home directory for IPA AD trusted user * `3594 <https://pagure.io/SSSD/sssd/issue/3594>`_ - sssd used wrong search base with wrong AD server * `3592 <https://pagure.io/SSSD/sssd/issue/3592>`_ - Write a regression test for false possitive "corrupted" memory cache * `3590 <https://pagure.io/SSSD/sssd/issue/3590>`_ - proxy to files does not work with implicit_files_domain * `3588 <https://pagure.io/SSSD/sssd/issue/3588>`_ - sssd_nss consumes more memory until restarted or machine swaps * `3586 <https://pagure.io/SSSD/sssd/issue/3586>`_ - Give a more detailed debug and system-log message if krb5_init_context() failed * `3585 <https://pagure.io/SSSD/sssd/issue/3585>`_ - Reset password with two factor authentication fails * `3579 <https://pagure.io/SSSD/sssd/issue/3579>`_ - SSSD fails to fetch group information after switching IPA client to a non-default view * `3571 <https://pagure.io/SSSD/sssd/issue/3571>`_ - mmap cache: consistency check might fail if there are hash collisions * `3570 <https://pagure.io/SSSD/sssd/issue/3570>`_ - The cache-req debug string representation uses a wrong format specifier for by-ID requests * `3569 <https://pagure.io/SSSD/sssd/issue/3569>`_ - The cache_req code doesn't check the min_id/max_id boundaries for requests by ID * `3564 <https://pagure.io/SSSD/sssd/issue/3564>`_ - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True' * `3563 <https://pagure.io/SSSD/sssd/issue/3563>`_ - Some sysdb tests fail because they expect a certain order of entries returned from ldb * `3562 <https://pagure.io/SSSD/sssd/issue/3562>`_ - Use-after free if more sudo requests run and one of them fails, causing a fail-over to a next server * `3560 <https://pagure.io/SSSD/sssd/issue/3560>`_ - Improve Smartcard integration if multiple certificates or multiple mapped identities are available * `3551 <https://pagure.io/SSSD/sssd/issue/3551>`_ - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault is sssd_nss * `3547 <https://pagure.io/SSSD/sssd/issue/3547>`_ - data from ipa returned with id_provider=file * `3545 <https://pagure.io/SSSD/sssd/issue/3545>`_ - SSSD creates bad override search filter due to AD Trust object with parenthesis * `3539 <https://pagure.io/SSSD/sssd/issue/3539>`_ - Do not autostart the implicit files domain if sssd configures id_provider=proxy and proxy_target_files * `3529 <https://pagure.io/SSSD/sssd/issue/3529>`_ - SSSD-kcm/secrets failed to restart during/after upgrade * `3528 <https://pagure.io/SSSD/sssd/issue/3528>`_ - sssd refuses to start when pidfile is present, but the process is gone * `3523 <https://pagure.io/SSSD/sssd/issue/3523>`_ - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout * `3503 <https://pagure.io/SSSD/sssd/issue/3503>`_ - Do not index objectclass, add and index objectcategory instead * `3496 <https://pagure.io/SSSD/sssd/issue/3496>`_ - [RFE] Add a configuration option to SSSD to disable the memory cache * `3486 <https://pagure.io/SSSD/sssd/issue/3486>`_ - Improve `enumerate` documentation/troubleshooting guide * `3484 <https://pagure.io/SSSD/sssd/issue/3484>`_ - MAN: Describe the constrains of ipa_server_mode better in the man page * `3468 <https://pagure.io/SSSD/sssd/issue/3468>`_ - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests * `3454 <https://pagure.io/SSSD/sssd/issue/3454>`_ - sssd-kcm crashes with multiple parallel requests * `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds. * `3444 <https://pagure.io/SSSD/sssd/issue/3444>`_ - document information on why SSSD does not use host-based security filtering when processing AD GPOs * `3433 <https://pagure.io/SSSD/sssd/issue/3433>`_ - SYSLOG_IDENTIFIER is different * `3293 <https://pagure.io/SSSD/sssd/issue/3293>`_ - Log when SSSD authentication fails because when two IPA accounts share an email address * `3285 <https://pagure.io/SSSD/sssd/issue/3285>`_ - SSSD needs restart after incorrect clock is corrected with AD * `3265 <https://pagure.io/SSSD/sssd/issue/3265>`_ - [RFE] sssd should remember DNS sites from first search * `3198 <https://pagure.io/SSSD/sssd/issue/3198>`_ - Incorrect error code returned from krb5_child for expired/locked user with id_provider AD * `2976 <https://pagure.io/SSSD/sssd/issue/2976>`_ - sdap code can mark the whole sssd_be offline * `2840 <https://pagure.io/SSSD/sssd/issue/2840>`_ - [RFE] Produce access control attestation report for IPA domains * `2823 <https://pagure.io/SSSD/sssd/issue/2823>`_ - Integration tests: Use dbus-daemon in cwrap enviroment for test * `2478 <https://pagure.io/SSSD/sssd/issue/2478>`_ - Provide sss_nss_* API to directly query SSSD instead of nsswitch.conf route * `1872 <https://pagure.io/SSSD/sssd/issue/1872>`_ - [RFE] Support User Private Groups for main domains, too * `1729 <https://pagure.io/SSSD/sssd/issue/1729>`_ - Enumerating large number of users makes sssd_be hog the cpu for a long time. Detailed Changelog ------------------ * Andreas Schneider (1): * Avoid double semicolon warnings on older compilers * Carlos O'Donell (1): * nss: Fix invalid enum nss_status return values. * Fabiano Fidêncio (21): * CACHE_REQ: Copy the cr_domain list for each request * LDAP: Bind to the LDAP server also in the auth * TOOLS: Double quote array expansions in sss_debuglevel * TOOLS: Call "exec" for sss_debuglevel * LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth * SYSDB: Remove code causing a covscan warning * NSS: Fix covscan warning * CACHE_REQ: Fix typo: cache_reg -> cache_req * TOOLS: Fix typo: exist -> exists * SYSDB: Return EOK in case a non-fatal issue happened * SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set * IPA: Remove sshPublicKey attribute when it's not set * DESKPROFILE: Add checks for user and host category * DESKPROFILE: Harden the permission of deskprofilepath * DESKPROFILE: Soften umask for the domain's dir * DESKPROFILE: Fix the permissions and soften the umask for user's dir * DESKPROFILE: Use seteuid()/setegid() to create the profile * DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir * DESKPROFILE: Set the profile permissions to read-only * PYSSS_MURMUR: Fix [-Wsign-compare] found by gcc * DESKPROFILE: Document it doesn't work when run as unprivileged user * Hristo Venev (1): * providers: Move hostid from ipa to sdap, v2 * Jakub Hrozek (35): * Update the version number to track 1.16.1 development * CONFIG: Add a new option auto_private_groups * CONFDB: Remove the obsolete option magic_private_groups * SDAP: Allow the mpg flag for the main domain * LDAP: Turn group request into user request for MPG domains if needed * SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local * TESTS: Add integration tests for the auto_private_groups option * RESP: Add some missing NULL checks * TOOLS: Add a new sssctl command access-report * SDAP: Split out utility function sdap_get_object_domain() from sdap_object_in_domain() * LDAP: Extract the check whether to run a POSIX check to a function * LDAP: Only run the POSIX check with a GC connection * SDAP: Search with a NULL search base when looking up an ID in the Global Catalog * SDAP: Rename sdap_posix_check to sdap_gc_posix_check * DP: Create a new handler function getAccountDomain() * AD: Implement a real getAccountDomain handler for the AD provider * RESP: Expose DP method getAccountDomain() to responders * NEGCACHE: Add API for setting and checking locate-account-domain requests * TESTS: Add tests for the object-by-id cache_req interface * CACHE_REQ: Export cache_req_search_ncache_add() as cache_req private interface * CACHE_REQ: Add plugin methods required for the domain-locator request * CACHE_REQ: Add a private request cache_req_locate_domain() * CACHE_REQ: Implement the plugin methods that utilize the domain locator API * CACHE_REQ: Use the domain-locator request to only search domains where the entry was found * MAN: Document how the Global Catalog is used currently * IPA: Include SYSDB_OBJECTCATEGORY, not OBJECTCLASS in cache search results * MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type * MAN: Improve enumeration documentation * MAN: Describe the constrains of ipa_server_mode better in the man page * IPA: Delay the first periodic refresh of trusted domains * AD: Inherit the MPG setting from the main domain * SYSDB: Fix sysdb_search_by_name() for looking up groups in MPG domains * SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt * SYSDB: Read the ldb_message from loop's index counter when reading subdomain UPNs * AD: Use the right sdap_domain for the forest root * Lukas Slebodnik (51): * KCM: Fix typo in comments * CI: Ignore source file generated by systemtap * UTIL: Add wrapper function to configure logger * Add parameter --logger to daemons * SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER} * SYSTEMD: Add environment file to responder service files * UTIL: Hide and deprecate parameter --debug-to-files * KCM: Fix restart during/after upgrade * BUILD: Properly expand variables in sssd-ifp.service * SYSTEMD: Clean pid file in corner cases * CHILD: Pass information about logger to children * BUILD: Disable tests with know failures * SPEC: Reduce build time dependencies * sysdb-test: Fix warning may be used uninitialized * responder: Fix talloc hierarchy in sized_output_name * test_responder: Check memory leak in sized_output_name * confdb: Move detection files to separate function * confdb: Fix starting of implicit files domain * confdb: Do not start implicit_files with proxy domain * test_files_provider: Regression test for implicit_files + proxy * SDAP: Fix typo in debug message * Revert "intg: Disable add_remove tests" * libnfsidmap: Use public plugin header file if available * dyndns_tests: Fix unit test with missing features in nsupdate * Remove unnecessary script for upgrading debug_levels * Remove legacy script for upgrading sssd.conf * BUILD: Add missing libs found by -Wl,-z,defs * BUILD: Fix using of libdlopen_test_providers.so in tests * SYSDB: Decrese debuglevel in sysdb_get_certmap * KRB5: Pass special flag to krb5_child * krb5_child: Distinguish between expired & disabled AD user * AD: Suppress warning Wincompatible-pointer-types with sasl callbacks * pysss: Drop unused parameter * pysss: Suppress warning Wincompatible-pointer-types * CRYPTO: Suppress warning Wstringop-truncation * INOTIFY: Fix warning Wstringop-truncation * SIFP: Suppress warning Wstringop-truncation * CLIENT: Fix warning Wstringop-overflow * pysss_murmur: Allow to have NUL character in python bindings * TESTS: Extend code coverage for murmurhash3 * mmap_cache: Remove unnecessary memchr in client code * test_memory_cache: Regression test for #3571 * SPEC: Fix systemd executions/requirements * SPEC: Reduce changes between upstream and downstream * intg: Build with optimisations and debug symbols * intg: Do not prefer builddir in PATH * intg: Install configuration for dbus daemon * intg: Install wrapper for getsockopt * intg: Add sample infopipe test in cwrap env * IPA: Drop unused ifdef HAVE_SELINUX_LOGIN_DIR * IPA: Fix typo in debug message in sssm_ipa_selinux_init * Michal Židek (9): * NSS: Move memcache setup to separate function * NSS: Specify memcache_timeout=0 semantics * MAN: Document memcache_timeout=0 meaning * MAN: GPO Security Filtering limitation * SYSDB: Better debugging for email conflicts * TESTS: Order list of entries in some lists * Revert "BUILD: Disable tests with know failures" * SELINUX: Check if SELinux is managed in selinux_child * util: Add sss\_ prefix to some functions * Niranjan M.R (1): * Initial revision of sssd pytest framework * Pavel Březina (10): * sudo: document background activity * sudo: always use srv_opts from id context * AD: Remember last site discovered * sysdb: add functions to get/set client site * AD: Remember last site discovered in sysdb * dp: use void * to express empty output argument list * dp: add method to refresh access control rules * ipa: implement method to refresh HBAC rules * ifp: add method to refresh access control rules in domain * sssctl: call dbus instead of pam to refresh HBAC rules * René Genz (12): * Fix minor spelling mistakes * README: Add link to docs repo * Fix minor spelling mistakes * Fix minor spelling mistakes in providers/* * Fix minor spelling mistakes in responder/* * Fix minor spelling mistakes in sss_client/* * Fix minor spelling mistakes in tests/cmocka/* * Fix minor spelling mistakes * Fix minor spelling mistakes in tests/* * Fix minor spelling mistakes in tests/multihost/* * Fix minor spelling mistakes in PY files in tests/python/* * Fix minor spelling mistakes and formatting in tests/python/* * Sumit Bose (48): * sss_client: create nss_common.h * nss-idmap: add nss like calls with timeout and flags * NSS: add \*_EX version of some requests * NSS: add support for SSS_NSS_EX_FLAG_NO_CACHE * CACHE_REQ: Add cache_req_data_set_bypass_dp() * nss: make memcache_delete_entry() public * NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE * NSS/TESTS: add unit tests for \*_EX requests * nss-idmap: add timeout version of old sss_nss_* calls * nss-idmap: allow empty buffer with SSS_NSS_EX_FLAG_INVALIDATE_CACHE * p11_child: return multiple certs * PAM: handled multiple certs in the responder * pam_sss: refactoring, use struct cert_auth_info * p11_child: use options to select certificate for authentication * pam: add prompt string for certificate authentication * PAM: allow missing logon_name during certificate authentication * p11_child: add descriptions for error codes to debug messages * pam: filter certificates in the responder not in the child * PAM: add certificate's label to the selection prompt * NSS: Use enum_ctx as memory_context in _setnetgrent_set_timeout() * mmap_cache: make checks independent of input size * sysdb: be_refresh_get_values_ex() remove unused option * sysdb: do not use objectClass for users and groups * sysdb: do not use LDB_SCOPE_ONELEVEL * sysdb: remove IDXONE and objectClass from users and groups * krb5: show error message for krb5_init_context() failures * UTIL: add find_domain_by_object_name_ex() * ipa: handle users from different domains in ipa_resolve_user_list_send() * overrides: fixes for sysdb_invalidate_overrides() * ipa: check for SYSDB_OVERRIDE_DN in process_members and get_group_dn_list * IPA: use cache searches in get_groups_dns() * ipa: compare DNs instead of group names in ipa_s2n_save_objects() * p11_child: make sure OCSP checks are done * nss-idmap: allow NULL result in \*_timeout calls * Revert "p11_child: make sure OCSP checks are done" * p11_child: properly check results of CERT_VerifyCertificateNow * ifp: use realloc in ifp_list_ctx_remaining_capacity() * SDAP: skip builtin AD groups in sdap_save_grpmem() * sysdb: add userMappedCertificate to the index * krb5_child: check preauth types if password is expired * pam_sss: password change with two factor authentication * nss-idmap: check timed muted return code * krb5: call krb5_auth_cache_creds() if a password is available * DESKPROFILE: Fix 'Improper use of negative value' * AD: sdap_get_ad_tokengroups_done() allocate temporary data on state * AD: do not allocate temporary data on long living context * ipa: remove SYSDB_USER_CERT from sub-domain users * ipa: add SYSDB_USER_MAPPED_CERT for certs in idoverrides * Thorsten Scherf (1): * IPA: Fixed subdomain typo * Victor Tapia (1): * WATCHDOG: Restart providers with SIGUSR2 after time drift * amitkuma (3): * cache_req: Correction of cache_req debug string ID format * cache: Check for max_id/min_id in cache_req * MAN: Explain how does auto_private_groups affect subdomains

3 years, 11 months

5
8
0 / 0

Re: Problems setting up replica on Raspberry Pi 3B (ARM)

by Rob Crittenden

Jonathan Vaughn wrote: > Here's the output from ipa-replica-install : > > # ipa-replica-install > WARNING: conflicting time&date synchronization service 'chronyd' will > be disabled in favor of ntpd > > Password for admin(a)COMPANY.INTERNAL: > Run connection check to master > Connection check OK > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). Estimated time: 30 seconds > [1/41]: creating directory server instance > [2/41]: enabling ldapi > [3/41]: configure autobind for root > [4/41]: stopping directory server > [5/41]: updating configuration in dse.ldif > [6/41]: starting directory server > [7/41]: adding default schema > [8/41]: enabling memberof plugin > [9/41]: enabling winsync plugin > [10/41]: configuring replication version plugin > [11/41]: enabling IPA enrollment plugin > [12/41]: configuring uniqueness plugin > [13/41]: configuring uuid plugin > [14/41]: configuring modrdn plugin > [15/41]: configuring DNS plugin > [16/41]: enabling entryUSN plugin > [17/41]: configuring lockout plugin > [18/41]: configuring topology plugin > [19/41]: creating indices > [20/41]: enabling referential integrity plugin > [21/41]: configuring certmap.conf > [22/41]: configure new location for managed entries > [23/41]: configure dirsrv ccache > [24/41]: enabling SASL mapping fallback > [25/41]: restarting directory server > [26/41]: creating DS keytab > [27/41]: ignore time skew for initial replication > [28/41]: setting up initial replication > Starting replication, please wait until this has completed. > Update in progress, 11 seconds elapsed > Update succeeded > > [29/41]: prevent time skew after initial replication > [30/41]: adding sasl mappings to the directory > [31/41]: updating schema > [32/41]: setting Auto Member configuration > [33/41]: enabling S4U2Proxy delegation > [error] NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. > > ipapython.admintool: ERROR cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > ipapython.admintool: ERROR The ipa-replica-install command failed. > See /var/log/ipareplica-install.log for more information > > And here's the /var/log/ipareplica-install.log from just before it fails > to the failure: > > 2018-05-02T00:22:44Z DEBUG [32/41]: setting Auto Member configuration > 2018-05-02T00:22:44Z DEBUG Starting external process > 2018-05-02T00:22:44Z DEBUG args=/usr/bin/ldapmodify -v -f > /tmp/tmpt7bxf4x1 -H ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket > -Y EXTERNAL > 2018-05-02T00:22:45Z DEBUG Process finished, return code=0 > 2018-05-02T00:22:45Z DEBUG stdout=add nsslapd-pluginConfigArea: > cn=automember,cn=etc,dc=company,dc=internal > modifying entry "cn=Auto Membership Plugin,cn=plugins,cn=config" > modify complete > > > 2018-05-02T00:22:45Z DEBUG stderr=ldap_initialize( > ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket/??base ) > SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > > 2018-05-02T00:22:45Z DEBUG duration: 0 seconds > 2018-05-02T00:22:45Z DEBUG [33/41]: enabling S4U2Proxy delegation > 2018-05-02T00:22:45Z DEBUG Traceback (most recent call last): > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 979, in error_handler > yield > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 600, > in modify_s > return self.modify_ext_s(dn,modlist,None,None) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 573, > in modify_ext_s > resp_type, resp_data, resp_msgid, resp_ctrls = > self.result3(msgid,all=1,timeout=self.timeout) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 714, > in result3 > resp_ctrl_classes=resp_ctrl_classes > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 721, > in result4 > ldap_result = > self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) > File "/usr/lib/python3.6/site-packages/ldap/ldapobject.py", line 294, > in _ldap_call > result = func(*args,**kwargs) > ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"} > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 506, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 496, in run_step > method() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 977, in __setup_s4u2proxy > __add_principal('ipa-http-delegation', 'HTTP', self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 973, in __add_principal > api.Backend.ldap2.update_entry(entry) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1028, in error_handler > error=info) > ipalib.errors.NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > > 2018-05-02T00:22:45Z DEBUG [error] NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z DEBUG Destroyed connection context.ldap2_2991558640 > 2018-05-02T00:22:45Z DEBUG Backing up system configuration file > '/etc/ipa/default.conf' > 2018-05-02T00:22:45Z DEBUG Saving Index File to > '/var/lib/ipa/sysrestore/sysrestore.index' > 2018-05-02T00:22:45Z DEBUG File > "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in > execute > return_value = self.run() > File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", > line 319, in run > cfgr.run() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 364, in run > self.execute() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 388, in execute > for _nothing in self._executor(): > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 430, in __runner > exc_handler(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 459, in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 420, in __runner > step() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 417, in <lambda> > step = lambda: next(self.__gen) > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 654, in _configure > next(executor) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 430, in __runner > exc_handler(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 459, in _handle_execute_exception > self._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 517, in _handle_exception > self.__parent._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 514, in _handle_exception > super(ComponentBase, self)._handle_exception(exc_info) > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 449, in _handle_exception > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 420, in __runner > step() > File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", > line 417, in <lambda> > step = lambda: next(self.__gen) > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 81, in run_generator_with_yield_from > six.reraise(*exc_info) > File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise > raise value > File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", > line 59, in run_generator_with_yield_from > value = gen.send(prev_value) > File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", > line 66, in _install > for unused in self._installer(self.parent): > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", > line 622, in main > replica_install(self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 388, in decorated > func(installer) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 1407, in install > pkcs12_info=dirsrv_pkcs12_info) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", > line 110, in install_replica_ds > setup_pkinit=not options.no_pkinit, > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 419, in create_replica > self.start_creation(runtime=30) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 506, in start_creation > run_step(full_msg, method) > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 496, in run_step > method() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 977, in __setup_s4u2proxy > __add_principal('ipa-http-delegation', 'HTTP', self) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line > 973, in __add_principal > api.Backend.ldap2.update_entry(entry) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1572, in update_entry > self.conn.modify_s(str(entry.dn), modlist) > File "/usr/lib/python3.6/contextlib.py", line 99, in __exit__ > self.gen.throw(type, value, traceback) > File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line > 1028, in error_handler > error=info) > > 2018-05-02T00:22:45Z DEBUG The ipa-replica-install command failed, > exception: NetworkError: cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z ERROR cannot connect to > 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket': > 2018-05-02T00:22:45Z ERROR The ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > > Maybe it just is trying to soon and it hasn't fully started yet? Because > now I see that the previous step ALSO shows the URL encoded socket path, > and it worked fine - but it looks like the previous step used > ldapmodify, but the failing step was accessing LDAP from Python? Perhaps > it works fine one way and not the other ? I won't rule it out but I doubt it. Is ns-slapd still running at this point? This could happen, for example, if ns-slapd crashed after enabling the automember plugin. The DS error log might have something to say as well. rob > > On Wed, May 2, 2018 at 3:29 PM, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>> wrote: > > Jonathan Vaughn via FreeIPA-users wrote: > > Yes, I know, not recommended etc, low performance. I'm not going > to run the CA on it. I just want to have a backup LDAP/Kerberos > server. > > Right now I'm just trying to test things out. I've got a master > and a replica (so you could say two masters I suppose) running > in Virtualbox VMs, and I'm trying to set up a 3rd replica on a > Pi. All are Fedors 27. I had to downgrade httpd due to > https://pagure.io/freeipa/issue/7493 > <https://pagure.io/freeipa/issue/7493> to even set up the first > VM replica, but this issue is separate. > > Currently, the problem is it can't connect to it's own LDAP > instance due to some kind of error ... ipa-replica-install > worked fine on the x86_64 VM but on the armv71 Pi 3B when it > tries to connect to LDAPI instead of > using 'ldapi:///var/run//slapd-COMPANY-INTERNAL.socket' it > uses 'ldapi://%2Fvar%2Frun%2Fslapd-COMPANY-INTERNAL.socket'. > > So it seems there is yet another ARM (or non-x86_64) bug ... > similar to the problem with httpd and passing the KRB5CCNAME > properly https://pagure.io/freeipa/issue/7337 > <https://pagure.io/freeipa/issue/7337> > > Any ideas on where to look to patch in a fix to this so it uses > the correct filename? The socket file is there ... and (at the > time it tries) LDAP is running. > > > What makes you think the ldapi URI is the problem? > > Can you share the logs? > > rob > >

3 years, 11 months

4
36
0 / 0

Logon by ssh but not console?

by Bret Wortman

Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost I'm able to log in without issues? And it'll tell me about failed logins for every time I try through GDM or the console. This is on a brand new IPA server I'm setting up using data from our older ones but it's not set up as a replica. -- photo *Bret Wortman* President, Damascus Products LLC 855-644-2783 <tel:855-644-2783> | 303-523-8037 <tel:303-523-8037> | bret(a)damascusproducts.com <mailto:bret@damascusproducts.com> | http://damascusproducts.com/ | 10332 Main St Suite 319 Fairfax, VA 22030 <http://facebook.com/wrapbuddiesco> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies> <https://facebook.com/wrapbuddiesco><https://instagram.com/wrapbuddies>

3 years, 11 months

4
8
0 / 0

CA_UNREACHABLE during ipa-replica-install

by Jan Gardian

Hello, We had two ipa replicas ipa1 with CA and ipa2. Those servers were on Ubuntu 16. I successfully installed ipa3 replica with CA that is running on newer version of IPA and Centos 7. After that I stopped old ipa2 and successfully installed new ipa2 with CA on Centos 7. Lastly I setup CA master to be new ipa2 following https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#P... and turned off old ipa1 server. Problem occurred when I was installing replica with CA to new ipa1 server running at Centos 7. I can successfully install ipa client and create ticket under admin user but when trying to install replica it fails with "ERROR Certificate issuance failed (CA_UNREACHABLE)". Somehow it tries to get certificates during replica install from ipa1 server when it does not have yet httpd installed. I thought it could be problem that certificate was primary created at old ipa1 and we have it signed by our own certificates as well so I created another ipa4 server on Centos 7. And again it crashed at the same point trying to get certificate from itself when it did not have httpd installed yet. OS: CentOS Linux release 7.4.1708 IPA: VERSION: 4.5.0, API_VERSION: 2.228 Attached are logs from ipa client installation and ipa replica installation for ipa4 server. Please ask if you require any different logs. I tried also to follow debugging from https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... but in my case it end earlier because it try to get certificate from itself and does not get to master. This can be also seen in output of command getcert list(in attachement). Thank you for checking. With kind regards, *Ján Gardian* Administrator

3 years, 12 months

5
13
0 / 0

Odd - random failed from PAM?

by Kat

Hi all - Here is an odd one. I have a group of userIDs that login via SSH keys (stored in .ssh/authorized_keys and NOT in IPA) to a system enrolled in IPA of course. Actually all the systems are enrolled in IPA, so that should be a given. Environment - RHEL 7.4 or 7.5 with current IPA on all. Even tried adding the SSH pubkey to IPA to see if there was any difference, but still just as random. 2 IPA servers in the environment -- checked and double-checked for SYNC - although with the key in the local file, I would think sync would not be an issue, but just figured I would mention. Now for the explanation - most of the time, logins work just fine - but randomly, they fail with errors as shown - and I just enabled debug_level = 7, so hopefully will have more info, but just wondering if anyone has any ideas where to start looking that might cause the randomness. The odd part - I have never been able to repeat this with my own account, and never seen a failure personally, only relying on logs. In some cases, it is only a few seconds later that the operation fails, and then 15-20 seconds later, it works again.: May 30 20:55:21 grover1-prod sshd[73862]: Accepted publickey for blahblahusername from 10.1.5.253 port 45650 ssh2: RSA SHA256:8D1E+mNqphs3bNxH28JYYpkzM9MeWcr7v8 May 30 20:55:21 grover1-prod sshd[73862]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 30 20:55:21 grover1-prod sshd[73862]: pam_unix(sshd:session): session closed for user blahblahusername May 30 21:00:06 grover1-prod sshd[87570]: pam_sss(sshd:account): Access denied for user blahblahusername: 4 (System error) May 30 21:00:06 grover1-prod sshd[87570]: fatal: Access denied for user blahblahusername by PAM account configuration [preauth] May 30 23:21:10 grover1-prod sshd[1083]: Accepted publickey for blahblahusername from 10.1.5.253 port 40802 ssh2: RSA SHA256:8D1E+mNqphs3bNxH28JYYpkzM9MeWcr7v8 May 30 23:21:10 grover1-prod sshd[1083]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 30 23:21:10 grover1-prod sshd[1083]: pam_unix(sshd:session): session closed for user blahblahusername May 30 23:21:10 grover1-prod sshd[1137]: Accepted publickey for blahblahusername from 10.1.5.253 port 40804 ssh2: RSA SHA256:8D1E+mNqphs3bNxH28JYYpkzM9MeWcr7v8 May 30 23:21:10 grover1-prod sshd[1137]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 30 23:21:10 grover1-prod sshd[1137]: pam_unix(sshd:session): session closed for user blahblahusername May 31 02:00:06 grover1-prod sshd[3982]: pam_sss(sshd:account): Access denied for user blahblahusername: 4 (System error) May 31 02:00:06 grover1-prod sshd[3982]: fatal: Access denied for user blahblahusername by PAM account configuration [preauth] May 31 02:56:46 grover1-prod sshd[89318]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=bastionp1.example.com user=blahblahusername May 31 02:56:47 grover1-prod sshd[89315]: Accepted keyboard-interactive/pam for blahblahusername from 10.1.3.18 port 42302 ssh2 May 31 02:56:47 grover1-prod sshd[89315]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 31 03:21:35 grover1-prod sshd[89315]: pam_unix(sshd:session): session closed for user blahblahusername May 31 03:24:53 grover1-prod sshd[50179]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=bastionp1.example.com user=blahblahusername May 31 03:45:42 grover1-prod sshd[6121]: Accepted keyboard-interactive/pam for blahblahusername from 10.1.3.18 port 42422 ssh2 May 31 03:45:42 grover1-prod sshd[6121]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 31 03:53:54 grover1-prod sshd[25509]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=bastionp1.example.com user=blahblahusername May 31 03:53:55 grover1-prod sshd[25506]: Accepted keyboard-interactive/pam for blahblahusername from 10.1.3.18 port 42474 ssh2 May 31 03:53:55 grover1-prod sshd[25506]: pam_unix(sshd:session): session opened for user blahblahusername by (uid=0) May 31 05:58:04 grover1-prod sshd[6121]: pam_unix(sshd:session): session closed for user blahblahusername May 31 06:55:24 grover1-prod sshd[25506]: pam_unix(sshd:session): session closed for user blahblahusername May 31 06:55:24 grover1-prod sshd[50177]: pam_unix(sshd:session): session closed for user blahblahusername Any ideas where I might start looking?

3 years, 12 months

2
1
0 / 0

concept at migration of http://server.com/ipa/migration

by barrykfl＠gmail.com

Hi all: After I migrated to new Servers .using migrateds command..I used server.com:389 connect and embedded in 3 rd opensource. I found user can login successfully ...but the http://server.com/ipa/ui cannot ... user have to use http://server.com/ipa/migration then can success login the UI. So what are the difference is these password migration ? actually at 3 rd part opensource user use ldap password login successfully but the UI fail..

3 years, 12 months

4
7
0 / 0

[BLOG] Replacing a lost or broken CA in FreeIPA

by Fraser Tweedale

My latest blog post looks at how to clean up and install a *new* CA within an existing FreeIPA deployment. This handles scenarios were a CA installation has failed, or the original CA has been lost (e.g. all CA replicas decommissioned). Enjoy! As usual, I am keen for whatever feedback or questions you might have. https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-l... Thanks, Fraser

3 years, 12 months

2
1
0 / 0

Are freeipa kerberos account and freeipa user ldap account two differenct things?

by barrykfl＠gmail.com

I used the following command trsnafere acc/group from 3.0 -4.0 successfuly ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://abc.cde.com BUT not all users transfer Kerberos account http://abc.cde.com/ipa/migration The strange is that I use abc.cde.com:389 in some 3rd party apps it can still read all users 's passwords. SO kerberos account and ldap accounts are different things ? LDAP passwords success transferred? I no need to askall users to http://abc.cde.com/ipa/migration change right ? the Admin UI only need admin to launch .. Regards Barry

3 years, 12 months

1
0
0 / 0

FreeIPA 4.6.3 on CentOS 7.5?

by Zak Wolfinger

Is it possible to run FreeIPA 4.6.3 on CentOS 7.5 (build 1804)? It appears to me that 4.6.3 is only available in the Fedora COPR repo. Can anyone direct me to instructions on getting it going on CentOS 7.5.1804? Cheers, Zak Wolfinger Infrastructure Engineer | Emma® zak.wolfinger(a)myemma.com <mailto:zak.wolfinger@myemma.com> 800.595.4401 or 615.292.5888 x197 615.292.0777 (fax) Emma helps organizations everywhere communicate & market in style. Visit us online at www.myemma.com <http://myemma.com/?utm_source=%20EmmaSignatures&utm_medium=%20email&utm_c...>

3 years, 12 months

3
2
0 / 0

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2018