I do not suppose it is possible, but would be great to get absolute
clarification - AD trust cannot be established, but even if it can be,
then it cannot work later at all, if Samba is not under IPA's rule -
correct? It simply is not possible, right?
many thanks, L
I need to setup a freeIPA replica and not sure which is the best and more
I found a few people preparing the replica from the server, others just
installing the replica on another machine with the appropriate
I and Stanislav have been setting up Travis CI for the
repository. We now run docker build operations for pull requests
and commits, and I've been trying to add docker run tests as well.
Example Travis build
seems to pass on CentOS and rawhide images but fails on other Fedoras.
All the failures are in the
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[error] RuntimeError: CA configuration failed.
step. I remember that due to the way systemd was handling KEYRING
operations, seccomp:unconfined was one of the things that has been
causing issues in our tests on Fedora hosts. Running
in Travis CI shows that it's running 17.09.0-ce and there are no
Security Options listed, unlike on my Fedora 28's
docker-1.13.1-59.gitaf6b32b.fc28.x86_64 which has
Are there people around with Ubuntu knowledge who could check what
the docker 17.09.0-ce behaviour on that system is and if seccomp can
somehow be tweaked?
Senior Principal Software Engineer, Security Engineering, Red Hat
I have a question about the best practice use of FreeIPA with trust AD
and/or sync relationship from winsync users.
To set up an SMB file sharing service via Samba, would you advise to
integrate it in the IPA realm or in the AD domain?
Both are possible, but why one more than the other? In terms of file
access performance (metadata, ACLs, etc.) managed via the SMB protocol,
isn't there a drawback related to Samba in the IPA realm to serve users
who use a Windows client?
do you have the same response arguments in the case of a sync between AD
I have a synology NAS which hosts some SMB shares on my network. I would
like to be able to use FreeIPA as the LDAP provider it checks against for
authenticating these shares. I have a system user that I created in
FreeIPA for this purpose.
I configured the NAS to connect to my FreeIPA server for LDAP, but I get a
message about a failure to access some users' NT passwords and how the Samba
service may not work for these users. It also says it could be either a
lack of NT passwords for the users or insufficient privileges to access
them. After chatting with Synology support they wanted me to enable CIFS
plaintext password authentication. However, if I select that option it
gives me a warning about the share not being able to be the remote mount
target of CIFS anymore due to SMB being set to v1 only and disabling the
SMB related Bonjour service. If the system user doesn't have the needed
privileges, how can I fix that since I can't enroll the NAS?
BYU Dept. of Chemistry and Biochemistry
I changed the password of AD users.
I can't log in on IPA servers with the new password, but can with the old one. Why?
I tried restarting IPA services and reinitializing the trust, but it didn't help.
Best regards, Nikolay.
I've got a system (probably more than one) where I've got clients who
aren't able to bring up SSSD due to this error, as seen in "journalctl -xe".
I've tried unenrolling & re-enrolling. I've tried unenrolling,
uninstalling, reinstalling ipa-client, and re-enrolling. I've tried
unenrolling, deleting the host records from the IPA server, then
re-enrolling. I've tried reinstalling SSSD. None have changed the
behavior at all.
Does anyone know what this error refers to or is caused by?
Founder, Damascus Products, LLC
I would like to use public key authentication in my FreeIPA setup for the users coming from the AD domain. I have everything set up correctly, public key authentication works great aside from one edge case that may render this setup unacceptable. When I lock an AD account (I test this by logging in with the wrong password more than the allowed number of times), the user in question still can access FreeIPA managed hosts via public key authentication.
According to the information I found regarding this behaviour - https://bugzilla.redhat.com/show_bug.cgi?id=973451 - this is a desired behaviour (it's not a bug, it's a feature). Still, it's not the configuration I am happy about :).
Has anything changed since this bug was closed?
Is there a way FreeIPA supports preventing users who are for whatever reason locked in AD from accessing FreeIPA-managed hosts?
If this is not currently supported by default, maybe someone could point me to a way I could implement this myself? I am thinking of checking if the user is locked in AD, hopefully by looking at his/her LDAP attributes in the 389 DS server in FreeIPA if such attributes exist, then removing any public keys that are present in the Default Trust View for this user. At this point I do not know if it is possible, it is just an idea.
I would really appreciate your help.
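One way to build the check the poster describes, as an added example that is not from the thread or the FreeIPA project: decide from an AD user's own LDAP attributes (userAccountControl and lockoutTime, which live on the AD side, not in IPA's 389 DS) whether the account is disabled or currently locked out, and produce the `ipa idoverrideuser-mod` invocation that would clear the SSH keys in the user's ID override. The lockout duration is assumed to come from the domain's password policy; the entries and the 30-minute policy below are constructed.

```python
"""Added example: flag AD accounts that should lose SSH public keys in an
IPA ID view. Attribute names are those used by Active Directory; the
lockout duration is an assumed policy value supplied by the caller."""
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account disabled
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    # AD stores lockoutTime as 100 ns intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Exact integer conversion (used here to construct sample entries).
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def account_blocked(entry, now, lockout_duration):
    """Return 'disabled', 'locked' or None for an AD user entry.

    entry: dict of attribute name -> string value as returned by LDAP.
    A lockoutTime of 0 means never locked; a non-zero value only counts
    while it is younger than the domain's lockout duration.
    """
    uac = int(entry.get("userAccountControl", "0"))
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    lockout = int(entry.get("lockoutTime", "0"))
    if lockout and now - filetime_to_datetime(lockout) < lockout_duration:
        return "locked"
    return None


def clear_keys_command(principal, view="Default Trust View"):
    """argv for the ipa CLI call that clears sshpubkey on the override.
    Returned, not executed, so an operator can review it first."""
    return ["ipa", "idoverrideuser-mod", view, principal, "--sshpubkey="]


def plan(entries, now, lockout_duration):
    """Map each blocked principal to the command that would remove its keys."""
    return {p: clear_keys_command(p) for p, e in entries.items()
            if account_blocked(e, now, lockout_duration)}
```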