December 2019 - FreeIPA-users - Fedora Mailing-Lists

by S Toulmonde

Hello all! I'm migration our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to Windows. Previously, all users were their shortname because we replicated AD users to LDAP. Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine for rhel7+ because sssd can do multi-domain search and thus allow me to use shortname instead of user+domain. My issue is on the rhel6 servers: sssd there is 1.13.3, so multi-domain isn't available... Which is a bummer for me because we have 1000+ rhel6 servers and this is going to be a pain to have sometimes longnames, sometimes shortnames. Has anyone work around this already? I considered my options: - Try to use sssd proxy - Try sss_override - Write a plugin for sssd to search to IPA's idoverride and return a match - Sob in front of an IPA at a pub :) Thanks for your inputs!

5 hours, 39 minutes

3
2
0 / 0

FreeIPA - EL8 - smart card login

by Winfried de Heiden

Running FreeIPA 4.7.1, on CentOS 8, I configured IPA-server to use smartcard login follwoing https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/... I configured a CentOS 8 machine to use smartcard-login. After configuring the IPA-client, running the scripts produced by ipa-advise will show an error: ./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt ~ ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.". Systemwide CA database updated. Systemwide CA database updated. The ipa-certupdate command was successful Logging in a Yubikey 5 works fine. The error is caused by this line: echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so Now, what going on here and can this error really be ignored? Is it worth to create a Bugzilla? Same error also aoocurs on a fresh RHEL 8.1 machine. Winfried

10 hours, 48 minutes

2
1
0 / 0

Anyone using FreeIPA/IdM and MicroFocus Network Automation ?

by White, Daniel E. (GSFC-770.0)[NICS]

Despite the fact that we selected "Generic LDAP" rather than "Active Directory", it is still looking for Security Groups and Organization Units. Thanks. ______________________________________________________________________________________________ Daniel E. White daniel.e.white(a)nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290

1 day, 7 hours

2
12
0 / 0

How to determine when host last checked in?

by Master Blaster

In large orginizations, hosts can sometimes be retired without following procedures, etc, which leaves host objects in FreeIPA for hosts that no longer exist. Is there anyway to see when a host last checked in with FreeIPA? One could then delete host objects which haven't connected in say 30/60/90 days.

1 day, 7 hours

3
4
0 / 0

have users reset password

by Johan Vermeulen

Hello All, so we have some 200 laptops who are ipa-clients. At the moment the only way for the users on these laptops to reset their passwords is to wait until the password expires. Than they get a message on the login screen and they can reset the password. I would like to have an alternative method. Have them login to the Freeipa server is the obvious, but here they see too much information, like all the users. Is there another way to have users reset their passwords? Many thanks, J.

1 day, 10 hours

4
4
0 / 0

/var/log/pki/pki-tomcat/ca/debug

by Ronald Wimmer

I cannot remember to have set anything to "debug" regarding CA. Nevertheless, these files are growing continuously: -rw-r-----. 1 pkiuser pkiuser 1.6G Dec 10 09:15 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 303M Dec 10 09:16 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 298M Dec 10 09:17 /var/log/pki/pki-tomcat/ca/debug -rw-r-----. 1 pkiuser pkiuser 5.9G Dec 10 09:16 /var/log/pki/pki-tomcat/ca/debug Where can I turn off debug mode? Cheers, Ronald

1 day, 15 hours

2
1
0 / 0

Crontab not being allowed when using FreeIPA, so what is purpose of crond HBAC service?

by Jones, Bob (rwj5d)

Hello all, We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform a hbactest it shows users have access granted. On the local system, we have the /etc/cron.allow file that just lists user root. I have also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command, they get the following message: You (user(a)ipa.domain.com) are not allowed to use this program (crontab) See crontab(1) for more information If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command. If you read the man page for crontab this is the correct described behavior in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are: 1. Is this the expected behavior for users in IPA that are granted access to the crond service? 2. If so, what is the purpose of the crond service in IPA? 3. Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files? Pertinent version details: IPA servers on RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231 sssd version 1.16.4 389 directory server version 1.3.9.1-10 Clients on CentOS/RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231 sssd version 1.16.4 Thanks, — Bob Jones Lead Linux Services Engineer ITS ECP - Linux Services

2 days, 4 hours

1
0
0 / 0

ipa-healtcheck: IPACertfileExpirationCheck, IPACertmongerExpirationCheck

by Alex Corcoles

Hi, I've been running ipa-healthcheck for a while and this morning I started to get a few failures: { "source": "ipahealthcheck.ipa.certs", "kw": { "msg": "Request id 20180929065627 expires in 27 days", "expiration_date": "20200104123511Z", "days": 27, "key": "20180929065627" }, "uuid": "02af62dc-ac2c-48a6-951f-884e119be9a7", "duration": "0.046374", "when": "20191208113322Z", "check": "IPACertmongerExpirationCheck", "result": "WARNING" }, { "source": "ipahealthcheck.ipa.certs", "kw": { "msg": "Request id 20180929065620 expires in 27 days", "expiration_date": "20200104123511Z", "days": 27, "key": "20180929065620" }, "uuid": "ce377ee1-6f8a-4921-9c33-01c6d82e91ff", "duration": "0.148693", "when": "20191208113323Z", "check": "IPACertfileExpirationCheck", "result": "WARNING" }, I get a pair of these for a couple of certs. Should WARNING results be ignored (because those should be renewed automatically, perhaps?)? I was running --failures-only, but perhaps I should run --severity CRITICAL,ERROR for monitoring? Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

2 days, 13 hours

2
2
0 / 0

AD trust CIFS server communication error

by Pontus Bramberg

Hello, When running "ipa trust-add --two-way=true --type=ad ad.domain --admin Administrator --password" I am prompted for AD Administrator password. A few moments after entering the password I receive the following error: ipa: ERROR: CIFS server communication error: code "3221225653", message "{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired." (both may be "None") I have verified functioning dns and ability to reach servers (two AD DC on Windows Server 2008 R2, forest functional level 2003 (can't be upgraded due to legacy servers still in use on other forest domain)) in both directions and have also tried disabling all firewalls. dnaRemainingValues is 199994. Any help would be greatly appreciated!

3 days, 11 hours

1
0
0 / 0

FreeIPA/IdM versions on RHEL8

by Vinícius Ferrão

Hello, this is probably a comercial question and not a technical one, but I’m curious about it. As today RHEL8 ships with FreeIPA (IdM) 4.7. The latest release is 4.8 with some interesting features. Since RHEL8 is still fresh, there’s any rebase to a higher version on the map? I see that IdM is now on AppStream: https://access.redhat.com/support/policy/updates/rhel8-app-streams-life-c... so I’m guessing that 4.8 will hit AppStream sooner or later. The point is: is this real or just speculation? I wasn’t able to find a roadmap on this specific issue. Is there anyone available that I can consult? Thanks.

5 days, 7 hours

3
3
0 / 0

2019

2018

2017

FreeIPA-users December 2019