I have managed to log in to an IPA client with a non-existent user.
My AD user is z123456(a)addomain.mydomain.at and I have created a similar
user called i123456(a)ipadomain.mydomain.at. What happened now is that I
could log in with the i-user, and what I get to see after logging in is this:
[email@example.com(a)as12314 ~]$ id
[firstname.lastname@example.org(a)as12314 ~]$ whoami
The user i123456(a)addomain.mydomain.at does NOT exist.
addomain is set as default domain in the client's sssd.conf.
What is wrong here? Are things just displayed wrong or could it be more?
Which files do you need in order to analyze this issue?
With IPA replication on a "publicly" exposed network, what IPA (and
related) services/ports, if any, can be closed? What is the bare
minimum that needs to stay open so replication cannot be harmed?
No IPA clients in traditional sense, except for DNS, on that "public" net.
many thanks, L.
Would a subdomain on a separate subnet (from which nodes do not have
access to IPA's IPs), to which IPA is connected via "secondary" interfaces,
have clients successfully install and connect?
I've crafted a subdomain/zone with, I think, all the records required,
and those point to IPA's "secondary" IPs, and when I install clients they
Do you want to download the CA cert from
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Joining realm failed: libcurl failed to execute the HTTP POST
transaction, explaining: Problem with the SSL CA cert (path? access
Installation failed. Rolling back changes.
Still the same client:
$ curl http://ipa2.subdomain.private.freeipa/ipa/config/ca.crt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>301 Moved Permanently</title>
<p>The document has moved <a
That host in the returned URL above is where the IPA top domain lives, but nodes
on the subnet cannot access it.
Does this fail by design, so what I'm trying will not work? Or is it doable
and I'm only missing something?
If that is how IPA currently works (or rather doesn't), then is this
something that may get included/fixed in the future?
many thanks, L.
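The join failure above is the client installer fetching /ipa/config/ca.crt, receiving a 301 and following it to a host the subnet cannot reach. The script below is an added example, not code from this thread or from FreeIPA: it issues the same GET via http.client, which never follows redirects, so the redirect target is reported instead of silently chased. The hostnames and the sample response are constructed placeholders modelled on the curl output quoted above.

```python
"""Diagnose the ca.crt fetch that ipa-client-install performs.

Added example, not code from the thread or from FreeIPA. Hostnames are
constructed placeholders; the sample 301 is modelled on the curl output
quoted in the thread.
"""
import http.client
from urllib.parse import urlsplit

CA_CERT_PATH = "/ipa/config/ca.crt"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(requested_host: str, status: int, headers: dict):
    """Return (verdict, redirect_host) for the installer's CA cert GET.

    A redirect to a host other than the one asked is the failure mode from
    the thread: the installer follows it, and if that host is unreachable
    from the client's subnet the realm join fails.
    """
    if status == 200:
        return "ok", None
    if status in REDIRECT_CODES:
        location = headers.get("location")
        if not location:
            return "redirect-without-location", None
        target = urlsplit(location).hostname or requested_host
        if target.lower() != requested_host.lower():
            return "redirect-to-other-host", target
        return "redirect-same-host", target
    return "unexpected-status", None


def probe_ca_cert(host: str, port: int = 80, timeout: float = 5.0):
    """Live probe against a real server: GET the CA cert, no redirect following."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CA_CERT_PATH)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(host, resp.status, headers)
    finally:
        conn.close()


# Constructed response modelled on the curl output in the thread; the
# Location host stands in for the (unreachable) top-domain IPA server.
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://ipa1.private.freeipa/ipa/config/ca.crt\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<title>301 Moved Permanently</title>\n"
)


def diagnose_sample():
    """Run the classifier over the constructed response, offline."""
    status, headers, _ = parse_http_response(SAMPLE_301)
    return classify("ipa2.subdomain.private.freeipa", status, headers)


if __name__ == "__main__":
    print(diagnose_sample())
```

Run `probe_ca_cert("ipa2.subdomain.private.freeipa")` from the affected subnet to see the same verdict against the live server. Independently of the redirect, the "INSECURE" prompt is avoidable: ipa-client-install accepts `--ca-cert-file` to take the CA certificate from a file delivered out of band, so the HTTP fetch never happens.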
On one of 3 IPA servers (most recent centos 7.6, 4.6.4-10.el7.centos.6) I can’t delete hosts. error_log shows a bunch of python errors, ending in
[Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Aug 28 15:59:11.634240 2019] [:error] [pid 18035] ret = self.run(*args, **options)
[Wed Aug 28 15:59:11.634246 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Wed Aug 28 15:59:11.634252 2019] [:error] [pid 18035] return self.execute(*args, **options)
[Wed Aug 28 15:59:11.634258 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1657, in execute
[Wed Aug 28 15:59:11.634264 2019] [:error] [pid 18035] **options)
[Wed Aug 28 15:59:11.634270 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1502, in _ca_search
[Wed Aug 28 15:59:11.634277 2019] [:error] [pid 18035] ra = self.api.Backend.ra
[Wed Aug 28 15:59:11.634283 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 339, in __getattr__
[Wed Aug 28 15:59:11.634289 2019] [:error] [pid 18035] raise AttributeError(repr(key) + ' ' + repr(self))
[Wed Aug 28 15:59:11.634295 2019] [:error] [pid 18035] AttributeError: 'ra' <ipalib.plugable.APINameSpace object at 0x7f16bdf4fa10>
(I modified the error to give more info, but without getting much useful.)
Any idea what’s going on? It looks like self.api.Backend doesn’t have ra set. It would take quite a while for me to find out where it’s supposed to be set.
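IPA's httpd error_log writes every traceback line as its own record with a "[timestamp] [:error] [pid N]" prefix, so the frames of one traceback have to be regrouped by pid before the failing frame and the exception can be read off. The parser below is an added example, not code from this thread or from FreeIPA; its sample input is the traceback quoted above, reassembled with the missing leading "[" on the first line, and the `ipaserver/` path prefix it uses to pick out the innermost IPA frame is an assumption taken from those same lines.

```python
"""Reassemble Python tracebacks from an Apache/mod_wsgi error_log.

Added example, not code from the thread or from FreeIPA. SAMPLE_LOG is the
traceback quoted in the thread; the path prefix in innermost_own_frame()
is an assumption taken from those lines.
"""
import re

RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
FRAME = re.compile(
    r'^File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$')
# The final line of a traceback: an exception class name, a colon, the message.
EXCEPTION = re.compile(r"^(?P<name>[A-Za-z_][\w.]*): (?P<text>.*)$")

SAMPLE_LOG = """\
[Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Aug 28 15:59:11.634240 2019] [:error] [pid 18035] ret = self.run(*args, **options)
[Wed Aug 28 15:59:11.634246 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Wed Aug 28 15:59:11.634252 2019] [:error] [pid 18035] return self.execute(*args, **options)
[Wed Aug 28 15:59:11.634258 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1657, in execute
[Wed Aug 28 15:59:11.634264 2019] [:error] [pid 18035] **options)
[Wed Aug 28 15:59:11.634270 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 1502, in _ca_search
[Wed Aug 28 15:59:11.634277 2019] [:error] [pid 18035] ra = self.api.Backend.ra
[Wed Aug 28 15:59:11.634283 2019] [:error] [pid 18035] File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 339, in __getattr__
[Wed Aug 28 15:59:11.634289 2019] [:error] [pid 18035] raise AttributeError(repr(key) + ' ' + repr(self))
[Wed Aug 28 15:59:11.634295 2019] [:error] [pid 18035] AttributeError: 'ra' <ipalib.plugable.APINameSpace object at 0x7f16bdf4fa10>
"""


def group_tracebacks(lines):
    """Yield one dict per completed traceback, grouping frames by pid.

    Source lines echoed between frames ("ret = self.run(...)") match neither
    regex and are skipped; the exception line closes the traceback.
    """
    open_tbs = {}  # pid -> frames collected so far
    for line in lines:
        m = RECORD.match(line.rstrip("\n"))
        if not m:
            continue
        pid, msg = m["pid"], m["msg"].strip()
        frame = FRAME.match(msg)
        if frame:
            open_tbs.setdefault(pid, []).append(
                (frame["file"], int(frame["line"]), frame["func"]))
            continue
        exc = EXCEPTION.match(msg)
        if exc and pid in open_tbs:
            yield {
                "pid": pid,
                "frames": open_tbs.pop(pid),
                "exception": exc["name"],
                "message": exc["text"],
            }


def innermost_own_frame(tb, prefix="/usr/lib/python2.7/site-packages/ipaserver/"):
    """Deepest frame inside the server's own code (assumed path prefix)."""
    for frame in reversed(tb["frames"]):
        if frame[0].startswith(prefix):
            return frame
    return None


def parse_sample():
    """Parse the constructed sample and return the single traceback found."""
    tbs = list(group_tracebacks(SAMPLE_LOG.splitlines()))
    return tbs[0] if len(tbs) == 1 else None


if __name__ == "__main__":
    tb = parse_sample()
    print(tb["exception"], tb["message"])
    print("raised from", innermost_own_frame(tb))
```

On the sample, the innermost IPA frame is `cert.py:_ca_search`, which is where `self.api.Backend.ra` is looked up; `api.Backend.ra` is IPA's RA interface to the Dogtag CA, and whether it is registered is governed by the server's own configuration, so `/etc/ipa/default.conf` (the `enable_ra` and `ra_plugin` settings) is the first thing to compare between the working servers and the failing one.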
Maybe I am confused, but apparently I do not have to activate/modify
host-based access control in FreeIPA to support Kerberos for NFS. HBAC
is not mentioned on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Is this correct?
Would you recommend setting up weak crypto for NFS? I still have a
few Centos 5 hosts, but they are supposed to be retired in the near
FreeIPA is version 4.6.4, running on CentOS 7.6.
Every helpful comment is highly appreciated.
Is there any automated or programmatic manner in which a DNS zone could
be populated (or created) with all the necessary records, when one needs
a DNS subdomain with/on a separate subnet?
many thanks, L.
I'm setting up FreeIPA along with Samba, and currently I'm running into an
issue with the ipasam module: if I use Samba 4.9.X everything works as
expected, while after upgrading to 4.10.X, Samba fails to load ipasam. Since
ipasam.so comes from ipa-server-trust-ad, I'm linking it to the samba
- Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr/local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS
Is there a way of compiling a compatible version of ipasam with samba
I'm running CentOS 7.6.1810 with FreeIPA 4.6.4.
I followed the instructions from this page (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-cus...) to create User Certificates.
While testing I noticed that when I create a User Cert for an account, the SSH keys stopped working for that same account.
I was hoping to have both SSH keys and User Certificates.
Is this a bug, a feature or is there some setting that I'm missing?