macOS-X bound to freeIPA - mkhomedir
by Grant Janssen
I’ve been running a number of Macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make a home directory when one doesn’t exist.
Without a home directory, a user logs in, the beachball spins forever and the user never gets a desktop because there is no user home directory.
"createhomedir -c -a" functions (on most systems), but I’d rather not run this in cron.
Has anyone found the PAM secret to have this function like mkhomedir on a CentOS host?
CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$
I wish there were an authconfig on os-x
- grant
This e-mail and any attachments are intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified any dissemination, distribution or copying of this email and any attachments is strictly prohibited. If you receive this email in error, please immediately notify the sender by return email and permanently delete the original, any copy and any printout thereof. The integrity and security of e-mail cannot be guaranteed.
3 years, 3 months
LDAP client problem after upgrade to 4.8.7
by Avi White
Hello.
I'm experiencing an LDAP client problem on CentOS 7 after upgrade of the FreeIPA server from CentOS 8.2 (FreeIPA 4.8.4) to 8.3 (FreeIPA 4.8.7).
Here is what I was able to find. During login, nslcd on client performs LDAP bind using credentials provided by user. Here are the nslcd debug logs:
against 4.8.4 server, working:
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa2.my.org")
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_result(): uid=myuser,cn=users,cn=compat,dc=my,dc=org
nslcd: [8b4567] <authc="myuser"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="myuser"> DEBUG: bind successful
against 4.8.7 server, not working:
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_simple_bind_s("uid=myuser,cn=users,cn=compat,dc=my,dc=org","***") (uri="ldap://ipa3.my.org")
nslcd: [b0dc51] <authc="myuser"> ldap_result() failed: No such object
nslcd: [b0dc51] <authc="myuser"> uid=myuser,cn=users,cn=compat,dc=my,dc=org: lookup failed: No such object
nslcd: [b0dc51] <authc="myuser"> DEBUG: ldap_unbind()
I attempted to replicate what nslcd does using ldapsearch, and I could not find any difference between output from 4.8.4 and 4.8.7. I can bind as my user and run queries. I also checked the changelog between these server versions and could not find anything suspicious. Any suggestions how to deal with this? Thanks.
3 years, 3 months
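What nslcd does at login, according to the debug log in the post above, is StartTLS, a simple bind as the user against the compat-tree DN, and then a base-scope read of that same DN; it is that read which fails with "No such object" on the 4.8.7 server. The following is an added example written for this page (not code from the post or from nslcd) that builds and runs the equivalent ldapsearch so the failure can be reproduced outside nslcd. The server URI and DNs are constructed placeholders; ldapsearch's exit status is the LDAP result code of the operation that failed, which is what the mapping below relies on.

```python
"""Reproduce nslcd's PAM authc sequence by hand: StartTLS (-ZZ), simple bind
as the user (-D/-W), then a base-scope read of the same DN (-b ... -s base).
Added example; host names and DNs are constructed placeholders."""
import shlex
import subprocess
from typing import List, Optional

# ldapsearch exits with the LDAP result code of the operation that failed.
LDAP_RESULT = {
    0: "bind and base read succeeded (nslcd would log: bind successful)",
    32: "bind accepted, but the entry is not readable as this identity "
        "(nslcd would log: lookup failed: No such object)",
    49: "invalid credentials: the simple bind itself was rejected",
}


def build_bind_check(uri: str, bind_dn: str, base_dn: Optional[str] = None) -> List[str]:
    """argv for ldapsearch mirroring nslcd: force StartTLS, bind as bind_dn,
    then read base_dn (defaults to the bind DN, exactly what nslcd does)."""
    base_dn = base_dn or bind_dn
    return ["ldapsearch", "-ZZ", "-H", uri, "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "base", "(objectClass=*)", "dn", "uid"]


def explain(rc: int) -> str:
    """Translate the exit status into the message nslcd would have produced."""
    return LDAP_RESULT.get(rc, f"ldapsearch exited {rc}; rerun with -d 1 for the wire-level trace")


def run_bind_check(uri: str, bind_dn: str, base_dn: Optional[str] = None) -> str:
    """Execute the reproducer. Needs a live server and prompts for the password."""
    rc = subprocess.run(build_bind_check(uri, bind_dn, base_dn),
                        stdout=subprocess.DEVNULL).returncode
    return explain(rc)


if __name__ == "__main__":
    # Constructed placeholders: substitute the real server and compat-tree DN.
    uri = "ldap://ipa.example.test"
    user_dn = "uid=alice,cn=users,cn=compat,dc=example,dc=test"
    print(shlex.join(build_bind_check(uri, user_dn)))
    print(run_bind_check(uri, user_dn))
    # Same read as Directory Manager, to tell "entry hidden from this bind
    # identity" apart from "entry absent from the compat tree".
    print(run_bind_check(uri, "cn=Directory Manager", base_dn=user_dn))
```

Run it twice: once binding as the user, once as Directory Manager reading the same user DN. If the administrative read succeeds while the user's read returns 32, the compat entry exists but is not visible to the identity that just bound (389-ds answers noSuchObject for entries the bound identity is not allowed to read), which is a different problem from the entry not being in the compat tree at all.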
FreeIPA with containers
by Kevin Vasko
Hello,
We have our NFS servers kerberized, which requires a ticket to be able to access the NFS share. We also have a GPU cluster where people get to launch docker containers to complete work. Unfortunately, within the container users can’t access the NFS share even though it's mapped on the host machine and in the container, because they don’t have a ticket within the container.
So what are my options to deal with this? Would building a container that, when it starts up, automatically enrolls itself into FreeIPA be the best solution? As a test I tried to enroll the container in one of our test containers and freeipa-client-install complained that pid 1 wasn’t being run by systemd; not quite sure how to get around that. However, even if this was accomplished, could enrolling 100s or 1000s of containers cause an issue for FreeIPA? Most of these would be fairly short lived (a few days to weeks). At that point I would need to go manually clean up all of the enrolled machines.
The other and less optimal solution would be to use a non-kerberized NFS share and pass through the uid/gid from the host, but with this solution users would know their own UID/GID in the container but wouldn’t know who owns what in the container, because they would have nothing to tell them in the container what UID/GID is associated with what account, so it might get confusing.
I’m really just looking for any suggestions on what other people have done. I’m not even sure if what I’m doing is the right approach at all and I should be doing something totally different. Are there any other solutions/suggestions that people have used to operate with FreeIPA along with docker containers?
-Kevin
3 years, 3 months
"missing attribute sn" error on migration
by Jacquelin Charbonnel
Hi everyone,
To create a nice new proper domain in CentOS 8 (with a new name and so on), I use
"ipa migrate-ds" on a freshly installed CentOS 8 server to retrieve entries from
my current domain in CentOS 7:
ipa migrate-ds ldap://my_current_server:389 \
    --user-container=cn=users,cn=compat,dc=ipa,dc=math \
    --bind-dn="cn=Directory Manager" \
    --user-objectclass=posixAccount \
    --group-container=cn=groups,cn=compat,dc=ipa,dc=math \
    --group-objectclass=posixGroup
But "ipa migrate-ds" fails with this message for each user:
xxx: missing attribute "sn" required by object class "organizationalPerson"
with a final:
No users/groups were migrated from ldap://...:389
I tried with and without the --with-compat option, and with ipa-compat-manage enabled
and disabled.
But when I look at the LDAP entries on the server in production, I do however see an sn
attribute (containing the last name) for each user. So where is the bug?
Thanks,
--
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers
3 years, 3 months
FreeIPA 4.9.0 released
by Alexander Bokovoy
Hello,
The FreeIPA team would like to announce FreeIPA 4.9.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
Due to the large size of the updates, please see all the details at
https://www.freeipa.org/page/Releases/4.9.0. Many of the updates were
already seen in FreeIPA 4.8 releases as they were backported there.
Nevertheless, the full list of changes can be found at the page linked
above.
== Highlights in 4.9.0
* 298: [RFE] Add support for cracklib to password policies
FreeIPA password quality checking plugin has been extended to use
libpwquality library. Password policies can now check for a reuse of
a user name, dictionary words using a cracklib package, numbers and
symbols replacement and repeating characters in the passwords.
* 2445: [RFE] IdM password policy should include checks for repeating
characters
FreeIPA password quality checking plugin has been extended to use
libpwquality library. Password policies can now check for a reuse of
a user name, dictionary words using a cracklib package, numbers and
symbols replacement and repeating characters in the passwords.
* 3299: [RFE] Switch the client to JSON RPC
Clients now communicate with FreeIPA server via JSON-RPC instead of
XML-RPC by default. The new interface for example allows sending
additional information (notices, warnings) when a management
operation ends with an error.
* 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a
machine-readable (JSON) format, or send email notifications to these
users. EPN provides command-line options to display the list of
affected users. This provides data introspection and helps
understand how many emails would be sent for a given day, or a given
date range. The command-line options can also be used by a
monitoring system to alert whenever a number of emails over the SMTP
quota would be sent. EPN is meant to be launched once a day from an
IPA client (preferred) or replica from a systemd timer. EPN does not
keep state: the list of affected users is built at runtime but never
kept.
* 3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in Web UI
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
Samba file server can now be configured on the FreeIPA-enrolled
system to provide file services to users in IPA domain and to users
from trusted Active Directory forests
* 4751: Implement ACME certificate enrolment
Configure the Automatic Certificate Management Environment (ACME)
protocol support provided by the dogtag CA.
* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
* 5608: [RFE] Add Dogtag configuration extensions
* 5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added
to both IPA CLI and Web UI to prevent applying custom ID views to
avoid confusion and unintended side-effects.
* 5948: [RFE] Implement pam_pwquality featureset in IPA password
policies
* 6783: [RFE] Host-group names command rename
Host groups can now be renamed with IPA CLI: 'ipa hostgroup-mod
group-name --rename new-name'. Protected hostgroups ('ipaservers')
cannot be renamed.
* 7137: [RFE]: Able to browse different links from IPA web gui in new
tabs
* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory
is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt
non-Kerberos LDAP objects from checking Kerberos policy during
password changes by the Directory Manager or a password
synchronization manager. This issue affected, among others, an
integrated CA administrator account during deployment of more than
one replica in some cases.
* 7522: Disable cert publishing in dogtag
Dogtag certificate publishing facility is not configured anymore as
it is not used in FreeIPA.
* 7577: [RFE] DNS package check should be called earlier in installation
routine
The ``--setup-dns`` knob and interactive installer now both check
for the presence of freeipa-server-dns early and abort the installer
with an error before starting actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid
'principal'.
When deleting services, report exact name of a system required
principal that couldn't be deleted.
* 7966: Add support for JSON-RPC in ipa-join
ipa-join tool defaults to use of JSON-RPC protocol when
communicating to IPA masters by default. The choice of JSON-RPC or
XML-RPC is a compile-time setting now.
* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails
* 8106: ca-certificate file not being parsed correctly on Ubuntu with
p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support
multiple certificates in a single file. IPA installers now write an
individual file per certificate on Debian-based platforms.
* 8114: [RFE] Delegate group membership management
It is now possible to associate group managers with the groups.
Group managers have rights to add and remove members of the
individual group rather than being administrators for every group.
* 8129: Tests: Replace paramiko with OpenSSH
Paramiko is not compatible with FIPS mode, therefore convert most
tests to using ssh directly. The only non-converted test is the
2-prompt OTP test because sshpass does not support 2-prompt password
authentication ( https://pagure.io/freeipa/issue/8431 ).
* 8151: test_commands timing-out
Re-enable test_sss_ssh_authorizedkeys; add -v to ssh in order to
get debug information if this test fails or stalls again. The test
was run 16 times without a failure before re-enabling it.
* 8189: NIghtly test failure in
test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
Previously, ipa-client-installation saved the pre-install state
using "authselect current" command and the uninstallation reverted
to the same authselect state. In cases where the system was
installed using authconfig instead of authselect, the uninstallation
was unable to revert to the same state and picked "sssd"'s
authselect profile instead. Now, the client installation relies on
the backup functionality of authselect and is able to revert to the
exact pre-install state
* 8217: RFE: ipa-backup should compare locally and globally installed
server roles
ipa-backup now checks whether the local replica's roles match those
used in the cluster and exits with a warning if this is not the case,
as backups taken on this host would not be sufficient for a proper
restore. FreeIPA administrators are advised to double check whether
the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to
1.16.2.
* 8233: 4.8.5 master Installation error
On Debian and ALT Linux setup of AJP connector did restart Apache
instance before it was configured. The restart wasn't actually
needed and thus was removed.
* 8236: Enforce a check to prevent adding objects from IPA as external
members of external groups
Command 'ipa group-add-member' allowed to specify any user or group
for '--external' option. A stricter check is added to verify that a
group or user to be added as an external member does not come from
IPA domain.
* 8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to
version 3.4.1.
* 8241: Build fails on Fedora 30
SELinux rules for ipa-custodia were merged into FreeIPA SELinux
policy. The policy relied on an SELinux interface that is not
available in Fedora 30. The logic was changed to allow better
portability across SELinux versions.
* 8268: Prevent use of too long passwords
Kerberos tools limit password entered in kpasswd or kadmin tools to
1024 characters but do not allow to distinguish between passwords
cut off at 1024 characters and passwords with 1024 characters. Thus,
a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8275: Support systemd-resolved
FreeIPA DNS servers now detect systemd-resolved and configure it to
pass through itself.
* 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit
system accounts with krbPrincipalAux object class. This allows
system accounts to have a keytab that does not expire. The "Default
System Accounts Password Policy" has a minimum password length in
case the password is directly modified with LDAP.
* 8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to
3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add
hosts as targets
Service delegation rules and targets now allow specifying hosts as a
rule or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal
alias
Memory handling in various FreeIPA KDC functions was improved,
preventing potential crashes when looking up machine account aliases
for Windows machines.
* 8301: The value of the first character in target* keywords is expected
to be a double quote
389-ds 1.4 enforces syntax for target* keywords (targetattr,
targetfilter, etc) to have quoted attributes. Otherwise the aci that
contains unquoted parameters is ignored. Default FreeIPA access
controls were fixed to follow 389-ds syntax. Any third-party ACIs
need to be updated manually.
* 8304: [fed32] client-install does not properly set
ChallengeResponseAuthentication yes in sshd conf
ipa-client-installation now writes the sshd configuration to the
drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf
snippet, thus ensuring that the setting
"ChallengeResponseAuthentication yes" take precedence.
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises
warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP
binds. FreeIPA now disables this feature because changing password
hash in FreeIPA is not allowed by the internal plugins that
synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember
configuration to prevent unintended modification of a default host
group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and
before 3.5.0, passing HTML from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(), .append(), and others) may execute untrusted code. FreeIPA
is not allowing to pass arbitrary code into affected jQuery path but
we applied jQuery fix anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain
When users from trusted Active Directory domains have permissions to
manage IPA resources, they can do so through a Web UI management
console.
* 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This
makes possible for 3rd-party plugins to supply full set of managed
permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active
Directory forest
A 3rd-party plugin to provide management of IPA resources as users
from trusted Active Directory domains was merged into FreeIPA core.
ID user overrides can now be added to IPA management groups and
roles and thus allow AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal
expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password
expiration time in UTC time zone. Previously, a local server time
zone was applied even though UTC was implied in the settings.
* 8374: EPN does not ship its default configuration (/etc/ipa/epn.conf)
in freeipa-client-epn
EPN did not ship any configuration file. This was an oversight, but
the tool itself would work fine as it had sane defaults; moreover,
the man page for the configuration file was present.
* 8391: Remove dnf workaround from test_epn.py
The new PR-CI images are cleaner and do not need the *epn* packages
to be uninstalled/reinstalled.
* 8401: Create platform definitions for freeipa-container
ipaplatform now provides container platform flavors for
freeipa/freeipa-container
* 8404: Detect and fail if not enough memory is available for
installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to
prevent performance degradation.
* 8432: test failure in
test_commands.py::TestIPACommand::test_login_wrong_password:
AssertionError
Sometimes test_login_wrong_password fails because the log window the
string message is searched in is too narrow. Broaden the window by
looking at the past 10 seconds.
* 8444: EPN: enhance input validation
Various input validation checks were added to EPN.
* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down
EPN now displays a proper message if the configured SMTP server
cannot be contacted.
* 8449: EPN: enhance CLI option tests
EPN: enhance existing tests for --dry-run, --from-nbdays and
--to-nbdays.
* 8488: SELinux blocks custodia key replication / retrieval for sub-CAs
SELinux: Make sure ipa_custodia_t has the necessary rights; add
dedicated policy rules for ipa-pki-retrieve-key.
* 8490: It is not possible to edit KDC database when the FreeIPA server
is running
kadmin.local command 'getprincs' is now supported
* 8493: Synchronize index LDIF and index update files
Configuration of LDAP indices was moved into a single place. New
indices were added to attributes related to trusted domains
operations. Performance improvement is expected for Kerberos service
tickets requested by users from trusted Active Directory domains.
* 8503: pkispawn logs files are empty
On recent versions of Dogtag PKI, pkispawn does not create logs by
default, making debugging failed IPA installs impossible. Invoke
pkispawn with --debug to revert to the previous behavior.
* 8507: [WebUI] Backport jQuery patches from newer versions of the
library (e.g. 3.5.0)
Support reproducible builds for jQuery library
* 8510: create_active_user and kinit_as_user should collect
kdcinfo.REALM on failure
Sometimes, requesting a TGT after a password reset fails because
SSSD seems to select different hosts for these two sequential tasks,
leaving no time for replication to replicate the password hashes.
Add debug information to the test suites that exhibit the problem
and always display the kdcinfo file maintained by SSSD that contains
the KRB5KDC IP it should be pinned to.
* 8530: Running ipa-server-install fails on machine where libsss_sudo is
not installed
The FreeIPA client RPM now has a soft dependency on libsss_sudo and
sudo itself.
* 8536: RFE: ipatests: run healthcheck on hidden replica
ipatests: freeipa-healthcheck is now executed on each member of a
cluster that contains a hidden replica.
=== Known Issues
* 8240: KRA install fails if all KRA members are Hidden Replicas
If the first KRA instance is installed on a hidden replica, more KRA
instances cannot be added to the cluster. As a workaround,
temporarily make the hidden replica with the KRA role visible
before adding more KRA instances. The previously-hidden replica can
be hidden again as soon as ipa-kra-install is complete.
=== Bug fixes
FreeIPA 4.9.0 is the first stable release for the features delivered as
a part of 4.9 version series.
There are more than 370 bug-fixes since FreeIPA 4.8.10 release. Details
of the bug-fixes can be seen in the list of resolved tickets.
Due to the large size of the updates, please see all the details at
https://www.freeipa.org/page/Releases/4.9.0
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 3 months
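The note on ticket 8301 in the 4.9.0 announcement above says that 389-ds 1.4 silently ignores an ACI whose target* keyword value is not double-quoted, and that third-party ACIs have to be updated by hand. An ignored ACI is an authorization rule that stopped being enforced, so it is worth auditing every aci attribute in an LDIF export of the suffix before the upgrade. The following is an added example written for this page, not code from FreeIPA or 389-ds: it unfolds LDIF continuation lines, finds the target keywords whose value does not start with a double quote, and reports the ACL name. The keyword list is the set of 389-ds target keywords this check knows about, and SAMPLE_LDIF is constructed input.

```python
"""Audit ACIs for the 389-ds 1.4 rule described in ticket 8301: every target
keyword (targetattr, targetfilter, ...) must carry a double-quoted value or the
whole ACI is silently ignored. Added example; SAMPLE_LDIF is constructed."""
from __future__ import annotations

import re
from typing import Iterator, List, Tuple

# Target keywords this check knows about, longer alternatives first so that
# "targetattr" is matched as itself and not as "target" followed by junk.
_TARGET_RE = re.compile(
    r"\(\s*(targetattr|targetfilter|targetscope|targattrfilters|target_to|target_from|target)"
    r"\s*(!?=)\s*(\S)"
)
_ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"')


def unquoted_targets(aci: str) -> List[str]:
    """Target keywords in one ACI whose value does not start with a double quote."""
    return [kw for kw, _op, first in _TARGET_RE.findall(aci) if first != '"']


def iter_acis(ldif: str) -> Iterator[str]:
    """Yield every 'aci:' value from LDIF text, unfolding RFC 2849 continuation
    lines (a line starting with one space continues the previous value)."""
    current = None
    for line in ldif.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line[1:])
            continue
        if current is not None:
            yield "".join(current)
            current = None
        if line.startswith("aci:"):
            current = [line[len("aci:"):].lstrip()]
    if current is not None:
        yield "".join(current)


def audit(ldif: str) -> List[Tuple[str, List[str]]]:
    """(acl name, offending keywords) for every ACI that 389-ds 1.4 would ignore."""
    findings = []
    for aci in iter_acis(ldif):
        bad = unquoted_targets(aci)
        if bad:
            name = _ACL_NAME_RE.search(aci)
            findings.append((name.group(1) if name else "<unnamed>", bad))
    return findings


# Constructed LDIF: one correctly quoted ACI and two that 389-ds 1.4 would drop.
SAMPLE_LDIF = """\
dn: dc=example,dc=test
aci: (targetattr = "userPassword")(version 3.0; acl "self password"; allow (write)
  userdn = "ldap:///self";)
aci: (targetattr = memberOf || userCertificate)(version 3.0; acl "legacy read";
  allow (read, search, compare) groupdn = "ldap:///cn=auditors,dc=example,dc=test";)
aci: (targetfilter = (objectClass=posixAccount))(targetattr = "loginShell")
  (version 3.0; acl "third-party shell mgmt"; allow (write)
  groupdn = "ldap:///cn=shell-admins,dc=example,dc=test";)
"""

if __name__ == "__main__":
    for acl, keywords in audit(SAMPLE_LDIF):
        print(f'ACI "{acl}" would be ignored: unquoted {", ".join(keywords)}')
```

Feed it the output of an LDIF search for `(aci=*)` returning only the aci attribute over the whole suffix. Everything it lists is a rule that 389-ds 1.4 is no longer enforcing; quote the offending values by hand and re-run the audit rather than rewriting ACIs automatically, since targetfilter values contain their own parentheses.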
addition of a user with given UID - Samba does not see the user.
by lejeczek
Hi guys,
IPA with Samba integrated and users migrated from another
IPA, and a user was available to Samba.
Then on a second master too
-> $ ipa-adtrust-install
was run and I think that was the only bit done. Then the user
was removed and added with the same UID and Samba does not
see that user, though the user works fine elsewhere.
Removal was done with --no-preserve and also without it but
no difference.
Any suggestions as how to fix it are greatly appreciated.
many thanks, L.
3 years, 3 months
HTTPD very busy while doing nothing - many processes
by lejeczek
hi guys
In a "healthy" domain I see on master(with KRA) which
pretends to be very busy.
-> $ tailf /var/log/httpd/error_log
[Wed Dec 23 11:24:23.364388 2020] [core:notice] [pid 14691] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Dec 23 11:24:29.753445 2020] [mpm_prefork:notice] [pid 14691] AH00171: Graceful restart requested, doing restart
[Wed Dec 23 11:24:33.027682 2020] [lbmethod_heartbeat:notice] [pid 14691] AH02282: No slotmem from mod_heartmonitor
[Wed Dec 23 11:24:33.128184 2020] [mpm_prefork:notice] [pid 14691] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Wed Dec 23 11:24:33.128244 2020] [core:notice] [pid 14691] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Dec 23 11:24:39.324905 2020] [mpm_prefork:notice] [pid 14691] AH00171: Graceful restart requested, doing restart
[Wed Dec 23 11:24:42.535391 2020] [lbmethod_heartbeat:notice] [pid 14691] AH02282: No slotmem from mod_heartmonitor
[Wed Dec 23 11:24:42.598113 2020] [mpm_prefork:notice] [pid 14691] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Wed Dec 23 11:24:42.598152 2020] [core:notice] [pid 14691] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Dec 23 11:24:48.964880 2020] [mpm_prefork:notice] [pid 14691] AH00171: Graceful restart requested, doing restart
[Wed Dec 23 11:24:51.385796 2020] [:error] [pid 8801] ipa: INFO: *** PROCESS START ***
[Wed Dec 23 11:24:52.319019 2020] [lbmethod_heartbeat:notice] [pid 14691] AH02282: No slotmem from mod_heartmonitor
[Wed Dec 23 11:24:52.389349 2020] [mpm_prefork:notice] [pid 14691] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Wed Dec 23 11:24:52.389404 2020] [core:notice] [pid 14691] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Dec 23 11:24:58.537949 2020] [mpm_prefork:notice] [pid 14691] AH00171: Graceful restart requested, doing restart
And it does not seem to stop.
top agrees:
  PID USER      PR NI   VIRT   RES   SHR S %CPU %MEM   TIME+ COMMAND
 8801 ipaapi    20  0 609384 48384  7244 R 19.2  0.8 0:00.58 (wsgi:ipa) -DFOREGROUND
 8799 ipaapi    20  0 592932 42728  6560 R 16.2  0.7 0:00.49 (wsgi:ipa) -DFOREGROUND
 8798 ipaapi    20  0 552124 29548  4892 R 15.9  0.5 0:00.48 (wsgi:ipa) -DFOREGROUND
 8800 ipaapi    20  0 551736 29256  4836 R 14.9  0.5 0:00.45 (wsgi:ipa) -DFOREGROUND
 8803 apache    20  0 458680 17568  4712 S  7.9  0.3 0:00.24 /usr/sbin/httpd -DFOREGROUND
 8802 apache    20  0 458680 17568  4712 S  7.6  0.3 0:00.23 /usr/sbin/httpd -DFOREGROUND
 8804 apache    20  0 458680 17568  4712 S  7.6  0.3 0:00.23 /usr/sbin/httpd -DFOREGROUND
 8806 apache    20  0 458680 17568  4712 S  7.6  0.3 0:00.23 /usr/sbin/httpd -DFOREGROUND
 8805 apache    20  0 458680 17568  4712 S  4.0  0.3 0:00.12 /usr/sbin/httpd -DFOREGROUND
14691 root      20  0 431104 58988 49260 S  3.0  1.0 0:40.05 /usr/sbin/httpd -DFOREGROUND
 8796 kdcproxy  20  0 626388 18812  4084 S  2.3  0.3 0:00.07 (wsgi:kdcproxy) -DFOREGROUND
 8797 kdcproxy  20  0 691924 18812  4084 S  2.3  0.3 0:00.07 (wsgi:kdcproxy) -DFOREGROUND
That surely is not normal behavior, right?
What here is the suspect I should start interrogating?
many thanks, L.
3 years, 3 months
Re: FreeIPA servers in different dns zones/domains but with the same realm
by Alexander Bokovoy
On Tue, 22 Dec 2020, Juarez Souza Junior wrote:
>Hi Alexander, thanks for answering.
>
>I want to deploy a freeipa server for each domain (app.test.local,
>dev.test.local, sec.test.local and etc) but with the same realm for users
>to have the same user database between the servers.
>Could it be possible?
Do not drop the mailing list.
I already answered your question. Please search the mailing list
archives for additional details if you did not understand the answer I
gave _after_ the reference to the archives.
>
>
>On Tue, 22 Dec 2020 at 11:22, Alexander Bokovoy <abokovoy(a)redhat.com>
>wrote:
>
>> On Tue, 22 Dec 2020, Juarez Souza Junior via FreeIPA-users wrote:
>> >Hi All! So I'm trying to deploy FreeIPA Servers (with integrated DNS
>> >Server) in a domain and subdomain with the same user realm.
>> >Anyone knows if it would be possible to deploy FreeIPA servers in
>> different
>> >domains but sharing the same realm?
>> >How could I deploy a replica without enrolling it to the same domain of
>> the
>> >master server?
>> >For example:
>> >IPA Server -> realm: TEST.LOCAL domain: test.local (10.1.1.0/24)
>> >REPLICA -> realm: TEST.LOCAL domain: app.test.local (10.1.2.0/24)
>> >
>> >My problem is: I'm working on a project where I have multiple domains
>> (app,
>> >sec, dev and etc) and I need centralized user authentication for each
>> >domain zone.
>> >
>> >I did some test labs without success. (mainly with the replica)
>> >
>> >I hope someone could give me a direction.
>>
>> What exactly did you try?
>>
>> Look at this list archives, this is one of often asked questions. You
>> *should not* specify --domain option to ipa-client-install to be your
>> client's domain: e.g. not --domain=app.test.local but instead
>> --domain=test.local. The hostname can be in any domain, as long as that
>> domain zone exists in DNS and if that domain zone is not managed by IPA
>> DNS server, then the host-to-be-enrolled hostname exists in that zone.
>>
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
>>
>
>--
>Regards,
>
>Juarez Souza Junior
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 3 months
a year later - non-member Win clients access to IPA's Samba
by lejeczek
hi gents
Longish time ago, I think more than a year, I asked and
got a succinct reply about ways to access IPA's
integrated Samba from non-member Win clients.
If I remember correctly it was possible (the answer was by, I
think, one of you IPA devels) for one version of IPA (with
rhel/centos 7), and still is, to have such Win clients
access Samba, but on newer IPA it was not, and at that time
it was undecided, I was told, whether it was going to be
"fixed" in future IPA releases.
Is there more to shed light on now? Is or will there be a
way in which IPA+Samba latest/future releases allow non-members?
many thanks, L
3 years, 3 months
FreeIPA servers in different dns zones/domains but with the same realm
by Juarez Souza Junior
Hi All! So I'm trying to deploy FreeIPA Servers (with integrated DNS
Server) in a domain and subdomain with the same user realm.
Anyone knows if it would be possible to deploy FreeIPA servers in different
domains but sharing the same realm?
How could I deploy a replica without enrolling it to the same domain of the
master server?
For example:
IPA Server -> realm: TEST.LOCAL domain: test.local (10.1.1.0/24)
REPLICA -> realm: TEST.LOCAL domain: app.test.local (10.1.2.0/24)
My problem is: I'm working on a project where I have multiple domains (app,
sec, dev and etc) and I need centralized user authentication for each
domain zone.
I did some test labs without success. (mainly with the replica)
I hope someone could give me a direction.
Thanks!
3 years, 3 months