no new replicas due to ipa compiled against old samba version on centos 8.1
by Rami Elias (TECH V)
Hello,
Actually I can't provision new replicas due to this on CentOS 8.1:
https://bugs.centos.org/view.php?id=16929
It seems that the ipa package was compiled against an old samba version, but samba 4.9.1 now appears to have been removed from the mirrors:
dnf install samba-4.9.1
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:04:52 ago on Tue May 5 10:54:57 2020.
No match for argument: samba-4.9.1
Error: Unable to find a match: samba-4.9.1
So I tried to download the samba-4.9.1 rpm from here to install it manually, https://koji.mbox.centos.org/koji/buildinfo?buildID=460
but without success because of a 403 Forbidden.
Maybe I should write this mail to a CentOS 8 mailing list instead, but I thought I would try here first because FreeIPA is the affected tool.
Does somebody maybe know another workaround for this?
Best regards
--
ÖAMTC I BAUMGASSE 129 I 1030 WIEN
Elias Rami | Devops Engineer
M +43 664 613 1346
elias.rami(a)oeamtc.at | www.oeamtc.at | ÖAMTC ZVR 7300335108
Issue while tying to integrate FreeIPA server (LDAP) with Grafana WebUI
by Saurabh Garg
Hi,
I am trying to integrate Grafana UI with LDAP running on FreeIPA, version: 4.8.4. Could you please help me fix the below error:
t=2020-05-05T18:15:26+0000 lvl=info msg="Ldap enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
t=2020-05-05T18:15:26+0000 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="Failed to get LDAP config: Failed to load ldap config file: Near line 34 (last key parsed 'servers.search_base_dns'): expected value but found \"cn\" instead"
t=2020-05-05T18:15:26+0000 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=49.206.255.126 time_ms=0 size=53 referer=http://13.52.184.58:3000/login
/etc/grafana/ldap.toml:
##################################################
[[servers]]
host = "10.0.0.1"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "uid=binduser,cn=users,cn=accounts,dc=domain,dc=com"
bind_password = 'binduser123'
search_filter = "(uid=%s)"
# each base DN must be a quoted TOML string inside the array
search_base_dns = ["cn=users,cn=accounts,dc=domain,dc=com"]
group_search_base_dns = ["cn=groups,cn=accounts,dc=domain,dc=com"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=domain,dc=com"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=domain,dc=com"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
##################################################
Regards,
Saurabh Garg
Re: Unset passwords for accounts
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> We don't use FreeIPA passwords for user accounts however some accounts
> have had passwords set which is noticed from time to time. I would like
> to revert those account passwords to the point when the user was newly
> added but the password not yet set.
>
> I don't see anything obvious in the documentation, perhaps there is some
> behind the scenes way of achieving this? (For reference, I used to put
> "!!" in /etc/shadow when using local files)
There is no equivalent of "no password allowed" in IPA. I think there is
or was an RFE for this at one point.
To clear out existing password attributes you'd need to use ldapmodify
and bind as the Directory Manager to remove them.
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: krbprincipalkey
-
delete: userpassword
-
delete: krbextradata
-
delete: krbpasswordexpiration
-
delete: krblastpwdchange
<extra blank line>
^D
rob
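Angus says the stray passwords are "noticed from time to time", so the practical workflow is to find the affected entries first and then feed ldapmodify exactly the deletes each entry needs. The script below is an added example (not FreeIPA code): it parses the LDIF that `ldapsearch` prints when run as Directory Manager against `cn=users,cn=accounts,...` requesting the five attributes from Rob's reply, lists the users that still carry any of them, and generates the corresponding `changetype: modify` records. The sample search output is constructed, with placeholder base64 values, and the search filter `(objectClass=person)` is an assumption. Only attributes actually present are deleted, because an LDAP `delete` of an attribute that is not on the entry fails with noSuchAttribute and would abort the batch.

```python
"""Find FreeIPA users with a password set and build the LDIF that clears it.

Added example, not FreeIPA code. Assumes the input is the output of something like
  ldapsearch -x -D 'cn=directory manager' -W -o ldif-wrap=no \
    -b cn=users,cn=accounts,dc=example,dc=test '(objectClass=person)' \
    userPassword krbPrincipalKey krbExtraData krbPasswordExpiration krbLastPwdChange
(the filter is an assumption; -o ldif-wrap=no keeps each attribute on one line).
"""

# The attributes Rob's reply deletes, in the same order.
PASSWORD_ATTRS = ("krbprincipalkey", "userpassword", "krbextradata",
                  "krbpasswordexpiration", "krblastpwdchange")

# Constructed ldapsearch output: tuser1 has a password, tuser2 never had one.
# The base64 values ("::") are placeholders, not real hashes or keys.
SAMPLE_SEARCH_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=example,dc=test> with scope subtree
# filter: (objectClass=person)

# tuser1, users, accounts, example.test
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=test
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
krbPrincipalKey:: cGxhY2Vob2xkZXI=
krbLastPwdChange: 20200501120000Z

# tuser2, users, accounts, example.test
dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=test

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""


def parse_ldif_records(text):
    """Return [(dn, {attr_lower: [raw values]})] for each entry in ldapsearch output."""
    records = []
    dn, attrs = None, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):                # ldapsearch comment lines
            continue
        if line == "":                          # blank line ends a record
            if dn is not None:                  # "search:/result:" block has no dn
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        value = value.lstrip(":").strip()       # "::" marks base64; kept raw here
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records


def users_with_passwords(search_output):
    """DNs of entries that still carry any password-related attribute."""
    return [dn for dn, attrs in parse_ldif_records(search_output)
            if any(a in attrs for a in PASSWORD_ATTRS)]


def clear_password_ldif(records):
    """Build ldapmodify input: one modify record per user, deleting only
    the password attributes that entry actually has (a delete of a missing
    attribute fails with noSuchAttribute)."""
    out = []
    for dn, attrs in records:
        present = [a for a in PASSWORD_ATTRS if a in attrs]
        if not present:
            continue
        changes = "\n-\n".join(f"delete: {a}" for a in present)
        out.append(f"dn: {dn}\nchangetype: modify\n{changes}\n")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_ldif_records(SAMPLE_SEARCH_OUTPUT)
    print("users with a password set:", users_with_passwords(SAMPLE_SEARCH_OUTPUT))
    print(clear_password_ldif(recs), end="")
```

Pipe the generated LDIF into `ldapmodify -x -D 'cn=directory manager' -W` as in Rob's reply. Two caveats a practitioner should keep in mind: binding as Directory Manager bypasses the IPA framework and its access controls entirely, so run this from a trusted host and keep the audit output (it contains password hashes) off disk where possible; and once `krbPrincipalKey` is gone the user cannot obtain a Kerberos ticket with a password until one is set again, which is the intended "never had a password" state Angus describes.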
Migrating second IPA server in a two node cluster, to a different VLAN + Masking ipa-client-install password.
by TomK
Hey All,
1) When moving an IPA Cluster member to another VLAN, is it only
necessary to change the member's DNS entries in the primary IPA's DNS
config, then change the IP on the secondary's network config? Or is
there more steps that would need to be done?
2) Can I join an IPA client to an IPA server using an alternate
non-privileged account that has minimal permissions, instead of the
admin type account?
ipa-client-install --force-join -p admin -w "$TMPP" --fixed-primary \
    --server=$IPA01.$NDOMAIN --server=$IPA02.$NDOMAIN --domain=$NDOMAIN \
    --realm=$UNDOMAIN -U
I've created a user with a role that has Host Enrollment and Host
Administrators. However, perhaps Host Administrators will give too many
permissions, including removal of existing hosts. Wondering if there
isn't a more restrictive set of permissions I could give.
--
Thx,
TK.
Unset passwords for accounts
by Angus Clarke
Hello
We don't use FreeIPA passwords for user accounts however some accounts have had passwords set which is noticed from time to time. I would like to revert those account passwords to the point when the user was newly added but the password not yet set.
I don't see anything obvious in the documentation, perhaps there is some behind the scenes way of achieving this? (For reference, I used to put "!!" in /etc/shadow when using local files)
Thanks a lot
Angus
Users and Admin access for AD Accounts
by TomK
Hey All,
Let's suppose I have two AD groups:
unixadmin
unixusers
In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA
functions.
Whereas for the unixusers, I would like to give R/O access.
I've already done the group mappings from AD to FreeIPA.
What is the best way to achieve this? I'm finding related links online
but not quite what I'm looking for.
I did a test to see if nesting the unixadmin group within the FreeIPA
admins group would work but I still can't login to FreeIPA with my AD
user, despite my ID residing in the unixadmin group which in turn is
nested in the FreeIPA admins group.
This is FreeIPA 4.6.4.
--
Thx,
TK.