For information, on a new virgin host under CentOS Stream release 8:
ends with:
[Errno 2] No such file or directory: '/etc/authselect/user-nsswitch.conf'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for
Configuration of client side components failed!
The ipa-server-install command failed. See /var/log/ipaserver-install.log for
To solve the problem:
# touch /etc/authselect/user-nsswitch.conf
# ipa-server-install --uninstall
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers
I had a problem renewing the SSL certificate for httpd and LDAP. I have a new certificate from http://ssl.com/, so I need clear instructions to add this new certificate to the LDAP service and httpd.
Thank you in advance
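The steps the post is asking for, as an added example that is not part of the thread and not the FreeIPA project's own code: sanity-check the new certificate and key before touching the server, then load the issuer chain and install the server certificate for httpd and 389-ds with the stock IPA tools. File names (server.crt, server.key, the ssl.com intermediate and root CA files) and the hostname check are assumptions; `ipa-server-certinstall` prompts for the Directory Manager password.

```bash
#!/bin/bash
# Added example (editor's, not from the thread or the FreeIPA project): preflight a
# third-party certificate and key, then install them for httpd (-w) and 389-ds (-d).
# Assumed inputs: server.crt, server.key and the CA certificates supplied by the issuer
# (one PEM file each, e.g. ssl.com intermediate and root).

# 0 if the private key belongs to the certificate; compares the SubjectPublicKeyInfo,
# so it works for RSA and EC keys alike
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate carries the host in its subjectAltName (clients verify the SAN,
# not the CN); -w keeps "ipa.example.test" from matching "ipa.example.testing"
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qwF "DNS:$2"
}

# 0 if the certificate verifies against the supplied CA bundle
cert_chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# usage: install_ipa_web_and_ldap_cert server.crt server.key ca-intermediate.pem ca-root.pem
install_ipa_web_and_ldap_cert() {
  local cert=$1 key=$2 host chain ca
  shift 2
  host=$(hostname -f)
  chain=$(mktemp)
  cat "$@" > "$chain"   # full issuer chain, used only for the local verify

  cert_key_match "$cert" "$key"    || { echo "key does not match certificate" >&2; rm -f "$chain"; return 1; }
  cert_covers_host "$cert" "$host" || { echo "certificate has no SAN for $host" >&2; rm -f "$chain"; return 1; }
  cert_chain_ok "$chain" "$cert"   || { echo "certificate does not verify against the CA chain" >&2; rm -f "$chain"; return 1; }
  rm -f "$chain"

  # 1. make IPA trust the external CA(s); one file per CA certificate
  for ca in "$@"; do
    ipa-cacert-manage install "$ca" || return 1
  done
  # 2. push the updated CA set into this host's NSS databases and CA bundle
  ipa-certupdate || return 1
  # 3. install the server certificate for httpd (-w) and 389-ds (-d)
  ipa-server-certinstall -w -d "$cert" "$key" || return 1
  # 4. restart so both services load the new certificate
  ipactl restart
}
```

Run `ipa-certupdate` on every other IPA server and client as well, so they trust the new issuer before the restart; if the key is encrypted, add `--pin` to the `ipa-server-certinstall` call.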
The CRL being served by the CRL Master has not added a newly revoked certificate for 4 months. The CRL is updated and published as expected every four hours, just with no change to the list of revocations. Currently the CRL lists 34 certificates, whereas a query with ipa cert-find returns 40.
The missing certificates are not expired.
I do not see any errors in /var/log/pki/pki-tomcat/ca/debug*
I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and checked the CRL settings per https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.
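A way to pin down exactly which revocations are missing, added here as an example that is not part of the thread or of the FreeIPA project: parse the published DER CRL with openssl, list the serials `ipa cert-find --revoked` reports, normalise both to the same hex form and print the difference. Assumptions: the published CRL is MasterCRL.bin under the publish directory named above, `ipa cert-find` prints a "Serial number (hex): 0x..." line per certificate, and the caller holds an admin ticket for `ipa`.

```bash
#!/bin/bash
# Added example (editor's, not from the thread or the FreeIPA project): diff the serials
# on the published CRL against the serials IPA itself reports as revoked.
# Assumed CRL path; override with CRL_FILE=... if the master publishes elsewhere.
CRL_FILE=${CRL_FILE:-/var/lib/ipa/pki-ca/publish/MasterCRL.bin}

# canonical form: upper-case hex, no 0x prefix, no colons, no leading zeros ("0x0A" -> "A")
normalize_serial() {
  local s
  s=$(printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/://g' | tr 'a-f' 'A-F' | sed 's/^0*//')
  printf '%s\n' "${s:-0}"
}

# serial of every revokedCertificates entry in a DER CRL, one per line
crl_serials() {
  openssl crl -inform DER -in "$1" -noout -text |
    awk '/^ *Serial Number:/ { print $3 }' |
    while read -r s; do normalize_serial "$s"; done
}

# serials IPA considers revoked (assumes the "Serial number (hex):" output line)
ipa_revoked_serials() {
  ipa cert-find --revoked --sizelimit=0 |
    awk -F': ' '/Serial number \(hex\):/ { print $2 }' |
    while read -r s; do normalize_serial "$s"; done
}

# lines present in file $1 (IPA's list) but absent from file $2 (the CRL's list);
# FILENAME rather than NR==FNR so an empty CRL list still reports everything as missing
missing_from_crl() {
  awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# usage: report_crl_gap [crl-file]
report_crl_gap() {
  local crl=${1:-$CRL_FILE} ipa_list crl_list
  ipa_list=$(mktemp); crl_list=$(mktemp)
  ipa_revoked_serials > "$ipa_list"
  crl_serials "$crl" > "$crl_list"
  printf 'IPA revoked: %s  CRL entries: %s\n' \
    "$(wc -l < "$ipa_list" | tr -d ' ')" "$(wc -l < "$crl_list" | tr -d ' ')"
  printf 'Revoked in IPA but not on the CRL:\n'
  missing_from_crl "$ipa_list" "$crl_list"
  rm -f "$ipa_list" "$crl_list"
}
```

Serials are compared in hex because openssl prints CRL entries in hex while `ipa cert-find` prints decimal on its main "Serial number" line; the list this prints is what to search for in the CA debug log and in the CRL master's issuing-point configuration.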
OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names
Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS
I am using 4 labels to parallel the environment for which this is intended.
The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP AD-DC, but we eventually expect one from "Upstream" and hope to make AD.FOO.BAR.URP a Kerberos sub-realm/domain of it.
AD.FOO.BAR.URP and ad.foo.bar.urp were created.
IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a cross-forest trust. These, of course, will be sub-domains to AD.FOO.BAR.URP/ad.foo.bar.urp
The confuzzlepation is about client domain names.
Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just use foo.bar.urp?
Same question for non-Linux clients: the ad.foo.bar.urp DNS domain or can they just use foo.bar.urp?
And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate the matter?
Daniel E. White
NASCOM Linux Engineer
NASA Goddard Space Flight Center
Science Applications International Corporation (SAIC)
Office: (301) 286-6919
Mobile: (240) 513-5290
We have been big-time IPA vault users and managed to accumulate a few hundred thousand KRA requests in our IPA LDAP. This had been going on before ephemeral KRA requests were enabled in our installations, and now we have these requests sitting in LDAP.
Is there any (preferably: a safe) way to remove these KRA requests? Even the newest ones are 6+ months old.
Thank you for your help,
We currently have Red Hat IDM implemented on our campus local network. It has a one-way trust with our Active Directory and all of our Linux systems that live in our network use IDM for auth/authz. We are looking to start deploying our linux images into AWS and want to use our Red Hat IDM for auth control there as well and would like, if possible, to remove any dependencies on our local network for systems that live in AWS in doing so.
With that being said, I would like to verify my understanding of how auth/authz works with IDM and Active Directory. A client system will query a freeipa server in order to get HBAC policies, sudo rules/commands, authorization for accounts to use certain services, and user account/group information. The client system will authenticate the user, whether for login or sudo/su, directly to Active Directory without going through the freeipa server. Also, the freeipa servers will query AD for user account/group information if it’s not already cached on the freeipa server. Is my understanding here correct? If not, please enlighten me on where my misunderstanding is.
So, if my understanding as outlined above is correct, then to remove any dependency on our local network AD and FreeIPA/IDM for clients that live in AWS, we would need IDM servers and Active Directory servers in AWS for the clients to use, correct? If that is the case, is Azure Active Directory (AAD) a usable option in this case? Is there a way to specify for clients to use the IDM servers and AD that are in AWS first, before attempting to use the ones on our local network? Is there a way to specify for FreeIPA/IDM servers to use the AD in AWS before attempting to use the ones on our local network?
I appreciate anyone who can verify or correct what I have above.
Lead Linux Services Engineer
ITS ECP - Linux Services
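The server-preference part of the question above (clients trying the AWS IDM replicas first, and the IDM servers trying the AWS domain controllers first) is expressed in sssd.conf. The following is an added example, not part of the thread and not the FreeIPA project's own code: it writes a client-side `[domain/...]` section with an explicit `ipa_server` order that falls back to DNS SRV discovery via `_srv_`, appends the trusted-domain subsection an IPA server's SSSD uses to prefer particular AD DCs, and includes a small reader so the effective values can be checked. The domain and host names (idm.example.test, ad.example.test, ipa-aws1, dc-aws1, ...) are assumptions, and the `ad_server` option in a `[domain/parent/trusted]` subsection assumes an SSSD release that accepts it there.

```bash
#!/bin/bash
# Added example (editor's, not from the thread or the FreeIPA project): sssd.conf server
# ordering for IPA clients in AWS and for the IPA servers' view of a trusted AD domain.
# All domain and host names below are assumptions.

# client side: AWS replicas first, then DNS SRV discovery, campus replica only as backup
write_client_sssd_conf() {   # $1 = output path
  cat > "$1" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = idm.example.test

[domain/idm.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = idm.example.test
ipa_hostname = client1.idm.example.test
# order of preference; _srv_ = fall back to DNS SRV lookup of the IPA domain
ipa_server = ipa-aws1.idm.example.test, ipa-aws2.idm.example.test, _srv_
ipa_backup_server = ipa-campus1.idm.example.test
# keep last successful logins working while both AWS and campus are unreachable
cache_credentials = True
EOF
}

# IPA-server side only: prefer the AWS domain controllers for the trusted AD domain
# (assumes an SSSD release that honours ad_server inside a trusted-domain subsection)
append_server_trust_section() {   # $1 = output path
  cat >> "$1" <<'EOF'

[domain/idm.example.test/ad.example.test]
ad_server = dc-aws1.ad.example.test, dc-aws2.ad.example.test, _srv_
ad_backup_server = dc-campus1.ad.example.test
EOF
}

# read one option from one section of an ini-style sssd.conf; prints nothing if absent
sssd_option() {   # $1 = conf file, $2 = section name without brackets, $3 = option key
  awk -v sec="[$2]" -v key="$3" '
    /^\[/            { insec = ($0 == sec); next }
    insec && $0 ~ ("^" key " *=") { sub(/^[^=]*= */, ""); print; exit }
  ' "$1"
}
```

Mixing explicit hostnames with `_srv_` keeps DNS discovery as the safety net without letting a campus SRV record win over the AWS replica; after changing the file, `chmod 600 /etc/sssd/sssd.conf`, `sss_cache -E` and restart sssd, then confirm with `sssctl domain-status idm.example.test`.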