February 2022 - FreeIPA-users - Fedora mailing-lists

Increasing SSSD primary-master reconnection interval
by Bill M 11 Feb '22

11 Feb '22

Hi there, I've a primary and three secondary servers in the sssd.conf on my IPA clients. The failover works as expected, and from the logs I can see the client attempting to reconnect to the primary server every 5 minutes. ipa_server = host1-ipa1 ipa_backup_server = host2-ipa1, host3-ipa1, host4-ipa1 Is there an option in sssd.conf to increase this 5 minute interval? So in case host1 and host2 are down, and current active server is host3, I'd like the sssd client to attempt a reconnect to the primary server (host1) every 15-20 minutes. have a good day, thanks.

2 2

Adding DNS on a replica
by Simon Matthews 10 Feb '22

10 Feb '22

I set up a replica server, but I omitted the "--setup-dns" option when installing the replica. Is there any way to add this, without uninstalling completely and re-installing?

2 1

Monitoring for changes
by Yehuda Katz 10 Feb '22

10 Feb '22

We have an operational need to track the userClass attribute for our IPA hosts over time, specifically in a git repository (don't ask). I thought of several ways of doing this and I am looking for suggestions as to the best option. I also want to make the smallest possible modifications to FreeIPA. 1. Monitor the `cn=changelog` tree for changes affecting hosts. We would keep the last date our script ran and query the tree for items more recent than that. The major issue is that it doesn't look like you can query for ">=" against modifyTimestamp (at least, I get no results). 2. I found references to FreeIPA using `RFC 4533` instead of the old changelog sync. It seems like that might have been superseded by RFC 3928, but I can't find any documentation about that. I have also found references to 389ds supporting Persistent Searches, but again there doesn't seem to be great documentation. I am not sure I want to implement something without documentation about it being a supported feature. Both options 1 and 2 would probably need a full sync every so often to make sure they didn't miss changes. 3. Create a FreeIPA plugin. This seems like overkill since I just need LDAP data and we would need to make sure it gets installed on all of our systems. 4. Just schedule a normal LDAP query every so often (i.e. maybe once an hour) and assume that changes aren't made so quickly that anything important would be lost. I like this option least since I don't know that I can trust that assumption. Any thoughts about these (or other) methods? Thank you, - Y

1 0

Automount options: -ghost or browse
by Simon Matthews 10 Feb '22

10 Feb '22

Can I set the "-ghost" or "browse" option on an automount map? If so, how?

2 1

How to add user directori for jira admin and confluence admin user
by Mehrdad Hosseinzadeh 10 Feb '22

10 Feb '22

How to add user directori for jira admin and confluence admin user?

1 0

new DNS setup
by Stephen Berg, Code 7309 10 Feb '22

10 Feb '22

New-ish ipa-4.9.6 setup on rocky linux 8.5. Initially we just setup the basic IPA services without DNS. I've started setting up ipa-dns now and not quite sure what the best way to proceed. Hypothetical settings: All hosts are set up as: hostname.domain.com All hosts have an alias: hostname.realm.domain.com I do not administer the authoritative DNS but I can add and delete records for the areas I manage. We currently run a few dnsmasq servers on our subnets with manually managed /etc/hosts on each. I want to utilize the ipa-dns to take over for our dnsmasq servers. I've done the ipa-dns-install, pointed forwarders to our authoritative DNS servers. What I can't quite wrap my head around is the best way to proceed from that point? Should I add the zone for the realm version hostnames and a separate zone for the domain level hostnames? Or add one zone and then add a CNAME for the other hostname? Should the zone I setup be the hostname.realm.domain version or the hostname.domain version. Or does it really matter much? I do have quite a few hostnames that do not have a realm hostname setup. They are mostly service ports and won't ever be bound to IPA. After starting to add some of those I seem to be unable to resolve them to an IP. -- Stephen Berg, IT Specialist, Ocean Sciences Division, Code 7309 Naval Research Laboratory W: (228) 688-5738 DSN: (312) 823-5738 C: (228) 365-0162 Email: stephen.berg(a)nrlssc.navy.mil <- (Preferred contact) Flank Speed: stephen.p.berg.civ(a)us.navy.mil

2 2

How to configure random serial numbers for the CA in the Docker container
by Mark Sibering 10 Feb '22

10 Feb '22

I am running FreeIPA 4.9.8 as a Docker container and Firefox refuses the certificate as the serial has been reused. I found this post: https://bugzilla.redhat.com/show_bug.cgi?id=747959 and this post: https://galenabell.com/2018/10/23/random-certificate-serials-in-freeipa/, but the files mentioned do no longer exist in FreeIPA 4.9.8 (or I cannot find them). I tried adding: ``` PKI_RANDOM_SERIAL_NUMBERS_ENABLED="true" export PKI_RANDOM_SERIAL_NUMBERS_ENABLED ``` to /usr/share/pki/etc/pki.conf and I tried adding PKI_RANDOM_SERIAL_NUMBERS_ENABLED=TRUE as environment variable in the docker-compose file. Neither worked. During install I see the variable being set to false in the logs. Any suggestion on how to have random serials after an unattended install?

3 3

SSHFP records
by Simon Matthews 09 Feb '22

09 Feb '22

When enrolling a client, I get the message: Could not update DNS SSHFP records. Everything seems to be working. Is this an issue I need to worry about? The reason it can't update these records is that the master DNS for the network is on a different server and it needs a TSIG in order to accept an update.

3 3

host certs - Organizational Unit - ?
by lejeczek 09 Feb '22

09 Feb '22

Hi guys Is it possible to insert/include Organizational Unit (OU) for host certificates? many thanks, L

2 3

certificate management - best practices - ?
by lejeczek 09 Feb '22

09 Feb '22

Hi guys. I ponder what I think must be trivial for at the same time, also an obvious idea - services & hosts. All the hosts, domain members and all possible or maybe just a handful services, one might run on those hosts - should you want a unique certificate for each host+service or perhaps a single cert for a host which then be used by all services on the host, is a better practice? All ideas & notions shared are greatly appreciated. many thanks, L.

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users February 2022