April 2022 - FreeIPA-users - Fedora Mailing-Lists

Preserving uidNumber and gidNumber from AD

by Francis Augusto Medeiros-Logeay

Hi, I wonder if there is a way to create an AD trust where users would maintain the uidNumber/gidNumber that are stored in AD. I read on an older question on the nakive forum that if the trust-add command finds users with uidNumbers, so those would be used. I tried, but a random id-range is created every time. Is there a smart way to actually preserve those uidNumbers from AD? Best, Francis

2 years

2
2
0 / 0

user different shells - ? - with rbac

by lejeczek

Hi guys Just got this notion popped in - here is always best to ask before investigations start - can IPA do different shells, perhaps with RBAC somehow? I think it might be so trivial many must have asked already - different login host = different user shell many thanks, L.

2 years

3
2
0 / 0

Login without having to use `@ad_domain` - is it possible?

by Francis Augusto Medeiros-Logeay

Hi, I wonder if it is possible to configure a FreeIPA client to assume that clients logging in are from a trusted AD domain, instead of having those users to type `username@ad_domain` when logging in. I know I could have the user synchronisation approach so that users coexist on both systems, but a trust without sync is less complex, and I will have almost no FreeIPA users - I just want to join linux clients to FreeIPA for better management of linux resources. Any tips on if it is possible at all to do this? Best, Francis

2 years

3
3
0 / 0

issue with group's objectclass attributes

by Kathy Zhu

Hi List, Here is what happened in a timely order. the group "it" was created a long time ago without "groupOfUniqueNames" objectclass. I did following to add "groupOfUniqueNames" objectclass: [root@ipa0 ~]# ipa group-show it --all | grep object objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs [root@ipa0 ~]# [root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames ------------------- Modified group "it" ------------------- Group name: it Description: IT Team GID: 1889600264 Member users: john, rosy, ben, dan, rob, Member of groups: observium Member of Sudo rule: itsysadmins Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems [root@ipa0 ~]# [root@ipa0 ~]# ipa group-show it --all | grep object objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames [root@ipa0 ~]# After this, I could not create a group (both GUI and cli) with same error message: [root@ipa0 ~]# ipa group-add testgroup ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs" [root@ipa0 ~]# In the log: [31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs" When checked via GUI - IPA Servers / Configuration, the group attribute ipaNTGroupAttrs is there. Any idea what went wrong and how to fix it? Many thanks. Kathy.

2 years

3
10
0 / 0

Is Centos 7.9 with FreeIPA 4.6.8 compatible with Server 2019?

by Jeremy Tourville

I think the title says it all. I can't get ipa trust-add to work. https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...

2 years

2
2
0 / 0

ipa-sidgen-task failing, can't make trust to work

by Francis Augusto Medeiros-Logeay

Hi, I am trying to establish a trust between my FreeIPA and AD. I ran ipa-ad-trust-install, and chose yes to everything, including running the sidgen-task. I then ran the `ipa trust-add` command, and got this error: ``` ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None") ``` Investigating the issue, I noticed that only my admin user has a SID (ipaNTTrustedDomainSID), and that the `samba` service is not running precisely because of that: ``` Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: GSSAPI client step 2 Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737482, 0, pid=8660] ipa_sam.c:4211(get_fallback_group_sid) Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Missing mandatory attribute ipaNTSecurityIdentifier. Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737537, 0, pid=8660] ipa_sam.c:5182(pdb_init_ipasam) Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Cannot find SID of fallback group. Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737556, 0, pid=8660] ../../source3/passdb/pdb_interface.c:179(mak> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN.socket did not correctly i> Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Main process exited, code=exited, status=1/FAILURE Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Failed with result 'exit-code'. ``` I do have a default SMB group, but it doesn't have a SID: ``` dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain Group name: Default SMB Group Description: Fallback group for primary group RID, do not add users to this group GID: 1987100500 ipauniqueid: a4cbcef2-9671-11ec-bbb5-000c29945382 objectclass: top, ipaobject, posixgroup ``` I realized that the ipa-sidgen-task failed: ``` [03/Apr/2022:18:02:54.670826769 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct. [03/Apr/2022:18:02:54.671439501 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges. ``` and ``` ipaserver.install.service: CRITICAL Failed to load ipa-sidgen-task-run.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n') ipaserver.install.adtrustinstance: WARNING Exception occured during SID generation: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n') ``` Could anyone help me with this? I don't know how to generate these SID's, and I got stuck. Worse: my ipa won't start without the --ignore-service-failures, as smb is refusing to start. Best, Francis

2 years

3
10
4 / 0

certs: SAN without othername / NT Principal name

by David Harvey

Hi FreeiPA users, I'm having great fun with a web app that hates the othername/ NT Principal name included with certificates generated with ipa-getcert. I've tried several variations but can't omit this part of the subject alternative name. Is there any way to do so? Thanks in advance, David

2 years

3
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users April 2022