a zone for subdomain
by lejeczek
hi guys,
Is there any automated or programmatic manner in which a DNS zone could
be populated (or created) with all the necessary records, when one needs
a DNS subdomain with/on a separate subnet?
many thanks, L.
4 years, 9 months
Samba 4.10 with ipasam
by João Baúto
Hi all,
I'm setting up FreeIPA along with Samba and currently I'm running into an
issue with the ipasam module: if I use Samba 4.9.X everything works as
expected, while after upgrading to 4.10.X Samba fails to load ipasam. Since
the ipasam.so comes from ipa-server-trust-ad, I'm linking it into the Samba
modules folder.
- Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr/local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS
Is there a way of compiling a compatible version of ipasam with samba
4.10.X?
I'm running CentOS 7.6.1810 with FreeIPA 4.6.4.
Thanks!
JB
4 years, 9 months
ipa_automount_location
by Ronald Wimmer
Is it possible to use multiple automount locations (i.e. sssd.conf
containing ipa_automount_location=locationA,locationB)?
Cheers,
Ronald
4 years, 9 months
Re: Could not chdir to home directory: Permission denied
by Florence Blanc-Renaud
On 8/17/19 10:05 PM, Selman Keskin via FreeIPA-users wrote:
> Any idea?
>
Hi,
We need a little more information in order to help you. When is this
issue happening? I assume you are trying to connect to an IPA client
either using ssh or console login.
First check what is defined as the home directory for the user on an IPA server:
# kinit admin
# ipa user-show <userlogin> | grep 'Home directory'
/home/<userlogin>
Then on the machine where you got the error 'Could not chdir', check the
directory permissions:
# ls -ld /home/<userlogin>
The directory needs to belong to the user and have the right permissions
(drwx------).
By default, the home directory of every user is computed from
<HomeDirectoryBase>/<userlogin>
and the HomeDirectoryBase can be found with:
# ipa config-show | grep 'Home directory base'
Home directory base: /home
If you want to modify the Home Directory Base, you can use
# ipa config-mod --homedirectory=<newval>
Note that the new setting will be applied to users created after this
command and will not modify existing users' home directory.
If you want to modify the home directory for a specific user, you can use
# ipa user-mod <userlogin> --homedir=<newval>.
HTH,
flo
4 years, 9 months
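The checks flo describes above (look up the user's home directory in FreeIPA, then confirm the directory on the client exists, belongs to the user and is mode drwx------) can be scripted. The following is an added example, not code from the thread or from the FreeIPA project; it assumes the `ipa` CLI is installed and a ticket exists (`kinit admin`) when `ipa_homedir` is called, while `parse_homedir` and `check_homedir` run offline, and the `ipa user-show` sample output fed to the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): automate the home-directory checks.
# Assumes the FreeIPA CLI is installed and a ticket exists (kinit admin) when
# ipa_homedir is used; parse_homedir and check_homedir need nothing from IPA.

# Extract the "Home directory" value from `ipa user-show` output on stdin.
parse_homedir() {
    awk -F': ' '/Home directory:/ { print $2; exit }'
}

# Look up the home directory FreeIPA has recorded for a user.
ipa_homedir() {
    ipa user-show "$1" | parse_homedir
}

# Verify that a directory exists, is owned by the user and is mode drwx------.
# Prints a diagnostic and returns 1 on the first failed check.
check_homedir() {
    chk_user=$1
    chk_dir=$2
    if [ ! -d "$chk_dir" ]; then
        echo "missing: $chk_dir" >&2
        return 1
    fi
    # ls -ld prints "drwx------. 2 alice alice 4096 ..." (the trailing "." is
    # the SELinux label marker), so keep only the first ten mode characters.
    chk_line=$(ls -ld "$chk_dir")
    chk_mode=$(printf '%s\n' "$chk_line" | cut -c1-10)
    chk_owner=$(printf '%s\n' "$chk_line" | awk '{ print $3 }')
    if [ "$chk_owner" != "$chk_user" ]; then
        echo "$chk_dir is owned by $chk_owner, not $chk_user" >&2
        return 1
    fi
    if [ "$chk_mode" != "drwx------" ]; then
        echo "$chk_dir has mode $chk_mode, expected drwx------" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_homedir.sh <userlogin>
# Run on the client that reports 'Could not chdir', after kinit.
if [ -n "$1" ] && command -v ipa >/dev/null 2>&1; then
    hd=$(ipa_homedir "$1")
    echo "FreeIPA home directory for $1: $hd"
    check_homedir "$1" "$hd" && echo "OK: $hd is usable by $1"
fi
```

If the directory is missing, the usual fix is creating it (or enabling pam_mkhomedir / oddjob-mkhomedir); if the owner or mode is wrong, `chown` and `chmod 700` as flo's `ls -ld` check implies.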
freeipa-client-install error
by Elhamsadat Azarian
Hi
I installed the FreeIPA server based on a Windows DNS server. I mean there was a Windows DNS server, and while I was installing FreeIPA I set resolv.conf and hosts based on this Windows DNS.
Then I installed freeipa-client on my client server. Based on the instructions, I changed the client's resolv.conf to the FreeIPA IP.
(I mean I set the DNS of my client to the FreeIPA server IP.)
When I ran freeipa-client-install it showed an error:
"Failed to verify that ipa-server.shs.dc is an IPA server.
This may mean that the remote server is not up or reachable due to network settings."
In the ipaclient-install files:
"search DNS for SRV record of _ldap._tcp.shs.dc
DNS record not found: timeout."
Of course I opened all ports in the firewall and I'm sure the server is up.
4 years, 9 months
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format
by lune voo
Hello everyone.
I am sending you this mail because I am trying to connect an ipa-client 4.6.4 on RHEL7
to an ipa-server 3.0.0 on RHEL6 and I get the following message when I try
to register the client to the server:
###
ipa-client-install \
--domain=<MY_DOMAIN> \
--realm=<MY_REALM> \
--server=<MY_IPA_MASTER> \
--principal=admin \
--password='<admin_password>' \
--mkhomedir \
--hostname=<MY_CLIENT_HOST> \
--no-ntp \
--no-ssh \
--no-sshd \
--unattended
###
And here is the error I got:
###
WARNING: yacc table file version is out of date
Client hostname: <MY_CLIENT_HOST>
Realm: <MY_REALM>
DNS Domain: <MY_DOMAIN>
IPA Server: <MY_IPA_MASTER>
BaseDN: dc=<MY_REALM>
Skipping synchronizing time with NTP server.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount
--uninstall --debug' returned non-zero exit status 1
Failed to start certmonger: Command '/bin/systemctl start
certmonger.service' returned non-zero exit status 1
Command '/bin/systemctl start certmonger.service' returned non-zero exit
status 1
Command '/bin/systemctl start certmonger.service' returned non-zero exit
status 1
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
[root@<MY_CLIENT_HOST> ~]# /bin/systemctl start certmonger.service
Job for certmonger.service failed because the control process exited with
error code. See "systemctl status certmonger.service" and "journalctl -xe"
for details.
[root@<MY_CLIENT_HOST> ~]# systemctl status certmonger.service
● certmonger.service - Certificate monitoring and PKI enrollment
Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled;
vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2019-08-26 11:42:20 CEST;
27s ago
Process: 21027 ExecStart=/usr/sbin/certmonger -S -p
/var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
Main PID: 21027 (code=exited, status=1/FAILURE)
Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Starting Certificate
monitoring and PKI enrollment...
Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: 2019-08-26 11:42:20
[21027] Unable to set well-known bus name "org.fedorahosted.certmonger":
Connection ":1.21663" is not allowed to own the service "or...tion file(-1).
Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: Error connecting to
D-Bus.
Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service: main
process exited, code=exited, status=1/FAILURE
Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Failed to start Certificate
monitoring and PKI enrollment.
Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Unit certmonger.service
entered failed state.
Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service failed.
###
When I retried the command, it said the client was already configured, so I
tried to unconfigure it with the following command:
###
ipa-client-install -U --uninstall
###
But then I got the following error:
###
The ipa-client-install command failed, exception: CalledProcessError:
Command '/bin/systemctl start certmonger.service' returned non-zero exit
status 1
Command '/bin/systemctl start certmonger.service' returned non-zero exit
status 1
###
When I enable debug and check the logs, I can see a first error here:
###
Starting external process
args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f
/etc/ipa/nssdb/pwdfile.txt
Process finished, return code=255
stdout=
stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
###
When I check the content of /etc/ipa/nssdb, I indeed find only this
pwdfile.txt.
When I check the content of this folder on another RHEL7 host, I see more
content:
###
# ls -l /etc/ipa/nssdb/
total 80
-rw-r--r-- 1 root root 65536 Aug 9 2018 cert8.db
-rw-r--r-- 1 root root 16384 Aug 9 2018 key3.db
-rw------- 1 root root 40 Aug 9 2018 pwdfile.txt
-rw-r--r-- 1 root root 16384 Aug 9 2018 secmod.db
###
Could you help me understand and solve this problem, please?
I tried to use a client version lower than 4.4.0 instead of 4.6.4 to
register to a 3.0.0 server, but I still have the same problem.
How can I properly uninstall the ipa-client to begin again from the start?
Best regards.
Lune
4 years, 9 months
Create a virtual env python with ipa module included
by lune voo
Hello everyone.
I was wondering if it is possible to embed the ipa modules in a Python virtual
environment?
Or are they too tightly linked with the ipa-client installed on the system?
Best regards.
Lune
4 years, 9 months
Inactive users
by Boyd Ako
Is there any way to check when a user has last logged into any of the systems? I've tried `ipa user-show`, but the "Last Successful Authentication" is N/A.
4 years, 9 months
kadmin principal for an IPA master, but not for slave.
by TomK
Hey All,
The primary master I have has the kadmin principal for it:
kadmin/ipa03.mws.mds.xyz(a)MWS.MDS.XYZ
The slave (idmipa04) doesn't have a corresponding kadmin/... principal
entry. Can't find these principals in the UI.
1) Should the slave installer have created the slave kadmin/... principal?
2) If I wanted to create one, should the pass be any random string or
something specific?
3) Are there specific IPA commands to create the kadmin/... principals with?
Thx for taking a look.
--
Thx,
TK.
4 years, 9 months