PTR?
by Kat
Hi
If this is set:
Allow PTR sync: TRUE
Then why, when a host is added with ipa host-add, does only the forward
DNS record get set and not the PTR?
Anywhere else to look?
Thanks
2 years, 7 months
Permission to allow user to list DNS zones
by John Petrini
Hello List,
Can anyone give me some guidance on how to create a permission that allows
a user to list (search) DNS zones? I know how to set up per-zone permissions
using dnszone-add-permission but in this case I just want the user to be
able to get a list of zones, not modify individual zones.
Thanks,
John
2 years, 7 months
System Account for Client Enrollment
by Peter Tselios
Hello,
I want to create an IPA "system" account that will be able to enroll clients (nothing else). There is a discussion (around 2016), but it looks like it is not relevant to FreeIPA 4.5. Also, I cannot find anything in Red Hat's KB.
So, what is the correct way to create a system account that will join hosts in the IdM domain?
2 years, 7 months
SSO issue on freeipa client
by tarak sinha
Hi Team,
I am not able to SSH to my ipaclient host with SSO; it was working a few days
back.
Here is the SSH debug output. Any suggestion will be much appreciated.
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.21.113.217.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Unspecified GSS failure. Minor code may provide more information
Generic error (see e-text)
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /uhome/tsinha/.ssh/id_rsa
debug3: no such identity: /uhome/tsinha/.ssh/id_rsa
debug1: Trying private key: /uhome/tsinha/.ssh/id_dsa
debug3: no such identity: /uhome/tsinha/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
2 years, 7 months
Lost Password
by John Ball
Hello All - Our previous employee that set up the Admin and password to
log in to our https://ipa-1.int.dplcl.com URL, the password is not working.
How can I reset this animal?
Many Thanks,
Regards,
John
2 years, 7 months
Using multiple hostnames in freeipa https, ldap, kerberos kdc certificates
by Anvar Kuchkartaev
Hello everyone,
I am planning to deploy a replica of FreeIPA to AWS, and I have the following
idea:
* Let's say the FreeIPA domain is example.com
* The FreeIPA domain has its own CA
* All AWS hosts will get a hostname automatically over DHCP options in the
VPC, like ip-xxx-xxx-xxx-xxx.aws.example.com
* The FreeIPA replica will be reachable on one internal IP and one elastic
IP; the internal IP will be reachable with the hostname ipa.aws.example.com,
the external one (elastic IP) will be reachable as ipa.example.com, and DNS
autodiscovery records will do the rest.
I cannot resolve one part: when using different hostnames, I might run
into TLS and STARTTLS issues, since the IPA Apache, LDAP, and Kerberos KDC
certificates are issued automatically only to one hostname.
I would like to ask if it is possible to replace the IPA Apache, LDAP, and
Kerberos KDC certificates with SAN certificates that support multiple
hostnames?
Thanks,
--
Anvar Kuchkartaev
anvar(a)aegissec.net
2 years, 7 months
is AD trust possible without Samba bits?
by lejeczek
hi guys,
I do not suppose it is possible, but it would be great to get absolute
clarification - AD trust cannot be established, but even if it can be,
then it cannot work later at all if Samba is not under IPA's rule -
correct? It simply is not possible, right?
many thanks, L
2 years, 7 months
freeIPa replica setup
by Alfredo De Luca
Hi all.
I need to set up a FreeIPA replica and am not sure which is the best and most
reliable.
I found a few people preparing the replica from the server, others just
installing the replica on another machine with the appropriate
configuration.
Any info/docs?
--
*Alfredo*
2 years, 7 months