CentOS update breaks access to Samba shares
by Jeff Goddard
Hi everyone,
Yesterday I updated our (CentOS 7) FreeIPA servers and it seems that now
the Samba shares hosted on one of them are no longer accessible. I've done
some reading and see that authentication now requires the winbind package
to be running, and in our case it is, but I'm still not able to
authenticate users on either Windows or Linux. We do not use AD, so there
are no trusts to worry about. Has anyone else experienced this and knows a
solution?
Thanks,
Jeff
5 years, 2 months
de/selecting AD's users
by lejeczek
hi guys
I wonder, and hope you guys could tell, if it's possible in IPA, when
there is a one-way trust established between AD & IPA, to allow only
certain accounts to log in to & access IPA's resources?
An ideal scenario I'm looking for is where all users from AD are
initially disallowed from logging in to & accessing the IPA domain, and then the admin can
allow such users on a per-user or per-group basis.
Is something like that a "built-in" IPA feature?
many thanks, L.
5 years, 2 months
Is IPA's DNS working as a recursive DNS server for internal + external requests?
by 74cmonty
Hi,
to my knowledge IPA's DNS server is BIND.
And this server is working as a recursive DNS for internal domains.
Question:
Can I use this DNS server for recursive DNS requests for external domains, too?
If yes, how?
My intention is to send client requests to Pi-hole first for DNS filtering; Pi-hole will act as DHCP, too.
If IPA's DNS server BIND does recurse, then I would have it set as the upstream of Pi-hole.
Client --> Pi-hole --> IPA --> Internet
In case IPA's DNS server does not support recursive DNS for external domains, then I'd consider adding another service providing recursive DNS only: Unbound DNS.
Client --> Pi-hole --> IPA --> Unbound --> Internet
5 years, 2 months
IPA's DNS - is global forwarder necessary?
by lejeczek
hi guys
I wonder if a global forwarder is a must. And if not by default, could it
be a must in a scenario where IPA has no direct Internet access?
The reason I ask is: I have a forward zone, but IPA cannot resolve that zone
unless I add a global forwarder (which happens to be the same Winbox, used both for the
forwarded zone and as the global forwarder). That is a bit weird, don't you say?
many thanks, L.
5 years, 2 months
Re: Lost IPA master Left with replica only
by Rob van Halteren
Thanks,
The working replica was installed without CA.
This is what I can find in the replica install log, from the replica that is working.
ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-replica.ams.mydomain.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'setup_ca': False, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
DEBUG args=/usr/sbin/ipa-replica-conncheck --master master.bxl.mydomain --auto-master-check --realm MYDOMAIN --principal theboss --hostname replica.ams.mydomain
Is there a command that can be used to poll for the CA master?
ROB VAN HALTEREN
AV | IT System Engineer
Entrepotdok 66
NL-1018 AD Amsterdam
T: +31 20 530 9696
F: +31 20 530 9697
www.filmmore.eu
http://twitter.com/filmmore
http://www.facebook.com/FilmmoreINT/
http://www.linkedin.com/company/filmmore-amsterdam/
5 years, 2 months
Login WebUI fails
by 74cmonty
Hi,
starting today I cannot login to WebUI anymore.
This is not a password authentication issue because I can switch to user "admin" in console.
When I enter 'kinit list' as root I get this response:
kinit: general error (see e-text) for Initial credentials will be fetched.
The same error is shown for 'kinit admin'.
How can I fix this issue?
THX
5 years, 2 months
fiddling with Win2016 trust - users
by lejeczek
hi guys
After a longer break from Windowze (I had a Win2012 trust okay in the
past), now I'm fiddling with Win2016 and have this question:
After the trust (one-way, coming from AD) is established okay, should AD's users
be immediately available to/in IPA?
Usual things such as id and ipa user-show do find those users. I cannot
remember how it was with my Win2012.
many thanks, L.
5 years, 2 months
ipa: ERROR: Nameserver 'd01.unix.dom.name.' does not have a corresponding A/AAAA record
by TomK
Hey All,
I have 4 NS servers:
ipa01.unix.dom.name 192.168.0.44
ipa02.unix.dom.name 192.168.0.45
and remote ones (just simple named / DNS):
dns01.d01.unix.dom.name 192.168.0.130
dns02.d01.unix.dom.name 192.168.0.132
When using:
1) ipa dnsforwardzone-add d01.unix.dom.name --forwarder=192.168.0.130
--forwarder=192.168.0.132 --forward-policy=only
2) ipa dnsrecord-add unix.dom.name. d01 --ns-rec=d01.unix.dom.name.
I'm greeted with:
ipa: ERROR: Nameserver 'd01.unix.dom.name.' does not have a
corresponding A/AAAA record
So I can add an A record on the IPA servers but perhaps this is looking
for the A record on the forwarding DNS servers 192.168.0.130 and
192.168.0.132?
If I'm adding it on the IPA side, then I'll add d01 with two IP addresses
too? That doesn't seem to make sense. I just need to forward on d01. I'm
forwarding the whole subzone.
What I have is:
ipa-common-4.5.0-22.el7.centos.noarch
python2-ipaclient-4.5.0-22.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-client-common-4.5.0-22.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
ipa-server-common-4.5.0-22.el7.centos.noarch
ipa-server-dns-4.5.0-22.el7.centos.noarch
python-libipa_hbac-1.15.2-50.el7_4.8.x86_64
libipa_hbac-1.15.2-50.el7_4.8.x86_64
python2-ipaserver-4.5.0-22.el7.centos.noarch
sssd-ipa-1.15.2-50.el7_4.8.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
ipa-python-compat-4.5.0-22.el7.centos.noarch
ipa-server-trust-ad-4.5.0-22.el7.centos.x86_64
python2-ipalib-4.5.0-22.el7.centos.noarch
ipa-server-4.5.0-22.el7.centos.x86_64
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
5 years, 2 months
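The error in the post above is FreeIPA's glue check on NS records: the target of an NS record has to be a nameserver's host name that resolves to an A/AAAA record, and `d01.unix.dom.name.` is the delegated zone's own name, which owns no address; the nameservers are `dns01.d01.unix.dom.name` and `dns02.d01.unix.dom.name`, and because they live under the delegated zone the parent needs glue A records for them. The Python below is an added example, not FreeIPA's code and not anything the poster ran: it models that check against a constructed in-memory record set built from the names and addresses in the post. The real IPA check resolves the target through DNS, so the in-memory lookup is a simplification, and all function names (`add_ns`, `delegate_with_glue`, `demo`) are hypothetical.

```python
"""Offline model of the glue check behind the FreeIPA error
'Nameserver ... does not have a corresponding A/AAAA record'.

Added example, not FreeIPA's own code. FreeIPA resolves an NS target
through DNS; here the lookup runs against a constructed in-memory record
set (names and addresses taken from the mailing-list post) so it can be
executed without an IPA server.
"""
import ipaddress
from typing import Dict, List, Tuple

# owner name (absolute, lower case) -> list of (rrtype, rdata)
Zone = Dict[str, List[Tuple[str, str]]]


class NoGlueError(Exception):
    """Raised when an NS target has no A/AAAA record, mirroring IPA's refusal."""


def absolute(name: str, zone: str) -> str:
    """Qualify a relative owner name within ZONE; '@' means the zone apex."""
    zone = zone.lower().rstrip(".") + "."
    name = name.lower()
    if name == "@":
        return zone
    if name.endswith("."):
        return name
    return f"{name}.{zone}"


def has_address(zone: Zone, target: str) -> bool:
    """True if TARGET owns at least one A or AAAA record in the model."""
    return any(rtype in ("A", "AAAA") for rtype, _ in zone.get(target.lower(), []))


def add_address(zone: Zone, zone_name: str, owner: str, address: str) -> str:
    """Model `ipa dnsrecord-add ZONE OWNER --a-rec=IP` (or --aaaa-rec for IPv6)."""
    ip = ipaddress.ip_address(address)  # rejects malformed input early
    fq = absolute(owner, zone_name)
    zone.setdefault(fq, []).append(("A" if ip.version == 4 else "AAAA", str(ip)))
    return fq


def add_ns(zone: Zone, zone_name: str, owner: str, target: str) -> str:
    """Model `ipa dnsrecord-add ZONE OWNER --ns-rec=TARGET`.

    The target must be a host name owning an address record; a delegated
    zone's own name does not qualify unless it happens to own an A/AAAA.
    """
    fq_target = absolute(target, zone_name)
    if not has_address(zone, fq_target):
        raise NoGlueError(
            f"Nameserver '{fq_target}' does not have a corresponding A/AAAA record")
    fq_owner = absolute(owner, zone_name)
    zone.setdefault(fq_owner, []).append(("NS", fq_target))
    return fq_target


def delegate_with_glue(zone: Zone, parent: str, child: str,
                       servers: Dict[str, str]) -> List[str]:
    """Delegate CHILD (relative to PARENT) to SERVERS, a {hostname: ip} map.

    Glue A/AAAA records are written first so that every NS add passes the
    check. Returns the absolute NS targets that were recorded.
    """
    targets = []
    for host, ip in servers.items():
        add_address(zone, parent, host, ip)
        targets.append(add_ns(zone, parent, child, host))
    return targets


def demo() -> Tuple[bool, List[str]]:
    """Replay the post: the failing command, then a delegation that passes."""
    zone: Zone = {}
    add_address(zone, "unix.dom.name.", "ipa01", "192.168.0.44")
    add_address(zone, "unix.dom.name.", "ipa02", "192.168.0.45")

    # Step 2 from the post: the NS target is the child zone name itself.
    try:
        add_ns(zone, "unix.dom.name.", "d01", "d01.unix.dom.name.")
        rejected = False
    except NoGlueError:
        rejected = True

    # Point the delegation at the real nameservers, with glue in the parent.
    targets = delegate_with_glue(zone, "unix.dom.name.", "d01", {
        "dns01.d01": "192.168.0.130",
        "dns02.d01": "192.168.0.132",
    })
    return rejected, targets


if __name__ == "__main__":
    print(demo())
```

Running the file replays the post: the first NS add is refused with the same wording as the IPA error, and the delegation to dns01/dns02 succeeds once their glue A records exist in `unix.dom.name`. The forward zone from step 1 already makes IPA's BIND hand queries under `d01.unix.dom.name` to 192.168.0.130 and 192.168.0.132; the NS records in the parent zone matter for resolvers that follow the delegation themselves rather than asking the IPA servers.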
ManageIQ/Cloudforms integration
by Sigbjorn Lie-Soland
Hi list,
Is there a known repository with an existing ManageIQ/Cloudforms
Automate framework for FreeIPA?
I am primarily looking for the ability to create HBAC and SUDO rules as
part of the provisioning process.
Thanks.
Regards,
Siggi
5 years, 2 months