SSH Hostbased Authentication with FreeIPA
by Vinícius Ferrão
Hello,
I’m trying to implement SSH Hostbased Authentication between IPA-joined machines, but I’m having difficulties regarding:
* The /etc/ssh/ssh_known_hosts file.
In a FreeIPA environment the known_hosts are stored on IPA, and I’m aware of the ProxyCommand /usr/bin/sss_ssh_knownhostsproxy; but how can I create this file with the entries from FreeIPA?
* Another issue is with the /etc/ssh/shosts.equiv file.
It supports plain hostnames or netgroups, which is a NIS thing. Does FreeIPA offer any netgroup compatibility? I’m expecting to put something like @nodes in this file to keep it simple. Any changes on IPA hosts would be reflected automatically.
Thanks,
PS: Further documentation about SSH Hostbased Authentication: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
Re: Ipa user can't login via ssh
by Rob Crittenden
Elhamsadat Azarian wrote:
> Hi Rob
> Thank you for helping
> I disabled the default HBAC rule and added a new rule that user "elham" could
> login and ssh on hosts "ipa-client and ipa-server".
> Now it can ssh to ipa-server but it still has a problem with ipa-client.
> So rules couldn't solve my problem.
I don't know what to tell you without more details.
rob
>
> On Tue, 15 Oct 2019, 16:44 Rob Crittenden, <rcritten(a)redhat.com> wrote:
>
> Please keep freeipa-users in the responses.
>
> Elhamsadat Azarian wrote:
> > Hi Rob
> > I did it and I got this answer:
> >
> > Access granted : false
> >
> > What can I do now?
>
> IPA ships with a default HBAC rule, allow_all, which allows all users to
> authenticate on all hosts. I can only assume you've deleted or disabled
> that, and that's fine.
>
> But if you do then you need to create the set of rules to grant access
> to hosts for the appropriate users.
>
> To provide specific assistance you'd need to share a bit of internal
> details, current HBAC rules, etc. It is understandable if you can't
> do that.
>
> But basically you need to evaluate your HBAC rules to find out why this
> user can't log into hosts. The user may be missing from a group, for
> example.
>
> rob
> >
> > On Mon, 14 Oct 2019, 18:07 Rob Crittenden, <rcritten(a)redhat.com> wrote:
> >
> > Elhamsadat Azarian wrote:
> > > I tried to add HBAC rules to my user but it said: some operation
> > > failed. Users cannot be added when user category = all
> >
> > Adding list back.
> >
> > Try something like:
> >
> > ipa hbactest --user elham --service ssh --host <your host>
> >
> > There is an equivalent way to do it in the UI.
> >
> > rob
> >
> > >
> > > On Wed, 9 Oct 2019, 17:19 Rob Crittenden, <rcritten(a)redhat.com> wrote:
> > >
> > > Kevin Vasko via FreeIPA-users wrote:
> > > > Have you made sure your “elham” user has the correct permissions
> > > > to access the machines? Take a look in the UI at the
> > > > groups/permissions that user elham has. Take a look at your HBAC
> > > > rules as well. That would be my first recommendation to check if it
> > > > was me.
> > >
> > > Right, and the troubleshooting page suggests that (and increasing debug
> > > logging).
> > >
> > > Please provide the output of the things you have already looked at.
> > >
> > > rob
> > >
> > > >
> > > > -Kevin
> > > >
> > > >> On Oct 9, 2019, at 7:23 AM, Elhamsadat Azarian via FreeIPA-users
> > > >> <freeipa-users(a)lists.fedorahosted.org> wrote:
> > > >>
> > > >> ### Request for enhancement
> > > >> As a Linux admin I want to log in to my ipa client with a user
> > > >> that is defined in the ipa-server UI.
> > > >>
> > > >> ### Issue
> > > >> I installed Ipa-server and an Ipa-client on CentOS 7.6.
> > > >> I defined internal DNS on ipa-server and I defined A and PTR
> > > >> records for the client on ipa-server.
> > > >> Now I can see my client in the ipa UI and I defined a user with name
> > > >> "elham" and I expect that it can log in to ipa-client.
> > > >> When I log in with root in ipa-client and I do sudo elham, it
> > > >> works and kinit elham works too, but
> > > >> when I do ssh into ipa-client with this user, it shows "Access denied".
> > > >> I have errors with this context:
> > > >> pam_reply : authentication failure to the client
> > > >> pam_sss: authentication falure
> > > >>
> > > >> I'm tired of this issue. Please help me if you know the solution.
> > > >>
> > > >> #### Steps to Reproduce
> > > >> 1. define new user "elham" in ipa UI
> > > >> 2. SSH to ipa-client with elham
> > > >> 3. access denied
> > > >>
> > > >> #### Actual behavior
> > > >> (what happens)
> > > >>
> > > >> #### Expected behavior
> > > >> login into ipa-client successfully
> > > >>
> > > >> #### Version/Release/Distribution
> > > >> ipa-server 4.6.5-11.el7
> > > >> ipa-client 4.6.4-10.el7.centos.3
> > > >> Log files and config files are added below:
> > > >>
> > > >>
> > > >>
> > > >> krb5.conf
> > > >> ------------
> > > >> #File modified by ipa-client-install
> > > >>
> > > >> includedir /etc/krb5.conf.d/
> > > >> includedir /var/lib/sss/pubconf/krb5.include.d/
> > > >>
> > > >>
> > > >> [logging]
> > > >> default = FILE:/var/log/krb5libs.log
> > > >> kdc = FILE:/var/log/krb5kdc.log
> > > >> admin_server = FILE:/var/log/kadmind.log
> > > >> [libdefaults]
> > > >> default_realm = LSHS.DC
> > > >> dns_lookup_realm = false
> > > >> dns_lookup_kdc = false
> > > >> rdns = false
> > > >> ticket_lifetime = 24h
> > > >> forwardable = yes
> > > >> allow_weak_crypto = true
> > > >> default_ccache_name = KEYRING:persistent:%{uid}
> > > >>
> > > >> [realms]
> > > >> LSHS.DC = {
> > > >> kdc = ipa-irvlt01.example.dc:88
> > > >> admin_server = ipa-irvlt01.example.dc:749
> > > >> default_domain = example.dc
> > > >> }
> > > >> [domain_realm]
> > > >> .example.com = LSHS.DC
> > > >> example.com = LSHS.DC
> > > >> ############################################
> > > >>
> > > >>
> > > >> sssd.conf
> > > >> -------------
> > > >> [domain/example.dc]
> > > >>
> > > >> cache_credentials = True
> > > >> krb5_store_password_if_offline = True
> > > >> ipa_domain = example.dc
> > > >> id_provider = ipa
> > > >> auth_provider = ipa
> > > >> access_provider = ipa
> > > >> ldap_tls_cacert = /etc/ipa/ca.crt
> > > >> ipa_hostname = ipacli-irvlt01.example.dc
> > > >> chpass_provider = ipa
> > > >> dyndns_update = True
> > > >> ipa_server = _srv_, ipa-irvlt01.example.dc
> > > >> dyndns_iface = ens160
> > > >> dns_discovery_domain = example.dc
> > > >>
> > > >> debug_level = 10
> > > >> [sssd]
> > > >> ########### AFTER IPA ###################
> > > >> #services = nss, sudo, pam, ssh
> > > >> services = nss, pam
> > > >> config_file_version = 2
> > > >> #########################################
> > > >> domains = example.dc
> > > >>
> > > >> debug_level = 10
> > > >> [nss]
> > > >> homedir_substring = /home
> > > >>
> > > >> [pam]
> > > >> debug_level = 10
> > > >>
> > > >> [sudo]
> > > >>
> > > >> [autofs]
> > > >>
> > > >> [ssh]
> > > >>
> > > >> [pac]
> > > >>
> > > >> [ifp]
> > > >>
> > > >> [secrets]
> > > >>
> > > >> [session_recording]
> > > >>
> > > >> ##########################################
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Freeipa homedir overrides
by Matthias Salzmann
Hello together
I'm a newbie in FreeIPA.
I have a (one-side) cross-forest trust with an Active Directory domain.
AD users are able to log in with ssh on the Linux server. That works fine.
With sssd I am able to override the homedir (override_homedir = /home/%u).
Unfortunately it is not possible to override the homedir with an additional variable. Example: /home/%g/%u (%g = $group)
The default group of each user should be included in the homedir, like /home/merchandising/paul.
In the FreeIPA server I am able to override a user's homedir with ID views, but only for a single user.
Does anyone know how I can override the homedir for a particular group?
Many Thanks
Matthias
ns-slapd hangs several times a day
by Sylvain Coutant
Hello gurus,
We have been running a 3-node FreeIPA cluster for some time without major
trouble. One server may stall from time to time, without real trouble to
restart it.
A few days ago, we had to migrate the VMs between two clouds (disk image
copied from one to the other). They have been renumbered from the old to the
new IPv4 address space. Not that easy, but we finally got it done with all DNS
entries in sync. Yet, since the migration, the ns-slapd process hangs randomly
way more often than before (it went from once every few months to several
times a day) and is especially hard to restart on any node.
While starting up, the netstat output is like:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 184527 0 10.217.151.3:389 10.217.151.2:52314 ESTABLISHED 29948/ns-slapd
Netstat and tcpdump show that it processes the recvq very slowly (sometimes
like 79 bytes per 1-2 seconds). At some point it just stops processing it and
hangs (only kill -9 works to take it down). When stalled, strace shows the
process loops only on:
getpeername(8, 0x7ffe62c49fd0, 0x7ffe62c49f94) = -1 ENOTCONN (Transport endpoint is not connected)
poll([{fd=50, events=POLLIN}, {fd=7, events=POLLIN}, {fd=8, events=POLLIN},
{fd=9, events=POLLIN}, {fd=117, events=POLLIN}, {fd=116, events=POLLIN},
{fd=115, events=POLLIN}, {fd=114, events=POLLIN}, {fd=89, events=POLLIN},
{fd=85, events=POLLIN}, {fd=83, events=POLLIN}, {fd=82, events=POLLIN},
{fd=81, events=POLLIN}, {fd=80, events=POLLIN}, {fd=79, events=POLLIN},
{fd=78, events=POLLIN}, {fd=77, events=POLLIN}, {fd=76, events=POLLIN},
{fd=67, events=POLLIN}, {fd=72, events=POLLIN}, {fd=69, events=POLLIN},
{fd=64, events=POLLIN}, {fd=66, events=POLLIN}], 23, 250) = 0 (Timeout)
If it can get through startup replication, one of the servers will hang a
little bit later, freezing the whole cluster and forcing us to restart the
faulty node to unlock things.
When stalled, the dirsrv access log only contains entries like:
[20/Oct/2019:17:52:46.950029525 +0100] conn=86 fd=131 slot=131 connection from 10.217.151.4 to 10.217.151.4
[20/Oct/2019:17:52:51.280412883 +0100] conn=87 fd=132 slot=132 SSL connection from 10.217.151.10 to 10.217.151.4
[20/Oct/2019:17:52:54.956204031 +0100] conn=88 fd=133 slot=133 connection from 10.217.151.4 to 10.217.151.4
[20/Oct/2019:17:53:04.966542441 +0100] conn=89 fd=134 slot=134 connection from 10.217.151.2 to 10.217.151.4
[20/Oct/2019:17:53:22.659053020 +0100] conn=90 fd=135 slot=135 SSL connection from 10.217.151.10 to 10.217.151.4
[20/Oct/2019:17:53:51.006707605 +0100] conn=91 fd=136 slot=136 connection from 10.217.151.4 to 10.217.151.4
[20/Oct/2019:17:53:54.514162543 +0100] conn=92 fd=137 slot=137 SSL connection from 10.217.151.10 to 10.217.151.4
[20/Oct/2019:17:53:59.011602776 +0100] conn=93 fd=138 slot=138 connection from 10.217.151.3 to 10.217.151.4
[20/Oct/2019:17:54:09.019296900 +0100] conn=94 fd=139 slot=139 connection from 10.217.151.4 to 10.217.151.4
And netstat lists tens of accepted network connections that are stale, like:
tcp6 286 0 10.217.151.4:389 10.217.151.10:32512 ESTABLISHED 29948/ns-slapd
The underlying network seems clean and uses jumbo frames. tcpdump and ping
show 0 packet loss and no retransmits. Being afraid it could be a jumbo
frame issue, the MTU was even forced down to 1500. Without success.
Entropy seems fine as well :
# cat /proc/sys/kernel/random/entropy_avail
3138
Running version on all servers:
ipa-client-4.6.5-11.el7.centos.x86_64
ipa-client-common-4.6.5-11.el7.centos.noarch
ipa-common-4.6.5-11.el7.centos.noarch
ipa-server-4.6.5-11.el7.centos.x86_64
ipa-server-common-4.6.5-11.el7.centos.noarch
ipa-server-dns-4.6.5-11.el7.centos.noarch
I'd happily listen to any hint regarding this critical problem.
/Sylvain.
NFS Home directories: ipa-client-automount on Ubuntu 18.04
by TomK
Hey All,
Are there any recent instructions available for configuring NFS home
directories using ipa-client-automount?
Currently the above command generates:
stderr=
Started rpcidmapd
Starting external process
args=['/bin/systemctl', 'enable', 'nfs-idmapd.service']
Process finished, return code=0
stdout=
stderr=The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
.wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
instance name specified.
stderr=
Started rpcgssd
Starting external process
args=['/bin/systemctl', 'enable', 'rpc-gssd.service']
Process finished, return code=0
stdout=
stderr=The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
.wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
instance name specified.
And mount doesn't work.
--
Thx,
TK.
Re: Internal vs External CA
by Kristian Petersen
OK, I must have missed that and I think I have the root cert now. I ran
ipa-cacert-manage -n Digicert_Root -t C,, install DigiCert_Global_Root_CA.crt
The message I got back said that this cert was installed successfully.
So now I tried adding the others using the same command as above (with a
different nickname and file for each) and that failed. I tried adding them
with ipa-server-certinstall but that didn't seem to work either. I ran:
ipa-server-certinstall -w -d odin_chem_byu_edu.key odin_chem_byu_edu.crt DigiCertCA.crt DigiCert_Global_Root_CA.crt
entered the Directory Manager password, then it prompts for the private key
password (there isn't one) on this. That didn't work, saying I still don't
have the entire chain.
I contacted Digicert about this and they pointed me to an intermediate
certificate I could download, but it isn't in the same format so I'm not
sure what to do with it, as I cannot check the subject/issuer info on it
with the openssl command like the others. I attempted to just add it to
the command above, but it still said I didn't have the entire chain.
On Wed, Oct 16, 2019 at 1:50 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> Kristian Petersen wrote:
> > https://drive.google.com/file/d/1Ygi85YAGh-DKfOXPz0mi9zIEbFwrSKnh/view?us...
> > https://drive.google.com/file/d/1nuOGG4zrhq9mAZaLMqFBHgxx3d22XKW_/view?us...
> >
> > Try using these links to my Google Drive. Sending them to
> > rcritten(a)redhat.com failed.
>
> I don't have access to the first one. The second one containing
> DigiCertCA.crt is not a root:
>
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>
> rob
>
> > On Wed, Oct 16, 2019 at 1:02 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Kristian Petersen wrote:
> > > I tried attaching the files to my reply but that was rejected. So what
> > > is the best way to share them with you?
> >
> > You can send them directly to me if you'd like.
> >
> > rob
> >
> > > On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > Kristian Petersen via FreeIPA-users wrote:
> > > > They aren't in one file. But the server cert's issuer is the subject of
> > > > the DigiCert.crt file. I have already tried adding just the
> > > > Digicert.crt file only to have it tell me it's Peer's Certificate isn't
> > > > trusted. I don't even know what certificate that is talking about.
> > >
> > > Can you share the files?
> > >
> > > rob
> > >
> > > > On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > >
> > > > Kristian Petersen wrote:
> > > > > Rob,
> > > > >
> > > > > After investigating the certs as you had suggested, I do have the whole
> > > > > chain. The server cert has as its issuer:
> > > > > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > > >
> > > > > And the DigiCert.crt file has as its issuer and subject:
> > > > > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > > > Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > > > >
> > > > > Am I missing something here?
> > > >
> > > > So you have the whole chain in one file? Try adding them individually,
> > > > starting at the root.
> > > >
> > > > rob
> > > >
> > > > > On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > > >
> > > > > Kristian Petersen wrote:
> > > > > > New but related question: If I just want to add new LDAP and HTTPS
> > > > > > certs (not replacing the current ones) I know that can be done. I read
> > > > > > an article from Florence Blanc-Renaud that mentions it, but I ran into
> > > > > > some errors and I'm trying to troubleshoot them. When I ran
> > > > > > ipa-server-certinstall and gave it the key I generated and the crt file
> > > > > > I got from Digicert it said the entire chain was not present. So then I
> > > > > > tried including the DigiCertCA.crt file as well, however, I got the same
> > > > > > result.
> > > > > >
> > > > > > I next tried adding the DigiCert certificate to IPA using
> > > > > > ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
> > > > > > This also failed giving an error that the cert was invalid because the
> > > > > > Peer's Certificate issuer was not recognized. Any thoughts about what I
> > > > > > might have missed?
> > > > >
> > > > > You don't have the full chain. It can be tricky to find the whole list
> > > > > even on CAs that make it relatively easy.
> > > > >
> > > > > What you want to do is use a tool like openssl x509 to display the
> > > > > subject and issuer:
> > > > >
> > > > > openssl x509 -text -noout -in /path/to/cert
> > > > >
> > > > > I'd start with the server cert you've been issued. Find a matching CA
> > > > > cert where the subject of the CA cert matches the issuer on the
> > > > > server cert.
> > > > >
> > > > > Then find another CA cert whose subject matches the issuer of the bottom
> > > > > of the chain, and work upwards until you find a CA cert where the issuer
> > > > > and subject match. Then you've found the root. That plus the other
> > > > > matching CA certs is your chain.
> > > > >
> > > > > I'll also note about the "add but not replace" the LDAP and Web certs.
> > > > > There can only be one active. You can certainly use different physical
> > > > > files and nicknames to store the new certs but only one set is active at
> > > > > a time.
> > > > >
> > > > > rob
> > > > >
> > > > > > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > > > >
> > > > > > Kristian Petersen via FreeIPA-users wrote:
> > > > > > > That outlines the options, but not why I should or shouldn't use
> > > > > > > any of them. That is more of what I am looking for.
> > > > > >
> > > > > > It's less benefit analysis and more forced by internal requirements.
> > > > > >
> > > > > > Often an organization already has a CA and wants any additional CAs to
> > > > > > be subordinates.
> > > > > >
> > > > > > The downsides of an external CA are some additional complexity.
> > > > > >
> > > > > > Installation can be more difficult (users often have issues getting
> > > > > > their external CA to properly sign the IPA CSR), dealing with a longer
> > > > > > certificate chain and being bound by the expiration date of the
> > > > > > external CA.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami(a)redhat.com> wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
> > > > > > > <freeipa-users(a)lists.fedorahosted.org> wrote:
> > > > > > > >
> > > > > > > > Hey y'all,
> > > > > > > >
> > > > > > > > What are the pros and cons of using an external or internal CA
> > > > > > > > for FreeIPA/IdM? I am trying to decide which to do but having
> > > > > > > > trouble finding a lot of info about why I would want to do one or
> > > > > > > > the other.
> > > > > > >
> > > > > > > The choices are documented there:
> > > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> > > > > > >
> > > > > > > François
> > > > > > >
> > > > > > > > Thanks in advance!
> > > > > > > >
> > > > > > > > --
> > > > > > > > Kristian Petersen
> > > > > > > > System Administrator
> > > > > > > > BYU Dept. of Chemistry and Biochemistry
> > > > > > > >
> > > _______________________________________________
> > > > > > > > FreeIPA-users mailing list --
> > > > > > freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>
> > > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>>
> > > > > > >
> > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>
> > > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>>>
> > > > > > > > To unsubscribe send an email to
> > > > > > >
> > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>
> > > > > > >
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>>
> > > > > > > > Fedora Code of Conduct:
> > > > > > >
> > > > >
> > >
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > > > List Guidelines:
> > > > > > >
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > > List Archives:
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Kristian Petersen
> > > > > > > System Administrator
> > > > > > > BYU Dept. of Chemistry and Biochemistry
> > > > > > >
> > > > > > >
> > > > > > >
> > _______________________________________________
> > > > > > > FreeIPA-users mailing list --
> > > > > freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>
> > > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>>>>
> > > > > > > To unsubscribe send an email to
> > > > > > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>
> > > > > > > Fedora Code of Conduct:
> > > > > >
> > > >
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > > List Guidelines:
> > > > > >
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > List Archives:
> > > > > >
> > > > >
> > > >
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Kristian Petersen
> > > > > > System Administrator
> > > > > > BYU Dept. of Chemistry and Biochemistry
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Kristian Petersen
> > > > > System Administrator
> > > > > BYU Dept. of Chemistry and Biochemistry
> > > >
> > > >
> > > >
> > > > --
> > > > Kristian Petersen
> > > > System Administrator
> > > > BYU Dept. of Chemistry and Biochemistry
> > > >
> > > >
> > > > _______________________________________________
> > > > FreeIPA-users mailing list --
> > freeipa-users(a)lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>
> > > <mailto:freeipa-users@lists.fedorahosted.org
> > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > To unsubscribe send an email to
> > > freeipa-users-leave(a)lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > >
> > >
> > >
> > >
> > > --
> > > Kristian Petersen
> > > System Administrator
> > > BYU Dept. of Chemistry and Biochemistry
> >
> >
> >
> > --
> > Kristian Petersen
> > System Administrator
> > BYU Dept. of Chemistry and Biochemistry
>
>
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years, 1 month
Windows clients and domain_realm mappings
by Pieter Baele
The only open issue we have with IPA is Windows clients not being directed
to the Kerberos servers of the IPA realm.
We can solve this issue using domain_realm registry keys as mentioned on
the mailing list before.
But is there any different method to accomplish this?
As far as I know/read, Windows clients only use SRV DNS records (and can
fall back to NetBIOS-based discovery) to locate domain services, not TXT
records.
And as the IETF Kerberos Clarification drafts recommend against using (then)
unsecured DNS for domain_realm mappings, TXT DNS domain_realm mappings are
also not an option.
Sincerely
Pieter
4 years, 1 month
autofs debugging
by danielle lampert
Hello,
I'm running CentOS 7.4 and I'm struggling to make autofs work with a direct
map. I believe I followed the documentation (Linux Domain Identity,
Authentication, and Policy Guide) correctly, but I can't find why it's not
working. Mounting manually is OK.
Where should I start to look?
thanks in advance
4 years, 1 month
FreeIPA new network with DNS
by Jason Dunham
I am trying to set up a small office of software developers with FreeIPA.
My ipa-server-install fails with "DNS zone example.com. already exists in
DNS and is handled by servers foo1.myisp.net...".
We do have basic hosted dns for our few public facing servers but I want to
run an internal DNS on the LAN (and on the OpenVPN) to do name resolution.
We don't currently have any AD or Kerberos, this is basically a new company
with just a few people and a few workstations and will probably never grow
very large without massive infrastructure changes that would be way out of
scope for what I am trying to do.
I was going to set up the internal computers as
workstation1.internal.mycompany.com, workstation2.internal.mycompany.com,
etc. since my understanding is that I can't do it without a subdomain since
the primary domain DNS server already exists.
I am putting this on a new server with a fresh install of CentOS 8. The ipa
server is ipa.mycompany.com, or is it supposed to be
ipa.internal.mycompany.com? I was trying to use all the defaults when
calling ipa-server-install --setup-dns, but I don't really understand where
to tell it about the subdomain.
None of the many tutorials I have read seem to deal with my use case even
though it seems like something lots of people would want to do. Am I using
the right tool for this job? Am I just not finding the right web page that
makes it easy?
Can I run a small network with about 10 hosts and about 10 users on one
freeipa host? I also have a separate box for pfsense/openvpn and maybe I
could run a failover dns server on that, but I can't even get the main
server running.
Thanks in advance for any help with this.
4 years, 1 month
Commands ipa topologysegment-find/show are confusing
by Jesús Marín García
Hello everyone:
These days I have been doing a freeipa upgrade on a production cluster,
what requires to perform multiple operations on the cluster for doing it
without service interruption.
One of the tasks was to ensure the topology is a complete graph, where each
node has a connection with all the other nodes.
In order to get the current topology, the command is `ipa
topologysegment-find ca/domain`
But this is confusing since there is another command named `ipa
topologysegment-show...`.
A user could expect the following behaviour:
- topologysegment-show -> List all the elements, since "show" means you
want to see something in general terms.
- topologysegment-find -> List filtered elements by a given value, since
"find" means you want to see something concrete.
This is the same with other topics of the IPA command.
I think this should be changed in order to be clearer. My proposal is as
follows:
- "topic"-list -> in order to list all the elements.
- "topic"-find -> in order to get certain elements filtered by a given
value.
- "topic"-detail or "topic"-describe -> in order to see the details of a
given element.
What do you think? Do you also find current commands confusing?
Thanks,
Regards
4 years, 1 month
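To make the full-mesh check described in that post repeatable, here is an added example (not code from the original post or from the FreeIPA project) that parses the text output of `ipa topologysegment-find domain` (or `... ca`) and lists every pair of servers that has no segment with `Connectivity: both`. The sample output embedded below is constructed to mirror the CLI's usual record layout, and the hostnames ipa1/ipa2/ipa3.example.test are assumptions, not hosts from the thread. Passing the full server list (for instance from `ipa server-find`) also catches a server that has no segments at all, which would otherwise be invisible to a parser that only sees segment records.

```python
"""Check that a FreeIPA replication topology is a complete graph.

Added example, not part of the original post or of FreeIPA itself.
Input is the human-readable output of `ipa topologysegment-find <suffix>`;
SAMPLE_OUTPUT is constructed to mirror that layout and uses assumed hostnames.
"""
import itertools
import re
import sys
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: three servers, one segment only replicating left-to-right.
SAMPLE_OUTPUT = """\
------------------
3 segments matched
------------------
  Segment name: ipa1.example.test-to-ipa2.example.test
  Left node: ipa1.example.test
  Right node: ipa2.example.test
  Connectivity: both
  Segment name: ipa2.example.test-to-ipa3.example.test
  Left node: ipa2.example.test
  Right node: ipa3.example.test
  Connectivity: both
  Segment name: ipa1.example.test-to-ipa3.example.test
  Left node: ipa1.example.test
  Right node: ipa3.example.test
  Connectivity: left-right
----------------------------
Number of entries returned 3
----------------------------
"""

Segment = Dict[str, str]

# Indented "Key: value" lines make up one record; separator and summary
# lines are not indented and are skipped.
_FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")


def parse_segments(text: str) -> List[Segment]:
    """Split the CLI output into one dict per segment.

    A new record starts at every 'Segment name:' line; later keys of the
    same record (Left node, Right node, Connectivity) are attached to it.
    """
    segments: List[Segment] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Segment name":
            segments.append({})
        if segments:
            segments[-1][key] = value
    return segments


def missing_links(segments: List[Segment],
                  nodes: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return the unordered server pairs lacking a bidirectional segment.

    Only 'Connectivity: both' counts as a link; a one-way segment (left-right
    or right-left) is reported as missing, since it does not replicate both
    ways. `nodes` optionally supplies the complete server list so that a
    server with no segments at all is still included in the pairing.
    """
    linked: Set[frozenset] = set()
    seen: Set[str] = set(nodes or ())
    for seg in segments:
        left, right = seg.get("Left node"), seg.get("Right node")
        if not left or not right:
            continue
        seen.update((left, right))
        if seg.get("Connectivity", "").lower() == "both":
            linked.add(frozenset((left, right)))
    return sorted(
        (a, b)
        for a, b in itertools.combinations(sorted(seen), 2)
        if frozenset((a, b)) not in linked
    )


if __name__ == "__main__":
    # Usage: ipa topologysegment-find domain | python3 check_topology.py
    # With no piped input, the constructed sample above is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    gaps = missing_links(parse_segments(text))
    for a, b in gaps:
        print(f"no bidirectional segment between {a} and {b}")
    sys.exit(1 if gaps else 0)
```

On the constructed sample the script reports the ipa1/ipa3 pair, because that segment is only `left-right`. One caveat before adopting a full mesh as the target: FreeIPA's documentation recommends keeping each server to at most four replication agreements, so on larger deployments the same parser is better used to compare against an intended topology than against completeness.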