May 2019 - FreeIPA-users - Fedora mailing-lists

Login to Web UI
by Markus Roth 23 May '19

23 May '19

2 3

Add SAN to cert (without adding it to the CSR)
by Ian Pilcher 22 May '19

22 May '19

I am trying to create a certificate for an older network printer. Unfortunately, I cannot just load a certificate and private key of my own creation. The printer only supports certificates created from a CSR of its own creation, which does not include the SAN. Is it possible to make IPA copy the CN into the SAN? Thanks! -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

1 1

DNS problems
by Kristian Petersen 22 May '19

22 May '19

Hey all, I am using IPA for my DNS and have 3 total servers in the group. 2 of them are responding to queries just fine, but the 3rd (which is bare metal, not a VM like the others) is not resolving the queries issued to it. Running ipactl status returns all services running: [root@ipa3 /]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING *named Service: RUNNING * httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful We tried restarting the services but didn't change anything. Next we tries to do a forced sync of the server with one of its working replicas: ipa-replica-manage force-sync --from ipa1.example.com We also tried re-initializing the non-working replica: ipa-replica-manage re-initialize --from ipa1.example.com However, it still won't resolve any queries directed to it. Any ideas of what to try next? -- Kristian Petersen System Administrator BYU Dept. of Chemistry and Biochemistry

3 3

Everyone is disabled in UI
by Andrey Bondarenko 22 May '19

22 May '19

Hi, My IPA shows every user as "disabled" when in UI I go to the user's page. Also the password policy fields are empty and if I am filling in something new like phone number it's not showing up in the IU after I save it. But in cli everything is correct and shown. Users list also shows everyone as "enabled". Did anyone have seen something like this? Version: 4.6.4-10 CentOS 7 -- With best regards, Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com skype:andrey.bondarenko phone, Telegram, WhatsApp, etc:+420-773-591-443 7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B

1 0

Access IPA Vault from container
by Dmitry Perets 21 May '19

21 May '19

Hi, I have a use-case when an application needs to access the secret stored in IPA Vault. The problem is that the application is containerized... So what would be the best practice to authenticate to the Vault? The logic says we should use REST API, but how to authenticate to the IPA, without having to put user/password in a file inside the container...? Enroll the container with IPA and use Kerberos...? Or mount a keytab file from the enrolled parent host and install Kerberos package in the container to use it...? Does anyone have an experience with this? Thanks.

2 1

AD->IPA Synchronisation: Staged versus Active users
by Robert Sturrock 21 May '19

21 May '19

Hi All. I’m exploring the use of IPA in a synchronisation (rather than trust) arrangement with AD, as this fits a particular use-case we have here quite well. Our AD is very large, so a large number of users are synchronised into IPA and they come across by default as ‘Disabled’. This is fine - an administrator can easily enable those who need access. However, the users all show up as ‘Active users’, rather than ‘Stage users’. But it would be much better if they were ‘Stage users’ to start with, and needed to be explicitly activated before moving into ‘Active users’. It seems that IPA doesn’t work this way in a synchronisation agreement? Is there any way to configure the system so that it does? Regards, Robert.

2 1

OTP check via API
by Adam Bishop 20 May '19

20 May '19

Is there an API endpoint I can use to perform OTP verification without the users password (i.e. just with their DN or uid)? I've got a non-web application with its own authentication system that I'd like to add MFA to, and I'd rather avoid copying the OTP secrets to it or re-writing the application.

2 1

cert validation failed
by Petar Kozić 20 May '19

20 May '19

Hi folks, one question. These days I join my machine into IPA. Almost all machine have Ubuntu 18.04. I jointed about 10 machine in last two days. Today I tried to join Debian 8 jessie but I have problem. All machine I join with same command: ipa-client-install -U —domain=example.com —hostname=clientexample.com —server=ipa.example.com —realm=EXAMPLE.com —password=XXXxxxXXX --principal=admin —mkhomedir On Debian machine I got this error in process of join: Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json' cert validation failed for “CN=ipa.example.com" ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.) Cannot connect to the server due to generic error: cannot connect to ' https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. Installation failed. Rolling back changes. Some help? Petar

2 11

IPA Trust between Samba 4.10 and FreeIPA 4.7
by Dirk Streubel 20 May '19

20 May '19

Hello everyone, does somebody now if it now possible to build a Trust between Samba 4.10 with MIT-Kerberos and Freeipa Version 4.7. The last entry about this thing is about a year old. Maybe someone here in this List have new Information for me. Regards Dirk

3 8

UNIX ACL's
by Jim Rice 18 May '19

18 May '19

Does FreeIPA support ACL's, as in getfacl, setfacl? entry_type:[uid|gid]:perms

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users May 2019