Everyone is disabled in UI
by Andrey Bondarenko
Hi,
My IPA shows every user as "disabled" when in UI I go to the user's page.
Also the password policy fields are empty and if I am filling in something
new like phone number it's not showing up in the IU after I save it. But in
cli everything is correct and shown. Users list also shows everyone as
"enabled". Did anyone have seen something like this?
Version: 4.6.4-10
CentOS 7
--
With best regards,
Andrey Bondarenkomail:me@andreybondarenko.comhttps://andreybondarenko.com
skype:andrey.bondarenko
phone, Telegram, WhatsApp, etc:+420-773-591-443
7758 40AC 88CC 96C9 0C9A 9EE4 3B72 547B 7538 D41B
4 years, 4 months
Access IPA Vault from container
by Dmitry Perets
Hi,
I have a use-case when an application needs to access the secret stored in IPA Vault. The problem is that the application is containerized...
So what would be the best practice to authenticate to the Vault?
The logic says we should use REST API, but how to authenticate to the IPA, without having to put user/password in a file inside the container...?
Enroll the container with IPA and use Kerberos...?
Or mount a keytab file from the enrolled parent host and install Kerberos package in the container to use it...?
Does anyone have an experience with this?
Thanks.
4 years, 4 months
AD->IPA Synchronisation: Staged versus Active users
by Robert Sturrock
Hi All.
I’m exploring the use of IPA in a synchronisation (rather than trust) arrangement with AD, as this fits a particular use-case we have here quite well.
Our AD is very large, so a large number of users are synchronised into IPA and they come across by default as ‘Disabled’. This is fine - an administrator can easily enable those who need access.
However, the users all show up as ‘Active users’, rather than ‘Stage users’. But it would be much better if they were ‘Stage users’ to start with, and needed to be explicitly activated before moving into ‘Active users’.
It seems that IPA doesn’t work this way in a synchronisation agreement? Is there any way to configure the system so that it does?
Regards,
Robert.
4 years, 4 months
OTP check via API
by Adam Bishop
Is there an API endpoint I can use to perform OTP verification without the users password
(i.e. just with their DN or uid)?
I've got a non-web application with its own authentication system that I'd like to
add MFA to, and I'd rather avoid copying the OTP secrets to it or re-writing the
application.
4 years, 4 months
cert validation failed
by Petar Kozić
Hi folks,
one question.
These days I join my machine into IPA. Almost all machine have Ubuntu
18.04. I jointed about 10 machine in last two days. Today I tried to join
Debian 8 jessie but I have problem.
All machine I join with same command:
ipa-client-install -U —domain=example.com —hostname=clientexample.com
—server=ipa.example.com —realm=EXAMPLE.com —password=XXXxxxXXX
--principal=admin —mkhomedir
On Debian machine I got this error in process of join:
Forwarding 'ping' to json server 'https://ipa.example.com/ipa/json'
cert validation failed for “CN=ipa.example.com" ((SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.)
Cannot connect to the server due to generic error: cannot connect to '
https://ipa.example.com/ipa/json': (SEC_ERROR_UNKNOWN_ISSUER) Peer's
Certificate issuer is not recognized.
Installation failed. Rolling back changes.
Some help?
Petar
4 years, 4 months
IPA Trust between Samba 4.10 and FreeIPA 4.7
by Dirk Streubel
Hello everyone,
does somebody now if it now possible to build a Trust between Samba 4.10 with MIT-Kerberos and Freeipa Version 4.7.
The last entry about this thing is about a year old.
Maybe someone here in this List have new Information for me.
Regards
Dirk
4 years, 4 months
UNIX ACL's
by Jim Rice
Does FreeIPA support ACL's, as in getfacl, setfacl?
entry_type:[uid|gid]:perms
4 years, 4 months
Simple help with User Groups
by SOLER SANGUESA Miguel
Hello,
I don't think it is a good idea to create a IPA posix group with the same GID. I think the best option is adding the IPA user to the local group as you tried to do. The only problem is that you used the short username, and you need to use username@domain. Something like this:
# groupmems -g admins -a ricky(a)ipa.domain.com
Thanks & Regards.
4 years, 4 months
Simple help with User Groups
by Jim Rice
I have a host (lucee) and a user (ricky).
I want to allow ricky to modify files on lucee owned by a group (admins).
How is this accomplished using the freeIPA server?
I tried adding the host, and the user, then created a user group and added the user to it.
The user group was added to the host.
The user is able to login to the host, but is not able to modify group owned files,
and the group admins does not show up in his id ...
[lucee]$ id
uid=158600004(ricky) gid=158600004(ricky) groups=158600004(ricky),158600005(devops) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
There is an entry in the local /etc/group file:
admins:x:2000:ricky
Is this the wrong approach?
When the User Group is being added, there is a Group Type selection.
What is the difference between Non-POSIX, External, and POSIX?
Would I need to set the GID to 2000 in freeIPA, or something else?
(Actually, is you select External, the GID becomes grayed out.)
I can't seem to find any documentation on how to set this up.
admins:x:2000:luceeuser,rick
4 years, 4 months
AD integration for ssh with kerberos
by lejeczek
hi everyone,
I'm having IPA with one-way trust to AD and it all seems to be working okey.
What I would like to see is, a ssh which work off kerberos for AD's
users logins, and also same for cifs clients to Samba.
I'm reading up on OK_AS_DELEGATE but still it's not clear to me whether
separate services needs to be created(then configured) for that (as I do
not see anything regarding ssh nor cifs after plain trust setup). I'm
trying(hoping it's possible) to do it without web/gui.
Would you know of a doc/howto showing a process of getting sshd/samba to
use kerberos for AD members?
many thanks, L.
4 years, 4 months
