August 2019 - FreeIPA-users - Fedora mailing-lists

a zone for subdomain
by lejeczek 28 Aug '19

28 Aug '19

hi guys, Is there any automated or programmatic manner in which a dnszone could be populated(or created) with all the necessary records, when one needs a dns subdomain with/on a separate subnet? many thanks, L.

1 0

Samba 4.10 with ipasam
by João Baúto 28 Aug '19

28 Aug '19

Hi all, I'm setting FreeIPA along with Samba and currently I'm running into an issue with the ipasam module where if I use samba 4.9.X everything works as expected while upgrading to 4.10.X, samba fails to load ipasam. Since the ipasam.so comes from ipa-server-trust-ad, I'm linking it to the samba modules folder. - Error loading module '/usr/local/samba/lib/pdb/ipasam.so': /usr /local/samba/lib/pdb/ipasam.so: undefined symbol: DEBUGLEVEL_CLASS Is there a way of compiling a compatible version of ipasam with samba 4.10.X? I'm running CentOS 7.6.1810 with FreeIPA 4.6.4. Thanks! JB

3 3

Keys vs certificates
by Patterson, David 28 Aug '19

28 Aug '19

Hello, I followed the instructions from this page (https://frasertweedale.github.io/blog-redhat/posts/2015-08-06-freeipa-custo…) to create User Certificates. While testing I noticed that when I create a User Cert for an account, the ssh keys stopped working for that same account. I was hoping to have both SSH keys and User Certificates. Is this a bug, a feature or is there some setting that I'm missing? Thanks! David Patterson

2 3

ipa_automount_location
by Ronald Wimmer 27 Aug '19

27 Aug '19

Is it possible to use multiple automount locations (i.e. sssd.conf containing ipa_automount_location=locationA,locationB)? Cheers, Ronald

2 2

Re: Could not chdir to home directory: Permission denied
by Florence Blanc-Renaud 27 Aug '19

27 Aug '19

On 8/17/19 10:05 PM, Selman Keskin via FreeIPA-users wrote: > Any idea? > > Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for > Windows 10 > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… > Hi, we need a little more information in order to help you. When is this issue happening? I assume you are trying to connect to an IPA client either using ssh or console login. First check what is defined as homedir for the user on an IPA server # kinit admin # ipa user-show <userlogin> | grep 'Home directory' /home/<userlogin> Then on the machine where you got the error 'Could not chdir', check the directory permissions: # ls -ld /home/<userlogin> The directory needs to belong to the user and have the right permissions (drwx------). By default, the home directory of every user is computed from <HomeDirectoryBase>/<userlogin> and the HomeDirectoryBase can be found with: # ipa config-show | grep 'Home directory base' Home directory base: /home If you want to modify the Home Directory Base, you can use # ipa config-mod --homedirectory=<newval> Note that the new setting will be applied to users created after this command and will not modify existing users' home directory. If you want to modify the home directory for a specific user, you can use # ipa user-mod <userlogin> --homedir=<newval>. HTH, flo

1 0

freeipa-client-install error
by Elhamsadat Azarian 27 Aug '19

27 Aug '19

Hi i install freeipa server base on a windows DNS server. i mean there was a windows DNS Server and while i was installing freeipa i set resolve.conf and hosts base on this windows DNS. then i installed a freeipa-client on my client server. base on instructions i changed client's resolve.conf to free-ipa IP. (mean i set DNS of my client to free-ipa-server IP) when i did freeipa-client-install it show an error: "Failed to verify that ipa-server.shs.dc is an IPA server. this may mean that the remote server is not up or reachabe due to network settings." in ipaclient-install files: "search DNS for SRV record of _ldap._tcp.shs.dc DNS record not found: timeout." of course i opened all ports in firewall and im sure the server is up.

2 2

SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format
by lune voo 26 Aug '19

26 Aug '19

Hello everyone. I send you this mail because I try to connect an ipa-client 4.6.4 on RHEL7 to an ipa-server 3.0.0 on RHEL6 and I get the following message when I try to register the client to the server : ### ipa-client-install \ --domain=<MY_DOMAIN> \ --realm=<MY_REALM> \ --server=<MY_IPA_MASTER> \ --principal=admin \ --password='<admin_password>' \ --mkhomedir \ --hostname=<MY_CLIENT_HOST> \ --no-ntp \ --no-ssh \ --no-sshd \ --unattended \ ### And here is the error I got : ### WARNING: yacc table file version is out of date Client hostname: <MY_CLIENT_HOST> Realm: <MY_REALM> DNS Domain: <MY_DOMAIN> IPA Server: <MY_IPA_MASTER> BaseDN: dc=<MY_REALM> Skipping synchronizing time with NTP server. Please make sure the following ports are opened in the firewall settings: TCP: 80, 88, 389 UDP: 88 (at least one of TCP/UDP ports 88 has to be open) Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464 UDP: 464, 123 (if NTP enabled) Installation failed. Rolling back changes. Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1 Failed to start certmonger: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1 Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1 Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1 The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information [root@<MY_CLIENT_HOST> ~]# /bin/systemctl start certmonger.service Job for certmonger.service failed because the control process exited with error code. See "systemctl status certmonger.service" and "journalctl -xe" for details. [root@<MY_CLIENT_HOST> ~]# systemctl status certmonger.service ● certmonger.service - Certificate monitoring and PKI enrollment Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Mon 2019-08-26 11:42:20 CEST; 27s ago Process: 21027 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE) Main PID: 21027 (code=exited, status=1/FAILURE) Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Starting Certificate monitoring and PKI enrollment... Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: 2019-08-26 11:42:20 [21027] Unable to set well-known bus name "org.fedorahosted.certmonger": Connection ":1.21663" is not allowed to own the service "or...tion file(-1). Aug 26 11:42:20 <MY_CLIENT_HOST> certmonger[21027]: Error connecting to D-Bus. Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service: main process exited, code=exited, status=1/FAILURE Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Failed to start Certificate monitoring and PKI enrollment. Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: Unit certmonger.service entered failed state. Aug 26 11:42:20 <MY_CLIENT_HOST> systemd[1]: certmonger.service failed. ### When I retried the command, it said the client was already configured so I tried to unconfigure it with the following command : ### ipa-client-install -U --uninstall ### But then I got the following error : ### The ipa-client-install command failed, exception: CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1 Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1 ### When I enable debug and check the logs, I can see a first error here : ### Starting external process args=/usr/bin/certutil -d dbm:/etc/ipa/nssdb -L -n Local IPA host -a -f /etc/ipa/nssdb/pwdfile.txt Process finished, return code=255 stdout= stderr=certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. ### When I check the content of /etc/ipa/nssdb, I can find only this pwdfile.txt indeed. When I check the content of this folder on another RHEL7 host, I see more content : ### # ls -l /etc/ipa/nssdb/ total 80 -rw-r--r-- 1 root root 65536 Aug 9 2018 cert8.db -rw-r--r-- 1 root root 16384 Aug 9 2018 key3.db -rw------- 1 root root 40 Aug 9 2018 pwdfile.txt -rw-r--r-- 1 root root 16384 Aug 9 2018 secmod.db ### May you help me to understand and solve this problem please ? I tried to use a client version lower than the 4.4.0 instead of 4.6.4 to register to a 3.0.0 server but I still have the same problem. How can I properly uninstall the ipa-client to begin again from the start ? Best regards. Lune

2 4

Create a virtual env python with ipa module included
by lune voo 26 Aug '19

26 Aug '19

Hello everyone. I was wondering if it is possible to embed ipa modules in a python virtual environment ? Or is it too tightly linked with the ipa-client installed on the system ? Best regards. Lune

2 6

Inactive users
by Boyd Ako 23 Aug '19

23 Aug '19

Is there any way to check when a user has last logged into any of the systems? I've tried `ipa user-show`, but the "Last Successful Authentication" is N/A.

4 6

kadmin principal for an IPA master, but not for slave.
by TomK 22 Aug '19

22 Aug '19

Hey All, The primary master I have has the kadmin principal for it: kadmin/ipa03.mws.mds.xyz(a)MWS.MDS.XYZ The slave (idmipa04) doesn't have a corresponding kadmin/... principal entry. Can't find these principals in the UI. 1) Should the slave installer have created the slave kadmin/... principal? 2) If I wanted to create one, should the pass be any random string or something specific? 3) Are there specific IPA commands to create the kadmin/... principals with? Thx for taking a look. -- Thx, TK.

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2019