December 2020 - FreeIPA-users - Fedora Mailing-Lists

ipa-idoverride-memberof-plugin issue, ipa 4.8.7 rhel 8.3

by Lachlan Musicman

Hola, When I browse to the webUI for IDM, I'm getting nothing. The http error log is showing: [Thu Dec 10 15:30:44.429646 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42908] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:28.088766 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:39.316974 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:53.657573 2020] [wsgi:error] [pid 1774:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS The http access log is more interesting: 172.26.33.93 - - [10/Dec/2020:15:32:53 +1100] "GET /ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js?40807 HTTP/1.1" 404 19 When I go hunting, I see this: [root@idm httpd]# ls -la /usr/share/ipa/ui/js/plugins/idoverride-memberof/ total 0 drwxr-xr-x. 2 root root 6 Dec 10 13:36 . drwxr-xr-x. 3 root root 33 Oct 9 00:45 .. I see there is a package available; [root@idm httpd]# dnf info ipa-idoverride-memberof-plugin --all ... Available Packages Name : ipa-idoverride-memberof-plugin Version : 0.0.4 Release : 6.module+el8+2555+b334d87b Architecture : x86_64 Size : 31 k Source : ipa-idoverride-memberof-0.0.4-6.module+el8+2555+b334d87b.src.rpm But I see that it's already installed: Package ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 is already installed. I updated from RHEL 8.2 to 8.3 this AM. It was working last week with 8.2. Is there meant to be an idoverride-memberof.js file? cheers L.

2 months, 3 weeks

2
2
1 / 0

freeIPA Status Debian/Ubuntu

by Nico Maas

Hello there, with the decline of CentOS I need to migrate away from CentOS 8 to something different. I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"? Best regards, Nico

2 months, 3 weeks

4
4
0 / 0

FreeIPA 4.9.0 release candidate 3 released

by Alexander Bokovoy

The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 3! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora Rawhide will be available from the official repository soon. == Highlights in 4.9.0 No major changes since release candidate 2, only fixes to regressions found in Rawhide and RHEL 8.4 development builds. === Bug fixes FreeIPA 4.9.0 release candidate 3 is a stabilization release for the features delivered as a part of 4.9 version series. There are 6 bug-fixes since FreeIPA 4.9.0 release candidate 2 release. Details of the bug-fixes can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets * https://pagure.io/freeipa/issue/8595[#8595] Allow ipa-ca as a name for an IPA server * https://pagure.io/freeipa/issue/8596[#8596] (https://bugzilla.redhat.com/show_bug.cgi?id=1895197[rhbz#1895197]) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find * https://pagure.io/freeipa/issue/8613[#8613] mod_auth_gssapi cannot create unique ccache as it runs under apache and not ipaapi * https://pagure.io/freeipa/issue/8615[#8615] ipa-rewrite.conf upgrade is failing due to missing variable definition * https://pagure.io/freeipa/issue/8616[#8616] xmlrpc tests test_user_plugin failure * https://pagure.io/freeipa/issue/8617[#8617] systemd: enforce en_US.UTF-8 locale in systemd units == Detailed changelog since 4.9.0rc2 === Alexander Bokovoy (6) * Become FreeIPA 4.9.0rc3 https://pagure.io/freeipa/c/502d29107a458717b4ae1b3f7b17fb1159e3a135[commit] * systemd: enforce en_US.UTF-8 locale in systemd units https://pagure.io/freeipa/c/184997e85d03c30a34fbe268d1e9f39206178a1e[commit] https://pagure.io/freeipa/issue/8617[#8617] * upgrade: provide DOMAIN to the server upgrade dictionary https://pagure.io/freeipa/c/cc51feb106d6dee655c55adb802b3cfdac778fca[commit] https://pagure.io/freeipa/issue/8595[#8595], https://pagure.io/freeipa/issue/8615[#8615] * Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches https://pagure.io/freeipa/c/7d1a6886538360fb340eb4423660d11ee4af7e39[commit] https://pagure.io/freeipa/issue/8613[#8613] * Correct SELinux policy requirements https://pagure.io/freeipa/c/0cb8f065ac7bcf814c4991aeca3be8b590c7b5f6[commit] * Back to git snapshots https://pagure.io/freeipa/c/77674077b4e1e6ff2d2608ad0661704d4a47ac41[commit] === Florence Blanc-Renaud (3) * ipatests: add test for PKI subsystem detection https://pagure.io/freeipa/c/24f6a36b82d2a8bd8f2283457fcb415e5898a1b1[commit] https://pagure.io/freeipa/issue/8596[#8596] * Improve PKI subsystem detection https://pagure.io/freeipa/c/cf30cc3f63fbce2a3ff9c53ae4cd177a3bf4e527[commit] https://pagure.io/freeipa/issue/8596[#8596] * xmlrpctests: remove harcoded expiration date from test_user_plugin https://pagure.io/freeipa/c/f2bc3f1c5baff68e4c8d5f1e5c38b5647eac4cf4[commit] https://pagure.io/freeipa/issue/8616[#8616] -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

2 months, 3 weeks

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Nico Maas

Yes, however, rolling-release is not for everyone and every usecase, hence I am asking of the status of the Debian and Ubuntu implementations :). Thanks!

2 months, 3 weeks

5
9
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Alexander Bokovoy

On ke, 09 joulu 2020, VinÃcius FerrÃ£o wrote: >Alexander, as a user without support from Red Hat, can we report >bugs/issues for the IdM product here on the FreeIPA list? Because, as >far as I know, with RHEL there's no way to install FreeIPA branded as >it. It will always be Red Hat IdM. On freeipa-users@ we are relying on a community support, regardless where the issue is observed. In my community member capacity I am helping with those issues where I can, as well as other community members. This comes without expectations for urgency and so on but I think there are plenty of examples that community-wide support does work on this list already. I don't see that changing. As for installing something that is not part of your distribution, I'd rather suggest you to stick to the bits provided by your distribution, if possible. As much as I love Frankenstein-style stories, they aren't fun to live by. ;) -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

2 months, 3 weeks

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Alexander Bokovoy

On ke, 09 joulu 2020, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote: >I think they're referring to this: >https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-... > >Where it looks like CentOS is to become a rolling distro after 8, it's >not going away though, and being rolling isn't a bad thing as most >distro's are rolling now. I agree. There is another perspective to this. From FreeIPA upstream point of view, CentOS is not a distribution we work on. We cannot fix any bug in CentOS directly and there were plenty of cases in past two years when CentOS rebuild of IPA components led to a non-working setup for months, with no way to fix those. With CentOS 8 Stream as a rolling distro, it will be built directly from the sources and commits done in RHEL development once the packages pass internal QE pre-verification. Aside from a practical meaning that my team will be able to affect CentOS 8 Stream builds better than we have it with CentOS 7 or 8, the testing of those bits in C8S would be integral part of the RHEL QE process. In addition to that, https://www.redhat.com/en/blog/faq-centos-stream-updates gives a numer of answers. In particular, https://www.redhat.com/en/blog/faq-centos-stream-updates#Q10 says: --------- In the first half of 2021, we will be introducing low- or no-cost programs for a variety of use cases, including options for open source projects and communities, partner ecosystems and an expansion of the use cases of the Red Hat Enterprise Linux Developer subscription to better serve the needs of systems administrators and partner developers. We’ll share more details on these initiatives as they become available. For those converting to RHEL, there is guidance available today for converting from CentOS Linux to RHEL. --------- I hope an improvement on the RHEL Developer subscription would allow to run RHEL for those who uses CentOS for IPA workloads. It is not accessible for that purpose right now but the change is coming, according to what I have heard and read. I have no insight into what exactly that means myself but I hope for a reasonable expansion of the use cases. I did argue for that myself in past as many upstreams of the packages included in RHEL and CentOS struggle to do upstream testing with the same setup as in RHEL (modules, etc). Hopefully, it is an answer to our requests too. > >-----Original Message----- >From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Sent: 09 December 2020 11:54 >To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net> >Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu > >From what I understand Centos Stream is going to be a rolling distro. > >-----Original Message----- >From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Sent: 09 December 2020 12:51 >To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be> >Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu > >Decline of CentOS ??? > >-----Message d'origine----- >De : Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Envoyé : mercredi 9 décembre 2020 12:30 >À : freeipa-users(a)lists.fedorahosted.org >Cc : Nico Maas <mail(a)nico-maas.de> >Objet : [Freeipa-users] freeIPA Status Debian/Ubuntu > >Hello there, > >with the decline of CentOS I need to migrate away from CentOS 8 to something different. >I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"? > >Best regards, > >Nico >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

2 months, 3 weeks

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Marc Pearson | i-Neda Ltd

I think they're referring to this: https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-... Where it looks like CentOS is to become a rolling distro after 8, it's not going away though, and being rolling isn't a bad thing as most distro's are rolling now. -----Original Message----- From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: 09 December 2020 11:54 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net> Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu From what I understand Centos Stream is going to be a rolling distro. -----Original Message----- From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: 09 December 2020 12:51 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be> Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu Decline of CentOS ??? -----Message d'origine----- De : Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Envoyé : mercredi 9 décembre 2020 12:30 À : freeipa-users(a)lists.fedorahosted.org Cc : Nico Maas <mail(a)nico-maas.de> Objet : [Freeipa-users] freeIPA Status Debian/Ubuntu Hello there, with the decline of CentOS I need to migrate away from CentOS 8 to something different. I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"? Best regards, Nico _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

2 months, 3 weeks

1
0
0 / 0

AD trusted group incomplet list of members in client

by Natxo Asenjo

hi, reposting with zipped log. we have a trust between an AD forest (2016) and an RHEL 7 Idm environment. We have this ad group: $ ipa group-show d-xxx-platform-admins Group name: d-xxx-platform-admins Description: AD d-xxx-platform-admins External member: d-xxx-platform-admins(a)ad.local Member of groups: xxx-platform-admins When I run the command getent group xxx-platform-admins on the kdc, I get the full list of users in the AD group: $ getent group xxx-platform-admins xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local ,a-user3@ad.local,a-user4@ad.local,a-user5@ad.local,a-user6(a)ad.local ,a-user7@ad.local,a-user8@ad.local,a-user9@ad.local,a-user10(a)ad.local ,a-user11@ad.local,a-user12@ad.local,a-user12@ad.local,a-user13(a)ad.local ,a-user14@ad.local,a-user15@ad.local,a-user16(a)ad.local but on the idm client: # getent group xxx-platform-admins xxx-platform-admins:*:1679450504:a-user1@ad.local,a-user2@ad.local Attached the sssd_nss.log with debuggging enabled. Thanks in advance. -- regards, Natxo

3 months

2
4
0 / 0

Re: Reinstalling client's OS

by Roberto Cornacchia

Thank you Angus and Detlev! On Fri, 4 Dec 2020, 12:46 Angus Clarke via FreeIPA-users, < freeipa-users(a)lists.fedorahosted.org> wrote: > The steps you mention seem fine to me Roberto, Detlev has detailed an > alternative. > > If you lose a client and need to rebuild (i.e. you didn't get chance to > run the "--uninstall" option) then you can also just delete the host entry > from IPA through the web gui or ipa command line before running the > ipa-client-install (join) command. > > When I have issues with clients (very infrequent and I have some 5000 > clients) I find that running the "--uninstall" and then the install (steps > 1 and 3) fix most issues without having to look into them (blind fix for > the time wary!) > > Regards > Angus > > ------------------------------ > *From:* Detlev Habicht via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org> > *Sent:* 04 December 2020 11:59 > *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> > *Cc:* Detlev Habicht <detlev.habicht(a)ims.uni-hannover.de> > *Subject:* [Freeipa-users] Re: Reinstalling client's OS > > Hi, > > you can reinstall a client with something like this: > > /usr/sbin/ipa-client-install --force --unattended —domain=xxx —realm=xxx > —server=xxx —server=yyy --force-ntpd —keytab=./krb5.keytab > --ca-cert-file=./ca.crt > > But you must save your keytab and ca file before. > > For me it is working … > > Detlev > > -- > Detlev | Institut fuer Mikroelektronische Systeme > Habicht | D-30167 Hannover +49 511 76219662 habicht(a)ims.uni-hannover.de > --------+-------- Handy +49 172 5415752 --------------------------- > > > > > Am 04.12.2020 um 11:46 schrieb Roberto Cornacchia via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org>: > > > > Hello, > > > > Apologies if this is a trivial question, I could not find an obvious > answer anywhere. > > > > If I want to reinstall from scratch the OS of an already enrolled > client, is this the right procedure? > > > > 1. ipa-client-install --uninstall > > 2. <reinstall OS> > > 3. ipa-client-install > > > > Best regards, > > Roberto > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe... > > List Guidelines: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap... > > List Archives: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f... > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe... > List Guidelines: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap... > List Archives: > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f... > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

3 months

1
0
0 / 0

Reinstalling client's OS

by Roberto Cornacchia

Hello, Apologies if this is a trivial question, I could not find an obvious answer anywhere. If I want to reinstall from scratch the OS of an already enrolled client, is this the right procedure? 1. ipa-client-install --uninstall 2. <reinstall OS> 3. ipa-client-install Best regards, Roberto

3 months

3
2
0 / 0

2021

2020

2019

2018

2017

FreeIPA-users December 2020