macOS-X bound to freeIPA - mkhomedir
by Grant Janssen
I’ve been running a number of macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make a home directory when one doesn’t exist.
Without a home directory, a user logs in, the beachball spins forever and the user never gets a desktop because there is no user home directory.
"createhomedir -c -a" functions (on most systems), but I’d rather not run this in cron.
Has anyone found the PAM secret to have this function like mkhomedir on a CentOS host?
CentOS 7
grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
grant@outhouse:~[20201213-6:51][#1004]$
I wish there were an authconfig on os-x
- grant
3 years, 4 months
Stateless Machines and Force Join
by Mark Potter
We boot everything stateless in our environment and are using FreeIPA for
authentication. I started discussing this a while ago but ended up with
other things taking priority. The number of machines we have make managing
keys an untenable solution so we are using
ipa-client-install -U -q -p <join user> -w <password> --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join
called from rc.local during boot to rejoin machines to the FreeIPA
environment (we will be moving away from --fixed-primary but aren't there
yet). While this works, it potentially exposes a password. I am looking
for a better way to handle machines that need to re-join at every boot.
We have access to ansible as well as a decent, in-house templating system for
configuration. Please forgive my starting this discussion anew and not
resurrecting a zombie and thanks in advance for your help!
--
*Mark Potter*
Senior Linux Administrator
3 years, 4 months
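The password exposure raised in the "Stateless Machines and Force Join" post above can be audited in boot scripts. This is an added example, not part of the original message: it scans script text for `ipa-client-install` calls that pass `-w`/`--password` and reports where the value comes from without echoing it. The sample rc.local, the principal name and the file path in it are constructed.

```python
import shlex

# Constructed sample rc.local; principal, password and paths are made up.
SAMPLE_RC_LOCAL = r"""#!/bin/sh
touch /var/lock/subsys/local
ipa-client-install -U -q -p enroll-bot -w 'S3cret!pw' --domain=domain.com \
    --server=ipaserver.domain.com --fixed-primary --force-join
ipa-client-install -U -p enroll-bot --password="$(cat /run/enroll.pw)" --force-join
# ipa-client-install -w commented-out
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_inline_passwords(text):
    """Return [(line_no, principal, kind)] for calls passing -w/--password.

    kind is "literal" when the secret is stored in the script itself, or
    "expansion" when it starts with $ or a backtick (a single-quoted '$x'
    would be misjudged). Either way the value ends up on the command line.
    """
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes; not parseable as one command
        cmd = [i for i, t in enumerate(argv)
               if t.rsplit("/", 1)[-1] == "ipa-client-install"]
        if not cmd:
            continue
        args, opts = argv[cmd[0] + 1:], {}
        for i, tok in enumerate(args):
            for short, long_ in (("-w", "--password"), ("-p", "--principal")):
                if tok in (short, long_) and i + 1 < len(args):
                    opts[long_] = args[i + 1]
                elif tok.startswith(long_ + "="):
                    opts[long_] = tok.split("=", 1)[1]
        if "--password" in opts:
            kind = "expansion" if opts["--password"][:1] in ("$", "`") else "literal"
            findings.append((no, opts.get("--principal"), kind))  # value never returned
    return findings
```
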
odd problem updating to Centos 8.3
by Charles Hedrick
I just upgraded copies of our 3 servers from Centos 8.2 to 8.3. I always try it on copies before doing it on the real thing.
The upgrades all went fine, but on one of the servers, the services weren’t running, and ipactl status complained
Failed to get list of services to probe status!
Configured hostname z does not match any master server in LDAP:
x
y
z
Adding prints to the python code, I found the issue was that the services, e.g.
dn: cn=KPASSWD,cn=z,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
had
ipaConfigString: configuredService
when they should have had
ipaConfigString: enabledService
It was easy to fix. Things now look OK.
Since I’ve fixed it, I don’t need any help, but I thought it was worth reporting. There were some oddities in getting the copies working. Initially I had bad IP addresses various places. That broke synchronization, and I had to reinitialize server z by copying from x. But that was before the upgrade. Before doing any upgrades I made sure everything worked, and the replicas were all syncing.
The fix did sync to the other servers.
The error message wasn’t entirely helpful.
3 years, 4 months
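The mismatch described in the "odd problem updating to Centos 8.3" post above can be checked across all masters from an LDIF export of the `cn=masters` subtree. This is an added example, not code from the original message or from FreeIPA: the sample LDIF is constructed around the DN quoted in the post, and the `startOrder` values in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample; only the KPASSWD DN layout comes from the post.
SAMPLE_LDIF = """\
dn: cn=KPASSWD,cn=z,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
cn: KPASSWD
ipaConfigString: startOrder 20
ipaConfigString: configuredService

dn: cn=KDC,cn=x,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
cn: KDC
ipaConfigString: enabledService
ipaConfigString: startOrder 10

dn: cn=HTTP,cn=z,cn=masters,cn=ipa,cn=etc,dc=cs,
 dc=rutgers,dc=edu
cn: HTTP
ipaConfigString: configuredService
"""

# cn=<service>,cn=<master>,cn=masters,cn=ipa,cn=etc,<suffix>
SERVICE_DN = re.compile(r"^cn=([^,]+),cn=([^,]+),cn=masters,cn=ipa,cn=etc,", re.I)

def parse_ldif(text):
    """Return a list of {attr_lower: [values]} dicts, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", text.strip())  # LDIF folds long lines with "\n "
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep or value.startswith(":"):
                continue  # skip comments, malformed lines and base64 (attr:: ...) values
            entry[attr.lower()].append(value.strip())
        if entry.get("dn"):
            entries.append(entry)
    return entries

def services_not_enabled(text):
    """Map master -> services marked configuredService but not enabledService."""
    result = defaultdict(list)
    for entry in parse_ldif(text):
        m = SERVICE_DN.match(entry["dn"][0])
        if not m:
            continue
        # ipaConfigString is multi-valued, so compare against the whole set.
        flags = {v.lower() for v in entry.get("ipaconfigstring", [])}
        if "configuredservice" in flags and "enabledservice" not in flags:
            result[m.group(2)].append(m.group(1))
    return {host: sorted(svcs) for host, svcs in result.items()}
```
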
FreeIPA server packages for Ubuntu
by iulian roman
Hello!
Does anyone know what version of Ubuntu does support Freeipa server? I have tried with 18.04 which fails always due to pki-tomcatd issues and Ubuntu 20 seems to not have the packages in the repository.
Any suggestion/help is appreciated.
Thanks
3 years, 4 months
ipa-idoverride-memberof-plugin issue, ipa 4.8.7 rhel 8.3
by Lachlan Musicman
Hola,
When I browse to the webUI for IDM, I'm getting nothing.
The http error log is showing:
[Thu Dec 10 15:30:44.429646 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42908] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS
[Thu Dec 10 15:32:28.088766 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS
[Thu Dec 10 15:32:39.316974 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS
[Thu Dec 10 15:32:53.657573 2020] [wsgi:error] [pid 1774:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS
The http access log is more interesting:
172.26.33.93 - - [10/Dec/2020:15:32:53 +1100] "GET /ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js?40807 HTTP/1.1" 404 19
When I go hunting, I see this:
[root@idm httpd]# ls -la /usr/share/ipa/ui/js/plugins/idoverride-memberof/
total 0
drwxr-xr-x. 2 root root 6 Dec 10 13:36 .
drwxr-xr-x. 3 root root 33 Oct 9 00:45 ..
I see there is a package available;
[root@idm httpd]# dnf info ipa-idoverride-memberof-plugin --all
...
Available Packages
Name : ipa-idoverride-memberof-plugin
Version : 0.0.4
Release : 6.module+el8+2555+b334d87b
Architecture : x86_64
Size : 31 k
Source : ipa-idoverride-memberof-0.0.4-6.module+el8+2555+b334d87b.src.rpm
But I see that it's already installed:
Package ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 is already installed.
I updated from RHEL 8.2 to 8.3 this AM. It was working last week with 8.2. Is there meant to be an idoverride-memberof.js file?
cheers
L.
3 years, 4 months
Re: freeIPA Status Debian/Ubuntu
by Nico Maas
Yes, however, rolling-release is not for everyone and every use case, hence I am asking of the status of the Debian and Ubuntu implementations :).
Thanks!
3 years, 4 months
Re: freeIPA Status Debian/Ubuntu
by Alexander Bokovoy
On Wed, 09 Dec 2020, Vinícius Ferrão wrote:
>Alexander, as a user without support from Red Hat, can we report
>bugs/issues for the IdM product here on the FreeIPA list? Because, as
>far as I know, with RHEL there's no way to install FreeIPA branded as
>it. It will always be Red Hat IdM.
On freeipa-users@ we are relying on community support, regardless of
where the issue is observed. In my community member capacity I am
helping with those issues where I can, as well as other community
members. This comes without expectations for urgency and so on but I
think there are plenty of examples that community-wide support does work
on this list already.
I don't see that changing.
As for installing something that is not part of your distribution, I'd
rather suggest you stick to the bits provided by your distribution,
if possible. As much as I love Frankenstein-style stories, they aren't
fun to live by. ;)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 4 months
Re: freeIPA Status Debian/Ubuntu
by Alexander Bokovoy
On Wed, 09 Dec 2020, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>I think they're referring to this:
>https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-...
>
>Where it looks like CentOS is to become a rolling distro after 8, it's
>not going away though, and being rolling isn't a bad thing as most
>distros are rolling now.
I agree. There is another perspective to this. From FreeIPA upstream
point of view, CentOS is not a distribution we work on. We cannot fix
any bug in CentOS directly and there were plenty of cases in the past two
years when CentOS rebuild of IPA components led to a non-working setup
for months, with no way to fix those.
With CentOS 8 Stream as a rolling distro, it will be built directly from
the sources and commits done in RHEL development once the packages pass
internal QE pre-verification. Aside from a practical meaning that my
team will be able to affect CentOS 8 Stream builds better than we have
it with CentOS 7 or 8, the testing of those bits in C8S would be
an integral part of the RHEL QE process.
In addition to that,
https://www.redhat.com/en/blog/faq-centos-stream-updates gives a number
of answers. In particular,
https://www.redhat.com/en/blog/faq-centos-stream-updates#Q10 says:
---------
In the first half of 2021, we will be introducing low- or no-cost
programs for a variety of use cases, including options for open source
projects and communities, partner ecosystems and an expansion of the use
cases of the Red Hat Enterprise Linux Developer subscription to better
serve the needs of systems administrators and partner developers. We’ll
share more details on these initiatives as they become available. For
those converting to RHEL, there is guidance available today for
converting from CentOS Linux to RHEL.
---------
I hope an improvement on the RHEL Developer subscription would allow to
run RHEL for those who use CentOS for IPA workloads. It is not
accessible for that purpose right now but the change is coming,
according to what I have heard and read. I have no insight into what
exactly that means myself but I hope for a reasonable expansion of the
use cases. I did argue for that myself in the past as many upstreams of the
packages included in RHEL and CentOS struggle to do upstream testing
with the same setup as in RHEL (modules, etc). Hopefully, it is an
answer to our requests too.
>
>-----Original Message-----
>From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>Sent: 09 December 2020 11:54
>To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net>
>Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu
>
>From what I understand Centos Stream is going to be a rolling distro.
>
>-----Original Message-----
>From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>Sent: 09 December 2020 12:51
>To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>
>Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu
>
>Decline of CentOS ???
>
>-----Original Message-----
>From: Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
>Sent: Wednesday 9 December 2020 12:30
>To: freeipa-users(a)lists.fedorahosted.org
>Cc: Nico Maas <mail(a)nico-maas.de>
>Subject: [Freeipa-users] freeIPA Status Debian/Ubuntu
>
>Hello there,
>
>with the decline of CentOS I need to migrate away from CentOS 8 to something different.
>I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"?
>
>Best regards,
>
>Nico
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 4 months
Re: freeIPA Status Debian/Ubuntu
by Marc Pearson | i-Neda Ltd
I think they're referring to this: https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-...
Where it looks like CentOS is to become a rolling distro after 8, it's not going away though, and being rolling isn't a bad thing as most distros are rolling now.
-----Original Message-----
From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: 09 December 2020 11:54
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net>
Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu
From what I understand Centos Stream is going to be a rolling distro.
-----Original Message-----
From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: 09 December 2020 12:51
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>
Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu
Decline of CentOS ???
-----Original Message-----
From: Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday 9 December 2020 12:30
To: freeipa-users(a)lists.fedorahosted.org
Cc: Nico Maas <mail(a)nico-maas.de>
Subject: [Freeipa-users] freeIPA Status Debian/Ubuntu
Hello there,
with the decline of CentOS I need to migrate away from CentOS 8 to something different.
I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"?
Best regards,
Nico
3 years, 4 months