December 2020 - FreeIPA-users - Fedora Mailing-Lists

by Grant Janssen

I’ve been running a number of macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make home directory when one doesn’t exist. Without a home directory, a users logs in, the beachball spins forever and the user never gets a desktop because there is no user home directory. "createhomedir -c -a" functions (on most systems), but I’d rather not run this in cron. Has anyone found the PAM secret to have this function like mkhomedir on a CentOS host? CentOS 7 grant@outhouse:~[20201213-6:51][#1003]$ authconfig --test | grep mkhome pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077) grant@outhouse:~[20201213-6:51][#1004]$ I wish there were an authconfig on os-x - grant This e-mail and any attachments are intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified any dissemination, distribution or copying of this email and any attachments is strictly prohibited. If you receive this email in error, please immediately notify the sender by return email and permanently delete the original, any copy and any printout thereof. The integrity and security of e-mail cannot be guaranteed.

3 years, 4 months

1
0
0 / 0

Stateless Machines and Force Join

by Mark Potter

We boot everything stateless in our environment and are using FreeIPA for authentication. I started discussing this a while ago but ended up with other things taking priority. The number of machines we have make managing keys an untenable solution so we are using ipa-client-install -U -q -p <join user> -w <password --domain=domain.com --server=ipaserver.domain.com --fixed-primary --force-join called from rc.local during boot to rejoin machines to the FreeIPA environment (we will be moving away from --fixed-primary but aren't there yet). While this works it, potentially, exposes a password. I am looking for a better way to handle machines that need to re-join at every boot. We have access to ansible as well a decent, in house, templating system for configuration. Please forgive my starting this discussion anew and not resurrecting a zombie and thanks in advance for your help! -- *Mark Potter* Senior Linux Administrator

3 years, 4 months

3
5
0 / 0

odd problem updating to Centos 8.3

by Charles Hedrick

I just upgraded copies of our 3 servers from Centos 8.2 to 8.3. I always try it on copies before doing it on the real thing. The upgrades all went fine, but on one of the servers, the services weren’t running, and ipactl status complained Failed to get list of services to probe status! Configured hostname z does not match any master server in LDAP: x y z Adding prints to the python code, I found the issue was that the services, e.g. dn: cn=KPASSWD,cn=z,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu had ipaConfigString: configuredService when they should have had ipaConfigString: enabledService It was easy to fix. Things now look OK. Since I’ve fixed it, I don’t need any help, but I thought it was worth reporting. There were some oddities in getting the copies working. Initially I had bad IP addresses various places. That broke synchronization, and I had to reinitialize server z by copying from x. But that was before the upgrade. Before doing any upgrades I made sure everything worked, and the replicas were all syncing. The fix did sync to the other servers. The error message wasn’t entirely helpful.

3 years, 4 months

3
2
0 / 0

FreeIPA server packages for Ubuntu

by iulian roman

Hello ! Does anyone know what version of Ubuntu does support Freeipa server ? I have tried with 18.04 which fails always due to pki-tomcatd issues and Ubuntu 20 seems to not have the packages in the repository. Any suggestion/help is appreciated. Thanks

3 years, 4 months

2
5
0 / 0

ipa-idoverride-memberof-plugin issue, ipa 4.8.7 rhel 8.3

by Lachlan Musicman

Hola, When I browse to the webUI for IDM, I'm getting nothing. The http error log is showing: [Thu Dec 10 15:30:44.429646 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42908] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:28.088766 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:39.316974 2020] [wsgi:error] [pid 1773:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS [Thu Dec 10 15:32:53.657573 2020] [wsgi:error] [pid 1774:tid 139794280646400] [remote 172.26.33.93:42932] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.239'): SUCCESS The http access log is more interesting: 172.26.33.93 - - [10/Dec/2020:15:32:53 +1100] "GET /ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js?40807 HTTP/1.1" 404 19 When I go hunting, I see this: [root@idm httpd]# ls -la /usr/share/ipa/ui/js/plugins/idoverride-memberof/ total 0 drwxr-xr-x. 2 root root 6 Dec 10 13:36 . drwxr-xr-x. 3 root root 33 Oct 9 00:45 .. I see there is a package available; [root@idm httpd]# dnf info ipa-idoverride-memberof-plugin --all ... Available Packages Name : ipa-idoverride-memberof-plugin Version : 0.0.4 Release : 6.module+el8+2555+b334d87b Architecture : x86_64 Size : 31 k Source : ipa-idoverride-memberof-0.0.4-6.module+el8+2555+b334d87b.src.rpm But I see that it's already installed: Package ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 is already installed. I updated from RHEL 8.2 to 8.3 this AM. It was working last week with 8.2. Is there meant to be an idoverride-memberof.js file? cheers L.

3 years, 4 months

2
2
1 / 0

FreeIPA 4.9.0 release candidate 3 released

by Alexander Bokovoy

The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 3! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora Rawhide will be available from the official repository soon. == Highlights in 4.9.0 No major changes since release candidate 2, only fixes to regressions found in Rawhide and RHEL 8.4 development builds. === Bug fixes FreeIPA 4.9.0 release candidate 3 is a stabilization release for the features delivered as a part of 4.9 version series. There are 6 bug-fixes since FreeIPA 4.9.0 release candidate 2 release. Details of the bug-fixes can be seen in the list of resolved tickets below. == Upgrading Upgrade instructions are available on Upgrade page. == Feedback Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...) or #freeipa channel on Freenode. == Resolved tickets * https://pagure.io/freeipa/issue/8595[#8595] Allow ipa-ca as a name for an IPA server * https://pagure.io/freeipa/issue/8596[#8596] (https://bugzilla.redhat.com/show_bug.cgi?id=1895197[rhbz#1895197]) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find * https://pagure.io/freeipa/issue/8613[#8613] mod_auth_gssapi cannot create unique ccache as it runs under apache and not ipaapi * https://pagure.io/freeipa/issue/8615[#8615] ipa-rewrite.conf upgrade is failing due to missing variable definition * https://pagure.io/freeipa/issue/8616[#8616] xmlrpc tests test_user_plugin failure * https://pagure.io/freeipa/issue/8617[#8617] systemd: enforce en_US.UTF-8 locale in systemd units == Detailed changelog since 4.9.0rc2 === Alexander Bokovoy (6) * Become FreeIPA 4.9.0rc3 https://pagure.io/freeipa/c/502d29107a458717b4ae1b3f7b17fb1159e3a135[commit] * systemd: enforce en_US.UTF-8 locale in systemd units https://pagure.io/freeipa/c/184997e85d03c30a34fbe268d1e9f39206178a1e[commit] https://pagure.io/freeipa/issue/8617[#8617] * upgrade: provide DOMAIN to the server upgrade dictionary https://pagure.io/freeipa/c/cc51feb106d6dee655c55adb802b3cfdac778fca[commit] https://pagure.io/freeipa/issue/8595[#8595], https://pagure.io/freeipa/issue/8615[#8615] * Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches https://pagure.io/freeipa/c/7d1a6886538360fb340eb4423660d11ee4af7e39[commit] https://pagure.io/freeipa/issue/8613[#8613] * Correct SELinux policy requirements https://pagure.io/freeipa/c/0cb8f065ac7bcf814c4991aeca3be8b590c7b5f6[commit] * Back to git snapshots https://pagure.io/freeipa/c/77674077b4e1e6ff2d2608ad0661704d4a47ac41[commit] === Florence Blanc-Renaud (3) * ipatests: add test for PKI subsystem detection https://pagure.io/freeipa/c/24f6a36b82d2a8bd8f2283457fcb415e5898a1b1[commit] https://pagure.io/freeipa/issue/8596[#8596] * Improve PKI subsystem detection https://pagure.io/freeipa/c/cf30cc3f63fbce2a3ff9c53ae4cd177a3bf4e527[commit] https://pagure.io/freeipa/issue/8596[#8596] * xmlrpctests: remove harcoded expiration date from test_user_plugin https://pagure.io/freeipa/c/f2bc3f1c5baff68e4c8d5f1e5c38b5647eac4cf4[commit] https://pagure.io/freeipa/issue/8616[#8616] -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 years, 4 months

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Nico Maas

Yes, however, rolling-release is not for everyone and every usecase, hence I am asking of the status of the Debian and Ubuntu implementations :). Thanks!

3 years, 4 months

5
9
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Alexander Bokovoy

On ke, 09 joulu 2020, VinÃcius FerrÃ£o wrote: >Alexander, as a user without support from Red Hat, can we report >bugs/issues for the IdM product here on the FreeIPA list? Because, as >far as I know, with RHEL there's no way to install FreeIPA branded as >it. It will always be Red Hat IdM. On freeipa-users@ we are relying on a community support, regardless where the issue is observed. In my community member capacity I am helping with those issues where I can, as well as other community members. This comes without expectations for urgency and so on but I think there are plenty of examples that community-wide support does work on this list already. I don't see that changing. As for installing something that is not part of your distribution, I'd rather suggest you to stick to the bits provided by your distribution, if possible. As much as I love Frankenstein-style stories, they aren't fun to live by. ;) -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 years, 4 months

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Alexander Bokovoy

On ke, 09 joulu 2020, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote: >I think they're referring to this: >https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-... > >Where it looks like CentOS is to become a rolling distro after 8, it's >not going away though, and being rolling isn't a bad thing as most >distro's are rolling now. I agree. There is another perspective to this. From FreeIPA upstream point of view, CentOS is not a distribution we work on. We cannot fix any bug in CentOS directly and there were plenty of cases in past two years when CentOS rebuild of IPA components led to a non-working setup for months, with no way to fix those. With CentOS 8 Stream as a rolling distro, it will be built directly from the sources and commits done in RHEL development once the packages pass internal QE pre-verification. Aside from a practical meaning that my team will be able to affect CentOS 8 Stream builds better than we have it with CentOS 7 or 8, the testing of those bits in C8S would be integral part of the RHEL QE process. In addition to that, https://www.redhat.com/en/blog/faq-centos-stream-updates gives a numer of answers. In particular, https://www.redhat.com/en/blog/faq-centos-stream-updates#Q10 says: --------- In the first half of 2021, we will be introducing low- or no-cost programs for a variety of use cases, including options for open source projects and communities, partner ecosystems and an expansion of the use cases of the Red Hat Enterprise Linux Developer subscription to better serve the needs of systems administrators and partner developers. We’ll share more details on these initiatives as they become available. For those converting to RHEL, there is guidance available today for converting from CentOS Linux to RHEL. --------- I hope an improvement on the RHEL Developer subscription would allow to run RHEL for those who uses CentOS for IPA workloads. It is not accessible for that purpose right now but the change is coming, according to what I have heard and read. I have no insight into what exactly that means myself but I hope for a reasonable expansion of the use cases. I did argue for that myself in past as many upstreams of the packages included in RHEL and CentOS struggle to do upstream testing with the same setup as in RHEL (modules, etc). Hopefully, it is an answer to our requests too. > >-----Original Message----- >From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Sent: 09 December 2020 11:54 >To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net> >Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu > >From what I understand Centos Stream is going to be a rolling distro. > >-----Original Message----- >From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Sent: 09 December 2020 12:51 >To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> >Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be> >Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu > >Decline of CentOS ??? > >-----Message d'origine----- >De : Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> >Envoyé : mercredi 9 décembre 2020 12:30 >À : freeipa-users(a)lists.fedorahosted.org >Cc : Nico Maas <mail(a)nico-maas.de> >Objet : [Freeipa-users] freeIPA Status Debian/Ubuntu > >Hello there, > >with the decline of CentOS I need to migrate away from CentOS 8 to something different. >I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"? > >Best regards, > >Nico >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >_______________________________________________ >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 years, 4 months

1
0
0 / 0

Re: freeIPA Status Debian/Ubuntu

by Marc Pearson | i-Neda Ltd

I think they're referring to this: https://www.cyberciti.biz/linux-news/centos-linux-8-will-end-in-2021-and-... Where it looks like CentOS is to become a rolling distro after 8, it's not going away though, and being rolling isn't a bad thing as most distro's are rolling now. -----Original Message----- From: Jonathan Aquilina via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: 09 December 2020 11:54 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be>; Jonathan Aquilina <jaquilina(a)eagleeyet.net> Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu From what I understand Centos Stream is going to be a rolling distro. -----Original Message----- From: LHEUREUX Bernard via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: 09 December 2020 12:51 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> Cc: Nico Maas <mail(a)nico-maas.de>; LHEUREUX Bernard <Bernard.LHEUREUX(a)nethys.be> Subject: [Freeipa-users] Re: freeIPA Status Debian/Ubuntu Decline of CentOS ??? -----Message d'origine----- De : Nico Maas via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Envoyé : mercredi 9 décembre 2020 12:30 À : freeipa-users(a)lists.fedorahosted.org Cc : Nico Maas <mail(a)nico-maas.de> Objet : [Freeipa-users] freeIPA Status Debian/Ubuntu Hello there, with the decline of CentOS I need to migrate away from CentOS 8 to something different. I just wanted to ask how currently the status of the Debian or Ubuntu versions of freeIPA is - and if there is any possibility to migrate freeIPA installation / "backup and restore"? Best regards, Nico _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Ce message transmis par voie électronique ainsi que toutes ses annexes contiennent des informations qui peuvent être confidentielles ou protégées. Ces informations sont uniquement destinées à l’usage des personnes ou des entités précisées dans les champs ‘A’, ‘Cc’ et ‘Cci’. Si vous n’êtes pas l’un de ces destinataires, soyez conscient que toute forme, partielle ou complète, de divulgation, copie, distribution ou utilisation de ces informations est strictement interdite. Si vous avez reçu ce message par erreur, veuillez nous en informer par téléphone ou par message électronique et détruire les informations immédiatement. Ce message n’engage que son signataire et aucunement son employeur. _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

3 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users December 2020