I am trying to get OpenShift to use my FreeIPA installation
(ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider.
OpenShift is refusing to talk to the LDAP server, because its
certificate doesn't contain a subjectAltName.
So I need to re-request/re-issue the certificate with the SAN. Will it
be sufficient to modify the caIPAserviceCert profile to copy the hostname
from the CN to the SAN (as discussed in ) and then use
Will this break anything? (I only have a single IPA server/CA.)
Hello, I recently installed FreeIPA on Ubuntu 18 and tested clients both
from Ubuntu and CentOS, but except for the default admin user, I'm not able to
log in using any user from any client. It says "permission denied" error. Please
Should I create a single reverse zone, or should there be zones for each subnet? 10.1.1/24, 10.1.2/24, 10.1.3/26, 10.1.3.192/26, etc.? 10.1.1-50/ is the likely used IP range, with a few /25-26s.
It would appear that this page is over 6 years old.
The link for the Auth_remoteuser tarball does not exist, and the extension installation instructions are obsolete.
Daniel E. White
NICS Linux Engineer
NASA Goddard Space Flight Center
I would like to know what you think about using the management network (eth1) to enable the flow from clients to IPA servers. My company is concerned about using the production network interface (eth0) and is considering doing everything on the second interface.
Is it worth it?
Pros and cons?
What does your experience say?
I ran into a perplexing problem recently:
We have all of our users/groups stored in ipa, including some "service
accounts" that we run services under. As we started migrating to CentOS 7
we came across the issue with some services configured to store their PID
files in /run (or /var/run) which is tmpfs and the services would fail to
start due to missing pid directories.
We learned that we could create a conf in /usr/lib/tmpfiles.d that would
create the necessary directories on startup. Well, it didn't work. It took
us a while to figure out, but the issue is that the user/group ownership of
the directory was set to a user that is looked up from IPA (via sssd) and
was failing with:
systemd-tmpfiles: [/usr/lib/tmpfiles.d/my-service.conf:1] Unknown
systemd-tmpfiles-setup.service: main process exited, code=exited,
BUT it seems that because sssd.service relies
on systemd-tmpfiles-setup.service, we have a race condition.
sssd.service +271ms
└─basic.target @976ms
  └─sockets.target @975ms
    └─rpcbind.socket @975ms
      └─sysinit.target @969ms
        └─systemd-update-utmp.service @963ms +5ms
          └─auditd.service @933ms +28ms
-->         └─systemd-tmpfiles-setup.service @903ms +29ms
              └─rhel-import-state.service @874ms +28ms
                └─local-fs.target @872ms
                  └─run-user-20137.mount @20.363s
                    └─local-fs-pre.target @680ms
                      └─lvm2-monitor.service @260ms +418ms
                        └─lvm2-lvmetad.service @306ms
                          └─lvm2-lvmetad.socket @260ms
                            └─-.slice
At first, I thought it might be due to the order of nsswitch.conf, but I
group: files sss
group: sss files
and that didn't seem to make a difference.
Curiously: it is not complaining that it can't find the user, only the
Once the system is up, I can log in and:
getent group my_group
So if sssd is waiting on systemd-tmpfiles, how on earth can we ever use
tmpfiles.d with users/groups stored in IPA if sssd isn't "up" yet?
I am not sure how to handle this... just wondering if anyone has come
across this before and if there is a solution.
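A pre-flight check for the failure described in this post, added here as an example and not part of the thread: it parses a tmpfiles.d file and reports every owner or group name that the local passwd/group files (the `files` NSS source) cannot resolve, i.e. entries that would need sssd/IPA to be answering when systemd-tmpfiles-setup.service runs. The conf, passwd and group files in the demo are constructed, and the service user name my_service is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Flags tmpfiles.d entries whose owner or
# group is missing from the local passwd/group files, so the entry depends on
# sssd/IPA being up at the time systemd-tmpfiles-setup.service runs.
# tmpfiles.d line format: Type Path Mode User Group Age Argument

check_tmpfiles_local_owners() {
    conf="$1"; passwd_file="$2"; group_file="$3"; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line                      # split the entry into its fields
        path="$2"; owner="${4:--}"; grp="${5:--}"
        # "-" means root and numeric IDs need no name lookup; only names matter
        case "$owner" in -|*[!0-9]*) ;; *) owner=- ;; esac
        case "$grp"   in -|*[!0-9]*) ;; *) grp=-   ;; esac
        if [ "$owner" != - ] && ! cut -d: -f1 "$passwd_file" | grep -qxF "$owner"; then
            echo "$conf: $path: user '$owner' not in $passwd_file (needs sssd at boot)"
            status=1
        fi
        if [ "$grp" != - ] && ! cut -d: -f1 "$group_file" | grep -qxF "$grp"; then
            echo "$conf: $path: group '$grp' not in $group_file (needs sssd at boot)"
            status=1
        fi
    done < "$conf"
    return $status
}

# Constructed reproduction of the thread's case: the service user is defined
# locally, but the group my_group exists only in IPA.
demo_check() {
    tmp="$(mktemp -d)"
    printf 'd /run/my-service 0755 my_service my_group -\n' > "$tmp/my-service.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\nmy_service:x:1001:1001::/:/sbin/nologin\n' > "$tmp/passwd"
    printf 'root:x:0:\n' > "$tmp/group"
    if check_tmpfiles_local_owners "$tmp/my-service.conf" "$tmp/passwd" "$tmp/group"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo_check || echo "at least one tmpfiles.d entry depends on sssd being up"
```

Run it against the real directory with `check_tmpfiles_local_owners /usr/lib/tmpfiles.d/my-service.conf /etc/passwd /etc/group`; a non-zero exit means the entry cannot be trusted to work before sssd.service has started.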
For some reason, for a particular user, sss_ssh_authorizedkeys is extremely slow on the IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
real 0m9.520s
user 0m0.022s
sys 0m0.018s
It will return all the public keys, but it is slow, causing SSH login delays when using SSH keys.
On another CentOS Stream (8.1) IPA-client, using the same IPA-server:
time /usr/bin/sss_ssh_authorizedkeys <username>
real 0m0.020s
user 0m0.005s
sys 0m0.003s
Some difference... Adding "certificate_verification = no_ocsp" to sssd.conf on the IPA server will bring back performance, but sounds like a poor workaround.
Any idea what is happening here?
Some more details:
CentOS Linux release 8.1.1911 (Core) (stream)
ipa-client-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
sssd-common-2.2.0-19.el8.x86_64
I'd like to monitor couple of FreeIPA servers with prometheus.
What to use to monitor FreeIPA via prometheus? Any tips?
I only found 389ds_exporter, but there's an error when it tries to get
replica agreements. Otherwise it seems to return valid metrics.
DEBU getting replication agreements
ERRO Scrape failed, error is:1 error occurred:
* LDAP Result Code 32 "No Such Object":
I have a CentOS 8 FreeIPA 4.8.0 test environment with a CentOS 8 client. I'm enforcing smart card authentication on the client by setting the "authentication indicator" to "pkinit" with the command "ipa host-mod <client> --auth-ind=pkinit". This works fine to restrict SSH, GDM and console logins to smart card only; however, if I SSH into the client and try to sudo, it of course doesn't accept the password anymore, and since the card is not connected locally to the client, it doesn't prompt for the PIN.
Is there a way to enforce smart card to login, but still allow sudo to accept passwords?
Or to allow sudo to use the ssh-agent auth? (ssh-agent is working fine forwarding auth for SSH connections)
yum install -y pam_ssh_agent_auth
Defaults env_keep += "SSH_AUTH_SOCK"
auth sufficient pam_ssh_agent_auth.so
But "sudo -i" still prompts for the password.
Any suggestions would be appreciated.