ipantuserattrs - newly created users lack
by lejeczek
Hi guys.
I create new users - it goes error-free, seemingly - and the
integrated Samba does not see them. "Old" users are fine,
and one obvious, easy-to-spot thing is that new users lack
'ipantuserattrs'.
An old user:
objectclass: top, person, organizationalperson,
inetorgperson, inetuser, posixaccount,
krbprincipalaux, krbticketpolicyaux,
ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry,
ipantuserattrs
a new one:
objectclass: top, person, organizationalperson,
inetorgperson, inetuser, posixaccount,
krbprincipalaux, krbticketpolicyaux,
ipaobject, ipasshuser,
ipaSshGroupOfPubKeys, mepOriginEntry
Is the Samba integration broken, and if yes, how do I check
and fix it?
many thanks, L.
1 year, 11 months
FreeIPA - clean off-line cache
by m57n2
Hello,
I have set up a test-bed environment consisting of:
IPA server [master] - OL8.4
IPA server [replica] - OL8.4
IPA client1 - OL8.4
IPA client2 - OL8.4
IPA client3 - Ubuntu20.04LTS
//I've installed "master" manually and the rest of hosts via ansible playbooks.
All works fine: a user created in the IPA directory [let's say: "adminux"] can successfully log in on the clients with SUDO privileges.
Now I started to test offline [sssd] login... and it works [too] fine => the user can log into the system even though it was disabled on the IPA server!
I started to tune the sssd.conf parameters:
------------------------------------------------------
root@cl3:~# vim /etc/sssd/sssd.conf
[domain/ux.example.com]
id_provider = ipa
ipa_server = _srv_, idm1.ux.example.com
ipa_domain = ux.example.com
ipa_hostname = cl3.ux.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens33
krb5_store_password_if_offline = True
entry_cache_timeout = 60
account_cache_expiration = 1
[sssd]
services = nss, pam, ssh, sudo
domains = ux.example.com
[nss]
homedir_substring = /home
enum_cache_timeout = 10
entry_cache_nowait_percentage = 0
[pam]
pam_verbosity = 3
offline_credentials_expiration = 1
[sudo]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
--------------------------------------------------
I was also trying to erase the sssd cache with the command:
#sss_cache -E
...but it doesn't work in my test env!
I'd appreciate any suggestions on "How can I control the off-line logon cache in case of user creation, user deletion, user rights changes and so on..."?
Regards,
m.
1 year, 11 months
How to allow gitlab with letsencrypt certificate to query freeipa AD
by MERCIER Jonathan
Dear,
I would like to allow the gitlab instance to query the 389 AD, but when I try to log in through the LDAP form I get this error:
Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)".
I tried this to solve it, without success:
I picked the gitlab *.crt file and, through the freeipa UI, from the host tab I selected the gitlab host and after this I added the certificates,
but the error is still there.
1 year, 12 months
How to update the certificate authority
by MERCIER Jonathan
Dear,
Firstly, thanks to the freeipa team for their amazing work on this tool suite.
I would like to know how to replace the self-signed certificate with a purchased domain certificate in order to get a signed certificate for each service.
Thanks a lot
Have a nice day (and weekend)
1 year, 12 months
After waking up from suspend krb5_child: Disk quota exceeded
by Kees Bakker
Hi,
Every now and then I cannot log in anymore after waking up from a suspend.
I'm getting krb5_child: Disk quota exceeded
I suspend my PC at the end of the working day. Most of the time I can unlock
my screen after waking up. But now it happened two days in a row.
I have tried restarting sssd, certmonger (after logging in with a local user).
That doesn't help.
The only thing that seems to help is a reboot.
This happens on a Ubuntu 20.04 system with freeipa-client 4.8.6-1ubuntu2,
sssd 2.2.3-3ubuntu0.6
Can anyone give me a hint on how to enable more debugging/logging? Or should
I ask for help on another mailing list?
--
Kees
1 year, 12 months
Migration UI endpoint broken (missing user.js)
by Peter Fern
Hi all,
I'm performing a migration currently, and migrate-ds went smoothly;
however, when attempting to generate the Kerberos credentials as a user
by visiting the documented http://server/ui/migration/ endpoint, the
page fails to load entirely, because it attempts to load a non-existent
JavaScript file (user.js). The result is an empty white page, with no
elements.
IPA v4.9.2
Error from JS console:
GET https://myipaserver/ipa/ui/js/freeipa/user.js?40902 net::ERR_ABORTED
404 (Not Found)
dojo.js?v=40902:formatted:1331 Error: scriptError: js/freeipa/user.js?40902
at makeError (dojo.js?v=40902:formatted:43)
at HTMLScriptElement.<anonymous> (dojo.js?v=40902:formatted:1205)
<stacktrace snipped>
Any thoughts as to why this is broken, and anything I can do to hack
around it in the very short term?
Cheers,
Pete
1 year, 12 months
freeipa servers - centos and redhat
by Kathy Zhu
Hi List,
All our current freeipa servers are running Centos OS 7. We are thinking of
moving to Red Hat in order to get better support. Is it possible and safe
to have some Centos ipa masters and some Red Hat ipa masters in the same
domain/cluster? If yes, that could make this move very easy and smooth -
just swap in RedHat master and swap out Centos masters.
I'd like to know if anyone made such a move in the past and how it went.
Thanks!
Kathy.
1 year, 12 months