Having an IPA Samba share mapped in Windows and wanting to
amend a folder permission:
"Select User or Group" -> "Advanced" -> "Find Now"
such a Win10 client will list/show everything but users.
I do it on a freshly installed IPA, very little there, only a
couple of users.
Would you care to share thoughts as to why 'users' do not
If it may make it more interesting - when in the first step a
username is typed in and then "Check Names" is clicked, then the
given user is found and shown.
many thanks, L.
Can anyone confirm if RedHat IDM is supported/recommended to run in containers in a production environment? I would like to know if there are any drawbacks before I put any effort into implementing it. I would like to use it with one replica and a trust with Active Directory.
Thank you!
I would like to know the best practice for patching FreeIPA-Server
packages. We generally have daily patching enabled in our servers. Will it
be a good idea to do automatic patching of FreeIPA-Server packages?
If we want to restrict the FreeIPA-Server packages from automatic
upgrade and rather keep it for manual upgrade, what are the packages we
should hold back with a version restriction? And how frequently should we
do the manual upgrade? If the FreeIPA-client packages are upgraded
regularly by daily patching (yum-cron or unattended upgrades), will there be
any problem with authentication, if the FreeIPA-Servers are behind version
We have two FreeIPA environments, one with CentOS7 and another with
CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and 20) and
CentOS (7 and 8).
Any help and guidance is appreciated.
If I successfully install FreeIPA in FIPS mode, does that mean that all my clients that call on the server need to be in FIPS mode as well? Or can I just have the server in FIPS mode and the clients in whatever mode I want?
Thanks in advance.
We've been trying to figure this out for a day. Looking for some help please.
We have servers ipa1 and ipa2. The ipa1 was installed first and it can delegate to a subdomain fine. The ipa2 server does not get an answer. Looking at packets on ipa2, they end up going to my general forwarders to the outside world.
This must have been seen before but I can't find a previous post.
Thanks so much!
# ipa dnsforwardzone-find emcisi2.emc2.
Zone name: emcisi2.emc2.
Active zone: TRUE
Zone forwarders: 192.168.75.175
Forward policy: first
# ipa dnsrecord-find example.com emc2
Record name: emc2
NS record: emcisi2.emc2.example.com.
Record name: emcisi2.emc2
A record: 192.168.75.175
# ipa dnsrecord-find 75.168.192.in-addr.arpa. 175
Record name: 175
PTR record: emcisi2.emc2.example.com.
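The quickest way to see the asymmetry described above is to ask both IPA DNS servers the same NS question for the delegated zone and compare the answers: the server whose reply is empty or an error is the one whose forward zone is not being applied. The following is an added example, not code from the original post or from FreeIPA; it uses only the Python standard library, the server addresses are placeholders, and the sample reply packets are constructed for the parser.

```python
"""Ask each IPA DNS server for the NS records of a delegated subdomain and
flag servers whose answer disagrees. Added example, not code from the
original post; server addresses are placeholders and the sample packets
are constructed here. Standard library only."""
import socket
import struct

NS = 2  # DNS RR type for a name-server record


def encode_name(name):
    """Wire-encode a dotted name ("emcisi2.emc2." -> length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=NS, txid=0x1234):
    """Minimal recursion-desired query: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(pkt):
    """Return (rcode, answers, authority); each RR is (name, type, rdata)."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(pkt, off)
        off += 4
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
            off += 10
            if rtype in (NS, 5, 12):  # NS, CNAME and PTR rdata is a name
                rdata, _ = read_name(pkt, off)
            elif rtype == 1 and rdlen == 4:  # A record
                rdata = ".".join(str(b) for b in pkt[off:off + 4])
            else:
                rdata = bytes(pkt[off:off + rdlen])
            off += rdlen
            rrs.append((name, rtype, rdata))
        sections.append(rrs)
    return flags & 0x000F, sections[0], sections[1]


def query_server(server, name, qtype=NS, timeout=3.0):
    """Send the query over UDP to one server and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def build_response(name, ns_targets, rcode=0, txid=0x1234):
    """Construct a reply packet; used only as sample input for the parser."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ns_targets), 0, 0)
    body = encode_name(name) + struct.pack(">HH", NS, 1)
    for target in ns_targets:
        rdata = encode_name(target)
        body += encode_name(name) + struct.pack(">HHIH", NS, 1, 300, len(rdata)) + rdata
    return header + body


def delegation_report(zone, responses):
    """responses: {server: parse_response(...)}. Map server -> (rcode, NS targets)."""
    report = {}
    for server, (rcode, answers, authority) in responses.items():
        targets = sorted(r[2] for r in answers + authority if r[1] == NS and r[0] == zone)
        report[server] = (rcode, targets)
    return report


def divergent_servers(report):
    """Servers that errored or whose NS set differs from the most common good answer."""
    good = [tuple(ns) for rcode, ns in report.values() if rcode == 0 and ns]
    if not good:
        return sorted(report)
    reference = max(sorted(set(good)), key=good.count)
    return sorted(s for s, (rcode, ns) in report.items() if rcode != 0 or tuple(ns) != reference)


if __name__ == "__main__":  # live use: replace the placeholder addresses
    servers = {"ipa1": "192.0.2.1", "ipa2": "192.0.2.2"}
    live = {n: query_server(ip, "emcisi2.emc2.") for n, ip in servers.items()}
    print(delegation_report("emcisi2.emc2.", live), divergent_servers(delegation_report("emcisi2.emc2.", live)))
```

Run it from a host that can reach both servers on UDP 53; a server reporting rcode 3 (NXDOMAIN) or an empty NS set for the zone is the one that is not honouring the forward zone, which matches the "packets go to the general forwarders" symptom.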
I've just perused the list and seem to have found a single entry where
an IPA master/replica is configured with the following items:
1.) ipa_server_mode = true
2.) ipa_server = master, replica1, replica2
Is it recommended to have all IPA servers listed in the server's
sssd.conf? For example:
ipa_server = master.domain, replica.domain
ipa_server_mode = true
ipa_server = replica.domain, master.domain
ipa_server_mode = true
The idea is that `sssctl domain-status` would return all possible IPA
servers on the server itself, vs. just itself.
I apologize if this should have gone to the SSSD list instead.
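Whatever policy one settles on, it helps to be able to check every server's sssd.conf against the real topology rather than reading them by hand. The following is an added example, not code from the post or from SSSD: it parses the relevant [domain/...] section and reports whether ipa_server_mode is on, whether the host lists itself first, and which topology servers are absent from ipa_server. The config text and the server list are constructed.

```python
"""Inspect the ipa_server / ipa_server_mode settings in an IPA server's
sssd.conf. Added example, not from the post or from SSSD; SAMPLE_SSSD_CONF
and TOPOLOGY_SERVERS are constructed sample input."""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
ipa_server_mode = True
ipa_hostname = replica.example.test
ipa_server = replica.example.test
"""

# Constructed topology: every IPA server that exists in this deployment.
TOPOLOGY_SERVERS = ["master.example.test", "replica.example.test"]


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off so '%' in values is harmless."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ipa_domain_sections(cp):
    """Names of [domain/...] sections whose id_provider is ipa."""
    return [s for s in cp.sections()
            if s.startswith("domain/") and cp.get(s, "id_provider", fallback="") == "ipa"]


def server_list(cp, section):
    """ipa_server may be comma- or space-separated; _srv_ means DNS SRV discovery."""
    raw = cp.get(section, "ipa_server", fallback="")
    return [s for s in raw.replace(",", " ").split() if s]


def inspect_ipa_servers(cp, topology):
    """Return observations (strings) for every IPA domain section. An empty
    list means this host is listed first and no topology server is absent."""
    notes = []
    for section in ipa_domain_sections(cp):
        mode = cp.get(section, "ipa_server_mode", fallback="false").strip().lower() == "true"
        me = cp.get(section, "ipa_hostname", fallback="")
        listed = server_list(cp, section)
        if not listed:
            notes.append(f"{section}: ipa_server is unset")
            continue
        if mode and listed[0] != me:
            notes.append(f"{section}: ipa_server_mode is True but the first ipa_server entry "
                         f"is {listed[0]}, not this host ({me})")
        absent = sorted(set(topology) - set(listed))
        if absent:
            notes.append(f"{section}: ipa_server omits {', '.join(absent)}")
    return notes


def inspect_text(text, topology=TOPOLOGY_SERVERS):
    """Convenience wrapper: config text in, observations out."""
    return inspect_ipa_servers(parse_sssd_conf(text), topology)


if __name__ == "__main__":
    for line in inspect_text(SAMPLE_SSSD_CONF) or ["no observations"]:
        print(line)
```

To run it against a real server, read /etc/sssd/sssd.conf (root-only, mode 0600) and pass the output of `ipa server-find` as the topology list; the observations are reported, not treated as errors, because whether a server in ipa_server_mode should list peers at all is exactly the question the post raises.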
I have been trying to create a Docker container using Debian 10 for the FreeIPA server installation and I am getting the following error almost at the end of the installation after running:
The IPA Master Server will be configured with:
IP address(es): x.x.x.x
Domain name: test.com
Realm name: TEST.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=TEST.COM
Subject base: O=TEST.COM
The interesting part is that it almost finishes the installation, but fails at the end with this. I really think it is nothing related to the cert, as I selected a self-signed certificate during the installation of FreeIPA.
[11/30]: starting certificate server instance
[12/30]: configure certmonger for renewals
[13/30]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.******.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Certificate issuance failed (CA_REJECTED: Server at "https://freeipa.*****.com:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
I am not sure if there is any relation with my host file configuration, though it is talking about the certificate in the following message.
Checking the freeipa logs I have got the following log in /var/log/ipaserver-install.log:
File "/usr/lib/python3/dist-packages/ipaserver/install/dogtaginstance.py", line 520, in handle_setup_error
raise RuntimeError("%s configuration failed." % self.subsystem)
2021-04-10T17:00:51Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA configuration failed.
2021-04-10T17:00:51Z ERROR CA configuration failed.
I provide more information: I can see the following services related with this already running:
pki-tomcatd(a)pki-tomcat.service loaded active running PKI Tomcat Server pki-tomcat
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysusers.service loaded active exited Create System Users
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
-.slice loaded active active Root Slice
system-dirsrv.slice loaded active active system-dirsrv.slice
system-getty.slice loaded active active system-getty.slice
system-modprobe.slice loaded active active system-modprobe.slice
system-pki\x2dtomcatd.slice loaded active active system-pki\x2dtomcatd.slice
system.slice loaded active active System Slice
dbus.socket loaded active running D-Bus System Message Bus Socket
systemd-initctl.socket loaded active listening initctl Compatibility Named Pipe
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
Not sure what the issue is. The /var/log/pki/pki-tomcat doesn't show much. :/
There is not much help with the logs, just trying to confirm if someone has seen something similar.
Thank you for your help,
I tried to promote an ipa-client to an ipa-replica. That particular host
has previously been a replica but has been removed due to a faulty base
OS configuration. When I do an ldapsearch from the top of the LDAP tree
(dc=linux,dc=mydomain,dc=at) I could not find any entries before
ipa-replica-install fails with "DEBUG The ipa-replica-install command
failed, exception: ScriptError: A replication agreement for this host
already exists. It needs to be removed." Why do I get this error? I
cannot find ANY topology-related entries in LDAP.
Is there a way to enable a user to be able to retrieve all host keytabs
without explicitly allowing for each host?
In short we have a very large, stateless environment. We are currently in
the process of converting to RHEL in order to receive support. The size of
our environment makes force joining on boot a nightmare even though it
worked in testing. I have spoken with our RH rep and the advice we received
from the IDM team, via our rep, was to retrieve the host keytab on boot for
registered machines. We are aware of the risks involved but need a solution
that allows 8k plus hosts to boot without completely overloading the
FreeIPA cluster. With the available documentation I cannot find a way to
allow the service account we will be using to retrieve all host keytabs. As
you can imagine, explicitly allowing for each host would be a tedious process
and prone to error.
Thanks in advance for any responses.
Senior Linux Administrator
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
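An account that can retrieve every host keytab is, from an attacker's point of view, worth as much as all 8,000 hosts together, so whichever grant mechanism is used it should be inventoried regularly. The following is an added example, not from the post or from FreeIPA, of auditing that inventory from an LDIF dump of the host entries. It assumes that per-host retrieval rights live in the LDAP attribute ipaAllowedToPerform;read_keys (the attribute that `ipa host-allow-retrieve-keytab` manages); the LDIF below is constructed sample input.

```python
"""Audit which users or groups may retrieve host keytabs, from an LDIF dump
of the IPA host entries. Added example, not from the post or from FreeIPA;
assumes the grant is stored in ipaAllowedToPerform;read_keys and the LDIF
below is constructed sample input (one folded line, one base64 value)."""
import base64
from collections import defaultdict

READ_KEYS = "ipaallowedtoperform;read_keys"  # attribute names are compared lower-cased

SAMPLE_LDIF = """\
# constructed: ldapsearch -LLL -b cn=computers,cn=accounts,dc=example,dc=test
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: web1.example.test
ipaAllowedToPerform;read_keys: uid=bootstrap,cn=users,cn=accounts,dc=example,dc
 =test

dn: fqdn=web2.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: web2.example.test
ipaAllowedToPerform;read_keys: uid=bootstrap,cn=users,cn=accounts,dc=example,dc=test
ipaAllowedToPerform;read_keys:: Y249b3BzLGNuPWdyb3Vwcyxjbj1hY2NvdW50cyxkYz1leGFtcGxlLGRjPXRlc3Q=

dn: fqdn=db1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: db1.example.test
"""


def parse_ldif(text):
    """Minimal LDIF reader: comments, line folding and base64 (::) values."""
    blocks, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:  # folded continuation of the previous line
            lines[-1] += raw[1:]
        elif raw == "":                    # blank line terminates an entry
            if lines:
                blocks.append(lines)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    entries = []
    for block in blocks:
        entry = defaultdict(list)
        for line in block:
            attr, _, value = line.partition(":")
            if value.startswith(":"):      # attr:: base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            elif value.startswith("<"):    # attr:< url, not needed here
                continue
            else:
                value = value.strip()
            entry[attr.strip().lower()].append(value)
        entries.append(dict(entry))
    return entries


def keytab_grants(entries):
    """Map grantee DN -> sorted list of host FQDNs whose keytab it may retrieve."""
    grants = defaultdict(set)
    for entry in entries:
        for host in entry.get("fqdn", []):
            for grantee in entry.get(READ_KEYS, []):
                grants[grantee].add(host)
    return {g: sorted(h) for g, h in grants.items()}


def broad_grantees(grants, total_hosts, fraction=0.5):
    """Grantees allowed to read keys for at least `fraction` of all hosts: the
    accounts whose compromise would hand over the most host credentials."""
    return sorted(g for g, hosts in grants.items()
                  if total_hosts and len(hosts) / total_hosts >= fraction)


def audit(text, fraction=0.5):
    """LDIF text in; (grant table, list of broad grantees) out."""
    hosts = [e for e in parse_ldif(text) if e.get("fqdn")]
    grants = keytab_grants(hosts)
    return grants, broad_grantees(grants, len(hosts), fraction)


if __name__ == "__main__":
    table, broad = audit(SAMPLE_LDIF)
    for grantee, hosts in table.items():
        print(f"{grantee}: {len(hosts)} host(s)")
    print("broad grantees:", broad)
```

The output is a per-grantee host count; any grantee that covers a large fraction of the fleet (the bootstrap account in the sample) is the one whose credential handling, rotation and monitoring deserve the most attention.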
I have recently found out that when adding SUDO rules to my IPA server, the host groups are not evaluated correctly. I am using the same host groups in my HBAC and they are working correctly. If I remove the host groups from the SUDO rule, and instead directly put the server in as an individual host, the SUDO rule works correctly. If I simply set it to allow "all" hosts, while leaving the rest of the SUDO rule the same, it also works.
Running a sudo command with the host groups provides the error:
"test1 is not allowed to run sudo on srv1. This incident will be reported."
I have turned on some debugging for SSSD and SUDO but it is extremely verbose, and after realizing the same host groups work with HBAC, I am skeptical this is an issue with my configuration. Anyone have some troubleshooting tips or workarounds? Is there perhaps a known bug I didn't find about this? As much as I hate it, my "right now" workaround is to just allow it on all hosts, and rely on my HBAC to determine what groups can log into what hosts. However, this isn't a true fix, just a stop gap while I look into this.
IPA Client versions:
VERSION: 4.6.8, API_VERSION: 2.237
IPA Server version:
VERSION: 4.6.8, API_VERSION: 2.237