Freeipa docker with Traefik docker
by Sami Hulkko
Hi,
Is there anyone who could point me to some info about the matter of
having FreeIPA Docker behind a Traefik Docker reverse proxy? I could not
make it work with both dockers on the same machine. I got a 404 from Traefik
and with extensive search found only one post chain about the problem.
My wild guess is that due to the large number of open ports on the FreeIPA
Docker the Traefik proxy gets confused.
There is also the issue of certificates: if one uses Letsencrypt certs
for the IPA frontend (www) and these certificates must be inside the Docker
container (ipa cert install....), the certs on Traefik can get out of sync
with the IPA ones. Now I have them with certmonger from Letsencrypt, with a
deploy-hooks script installing them automatically into the IPA Docker and
rebooting the docker.
--
Me worry? That's why my first CD was Peter Gabriel SO....
Sami Hulkko
sahulkko(a)gmail.com
sahulkko(a)icloud.com
samihulkko(a)quantum-black-hole.com
+358 45 85693 919
1 year, 6 months
newbie question, LDAP
by Günther J. Niederwimmer
Hello List,
Is it actually possible to display the LDAP database with phpLDAPadmin (from
EPEL), or does this destroy the FreeIPA installation?
Or can't phpLDAPadmin handle the 389 Directory Server?
Thanks for an answer,
--
with kind regards / best regards,
Günther J. Niederwimmer
1 year, 6 months
Connection Reset upon kinit
by Ronald Wimmer
Hi,
On one of our IPA servers kinit stopped working. kinit admin shows an error:
kinit: Connection reset by peer while getting default ccache
Why? What could possibly be wrong? (The default ccache should be on the
same machine, so why do I get a connection reset here?)
Cheers,
Ronald
1 year, 6 months
[hbac_evaluate] (0x0100): The rule [somerulename] did not match.
by Ronald Wimmer
I tried to give user access permissions to a specific host but when I
try to log in via ssh I get an error:
[hbac_evaluate] (0x0100): The rule [somerulename] did not match.
somegroup (POSIX)
-somegroup-external
-some AD user
-another AD user
ipa hbacrule-show somerulename
Rule name: somerulename
Enabled: TRUE
User Groups: somegroup
Hosts: somehost.doma.mydomain.at
HBAC Services: sshd, sudo, sudo-i
As we were relatively new to IPA, we set up the trust to the domain these
users come from as a "Non-transitive external trust to a domain in
another Active Directory forest" ages ago. However, both users can be
resolved on somehost.doma.mydomain.at with getent or id.
Can you think of a reason why these users get an access denied error?
Any hints would be highly appreciated!
Cheers,
Ronald
1 year, 6 months
Extraction timestamp of nsAccountLock change
by Jim Kinney
Is there a way to get the timestamp of when a user account was marked locked?
I'm trying to show that a locked-out user had an existing open connection
before the lockout happened. The next process that ran through a PAM login
was properly denied, but the screenshot indicates they were already on a
system.
And, yes, the policy change will include the account lock followed by an
aggressive kill -9 of all running processes on all nodes.
1 year, 6 months
Issue logging to desktop sessions
by Antoine Gatineau
Dear freeipa-users,
I have recently been having trouble logging into my KDE sessions.
Client OS: Fedora 36 KDE Plasma (up to date) (freeipa-client 4.10.0-4, sssd 2.7.4-1)
Server: CentOS Stream 9 (ipa 4.10.0-6)
Here are my symptoms:
ipa user on KDE Wayland: kwin_wayland_wrapper crashes
ipa user on KDE X11: login ok, but PolicyKit integration seems broken. Can't connect to qemu, for instance, or apply system settings. Running `id` returns the expected groups and uid.
ipa user on Console: login ok
ipa user on ssh: login ok.
Local users: no problem
Brand new ipa user: same login issues
The only way I found to be able to log in correctly is to stop sssd, remove the cache files and reboot:
systemctl stop sssd && rm -rf /var/lib/sss/db/* && reboot
After that I can successfully log in with a Wayland and X11 session. At the next reboot, session login will fail.
I am not sure there is an issue with the FreeIPA integration itself, but given that rebooting with a clean sssd context makes it work, I assume sssd and FreeIPA are involved somehow.
It could also be an issue with KDE itself or my IPA configuration.
I still need to start troubleshooting somewhere.
Find attached sssd debug logs from the client. I didn't find anything strange, but someone else might.
If logs are needed, I can easily reproduce the issue and generate logs or test changes.
If someone with the same setup can confirm it works for them, that would be great.
If this is absolutely not the place for this request, please say so ;-)
Any help troubleshooting this issue is appreciated.
Regards
1 year, 7 months
Why 80 port in IPA instead of 443
by MANIDEEP SAI
Hi Team,
Why is port 80 checked during the connection between the IPA central server
and the IPA replica?
During IPA replica installation, is port 80 mandatory?
Without port 80, can we proceed with the installation using only 443?
Regards
ManideepSai
1 year, 7 months
Changing the IP address of IPA Replica Server
by MANIDEEP SAI
Hi Team,
Changing the IP address of an IPA replica server
I have an IPA replica server with 10 hosts integrated with it.
If I change the IP address of the replica server, what will be the impact
from the central IPA server and on the IPA client hosts?
What are the steps I need to follow to change the IP?
1 year, 7 months