Re: ipa upgrade failed
by Johannes Falke
How did you actually manage to resolve this issue? I'm seeing the same thing trying to upgrade either f35->f37 or f35->f36 (and NO ldap errors).
On f35, freeipa says it's healthy.
1 day, 8 hours
Override Sudo Rule for one host
by Russ Long
I'm setting up a new FreeIPA cluster/environment, and have one host that I do not want included in my sudo rule that normally allows sudo to all hosts.
Basically, this machine is holding highly sensitive data, and will be used by multiple people who normally have sudo to all hosts, but I do not want them to have sudo on this host.
I do not see a way to exclude a host. Is the only option to add every other host manually to a rule, or is there a way to "blacklist" a certain host in a sudo rule?
--Russ
1 day, 15 hours
SMB share with IPA ID Views user and group mapping
by Yossi Hayat
Hi,
To centrally manage all credentials from Active Directory, we configured FreeIPA integration with Active Directory to authenticate users to IPA-joined Linux machines via SSSD using AD credentials.
The Linux machines have NFS shares mounted on their local filesystems which we use to work in a sharable way.
We have configured FreeIPA "ID Views" for each user to override the AD-originating generic UID and GID with shorter UID and GID values. This is to preserve IPA-authenticated users' NFS permissions that were inherited from the previous Linux directory management system (NIS) we used and for simplicity.
When working locally or remotely (SSH/VNC) on the Linux machines, everything is working as expected with no issues.
Our problem is with SMB: we need to share the NFS shares over SMB for direct File Explorer access for Windows users. For this purpose, we have an Ubuntu machine we use as an SMB server.
The server is joined to IPA as a client and has all NFS shares mounted locally on its filesystem.
The ideal way is to somehow configure SMB to forward authentication to IPA (as if it were a local/SSH authentication to the server) and map the ID Views user and group IDs to preserve permissions.
We searched all over the internet and didn't find a working solution for this use case.
Is this supported? If yes, how can this be implemented?
1 day, 17 hours
replica in DMZ with trust-agent
by slek kus
Hi, I deployed a third replica in a DMZ network for clients that do not route to the main IPA masters. Not sure if this is a workable setup.
I can join clients using --fixed-primary and can log on with AD (one-way trust). This third replica has the trust-agent role.
I might be approaching this incorrectly. Posting here for advice; has anyone attempted this, and how should I approach it?
It seems to be working, except the sudo rules.
I have posted a diagram here: https://ibb.co/WkQj9yD
1 day, 20 hours
Prevent domain-local groups from being mapped at all
by Ronald Wimmer
Is there a way for preventing AD domain-local groups from being mapped into IPA? From time to time colleagues try to use AD groups with scope 'domain local'. Personally, I do not see a use case for these groups mapped into IPA...
Cheers,
Ronald
1 day, 21 hours
Ranger FreeIPA Integration
by Mike Patterson
Anyone have success with integrating FreeIPA with Ranger?
I have them synced and it generally works, but I'm confused by the lack of attributes being shared by FreeIPA concerning Users.
I'm unclear if FreeIPA isn't sharing attributes (beyond the most basic) via the LDAP protocol or if Ranger is not set up to read/display/use them, or both.
Any suggestions are greatly appreciated.
Mike
5 days, 18 hours
Ranger FreeIPA Integration
by Mike Patterson
Anyone have success with integrating FreeIPA with Ranger?
I have them synced and it generally works, but I'm confused by the lack of attributes being shared by FreeIPA concerning Users.
I'm unclear if FreeIPA isn't sharing attributes (beyond the most basic) via the LDAP protocol or if Ranger is not set up to read/display/use them, or both.
Any suggestions are greatly appreciated.
Mike
6 days, 15 hours
FreeIPA on CentOS 7 fails with latest bind packages
by Jeremy Utley
Hello Everyone!
We have a pair of IPA servers running under CentOS 7 (I know, EOL is approaching, and we are working on migrating!). When we applied the latest patches this morning, the new bind packages were causing named-pkcs11 to core dump during ipa-server-upgrade. The new package versions were:
bind-9.11.4-26.P2.el7_9.16.x86_64
bind-dyndb-ldap-11.1-7.el7_9.1.x86_64.rpm
The error we saw is almost identical to what is documented at:
https://access.redhat.com/solutions/7065748
for RHEL8/9, but the recommended fixes did not help.
We rolled our installation back to the previous bind packages and everything works again. I don't think there's anyplace remaining to submit CentOS 7 bug reports, and I'm also not sure if this same issue would impact the remaining RHEL 7 installs, since we have no RHEL licensing. So I thought I would put it out on here, so at least others are aware of the issue!
6 days, 21 hours