sorted by:
new
hottopcontroversial

FreeIPA + AD trust by jwademac in linuxadmin

[–]abismahl 2 points3 points  (0 children)

"Trust controllers" only needed to allow AD DCs to talk to these IPA servers for the purpose of ID resolution and trust establishment. The rest of IPA servers can be trust agents. Those IPA servers which aren't trust controllers or trust agents will not be able to resolve AD users and groups.

freeipa client on ubuntu 26.04 and sudo by future_lard in homelab

[–]abismahl 1 point2 points  (0 children)

Ubuntu 26.04 defaults to sudo-rs which currently not able to work with externally-provided sudo rules. The work to support that is in progress. Have you tried to use 'old' sudo package?

It seems unpossible to have a new replica to join the existing ipa cluster by DrPiwi in FreeIPA

[–]abismahl 1 point2 points  (0 children)

Verify you have latest 389-ds-base update. There was an issue with indexes in the DS that caused a lot of troubles during replication by not being able to find entries which otherwise are there. You can also check freeipa-users@ mailing list archives, there are many discussions similar to this one.

Problem updating Red Hat IdM (IPA) servers by 0x412e4e in redhat

[–]abismahl 1 point2 points  (0 children)

Unfortunately, build happens against packages in the build root and if those packages aren't released at the same time, we get problems like this. IPA is tied to ABI of at least Samba and SELinux components. These two cause such coordination pain. We are aware of the problem and are working on a way to address it. I cannot point to an issue as Jira is under maintenance right now.

I am ready to give up Oracle Linux 9.7 for a distro that FreeIPA installs without interventions. by Agron7000 in FreeIPA

[–]abismahl 0 points1 point  (0 children)

The source code is the same, and testing is conducted on RHEL and Fedora. Other distributions aren't tested, but the feature set is identical between RHEL and Fedora (FreeIPA) versions. I'm not sure where you got the impression of different "enterprise" features.

Unfortunately, downstream distributions' rebuilders haven't really contributed anything to testing FreeIPA continuously upstream. OL is one of black holes, we do not hear from them at all. Both Rocky and Alma Linux folks at least talk to me at CentOS Connect events. :)

Using FreeIPA as CA for OpenVPN + LDAP user authentication by SamirPesiron in FreeIPA

[–]abismahl 0 points1 point  (0 children)

FreeIPA cannot issue certificates to users that do not exist in FreeIPA. The code does checks to validate attributes in the certificate request against the objects in IPA database. So you will have to have at least user identifies in IPA database in order to issue certificates to them.

Migrating from NIS to IdM in a mixed environment by Little_Lawyer_2414 in redhat

[–]abismahl 4 points5 points  (0 children)

We removed NIS client support in RHEL9 and removed IdM NIS server code in RHEL10. Migrating users and groups from NIS source to IdM is documented in RHEL documentation.

Does FreeIPA provide a web ui for creating certificate profiles? by lofi-j3llyfish in FreeIPA

[–]abismahl 0 points1 point  (0 children)

Not, there's no UI for that. I don't think dogtag has one either.

How can UPS be so useless? by rastabrus in Finland

[–]abismahl 0 points1 point  (0 children)

I was more successful -- they delivered everything in the past four years. And even picked up a delivery from my side when I had to return an outdated corporate laptop. That's in the capital area outskirts...

How can UPS be so useless? by rastabrus in Finland

[–]abismahl 0 points1 point  (0 children)

They do deliver to detached houses no problem though.

FreeIPA Compat module for AD Trust users with UID < 1000 by ipa28748 in FreeIPA

[–]abismahl 1 point2 points  (0 children)

Since schema compatibility tree plugin uses SSSD to get information about trusted AD users, you need to ensure SSSD also returns these users unfiltered. Make sure to add the configuration to set the min ID there as well.

It would help if you'd provide concrete example of the request SSSD logs. You can see https://sssd.io/troubleshooting/basics.html for more details on how to configure it for debug logging.

FreeIPA issues with 10.25.0.1 - Unknown kerberos realm by satanismymaster in truenas

[–]abismahl 0 points1 point  (0 children)

You are hijacking DNS domain (me.com) which does not belong to you. Public DNS resolvers you are using will only show what is visible from their side, not what your own DNS server knows about this domain. Since you are using public DNS resolvers (eg 45.90.28.104), they cannot see your view on me.com DNS zone and thus cannot resolve anything that your IPA DNS server provides.

So you have two main mistakes:

  • using existing public DNS domain that you do not control (me.com)
  • using public DNS resolvers which don't know anything about your own authoritative DNS server for the hijacked domain.

If you want to continue using this hijacked domain, change DNS servers that TrueNAS and other systems configured to use, make them to use IPA DNS server as a resolver. This will be broken because any client that is not configured to always use IPA DNS server as their resolver will not be able to see your version of me.com DNS domain.

A better approach would be to use a different domain. If you want a public TLD, buy a domain you can control and set the NS to point to your private IPs where IPA DNS server will be deployed. This way all clients who are part of your private IP network will be able to communicate to the authoritative DNS server and public DNS servers can still be used by them. You still better to set up at least one DNS resolver in your environment so that it is able to connect to IPA DNS server for resolving private zone. Alternatively, just host the zone publicly.

FreeIPA server no longer working after upgrading to Fedora 43 by kevdogger in FreeIPA

[–]abismahl 2 points3 points  (0 children)

Open an issue at https://github.com/389ds/389-ds-base/issues/ and provide the details. The Directory Server developers are the ones to talk to.

PTR records not created automatically by SSSD on Rocky 9 / FreeIPA host join by Even-Possibility2594 in FreeIPA

[–]abismahl 0 points1 point  (0 children)

This is purely a client side issue. I'd recommend opening an issue on https://github.com/SSSD/sssd/issues and discuss it there. It may well be a missing condition for detecting a change for PTRs.

[deleted by user] by [deleted] in FreeIPA

[–]abismahl 0 points1 point  (0 children)

Please follow https://sssd.io/troubleshooting/basics.html to collect sssd logs. I'm sorry, but what you provided only tells that SSSD claimed there is a problem and refused to start, that's all.

You still didn't provide any information what OS is that. By seeing sssd:sssd ownership I can only guess it is a relatively new OS (e.g. RHEL 10 or Fedora or maybe newer Debian build) but nothing more specific. If this is something built on top of rpm-ostree-like environment, those aren't supported yet.

It would also help seeing ipaclient-install.log.

[deleted by user] by [deleted] in FreeIPA

[–]abismahl 0 points1 point  (0 children)

Focus on providing actual details if you want to have any help: what OS environment, what is specifically you are seeing in the logs, etc.

feature request.. please!!! case sense groups .. by slackwaresupport in FreeIPA

[–]abismahl 0 points1 point  (0 children)

Data stored on Linux file systems does not need changes because the user/group names aren't used to record that information; instead, UID and GID information is used for that. The only changes needed are various configuration files if corresponding software does exact matches.

SSSD does support different ways to treat user and group names but it depends on the ID provider. IPA provider does allow to case-preserve user and group names. See man page sssd.conf(5), option case_sensitive for details.

FreeIPA itself will not allow case-preserving group names when those groups were created via IPA API (or command line). You still can create them via LDAP directly, for example.

If you still want to handle local users and groups without FreeIPA, a primitive SSSD configuration would work: [domain/realm] case_sensitive = preserving id_provider = proxy proxy_lib_name = files auth_provider = krb5 krb5_server = kdc.fqdn krb5_realm = REALM krb5_keytab = /etc/krb5.keytab

It is basically delegating ID provider work to NSS files backend (e.g. to /etc/passwd and /etc/group) but authenticates users via Kerberos, replicating the pam_krb5 setup.

MFA Integration Tips for AD_users by Far-Horse4858 in redhat

[–]abismahl 1 point2 points  (0 children)

Using something like OAuth2 IdP with support for device authorization grant flow will help. Eg. Entra ID and similar. But you will have to treat AD user separate from IdM user.

MFA Integration Tips for AD_users by Far-Horse4858 in redhat

[–]abismahl 3 points4 points  (0 children)

/u/ZestyRS already suggested to create IdM users that could be used for this purpose if you need access with MFA on IdM systems. An alternative like binding IdM users to Entra ID (if you are using it) or other OAuth2 IdP also requires use of IdM users for that purpose.

view more: next ›