August 2019 - FreeIPA-users - Fedora mailing-lists

External groups from AD trust fail with "Incomplete group object for ...[0]! Skipping" (although in the logs all members seem to be fetched)
by Blake Dworaczyk 16 Aug '19

16 Aug '19

I have an IPA domain (ipa.engr.tamu.edu) that has a one-way trust with an AD domain (engr.tamu.edu). I've created a POSIX group called 'linux_team' that contains an external group called 'linux_team_ext', which itself contains the AD group linux_team(a)engr.tamu.edu (from the trusted domain). When I run a 'getent group linux_team', I get nothing back at all. However, it seems that from the logs it does fetch all of the group members: (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-william.luke(a)engr.tam u.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-andrew.eggleston@engr .tamu.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-blake.dworaczyk@engr. tamu.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-david.miller(a)engr.tam u.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-j.polasek(a)engr.tamu.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-matthew.mjelde(a)engr.tamu.edu] to [overridememberUid]. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available. (Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-steve.herring(a)engr.tamu.edu] to [overridememberUid]. Ultimately I see this log entry: (Fri Aug 16 16:16:37 2019) [sssd[nss]] [nss_get_grent] (0x0040): Incomplete group object for linux_team(a)engr.tamu.edu[0]! Skipping I've tested the trust relationship and it seems to work fine. I've also added a user override to the 'Default Trust View' and I'm able to fetch the user without a problem. Everything except for group membership from the trusted AD domain seems to be working. Here are the complete logs: https://drive.google.com/file/d/164_zRBreVtA4P9-MZ0r8MIx-ElFOful-/view?usp=…

1 0

Create kerberos keytab
by Boyd Ako 16 Aug '19

16 Aug '19

So, I tried doing the test section in the V4 doc below. However, I get an error. https://www.freeipa.org/page/V4/Keytab_Retrieval ===================== [root@ipa home]# ipa-getkeytab -r -s ipa.neverland.ddns.me -p NFS/abyss.neverland.ddns.me -k abyss-nfs.keytab Failed to parse result: Insufficient access rights Failed to get keytab

3 7

[Announce] FreeIPA 4.8.1 released
by Alexander Bokovoy 14 Aug '19

14 Aug '19

Hello! The FreeIPA team would like to announce FreeIPA 4.8.1 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 will be available in the official Fedora repository soon. == Highlights in 4.8.1 == * 5608: [RFE] Add Dogtag configuration extensions It is now possible to tune Dogtag configuration when creating a CA by passing an overlay configuration file with --pki-config-override option. Not all options are supported yet and documentation is being worked on. -------- * Release tarball corrections FreeIPA 4.8.0 release tarball did lack two update files. This release adds them back. The files existed in git but weren't installed when building distribution packages. -------- * 8040: ipa migrade-ds regression FreeIPA 4.8.0 tightened access to LDAP connections to disallow passing plainttext credentials over an insecure connection. This broke 'ipa migrate-ds' functionality where in order to migrate to FreeIPA one often needs to connect to a legacy LDAP server which might not be using TLS certificates. FreeIPA 4.8.1 restores ability to use insecure LDAP connections in 'ipa migrate-ds' for migration purposes only. === Enhancements === * 7932 and 7933: index certmap attributes and allow altSecurityIdentities in schema For certificate mapping operations it is possible to specify altSecurityIdentities in the certification mapping filters. The filter is applied by SSSD at both FreeIPA and Active Directory LDAP servers. While nothing is using altSecurityIdentities in FreeIPA now, the schema allows to optimize queries better at LDAP server side. Additionally, other certificate mapping attributes are now indexed to allow faster operations for environments with a large set of mapping rules. -------- * 7991: Profile-based renewal of system certificates FreeIPA-specific certificates tracked by certmonger can now be renewed with preservation of a certificate profile used to issue them. It is also possible to change the certificate profile during update. This is required to allow updating certain profile-specific attributes of the system certificates in future. -------- === Known Issues === === Bug fixes === FreeIPA 4.8.1 is a stabilization release for the features delivered as a part of FreeIPA 4.8 series. There are more than 30 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…) or #freeipa channel on Freenode. == Resolved tickets == * 5608 [RFE] Add Dogtag configuration extensions * 7305 PKINIT status not displayed in the web UI (IPA Server > Configuration) * 7329 update_ra_cert_store does not remove private key from NSSDB * 7548 Need integration test for --external-ca-type=ms-cs * 7597 IPA: IDM drops all custom attributes when moving account from preserved to stage * 7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key * 7810 [F28] Require NSS with fix for p11-kit issue. * 7902 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules * 7908 Write tests for interactive prompt for NTP options. * 7929 ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled * 7932 FreeIPA queries rely on missing attribute altsecurityidentities * 7933 FreeIPA must index certmap attributes. * 7949 test_integration/test_nfs.py fails at cleanup * 7991 Use profile-based renewal for system certificates * 7996 `test_selinuxusermap_plugin` fails against not default SELinux settings * 8004 RHEL 8 uses nis-domainname instead of rhel-domainname * 8005 User field separator uses '$$' within ipaSELinuxUserMapOrder * 8007 Not stable nodeids within pytest * 8008 Azure Pipeline slicing * 8009 Missing execution bit on `ipa-run-tests` within virtualenv * 8012 test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure * 8013 ipa service-find does not list cifs service created by ipa-client-samba * 8015 p11helper: insufficient logging when loading LIBSOFTHSM2_SO * 8019 repeated uninstallation of ipa-client-samba crashes * 8021 ipa-client-samba can not install samba after uninstallation * 8022 azure pipeline: fail if dnf builddep exits on failure * 8024 [WebUI] test_webui/test_trust.py failed because of request timeout * 8026 Update pr-ci definitions with master_3client topology * 8027 test_nfs.py: migrate to master_3client * 8029 ipa host-find --pkey-only includes SSH keys in output * 8030 azure pipelines fail at "Install prerequisites" of Tox job * 8040 ipa migrate-ds fails with internal error. == Detailed changelog since 4.8.0 == === Armando Neto (1) === * travis: update container used for testing ipa-4-8 branch === Alexander Bokovoy (14) === * Update translation and code contributors for FreeIPA 4.8.1 * Switch ipa-4-8 branch to track Zanata ipa-4-8 branch * Update translations for FreeIPA 4.8 branch * Add Theodor van Nahl to the Contributors.txt * Update translations for FreeIPA 4.8.1 * Restore SELinux context for p11-kit config overrides * Change RA agent certificate profile to caSubsystemCert * certmaprule: add negative test for altSecurityIdentities * certmap rules: altSecurityIdentities should only be used for trusted domains * Create indexes for altSecurityIdentities and ipaCertmapData attributes * Add altSecurityIdentities attribute from MS-WSPP schema definition * Use stage and phase attempt counters when saving test artifacts * Use any nodejs version instead of forcing a version before nodejs 11 * Fix rpmlint errors for Rawhide === Christian Heimes (6) === * Allow insecure binds for migration * Don't move keys when key backup is disabled * Update comments to explain caSubsystemCert switch * Test external CA with DNS name constraints * Add PKCS#11 module name to p11helper errors * Use nis-domainname.service on all RH platforms === François Cami (11) === * azure-pipelines.yml: switch to Python 3.7 * test_nfs.py: switch to master_3repl * ipatests: rename config_replica_resolvconf_with_master_data() * test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data() * prci_definitions: add master_3client topology * ipapython/admintool.py: use SERVER_NOT_CONFIGURED * ipa-client-samba: remove state on uninstall * ipatests: test ipa-client-samba after --uninstall * ipa-client-samba: remove and restore smb.conf only on first uninstall * ipatests: test multiple invocations of ipa-client-samba --uninstall * ipatests/azure: display actual dnf repo URLs === Florence Blanc-Renaud (6) === * Nightly test definition: add missing tests * xmlrpc test: add test for preserved > stage user * user-stage: transfer all attributes from preserved to stage user * test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules * Azure pipeline: report failure in prepare-build step * upgrade: remove ipaCert and key from /etc/httpd/alias === Fraser Tweedale (20) === * Add more tests for --external-ca-profile handling * dsinstance: add proflie when tracking certificate * ipatests: test ipa-server-upgrade in CA-less deployment * Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants * cainstance: add profile to IPA RA tracking request * upgrade: fix spurious certmonger re-tracking * upgrade: log missing/misconfigured tracking requests * upgrade: update KRA tracking requests * upgrade: always add profile to tracking requests * dogtaginstance: avoid special cases for Server-Cert * dogtag-ipa-ca-renew-agent: always use profile-based renewal * certmonger: use long options when invoking dogtag-ipa-renew-agent * upgrade: add profile to Dogtag tracking requests * dogtaginstance: add profile to tracking requests * ci: add --external-ca-profile tests to gating * ci: add --external-ca-profile tests to nightly * Collapse --external-ca-profile tests into single class * Fix use of incorrect variable * install: fix --external-ca-profile option * move MSCSTemplate classes to ipalib === Christian Hermann (1) === * configure.ac: don't rely on bashisms === Rob Crittenden (3) === * Don't return SSH keys with ipa host-find --pkey-only * httpinstance: add pinfile when tracking certificate * Remove posixAccount from service_find search filter === Stanislav Levin (4) === * Avoid use of '/tmp' for pip operations * Make use of Azure Pipeline slicing * Simplify ipa-run-tests script * Fix `test_webui.test_selinuxusermap` === Sergey Orlov (3) === * ipatests: new test for trust with partially unreachable AD topology * ipatests: mark test_domain_resolution_order as expectedly failing * ipatests: add test for sudo with runAsUser and domain resolution order. === Sumedh Sidhaye (2) === * Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf * Test: To check ipa replica-manage del <FQDN> does not fail === Serhii Tsymbaliuk (3) === * WebUI tests: Fix request timeout for test_trust * WebUI: Add PKINIT status field to 'Configuration' page * WebUI tests: Fix timeout issues for reset password tests === Tibor Dudlák (4) === * Increase ntp_options test timeout * ipatests: refactor TestNTPoptions * ipatests: Add tests for interactive chronyd config * ipatests: Update test tasks for client to be interactive === Timo Aaltonen (1) === * install: Add missing scripts to app_DATA. === Theodor van Nahl (1) === * Fix UnboundLocalError in ipa-replica-manage on errors -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1 0

Puppet user management with FreeIPA
by Dan White 14 Aug '19

14 Aug '19

Has anyone out there successfully set up Puppet to use FreeIPA as an LDAP provider for user resources ? I found https://www.freeipa.org/page/HowTo/LDAP which says: This use also has no special rights and is unable to write any data in the IPA LDAP server, only read. but this page https://puppet.com/docs/puppet/6.7/types/user.html#user-provider-ldap says: User management via LDAP: This provider requires that you have valid values for all of the LDAP-related settings in puppet.conf, including ldapbase. You will almost definitely need settings for ldapuser and ldappassword in order for your clients to write to LDAP. Thus my dilemma. Can I make the IPA "service account" read-write or can Puppet live with read-only ? ------------------------------------------------ “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Waterson: Calvin & Hobbes)

1 0

DIRSRV external signed cert questions
by Boyd Ako 12 Aug '19

12 Aug '19

This involves the `ipa-server-certinstall` command. 1) If I used the option to install P12 for dirsrv, will dirsrv being doing OCSP validation? If so, is there away for me to disable OCSP validation? 2) Is there any documentation or information on what kind of cert the DIRSRV service needs? ==== Cert Info === Version: 3 (0x2) Signature Algorithm: sha256WithRSAEncryption Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:97:33:d2:6d:a9:98:72:4c:b0:3d:3e:dc:4c:a5: 7d:61:d2:ae:b9:4b:eb:5e:71:ec:3e:45:62:75:24: 72:06:74:a3:94:03:c4:80:eb:4e:bc:5c:4e:f9:39: 0c:b1:5d:8e:57:ea:42:fb:70:3a:0e:3e:a0:83:62: 6a:1a:47:44:2c:b3:31:cf:26:f0:63:d7:3e:c7:51: 3b:d8:04:17:68:d5:d9:0d:ab:8d:ea:2e:b1:c8:a0: 14:ff:d6:9c:ed:86:ec:2f:07:73:68:c3:5b:2d:bd: d4:03:74:c7:82:7d:34:fe:d0:9c:fd:cf:8d:50:c9: d5:eb:eb:af:e8:39:d3:75:e9:c3:d9:78:1c:46:97: 84:91:d5:b4:57:48:d6:c8:4b:ae:64:87:c6:04:94: 8d:c1:8e:ee:f5:59:27:e8:16:9a:92:c2:2a:48:71: aa:11:10:19:2e:97:7a:d6:b6:76:ba:0d:36:7b:b7: a1:45:7c:d6:6d:05:13:ff:ba:0a:55:47:8e:86:72: a2:42:6a:ce:df:2c:78:e6:ab:61:0e:df:eb:99:79: 82:f3:87:97:df:3b:06:f7:9b:47:d8:1f:cb:b3:f0: d2:58:2c:5a:40:39:00:78:2e:53:e4:c5:70:0a:90: 62:25:f3:88:fc:58:2c:4e:11:47:b7:76:25:a9:68: 16:cb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:51:C4:8B:33:99:94:C0:7E:BB:36:1D:E3:E2:3A:05:BD:32:74:9D:53 X509v3 Subject Key Identifier: 32:E1:3A:F5:1D:26:AB:A2:FE:E2:E7:6E:21:D2:96:99:87:49:1E:0F Authority Information Access: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 CRL Distribution Points: Full Name: X509v3 Subject Alternative Name: X509v3 Certificate Policies: Policy: 2.16.840.1.101.2.1.11.39 X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2

2 2

Tomcat certificate issue
by Louis Lagendijk 09 Aug '19

09 Aug '19

I have similar problems as the ones described in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… My IPA setup has 2 masters, both running Centos7.6. Today I got notified by Nagios that there were issues with my second server, ipa2. Checking ipactl I noticed that nothing much was running. ipactl start brought up a message that an upgrade was required (I apparently got an ipa update yesterday that I installed). The upgrade failed. Checking my certifcates with getcert list gave me: . . . Request ID '20181001154055': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki- tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki- tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=HOME.FAZANT.NET subject: CN=ipa2.home.fazant.net,O=HOME.FAZANT.NET expires: 2019-04-25 21:33:46 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20181001154056': so I reset the date to Mar 20 and did a resubmit for the certificate, that failed (as in the submission went ok, but the cert did not get renewed) Checking Flo's blog: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomca… and https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… made me execute: [root@ipa2 ~]# certutil -d /etc/pki/pki-tomcat/alias -L Certificate Nickname Trust Attributes SSL,S/MIME ,JAR/XPI ocspSigningCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu [root@ipa2 ~]# and #!/bin/bash for i in $(certutil -d /etc/pki/pki-tomcat/alias -L | grep cert-pki | awk '{print $1}') ; do certutil -d /etc/pki/pki-tomcat/alias -K -f /tmp/pwdfile.txt -n "$i cert-pki-ca"; done which resulted in: root@ipa2 ~]# bash /root/ss certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier. certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa 4286ed93407806ec2727e6244cc3959ec726265e caSigningCert cert-pki-ca To answer Frazer's question in the follow up to the mail from last year: no pki-tomcat is non functional, I do have my second server though. Certutil -L gives me: [root@ipa2 ~]# certutil -L 'ocspSigningCert cert-pki-ca' certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. Any help getting this issue resolved would be much appreciated. kind regards, Louis

2 3

mkhomedir option not working on ubuntu 16.04 clients
by Saurabh Garg 09 Aug '19

09 Aug '19

We have our domain controller (ipa-server) running on Redhat 7.6 and ipa-clients are running ubuntu 16.04. We are using below command for enrolling these ubuntu machines into the domain controller: ipa-client-install --unattended --domain=example.com --principal=admin --password=changeit@123 --mkhomedir --server=idm.example.com --force-join When a domain user ssh into any of these ubuntu servers he doesn't see his/her home directory created (although we are using --mkhomedir switch in our enrolment command). We have 150+ servers to fix this problem. Any suggestions. Thanks, Saurabh Garg

3 2

Removing first freeipa master
by Jo Domsic 08 Aug '19

08 Aug '19

Hi to the good people of FreeIPA! I'm in the process of removing old servers from my datacentar, and I was wondering if I can delete/remove (first created) freeipa server? I have 4 masters: [root@server] ipa-replica-manage list freeipa03.lan: master freeipa04.lan: master freeipa01.lan: master <--- I want to delete this one freeipa02.lan: master What will happen to servers that have: [root@server2] cat /etc/ipa/default.conf #File modified by ipa-client-install [global] basedn = dc=lan realm = LAN domain = lan server = freeipa01.lan host = server2.lan xmlrpc_uri = https://freeipa01.lan/ipa/xml enable_ra = True

2 2

IPA with multiple legs: hostname resolution
by Dmitry Perets 08 Aug '19

08 Aug '19

Hi, I'd like to ask for your advise for the following topology... On a given site, IPA server has two legs (two NICs), let's call them "inside NIC" and "outside NIC". The inside NIC subnet is local to the site. The outside NIC subnet is interconnecting sites. All the local clients talk to IPA via the inside NIC. But to setup a replica on another site, we must reach IPA via outside NIC (the inside subnet is not routable beyond the local site boundaries). So the question arises: how to configure proper DNS resolution for the hostname of the IPA server itself? DNS is handled by IPA itself, fully in our control. So we have two options: 1. We create two A records for the same IPA hostname, let's say "ipa.site1.example.com". But then not sure if it will work fine... Technically, two IPs for the same name means load-balancing, right? So will I have intermittent connectivity issues, because it will return inside and outside IP interchangebly? 2. We create a new DNS name, e.g. "ipa-outside-site1.example.com", for the outside IP, and manually add it to the @ entry of "example.com", so that wannabe-replica on the remote site can use that FQDN as its master IPA. Will this work fine..? Will it not cause issues to the local clients on site1, who must keep using IPA with inside IP? Will it not cause issues on IPA server itself for some reason? Please share your experience on this! Thanks.

4 13

SNI Certificates
by Christian Reiss 08 Aug '19

08 Aug '19

Hey folks, Really quick question. If a host, say web01.example.com is online, in IPA et all but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way? Assumptions: - All commands executed on web01.example.com - /etc/ssl/ipa & perms are OK. cert="supremecustomer.com" ipa host-add ${cert} --desc="Dummy Host / ${cert}" --location="$(hostname -f)" ipa host-add-managedby ${cert} --hosts="$(hostname -f)" ipa service-add HTTP/${cert} ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)" ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert} chown root:nginx /etc/ssl/ipa/${cert}.{key,crt} chmod 0640 /etc/ssl/ipa/${cert}.{key,crt} Is this still the way to go? Is there a way around "One dummy host per SNI Certificate" in any way? Cheers, Chris. -- Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon support(a)alpha-labs.net \ / Campaign X against HTML WEB alpha-labs.net / \ in eMails GPG Retrieval https://gpg.christian-reiss.de GPG ID ABCD43C5, 0x44E29126ABCD43C5 GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5 "It's better to reign in hell than to serve in heaven.", John Milton, Paradise lost.

3 2

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users August 2019