January 2020 - FreeIPA-users - Fedora mailing-lists

Re: FreeIPA ipa-replica-install hangs on "No status yet" during the first replication
by Florence Blanc-Renaud 19 Jan '20

19 Jan '20

On 1/17/20 4:32 PM, Damien Bras via FreeIPA-users wrote: > Hi, > > During the installation of one of our FreeIPA replica (with > ipa-replica-install), the process hangs on "No status yet". > > Our domain is in domain level 1. > > It seems that the script is waiting for an attribute > nsds5ReplicaLastInitStatus. > > The master server is up & running and we want to have a multimaster > environment. > > We don't find any error related to the replication process in the log. > > The version installed: 4.6.5-11.0.1.el7_7.3 > > First, the ipa client is correctly installed on the server. Then we use > the comment ipa-replica-install to promote it as IPA server with: > > ipa-replica-install -U --principal admin --admin-password > $admin_password --domain domain.com --server server2.domain.com > --setup-ca --setup-dns --no-forwarders --forward-policy=first > --no-dnssec-validation --allow-zone-overlap > --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join > > In the ipareplica-install.log we just have this: > > … > > 2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication > > 2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache > url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248> > > 2020-01-17T10:25:47Z DEBUG Destroyed connection > context.ldap2_139829518113296 > > 2020-01-17T10:25:47Z DEBUG Starting external process > > 2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload > > 2020-01-17T10:25:47Z DEBUG Process finished, return code=0 > > 2020-01-17T10:25:47Z DEBUG stdout= > > 2020-01-17T10:25:47Z DEBUG stderr= > > 2020-01-17T10:25:47Z DEBUG Starting external process > > 2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart > dirsrv(a)DOMAIN-COM.service > > 2020-01-17T10:25:53Z DEBUG Process finished, return code=0 > > 2020-01-17T10:25:53Z DEBUG stdout= > > 2020-01-17T10:25:53Z DEBUG stderr= > > 2020-01-17T10:25:53Z DEBUG Restart of > dirsrv(a)HS2-VDC-CORP-HOMESEND-COM.service complete > > 2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296 > > 2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5] > > 2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache > url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject > instance at 0x7f2c95da8320> > > 2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId. > > 2020-01-17T10:25:54Z DEBUG Add or update replica config > cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config > > 2020-01-17T10:25:54Z DEBUG Added replica config > cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config > > 2020-01-17T10:25:54Z DEBUG Add or update replica config > cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config > > 2020-01-17T10:25:54Z DEBUG No update to > cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary > > 2020-01-17T10:25:54Z DEBUG Waiting for replication > (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) > cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping > tree,cn=config (objectclass=*) > > 2020-01-17T10:25:54Z DEBUG Entry found > [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping > tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], > u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': > ['meToserver2.domain.com'], u'objectClass': > ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': > ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], > u'nsDS5ReplicaHost': ['server2.domain.com'], > u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions > started since server startup'], u'nsDS5ReplicaBindMethod': > ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName > modifyTimestamp internalModifiersName internalModifyTimestamp'], > u'nsds5replicaLastUpdateStart': ['19700101000000Z'], > u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], > u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': > ['0'], u'nsds5replicaChangesSentSinceStartup': [''], > u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': > ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn > krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], > u'nsds5replicaLastInitEnd': ['19700101000000Z'], > u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE > entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})] > Hi, can you also paste the lines that contain the install error? > On the live master, there is a strange behavior also: > > It seems the ldap is like in read only mode. For exemple, if I reset the > password of an account, I don’t have any error but nothing happened. > > I have also those errors on this server: > > Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 > +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - > 2711289715, limit - 86400 Are your servers synchronized (either with ntpd or chronyd)? Maybe the time is different and prevents correct replication. flo > > Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 > +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - > opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted > opcsn=5e21d27e522700050000 > > But we don’t have any replication because no other servers: > > # ipa-replica-manage list > > server2.domain.com: master > > # ipa-replica-manage list-ruv > > Directory Manager password: > > Replica Update Vectors: > > server2.domain.com:389: 5 > > Certificate Server Replica Update Vectors: > > server2.domain.com:389: 6 > > # ipa topologysuffix-find > > --------------------------- > > 2 topology suffixes matched > > --------------------------- > > Suffix name: ca > > Managed LDAP suffix DN: o=ipaca > > Suffix name: domain > > Managed LDAP suffix DN: dc=domain,dc=com > > ---------------------------- > > Number of entries returned 2 > > ---------------------------- > > # ipa topologysegment-find > > Suffix name: domain > > ------------------ > > 0 segments matched > > ------------------ > > ---------------------------- > > Number of entries returned 0 > > ---------------------------- > > I really don’t know what happened here. Could you help us on that ? > > Best regards, > > Damien > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost… >

2 1

kinit: Pre-authentication failed: Invalid argument while getting initial credentials
by John Louis 19 Jan '20

19 Jan '20

Hi, on CentOS 7 I installed Freeipa using "yum install ipa-server". Everything including client is on the same machine itself. All went well, I can now login to the web as "admin" and create user account etc. And "kinit admin", "kinit list" etc all worked as expected right after installation. But a couple days later, even though I can still login as "admin" web user, on the server ssh session I get the following (I replaced REALM name with "REALM" here): # kinit kinit: Client 'root@REALM' not found in Kerberos database while getting initial credentials # kinit admin kinit: Pre-authentication failed: Invalid argument while getting initial credentials # kinit list kinit: Client 'list@REALM' not found in Kerberos database while getting initial credentials # env KRB5_TRACE=/dev/stdout kinit admin 2>&1 [11612] 1578511115.54729: Getting initial credentials for admin@REALM [11612] 1578511115.54731: Sending unauthenticated request [11612] 1578511115.54732: Sending request (167 bytes) to REALM [11612] 1578511115.54733: Initiating TCP connection to stream 127.0.0.1:88 [11612] 1578511115.54734: Sending TCP request to stream 127.0.0.1:88 [11612] 1578511115.54735: Received answer (240 bytes) from stream 127.0.0.1:88 [11612] 1578511115.54736: Terminating TCP connection to stream 127.0.0.1:88 [11612] 1578511115.54737: Response was from master KDC [11612] 1578511115.54738: Received error from KDC: -1765328359/Additional pre-authentication required [11612] 1578511115.54741: Preauthenticating using KDC method data [11612] 1578511115.54742: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-FX-COOKIE (133) [11612] 1578511115.54743: Received cookie: MIT [11612] 1578511115.54744: PKINIT client has no configured identity; giving up [11612] 1578511115.54745: Preauth module pkinit (147) (info) returned: 0/Success [11612] 1578511115.54746: PKINIT client has no configured identity; giving up [11612] 1578511115.54747: Preauth module pkinit (16) (real) returned: 22/Invalid argument [11612] 1578511115.54748: PKINIT client has no configured identity; giving up [11612] 1578511115.54749: Preauth module pkinit (14) (real) returned: 22/Invalid argument kinit: Pre-authentication failed: Invalid argument while getting initial credentials # klist -ek Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/ipa.host.name@REALM (aes256-cts-hmac-sha1-96) 2 host/ipa.host.name@REALM (aes128-cts-hmac-sha1-96) 2 host/ipa.host.name@REALM (des3-cbc-sha1) 2 host/ipa.host.name@REALM (arcfour-hmac) 2 host/ipa.host.name@REALM (camellia128-cts-cmac) 2 host/ipa.host.name@REALM (camellia256-cts-cmac) So looks like I lost "admin" in kerboros? The only thing I think I did, is I have changed the server's time and hwclock time, by 9 minutes. Thanks!

4 16

Kerberized NFS Home directories
by Kristian Petersen 17 Jan '20

17 Jan '20

Hey all, I am trying to get kerberized NFS home directories working in Ubuntu 18.04 with the mapping info coming from IPA. I can get them to mount on login in a multi-user target (terminal only), but not a graphical one (using gdm for login). The messages I am seeing in the syslog seem to indicate that it is having issues communicating with the server hosting the NFS share and times out. That doesn't make sense though since it works to mount in the terminal like I would expect. -- Kristian Petersen System Administrator BYU Dept. of Chemistry and Biochemistry

3 4

Proxy LDAP queries to Active Directory
by White, David 17 Jan '20

17 Jan '20

Is there a way to proxy client LDAP requests to the upstream Active Directory that FreeIPA is configured to trust? I have AD, where users live. I have FreeIPA / RedHat IdM. And I have servers that are registered to FreeIPA. But I also have applications (such as Mediawiki, or Red Hat Satellite to name a few) that support LDAP authentication. I want to be able to use my AD credentials to login to Mediawiki or Satellite, but have the application bind to FreeIPA, instead of binding it to AD. Is this possible? I currently: Have successfully bound Mediawiki to FreeIPA, and I can login to Mediawiki using an account that is built locally instead of FreeIPA, but I cannot login to Mediawiki using my AD credentials. ----- David White Engineer II, Fiber Systems Engineering (423) 648-1500, Option 2 [/var/folders/7m/l5bzdbz14c9bkrwxvn2ffnjc0000gq/T/com.microsoft.Outlook/WebArchiveCopyPasteTempFiles/cidimage001.jpg(a)01D4B3F3.F5D81170]

2 4

FreeIPA ipa-replica-install hangs on "No status yet" during the first replication
by Damien Bras 17 Jan '20

17 Jan '20

Hi, During the installation of one of our FreeIPA replica (with ipa-replica-install), the process hangs on "No status yet". Our domain is in domain level 1. It seems that the script is waiting for an attribute nsds5ReplicaLastInitStatus. The master server is up & running and we want to have a multimaster environment. We don't find any error related to the replication process in the log. The version installed: 4.6.5-11.0.1.el7_7.3 First, the ipa client is correctly installed on the server. Then we use the comment ipa-replica-install to promote it as IPA server with: ipa-replica-install -U --principal admin --admin-password $admin_password --domain domain.com --server server2.domain.com --setup-ca --setup-dns --no-forwarders --forward-policy=first --no-dnssec-validation --allow-zone-overlap --reverse-zone=xx.xx.in-addr.arpa --mkhomedir --force-join In the ipareplica-install.log we just have this: … 2020-01-17T10:25:46Z DEBUG [28/41]: setting up initial replication 2020-01-17T10:25:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c94db6248> 2020-01-17T10:25:47Z DEBUG Destroyed connection context.ldap2_139829518113296 2020-01-17T10:25:47Z DEBUG Starting external process 2020-01-17T10:25:47Z DEBUG args=/bin/systemctl --system daemon-reload 2020-01-17T10:25:47Z DEBUG Process finished, return code=0 2020-01-17T10:25:47Z DEBUG stdout= 2020-01-17T10:25:47Z DEBUG stderr= 2020-01-17T10:25:47Z DEBUG Starting external process 2020-01-17T10:25:47Z DEBUG args=/bin/systemctl restart dirsrv(a)DOMAIN-COM.service 2020-01-17T10:25:53Z DEBUG Process finished, return code=0 2020-01-17T10:25:53Z DEBUG stdout= 2020-01-17T10:25:53Z DEBUG stderr= 2020-01-17T10:25:53Z DEBUG Restart of dirsrv(a)HS2-VDC-CORP-HOMESEND-COM.service complete 2020-01-17T10:25:53Z DEBUG Created connection context.ldap2_139829518113296 2020-01-17T10:25:53Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5] 2020-01-17T10:25:53Z DEBUG retrieving schema for SchemaCache url=ldap://server2.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2c95da8320> 2020-01-17T10:25:54Z DEBUG Successfully updated nsDS5ReplicaId. 2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config 2020-01-17T10:25:54Z DEBUG Added replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config 2020-01-17T10:25:54Z DEBUG Add or update replica config cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config 2020-01-17T10:25:54Z DEBUG No update to cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config necessary 2020-01-17T10:25:54Z DEBUG Waiting for replication (ldapi://%2fvar%2frun%2fslapd-DOMAIN-COM.socket) cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config (objectclass=*) 2020-01-17T10:25:54Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('cn=meToserver2.domain.com,cn=replica,cn=dc\=domain\,dc\=com,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToserver2.domain.com'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain,dc=com'], u'nsDS5ReplicaHost': ['server2.domain.com'], u'nsds5replicaLastUpdateStatus': ['Error (0) No replication sessions started since server startup'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to server2.domain.com'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})] On the live master, there is a strange behavior also: It seems the ldap is like in read only mode. For exemple, if I reset the password of an account, I don’t have any error but nothing happened. I have also those errors on this server: Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.102642397 +0100] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 2711289715, limit - 86400 Jan 17 16:27:57 hs2-man-idm-02 ns-slapd: [17/Jan/2020:16:27:57.110464100 +0100] - WARN - NSMMReplicationPlugin - replica_generate_next_csn - opcsn=5e21d27e000000050000 <= basecsn=ffbcd1f1522600040000, adjusted opcsn=5e21d27e522700050000 But we don’t have any replication because no other servers: # ipa-replica-manage list server2.domain.com: master # ipa-replica-manage list-ruv Directory Manager password: Replica Update Vectors: server2.domain.com:389: 5 Certificate Server Replica Update Vectors: server2.domain.com:389: 6 # ipa topologysuffix-find --------------------------- 2 topology suffixes matched --------------------------- Suffix name: ca Managed LDAP suffix DN: o=ipaca Suffix name: domain Managed LDAP suffix DN: dc=domain,dc=com ---------------------------- Number of entries returned 2 ---------------------------- # ipa topologysegment-find Suffix name: domain ------------------ 0 segments matched ------------------ ---------------------------- Number of entries returned 0 ---------------------------- I really don’t know what happened here. Could you help us on that ? Best regards, Damien

1 0

Approval workflow
by Daniel PC 17 Jan '20

17 Jan '20

Hi all, Does anyone know if it is possible to implement an approval workflow to enable a user to access a host? My idea is, for a limited number of users, allow access only after receiving OK from a responsible. Thank you DPC

2 3

Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service
by Ferdinand Babas 17 Jan '20

17 Jan '20

Hi All, I've been trying to work through this issue but can't find the magic formula to get it working so I'm turning to the community for help. We are currently running VERSION: 4.4.0, API_VERSION: 2.213 in a 4 node multi master environment and the steps listed below were performed on the IPA CA renewal master. Please let me know if any additional information is needed regarding the environment. As background we had expired certificates (both /etc/httpd/alias and /etc/pki/pki-tomcat/alias) which were renewed by setting the date in the past and restarting certmonger. Now on the IPA CA renewal master all certs have valid 'expires' dates and have a status of MONITORING. Note that the other nodes still have expired certs. On the IPA CA renewal master when I start up the pki-tomcatd(a)pki-tomcat.service with the default CS.cfg and password.conf file I get the following error: Internal Database Error encountered: Could not connect to LDAP server host francolin.local port 636 Error netscape.ldap.LDAPException: Authentication failed (48) So I changed the CS.cfg file to use Basic Auth and added the directory-manager-password to password.conf, restarted pki-tomcatd(a)pki-tomcat.service and now I get the following: /var/log/messages Jan 6 10:54:30 francolin systemd: Started PKI Tomcat Server pki-tomcat. Jan 6 10:54:30 francolin server: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 6 10:54:30 francolin server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar Jan 6 10:54:30 francolin server: main class used: org.apache.catalina.startup.Bootstrap Jan 6 10:54:30 francolin server: flags used: -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni Jan 6 10:54:30 francolin server: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Jan 6 10:54:30 francolin server: arguments used: start Jan 6 10:54:30 francolin server: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false] Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://francolin.local:9080/ca/ocsp' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CB C_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Jan 6 10:54:31 francolin server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[before_init] Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[after_init] Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[before_start] Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[configure_start] Jan 6 10:54:31 francolin server: PKIListener: org.apache.catalina.core.StandardServer[start] Jan 6 10:54:31 francolin server: SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback Jan 6 10:54:31 francolin server: SSLAuthenticatorWithFallback: Setting container Jan 6 10:54:32 francolin server: SSLAuthenticatorWithFallback: Initializing authenticators Jan 6 10:54:32 francolin server: SSLAuthenticatorWithFallback: Starting authenticators Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore() begins Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore(): tag=internaldb Jan 6 10:54:33 francolin server: testLDAPConnection connecting to francolin.local:389 Jan 6 10:54:33 francolin server: CMSEngine.initializePasswordStore(): tag=replicationdb Jan 6 10:54:33 francolin server: testLDAPConnection connecting to francolin.local:389 Jan 6 10:54:33 francolin server: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-francolin.local-pki-tomcat,cn=config does not exist Jan 6 10:54:33 francolin server: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring .. Jan 6 10:54:34 francolin server: SelfTestSubsystem: Disabling "ca" subsystem due to selftest failure. Jan 6 10:54:34 francolin server: ----------------------- Jan 6 10:54:34 francolin server: Disabled "ca" subsystem Jan 6 10:54:34 francolin server: ----------------------- Jan 6 10:54:34 francolin server: Subsystem ID: ca Jan 6 10:54:34 francolin server: Instance ID: pki-tomcat Jan 6 10:54:34 francolin server: Enabled: False Jan 6 10:54:34 francolin server: Invalid class name repositorytop Jan 6 10:54:35 francolin server: Invalid class name repositorytop Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBRegistry.createObject(DBRegistry.java:485) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:167) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.getSerialNumber(Repository.java:125) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.initCache(Repository.java:244) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:460) Jan 6 10:54:35 francolin server: at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1374) Jan 6 10:54:35 francolin server: at com.netscape.certsrv.apps.CMS.startup(CMS.java:201) Jan 6 10:54:35 francolin server: at com.netscape.certsrv.apps.CMS.start(CMS.java:1622) Jan 6 10:54:35 francolin server: at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) Jan 6 10:54:35 francolin server: at javax.servlet.GenericServlet.init(GenericServlet.java:158) Jan 6 10:54:35 francolin server: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Jan 6 10:54:35 francolin server: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Jan 6 10:54:35 francolin server: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Jan 6 10:54:35 francolin server: at java.lang.reflect.Method.invoke(Method.java:498) Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) Jan 6 10:54:35 francolin server: at java.security.AccessController.doPrivileged(Native Method) Jan 6 10:54:35 francolin server: at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) Jan 6 10:54:35 francolin server: at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) Jan 6 10:54:35 francolin server: at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) Jan 6 10:54:35 francolin server: at java.security.AccessController.doPrivileged(Native Method) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) Jan 6 10:54:35 francolin server: at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) Jan 6 10:54:35 francolin server: at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) Jan 6 10:54:35 francolin server: at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) Jan 6 10:54:35 francolin server: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) Jan 6 10:54:35 francolin server: at java.util.concurrent.FutureTask.run(FutureTask.java:266) Jan 6 10:54:35 francolin server: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) Jan 6 10:54:35 francolin server: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) Jan 6 10:54:35 francolin server: at java.lang.Thread.run(Thread.java:748) Jan 6 10:54:36 francolin server: PKIListener: org.apache.catalina.core.StandardServer[after_start] Jan 6 10:54:36 francolin server: PKIListener: Subsystem CA is disabled. Jan 6 10:54:36 francolin server: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors. Jan 6 10:54:36 francolin server: PKIListener: To enable the subsystem: Jan 6 10:54:36 francolin server: PKIListener: pki-server subsystem-enable -i pki-tomcat ca Jan 6 10:54:47 francolin server: SSLAuthenticatorWithFallback: Stopping authenticators Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak. Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak. Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://francolin.local:389] but has failed to stop it. This is very likely to create a memory leak. Jan 6 10:54:47 francolin server: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak. Jan 6 10:54:47 francolin server: SSLAuthenticatorWithFallback: Setting container /var/log/pki/pki-tomcat/ca/selftests.log 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin instances 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] CAPresence: CA is present 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SystemCertsVerification: system certs verification failure: Certificate not found: auditSigningCert cert-pki-ca 0.localhost-startStop-2 - [06/Jan/2020:10:56:29 HST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! I can also confirm that the 'auditSigningCert cert-pka-ca' isn't there when I run certutil -L -d /etc/pki/pki-tomcat/alias/. The output is listed below: Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca ,, Server-Cert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u The 'auditSigningCert cert-pka-ca' shows up on the other nodes however: auditSigningCert cert-pki-ca u,u,Pu Let me know if there is more information that is needed. This one is baffling me. Thanks, Ferdinand

2 11

Integrated DNS - best solution to unique domain
by Daniel PC 17 Jan '20

17 Jan '20

Hi, Red Hat strongly recommends IdM-integrated DNS for basic usage within the IdM deployment but at the same time declares "It does not support some of the advanced DNS features" and must be used only for IdM purposes. I have a DNS for a domain that resolves names to Linux hostnames, VIPs, application names, databases scan, and more. From my understanding, IdM must resolve DNS only for hostnames. Other services should be delegated to a true DNS server. I understand that it's not normal the use of two DNS for one domain, but in my case how can I build my DNS system? Any advice? Thank you DC

5 5

Re: Where is the "Audit" in IPA?
by Charles Hedrick 16 Jan '20

16 Jan '20

I’ve thought about this a bit more. I think it would be useful if log entries showing changes could be routed differently by syslog. The simplest would be to use a different log level, e.g. NOTICE, where other things are INFO. Another approach would be to put a specific tag in the try, e.g. AUDIT. On Jan 15, 2020, at 5:20 PM, Angus Clarke <post(a)angusclarke.com<mailto:post@angusclarke.com>> wrote: Yeah, to find what I'm looking for I keep a list of grep examples, as auditors generally ask for the same things! I modify httpd.conf to send ErrorLog messages to syslog and then use syslog to send those to a server with cheap storage to keep a long history. Regards Angus ________________________________ From: Charles Hedrick <hedrick(a)rutgers.edu<mailto:hedrick@rutgers.edu>> Sent: 15 January 2020 22:54 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Cc: Ryan Slominski <ryans(a)jlab.org<mailto:ryans@jlab.org>>; Angus Clarke <post(a)angusclarke.com<mailto:post@angusclarke.com>> Subject: Re: [Freeipa-users] Where is the "Audit" in IPA? This looks pretty reasonable. Unfortunately it intermixed lots of info. The files grow rapidly enough that it’s probably not practical to keep them for a long time. It might not be hard to pull out just the things that make changes. On Jan 15, 2020, at 4:47 PM, Angus Clarke via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Just a note from a fellow user ... Changes made through the API are logged via apache's ErrorLog directive, I've been using this to some degree of success to answer 3rd party audit queries. However it does miss things like "which groups was this user a member of when they were deleted" though ... The facilities you are asking about sound excellent Ryan! Regards Angus ________________________________ From: Ryan Slominski via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Sent: 15 January 2020 20:28 To: freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> <freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Cc: Ryan Slominski <ryans(a)jlab.org<mailto:ryans@jlab.org>> Subject: [Freeipa-users] Where is the "Audit" in IPA? Hi FreeIPA dudes, What is the status of audit in IPA? Specifically, is there an easy way to determine what was the group membership of a particular group was at a particular point in time, say last October? I noticed there is an audit log file (disabled by default), but that is going to be a not-so-easy way to try to re-construct group membership at a point in time in the past. I was hoping to just navigate to a "history" tab on the GUI, but no such luck. Is this on anyone's todo list? I also noticed a "Centralized Logging" webpage that suggest setting up an ELK stack, but that doesn't quite provide snapshots of group membership. What about the ability to subscribe to changes (as opposed to poll them)? I suppose the replication features could be used somehow, but those are also polling based? Would be nice to configure simple callbacks (perhaps HTTP post) when things change. I believe this is called a webhook. Any support for this kind of notification system? Thanks, Ryan _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedo…> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorapro…> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fed…> _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedo…> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorapro…> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahost…<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fed…>

1 0

Question about ipa group-add-member
by White, Daniel E. (GSFC-770.0)[NICS] 16 Jan '20

16 Jan '20

Adding multiple users to one group is documented, but the other way around seems to be missing. Is there a way to add one user to multiple groups with one command ? If not, I can deal with it.

2 2

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2020