
Questions tagged [freeipa]

FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

18 votes, 1 answer, 19k views

IPA vs just LDAP for Linux boxes - looking for a comparison

There are a few (~30) Linux (RHEL) boxes and I'm looking for a centralized and easily managed solution, mostly for controlling user accounts. I'm familiar with LDAP, and I deployed a pilot of IPA ver2 from Red ...
Asked by Vitaly Karasik DevOps

14 votes, 2 answers, 32k views

Using FreeIPA for centralized sudo - how to specify ALL commands?

I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states: FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be ...
Asked by HTTP500 (4,853 rep)

11 votes, 3 answers, 3k views

IPA dynamic DNS updates only the AAAA record. Where are my A records?

I'm setting up a FreeIPA domain. In my lab are three virtual machines: the domain controller ipadc1, and two clients puppet and wordpress (creative, yes, I know). All three VMs are running freshly ...
Asked by Michael Hampton

9 votes, 2 answers, 3k views

VMware vCenter/ESXi with FreeIPA instead of Active Directory?

Can vCenter authenticate against FreeIPA instead of Active Directory? If so, how would you set it up? We have a pure Linux environment (CentOS) and need to have vCenter and our VMs have the same ...
Asked by Luke (1,962 rep)

8 votes, 1 answer, 5k views

Windows 7 NFS Client Using Kerberos and Linux KDC

I am trying to configure a Windows 7 Enterprise client to mount a NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC. The setup is: IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-...
Asked by Mike (295 rep)

7 votes, 1 answer, 7k views

Can't change password of FreeIPA admin - "Current password's minimum life has not expired"

We have a FreeIPA-based system; the admin's password has expired and needs to be changed, but the standard password-changing procedure over SSH fails: sashka@cellar ~ ssh [email protected] admin@...
Asked by Alex (8,009 rep)

6 votes, 3 answers, 2k views

FreeIPA SSL LDAP and round robin DNS

I'm trying to ask this question in a way that's answerable, but part of the issue is knowing the implications of my current situation and if there's an issue or technical debt which'll bite me further ...
Asked by Sirex (5,557 rep)

6 votes, 3 answers, 6k views

Backup and restoration of a FreeIPA infrastructure

I'm finding the documentation on ipa server backup and restoration sadly lacking, and being so centrally critical it's not something I'm really happy about shooting in the dark with - could some kind ...
Asked by Sirex (5,557 rep)

6 votes, 4 answers, 4k views

FreeIPA: prevent local root accessing user accounts

So after asking this question, I've been test-driving FreeIPA as a central authentication source based on this question: Managing access to multiple linux system One problem I ran into is that if a ...
Asked by Swartz (304 rep)

6 votes, 1 answer, 19k views

Using FreeIPA for centralized sudo - using SSSD for sudoers

I have set up FreeIPA for centralized sudo and all is working well with the exception of being able to use SSSD for sudoers. If I have in my client /etc/nsswitch.conf the following: sudoers: files ...
Asked by HTTP500 (4,853 rep)

6 votes, 1 answer, 3k views

Configuring Synology NAS as freeIPA client

I'm attempting to deploy freeIPA in my company. The network is quite simple: < 10 FC20 (and FC21 beta) desktops < 5 FC20 servers (including the one with freeIPA) 1 Synology NAS DS1813+ (DSM 5....
Asked by cornuz (437 rep)

5 votes, 2 answers, 11k views

How to export the list of all FreeIPA users to CSV format?

How can I export all FreeIPA users to a CSV file?
Asked by sanjayparmar

5 votes, 2 answers, 6k views

Google authenticator with Openldap or Fedora 389 Server or FreeIPA

After a little googling I could see some references of configuring Google Authenticator with Windows Active Directory, however, I could not see how I could do it on Linux/CentOS system. What would be ...
Asked by chandank (857 rep)

5 votes, 3 answers, 4k views

FreeIPA without web UI or change of ports

Can I install FreeIPA server without httpd (without the web UI)? Or at least, can I change the ports? (80->8880 and 443->8443)
Asked by jjaros (259 rep)

5 votes, 1 answer, 10k views

Granting sudo access to a SELinux confined user in freeIPA

I'm using freeIPA to define RBAC, HBAC and sudo rules, as well as SELinux user mappings for a domain of a couple hundred virtual machines, where I need to grant different levels of access to several ...
Asked by dawud (15.3k rep)

5 votes, 1 answer, 2k views

How do I sign a new FreeIPA Server's internal CA with my organizational internal CA?

My organization has an internal Certificate Authority (CA) which we have already generated many internal certificates and have installed on machines. I am setting up a FreeIPA LDAP/Kerberos server ...
Asked by Josh (9,258 rep)

4 votes, 2 answers, 4k views

How to automate directory creation on NFS-Server?

I created and configured a test-environment of 3 virtual machines: A FreeIPA server which provides krb5-authentication A NFS-Server using server 1 to secure itself A client that automounts home ...
Asked by Richard (749 rep)

4 votes, 4 answers, 36k views

How to reset Keytab for FreeIPA Server and Client

I followed the standard documentation to install FreeIPA server and client on hosts 'SRV' and 'CLT' respectively. I then added a user 'X' to FreeIPA using the Web UI. Now when I try to SSH as X to CLT, I ...
Asked by Quest Monger

4 votes, 1 answer, 4k views

Integrating FreeIPA or RH IdM in an existing MS AD environment

I want to deploy FreeIPA or Red Hat IdM in my existing environment. Currently, my domain is managed by MS AD, which is controlled by a separate group. Assume that changing anything in MS AD is going to ...
Asked by xdfil (521 rep)

4 votes, 1 answer, 24k views

FreeIPA: command-line tools do not work, 'No Kerberos credentials available'

We have a working FreeIPA installation; it has been in production since February. Almost everything works as expected, but when we try to run command-line FreeIPA-related tools none of them work: [admin@ipa ~...
Asked by Alex (8,009 rep)

4 votes, 2 answers, 5k views

Why does ipa-client-install fail when downloading the CA cert

I want to set up centralized user management. First to grant access to Linux servers and later also to grant access to other services via LDAP. As I'm new to this, I did some research on Google and I ...
Asked by CodeNinja (325 rep)

4 votes, 0 answers, 662 views

How do I add an entryUUID field to the FreeIPA compat schema?

I am trying to add an entryUUID field to groups in the FreeIPA compat schema, but I am struggling to create the required attributeType. My LDIF for creating it is: dn: cn=schema changetype: modify add:...
Asked by Mutantoe (101 rep)

4 votes, 0 answers, 2k views

DNSSEC for private internal sub zones of an external domain

Consider the following scenario: example.com is hosted on CloudFlare and it's signed by CloudFlare DNSSEC. Everything works as expected for example.com. Inside the company we have some internal ...
Asked by Vinícius Ferrão

3 votes, 3 answers, 16k views

FreeIPA: Installer not resolving domain name from hosts file

I have been having an issue while installing FreeIPA. The problem is that every time I run the installer, the FreeIPA application does not read from the hosts file but rather tries to resolve the domain ...
Asked by Mustafa Mujahid

3 votes, 1 answer, 11k views

FreeIPA sudoers rule - how to add NOPASSWD for ALL commands (no prompt for password)

I am using FreeIPA for sudoers rules and am attempting to create what would be the same as the standard sudoers line(s): user ALL=(ALL) NOPASSWD:ALL group ALL=(ALL) NOPASSWD:ALL to allow a specific user ...
Asked by Alex (31 rep)

3 votes, 2 answers, 6k views

Configure Gitlab to use FreeIPA as LDAP server

I've run into a bit of trouble and I don't seem to be able to fix it. Please follow the scenario below: I have two servers: ONE (10.0.3.10): Ubuntu based, having Gitlab (as deb package)...
Asked by Dragos Cirjan

3 votes, 2 answers, 985 views

VCenter 5.5 Appliance and FreeIPA 3 authentication

I have a vCenter appliance and FreeIPA running in my environment. There are no Windows machines at all, nor will there be. I have set up the VCA to authenticate via LDAP to IPA and this works PER USER. The ...
Asked by driz (267 rep)

3 votes, 1 answer, 2k views

macOS High Sierra issues mounting Kerberized NFSv4 shares

I'm using FreeIPA for LDAP/Kerberos and I've created a principal for a storage appliance (Dell/EMC UnityVSA VM). I have set up the VSA with a keytab from IPA; I've also set up within the VSA the LDAP ...
Asked by user3814483

3 votes, 1 answer, 11k views

LDAP + KERBEROS + NFS. Why do I need idmapd?

What I am trying to do: I have a freeIPA domain, with a few clients and a Synology NAS (also enrolled in freeIPA). I created a shared folder on the NAS, with NFSv4 + krb5 support. From the client, I ...
Asked by cornuz (437 rep)

3 votes, 1 answer, 1k views

Extremely slow NFS openat performance

I've installed an NFS server on Ubuntu 20.04 and a FreeIPA Ubuntu 20.04 client with the users' home directories served by the NFS server. Performance is extremely slow when accessing files. When I ...
Asked by YuvGM (153 rep)

3 votes, 2 answers, 10k views

Unable to log in to FreeIPA web ui - "Login failed due to an unknown reason."

After a Fedora server update, my FreeIPA broke and I am not sure how to deal with it. Does anyone have some ideas what might be the issue? I am unable to log in to the web UI or execute any IPA command. $...
Asked by tmdag (153 rep)

3 votes, 1 answer, 2k views

IPA server NFS services adding issue centos 7.2

I'm having an issue with adding NFS services to IPA server (after login to the IPA server and kinit admin). When I execute the line below: [root@ipa ~]# ipa service-add nfs/server1.example.com I'm ...
Asked by cms 54 (31 rep)

3 votes, 1 answer, 2k views

Wrong user mapping in kerberized NFSv4 automounted homedirs

Short problem description: This question is about id mapping in NFSv4 going wrong. NFS server: a Synology DS, with DSM 5.2. Client: a regular FC22 machine, which automounts as /home one of the ...
Asked by cornuz (437 rep)

3 votes, 1 answer, 1k views

NFS/krb5 authentication server lookup fails due to wrong principal name

When mounting an NFSv4 share with Kerberos, authentication fails and krb5kdc.log shows the wrong principal name for the NFS server. LOOKING_UP_SERVER: ... host/[email protected] ...
Asked by ifndef (31 rep)

3 votes, 0 answers, 592 views

FreeIPA: Keytab file for adding multiple NFS clients

I'm relatively new to IPA and have been practicing setting up Kerberized NFS. I succeeded in initially sharing a directory from my VM Server1 to Server2. I accomplished the above by adding the NFS ...
Asked by Mustafa Mujahid

3 votes, 0 answers, 154 views

Is it possible to use Active directory without a trust relationship for FreeIPA passwords?

I am looking to integrate FreeIPA with an Active Directory environment that I do not have full control over and most likely will not be able to get a trust relationship set up with my FreeIPA install. ...
Asked by user165520

3 votes, 0 answers, 376 views

Multiple passwordStorageScheme values on same user on 389ds / FreeIPA

I have deployed a FreeIPA identity solution which is backed by a 389 Directory Server. Due to the need to periodically sync user passwords to another platform (Google Apps for Work), I need ...
Asked by Andor (601 rep)

2 votes, 1 answer, 4k views

FreeIPA in LXD/LXC containers - cannot switch user

The setup consists of one FreeIPA server and one client, which both reside in unprivileged LXD containers on the same host. Both containers and the host machine run Ubuntu 16.04. All settings are ...
Asked by zenyatta

2 votes, 1 answer, 2k views

FreeIPA web interface behind HAProxy

I am trying to configure the FreeIPA web interface to work behind my HAProxy instance. I found an old GitHub Gist for the configuration (https://gist.github.com/m4ce/d081ab39654c3e13bbe8b150986526a3) ...
Asked by Computroniks

2 votes, 1 answer, 6k views

Multiple sites/realms in FreeIPA

To start off, my experience lies in networking (Cisco) and Windows. That being said, I have been set off on a project to design a multi-site FreeIPA installation. I have a single-site FreeIPA without ...
Asked by user396032

2 votes, 1 answer, 2k views

Migrate local Linux users to FreeIPA ones

We have several Linux machines (running various versions of Fedora and CentOS, but that should not be relevant) with local users. Most of those local users have the same login name but might have ...
Asked by Sardathrion - against SE abuse

2 votes, 1 answer, 9k views

FreeIPA: show all DNS records

Just as the title says. I'm stuck at "ipa dnsrecord-show mydomain.com": I get prompted for a hostname. Usage: ipa [global-options] dnsrecord-show DNSZONE NAME [options]. I've tried wildcards but it is ...
Asked by solly989

2 votes, 1 answer, 596 views

How do I update my machine time when there is a local ntpd server reference in ntpd.conf

My FreeIPA server's datetime had drifted about 10 min causing login failures. The ntpd service was functioning up and running. I checked the configuration and noticed that freeIPA had added a local ...
Asked by Kevin Vasko

2 votes, 1 answer, 3k views

FreeIPA (LDAP): Refuse auth for users with expired password

I have a FreeIPA used mostly for LDAP-based authentication in many local web services. Unfortunately, LDAP authorizes users to log in to third-party applications even when the user's password has expired (...
Asked by igann (188 rep)

2 votes, 1 answer, 100 views

FreeIPA re-arrange custom attributes

I created several custom attributes and added them to LDAP and FreeIPA, but their order in the user page is very messy. I want to re-arrange them and put the related attributes together (such as '...
Asked by Muhmmad Aziz

2 votes, 1 answer, 1k views

Extending LDAP and FreeIPA

I'm working with FreeIPA and I've extended its attributes successfully, but noticed that the verification function in the Python plugin, added to FreeIPA, only works for the values entered through the ...
Asked by Muhmmad Aziz

2 votes, 1 answer, 3k views

In FreeIPA, how do you add multiple external accounts to a group using the CLI?

I've tried multiple methods that don't appear to work, but I'm ultimately trying to add multiple external users to a non-POSIX group using the ipa group-add-member ... command. NOTE: These external ...
Asked by slm (7,810 rep)

2 votes, 1 answer, 5k views

Problems connecting to a freeIPA client host via ssh

I am trying to set up an IPA environment with a CentOS 7.3 server and clients and I am experiencing a behavior that I am not able to understand. I am using IPA version 4.4.0. I was able to run ipa-...
Asked by andreee (133 rep)

2 votes, 1 answer, 9k views

IPA users cannot sudo on some machines only, including the IPA server

I'm having trouble with FreeIPA on a few machines. It's been very frustrating to debug so far. Here are the details of the issue. How it manifests: the user can log in just fine to any host, but on ...
Asked by Sirex (5,557 rep)

2 votes, 1 answer, 2k views

FreeIPA and AD password synchronisation

I am attempting to integrate FreeIPA with Active Directory to provide single-sign-on for Windows and Linux users by following this guide. I have successfully created the 'winsync' agreement and ...
Asked by KingBob (153 rep)