Hello. I'm currently looking at implementing IPA in a mixed environment, consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is the most recent one bundled with RHEL 6.2.
I have some general rules I'll need to follow as best as I can, but I'm not really sure how to do this in IPA without it seeming like a huge work-around. This seems easy enough had it been for a pure RHEL6 environment, but with Solaris there's no SSSD, I apparently might need to downgrade the encryption types for "older" Solaris 10, etc. All of this is making my head dizzy, and I'd appreciate any help and pointers to clear my mind :)

Examples of the basic rules are (there's more of them, it's not only for the DNS servers for example, but the other cases can be solved in the same way):

- all sysadmins should be allowed to log into every system in the realm
- all sysadmins should be allowed to run certain commands (or to make it easy, any command) through the use of "sudo", on all systems
- some users will be part of certain groups, giving them permission to log into certain servers and run a set of commands through "sudo", for example: members of the dns-managers group should be allowed to ssh into the DNS servers (which consist of both RHEL6 and Solaris 10), and run certain commands through "sudo"
- certain other users will be allowed to log into some systems, but without any additional access through "sudo" (the fact that they're allowed to log into system X doesn't mean they should be allowed to become root, etc).

I've read a suggestion about making a host group for the Red Hat systems, a netgroup for the Solaris systems, and creating a user group which is added as a member of both the host group and netgroup. But, will I still need to worry about the old issue of Solaris apparently not coping well with users that have >16 additional groups to their name?

I have also read about having to add / change compatibility plugins, having to downgrade the algorithm for the Solaris 10 encryption type for older Solaris 10 releases, etc. And there's probably a few more things I need to watch out for and that aren't directly mentioned in the IPA documentation.
Oh, in case it matters - there's no common NFS home directories, so I'll also need to automatically create the home directories (I've got this bit sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read suggestions about using executable autofs maps to create home directories in /export/home and have them loopback-mounted to /home so they match the homeDirectory attribute.

Regards
Eivind "Confused" Olsen