On 11/04/2012 01:25 PM, Steven Jones wrote:
Hi,

Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be 
in your RH supported channel tree?

The passsync.msi has to go on each AD box
Each Domain Controller.

Also note that you asked if "Can I be able to synchronize the current AD user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"

You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in order to get the clear text password to send to IPA.

and is an MSI supplied by RH, I think that's also in the RH support channel but 
for some strange reason I think it might be in the workstation tree and not 
server tree.

> From what I can read there are some caveats,

1) Only one AD domain, so if you have an AD "forest" you can only do one sub-domain. So if the root is 
"example.com" and you have "staff.example.com" and "clients.example.com" you can do only 
one, say staff.example.com to IPA.

Possible issues,

2) There is a bug in the setup where you have to be careful that you specify 
the right OU= IF your users are not in the expected default (cn=users?), 
otherwise the IPA users get deleted rather than ignored, you end up with an 
empty IPA....frightened me senseless!
https://fedorahosted.org/freeipa/ticket/2688
and
https://fedorahosted.org/389/ticket/355

The problem is caused when you have a user ID in IPA that has the same user ID as a user in AD, but you didn't want them to be synced, and the AD user entry is outside the scope of the windows sync agreement. This may or may not be a problem in your deployment.


So,

     a) If you have users in multiple OUs then only one set is synced, the rest 
in IPA will go bye bye, unless they are unique to IPA.
See above.
     b) If some users have a smartphone-to-Exchange setup the winsync agreement 
sees that as the user having 2 OUs and first adds and then deletes those 
users......oops.....I lost 20% of my users that way....
Is there a ticket/bz for this issue, or is this the same issue as above?

These are with RH support, I have a hot fix, I am testing.

     c) It's really hard to make sure all users have been transferred as you can 
only see 2000 users in IPA so something like an external tool like xplorer seems 
to be the only way for simpletons like myself to look at and compare.

This is with RH support.
There are workarounds.

3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync 
syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 
several times and this happens each time but a clean 6.3 IPA seems fine....we 
don't know why that is yet.

This is with RH support,

So if you are going to do this you need an isolated test setup to test for unexpected 
"features" that could really spoil your day.

:(

My main advice would be restart with a clean 6.3 setup and not one upgraded from 
6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot 
more stable.

Also use db2ldif to make backups of your database before you do it....also you 
might want to halt and turn off any IPA replicas when you do it until after you 
are happy it's stable and OK.
You can also use db2ldif to get around the 2000 user limit mentioned above.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
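The two failure modes discussed above (IPA users deleted because an AD account with the same name sits outside the winsync scope, and the 2000-entry display cap hiding whether everyone made it across) can both be checked offline against an LDIF export before the agreement is created. The script below is an added example, not code from this thread or from the FreeIPA project: it parses LDIF of the kind `db2ldif` or `ldapsearch -LLL` produces, flags IPA `uid`s that collide with an AD `sAMAccountName` located outside the sync base DN, and counts user entries directly from the export. The sample LDIF, the `dc=ipa,dc=example,dc=com` / `dc=ad,dc=example,dc=com` suffixes and the `OU=Staff` sync base are constructed for illustration.

```python
"""Pre-winsync sanity check against LDIF exports (added example, not FreeIPA code)."""
import base64
from typing import Dict, List, Set

LdifEntry = Dict[str, List[str]]

# Constructed sample standing in for `db2ldif` output from the IPA server.
IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: alice
cn: Alice Anderson
description: Folded line
  test value

dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: bob
cn: Bob Brown

dn: uid=svc-backup,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: svc-backup
cn: Backup Service
"""

# Constructed sample standing in for an export of *all* AD user objects.
AD_LDIF = """\
dn: CN=Alice Anderson,OU=Staff,DC=ad,DC=example,DC=com
sAMAccountName: alice

dn: CN=Bob Brown,OU=Contractors,DC=ad,DC=example,DC=com
sAMAccountName: bob

dn: CN=Carol,OU=Staff,DC=ad,DC=example,DC=com
cn:: Q2Fyb2w=
sAMAccountName: carol
"""

# Hypothetical winsync agreement scope: only OU=Staff is synced.
SYNC_BASE_DN = "OU=Staff,DC=ad,DC=example,DC=com"


def parse_ldif(text: str) -> List[LdifEntry]:
    """Parse LDIF into {attribute: [values]} dicts ("dn" is stored as an attribute).

    Supports folded continuation lines (leading space) and base64 values
    ("attr:: <b64>"); base64 is decoded once the whole folded value is known.
    Comments and the "version:" header are skipped.
    """
    entries: List[LdifEntry] = []
    pending: List[List] = []  # [attr, is_base64, raw_value] per value of current entry

    def flush() -> None:
        if not pending:
            return
        entry: LdifEntry = {}
        for attr, is_b64, value in pending:
            if is_b64:
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
        pending.clear()

    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if not raw.strip():
            flush()
            continue
        if raw.startswith(" ") and pending:
            pending[-1][2] += raw[1:]  # folded line: drop exactly one leading space
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):
            pending.append([attr, True, value[1:].strip()])
        else:
            pending.append([attr, False, value.lstrip(" ")])
    flush()
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDN spacing; does not handle escaped commas in RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def ad_accounts_outside_scope(ad_entries: List[LdifEntry], sync_base_dn: str) -> Set[str]:
    """sAMAccountNames of AD objects the winsync agreement will never see."""
    outside: Set[str] = set()
    for entry in ad_entries:
        if not dn_under(entry["dn"][0], sync_base_dn):
            outside.update(v.lower() for v in entry.get("sAMAccountName", []))
    return outside


def ipa_users_at_risk(ipa_entries: List[LdifEntry], ad_entries: List[LdifEntry],
                      sync_base_dn: str) -> List[str]:
    """IPA uids that collide with an out-of-scope AD account (the deletion case)."""
    outside = ad_accounts_outside_scope(ad_entries, sync_base_dn)
    return sorted({uid for e in ipa_entries for uid in e.get("uid", []) if uid.lower() in outside})


def count_user_entries(entries: List[LdifEntry], attr: str = "uid") -> int:
    """Count entries carrying a user attribute; unaffected by the 2000-entry UI cap."""
    return sum(1 for e in entries if attr in e)


if __name__ == "__main__":
    ipa, ad = parse_ldif(IPA_LDIF), parse_ldif(AD_LDIF)
    print("IPA users in export:", count_user_entries(ipa))
    print("AD accounts in export:", count_user_entries(ad, "sAMAccountName"))
    print("IPA users at risk of deletion:", ipa_users_at_risk(ipa, ad, SYNC_BASE_DN))
```

In the sample, `bob` exists in both directories but his AD object lives under `OU=Contractors`, outside the sync base, so he is reported as at risk; `alice` is in scope and would sync normally, and `svc-backup` is unique to IPA and untouched. In a real run you would feed the script the `db2ldif` output and an `ldapsearch` dump of the AD users subtree instead of the embedded strings.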

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of William Muriithi [william.murii...@gmail.com]
Sent: Monday, 5 November 2012 8:23 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment

Hi all,

I am in the process of deploying freeIPA 2.2 to authenticate Linux
systems and have been able to setup everything nicely with separate
domain.  I mean users are currently using separate password to access
Linux system and another set of password from AD for desktop stuff. On
Friday, I came across an article on freeIPA v 3 and noticed one can
use the same username & password for both Linux and Windows systems.
I have since felt this would be a better setup but feel like the
documentation is not clear on how to achieve the above.

Would anyone be able to clarify this:

- Can I be able to synchronize the current AD user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0 ?
- If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
I can only seem to find freeIPA v3 RPM for Fedora 17.  Was hoping
to use a blessed RPM instead of rolling one which may be incompatible
with the distribution RPM once it comes around

Regards,

William

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users