Steve, thanks

> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should 
> be in your  RH supported channel tree?
>
Nope, using CentOS 6.3.  I checked and it looks like I can find
passsync.msi from here.  I am hoping it's the same Windows binaries
supplied to Red Hat paying customers.

http://directory.fedoraproject.org/wiki/Download

>
> 1) Only one AD domain, so if you have a AD "forest" you can only do one 
> sub-domain.   So if the root is "example.com" and you have 
> "staff.example.com" and "clients.example.com" you can do only one, say 
> staff.example.com to IPA.
>
> Possible issues,
>
> 2) There is a bug in the setup where you have to be careful that you specify 
> the right OU= IF your users are not in the expected default (cn=users?), 
> otherwise the IPA users get deleted rather than ignored, you end up with an 
> empty IPA....frightened me senseless!

Do you mind explaining this further please?  Where are you specifying
this? On the passsync.msi application "search base" field? on AD side
or on "ipa-replica-manage --win-subtree" ?  Expected default users CN,
on which side, AD or FreeIPA?  Sorry, I tried to google for the bug
and I can't seem to pick it, so the question.

>
> So,
>
>     a) If you have users in multiple OUs then only one set is synced, the 
> rest in IPA will go bye bye, unless they are unique to IPA.
>     b) If some users have a smartphone to Exchange setup, the winsync 
> agreement sees that as the user having 2 OUs and first adds and then 
> deletes those users......oops.....I lost 20% of my users that way....

Yikes, that would have sucked, hope you had a backup.  I don't have a
sub-domain (Forest = domain), but would have been caught by the
smartphone issue.  Thanks for the heads up, really appreciate it.
>

> This is with RH support.

Hmm, hopefully their response will get to us non-customers somehow.
>
> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync 
> syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 
> 6.3 several times and this happens each time but a clean 6.3 IPA seems 
> fine....we don't know why that is yet.
>
> This is with RH support,
>
> So if you are going to do this you need an isolated test setup to test for 
> unexpected "features" that could really spoil your day.
>
> :(

Yes, I am really grateful I asked before diving in. Looks like I
would have got hurt really bad.

>
> My main advice would be restart with a clean 6.3 setup and not an upgraded 
> from 6.2.  I've rebuilt 2 of my three IPA servers and the 6.3 clean builds 
> seem a lot more stable.
>
> Also use db2ldif to make backups of your database before you do it....also 
> you might want to halt and turn off any IPA replicas when you do it until 
> after you are happy its stable and OK.
>

Will use 6.3.  Thank you again for the advice

William

>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Monday, 5 November 2012 8:23 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux
> systems and have been able to set up everything nicely with a separate
> domain.  I mean users are currently using a separate password to access
> Linux systems and another password from AD for desktop stuff. On
> Friday, I came across an article on freeIPA v 3 and noticed one can
> use the same username & password for both Linux and Windows systems.
> I have since felt this would be a better setup, but feel like the
> documentation is not clear on how to achieve the above.
>
> Would anyone be able to clarify this:
>
> - Can I synchronize the current AD user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0 ?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2
> ?  I can only seem to find freeIPA v3 RPM for Fedora 17.  Was hoping
> to use a blessed RPM instead of rolling one which may be incompatible
> with the distribution RPM once it comes around
>
> Regards,
>
> William
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 05 Nov 2012 09:32:42 +0100
> From: Petr Spacek <pspa...@redhat.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for AMM users management
> Message-ID: <509779aa.6010...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/03/2012 01:12 PM, Pavel Zhukov wrote:
>>> Can you do NS lookup of the IPA server from the AMM box?
>> yes
>>> Can you do kinit from the AMM box against IPA?
>>> Can you do ldapsearch from the AMM box against IPA?
>> no, AMM has restricted shell and web GUI.
>
> Hmm, that is unfortunate. Can you run tcpdump (or sniffer provided on AMM) on
> the link between AMM and IPA server? Because there are no records in access
> log I will bet on some name resolution or firewall problem.
>
> Does AMM get the right DNS responses (i.e. name and IP address of the IPA server)?
>
> Does AMM establish a TCP connection with the IPA server?
>
> --
> Petr^2 Spacek
>
>>> Do you see anything in the logs from such activity?
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 05 Nov 2012 08:17:34 -0700
> From: Rich Megginson <rmegg...@redhat.com>
> To: Steven Jones <steven.jo...@vuw.ac.nz>
> Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <5097d88e.1020...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/04/2012 01:25 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should 
>> be in your  RH supported channel tree?
>>
>> The passsync.msi has to go on each AD box
> Each Domain Controller.
>
> Also note that you asked if "Can I be able to synchronize the current AD
> user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
>
> You cannot synchronize already existing passwords with IPA 2.x.  You
> would have to force AD users to change their passwords in order to get
> the clear text password to send to IPA.
>
>> and is a MSI supplied by RH, I think that's also in the RH support channel 
>> but for some strange reason I think it might be in the workstation tree and 
>> not server tree.
>>
>> From what I can read there are some caveats,
>>
>> 1) Only one AD domain, so if you have a AD "forest" you can only do one 
>> sub-domain.   So if the root is "example.com" and you have 
>> "staff.example.com" and "clients.example.com" you can do only one, say 
>> staff.example.com to IPA.
>>
>> Possible issues,
>>
>> 2) There is a bug in the setup where you have to be careful that you specify 
>> the right OU= IF your users are not in the expected default (cn=users?), 
>> otherwise the IPA users get deleted rather than ignored, you end up with an 
>> empty IPA....frightened me senseless!
> https://fedorahosted.org/freeipa/ticket/2688
> and
> https://fedorahosted.org/389/ticket/355
>
> The problem is caused when you have a user ID in IPA that has the same
> user ID as a user in AD, but you didn't want them to be synced, and the
> AD user entry is outside the scope of the windows sync agreement.  This
> may or may not be a problem in your deployment.
>
>>
>> So,
>>
>>      a) If you have users in multiple ou's then only one set is synced the 
>> rest in IPA will go bye bye, unless they are unique to IPA.
> See above.
>>      b) If some users have a smartphone to Exchange setup, the winsync 
>> agreement sees that as the user having 2 OUs and first adds and then 
>> deletes those users......oops.....I lost 20% of my users that way....
> Is there a ticket/bz for this issue, or is this the same issue as above?
>>
>> These are with RH support, I have a hot fix, I am testing.
>>
>>      c) It's really hard to make sure all users have been transferred as you 
>> can only see 2000 users in IPA so something like an external tool like 
>> xplorer seems to be the only way for simpletons like myself to look at and 
>> compare.
>>
>> This is with RH support.
> There are workarounds.
>>
>> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync 
>> syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 
>> 6.3 several times and this happens each time but a clean 6.3 IPA seems 
>> fine....we don't know why that is yet.
>>
>> This is with RH support,
>>
>> So if you are going to do this you need an isolated test setup to test for 
>> unexpected "features" that could really spoil your day.
>>
>> :(
>>
>> My main advice would be restart with a clean 6.3 setup and not an upgraded 
>> from 6.2.  I've rebuilt 2 of my three IPA servers and the 6.3 clean builds 
>> seem a lot more stable.
>>
>> Also use db2ldif to make backups of your database before you do it....also 
>> you might want to halt and turn off any IPA replicas when you do it until 
>> after you are happy its stable and OK.
> You can also use db2ldif to get around the 2000 user limit mentioned above.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 05 Nov 2012 10:48:26 -0500
> From: Dmitri Pal <d...@redhat.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <5097dfca.60...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 11/04/2012 02:23 PM, William Muriithi wrote:
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose we recommend using the latest
> available version at the moment of deployment.
> 2) There are two different approaches to dealing with AD - sync or
> trust. You need to choose what approach you want to use. Down the road
> there might be some hybrid solutions but so far they are not supported.
>
> Sync: available since the beginning of IPA's life. It has some
> limitations and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common but you have been warned
> anyway.
>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
> the trusts would not work. This also means that if you have other UNIXes
> the trusts would not work there.
>
> If you have UNIX clients that need to be accessed by AD users you might
> explore some hybrid solutions that might work but we can't say for sure.
> For example the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass through capability that comes with 6.4 as
> a tech preview. That would allow  pass through LDAP auth for the non
> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
>
>
>
> ------------------------------
>
>
> End of Freeipa-users Digest, Vol 52, Issue 9
> ********************************************
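The deletion problem discussed in this thread (tickets 2688 / 389 ticket 355: an IPA uid that also exists in AD, but outside the subtree the winsync agreement is scoped to, gets deleted rather than ignored) is something you can check for before creating the agreement. The script below is an added example written for this thread, not code from FreeIPA, 389-ds or any of the posters. It works offline on two LDIF exports, the IPA userRoot backend as written by db2ldif (which also sidesteps the 2000-entry search limit Steven mentions) and a full-domain AD user export, and classifies every IPA uid against AD sAMAccountNames relative to the Windows subtree you intend to pass as the sync base. The sample entries, DNs and the `ad_sync_base` value are constructed for illustration.

```python
"""Winsync pre-flight check on LDIF exports (added example, not project code).
Inputs: an IPA export from db2ldif and an AD user export (ldapsearch/ldifde).
All DNs and entries below are constructed samples, not real directories."""
import base64


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments, lower-cases attribute names.  Assumes a plain
    content export (no changetype records)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form, enough for subtree tests."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def is_under(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def winsync_preflight(ipa_ldif, ad_ldif, ad_sync_base):
    """Returns (in_scope, collisions, ipa_only):
      in_scope   - uid also exists in AD *inside* the sync subtree (paired)
      collisions - uid exists in AD only *outside* the subtree: the case the
                   tickets describe, where IPA deleted the entry; rename or
                   move these before creating the agreement
      ipa_only   - no AD account of that name at all"""
    ipa_uids = set()
    for e in parse_ldif(ipa_ldif):             # only user entries, not groups
        if "posixaccount" in (oc.lower() for oc in e.get("objectclass", [])):
            ipa_uids.update(u.lower() for u in e.get("uid", []))
    ad_in, ad_out = set(), set()
    for e in parse_ldif(ad_ldif):
        bucket = ad_in if is_under(e["dn"][0], ad_sync_base) else ad_out
        bucket.update(s.lower() for s in e.get("samaccountname", []))
    in_scope = sorted(ipa_uids & ad_in)
    collisions = sorted((ipa_uids & ad_out) - ad_in)
    ipa_only = sorted(ipa_uids - ad_in - ad_out)
    return in_scope, collisions, ipa_only


# Constructed sample exports: bob's cn is base64, carol's description is folded.
IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: posixAccount
uid: alice
cn: Alice Example

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: posixAccount
uid: bob
cn:: Qm9iIE5vcmRpYw==

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: posixAccount
uid: carol
description: local-only acc
 ount, never in AD

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: groupOfNames
cn: admins
"""

AD_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example,DC=test
objectClass: user
sAMAccountName: alice

dn: CN=Bob Nordic,OU=Contractors,DC=corp,DC=example,DC=test
objectClass: user
sAMAccountName: bob

dn: CN=Dave,OU=Staff,DC=corp,DC=example,DC=test
objectClass: user
sAMAccountName: dave
"""
AD_SYNC_BASE = "OU=Staff,DC=corp,DC=example,DC=test"   # the --win-subtree value

if __name__ == "__main__":
    paired, danger, safe = winsync_preflight(IPA_LDIF, AD_LDIF, AD_SYNC_BASE)
    print("paired by winsync:", paired)
    print("same uid in AD outside the sync subtree (fix first):", danger)
    print("IPA-only, untouched:", safe)
```

On the sample data bob is the dangerous case: he exists in IPA and in AD, but under OU=Contractors, outside the OU=Staff subtree the agreement would be scoped to. Running this against a real db2ldif dump and a full AD export before `ipa-replica-manage connect --winsync` is the check I would want, together with keeping that LDIF as the restore point Steven recommends.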

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
