On Tue, Nov 11, 2014 at 07:56:14AM +0100, Martin Kosek wrote:
> On 11/11/2014 06:37 AM, Rolf Nufable wrote:
> > or could you guys direct me or guide me on how to deploy this ipa server? 
> > I've been successful deploying ipa version 3.3.5 before but this 4.0 and 
> > above series is really giving me a headache 
> 
> Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
> deploy, on the contrary, it should be much cooler than 3.3.
> 
> > On Tuesday, November 11, 2014 1:24 PM, Rolf Nufable 
> > <rolf_16_nufa...@yahoo.com> wrote:
> >  
> > 
> > 
> > well I'll try them now, my sssd config only consists of these lines added 
> > to the sudo area 
> > 
> > sudo_provider = ldap
> > ldap_uri = ldap://myipaserver.example.com
> > ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/myipaserver.example.com
> > ldap_sasl_realm = EXAMPLE.COM
> > krb_server = myipaserver.example.com
> 
> BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
> provider. Actually, FreeIPA 4.0+ clients do that for you.

Right, in addition, the above should have been added to the domain
section, not the sudo section with older clients.

> 
> More info here:
> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> https://fedorahosted.org/freeipa/ticket/3358
> 
> > plus another question: why is it that when I invoke the kinit admin command 
> > for the kerberos I couldn't access the web UI and it keeps asking me to 
> > configure my web browser (Firefox) though I've already configured it many 
> > times.. 
> 
> Are you sure that network.negotiate-auth.trusted-uris in about:config is set
> correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
> not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
> is the setting of network.negotiate-auth.trusted-uris?
> 
> In any case, it is still hard to advise as I still did not see any related
> logs, error messages or actual real errors preventing you from enrolling 
> FreeIPA.
> 
> Thanks,
> Martin
> 
> > 
> > 
> > TIA 
> > 
> > 
> > 
> > On Monday, November 10, 2014 8:41 PM, Jakub Hrozek <jhro...@redhat.com> 
> > wrote:
> >  
> > 
> > 
> > On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote:
> > 
> >> On 11/10/2014 02:05 AM, Rolf Nufable wrote:
> >>> Hello 
> >>>
> >>> I have tons of questions on why FreeIPA won't work on my network. I've 
> >>> been using Fedora 20 as the OS for the FreeIPA server and client.
> >>>
> >>> I deployed FreeIPA 4.0.3 at the server side and FreeIPA 4.1.0 for the 
> >>> client side using 2 VMs. At first it was okay, got it connected and used 
> >>> ldap to pass sudo for the client side, but when I finally deployed it in 
> >>> our real network consisting of an ESXi server and one workstation having 
> >>> the same versions of FreeIPA for server and client, the error that I'm 
> >>> getting is that "the user does not exist" when I invoked the "su - 
> >>> (user)" command, so my question is how can I solve this problem? I've 
> >>> been at it for 3 weeks now ..
> >>
> >> I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
> >> assume this is a problem in SSSD client part, if the user cannot be found.
> >> CCing Lukas and Jakub to advise.
> > 
> > Sorry, I skipped this thread b/c the subject didn't look like it was
> > SSSD-related.
> > 
> > I think we need to examine SSSD logs...
> > 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
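
Added example, not part of the thread and not FreeIPA or SSSD code: a small Python check for the placement mistake discussed above, where the LDAP sudo settings sit under `[sudo]` instead of the domain section. The key/prefix list is a heuristic assumption and both sample configs are constructed.

```python
import configparser

# Heuristic (assumption): these names are backend settings that belong in [domain/...].
DOMAIN_KEYS = {"id_provider", "auth_provider", "sudo_provider"}
DOMAIN_PREFIXES = ("ldap_", "krb5_")

def _parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    return cp

def misplaced_domain_options(conf_text):
    """List (section, option) pairs for domain settings found outside a domain section."""
    cp = _parse(conf_text)
    return sorted((sec, opt) for sec in cp.sections() if not sec.startswith("domain/")
                  for opt in cp[sec]
                  if opt in DOMAIN_KEYS or opt.startswith(DOMAIN_PREFIXES))

def effective_sudo_providers(conf_text):
    """Map each domain to its sudo provider; sudo_provider defaults to id_provider."""
    cp = _parse(conf_text)
    return {sec.split("/", 1)[1]: cp[sec].get("sudo_provider", cp[sec].get("id_provider"))
            for sec in cp.sections() if sec.startswith("domain/")}

# Constructed sample: the thread's layout, with the LDAP sudo lines under [sudo].
BROKEN = """\
[sssd]
services = nss, pam, sudo
domains = example.com
[domain/example.com]
id_provider = ipa
[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
"""
# Constructed sample: the same lines moved into the domain section (older clients).
FIXED = BROKEN.replace("[sudo]\n", "").rstrip("\n") + "\n[sudo]\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, misplaced_domain_options(text), effective_sudo_providers(text))
```

In the broken layout the domain falls back to its `id_provider` for sudo, so the `ldap` setting under `[sudo]` never becomes the domain's sudo provider.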
