Hello,

I have found out that on the new NM on RHEL, hostnames are not sent (so no host authentication).
https://access.redhat.com/site/documentation/de-DE/Red_Hat_Enterprise_Linux/5/html-single/5.3_Release_Notes/

"NetworkManager attempted to set a hostname, but only after X had already done so. The user could not then open new windows because the authority files had been set by X with a different hostname. NetworkManager no longer sets hostnames."

Can we understand from this that new versions of NM (RHEL 6 uses NetworkManager-0.8.1) do not support this?

On Mon, Apr 7, 2014 at 7:58 PM, Dan Williams <[email protected]> wrote:

> On Fri, 2014-04-04 at 12:07 +0300, Omer Faruk SEN wrote:
> > Hello all,
> >
> > I see that Ubuntu mistakenly does that.
> > http://ubuntuforums.org/showthread.php?t=2202941 Sending
> > "host/machine_name" mistakenly then I see that it is achieved
> > NetworkManager but I am trying to figure out how can I do that on rhel
> > since rhel NetworkManager on RHEL6 uses at
> > /etc/NetworkManager/NetworkManager.conf
> > [main]
> > plugins=ifcfg-rh
> >
> >
> > which uses /etc/sysconfig/network-scripts/ifcfg-* script files.
>
> NetworkManager sends whatever you want it to send, so if you have a
> connection profile stored in /etc/sysconfig/network-scripts/, you can
> set the username in the ifcfg file with:
>
> IEEE_8021X_IDENTITY="whatever you want"
>
> The password goes into a "keys-<name>" file with the same suffix as the
> parent ifcfg-<name> file, so it would be:
>
> IEEE_8021X_PASSWORD="the password you want"
>
> note that the 'keys' files must be 0600 permissions, so even though the
> password is saved there, it is not accessible to users unless that user
> has permissions to edit system connections through PolicyKit.
>
> There are more examples of ifcfg/keys files at:
>
> http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/settings/plugins/ifcfg-rh/tests/network-scripts
>
> Let us know if you have any more questions!
>
> Dan
>
> > Regards.
> >
> >
> > On Fri, Apr 4, 2014 at 5:53 AM, Michael Butash <[email protected]> wrote:
> >
> > > Not as far as I have been able to tell per how windoze handles it. I
> > > asked this a while back, and short answer is no.
> > >
> > > Working in an enterprise wireless environment, of course windoze does this
> > > (only at boot/logout), macs do this too (somewhat poorly), but there is
> > > nothing analogous in linux directly. I worked with setting up a
> > > system-level profile (using the "All users may connect to this network"
> > > setting under the profile) for machine certs gotten from M$ Ent CA that
> > > would be used by default, but honestly I couldn't get NM to work right with
> > > the certs and gave up before leaving the company.
> > >
> > > I found prior ubuntu 12.04 wouldn't for whatever reason invoke that
> > > profile without login, bumping it up to 13.10 fixed it, so ymmv here too.
> > > In theory, using a general "machine" or system profile should get the
> > > system online, and if doing role derivation ala Clearpass/ISE, should stick
> > > you in a suitable quarantine/restricted access to AD, and then once a user
> > > logs in, would then switch profiles to theirs specifically for full
> > > access. I never got to see this fully work due to apparently certificate
> > > bugs with NM for eap-tls, but that's another discussion.
> > >
> > > I'd love to see this work, we had to do some hacks to get linux users on
> > > wireless, as part of our eap server policy was verifying the asset by
> > > machine auth, or an MDM in its place. Since linux really doesn't do or
> > > have either, we ended up fudging it in as an MDM-trusted asset for blind
> > > trust and staying with PEAP passwords, but in a 3500 user company with 10
> > > linux users, it was good enough.
> > >
> > > Using machine authentication is almost worse anyways, as no client handles
> > > the transition well when role determines vlan access at the controller at a
> > > L2 level, even windoze without specifically coa bouncing the association
> > > hard (dhcp needs a link down/up to readdress). The whole business was
> > > messy honestly, and just taught me not to rely on machine auth.
> > >
> > > It'd be great to see this work still, but maybe something a company like
> > > Likewise/Powerbroker or Centrify can handle to emulate gpo-ish machine auth
> > > function like that for enterprise desktop linux to transition back and
> > > forth from computer or user credentials, hopefully working better than
> > > either win or mac.
> > >
> > > -mb
> > >
> > >
> > > On 04/03/2014 07:00 AM, Omer Faruk SEN wrote:
> > >
> > > Hello,
> > >
> > > I want to ask how can I use "Computer Authentication" on
> > > NetworkManager-0.8.1. Is this a supported mode? If so where can I configure
> > > it on the NM GUI?
> > >
> > > I am using RHEL 6.5 and I use NetworkManager-0.8.1-66.el6.x86_64
> > >
> > > I want to state that RHEL 6.5 has joined to Microsoft AD environment. On
> > > Windows environment we have :
> > >
> > >
> > > As far as I see this is not possible on NM on any version but wanted to
> > > check it.
> > >
> > > Regards.
_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
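
An added example, not part of the original thread and not NetworkManager's own code: a shell check for the layout described in Dan Williams's reply, where ifcfg-<name> carries IEEE_8021X_IDENTITY and the password sits in a keys-<name> file that must be mode 0600. The function names, the profile names "wired" and "lab", and the use of GNU `stat -c` are assumptions; the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit ifcfg-rh 802.1X profiles in a directory.
# Identity belongs in ifcfg-<name>, password in keys-<name> (mode 0600).

audit_8021x_profiles() {            # hypothetical helper name
    local dir=$1 cfg name keys mode
    for cfg in "$dir"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        # Only profiles that set an 802.1X identity are checked.
        grep -q '^IEEE_8021X_IDENTITY=' "$cfg" || continue
        name=${cfg##*/ifcfg-}
        keys="$dir/keys-$name"
        # The password belongs in keys-<name>, not in the ifcfg file.
        if grep -q '^IEEE_8021X_PASSWORD=' "$cfg"; then
            echo "FAIL $name: password stored in ifcfg file"
        fi
        if [ ! -f "$keys" ]; then
            echo "WARN $name: no keys-$name file"
            continue
        fi
        mode=$(stat -c '%a' "$keys")   # GNU stat (assumption)
        if [ "$mode" = "600" ]; then
            echo "OK $name: keys-$name is mode 600"
        else
            echo "FAIL $name: keys-$name is mode $mode, expected 600"
        fi
    done
}

# Constructed sample profiles (not from the thread) for an offline run.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf 'IEEE_8021X_IDENTITY="host/machine_name"\n' > "$d/ifcfg-wired"
    printf 'IEEE_8021X_PASSWORD="constructed"\n'       > "$d/keys-wired"
    chmod 600 "$d/keys-wired"
    printf 'IEEE_8021X_IDENTITY="host/machine_name"\n' > "$d/ifcfg-lab"
    printf 'IEEE_8021X_PASSWORD="constructed"\n'       > "$d/keys-lab"
    chmod 644 "$d/keys-lab"
    echo "$d"
}

sample=$(make_sample_dir)
audit_8021x_profiles "$sample"
rm -rf "$sample"
```

To check real profiles, call `audit_8021x_profiles /etc/sysconfig/network-scripts` as root, since a correctly protected keys file is not readable by other users.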
