Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Dmitri Pal
On 05/08/2011 07:39 PM, Adam Young wrote:
> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>
>> Thanks indeed again for the reply. I went through the deployment
>> guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta
>> machine for testing. I also configured the browsers on this server
>> and a client Kubuntu machine as per the guide. But I can't find any
>> doc which explain how to configure a client (kubuntu in my case) for
>> single sign on or even accessing a service like nfs using the browser
>> when native ipa-client package is not available. All the docs are
>> focused on configuring client machines using ipa-client package. Is
>> this possible? if so could anyone suggest me some guide lines or docs
>> for the same ?
>>
>

Does the client have SSSD?
If it does making ipa-client work is probably the best path.

If the SSSD is not an option then you are in the realm of PAM_KRB5 for
the SSO.
Please see the FreeIPA 1.2.1 documentation. There is no exact
documentation for your case but the closest IMO would be the
instructions for the Solaris client.
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html

Also see man pages for pam_krb5.
Hope this helps.

Thanks
Dmitri


> Did you try installing the ipa-client rpms with Alien?
>
>>
>> Thanks and Regards,
>> Nidal
>>
>> --- On *Mon, 5/2/11, Adam Young //* wrote:
>>
>>
>> From: Adam Young 
>> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
>> To: "nasir nasir" 
>> Cc: freeipa-users@redhat.com
>> Date: Monday, May 2, 2011, 8:03 AM
>>
>> On 05/01/2011 08:49 AM, nasir nasir wrote:
>>> Thanks for all the replies and great suggestions! I do
>>> appreciate it a lot.
>>>
>>> Apologies for being a bit confusing about the centralized /home
>>> folder in my previous mail. What I want is that all the users
>>> should have their /home folder stored in the storage. This
>>> entire partition (or LUN) can be attached to my Authentication
>>> server(i.e FreeIPA) by using iSCSI. From the Authentication
>>> server, I am NOT looking for iSCSI to get it mounted to the
>>> individual users' machine. I think NFS/automount would do
>>> that(appreciate any suggestion on this !) And whenever a new
>>> user is created, /home should be allocated out of this partition
>>> so that whichever machine the user is using to login later, she
>>> should be able to access the same /home specific to her
>>> regardless of the machine. I hope it is clear to all :-)
>>>
>>> Thanks and regards,
>>> Nidal
>>>
>>> > -- Centralized storage with iSCSI for /home folder for
>>> each user by means of a dedicated storage
>>> IPA manages Automount, which is possibly what you want.  Are
>>> you going to give each user their own partition that follows
>>> them around, or are you going to give them a home directory
>>> on a NAS server?  I have to admit, the iSCSI home mount
>>> sounds interesting.  You could probably get automount to
>>> help you out there, but at this point I think that you would
>>> need a separate key line for each user.
>>>
>>> Note that iSCSI won't help you if you want to mount the same
>>> partition on multiple clients.  For this, you either need a
>>> distributed File System, or stick to NFS.
>>>
>>
>>
>> Nidal,
>>
>> OK, I'd probably do something like this:  After installing IPA, add
>> one host as an IPA client with the following switch:
>> --mkhomedir, something like  ipa-client-install --mkhomedir -p
>> admin.   Then, mount the directory that you are going to use as
>> /home on that machine.  Once you create users in IPA, the first
>> time you log in as that user, do so from that client, and it will
>> attempt to create the home directory for you.  This should be
>> the only machine that has permissions to create directories under
>> /home.  Now, create an automount location and map, and create a
>> key for /home
>>
>> The instructions from our test day should get you started:
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/08/2011 11:57 PM, nasir nasir wrote:
> Adam,
>
> I truly appreciate your persistence !
>
> I tried using alien and it generated the .deb file successfully and
> even installed the ipa client package without any error on the client
> machine(Kubuntu 11.04). But when I run the ipa-client-install
> command, it gave the following error,
>
> openway@dl-360:~/rpm$ sudo ipa-client-install
> There was a problem importing one of the required Python modules. The
> error was:
>
> No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system?  It might be an arch issue.
I know that Debian and RH made different choices for 32 on 64.
RH/Fedora puts the Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/  for Python.

Try a 32bit RPM.

> openway@dl-360:~/rpm$
>
> I even created the deb file out of ipa-python package and installed it
> on the kubuntu machine(without any error). Still, it's the same. Any idea ?
>
> Thanks and regards,
> Nidal


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/09/2011 09:12 AM, Dmitri Pal wrote:
> On 05/08/2011 07:39 PM, Adam Young wrote:
>> On 05/08/2011 06:20 AM, nasir nasir wrote:
>>>
>>> Thanks indeed again for the reply. I went through the deployment
>>> guide and installed and configured FreeIPA 2.0 on a RHEL 6.1 beta
>>> machine for testing. I also configured the browsers on this server
>>> and a client Kubuntu machine as per the guide. But I can't find any
>>> doc which explain how to configure a client (kubuntu in my case) for
>>> single sign on or even accessing a service like nfs using the
>>> browser when native ipa-client package is not available. All the
>>> docs are focused on configuring client machines using ipa-client
>>> package. Is this possible? if so could anyone suggest me some guide
>>> lines or docs for the same ?
>>>
>>
>
> Does the client have SSSD?
> If it does making ipa-client work is probably the best path.
>
> If the SSSD is not an option then you are in the realm of PAM_KRB5 for
> the SSO.
> Please see the FreeIPA 1.2.1 documentation. There is no exact
> documentation for your case but the closest IMO would be the
> instructions for the Solaris client.
>
> http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
>
> Also see man pages for pam_krb5.
> Hope this helps.
>
> Thanks
> Dmitri

According to Stephen, Ubuntu has an older version of sssd available.
Even Debian sid only has 1.2.1

http://packages.debian.org/unstable/main/sssd





Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Ben Eisenbraun
Hi Nasir,

Here are my notes (in Trac wiki markup format no less) for manually setting
up Ubuntu clients to use our FreeIPA 1.2 server.  I haven't tested the 2.0
branch yet, but I suspect it's primarily the same.

HTH.

-ben

--
| Ben Eisenbraun
| SBGrid Consortium  | http://sbgrid.org   |
| Harvard Medical School | http://hms.harvard.edu  |

== Accounts/Authentication ==
Install required packages:
{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb \
    libnss-db autofs nfs-common autofs-ldap
}}}
This should spawn a dpkg-configure instance for Kerberos, give the proper 
information.

Edit /etc/nsswitch.conf to include:
{{{
passwd:    files ldap
group:     files ldap
automount: files ldap
}}}

Edit /etc/ldap.conf to include:
{{{
uri                         ldap://your.server.name
base                        dc=EXAMPLE,dc=COM
bind_policy                 soft
pam_lookup_policy           yes
pam_password                md5
nss_initgroups_ignoreusers  root,ldap
nss_schema                  rfc2307bis
nss_map_attribute           uniqueMember member
ssl                         no
ldap_version                3
pam_filter                  objectClass=posixAccount
}}}

To enable pam-ldap, run:
{{{
pam-auth-update
}}}

To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:
{{{
BASE  dc=EXAMPLE,dc=COM
URI   ldap://your.server.name
}}}

For kerberos config, edit /etc/krb5.conf to include 
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 dev-network.in.hwlab = EXAMPLE.COM
 .dev-network.in.hwlab = EXAMPLE.COM
}}}
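
A consistency check for the krb5.conf in the notes above, added here as an example (it is not part of the notes or of FreeIPA): with dns_lookup_kdc = false a client can only locate a KDC through [realms], so every realm named by default_realm or [domain_realm] needs a kdc entry there. The function names are hypothetical and the parser covers only the syntax that file uses; run on the file as posted, it reports that the placeholder realm EXAMPLE.COM has no [realms] entry.

```python
import re

# Realm-related lines of the krb5.conf posted above, placeholder names included.
POSTED_KRB5_CONF = """\
[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 dev-network.in.hwlab = EXAMPLE.COM
 .dev-network.in.hwlab = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse [section] headers, 'key = value' relations and one level of
    'NAME = { ... }' sub-sections. Repeated keys are collected into lists."""
    conf = {}
    section = None   # dict for the current [section]
    block = None     # dict for the current 'NAME = {' sub-section, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            section.setdefault(key, []).append(value)
    return conf


def check_realm_consistency(conf):
    """Return a list of findings; an empty list means every realm the file
    refers to can be resolved to a KDC from the file alone."""
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    # Only demand static kdc entries when DNS discovery is explicitly off.
    # This checker takes the first value when a relation is repeated.
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower()
    static_only = dns_kdc in ("false", "no", "off", "0")

    def resolvable(realm):
        entry = realms.get(realm)
        return isinstance(entry, dict) and bool(entry.get("kdc"))

    findings = []
    default = libdefaults.get("default_realm", [None])[0]
    if default is None:
        findings.append("libdefaults: default_realm is not set")
    elif static_only and not resolvable(default):
        findings.append(f"default_realm {default} has no kdc in [realms]")

    for domain, targets in conf.get("domain_realm", {}).items():
        realm = targets[0]
        if static_only and not resolvable(realm):
            findings.append(
                f"domain_realm {domain} -> {realm}: realm has no kdc in [realms]"
            )
    return findings


if __name__ == "__main__":
    for finding in check_realm_consistency(parse_krb5_conf(POSTED_KRB5_CONF)):
        print("FINDING:", finding)
```
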



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Stephen Gallagher
On Mon, 2011-05-09 at 09:38 -0400, Adam Young wrote:
> On 05/09/2011 09:12 AM, Dmitri Pal wrote: 
> > On 05/08/2011 07:39 PM, Adam Young wrote: 
> > > On 05/08/2011 06:20 AM, nasir nasir wrote: 
> > > > 
> > > > Thanks indeed again for the reply. I went through the deployment
> > > > guide and installed and configured FreeIPA 2.0 on a RHEL 6.1
> > > > beta machine for testing. I also configured the browsers on this
> > > > server and a client Kubuntu machine as per the guide. But I
> > > > can't find any doc which explain how to configure a client
> > > > (kubuntu in my case) for single sign on or even accessing a
> > > > service like nfs using the browser when native ipa-client
> > > > package is not available. All the docs are focused on
> > > > configuring client machines using ipa-client package. Is this
> > > > possible? if so could anyone suggest me some guide lines or docs
> > > > for the same ?
> > > 
> > 
> > Does the client have SSSD?
> > If it does making ipa-client work is probably the best path.
> > 
> > If the SSSD is not an option then you are in the realm of PAM_KRB5
> > for the SSO.
> > Please see the FreeIPA 1.2.1 documentation. There is no exact
> > documentation for your case but the closest IMO would be the
> > instructions for the Solaris client.
> > http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Configuring_Solaris_as_an_IPA_Client.html
> > 
> > Also see man pages for pam_krb5.
> > Hope this helps.
> > 
> > Thanks
> > Dmitri
> 
> 
> According to Stephen, Ubuntu has an older version of sssd available.
> Even Debian sid only has 1.2.1
> 
> http://packages.debian.org/unstable/main/sssd


SSSD 1.2.1 has some caveats with IPA usage. Mostly because the HBAC
format changed in the final FreeIPA v2. SSSD 1.2.1 had been released
with the older format, so it won't work.

However, it should be possible to set up SSSD 1.2.1 for use with FreeIPA
if they set 'access_provider = allow' (instead of 'access_provider =
ipa')

However, it WILL require a few manual steps to set up, notably the
acquisition of the host keytab.



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread nasir nasir
Dmitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the
result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed
exactly as given in the deployment guide and tested with another RHEL 6.1
client machine with ipa-client installed on it. When I try to mount the nfs
export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o sec=krb5)
it gets mounted without any problem. I googled a lot for this error and tried
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and
says that it is not supported. My /etc/export file and all the necessary
commands are copy pasted from the deployment guide with only the necessary
modifications to suit my values.

Please suggest me what to do.

Thanks indeed in advance and regards,
Nidal


Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden

Dmitri Pal wrote:
> On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
>> On 05/06/2011 04:12 PM, Rob Crittenden wrote:
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> Digging through docs / googling I can't see any disk partition
>>>> suggestions and size thereof requirements...
>>>>
>>>> Suggestions please?  sizing for 500 servers, 2000 desktops, 5000+
>>>> users...
>>>>
>>>> Especially around having different sections of the IPA master of
>>>> different raid groups if that's needed...
>>>
>>> It depends in part how you use IPA. A bare-bones user entry is about
>>> 1k, a host that has a certificate is about the same. There is some
>>> amount of overhead in the DIT and you'll need to consider the space
>>> for groups, how many kerberos services you'll deploy (also about 1k
>>> in size) and what other features of IPA you'll use. We have quite a
>>> few indexes into the data, that will take some room too.
>>>
>>> I think additional RAM will be better than terabytes of disk. 389-ds
>>> is going to try to cache much of this data, and with this number of
>>> entries it can probably keep most if not all of the database in memory.
>>>
>>> We haven't done any analysis on different FS performance.
>>>
>>> Does that help?
>>>
>>> rob
>>
>> Would you consider these documents describing sizing and performance
>> tuning of the RH DS to be comparable/transferable to IPA?
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>
> Yes these documents are applicable and can be used to tune up DS server
> under IPA.

Be careful to note that in the first document the disk space assumptions
are for 100 byte entries and some (but not all) of the IPA entries are
10x that.

Thanks for the links Sigbjorn.

regards

rob



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/09/2011 10:43 AM, nasir nasir wrote:
> Dmitri/Adam/Stephen,
>
> Thanks a lot for all the replies!
>
> This is a 64 bit machine. So I will try to install 32 bit and let you
> know the result.
>
> Also, I was trying to configure NFS service on the FreeIPA machine. I
> followed exactly as given in the deployment guide and tested with
> another RHEL 6.1 client machine with ipa-client installed on it.
> When I try to mount the nfs export I am getting the following error,
>
> [root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
> mount.nfs4: timeout set for Mon May  9 17:36:14 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
> mount.nfs4: mount(2): Permission denied
> mount.nfs4: access denied by server while mounting openipa.cohort.org:/
> [root@abc Packages]#
>
> But when I try to remove the kerberos authentication (i.e without -o
> sec=krb5) it gets mounted without any problem. I googled a lot for
> this error and tried all the suggestions like adding allow_weak_crypto
> parameter in the krb5.conf file, checking host/DNS/Keytab entries etc.
> Still it does not work. When I give weak crypto entry and add some
> weak crypto like des-cbc-md5, server rejects and says that it is not
> supported. My /etc/export file and all the necessary commands are copy
> pasted from the deployment guide with only the necessary modifications
> to suit my values.
>
> Please suggest me what to do.

Start off by checking the kerberos logs on both the server and client
machines.

in /var/log/  krb5kdc.log   kadmind.log  secure

I'm not a Kerberos Guru...bear that in mind

Make sure the clocks are in sync.  Always worth doing.  Kind of the
Kerberos equivalent of "Make sure the network cable is actually plugged in"

The KDC needs to know about the NFS service in order to grant a ticket.
Confirm that you can request an nfs ticket for your user and client for
the given server.

On the IPA server side, you have to create a service entry for your NFS
server.  Your NFS server needs to know to talk to the IPA Kerberos
instance.  This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you
are doing a NFS mount on.  Being able to use the IPA Kerberos ticket to
ssh from the nfs client machine to the NFS server machine would be a
good validation that the entire problem is just in the NFS configuration.

> Thanks indeed in advance and regards,
> Nidal



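
The krb5kdc.log check suggested in the reply above, as an added example that is not part of the thread: it parses KDC request lines and sorts what happened to requests for the nfs/ service into the causes the reply lists (no service entry in the KDC, clocks out of sync), plus the unsupported enctype from the des-cbc-md5 attempt. The log lines are constructed in the MIT krb5kdc.log format; the user alice, the realm COHORT.ORG and the function names are assumptions.

```python
import re

# Constructed sample; host name and client address follow the thread,
# the principal alice@COHORT.ORG is an assumption.
SAMPLE_KDC_LOG = """\
May 09 17:35:58 openipa.cohort.org krb5kdc[1705](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.125: ISSUE: authtime 1304951758, etypes {rep=18 tkt=18 ses=18}, alice@COHORT.ORG for krbtgt/COHORT.ORG@COHORT.ORG
May 09 17:36:14 openipa.cohort.org krb5kdc[1705](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.125: UNKNOWN_SERVER: authtime 0,  alice@COHORT.ORG for nfs/openipa.cohort.org@COHORT.ORG, Server not found in Kerberos database
May 09 17:41:02 openipa.cohort.org krb5kdc[1705](info): TGS_REQ (1 etypes {3}) 192.168.1.125: BAD_ENCRYPTION_TYPE: authtime 0,  alice@COHORT.ORG for nfs/openipa.cohort.org@COHORT.ORG, KDC has no support for encryption type
May 09 17:52:40 openipa.cohort.org krb5kdc[1705](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.125: PREAUTH_FAILED: alice@COHORT.ORG for krbtgt/COHORT.ORG@COHORT.ORG, Clock skew too great
"""

REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>[, <error text>]" at the end of the line.
PRINC_RE = re.compile(
    r"(?P<client>\S+) for (?P<service>[^\s,]+)(?:, (?P<error>.+))?$"
)

# What each verdict points to in the checklist from the reply above.
HINTS = {
    "service-principal-missing":
        "KDC has no such principal: create the NFS service entry on the IPA server",
    "clock-skew":
        "client and KDC clocks differ too much: sync time on both machines",
    "enctype-unsupported":
        "client offered only enctypes the KDC refuses (etype 3 is des-cbc-md5)",
    "ticket-issued":
        "KDC granted the ticket: look at the NFS server side (keytab, exports)",
    "other": "unclassified status: read the full log line",
}


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ log line, or None for anything else."""
    req = REQ_RE.search(line)
    if not req:
        return None
    princ = PRINC_RE.search(req.group("rest"))
    if not princ:
        return None
    return {
        "request": req.group("req"),
        "client_ip": req.group("ip"),
        "etypes": [int(e) for e in req.group("etypes").split()],
        "status": req.group("status"),
        "client": princ.group("client"),
        "service": princ.group("service"),
        "error": princ.group("error") or "",
    }


def diagnose(event):
    """Map one parsed KDC event to a verdict key in HINTS."""
    if "Clock skew too great" in event["error"]:
        return "clock-skew"
    if event["status"] == "UNKNOWN_SERVER":
        return "service-principal-missing"
    if event["status"] == "BAD_ENCRYPTION_TYPE":
        return "enctype-unsupported"
    if event["status"] == "ISSUE":
        return "ticket-issued"
    return "other"


def triage(log_text, service_prefix="nfs/"):
    """Return (service, verdict) for every request to service_prefix, plus any
    clock-skew failure, since skew breaks every later request as well."""
    results = []
    for line in log_text.splitlines():
        event = parse_kdc_line(line)
        if event is None:
            continue
        verdict = diagnose(event)
        if verdict == "clock-skew" or event["service"].startswith(service_prefix):
            results.append((event["service"], verdict))
    return results


if __name__ == "__main__":
    for service, verdict in triage(SAMPLE_KDC_LOG):
        print(f"{service}: {verdict}: {HINTS[verdict]}")
```
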

Re: [Freeipa-users] RHEL6.1 beta

2011-05-09 Thread Rob Crittenden

Steven Jones wrote:
> Hi,
>
> Where are the ipa-server-2.0 packages held these days ?
>
> from previous list posts they were here, but I can't find them now
>
> ipa-server-2.0.0-16.el6.x86_64
>
> Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
> ipa-server-2.0.0-16.el6.i686

Apparently the beta is over so the packages were removed.

The beta ISO's should still be available and those I'm told have the ipa
packages via classic RHN. If you use the new entitlement system the beta
packages are still on cdn.redhat.com.


regards

rob



[Freeipa-users] FreeIPA questions

2011-05-09 Thread SR
I'm new to FreeIPA and this list so please forgive me for the n00b 
questions. I have what I think is a pretty straight-forward use for 
FreeIPA. We have an Active Directory environment with a few hundred 
users. We are starting to increase our number of Macs and need a 
directory solution. There are some issues with Macs in AD which Apple 
doesn't seem interested in addressing. Open Directory would be nice if 
we only had Macs but it doesn't allow for syncing accounts to AD, so it 
won't work for us.


Based on what I've read about FreeIPA, it seems like it would be a good 
fit for us.


The problem I'm having is that I can't seem to even get FreeIPA 
installed. I've tried using Fedora 10 with all the latest updates. I've 
tried adding different .repo files I've found on the various FreeIPA 
pages, but none of them seem to be working for me.


So, my questions are:

1) What is the best distro for running FreeIPA. I'd rather not purchase 
RHEL, so it sounds like Fedora is the way to go. I just finished 
downloading Fedora 14 and will give that a try unless someone recommends 
something else.


2) Is version 2 highly recommended over version 1 or does version 1 have 
sufficient features to use it in a production environment? Essentially, 
we have about 30 current Macs users (and growing) that we want to create 
accounts for in FreeIPA and have sync'd to AD (or vice versa). The users 
will need the ability to change their passwords.


3) What is the best way to install FreeIPA? I'm having problems with yum 
(see errors below) so I was wondering if there was another way, e.g., RPMs.


# yum install freeipa-server
Loaded plugins: refresh-packagekit
Could not retrieve mirrorlist 
http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64 
error was [Errno 4] IOError: unreachable')> 
http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml: 
[Errno 4] IOError: 

Trying other mirror.
fedora   | 2.8kB  00:00
updates   | 3.4kB  00:00
Setting up Install Process
No package freeipa-server available.
Nothing to do

Thanks!

--Steve



Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread Steven Jones
Hi,

IMHO.
 
I wouldn't use fedora as a base for a business use...its not very stable or
more importantly long lived.  I've done a proof of concept on F14, F14 is fine
for that, unless f15 is out?  to take a good look at yes

You should be able to get the macs to authenticate to AD directly...we do, I
can ask the Mac guy how it's done if that's a help, but it's probably out there
on google.

Distro - there is only RHEL that I can see at present and it's a tech
preview...bear in mind that this is a redhat sponsored project...so it's
highly Red Hat centric.   Centos, I'm 99% sure there isn't a centos 6 yet (I
looked last week) so I'm not aware there is an alternative.

I would suggest you need at least 2 RHEL instances to give redundancy and the
extra add on channel(s) so that's some licencing...I think RHEL licences are
cheaper if they are virtualised guests though (we use VMware's ESXi) so ask a
sales person the cheapest way...we pay per student so I don't know the
commercial costs/licences fine points.   ESXi is available as a free option...I
run it at home...11 guests per Dell 390...way cool for a second hand $400
workstation

I have not used 1.0, though I have installed an old version a while back for a
look, but I like IPA2.0 a lot...its great web interface, easy to use unlike
most ldap interfaces...the best I've seen by far, almost unusual for Red Hat as
their web gui's don't impress me.

There are a lot of dependencies for IPA so doing it via the rpms is a
nightmare, I tried yesterday off the cd and it was a waste of 3 hours, the
interdependencies made it impossible

I went and kickstarted the guest again and put ipa-server in the script and it
installed fine...but if you don't have the 6.1 beta dvd that isn't an
option...really yum is it.

For the repo problem I'd suggest checking your DNS and firewall, I had a lot of
grief from both because our anal security ppl had stopped outward bound dns
queries and didn't tell anyone, took me 2+ hours to figure that out...so then
they blocked outward http because servers "didn't need to do that" another
1+hour wasted...the security guy was lucky he is way bigger than me...I was
so p*ssed  ;]

regards




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of SR [esopt...@cox.net]
Sent: Tuesday, 10 May 2011 7:36 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA questions

I'm new to FreeIPA and this list so please forgive me for the n00b
questions. I have what I think is a pretty straight-forward use for
FreeIPA. We have an Active Directory environment with a few hundred
users. We are starting to increase our number of Macs and need a
directory solution. There are some issues with Macs in AD which Apple
doesn't seem interested in addressing. Open Directory would be nice if
we only had Macs but it doesn't allow for syncing accounts to AD, so it
won't work for us.

Based on what I've read about FreeIPA, it seems like it would be a good
fit for us.

The problem I'm having is that I can't seem to even get FreeIPA
installed. I've tried using Fedora 10 with all the latest updates. I've
tried adding different .repo files I've found on the various FreeIPA
pages, but none of them seem to be working for me.

So, my questions are:

1) What is the best distro for running FreeIPA. I'd rather not purchase
RHEL, so it sounds like Fedora is the way to go. I just finished
downloading Fedora 14 and will give that a try unless someone recommends
something else.

2) Is version 2 highly recommended over version 1 or does version 1 have
sufficient features to use it in a production environment? Essentially,
we have about 30 current Macs users (and growing) that we want to create
accounts for in FreeIPA and have sync'd to AD (or vice versa). The users
will need the ability to change their passwords.

3) What is the best way to install FreeIPA? I'm having problems with yum
(see errors below) so I was wondering if there was another way, e.g., RPMs.

# yum install freeipa-server
Loaded plugins: refresh-packagekit
Could not retrieve mirrorlist
http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
error was [Errno 4] IOError: 
http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
[Errno 4] IOError: 
Trying other mirror.
fedora   | 2.8kB  00:00
updates   | 3.4kB  00:00
Setting up Install Process
No package freeipa-server available.
Nothing to do

Thanks!

--Steve



Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Steven Jones
Hi,

Disk space isn't an issue as such, as I thin provision the VMware guest anyway so
I can be fairly generous, 200gb is easy... the thing that interests me is
splitting up the table spaces to different disk sets, for instance (/dev/sdb1,
/dev/sdc1 etc, etc). Later then I can change RAID types or spread out to
different LUNs if there is a performance bottleneck, on the fly... that's easy
to do if the "backend" is broken up to different partitions on initial build...

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 10 May 2011 3:17 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Disk layout - requirements

Dmitri Pal wrote:
> On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
>> On 05/06/2011 04:12 PM, Rob Crittenden wrote:
>>> Steven Jones wrote:

>>>> Hi,
>>>>
>>>> Digging through docs / googling I can't see any disk partition
>>>> suggestions and size thereof requirements...
>>>>
>>>> Suggestions please?  sizing for 500 servers, 2000 desktops, 5000+
>>>> users...
>>>>
>>>> Especially around having different sections of the IPA master of
>>>> different raid groups if that's needed...
>>>
>>> It depends in part how you use IPA. A bare-bones user entry is about
>>> 1k, a host that has a certificate is about the same. There is some
>>> amount of overhead in the DIT and you'll need to consider the space
>>> for groups, how many kerberos services you'll deploy (also about 1k
>>> in size) and what other features of IPA you'll use. We have quite a
>>> few indexes into the data, that will take some room too.
>>>
>>> I think additional RAM will be better than terabytes of disk. 389-ds
>>> is going to try to cache much of this data, and with this number of
>>> entries it can probably keep most if not all of the database in memory.
>>>
>>> We haven't done any analysis on different FS performance.
>>>
>>> Does that help?
>>>
>>> rob
>>
>> Would you consider these documents describing sizing and performance
>> tuning of the RH DS to be comparable/transferable to IPA?
>>
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>
>>
>>
>
> Yes these documents are applicable and can be used to tune up DS server
> under IPA.

Be careful to note that in the first document the disk space assumptions
are for 100 byte entries and some (but not all) of the IPA entries are
10x that.

Thanks for the links Sigbjorn.

regards

rob



[Freeipa-users] test use cases

2011-05-09 Thread Steven Jones
NB in the test use case at,

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS


With DNS

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
--realm=FREEIPA.ORG --setup-dns -U --selfsign



It is coming back with wanting forwarders set

So that might need updating...

eg

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
--realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign

Also the above is spitting out the install script because the FQDN isn't set, to 
be correct, where should it be set?

/etc/hosts?

regards



Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread Adam Young

On 05/09/2011 03:36 PM, SR wrote:
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so
> it won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a
> good fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates.
> I've tried adding different .repo files I've found on the various
> FreeIPA pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not
> purchase RHEL, so it sounds like Fedora is the way to go. I just
> finished downloading Fedora 14 and will give that a try unless someone
> recommends something else.

While FreeIPA 2.0 has gone GA, it is only supported in Fedora 15, which
is currently in Beta.  I'd start with that.

> 2) Is version 2 highly recommended over version 1 or does version 1
> have sufficient features to use it in a production environment?
> Essentially, we have about 30 current Macs users (and growing) that we
> want to create accounts for in FreeIPA and have sync'd to AD (or vice
> versa). The users will need the ability to change their passwords.

Yes, there are so many features in 2.0 that you are going to want.

> 3) What is the best way to install FreeIPA? I'm having problems with
> yum (see errors below) so I was wondering if there was another way,
> e.g., RPMs.

If you have a F14 machine installed for testing, upgrade it to F15 Beta,
and you can do yum install freeipa-server.  If you want DNS support, be
sure to install the DNS Bind rpm that makes it talk to the LDAP store
as well:  bind-dyndb-ldap

> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError: unreachable')>
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError:
>
> Trying other mirror.
> fedora   | 2.8kB  00:00
> updates   | 3.4kB  00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do
>
> Thanks!
>
> --Steve



Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden

Steven Jones wrote:

> Hi,
>
> Disk space isn't an issue as such, as I thin provision the VMware guest anyway so
> I can be fairly generous, 200gb is easy... the thing that interests me is
> splitting up the table spaces to different disk sets, for instance (/dev/sdb1,
> /dev/sdc1 etc, etc). Later then I can change RAID types or spread out to
> different LUNs if there is a performance bottleneck, on the fly... that's easy
> to do if the "backend" is broken up to different partitions on initial build...

Apparently the biggest increase will be seen if you move the transaction
log. See
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Maintaining_Directory_Databases-Configuring_Transaction_Logs_for_Frequent_Database_Updates

rob

> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Rob Crittenden [rcrit...@redhat.com]
> Sent: Tuesday, 10 May 2011 3:17 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Disk layout - requirements
>
> Dmitri Pal wrote:
>> On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
>>> On 05/06/2011 04:12 PM, Rob Crittenden wrote:
>>>> Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> Digging through docs / googling I can't see any disk partition
>>>>> suggestions and size thereof requirements...
>>>>>
>>>>> Suggestions please?  sizing for 500 servers, 2000 desktops, 5000+
>>>>> users...
>>>>>
>>>>> Especially around having different sections of the IPA master of
>>>>> different raid groups if that's needed...
>>>>
>>>> It depends in part how you use IPA. A bare-bones user entry is about
>>>> 1k, a host that has a certificate is about the same. There is some
>>>> amount of overhead in the DIT and you'll need to consider the space
>>>> for groups, how many kerberos services you'll deploy (also about 1k
>>>> in size) and what other features of IPA you'll use. We have quite a
>>>> few indexes into the data, that will take some room too.
>>>>
>>>> I think additional RAM will be better than terabytes of disk. 389-ds
>>>> is going to try to cache much of this data, and with this number of
>>>> entries it can probably keep most if not all of the database in memory.
>>>>
>>>> We haven't done any analysis on different FS performance.
>>>>
>>>> Does that help?
>>>>
>>>> rob
>>>
>>> Would you consider these documents describing sizing and performance
>>> tuning of the RH DS to be comparable/transferable to IPA?
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
>>>
>>
>> Yes these documents are applicable and can be used to tune up DS server
>> under IPA.
>
> Be careful to note that in the first document the disk space assumptions
> are for 100 byte entries and some (but not all) of the IPA entries are
> 10x that.
>
> Thanks for the links Sigbjorn.
>
> regards
>
> rob



Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread Rob Crittenden

SR wrote:

> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so it
> won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a good
> fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates. I've
> tried adding different .repo files I've found on the various FreeIPA
> pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not purchase
> RHEL, so it sounds like Fedora is the way to go. I just finished
> downloading Fedora 14 and will give that a try unless someone recommends
> something else.

freeipa v2 really only supports Fedora 15 right now, which hasn't quite
shipped yet. It should be released real soon now.

It works on Fedora 14 but you need to get some packages from our
development repo (you can find the link to it on the Download page on
freeipa.org). You'd end up with some unsupported packages which isn't a
good place to be on the core of your infrastructure.

> 2) Is version 2 highly recommended over version 1 or does version 1 have
> sufficient features to use it in a production environment? Essentially,
> we have about 30 current Macs users (and growing) that we want to create
> accounts for in FreeIPA and have sync'd to AD (or vice versa). The users
> will need the ability to change their passwords.

For new users we only do 1-way user sync right now, just AD -> freeipa.
Existing users in both IPA and AD will be kept in sync, as are passwords
if you install the PassSync service on all your AD PDCs.

> 3) What is the best way to install FreeIPA? I'm having problems with yum
> (see errors below) so I was wondering if there was another way, e.g., RPMs.
>
> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError:
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError:
> Trying other mirror.
> fedora | 2.8kB 00:00
> updates | 3.4kB 00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do

Fedora 10 is no longer supported by Fedora, though I'm surprised the
archive isn't still up. In any case you want Fedora 15.

rob



Re: [Freeipa-users] test use cases

2011-05-09 Thread Dmitri Pal
On 05/09/2011 04:51 PM, Steven Jones wrote:
> NB in the test use case at,
>
> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS
>
> 
> With DNS
>
> #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
> --realm=FREEIPA.ORG --setup-dns -U --selfsign
>
> 
>
> It is coming back with wanting forwarders set
>
> So that might need updating...
>
> eg
>
> #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
> --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign
>
> Also the above is spitting out the install script because the FQDN isnt set, 
> to be correct, where should it be set?
>
> /etc/hosts?
>

Yes. If the machine does not have DNS provided identity its name should
be added to the /etc/hosts first.
See first paragraph.
https://fedorahosted.org/freeipa/wiki/QuickStartGuide


> regards
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
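
An added example, not part of the original thread and not FreeIPA's own code: a shell pre-flight check for the /etc/hosts entry discussed in the reply above. It assumes the usual layout of address, then FQDN, then short name, and that the FQDN should not be mapped to a loopback address; the function name, addresses and host names are made up for the example.

```shell
#!/bin/sh
# check_fqdn_in_hosts HOSTS_FILE FQDN   (hypothetical helper)
# Prints a one-line verdict and returns 0 only when HOSTS_FILE maps a
# non-loopback address to FQDN with FQDN as the first name on the line.
check_fqdn_in_hosts() {
    hosts_file=$1
    fqdn=$2

    # A bare short name ("ipaserver") is not a fully qualified name.
    case $fqdn in
        *.*) ;;
        *) echo "not-qualified: $fqdn has no domain part"; return 1 ;;
    esac

    verdict=$(awk -v want="$fqdn" '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # blank or address-only line
        {
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != tolower(want)) { continue }
                if ($1 ~ /^127\./ || $1 == "::1") { loopback = 1 }
                else if (i == 2) { canonical = 1 }
                else { alias = 1 }
            }
        }
        END {
            # Any loopback mapping wins: the name must not resolve to 127.x.
            if (loopback) { print "loopback" }
            else if (canonical) { print "ok" }
            else if (alias) { print "alias" }
            else { print "missing" }
        }' "$hosts_file")

    case $verdict in
        ok)       echo "ok: $fqdn is the first name on a non-loopback line"
                  return 0 ;;
        loopback) echo "loopback: $fqdn is mapped to 127.x or ::1" ;;
        alias)    echo "alias: $fqdn is listed after another name" ;;
        *)        echo "missing: $fqdn is not in $hosts_file" ;;
    esac
    return 1
}

# Constructed sample file; addresses and names are invented for the example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost localhost.localdomain looped.example.com
192.0.2.10  ipaserver.example.com ipaserver    # FQDN first, then short name
192.0.2.11  replica replica.example.com        # short name first
EOF
for name in ipaserver.example.com ipaserver replica.example.com \
            looped.example.com absent.example.com; do
    check_fqdn_in_hosts "$sample" "$name" || true
done
rm -f "$sample"
```

On a real machine the call would be `check_fqdn_in_hosts /etc/hosts "$(hostname -f)"` before running the installer.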





Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread SR

Thanks for the feedback, Steven!

The main issue we had with Macs tied directly to AD was 100% CPU 
utilization caused by the DirectoryService. I currently have my Mac tied 
to Open Directory as well as AD. This is working well with one 
exception: Logins (or even unlocking the screen) can take several 
minutes when disconnected from the network. This has been a known issue 
with Macs for quite some time, their forums have tons of complaints 
about it, yet Apple seems uninterested in working on the problem.


We have a bunch of ESXi boxes and I certainly have no problem using 
that. In fact, I'm trying to test FreeIPA on an ESXi box already. :-)


Based on past experience with dependency nightmares as well as your 
advice, I won't bother with RPMs.


I checked yesterday and there is still no CentOS 6. So, it sounds like 
RHEL is really the best way to go. I think there is an eval, so I will 
grab that to try.


Thanks again!

--Steve

Steven Jones wrote:

> Hi,
>
> IMHO.
>
> I wouldn't use Fedora as a base for a business use... it's not very stable or,
> more importantly, long lived. I've done a proof of concept on F14, F14 is fine
> for that, unless F15 is out? To take a good look at, yes.
>
> You should be able to get the Macs to authenticate to AD directly... we do. I
> can ask the Mac guy how it's done if that's a help, but it's probably out there
> on Google.
>
> Distro - there is only RHEL that I can see at present and it's a tech
> preview... bear in mind that this is a Red Hat sponsored project... so it's
> highly Red Hat centric. CentOS, I'm 99% sure there isn't a CentOS 6 yet (I
> looked last week) so I'm not aware there is an alternative.
>
> I would suggest you need at least 2 RHEL instances to give redundancy and the
> extra add-on channel(s), so that's some licensing... I think RHEL licences are
> cheaper if they are virtualised guests though (we use VMware's ESXi), so ask a
> sales person the cheapest way... we pay per student so I don't know the
> commercial costs/licences fine points. ESXi is available as a free option... I
> run it at home... 11 guests per Dell 390... way cool for a second hand $400
> workstation.
>
> I have not used 1.0, though I have installed an old version a while back for a
> look, but I like IPA 2.0 a lot... its great web interface, easy to use unlike
> most LDAP interfaces... the best I've seen by far, almost unusual for Red Hat as
> their web GUIs don't impress me.
>
> There are a lot of dependencies for IPA so doing it via the RPMs is a
> nightmare. I tried yesterday off the CD and it was a waste of 3 hours, the
> interdependencies made it impossible.
>
> I went and kickstarted the guest again and put ipa-server in the script and it
> installed fine... but if you don't have the 6.1 beta DVD that isn't an
> option... really yum is it.
>
> For the repo problem I'd suggest checking your DNS and firewall. I had a lot of
> grief from both because our anal security ppl had stopped outward bound DNS
> queries and didn't tell anyone, took me 2+ hours to figure that out... so then
> they blocked outward HTTP because servers "didn't need to do that", another
> 1+ hour wasted... the security guy was lucky he is way bigger than me... I was
> so p*ssed  ;]
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of SR [esopt...@cox.net]
> Sent: Tuesday, 10 May 2011 7:36 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA questions
>
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so it
> won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a good
> fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates. I've
> tried adding different .repo files I've found on the various FreeIPA
> pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA. I'd rather not purchase
> RHEL, so it sounds like Fedora is the way to go. I just finished
> downloading Fedora 14 and will give that a try unless someone recommends
> something else.
>
> 2) Is version 2 highly recommended over version 1 or does version 1 have
> sufficient features to use it in a production environment? Essentially,
> we have about 30 current Macs users (and growing) that we want to create
> accounts for in FreeIPA and have sync'd to AD (or vice versa). The users
> will need the ability to change their passwords.
>
> 3) What is the best way to install FreeIPA? I'm having problems with yum
> (see errors below) so I was

[Freeipa-users] failure to un-install FreeIPA

2011-05-09 Thread Steven Jones
I am trying to un-install freeipa with

ipa-server-install --uninstall and it's saying not installed, but when I try to 
install it's saying already installed!

oops.

Is there a way to force the script to check and remove everything?

Or somewhere there is a lock file or something that needs removing?

regards
