Re: [Freeipa-users] Bug in documentation or in CLI tools?
On Wed, 2012-02-22 at 22:07 +0100, Marco Pizzoli wrote:
> Hi guys,
> in a previous question about FreeIPA 2.1.90 I submitted to you, I received from Martin the answer to use the command:
>
> ipa dnszone-mod my_zone --dynamic-update=TRUE other_parameters
>
> I used it and I successfully achieved my purpose, but comparing this command against the documentation (both RHEL and Fedora) I think I found an incongruence. Both here [1] and here [2] the parameter of dnszone-mod to enable dynamic updates is reported as being --allow-dynupdate.
>
> Have I found a bug in the documentation? Or is it a difference between FreeIPA 2.1 and FreeIPA 2.1.90?
>
> Thanks in advance
> Marco
>
> [1] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/modifying-dns-zones.html#editing-dns-zone-cmd
> [2] https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/modifying-dns-zones.html#editing-dns-zone-cmd

Thanks Marco, this is indeed a bug in our documentation. I have created a ticket to fix [1]: https://fedorahosted.org/freeipa/ticket/2434 and [2]: https://bugzilla.redhat.com/show_bug.cgi?id=796751

Just a notice: even though the CLI option name has changed, the option is still backward compatible, i.e. pre-2.1.90 clients will be able to change the attribute value.

Martin

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] samba IPA
Hi,

Control samba with IPA, aka IPA controlling say ssh, so hbac control between a samba user group and a samba host group per samba share. So redhat linux clients to redhat linux samba server (rhel6.2's). I need to automount smb shares for linux users who are in IPA.

So far I have kerberos going, but I can't control a samba share based on IPA groups or even users... so far it seems to be valid users = guest1 in the smb.conf, which is close to useless. I need the control of the share(s) valid users = ipaserver/sambagroup/user1,2,3 etc type of thing, can this be done?

A useable alternative would be an IPA kerberos ticket to login and use AD for group control, clunky but centralised... I know in ipav3? domain trusts will be possible to look up AD groups.. but really I want to use IPA's groups as I have linux users who do not want to be / are not in AD.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 23 February 2012 5:26 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] samba IPA

Steven Jones wrote:
> Hi,
> Any good docs on making samba / smbclient / clients work with ipa? not having much luck with google

What is it you're looking to do? The more details the better.

regards

rob
Re: [Freeipa-users] samba IPA
Steven Jones wrote:
> Hi,
> Control samba with IPA, aka IPA controlling say ssh, so hbac control between a samba user group and a samba host group per samba share. So redhat linux clients to redhat linux samba server (rhel6.2's). I need to automount smb shares for linux users who are in IPA.
>
> So far I have kerberos going, but I can't control a samba share based on IPA groups or even users... so far it seems to be valid users = guest1 in the smb.conf, which is close to useless. I need the control of the share(s) valid users = ipaserver/sambagroup/user1,2,3 etc type of thing, can this be done?

I know next to nothing about Samba but I don't think anyone has tried any of this before. In your tests to date where are you storing your Samba users, in IPA? You added the objectclasses to the users, assigned a SID and all that?

How/where does one define the kind of controls you're looking for? We don't provide anything like that in IPA now.

IPA can provide automount files, so I presume you can store your Samba maps there; as for access control, that would be done by automount itself.

> A useable alternative would be an IPA kerberos ticket to login and use AD for group control, clunky but centralised... I know in ipav3? domain trusts will be possible to look up AD groups.. but really I want to use IPA's groups as I have linux users who do not want to be / are not in AD

I don't know, I barely grok what it is you're asking (gladly ignorant of AD).

regards

rob
[Freeipa-users] need info on AD / IPA coexistence
I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this.

I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments.

Any help or information would be appreciated.

Thanks,
Brian

---
Brian Cook
Solutions Architect, West Region
Red Hat, Inc.
407-212-7079
bc...@redhat.com
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi,

Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?

So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.

So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is independent but referenced... eg I find the auto-discovery is working fine...

So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.

I have some visio diagrams of how I have done it if you want them. It may not be the best way? but with so little architecture info available it's all I have.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 9:59 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] need info on AD / IPA coexistence
Re: [Freeipa-users] samba IPA
On Tue, 21 Feb 2012, Steven Jones wrote:
> Hi,
> Any good docs on making samba / smbclient / clients work with ipa? not having much luck with google

The stack of protocols that Samba is implementing disassociates authentication and the actual connection to the shares. First you authenticate and, once authenticated, you can connect to any share within the server. At this point there might be per-share limitations put on, but the authentication step is done already.

As part of authentication, Samba may enforce PAM accounting restrictions if the 'obey pam restrictions' option is set in the configuration file. This would give you a way to enforce HBAC rules per user connected to the server -- make sure your smbd PAM config is using sssd for accounting purposes and then SSSD would do checks over HBAC rules with the 'smbd' service. However, this would only limit access to the host globally as it happens during the authentication phase, not later, when the actual connection to the share would be done.

In order to limit per-share connection, Samba has 'valid users' and 'allow hosts' options. These specify lists of users and hosts correspondingly. Unfortunately, the way it is implemented in Samba, these lists are taken directly from the configuration source, thus there is no way to dynamically change them other than playing with configuration files. One could do configuration file tuning per connected host, for example, or per user, using 'include = /path/to/config' and Samba configuration macros. This would still not give you dynamic configuration though.

One could also do a 'preexec script' hook that is run before connection to a share is made. This approach allows you to implement a simple PAM-enabled tool that could be spawned from Samba at connection-to-share time and use SSSD HBAC tests (on PAM account) plus something additional to perform per-share restriction (see below why).

All other methods would require modifying Samba to change the 'allow_access()' function API and implementation. This is not planned at the moment -- neither from FreeIPA nor from Samba Team side. There are also considerable performance requirements on this particular function.

However, even if anything like that is performed, we have one specific issue: HBAC rules do not allow to differentiate between a service and its (optional) sub-services. You can think about shares as sub-services of a service 'smbd' but HBAC in FreeIPA doesn't allow to specify those. Ideally, the ipaHBACService object class could be extended to include sub-services but handling those in the UI would become a nightmare -- after all, you'll need to have as many ipaHBACService objects as number of servers x number of shares. Something better needs to be created.

-- 
/ Alexander Bokovoy
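The 'preexec' hook Alexander sketches can be tried as follows. This is an added example, not code from the thread, from FreeIPA or from Samba: a script that Samba runs at tree-connect time with 'preexec close = yes', so a non-zero exit refuses the share. The host-level HBAC check stays in PAM via 'obey pam restrictions = yes' as he describes; the script is the "something additional" for the per-share part. It keeps a per-share allow list in a hypothetical file /etc/samba/share-acl.conf (format constructed here, one "share:group,group" per line) and resolves the user's groups with id(1), which on an IPA-enrolled host come from SSSD. Shares that are not listed are denied.

```shell
#!/bin/sh
# Added example, not from the thread: per-share allow list enforced from a
# Samba 'preexec' hook. Assumed smb.conf wiring (per share, or in [global]):
#
#   obey pam restrictions = yes              ; host-level HBAC via pam_sss at session setup
#   preexec = /usr/local/sbin/share-acl.sh %S %u
#   preexec close = yes                      ; non-zero exit refuses the tree connect
#
# %S is the share name, %u the Unix user of the connection (both real Samba macros).
# Policy file path and format are hypothetical: one "share:group1,group2" per line,
# '#' comments allowed. A share that is not listed is denied (fail closed).
POLICY_FILE=${SHARE_ACL_POLICY:-/etc/samba/share-acl.conf}

# share_allowed POLICY_TEXT SHARE
#   Prints the comma-separated allow list for SHARE; returns 1 if SHARE is unlisted.
share_allowed() {
    printf '%s\n' "$1" | awk -F: -v s="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == s { print $2; found = 1; exit }
        END { exit !found }'
}

# user_in_list "GROUPS" "ALLOWED"
#   Returns 0 if any of the space-separated GROUPS appears in the comma-separated
#   ALLOWED list. Commas are padded on both sides so "users" cannot match "ipausers".
user_in_list() {
    for g in $1; do
        case ",$2," in *",$g,"*) return 0 ;; esac
    done
    return 1
}

# check_share_access POLICY_TEXT SHARE "GROUPS" -> 0 allow, 1 deny
check_share_access() {
    allowed=$(share_allowed "$1" "$2") || return 1
    user_in_list "$3" "$allowed"
}

# Entry point when invoked by Samba: $1 = share (%S), $2 = user (%u).
if [ $# -eq 2 ]; then
    policy=$(cat "$POLICY_FILE") || exit 1      # unreadable policy: deny
    groups=$(id -nG "$2") || exit 1             # unknown user: deny
    if check_share_access "$policy" "$1" "$groups"; then
        exit 0
    fi
    logger -t share-acl "deny user=$2 share=$1"
    exit 1
fi
```

Because the refusal happens at tree connect, a denied client still learns that the share exists, the same leak Alexander points out for filesystem ACLs below; hiding a share from a user entirely still needs the 'include' per-user configuration he mentions. The allow list here is a flat file, so it is no more centralised than 'valid users' is; the gain is only that it can be generated or fetched without touching smb.conf.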
Re: [Freeipa-users] samba IPA
Hi,

thanks for the great explanation

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Alexander Bokovoy [aboko...@redhat.com]
Sent: Friday, 24 February 2012 11:01 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] samba IPA
Re: [Freeipa-users] samba IPA
On 02/23/2012 05:01 PM, Alexander Bokovoy wrote:

You should also be able to use the filesystem to control access to the smb share. If acl support is on the filesystem, you can use these as well. Samba should have nt acl support = Yes set by default.

/etc/samba/smb.conf

[global]
        workgroup = HOME
        netbios name = corona
        realm = HOME.LAN
        security = user
        kerberos method = system keytab

[test]
        comment = test
        path = /samba
        writable = yes
        read only = no
        create mask = 0660
        directory mask = 770

[test2]
        comment = test2
        path = /samba2
        writable = yes
        read only = no
        create mask = 0660
        directory mask = 770

[root@corona samba]# ls -la /samba*
/samba:
total 108
drwxrws---. 2 jagee ipausers 4096 Feb 23 18:11 .

/samba2:
total 8
drwxrws---. 2 bob bob 4096 Feb 23 18:14 .

[jagee@ultra ~]$ smbclient -k //corona.home.lan/test
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> put Resume.odt
putting file Resume.odt as \Resume.odt (403.6 kb/s) (average 403.6 kb/s)

[jagee@ultra ~]$ smbclient -k //corona.home.lan/test2
Domain=[HOME] OS=[Unix] Server=[Samba 3.5.10-114.el6]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
Error in dskattr: NT_STATUS_ACCESS_DENIED

[jagee@ultra ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10003_I3kJiy
Default principal: ja...@home.lan

Valid starting     Expires            Service principal
02/23/12 17:11:46  02/24/12 17:11:46  krbtgt/home@home.lan
02/23/12 17:14:33  02/24/12 17:11:46  cifs/corona.home@home.lan

AD support is a lot different from basic security=user access.

Regards,
Jeremy Agee
Re: [Freeipa-users] need info on AD / IPA coexistence
I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is.

I understand your delegated dns setup. What if the customer must use AD for all DNS?

-Brian

On Feb 23, 2012, at 3:28 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi,

Well I can give you how I think this works, but I stand to be corrected...

So, there is auto-discovery for kerberos going on via DNS, but AD's DNS already has such kerberos for its services, so a Linux client is going to try and do this, but it's going to get AD results and not IPA results, so fail, so you have to be specific in commands. For instance on install with IPA DNS I can type

ipa-client-install --mkhomedir

and it figures out the DNS entries of the IPA server(s) and picks one to join via. If you can't do this as you are using AD's DNS then you have to specify the server and domain.

I think this might also impact load balancing across IPA's LDAP/kerberos servers, so if you have hard coded the KDC the client won't use dns to pick one of the others (assuming you have any).

I assume that any dis-advantage AD suffers from not having its own integrated DNS will also apply to IPA, from my limited reading this seems to be the case.

With joining a Linux client to IPA with its own DNS, dns also gets updated. If you are using an AD DNS then that is a manual process?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 3:12 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence
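Steven's point above is that a client pointed at AD's DNS only finds IPA's Kerberos and LDAP SRV records if AD delegates the IPA sub-domain; otherwise ipa-client-install needs --server and --domain, and hard-coded KDCs lose the DNS-based failover. Before enrolling, it is worth asking the resolver the client will actually use what it returns. The script below is an added example, not part of the thread or of FreeIPA: it looks up the discovery SRV names under a domain through a chosen resolver and reports which are missing. It assumes dig(1) from bind-utils; the domain unix.vuw.ac.nz is the one from the thread, and the lookup is passed in as a command so the reporting logic can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the thread): report which IPA discovery SRV records a
# resolver returns for a domain. Assumes 'dig' (bind-utils). Domain and resolver
# are arguments; nothing here is a real deployment's data.

# SRV names IPA publishes under its DNS domain that clients use for discovery
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp"

# parse_srv_targets: read 'dig +short SRV' output on stdin ("prio weight port target.")
# and print one target host per line with the trailing dot removed.
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# discovery_report DOMAIN LOOKUP_CMD
#   LOOKUP_CMD is any command (function or binary) that prints 'dig +short SRV'-style
#   output for the name given as its only argument. Prints one line per record name,
#   "name: host,host" or "name: MISSING", and returns 1 if anything is missing.
discovery_report() {
    domain=$1; lookup=$2; rc=0
    for n in $SRV_NAMES; do
        targets=$("$lookup" "$n.$domain" | parse_srv_targets | paste -s -d, -)
        if [ -z "$targets" ]; then
            echo "$n.$domain: MISSING"; rc=1
        else
            echo "$n.$domain: $targets"
        fi
    done
    return $rc
}

# dig_lookup NAME: real SRV query; RESOLVER (if set) selects the DNS server to ask,
# e.g. the AD DNS server the clients are pointed at.
dig_lookup() {
    dig +short SRV "$1" ${RESOLVER:+@"$RESOLVER"}
}

# Usage: ./check-ipa-discovery.sh unix.vuw.ac.nz [resolver-ip]
if [ $# -ge 1 ]; then
    RESOLVER=${2:-}
    discovery_report "$1" dig_lookup
fi
```

If the report shows MISSING for every name when querying the AD server but not when querying an IPA server directly, the delegation (or a forwarder) for the IPA sub-domain is what is absent, and the client will need --server/--domain on enrollment. The realm itself is discovered from a '_kerberos' TXT record under the same domain, which can be checked the same way with 'dig +short TXT'.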
Re: [Freeipa-users] need info on AD / IPA coexistence
I think we are doing the same thing here, seem to have arrived at the same conclusion! I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things linux/unix; the reverse IP domains on the IPA servers are slaved from the AD DNS however, as the subnets are mixed clients. This means I have to add linux servers manually in the reverse AD zones, not sure what I will do with clients as they are dhcp, have a look to see if I can do dns updates for a client dynamically.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Craig T [free...@noboost.org]
Sent: Friday, 24 February 2012 3:27 p.m.
To: Brian Cook
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the following;

Microsoft domain: melb.example.com
Linux Domain: group.example.com

The linux DNS server is a slave to the Windows AD DNS servers and a master DNS for group.example.com. All PCs point to our Linux DNS server which is hosting a slave copy of the melb.example.com. Amazingly this all works fine.

note: at the moment at least, we are keeping two separate user lists. I had sync working at one stage, but couldn't get the group memberships to come over correctly when going from Linux --> AD.

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
Re: [Freeipa-users] need info on AD / IPA coexistence
We use the group.example.com as the primary domain name, even for windows clients. So a typical windows pc has:

ip: 192.168.0.100
dns1: linux-dns-server1
dns2: linux-dns-server2
search: group.example.com

That way the windows pcs only use their melb.example.com domain for authentication and then switch back to group.example.com to communicate with other hosts on the network.

Anyway, this is just how I worked it out, there must be a better way out there...

cya

Craig

On Fri, Feb 24, 2012 at 02:44:59AM +0000, Steven Jones wrote:
Re: [Freeipa-users] samba IPA
On Thu, 23 Feb 2012, Jeremy Agee wrote:
> You should also be able to use the filesystem to control access to the smb share. If acl support is on the filesystem, you can use these as well. Samba should have nt acl support = Yes set by default.

Yes, this will work -- as long as SSSD or nss_ldap would be delivering IPA users and groups properly. This does not give the same centralized way of managing things though, ACLs need to be set on each server separately (for better, probably). Also, you'd still give away the fact that test2 exists on the server, which might be an unreasonable information leak in certain circumstances.

-- 
/ Alexander Bokovoy