Re: [Freeipa-users] How IPA handles AD computer groups

2013-05-31 Thread Dmitri Pal
On 05/31/2013 08:39 AM, rashard.ke...@sita.aero wrote:
> I am working on a team to plan a migration to IPA on our UNIX based
> systems. One thing I was seeking information on is Computer groups. If
> a trust is established with our campus AD infrastructure, will its
> computer groups be shared with IPA or just users?
>
> If computer groups are transferred to host groups this will make
> managing permissions easier without having to recreate all the groups
> on the IPA side
>
> I could not find any info in this document
> http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could
> point me to some documentation about the subject it would be really
> helpful.
>

IPA does not share or transfer host groups from AD, and conceptually it
does not make sense to, since the systems managed by AD and the systems
managed by IPA are, in our view, completely non-overlapping sets of
systems. Can you please share your reasoning why it is something that
makes sense to have? So far our view of the world was that AD manages
Windows systems and the groupings and policies around those, while IPA
does the same for Linux systems.

>
> Thank You,
> Rashard Kelly
> Senior Linux Specialist
>
>
>
>
> From:    Martin Kosek
> To:      Sumit Bose
> Cc:      freeipa-users@redhat.com
> Date:    05/31/2013 06:41 AM
> Subject: Re: [Freeipa-users] IPA & AD trust question
> Sent by: freeipa-users-boun...@redhat.com
> 
>
>
>
> On 05/31/2013 09:37 AM, Sumit Bose wrote:
> > On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
> >> Hi List,
> >>
> >> I have a question - is it possible to use AD trust the way that:
> >> 1. All users are stored in AD
> >> 2. All Unix specific information (automount maps, sudo rules, HBAC
> rules) are stored in IPA?
> >
> > Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> > I can see no issues.
> >
> >>
> >> If yes then:
> >> 1. Will this scenario honour the RFC2307 user attributes in AD?
> >
> > We are trying to support RFC2307 attributes in AD with the next releases
> > for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
> > AD user's RID is available.
>
> Ondreji, this is by the way the upstream ticket under which this
> feature is being implemented (in case you want to follow it):
>
> https://fedorahosted.org/freeipa/ticket/2904
>
> There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
> (https://fedorahosted.org/freeipa/report/3), you may also want to
> check that they address your needs (and provide comments if they don't).
> We are still in a design phase, so some amendments are possible.
>
> Thanks,
> Martin
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Rob Crittenden

Guy Matz wrote:

Sorry, should have mentioned that.  I had host principal and have since
added ldap:
# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal

--
3 host/ipadevmstr.collmedia@collmedia.net
3 host/ipadevmstr.collmedia@collmedia.net
3 host/ipadevmstr.collmedia@collmedia.net
3 host/ipadevmstr.collmedia@collmedia.net
3 ldap/ipadevmstr.collmedia@collmedia.net
3 ldap/ipadevmstr.collmedia@collmedia.net
3 ldap/ipadevmstr.collmedia@collmedia.net
3 ldap/ipadevmstr.collmedia@collmedia.net

I now get this error:
Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context Invalid credentials

with this in my krb5.log:
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
DNS/ipadevmstr.collmedia@collmedia.net for
krbtgt/collmedia@collmedia.net, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
{rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia@collmedia.net for
krbtgt/collmedia@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
{rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia@collmedia.net for
ldap/ipadevmstr.collmedia@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net

Do I need to add DNS too?


I'm not quite sure what your goal is.

I thought you had created a user for the purpose of creating hosts and 
you wanted to delegate permissions to that user.


Is this what you've done? If so, what roles is the user a member of, and 
what privileges are associated with that role?


rob



Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Guy Matz
Sorry, should have mentioned that.  I had host principal and have since
added ldap:
# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal

--
   3 host/ipadevmstr.collmedia@collmedia.net
   3 host/ipadevmstr.collmedia@collmedia.net
   3 host/ipadevmstr.collmedia@collmedia.net
   3 host/ipadevmstr.collmedia@collmedia.net
   3 ldap/ipadevmstr.collmedia@collmedia.net
   3 ldap/ipadevmstr.collmedia@collmedia.net
   3 ldap/ipadevmstr.collmedia@collmedia.net
   3 ldap/ipadevmstr.collmedia@collmedia.net

I now get this error:
Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context Invalid credentials

with this in my krb5.log:
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
DNS/ipadevmstr.collmedia@collmedia.net for
krbtgt/collmedia@collmedia.net, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
{rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia@collmedia.net for
krbtgt/collmedia@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
{rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia@collmedia.net for
ldap/ipadevmstr.collmedia@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia@collmedia.net

Do I need to add DNS too?

Thanks a lot,
Guy

On 05/31/2013 12:48 PM, Rob Crittenden wrote:
> Guy Matz wrote:
>> Hi!  I'm writing a web UI to front-end an "ipa host-add" . . .  the web
>> ui runs as a special user who I would like to give credentials to allow
>> it to be able to run the ipa commands necessary . . .  I thought I would
>> need to give it a host privilege, but I'm bumping up into the following:
>>
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>> 'userPassword' attribute
>>
>> That looks like more of an LDAP issue . . .  Any of you guys know how I
>> get around this?
> What privileges did you assign to the role that this user is a member of?
>
> rob
>
>


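The krb5kdc lines quoted above are the KDC's audit trail: one record per AS_REQ or TGS_REQ with its outcome, plus a separate continuation line ("... CONSTRAINED-DELEGATION s4u-client=") written when a service obtains a ticket on behalf of another principal via S4U2Proxy, which is why the HTTP principal appears talking to ldap here. The parser below is an added example, not code from this thread or from FreeIPA or MIT Kerberos: it parses that line shape, attaches each delegation line to the TGS_REQ it follows, and reports failed requests and the non-AES enctypes clients still advertise. The sample log is constructed (hostname, realm and addresses are placeholders modelled on the lines in the thread).

```python
"""Parse MIT krb5kdc log lines and summarise what the KDC saw (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One AS_REQ/TGS_REQ record, e.g.:
#   ... krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.111: ISSUE:
#   authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/... for ldap/...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
)
# Continuation line the KDC writes after a TGS_REQ it served via S4U2Proxy.
DELEG_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): \.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<s4u>\S+)"
)

AES_ETYPES = {17, 18}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


@dataclass
class KdcEvent:
    req: str
    status: str
    client_ip: str
    client: str
    server: str
    offered_etypes: List[int]
    s4u_client: Optional[str] = None  # set when a delegation line follows


def parse_kdc_log(lines) -> List[KdcEvent]:
    """Turn raw krb5kdc lines into events; a delegation line annotates the preceding TGS_REQ."""
    events: List[KdcEvent] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(KdcEvent(
                req=m["req"], status=m["status"], client_ip=m["client_ip"],
                client=m["client"], server=m["server"],
                offered_etypes=[int(e) for e in m["etypes"].split()],
            ))
            continue
        d = DELEG_RE.search(line)
        if d and events and events[-1].req == "TGS_REQ":
            events[-1].s4u_client = d["s4u"]
    return events


def constrained_delegations(events) -> List[Tuple[str, str, str]]:
    """(impersonating service, target service, impersonated principal) triples."""
    return [(e.client, e.server, e.s4u_client) for e in events if e.s4u_client]


def failed_requests(events) -> List[KdcEvent]:
    """NEEDED_PREAUTH is the normal first round trip, not a failure; any other non-ISSUE status is."""
    return [e for e in events if e.status not in ("ISSUE", "NEEDED_PREAUTH")]


def non_aes_etypes_offered(events) -> List[int]:
    """Enctypes clients still advertise besides AES (e.g. 23 = RC4-HMAC, 16 = 3DES)."""
    return sorted({et for e in events for et in e.offered_etypes if et not in AES_ETYPES})


# Constructed sample modelled on the lines quoted in the thread (placeholder names and addresses).
SAMPLE_LOG = """\
May 31 14:42:30 ipa.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.111: NEEDED_PREAUTH: DNS/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 31 14:42:30 ipa.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipa.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 31 14:42:31 ipa.example.test krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST
May 31 14:42:31 ipa.example.test krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipa.example.test@EXAMPLE.TEST
May 31 14:43:02 ipa.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.50: PREAUTH_FAILED: webui@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG.splitlines())
    for who, svc, on_behalf in constrained_delegations(evs):
        print(f"S4U2Proxy: {who} -> {svc} on behalf of {on_behalf}")
    for e in failed_requests(evs):
        print(f"{e.status}: {e.client} from {e.client_ip}")
    print("non-AES enctypes offered:", non_aes_etypes_offered(evs))
```

Run against a real /var/log/krb5kdc.log the delegation report tells you which service principals are impersonating whom, which is the list to compare against the delegation rules you intended to configure; the "Invalid credentials" error in the thread is an LDAP-side authorization failure that this log cannot explain, since the KDC shows the tickets being issued normally.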


Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Rob Crittenden

Guy Matz wrote:

Hi!  I'm writing a web UI to front-end an "ipa host-add" . . .  the web
ui runs as a special user who I would like to give credentials to allow
it to be able to run the ipa commands necessary . . .  I thought I would
need to give it a host privilege, but I'm bumping up into the following:

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
'userPassword' attribute

That looks like more of an LDAP issue . . .  Any of you guys know how I
get around this?


What privileges did you assign to the role that this user is a member of?

rob



[Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Chandan Kumar
As far as my understanding goes, it does not stop even if I disable cache
credentials. I set the following parameters in sssd.conf, but UID 2 is
still able to log in.

cache_credentials = False
krb5_store_password_if_offline = False
min_id=5000
max_id=5010
enumerate = False
entry_cache_timeout=3

Package Info:
Client:
sssd-client-1.9.2-82.7.el6_4.x86_64

Server:
ipa-server-2.2.0-16.el6.x86_64

Thanks
Chandan

On Friday, May 31, 2013, Jakub Hrozek wrote:

> On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:
> > On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
> > > On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> > > > On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > > > > Hello,
> > > > >
> > > > > As part of migration from passwd/shadow to IPA, I want to roll out
> > > > > IPA/SSSD based password first for a small number of users and then
> > > > > for all. (same goes with host. first small number of host and then
> > > > > all).
> > > > >
> > > > > I was trying to limit it using max_id/min_id parameters in sssd
> > > > > but it does not seem to work the way I expected.
> > > > > ---
> > > > > min_id = 5000
> > > > > max_id = 5100
> > > > > --
> > > > > So there is a user "kchandan" with UID/GID 2
> > > > > --
> > > > > [root@tipa1 ~]# id kchandan
> > > > > uid=2(kchandan) gid=2 groups=2
> > > > > ---
> > > > >
> > > > > But it is allowing me to log in with that ID, with the only error
> > > > > showing GID 2 not found.
> > > > > ---
> > > > > ssh 10.2.3.105 -l kchandan
> > > > > kchandan@10.2.3.105 's password:
> > > > > id: cannot find name for group ID 2
> > > > > -
> > > > >
> > > > > Is there any way to achieve this?
> > > >
> > > > So you want to allow only a subset of users with a specific range to
> > > > log into the systems controlled by SSSD before you open it to a
> > > > broader public?
> > > > I would defer to SSSD gurus but the hack that comes to mind is to
> > > > configure a simple access provider to limit the access to just the
> > > > users you care about (man sssd-simple) or configure ldap access
> > > > provider based on a filter (man sssd-ldap).
> > >
> > > Hi,
> > >
> > > The user shouldn't even be saved to the cache if it's filtered out of
> > > range.
> > >
> > > But looking at the current NSS code, the entry would have been
> > > returned if it was saved *before* you changed the min_id/max_id
> > > parameters. Could that be the case? Can you check if after removing
> > > the cache the entry still shows up?
> > >
> > > I think that the fact that the entry is returned from cache even if it
> > > should be filtered out is a bug:
> > > https://fedorahosted.org/sssd/ticket/1954
> >
> > So far we always maintained that if you consistently change
> > configuration (and a change of ranges is a big change) then it's on the
> > admin to wipe the cache file.
>
> Yes, that's why the ticket is minor. But mostly I don't like the
> inconsistency where some requests check the ranges even in the responder
> and some don't.
>


-- 

--
http://about.me/chandank
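What min_id/max_id actually filter, and why an entry cached before the range was changed can still resolve (the case Jakub points at), can be checked on a client without reading SSSD's code. The script below is an added example, not code from this thread or from SSSD: it reads the ranges from the [domain/...] sections of an sssd.conf fragment, applies the range rule documented in sssd.conf(5) (an ID below min_id, above a non-zero max_id, or equal to 0 is out of range; max_id = 0 means no upper bound) and lists passwd entries the client still resolves although they fall outside the range. The sssd.conf fragment and the passwd lines are constructed; the range values mirror the thread.

```python
"""Audit which resolvable users fall outside SSSD's min_id/max_id range (added example)."""
import configparser
from typing import Dict, List, Tuple

# Constructed sssd.conf fragment with the settings from the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
cache_credentials = False
min_id = 5000
max_id = 5010
enumerate = False
"""

# Constructed `getent passwd <name>`-style lines as seen by NSS on the client.
SAMPLE_PASSWD = """\
kchandan:*:2:2:Chandan Kumar:/home/kchandan:/bin/bash
alice:*:5001:5001:Alice:/home/alice:/bin/bash
bob:*:5010:5010:Bob:/home/bob:/bin/bash
carol:*:5011:5011:Carol:/home/carol:/bin/bash
"""


def load_id_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (min_id, max_id)} for every [domain/...] section.
    Defaults follow sssd.conf(5): min_id = 1, max_id = 0 (no upper bound)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ranges: Dict[str, Tuple[int, int]] = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            ranges[section[len("domain/"):]] = (
                cp.getint(section, "min_id", fallback=1),
                cp.getint(section, "max_id", fallback=0),
            )
    return ranges


def in_range(posix_id: int, min_id: int, max_id: int) -> bool:
    """SSSD's range rule: 0 is never valid, max_id = 0 disables the upper bound."""
    if posix_id == 0 or posix_id < min_id:
        return False
    return max_id == 0 or posix_id <= max_id


def out_of_range_entries(passwd_text: str, min_id: int, max_id: int) -> List[Tuple[str, int, int]]:
    """Entries the client resolves although the UID or primary GID is outside the range.
    If SSSD returns these after a range change, the cache predates the change."""
    hits: List[Tuple[str, int, int]] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        uid_i, gid_i = int(uid), int(gid)
        if not (in_range(uid_i, min_id, max_id) and in_range(gid_i, min_id, max_id)):
            hits.append((name, uid_i, gid_i))
    return hits


if __name__ == "__main__":
    for domain, (lo, hi) in load_id_ranges(SAMPLE_SSSD_CONF).items():
        print(f"[domain/{domain}] accepts IDs {lo}..{hi if hi else 'unbounded'}")
        for name, uid, gid in out_of_range_entries(SAMPLE_PASSWD, lo, hi):
            print(f"  out of range but resolvable: {name} uid={uid} gid={gid}")
```

On a real client, feed it /etc/sssd/sssd.conf and the `getent passwd <name>` output for the users in question. A hit that disappears after the SSSD cache is invalidated (`sss_cache -E`, or removing the cache files while sssd is stopped) confirms the stale-entry case Simo and Jakub describe; note that, as Dmitri says, the supported way to restrict who may log in is an access provider (sssd-simple or an ldap access filter), and the ID range is not an access control.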

[Freeipa-users] IPA privileges question

2013-05-31 Thread Guy Matz
Hi!  I'm writing a web UI to front-end an "ipa host-add" . . .  the web
ui runs as a special user who I would like to give credentials to allow
it to be able to run the ipa commands necessary . . .  I thought I would
need to give it a host privilege, but I'm bumping up into the following:

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
'userPassword' attribute

That looks like more of an LDAP issue . . .  Any of you guys know how I
get around this?

Thanks a lot,
Guy



Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Simo Sorce
On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
> On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> > On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > > Hello,
> > >
> > > As part of migration from passwd/shadow to IPA, I want to roll out
> > > IPA/SSSD based password first for a small number of users and then for
> > > all. (same goes with host. first small number of host and then all).
> > >
> > > I was trying to limit it using max_id/min_id parameters in sssd but it
> > > does not seem to work the way I expected.
> > > ---
> > > min_id = 5000
> > > max_id = 5100
> > > --
> > > So there is a user "kchandan" with UID/GID 2
> > > --
> > > [root@tipa1 ~]# id kchandan
> > > uid=2(kchandan) gid=2 groups=2
> > > ---
> > >
> > > But it is allowing me to log in with that ID, with the only error
> > > showing GID 2 not found.
> > > ---
> > > ssh 10.2.3.105 -l kchandan
> > > kchandan@10.2.3.105 's password: 
> > > id: cannot find name for group ID 2
> > > -
> > >
> > > Is there any way to achieve this?
> > 
> > So you want to allow only a subset of users with a specific range to log
> > into the systems controlled by SSSD before you open it to a broader public?
> > I would defer to SSSD gurus but the hack that comes to mind is to
> > configure a simple access provider to limit the access to just the users
> > you care about (man sssd-simple) or configure ldap access provider based
> > on a filter (man sssd-ldap).
> 
> Hi,
> 
> The user shouldn't even be saved to the cache if it's filtered out of range.
> 
> But looking at the current NSS code, the entry would have been returned if
> it was saved *before* you changed the min_id/max_id parameters. Could that be
> the case? Can you check if after removing the cache the entry still shows up?
> 
> I think that the fact that the entry is returned from cache even if it
> should be filtered out is a bug:
> https://fedorahosted.org/sssd/ticket/1954

So far we always maintained that if you consistently change
configuration (and a change of ranges is a big change) then it's on the
admin to wipe the cache file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Jakub Hrozek
On Fri, May 31, 2013 at 09:26:40AM -0400, Simo Sorce wrote:
> On Fri, 2013-05-31 at 11:55 +0200, Jakub Hrozek wrote:
> > On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> > > On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > > > Hello,
> > > >
> > > > As part of migration from passwd/shadow to IPA, I want to roll out
> > > > IPA/SSSD based password first for a small number of users and then for
> > > > all. (same goes with host. first small number of host and then all).
> > > >
> > > > I was trying to limit it using max_id/min_id parameters in sssd but it
> > > > does not seem to work the way I expected.
> > > > ---
> > > > min_id = 5000
> > > > max_id = 5100
> > > > --
> > > > So there is a user "kchandan" with UID/GID 2
> > > > --
> > > > [root@tipa1 ~]# id kchandan
> > > > uid=2(kchandan) gid=2 groups=2
> > > > ---
> > > >
> > > > But it is allowing me to log in with that ID, with the only error
> > > > showing GID 2 not found.
> > > > ---
> > > > ssh 10.2.3.105 -l kchandan
> > > > kchandan@10.2.3.105 's password: 
> > > > id: cannot find name for group ID 2
> > > > -
> > > >
> > > > Is there any way to achieve this?
> > > 
> > > So you want to allow only a subset of users with a specific range to log
> > > into the systems controlled by SSSD before you open it to a broader public?
> > > I would defer to SSSD gurus but the hack that comes to mind is to
> > > configure a simple access provider to limit the access to just the users
> > > you care about (man sssd-simple) or configure ldap access provider based
> > > on a filter (man sssd-ldap).
> > 
> > Hi,
> > 
> > The user shouldn't even be saved to the cache if it's filtered out of range.
> > 
> > But looking at the current NSS code, the entry would have been returned if
> > it was saved *before* you changed the min_id/max_id parameters. Could that be
> > the case? Can you check if after removing the cache the entry still shows up?
> > 
> > I think that the fact that the entry is returned from cache even if it
> > should be filtered out is a bug:
> > https://fedorahosted.org/sssd/ticket/1954
> 
> So far we always maintained that if you consistently change
> configuration (and a change of ranges is a big change) then it's on the
> admin to wipe the cache file.

Yes, that's why the ticket is minor. But mostly I don't like the
inconsistency where some requests check the ranges even in the responder
and some don't.



[Freeipa-users] How IPA handles AD computer groups

2013-05-31 Thread Rashard . Kelly
I am working on a team to plan a migration to IPA on our UNIX based 
systems. One thing I was seeking information on is Computer groups. If a 
trust is established with our campus AD infrastructure, will its computer 
groups be shared with IPA or just users?

If computer groups are transferred to host groups this will make managing 
permissions easier without having to recreate all the groups on the IPA 
side

I could not find any info in this document 
http://www.freeipa.org/page/IPAv3_testing_AD_trust. If someone could point 
me to some documentation about the subject it would be really helpful.


Thank You,
Rashard Kelly
Senior Linux Specialist




From:    Martin Kosek
To:      Sumit Bose
Cc:      freeipa-users@redhat.com
Date:    05/31/2013 06:41 AM
Subject: Re: [Freeipa-users] IPA & AD trust question
Sent by: freeipa-users-boun...@redhat.com



On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC 
rules) are stored in IPA?
> 
> Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> I can see no issues.
> 
>>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
> 
> We are trying to support RFC2307 attributes in AD with the next releases
> for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
> AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature
is being implemented (in case you want to follow it):

https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
(https://fedorahosted.org/freeipa/report/3), you may also want to check
that they address your needs (and provide comments if they don't). We are
still in a design phase, so some amendments are possible.

Thanks,
Martin








Re: [Freeipa-users] IPA & AD trust question

2013-05-31 Thread Martin Kosek
On 05/31/2013 09:37 AM, Sumit Bose wrote:
> On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
>> Hi List,
>>
>> I have a question - is it possible to use AD trust the way that:
>> 1. All users are stored in AD
>> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) 
>> are stored in IPA?
> 
> Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
> I can see no issues.
> 
>>
>> If yes then:
>> 1. Will this scenario honour the RFC2307 user attributes in AD?
> 
> We are trying to support RFC2307 attributes in AD with the next releases
> for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
> AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is
being implemented (in case you want to follow it):

https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
(https://fedorahosted.org/freeipa/report/3), you may also want to check that
they address your needs (and provide comments if they don't). We are still in a
design phase, so some amendments are possible.

Thanks,
Martin



Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Jakub Hrozek
On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote:
> On 05/30/2013 06:52 PM, Chandan Kumar wrote:
> > Hello,
> >
> > As part of migration from passwd/shadow to IPA, I want to roll out
> > IPA/SSSD based password first for a small number of users and then for
> > all. (same goes with host. first small number of host and then all).
> >
> > I was trying to limit it using max_id/min_id parameters in sssd but it
> > does not seem to work the way I expected.
> > ---
> > min_id = 5000
> > max_id = 5100
> > --
> > So there is a user "kchandan" with UID/GID 2
> > --
> > [root@tipa1 ~]# id kchandan
> > uid=2(kchandan) gid=2 groups=2
> > ---
> >
> > But it is allowing me to log in with that ID, with the only error
> > showing GID 2 not found.
> > ---
> > ssh 10.2.3.105 -l kchandan
> > kchandan@10.2.3.105 's password: 
> > id: cannot find name for group ID 2
> > -
> >
> > Is there any way to achieve this?
> 
> So you want to allow only a subset of users with a specific range to log
> into the systems controlled by SSSD before you open it to a broader public?
> I would defer to SSSD gurus but the hack that comes to mind is to
> configure a simple access provider to limit the access to just the users
> you care about (man sssd-simple) or configure ldap access provider based
> on a filter (man sssd-ldap).

Hi,

The user shouldn't even be saved to the cache if it's filtered out of range.

But looking at the current NSS code, the entry would have been returned if
it was saved *before* you changed the min_id/max_id parameters. Could that be
the case? Can you check if after removing the cache the entry still shows up?

I think that the fact that the entry is returned from cache even if it
should be filtered out is a bug:
https://fedorahosted.org/sssd/ticket/1954



Re: [Freeipa-users] IPA & AD trust question

2013-05-31 Thread Sumit Bose
On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
> Hi List,
> 
> I have a question - is it possible to use AD trust the way that:
> 1. All users are stored in AD
> 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are 
> stored in IPA?

Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
I can see no issues.

> 
> If yes then:
> 1. Will this scenario honour the RFC2307 user attributes in AD?

We are trying to support RFC2307 attributes in AD with the next releases
for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
AD user's RID is available.

> 2. What is the best way to implement this? Imagine AD realm EXAMPLE.COM. Which 
> realm should I choose for IPA? How about DNS?

The only requirement is to use a different DNS domain to make Kerberos
work properly. I would always recommend using the IPA DNS server to
manage the IPA domain and adding delegation and glue records from and to
other domains. See
https://fedorahosted.org/freeipa/attachment/ticket/3268/3268.v2 for
examples.

> 
> Thanks,
> Ondrej
> 
