Re: [Freeipa-users] Desperate help requested.

2012-09-07 Thread Dmitri Pal
On 09/06/2012 09:32 PM, KodaK wrote:
 Thank you everyone.  We finally had our meeting today (it was delayed
 from Tuesday.)  It went much better than I was expecting.  Regardless
 of the email that said we can't authenticate to anything but MS AD,
 apparently his *actual* concern was having a third party tie-in to
 Active Directory that would keep them from applying patches to AD.
 Pretty much all I had to say was good news, everyone!  We don't need
 AD!  It pissed off the Windows Director who was in the room and was
 pushing for us to auth directly against AD, but the veep who had the
 initial problem was satiated.

 All is right with the world again.  Or at least my tiny piece of it.
 Until tomorrow.

 Thanks again,

 --Jason

Would it be asking too much if I asked you to write a blog about all this
somewhere ;-) ?

And thank you all for the kind words towards the IPA project.
We are here to give you the control that you need, and we are very glad we
are on the right track.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Desperate help requested.

2012-09-07 Thread Sigbjorn Lie
Thanks. I believe Rob already created the account. I got some emails regarding 
a wiki account. Haven't had time to check it out yet. 

Rgds
Siggi

Dmitri Pal d...@redhat.com wrote:

On 09/06/2012 09:32 PM, KodaK wrote:
 Thank you everyone.  We finally had our meeting today (it was delayed
 from Tuesday.)  It went much better than I was expecting.  Regardless
 of the email that said we can't authenticate to anything but MS AD,
 apparently his *actual* concern was having a third party tie-in to
 Active Directory that would keep them from applying patches to AD.
 Pretty much all I had to say was good news, everyone!  We don't need
 AD!  It pissed off the Windows Director who was in the room and was
 pushing for us to auth directly against AD, but the veep who had the
 initial problem was satiated.

 All is right with the world again.  Or at least my tiny piece of it.
 Until tomorrow.

 Thanks again,

 --Jason

Would it be asking too much if I asked you to write a blog about all this
somewhere ;-) ?

And thank you all for the kind words towards the IPA project.
We are here to give you the control that you need, and we are very glad we
are on the right track.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: [Freeipa-users] Desperate help requested.

2012-09-07 Thread Dmitri Pal
On 09/07/2012 02:22 PM, Sigbjorn Lie wrote:
 Thanks. I believe Rob already created the account. I got some emails
 regarding a wiki account. Haven't had time to check it out yet.

Yes. He pinged me before I created the second one for you.


 Rgds
 Siggi

 Dmitri Pal d...@redhat.com wrote:

 On 09/06/2012 09:32 PM, KodaK wrote:

 Thank you everyone. We finally had our meeting today (it was
 delayed from Tuesday.) It went much better than I was
 expecting. Regardless of the email that said we can't
 authenticate to anything but MS AD, apparently his *actual*
 concern was having a third party tie-in to Active Directory
 that would keep them from applying patches to AD. Pretty much
 all I had to say was good news, everyone! We don't need AD!
 It pissed off the Windows Director who was in the room and was
 pushing for us to auth directly against AD, but the veep who
 had the initial problem was satiated. All is right with the
 world again. Or at least my tiny piece of it. Until tomorrow.
 Thanks again, --Jason


 Would it be asking too much if I asked you to write a blog about all this
 somewhere ;-) ?

 And thank you all for the kind words towards the IPA project.
 We are here to give you the control that you need, and we are very glad we
 are on the right track.


 -- 
 Sent from my Android phone with K-9 Mail. Please excuse my brevity.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Desperate help requested.

2012-09-06 Thread KodaK
Thank you everyone.  We finally had our meeting today (it was delayed
from Tuesday.)  It went much better than I was expecting.  Regardless
of the email that said we can't authenticate to anything but MS AD,
apparently his *actual* concern was having a third party tie-in to
Active Directory that would keep them from applying patches to AD.
Pretty much all I had to say was good news, everyone!  We don't need
AD!  It pissed off the Windows Director who was in the room and was
pushing for us to auth directly against AD, but the veep who had the
initial problem was satiated.

All is right with the world again.  Or at least my tiny piece of it.
Until tomorrow.

Thanks again,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread David Juran
On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
 I've just been informed by my boss's boss's boss that, and I quote
 from his ridiculous email:
 
 we cannot use anything other than MS AD for authentication
 
 I've spent months of time and much effort rolling out IPA,
 consolidating authentication across our Linux and AIX machines.  To
 paraphrase Babbage: I am not able rightly to apprehend the kind of
 confusion of ideas that could provoke such a statement.
 
 Regardless, I need some help.  I need some help with comparisons
 between FreeIPA and AD, and the problems and issues one might
 encounter when trying to authenticate Unix machines against AD.
 Anything that can show IPA being superior to AD for *nix
 authentication.  Anything at all.  We have a similar number of AIX and
 Linux servers.  We have a week before we have a meeting to discuss
 this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for
it...

/David



Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread Steven Jones
Hi,

Also, if it's straight into AD, I'm not aware you can use AD to control Linux 
authentication and authorisation adequately without something like Likewise or 
Centrify.  I think the best you can do is one group?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of David Juran [da...@juran.se]
Sent: Thursday, 30 August 2012 7:30 p.m.
To: KodaK
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
 I've just been informed by my boss's boss's boss that, and I quote
 from his ridiculous email:

 we cannot use anything other than MS AD for authentication

 I've spent months of time and much effort rolling out IPA,
 consolidating authentication across our Linux and AIX machines.  To
 paraphrase Babbage: I am not able rightly to apprehend the kind of
 confusion of ideas that could provoke such a statement.

 Regardless, I need some help.  I need some help with comparisons
 between FreeIPA and AD, and the problems and issues one might
 encounter when trying to authenticate Unix machines against AD.
 Anything that can show IPA being superior to AD for *nix
 authentication.  Anything at all.  We have a similar number of AIX and
 Linux servers.  We have a week before we have a meeting to discuss
 this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for
it...

/David




Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread Steven Jones
Hi,

The biggest thing is really sheer control.  With the best will in the world, AD 
is not Unix orientated.

You can control who logs in to a server and from where; you can control who 
gets root remotely (or any other su - *) via IPA's sudo module. You can control 
what they can do, like no-ftp, allow ssh, no login (console), sudo, and it's all 
easy to add users to and from via the web UI (once you get the hang of it). 

I've gone through what you have gone through; I feel your pain. The problem is 
really Windows ppl don't understand and don't want to. I think it's fear; it 
certainly isn't logic.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 31 August 2012 8:41 a.m.
To: David Juran; KodaK
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

Hi,

Also, if it's straight into AD, I'm not aware you can use AD to control Linux 
authentication and authorisation adequately without something like Likewise or 
Centrify.  I think the best you can do is one group?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of David Juran [da...@juran.se]
Sent: Thursday, 30 August 2012 7:30 p.m.
To: KodaK
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
 I've just been informed by my boss's boss's boss that, and I quote
 from his ridiculous email:

 we cannot use anything other than MS AD for authentication

 I've spent months of time and much effort rolling out IPA,
 consolidating authentication across our Linux and AIX machines.  To
 paraphrase Babbage: I am not able rightly to apprehend the kind of
 confusion of ideas that could provoke such a statement.

 Regardless, I need some help.  I need some help with comparisons
 between FreeIPA and AD, and the problems and issues one might
 encounter when trying to authenticate Unix machines against AD.
 Anything that can show IPA being superior to AD for *nix
 authentication.  Anything at all.  We have a similar number of AIX and
 Linux servers.  We have a week before we have a meeting to discuss
 this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for
it...

/David





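Steven's point above, that IPA lets you decide who may log in to which server and over which service (ssh allowed, ftp not), is what FreeIPA's host-based access control (HBAC) rules provide. The block below is an added example, not code from this thread or from the FreeIPA project: a small Python model of HBAC's allow-only evaluation over constructed users, host groups and rules; the hostnames, group names and rule names other than the stock `allow_all` rule are made up. In a real deployment the same question is answered by `ipa hbactest`.

```python
"""FreeIPA-style HBAC evaluation, modelled in plain Python.

FreeIPA HBAC rules are allow-only: a login is permitted when at least one
*enabled* rule matches the (user, host, service) triple, otherwise it is
denied. Each rule names users or user groups, hosts or host groups, and
PAM services, or "all" for any of the three. This is a simplified model
of those semantics, not FreeIPA code; the directory data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample directory: group memberships as IPA would expose them.
USER_GROUPS = {
    "jason": {"unixadmins"},
    "alice": {"developers"},
}
HOST_GROUPS = {
    "aix01.example.test": {"aix", "prod"},
    "web01.example.test": {"linux", "prod"},
}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    usercat_all: bool = False      # IPA "user category = all"
    hostcat_all: bool = False      # IPA "host category = all"
    servicecat_all: bool = False   # IPA "service category = all"

    def matches(self, user, host, service):
        """True when this enabled rule covers the user, host and service."""
        if not self.enabled:
            return False
        user_ok = self.usercat_all or user in self.users or \
            bool(USER_GROUPS.get(user, set()) & self.groups)
        host_ok = self.hostcat_all or host in self.hosts or \
            bool(HOST_GROUPS.get(host, set()) & self.hostgroups)
        svc_ok = self.servicecat_all or service in self.services
        return user_ok and host_ok and svc_ok


# Constructed rule set: the stock allow_all rule disabled, admins get ssh
# on the AIX hosts, developers get ssh on the Linux hosts, nobody gets ftp.
RULES = [
    HbacRule("allow_all", enabled=False, usercat_all=True,
             hostcat_all=True, servicecat_all=True),
    HbacRule("admins_ssh_aix", groups={"unixadmins"},
             hostgroups={"aix"}, services={"sshd"}),
    HbacRule("dev_ssh_linux", groups={"developers"},
             hostgroups={"linux"}, services={"sshd"}),
]


def hbac_allowed(user, host, service, rules=RULES):
    """Return the names of the rules that grant access; empty means deny."""
    return [r.name for r in rules if r.matches(user, host, service)]


if __name__ == "__main__":
    for req in [("jason", "aix01.example.test", "sshd"),
                ("jason", "aix01.example.test", "vsftpd"),
                ("alice", "aix01.example.test", "sshd")]:
        matched = hbac_allowed(*req)
        print(req, "ALLOW" if matched else "DENY", matched)
```

Disabling `allow_all` is the step that turns the directory from "everyone everywhere" into an explicit allow list, which is why the ftp request above is denied without any deny rule existing.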


Re: [Freeipa-users] Desperate help requested.

2012-08-28 Thread Innes, Duncan
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of KodaK
 Sent: 26 August 2012 05:06
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] Desperate help requested.
 
 I've just been informed by my boss's boss's boss that, and I 
 quote from his ridiculous email:
 
 we cannot use anything other than MS AD for authentication
 
 I've spent months of time and much effort rolling out IPA, 
 consolidating authentication across our Linux and AIX 
 machines.  To paraphrase Babbage: I am not able rightly to 
 apprehend the kind of confusion of ideas that could provoke 
 such a statement.
 
 Regardless, I need some help.  I need some help with 
 comparisons between FreeIPA and AD, and the problems and 
 issues one might encounter when trying to authenticate Unix 
 machines against AD.
 Anything that can show IPA being superior to AD for *nix 
 authentication.  Anything at all.  We have a similar number 
 of AIX and Linux servers.  We have a week before we have a 
 meeting to discuss this, and I'd like to be armed to the 
 teeth, if at all possible.
 
 Thanks for any help you can give.  And wish me luck.
 
 Thanks,
 
 --Jason
 

I faced a similar situation recently, but my version wasn't worded so
harshly.

The line to take has already been pointed out - IPA managed sudo & 
SELinux from a central point.  These concepts are entirely outwith the
capabilities of Active Directory.  You could also state the
yet-to-be-developed 'A' part of IPA for any Auditing requirements.

We also emphasised here that AD was written purely for Windows domains
and that the effort put in to allowing extra schema for Unix domains is
really not ideal.

You should state, if you have not already done so, that you plan to link
the AD and IPA domains (via a trust or a sync).  That will allay any
fears that users will have different passwords or even usernames to
access various machines.

So your boss's boss's boss can be assured that you are *authenticating*
against AD, but you should still be able to have IPA in there to manage
the idiosyncrasies of the Unix estate.

Hope this helps

Duncan




Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Christian Horn
On Mon, Aug 27, 2012 at 08:57:20AM +0200, David Sastre wrote:
 On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:
  Regardless, I need some help.  I need some help with comparisons
  between FreeIPA and AD, and the problems and issues one might
  encounter when trying to authenticate Unix machines against AD.
  Anything that can show IPA being superior to AD for *nix
  authentication.  Anything at all.  We have a similar number of AIX and
  Linux servers.
 
 SELinux + sudo & centralized management doesn't exist at all in AD.

I guess it comes down to
- technical orientation of IPA: designed with Linux/Unix in mind, not Windows
- open source, so all the default open vs. proprietary points apply:
  - no vendor lock-in: if the vendor decides not to continue the product,
    you can take the source and do this for yourself
  - code can be audited
  - code seen by many eyes
  - ...

Christian



Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Natxo Asenjo
On Sun, Aug 26, 2012 at 6:05 AM, KodaK sako...@gmail.com wrote:

 I've just been informed by my boss's boss's boss that, and I quote
 from his ridiculous email:

 we cannot use anything other than MS AD for authentication

 I've spent months of time and much effort rolling out IPA,
 consolidating authentication across our Linux and AIX machines.  To
 paraphrase Babbage: I am not able rightly to apprehend the kind of
 confusion of ideas that could provoke such a statement.

 Regardless, I need some help.  I need some help with comparisons
 between FreeIPA and AD, and the problems and issues one might
 encounter when trying to authenticate Unix machines against AD.
 Anything that can show IPA being superior to AD for *nix
 authentication.  Anything at all.  We have a similar number of AIX and
 Linux servers.  We have a week before we have a meeting to discuss
 this, and I'd like to be armed to the teeth, if at all possible.


Hi,

You need to explain to upper management why, by using IPA, your company will
save money. They usually understand that sort of talk.

Write a business case. In the documentation (both from RHEL and from
freeipa.org) you will get plenty of useful info.

Magnify the points where AD comes up short for your use case (SELinux, sudo,
automounts, service credentials management - having used ktpass.exe I was
amazed at how nice the keytab capabilities are from IPA -, hostgroups, ssh
public key management, ..., the list goes on and on). Explain that *that*
will not change and how much money it will cost your business (admin hours,
security risks, missed compliance).

Explain why the future is in the trust model in IPA v3.

Explain that Windows admins are not expected to run a Windows network
without AD, so why are Linux/AIX admins expected to run a network without a
proper Linux/AIX identity management solution?

I feel your pain and can understand why you are upset, but try not to take
this all personally. In the end, it is not your network.

Regards,

Natxo

Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread KodaK
Thanks, everyone, for your input.  It has helped tremendously.

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Desperate help requested.

2012-08-27 Thread Steven Jones
Hi,

LOL, your problem is like my problem: we have Windows trained and educated 
managers, project managers and architects.

Well, on the plus side for IPA,

Go to Centrify or Likewise as 2 examples and get a quote to authenticate 
against AD.  We got an educational price that made my jaw drop.  In the 
region of $600 per server and $60 per user plus 25% support per year was 
typical across all three products.

v

IPA, which is free with one copy of RH.

I think you'll find it a lot cheaper.

The thing is, the above are hacks; if you want to do much with them you end up 
with their scripts on your machines all over the place and even writing your 
own. Have an issue and RH won't know where to turn.  With Likewise, for instance, 
you may end up getting all your support via them, which can add cost and delays 
as well.  Here in NZ at least there is no real local support for these 
products; you ring an 0800 number (if you are lucky) and get told it's 2am US 
time and ring back in 8 hours... bad joke.

The big thing is IPA has depth, and a great road map; it's not just simple 
authenticate and authorise... you can control services with detail (like ssh 
only) and sudo... big pluses. Now the likes of Centrify say they can, and that's 
true, if you code yourself or pay them to do it, or there is an existing script.

Also look at the training and deployment costs of IPA v something like 
Centrify... with IPA and 4 days RH training you will probably be able to do a 
decent sized rollout... Centrify, well you might find you need a consultant or 
2 at $2k a day.

On the minus side,

IPA isn't yet mature/stable enough, IMHO.  If our/my experiences are anything 
to go by it needs at least another 6 to 12 months to work out the bugs, get the 
documentation usable and get RH support up to speed, but that will come.   NB 
anyone on 6.2 and thinking of going to 6.3: it seems the chances of serious 
outages are significant.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Natxo Asenjo [natxo.ase...@gmail.com]
Sent: Tuesday, 28 August 2012 12:17 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On Sun, Aug 26, 2012 at 6:05 AM, KodaK sako...@gmail.com wrote:
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:

we cannot use anything other than MS AD for authentication

I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines.  To
paraphrase Babbage: I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a statement.

Regardless, I need some help.  I need some help with comparisons
between FreeIPA and AD, and the problems and issues one might
encounter when trying to authenticate Unix machines against AD.
Anything that can show IPA being superior to AD for *nix
authentication.  Anything at all.  We have a similar number of AIX and
Linux servers.  We have a week before we have a meeting to discuss
this, and I'd like to be armed to the teeth, if at all possible.

Hi,

You need to explain to upper management why, by using IPA, your company will save 
money. They usually understand that sort of talk.

Write a business case. In the documentation (both from RHEL and from 
freeipa.org) you will get plenty of useful info.

Magnify the points where AD comes up short for your use case (SELinux, sudo, 
automounts, service credentials management - having used ktpass.exe I was 
amazed at how nice the keytab capabilities are from IPA -, hostgroups, ssh 
public key management, ..., the list goes on and on). Explain that *that* will 
not change and how much money it will cost your business (admin hours, security 
risks, missed compliance).

Explain why the future is in the trust model in IPA v3.

Explain that Windows admins are not expected to run a Windows network without 
AD, so why are Linux/AIX admins expected to run a network without a proper 
Linux/AIX identity management solution?

I feel your pain and can understand why you are upset, but try not to take this 
all personally. In the end, it is not your network.

Regards,

Natxo

[Freeipa-users] Desperate help requested.

2012-08-25 Thread KodaK
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:

we cannot use anything other than MS AD for authentication

I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines.  To
paraphrase Babbage: I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a statement.

Regardless, I need some help.  I need some help with comparisons
between FreeIPA and AD, and the problems and issues one might
encounter when trying to authenticate Unix machines against AD.
Anything that can show IPA being superior to AD for *nix
authentication.  Anything at all.  We have a similar number of AIX and
Linux servers.  We have a week before we have a meeting to discuss
this, and I'd like to be armed to the teeth, if at all possible.

Thanks for any help you can give.  And wish me luck.

Thanks,

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
