Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
On 11/04/2012 01:25 PM, Steven Jones wrote:
> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your RH supported channel tree? The passsync.msi has to go on each AD box

Each Domain Controller.

Also note that you asked if

>> Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0

You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in order to get the clear text password to send to IPA.

> and is a MSI supplied by RH, I think that's also in the RH support channel but for some strange reason I think it might be in the workstation tree and not the server tree.
>
> From what I can read there are some caveats,
>
> 1) Only one AD domain, so if you have an AD forest you can only do one sub-domain. So if the root is example.com and you have staff.example.com and clients.example.com you can do only one, say staff.example.com, to IPA.
>
> Possible issues,
>
> 2) There is a bug in the setup where you have to be careful that you specify the right OU= IF your users are not in the expected default (cn=users?), otherwise the IPA users get deleted rather than ignored, you end up with an empty IPA... frightened me senseless!

https://fedorahosted.org/freeipa/ticket/2688 and https://fedorahosted.org/389/ticket/355

The problem is caused when you have a user ID in IPA that has the same user ID as a user in AD, but you didn't want them to be synced, and the AD user entry is outside the scope of the windows sync agreement. This may or may not be a problem in your deployment.

> So,
>
> a) If you have users in multiple ou's then only one set is synced, the rest in IPA will go bye bye, unless they are unique to IPA.

See above.

> b) If some users have a smartphone to exchange setup the winsync agreement sees that as the user having 2 ou's and first adds and then deletes those users... oops. I lost 20% of my users that way

Is there a ticket/bz for this issue, or is this the same issue as above?

> These are with RH support, I have a hot fix, I am testing.
>
> c) It's really hard to make sure all users have been transferred as you can only see 2000 users in IPA so something like an external tool like xplorer seems to be the only way for simpletons like myself to look at and compare.
>
> This is with RH support.

There are workarounds.

> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 several times and this happens each time but a clean 6.3 IPA seems fine... we don't know why that is yet. This is with RH support,
>
> So if you are going to do this you need an isolated test setup to test for un-expected features that could really spoil your day. :(
>
> My main advice would be restart with a clean 6.3 setup and not an upgrade from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot more stable.
>
> Also use db2ldif to make backups of your database before you do it... also you might want to halt and turn off any IPA replicas when you do it until after you are happy it's stable and OK.

You can also use db2ldif to get around the 2000 user limit mentioned above.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
> Sent: Monday, 5 November 2012 8:23 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>
>> Hi all,
>>
>> I am in the process of deploying freeIPA 2.2 to authenticate Linux systems and have been able to set up everything nicely with a separate domain. I mean users are currently using a separate password to access Linux systems and another set of passwords from AD for desktop stuff.
>>
>> On Friday, I came across an article on freeIPA v 3 and noticed one can use the same username/password for both Linux and Windows systems. I have since felt this would be a better setup but feel like the documentation is not clear on how to achieve the above. Would anyone be able to clarify this:
>>
>> - Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
>> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2? I can only seem to find freeIPA v3 RPM for Fedora 17. Was hoping to use a blessed RPM instead of rolling one which may be incompatible with the distribution RPM once it comes around.
>>
>> Regards,
>> William

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
On 11/04/2012 02:23 PM, William Muriithi wrote:
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux systems and have been able to set up everything nicely with a separate domain. I mean users are currently using a separate password to access Linux systems and another set of passwords from AD for desktop stuff.
>
> On Friday, I came across an article on freeIPA v 3 and noticed one can use the same username/password for both Linux and Windows systems. I have since felt this would be a better setup but feel like the documentation is not clear on how to achieve the above. Would anyone be able to clarify this:
>
> - Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2? I can only seem to find freeIPA v3 RPM for Fedora 17. Was hoping to use a blessed RPM instead of rolling one which may be incompatible with the distribution RPM once it comes around.
>
> Regards,
> William

In addition to other comments I want to step back and give a bit of a bigger picture.

1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment.

2) There are two different approaches to dealing with AD - sync or trust. You need to choose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported.

Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.

Trust:
a) Trusts are targeting RHEL 6.4
b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync.
c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there.

If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Also note that you asked if
>
>> Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0
>
> You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in order to get the clear text password to send to IPA.

Given the password in AD is encrypted I would assume that this will apply to any version of IPA? Unless 3+ goes back to AD to confirm the password there?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> there are no records in access log

I will bet on some name resolution or firewall problem. Do AMM get right DNS responses (i.e. name and IP address of the IPA server)? Do AMM establish a TCP connection with the IPA server?

--
Petr^2 Spacek

> Do you see anything in the logs from such activity?

--
Message: 4
Date: Mon, 05 Nov 2012 08:17:34 -0700
From: Rich Megginson rmegg...@redhat.com
To: Steven Jones steven.jo...@vuw.ac.nz
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Message-ID: 5097d88e.1020...@redhat.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
nice (and nice it's in 6.4) :)

I need to read up on trusts. However from limited experience in AD forests with trusts they get very complex and the security can go bye bye. I've seen pen tests that come in from a trusted domain, using an account with too many privileges and a bad password in a poorly implemented AD, get across to the root and rainbow the password table (and hence domain admin) via a trust of a well set up one... own AD, own IPA.

Poorly also, of course, Windows admins don't understand IPA or Linux and Linux admins don't understand AD or Windows; both are really specialists of complex environments in their own right. (Which cracks me up when I see adverts for Linux gurus and must have 3 to 5 years experience with AD... and paying peanuts... doh... clueless).

So if inter-domain trusts are a problem just consider AD to IPA! The advantage of a win and pass sync is it's a very limited and controllable choke point. Indeed having winsync only capable of looking at one ou in AD means with your admins in a different ou it's impossible for them to be mirrored into IPA... sort of high security by accident! ;]

I guess it's the age old battle between user usability, their freedom and security... hackers really don't care

So could I have a win/passsync to one AD and trusts to other IPAs and ADs?

1.9 sssd will be back ported to rhel5?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

> In addition to other comments I want to step back and give a bit of a bigger picture.
>
> 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment.
>
> 2) There are two different approaches to dealing with AD - sync or trust. You need to choose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported.
>
> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.
>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there.
>
> If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons.

== dragons... lol... my armour is well singed if not a bit runny...

regards
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Rich,

> In addition to other comments I want to step back and give a bit of a bigger picture.
>
> 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment.

Good suggestion. This means I should use version 3. Problem is that I would have to run Fedora 17 and I am not happy with that option. Think I may have to wait for 6.4 before changing the current setup as I like the trust setup more than the sync alternative.

> 2) There are two different approaches to dealing with AD - sync or trust. You need to choose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported.
>
> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.

Ok

> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there.

That sucks. Would have been better if it only affected the IPA server. Hope there will not be too many dependencies that would make it impossible to update to SSSD 1.9.x. Why is this necessary if I may ask? Thought most of the changes would be limited to the server side?

Actually, a better question is, what's the difference between sync and trust? To me, sync means pushing the username/password pair through the passsync while trust means pushing the username and password through samba4. Is this correct?

> If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons.

Interesting, sounds scary to go there.

Thank you

William

End of Freeipa-users Digest, Vol 52, Issue 9
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Hi,

I'm not at work yet but the default is something like cn=users,dc=example,dc=com, it's not needed to be specified though (maybe it should be to encourage ppl to check) so I did my first sync and wiped all my users out of IPA! oops

So you have to specify it with something like --win-subtree ou=staff_folder,dc=example,dc=com. Note it's ou=staff_folder and not cn=staff_folder, I did that oops as well, doh... also make sure the case is right... not sure if that matters

So the command to winsync is done on the IPA server TO AD, the above tells the winsync script/command where to find the group to sync in AD.

> sucked

Our AD and IPA is VMware'd so I had clones in an isolated environment... make sure you do a db2ldif of your IPA setup, that's saved my test bed at least once.

> smartphone issue

I have a hot fix, it seems OK, apparently it's fixed proper in the 6.4 release... which I think is either December or the new year

You're very brave using centos... ie no support LOL... it's very complex and hard to fault find when things don't work...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
Sent: Tuesday, 6 November 2012 7:13 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

> Steve, thanks
>
>> Hi,
>>
>> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your RH supported channel tree?
>
> Nope, using Centos 6.3. I checked and looks like I can find passsync.msi from here. I am hoping it's the same Windows binaries supplied to RedHat paying customers
> http://directory.fedoraproject.org/wiki/Download
>
>> 1) Only one AD domain, so if you have an AD forest you can only do one sub-domain. So if the root is example.com and you have staff.example.com and clients.example.com you can do only one, say staff.example.com, to IPA.
>>
>> Possible issues,
>>
>> 2) There is a bug in the setup where you have to be careful that you specify the right OU= IF your users are not in the expected default (cn=users?), otherwise the IPA users get deleted rather than ignored, you end up with an empty IPA... frightened me senseless!
>
> Do you mind explaining this further please? Where are you specifying this? On the passsync.msi application search base field? On the AD side or on ipa-replica-manage --win-subtree? Expected default users CN, on which side, AD or FreeIPA? Sorry, I tried to google for the bug and I can't seem to pick it, so the question.
>
>> So,
>>
>> a) If you have users in multiple ou's then only one set is synced, the rest in IPA will go bye bye, unless they are unique to IPA.
>>
>> b) If some users have a smartphone to exchange setup the winsync agreement sees that as the user having 2 ou's and first adds and then deletes those users... oops. I lost 20% of my users that way
>
> Yikes, that would have sucked, hope you had a backup. I don't have a sub-domain (Forest = domain), but would have been caught by the smartphone issue. Thanks for the heads up, really appreciate it.
>
>> This is with RH support.
>
> Hmm, hopefully their response will get to us non-customers somehow.
>
>> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 several times and this happens each time but a clean 6.3 IPA seems fine... we don't know why that is yet. This is with RH support,
>>
>> So if you are going to do this you need an isolated test setup to test for un-expected features that could really spoil your day. :(
>
> Yes, I am really grateful for asking before diving in. Looks like I would have got hurt really bad.
>
>> My main advice would be restart with a clean 6.3 setup and not an upgrade from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot more stable.
>>
>> Also use db2ldif to make backups of your database before you do it... also you might want to halt and turn off any IPA replicas when you do it until after you are happy it's stable and OK.
>
> Will use 6.3. Thank you again for the advice
>
> William
>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
>> Sent: Monday, 5 November 2012 8:23 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>>
>>> Hi all,
>>>
>>> I am in the process of deploying freeIPA 2.2 to authenticate Linux systems and have been able to set up everything nicely with a separate domain. I mean users are currently using a separate password to access Linux systems and another set of passwords from AD for desktop stuff. On Friday, I came across an article on freeIPA v 3 and noticed one can use the same
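The two ways a first winsync can go wrong in this thread (an IPA uid that also exists in AD but outside the --win-subtree scope, and a user the subtree search returns twice) are both things you can check for before creating the agreement. The script below is an added example, not code from the thread or from FreeIPA/389-ds; it works on constructed in-memory lists where a real run would take an LDAP search of the whole AD domain and an `ipa user-find` or db2ldif export.

```python
"""Pre-flight check before creating a winsync agreement.

Added example, not from the thread or from FreeIPA/389-ds. It models the two
failure modes the thread describes on constructed sample data:
  * an IPA user whose uid also exists in AD but *outside* the --win-subtree
    scope (the situation behind freeipa ticket 2688 / 389 ticket 355), and
  * an account the subtree search returns more than once (the thread's
    "smartphone / Exchange" add-then-delete case).
"""
from collections import defaultdict


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN components so that
    'CN=Alice, OU=Staff' and 'cn=alice,ou=staff' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_in_subtree(dn: str, subtree: str) -> bool:
    """True if dn is the subtree base itself or lies below it."""
    d, s = normalize_dn(dn), normalize_dn(subtree)
    return d == s or d.endswith("," + s)


def winsync_preflight(ipa_uids, ad_entries, win_subtree):
    """Classify accounts before the first sync.

    ipa_uids   : uids currently present in IPA
    ad_entries : (dn, sAMAccountName) tuples for every user entry in the AD
                 domain, not only the part you intend to sync
    win_subtree: the DN you plan to pass as --win-subtree
    """
    in_scope = defaultdict(list)   # sAMAccountName -> DNs inside the subtree
    out_scope = defaultdict(list)  # sAMAccountName -> DNs outside the subtree
    for dn, sam in ad_entries:
        bucket = in_scope if dn_in_subtree(dn, win_subtree) else out_scope
        bucket[sam.lower()].append(dn)

    ipa = {u.lower() for u in ipa_uids}
    return {
        # IPA users colliding only with out-of-scope AD users: the thread
        # reports these being deleted instead of ignored.
        "at_risk_of_deletion": sorted(
            u for u in ipa if u in out_scope and u not in in_scope),
        # Same account name returned twice from the subtree: add-then-delete.
        "duplicate_in_scope": sorted(
            u for u, dns in in_scope.items() if len(dns) > 1),
        # Unique to IPA: untouched by the agreement.
        "ipa_only": sorted(ipa - set(in_scope) - set(out_scope)),
        # What the agreement will actually pull in.
        "will_sync": sorted(in_scope),
    }


def safe_to_sync(report) -> bool:
    """Gate for an automation step: refuse to proceed on either problem."""
    return not report["at_risk_of_deletion"] and not report["duplicate_in_scope"]


if __name__ == "__main__":
    # Constructed sample data, not from any real directory.
    ipa_users = ["alice", "bob", "carol", "dave"]
    ad_users = [
        ("CN=Alice,OU=staff_folder,DC=example,DC=com", "alice"),
        ("CN=Bob,OU=contractors,DC=example,DC=com", "bob"),             # outside scope
        ("CN=Carol,OU=staff_folder,DC=example,DC=com", "carol"),
        ("CN=Carol,OU=mobile,OU=staff_folder,DC=example,DC=com", "carol"),  # returned twice
        ("CN=Erin,OU=staff_folder,DC=example,DC=com", "erin"),
    ]
    report = winsync_preflight(ipa_users, ad_users,
                               "ou=staff_folder,dc=example,dc=com")
    for key, names in report.items():
        print(f"{key:>20}: {', '.join(names) or '-'}")
    print("safe to sync:", safe_to_sync(report))
```

Run it against a fresh db2ldif export of IPA and a full-domain AD search before `ipa-replica-manage connect --winsync`, and keep that export: it is also the restore point Steven recommends.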
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
corner case? as in not very standard? In which case, yes I suppose so. AD is a very complex thing and you can customise it, it seems. As a Linux person wandering into such a thing as a non-standard AD and not knowing this it's a bit of a minefield... but of course you don't know you are in one! so don't know what to ask... experience the hard way.

Dragons, yes my armour is definitely a bit runny

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8<--
> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.
8<---
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Steven Jones wrote:
>> Also note that you asked if
>>
>>> Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0
>>
>> You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in order to get the clear text password to send to IPA.
>
> Given the password in AD is encrypted I would assume that this will apply to any version of IPA?

Right. We aren't in the business of cracking existing passwords. When using PassSync the only way for us to get the password is for it to be changed. With trust the users don't exist on the IPA side, so this isn't an issue.

> Unless 3+ goes back to AD to confirm the password there?

With trust, tickets from the AD server are accepted as-is. With winsync the same rules apply as with 2.x (and 1.x for that matter).

rob
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
On 11/05/2012 01:40 PM, William Muriithi wrote:
> Rich,
>
>> In addition to other comments I want to step back and give a bit of a bigger picture.
>>
>> 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment.
>
> Good suggestion. This means I should use version 3. Problem is that I would have to run Fedora 17 and I am not happy with that option. Think I may have to wait for 6.4 before changing the current setup as I like the trust setup more than the sync alternative.
>
>> 2) There are two different approaches to dealing with AD - sync or trust. You need to choose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported.
>>
>> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.
>
> Ok
>
>> Trust:
>> a) Trusts are targeting RHEL 6.4
>> b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync.
>> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there.
>
> That sucks. Would have been better if it only affected the IPA server. Hope there will not be too many dependencies that would make it impossible to update to SSSD 1.9.x. Why is this necessary if I may ask? Thought most of the changes would be limited to the server side?

Unfortunately no. The client does a lot of heavy lifting. The client needs to understand that the ticket the user is using to access the system is coming from AD and thus has authorization data in the form of MS-PAC. This data needs to be extracted and processed. The remapping of the MSFT ids called SIDs needs to be conducted, the SIDs need to be resolved to names so that when you say id you can get the user name from AD. The interactions happen with IPA since some of the information is provided and controlled by IPA while some other things need to be looked up in AD. Trust is a very complex environment. There was a lot of development that the IPA and SSSD project teams worked on jointly.

> Actually, a better question is, what's the difference between sync and trust? To me, sync means pushing the username/password pair through the passsync while trust means pushing the username and password through samba4. Is this correct?

No. The trust means no pushing. Once you establish trust between IPA and AD, users will remain in AD and would be able to access systems and resources managed by IPA without any push of the accounts and passwords from AD to IPA or any other place. That is the beauty. All AD users still authenticate against AD, get a Kerberos ticket and then using this ticket can contact systems and services on the IPA side.

>> If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
> Interesting, sounds scary to go there.
>
> Thank you

Not that scary. Just depends on your level of comfort about experimenting with your test environment and proving something works. We have seen on multiple occasions when people asked us something and we said it might work, we are not sure, and people tried and were successful. Such experiments have a benefit of once being tried and recorded they (if not absolutely crazy) pave a way for future support of the feature in RHEL.

> William

--
Thank you,
Dmitri Pal
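Dmitri's point that the trust client must "remap" the SIDs from the MS-PAC is the step a sync deployment never has. The script below is an added illustration, not code from the thread, SSSD or FreeIPA: it parses SIDs, maps them onto POSIX ids through per-domain ID ranges in the style of IPA's idrange objects (base_id, range_size, base_rid), and refuses anything from a domain that has no configured range. The range rule, the sample domain SIDs and the PAC contents are all assumptions.

```python
"""Resolve SIDs carried in an AD ticket's MS-PAC to POSIX ids.

Added example, not from the thread or from SSSD/FreeIPA. The id-range
mapping (uid = base_id + rid - base_rid) mirrors the style of IPA idrange
objects but is an assumption here, as are all SIDs and numbers below.
"""
from dataclasses import dataclass
from typing import Optional


def parse_sid(sid: str):
    """Split 'S-1-5-21-<d1>-<d2>-<d3>-<rid>' into (domain_sid, rid).
    Raises ValueError on anything that is not a well-formed SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass(frozen=True)
class IdRange:
    domain_sid: str    # SID of the trusted AD domain this range belongs to
    base_id: int       # first POSIX id of the range
    range_size: int    # number of ids in the range
    base_rid: int = 0  # RID that maps to base_id

    def map_rid(self, rid: int) -> Optional[int]:
        """POSIX id for a RID, or None if the RID is outside this range."""
        if not self.base_rid <= rid < self.base_rid + self.range_size:
            return None
        return self.base_id + (rid - self.base_rid)


def ranges_overlap(ranges) -> bool:
    """True if two POSIX ranges overlap; an overlap would let two different
    SIDs collapse onto the same UID/GID, so such a config must be rejected."""
    spans = sorted((r.base_id, r.base_id + r.range_size) for r in ranges)
    return any(b0 < a1 for (a0, a1), (b0, b1) in zip(spans, spans[1:]))


def sid_to_posix_id(sid: str, ranges) -> Optional[int]:
    """Map a SID to a POSIX id, or None if its domain has no range (not a
    trusted domain, or a well-known SID such as S-1-5-32-544) or the RID
    falls outside the configured range. Neither case may be mapped."""
    domain, rid = parse_sid(sid)
    for r in ranges:
        if r.domain_sid == domain:
            return r.map_rid(rid)
    return None


def resolve_pac(user_sid: str, group_sids, ranges):
    """Translate a PAC-style (user SID, group SIDs) pair into (uid, gids).
    Unmappable group SIDs are dropped; an unmappable user SID is refused."""
    if ranges_overlap(ranges):
        raise ValueError("overlapping id ranges in configuration")
    uid = sid_to_posix_id(user_sid, ranges)
    if uid is None:
        raise PermissionError(f"user SID {user_sid} is not from a trusted domain")
    gids = [g for g in (sid_to_posix_id(s, ranges) for s in group_sids)
            if g is not None]
    return uid, gids


if __name__ == "__main__":
    # Constructed values; no real domain SIDs or ranges.
    trusted = [IdRange("S-1-5-21-100-200-300", base_id=200000, range_size=200000)]
    print(resolve_pac("S-1-5-21-100-200-300-1105",
                      ["S-1-5-21-100-200-300-513",   # Domain Users RID
                       "S-1-5-32-544",               # BUILTIN\Administrators
                       "S-1-5-21-999-999-999-1105"], # untrusted domain
                      trusted))
```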
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
On 11/05/2012 02:01 PM, Steven Jones wrote:
> corner case? as in not very standard? In which case, yes I suppose so. AD is a very complex thing and you can customise it, it seems. As a Linux person wandering into such a thing as a non-standard AD and not knowing this it's a bit of a minefield... but of course you don't know you are in one! so don't know what to ask... experience the hard way.
>
> Dragons, yes my armour is definitely a bit runny

Steven, let me put it this way: you were unlucky to be the first to produce the configuration we had never seen before (AD sync has been a part of DS for ages). Things evolve on the AD side and we are not the first to know or experience new changes and configurations that AD adds. AD is in fact big and complex. I am sorry about what you have been through but we unfortunately did not anticipate the scenarios and configuration that you presented. For us they were the corner cases at the moment. Now they are not since you hit them, we learned the details of those issues and addressed them.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> 8<--
>> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.
> 8<---

--
Thank you,
Dmitri Pal
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
On 11/05/2012 01:34 PM, Steven Jones wrote:
> nice (and nice it's in 6.4) :)
>
> I need to read up on trusts. However, from limited experience in AD forests with trusts, they get very complex and the security can go bye bye. I've seen pen tests that come in from a trusted domain, using an account with too many privileges and a bad password in a poorly implemented AD, get across to the root and rainbow the password table (and hence domain admin) via a trust of a well set up one... own AD, own IPA... poorly. Also of course Windows admins don't understand IPA or Linux and Linux admins don't understand AD or Windows; both are really specialists of complex environments in their own right. (Which cracks me up when I see adverts for Linux gurus and "must have 3 to 5 years experience with AD"... and paying peanuts... doh... clueless).
>
> So if inter-domain trusts are a problem just consider AD to IPA! The advantage of a win and pass sync is it's a very limited and controllable choke point. Indeed having winsync only capable of looking at one OU in AD means with your admins in a different OU it's impossible for them to be mirrored into IPA... sort of high security by accident! ;]
>
> I guess it's the age old battle between user usability, their freedom and security... hackers really don't care.
>
> So could I have a win/passsync to one AD and trusts to other IPAs and ADs?

May be. You know about dragons though. ;-)

> 1.9 sssd will be back ported to rhel5? M...

Sorry. No. It is too big and complex in terms of dependencies to backport. There have been many improvements to different packages that make it possible for SSSD to perform its magic.

> regards
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
>> In addition to other comments I want to step back and give a bit of a bigger picture.
>>
>> 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment.
>>
>> 2) There are two different approaches to dealing with AD - sync or trust. You need to choose what approach you want to use. Down the road there might be some hybrid solutions but so far they are not supported.
>>
>> Sync: available starting the beginning of the IPA life. It has some limitations and we indeed had some issues with the corner cases that Steve's environment has. They are not common but you have been warned anyways.
>>
>> Trust:
>> a) Trusts are targeting RHEL 6.4
>> b) There is no upgrade from Sync to Trust solution. If you want trusts you need to upgrade what you have to 6.4 (or start over) and implement trusts there and not do Sync.
>> c) To take advantage of trusts your clients must be SSSD 1.9.x, otherwise the trusts would not work. This also means that if you have other UNIXes the trusts would not work there. If you have UNIX clients that need to be accessed by AD users you might explore some hybrid solutions that might work but we can't say for sure. For example the sync might actually work in parallel to trusts to some extent. There is also PAM pass through capability that comes with 6.4 as a tech preview. That would allow pass through LDAP auth for the non SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
> == dragons lol... my armour is well singed if not a bit runny...
>
> regards

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Hi,

Yes. In hindsight it's pretty obvious when you have a new product connecting to another complex product in a foreign way in an enterprise / complex environment that some shake-out is going to happen. I guess I didn't know what I didn't know and I got accelerated in deploying IPA faster and further than I'd said was what I wanted... hence some Dragons... (quite like that).

The only issue I've had really is the speed of solving, not the solving... but RH support has definitely stepped up to the plate and is now significantly better, huge learning curve. Hopefully my successors will have that benefit.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 6 November 2012 12:55 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
Hi,

Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your RH supported channel tree? The passsync.msi has to go on each AD box and is an MSI supplied by RH; I think that's also in the RH support channel but for some strange reason I think it might be in the workstation tree and not the server tree.

From what I can read there are some caveats,

1) Only one AD domain, so if you have an AD forest you can only do one sub-domain. So if the root is example.com and you have staff.example.com and clients.example.com you can do only one, say staff.example.com to IPA.

Possible issues,

2) There is a bug in the setup where you have to be careful that you specify the right OU= IF your users are not in the expected default (cn=users?), otherwise the IPA users get deleted rather than ignored, you end up with an empty IPA... frightened me senseless!

So,

a) If you have users in multiple OUs then only one set is synced, the rest in IPA will go bye bye, unless they are unique to IPA.

b) If some users have a smartphone to exchange setup the winsync agreement sees that as the user having 2 OUs and first adds and then deletes those users.. oops. I lost 20% of my users that way. These are with RH support, I have a hot fix, I am testing.

c) It's really hard to make sure all users have been transferred as you can only see 2000 users in IPA so something like an external tool like xplorer seems to be the only way for simpletons like myself to look at and compare. This is with RH support.

3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 several times and this happens each time but a clean 6.3 IPA seems fine... we don't know why that is yet. This is with RH support.

So if you are going to do this you need an isolated test setup to test for unexpected features that could really spoil your day. :(

My main advice would be restart with a clean 6.3 setup and not an upgrade from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot more stable. Also use db2ldif to make backups of your database before you do it... also you might want to halt and turn off any IPA replicas when you do it until after you are happy it's stable and OK.

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of William Muriithi [william.murii...@gmail.com]
Sent: Monday, 5 November 2012 8:23 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment

Hi all,

I am in the process of deploying freeIPA 2.2 to authenticate Linux systems and have been able to set up everything nicely with a separate domain. I mean users are currently using a separate password to access Linux systems and another set of passwords from AD for desktop stuff.

On Friday, I came across an article on freeIPA v 3 and noticed one can use the same username and password for both Linux and Windows systems. I have since felt this would be a better setup but feel like the documentation is not clear on how to achieve the above.

Would anyone be able to clarify this:

- Will I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
- If upgrading is necessary, is there an RPM that can run on RHEL 6.2? I can only seem to find a freeIPA v3 RPM for Fedora 17. Was hoping to use a blessed RPM instead of rolling one which may be incompatible with the distribution RPM once it comes around.

Regards,
William
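A pre-sync check for two of the caveats Steven lists above (IPA users deleted when an AD account with the same ID sits outside the OU the agreement covers, and confirming that every user in the synced OU actually made it across), written as an added example that is not code from this thread or from FreeIPA. It assumes a db2ldif dump of the IPA users and an LDIF export of the AD users; the sample dumps and names below are constructed.

```python
import base64

def parse_ldif(text):
    """Minimal LDIF reader for db2ldif / ldifde output: unfolds continuation
    lines and decodes '::' base64 values; one {attr(lower): [values]} per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line continues the previous one
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line:                        # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):             # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(attr.lower(), []).append(val.strip())
    return entries

def sync_report(ipa_ldif, ad_ldif, sync_base):
    """Compare IPA uids with AD sAMAccountNames against the synced OU (sync_base)."""
    ipa = {e["uid"][0] for e in parse_ldif(ipa_ldif) if "uid" in e}
    ad = {e["samaccountname"][0]: e["dn"][0]
          for e in parse_ldif(ad_ldif) if "samaccountname" in e}
    scoped = {u for u, dn in ad.items()
              if dn.lower().endswith("," + sync_base.lower())}
    return {
        "missing_in_ipa": scoped - ipa,                      # in the synced OU, not yet in IPA
        "collision_out_of_scope": (ipa & set(ad)) - scoped,  # same ID as an AD user outside the OU
        "ipa_only": ipa - set(ad),                           # unique to IPA, left alone by the sync
    }

# Constructed sample dumps (hypothetical names, not real directory data).
IPA_LDIF = "\n\n".join(f"dn: uid={u},cn=users,cn=accounts,dc=ipa,dc=example,dc=com\nuid: {u}"
                       for u in ("alice", "admin", "svc-backup"))
AD_LDIF = """dn: CN=Alice,OU=Staff,DC=example,DC=com
sAMAccountName:: YWxpY2U=

dn: CN=Carol,OU=Staff,
 DC=example,DC=com
sAMAccountName: carol

dn: CN=Admin,OU=Admins,DC=example,DC=com
sAMAccountName: admin
"""
```

Working from a db2ldif dump rather than a search through IPA sidesteps the 2000-entry view limit mentioned above; `sync_report(IPA_LDIF, AD_LDIF, "OU=Staff,DC=example,DC=com")` flags carol as not yet transferred, admin as a collision outside the synced OU, and svc-backup as IPA-only.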