[Freeipa-users] Announcing FreeIPA 3.2.0

2013-05-10 Thread Rob Crittenden

The FreeIPA team is proud to announce FreeIPA v3.2.0.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new 
version has also been built for Fedora 19 and is on its way to 
updates-testing.


Many thanks to those that tested our alpha and beta releases and those 
that participated in the Fedora 19 Test day. Several issues were 
uncovered and resolved due to your hard work.


== Highlights in 3.2.0 ==

=== New features for 3.2.0 ===

* Support installing FreeIPA without an embedded Certificate Authority, 
with user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database 
based on their serial number, validity or revocation details. This 
feature is available both as a CLI command and Web UI page. [2]
* New trustconfig-show and trustconfig-mod command. Show or modify AD 
Trust settings generated during AD Trust installation 
(ipa-adtrust-install) [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers 
for trusts with Active Directory [12]
* New realmdomains-show and realmdomains-mod command. Manage list of DNS 
domains associated with FreeIPA realm (realmdomains command). This list 
is primarily used by AD, which can pull all domains managed by FreeIPA 
and use that list for routing authentication requests for domains which 
do not match FreeIPA realm name. [4]

* Support trusted domain users in HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per-trust (trust-mod 
command). [5]
* Configurable PAC type for services. Service commands can now configure 
a set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled 
for the service.
* Faster UI loading. FreeIPA Web UI application is now packaged in 
minimalized format. FreeIPA web server is now also able to transmit data 
in compressed format. [6] [7]

* UI now accepts confirmation of cancel of its dialogs via keyboard [11]
* Client reenrollment. A host that has been recreated can now be 
reenrolled to FreeIPA server using a backed up host keytab or admin 
credentials [8]
* Service and Host commands now provide options to add or remove 
selected Kerberos flags [9]

* Full system backup and restore [13]
* Experimental extensible interface for Web UI [14]
* Source hosts have been completely removed from HBAC. They haven't been 
used by SSSD for quite some time and are being removed to avoid the 
suggestion that they might actually do something.
* Web UI is now capable to translate SIDs to user and group names for 
external group members

* Updated French, Ukrainian and Spanish translations.

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users 
and groups from OpenLDAP database instances.
* Migration process is now also a lot faster and provides more debug 
output (to httpd error log).

* SUDO rules disabled by sudorule-disable command are now removed from
ou=sudoers compat tree without a need to restart 389 Directory Server 
instance.

* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
* Fixed server installation with external CA (--external-ca)
* Consolidate on-line help system, show help without need of valid 
Kerberos credentials (ipa help)

* New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
attribute for replicas which either do not have integrated DNS service 
enabled or which have disabled SOA serial autoincrement
* LDAP lockout plugin has been fixed so that lockout policies are 
applied consistently both for LDAP binds and Kerberos authentication
* trust-resolve CLI command added to help resolving SIDs in Web UI to 
groups and users for external group members [16]
* ... and many other stabilization fixes, see Detailed changelog for 
full details


== Changes in API or CLI ==

=== Dropped --selfsign option ===

FreeIPA servers prior to 3.2.0 could be installed with --selfsign 
option. This configured the server with an NSS database-based Certificate 
Authority with a selfsigned CA certificate and limited certificate 
operation support.


This option was always intended for development or testing purposes only 
and was not intended for use in production. This release drops this 
option and deprecates the functionality. FreeIPA servers installed with 
the --selfsign option will be converted to CA-less. See [15] for more 
information and instructions for manual certificate management.


FreeIPA servers version 3.2.0 and later support the following two flavors 
of certificate management:
* FreeIPA with pki-ca (dogtag) with either a self-signed certificate or 
with a certificate signed by external CA (--external-ca option)
* FreeIPA with no pki-ca installed with certificates signed and provided 
by an external CA [1]


=== Dropped CSV support ===

FreeIPA client CLI supported CSV in some arguments so that multiple 
values could be added with just one convenient option:


 ipa permission-add some-perm --permissions=read,write 

[Freeipa-users] IPA - initial questions

2013-05-10 Thread Herb Burnswell
All,

I am beginning to put an IPA environment together and will be inquiring
with the community on different issues.

First, regarding this list, I do not see a way to search archived posts for
answers.  I apologize if I am just missing how to do so, is there a way to
search for topics?

Second, I have attempted to subscribe to the list a couple times but have
not received any email notification and cannot log in via the credentials I
created.  Am I missing something or am I just waiting for an approval from
moderators or other?

Regarding IPA, my initial question is how do folks handle the root user?
Is root maintained via IPA centrally or since it's a special account is it
still maintained directly on all systems?

Thanks in advance, and I look forward to learning more from the community.

Herb
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Rob Crittenden

Herb Burnswell wrote:

All,

I am beginning to put an IPA environment together and will be inquiring
with the community on different issues.

First, regarding this list, I do not see a way to search archived posts
for answers.  I apologize if I am just missing how to do so, is there a
way to search for topics?


There is no built-in search command but you can use google, something 
like site:https://www.redhat.com/archives/freeipa-users/ search-terms



Second, I have attempted to subscribe to the list a couple times but
have not received any email notification and cannot log in via the
credentials I created.  Am I missing something or am I just waiting for
an approval from moderators or other?


I don't see any failed subscription requests. I went ahead and 
subscribed you.



Regarding IPA, my initial question is how do folks handle the root
user?  Is root maintained via IPA centrally or since it's a special
account is it still maintained directly on all systems?


You always want to be able to log in locally as root if something goes 
wrong. sssd purposely excludes the root user for this reason.


If you want to limit root access then you'd be better off investigating 
SUDO and limiting who knows the root password(s).


rob




Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Herb Burnswell
Rob,

Thank you for your response.  One of my filters on gmail was blocking the
approval responses, I should have known it was user error ;-).  I'm all set
on the subscription.  Also, thanks for the tip on searching google that
way, I'll investigate questions that way.

Regarding root user, that was what I was thinking.  So that kind of takes
away the ability to centrally manage the root password for 100's of systems
via IPA correct?  Or is there a way to do that?

thanks,

Herb


On Fri, May 10, 2013 at 11:22 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Herb Burnswell wrote:

 All,

 I am beginning to put an IPA environment together and will be inquiring
 with the community on different issues.

 First, regarding this list, I do not see a way to search archived posts
 for answers.  I apologize if I am just missing how to do so, is there a
 way to search for topics?


 There is no built-in search command but you can use google, something like
 site:https://www.redhat.com/archives/freeipa-users/ search-terms


  Second, I have attempted to subscribe to the list a couple times but
 have not received any email notification and cannot log in via the
 credentials I created.  Am I missing something or am I just waiting for
 an approval from moderators or other?


 I don't see any failed subscription requests. I went ahead and subscribed
 you.


  Regarding IPA, my initial question is how do folks handle the root
 user?  Is root maintained via IPA centrally or since it's a special
 account is it still maintained directly on all systems?


 You always want to be able to log in locally as root if something goes
 wrong. sssd purposely excludes the root user for this reason.

 If you want to limit root access then you'd be better off investigating
 SUDO and limiting who knows the root password(s).

 rob




[Freeipa-users] Fwd: IPA Error on Customer

2013-05-10 Thread Lynn Root
Hi folks -

I'm kind of at a loss in regards to Tomas's issues with ipa-client-install below. Any thoughts?

Begin forwarded message:

From: Tomas Olivares toliva...@redhat.com
Subject: IPA Error on Customer
Date: May 10, 2013 12:57:32 PM PDT
To: lr...@redhat.com

Hi Lynn,

Thanks for letting me write you directly. I've been following you for some time now on twitter and came across a customer with IPA issues and thought you could help as it's a tad important for the customer (well, they all say that).

They are trying to add some servers with RHEL v5.5 to an IPA server using RHEL6. The thing is that some servers are added with no issues at all and others are presenting errors while running the following command:

# ipa-client-install --domain=sistemas.previred.org --server=ipa.sistemas.previred.org --server=iparpl.sistemas.previred.org --realm=SISTEMAS.PREVIRED.ORG --principal=admin --mkhomedir

The error he's getting is the following:

ipa-getkeytab: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 7)

This is being logged on the /var/log/messages file. The odd thing is that this works on some servers and not others. They have the same software as they are being provisioned over their own Satellite server.

Have you ever seen this? I tried googling and checking the knowledge base as well as opening a ticket with GSS but still haven't found anything.

Let me know if you need more details. Maybe you've seen that error before.

Regards,
Tomas Olivares
RHEL Consultant - GPS - Chile
T: +56 (2) 364 44 17
M: +56 (98) 271 25 13
Av. Isidora Goyenechea 3000, Piso 24 - (7550098) Las Condes, Santiago - Chile
Learn about our success stories in Latin America


Lynn Root
@roguelynn
Associate Software Engineer



Re: [Freeipa-users] IPA Error on Customer

2013-05-10 Thread Lynn Root
Please disregard my last email - wrong email list. My apologies!


On May 10, 2013, at 2:26 PM, Lynn Root lr...@redhat.com wrote:

 Hi folks -
 
 I'm kind of at a loss in regards to Tomas's issues with ipa-client-install 
 below.  Any thoughts?
 
 Begin forwarded message:

Lynn Root
@roguelynn
Associate Software Engineer





Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Trey Dockendorf
On May 10, 2013 1:33 PM, Herb Burnswell herbert.burnsw...@gmail.com
wrote:

 Rob,

 Thank you for your response.  One of my filters on gmail was blocking the
approval responses, I should have known it was user error ;-).  I'm all set
on the subscription.  Also, thanks for the tip on searching google that
way, I'll investigate questions that way.

 Regarding root user, that was what I was thinking.  So that kind of takes
away the ability to centrally manage the root password for 100's of systems
via IPA correct?  Or is there a way to do that?


The root user should be local to every host without access to root relying
on something external such as IPA or any other network service.  If IPA
goes down you still want to be able to gain access to servers.  To manage
root I'd recommend Puppet, or any configuration management tool if one
already exists in your infrastructure.  A single global 'user' resource or
'root module' (in the case of Puppet) can be assigned to every host
allowing a single, central, change to propagate to all hosts.

 thanks,

 Herb



 On Fri, May 10, 2013 at 11:22 AM, Rob Crittenden rcrit...@redhat.com
wrote:

 Herb Burnswell wrote:

 All,

 I am beginning to put an IPA environment together and will be inquiring
 with the community on different issues.

 First, regarding this list, I do not see a way to search archived posts
 for answers.  I apologize if I am just missing how to do so, is there a
 way to search for topics?


 There is no built-in search command but you can use google, something
like site:https://www.redhat.com/archives/freeipa-users/ search-terms


 Second, I have attempted to subscribe to the list a couple times but
 have not received any email notification and cannot log in via the
 credentials I created.  Am I missing something or am I just waiting for
 an approval from moderators or other?


 I don't see any failed subscription requests. I went ahead and
subscribed you.


 Regarding IPA, my initial question is how do folks handle the root
 user?  Is root maintained via IPA centrally or since it's a special
 account is it still maintained directly on all systems?


 You always want to be able to log in locally as root if something goes
wrong. sssd purposely excludes the root user for this reason.

 If you want to limit root access then you'd be better off investigating
SUDO and limiting who knows the root password(s).

 rob





I also use Puppet to push out a non-root, local account, for emergency
situations as root on my servers is only accessible via SSH key
authentication or local console.  This gives my team a way to access
servers if key pieces of our infrastructure are down or in maintenance.

- Trey
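As an added illustration of the approach Trey describes above (a single Puppet resource set applied to every host, with root kept local and a non-root emergency account reachable by SSH key only), here is one way to write it. This is example code added by the editor, not a manifest from the thread or from the Puppet project; the account name `breakglass`, the placeholder password hash and the public key string are assumptions, and the manifest assumes RHEL-style paths (`/etc/ssh/sshd_config`, service `sshd`), Puppet 3.5 or later for `validate_cmd`, and that the `ssh_authorized_key` and `augeas` types are available (built in on Puppet 5 and earlier, shipped as the sshkeys_core and augeas_core modules on Puppet 6 and later).

```puppet
# Added example, not from the original thread. Manage the local root account
# and a local break-glass account from one manifest applied to every host so
# that neither depends on IPA or SSSD being reachable.
# The hash and the public key below are placeholders (assumptions), not real
# credentials.

# Root stays a purely local account (SSSD does not serve it), so this is the
# one place its password is set. Keep only a SHA-512 crypt hash in the
# manifest, never the plaintext; generate it out of band (for example with
# 'openssl passwd -6') and rotate it fleet-wide by changing this single value.
user { 'root':
  ensure   => present,
  uid      => 0,
  gid      => 0,
  home     => '/root',
  shell    => '/bin/bash',
  password => '$6$REPLACE_WITH_SALT$REPLACE_WITH_SHA512_CRYPT_HASH',
}

# Non-root emergency account for when IPA/SSSD is down or in maintenance.
# The password field is '!' (locked), so the only way in is the authorized
# SSH key declared below; root is then reached through local sudo.
user { 'breakglass':
  ensure     => present,
  managehome => true,
  shell      => '/bin/bash',
  password   => '!',
}

ssh_authorized_key { 'breakglass@ops':
  ensure  => present,
  user    => 'breakglass',
  type    => 'ssh-rsa',
  key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC...REPLACE_WITH_REAL_KEY',
  require => User['breakglass'],
}

# Local sudoers drop-in, deliberately independent of IPA sudo rules so it
# still works when the directory is unreachable. visudo -c rejects a broken
# file before Puppet installs it, which avoids locking everyone out of sudo.
file { '/etc/sudoers.d/breakglass':
  ensure       => file,
  owner        => 'root',
  group        => 'root',
  mode         => '0440',
  content      => "breakglass ALL=(ALL) ALL\n",
  validate_cmd => '/usr/sbin/visudo -c -f %',
}

# Root over SSH with a key only; the password above remains usable at the
# local console. 'without-password' is the OpenSSH spelling of the era;
# newer releases accept 'prohibit-password' with the same meaning.
augeas { 'sshd_permit_root_login':
  context => '/files/etc/ssh/sshd_config',
  changes => 'set PermitRootLogin without-password',
  notify  => Service['sshd'],
}

service { 'sshd':
  ensure => running,
  enable => true,
}
```

The point of the layout is that every credential needed to recover a host lives on the host itself and is changed in exactly one place: a root password rotation is a one-line edit to the hash, and revoking a departed team member's emergency access is a change to the `ssh_authorized_key` resource, both of which Puppet then propagates to every node.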