Re: [Test-Announce] FreeIPA AD Trust improvement Test Day tomorrow, 2013-07-25

2013-07-25 Thread Dan Mashal
Hi Alex, this is the reply I was looking for. Anyone still running 2k3 I feel
sorry for. 2k8r2 and beyond is the way to go.

Mainly we would be looking at something simple like having your AD creds
work on Fedora boxes.

Thanks,
Dan
On Jul 24, 2013 10:44 PM, Alexander Bokovoy aboko...@redhat.com wrote:

 On Thu, 25 Jul 2013, dan.mas...@gmail.com wrote:

 Hi Adam,

 I apologize if I missed this in your email but is there a link for
 Windows Administrators as to what versions of AD
 (2000,2003,200877,2012) are supported and their caveats?

 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Prerequisites
 covers basic requirements. FreeIPA 3.x supports Windows Server 2008 and
 above, we are testing regularly with 2008R2 and 2012.

 This is due to the fact that the requirement for cross-forest trusts is
 functional level 2008 or above. However, it is possible to establish a
 trust between a FreeIPA server and Windows Server 2003 R2, with limited
 functionality. However, this is unsupported, highly experimental and
 of very limited value. Specifically, in this setup AES encryption is not
 supported (only RC4 encryption is available).

 In order to establish a trust between a FreeIPA server and a Windows
 Server 2003 R2, you need to raise the forest functional level to Windows
 Server 2003. To do this, open 'Active Directory Domains and Trusts'
 snap-in and right-click on 'Active Directory Domains and Trusts' root in
 the left pane. Then select 'Raise forest functional level ...' and use
 'Windows Server 2003' as the level to raise.

 This action needs to be done before establishing a trust with the
 'ipa trust-add' command. The rest of the setup is identical to that of
 Windows Server 2008 R2.



Re: [Test-Announce] FreeIPA AD Trust improvement Test Day tomorrow, 2013-07-25

2013-07-24 Thread dan . mashal
Hi Adam,

I apologize if I missed this in your email but is there a link for Windows
Administrators as to what versions of AD (2000,2003,200877,2012) are supported
and their caveats?
Sent from my Verizon Wireless BlackBerry

-Original Message-
From: Adam Williamson awill...@redhat.com
Sender: devel-boun...@lists.fedoraproject.org
Date: Wed, 24 Jul 2013 15:59:47 
To: test-annou...@lists.fedoraproject.org
Reply-To: t...@lists.fedoraproject.org,
Development discussions related to Fedora
devel@lists.fedoraproject.org
Subject: [Test-Announce] FreeIPA AD Trust improvement Test Day tomorrow,
2013-07-25

Hello,

The FreeIPA team is happy to welcome you to a Fedora Test Day that is
being held on Thursday, July 25th.

We would like to invite you to take part in testing of the upcoming FreeIPA 3.3
release containing 2 major improvements for easier deployment of FreeIPA Active
Directory Trust feature to existing environments:

1) Use POSIX attributes defined in Active Directory [1]

With previous FreeIPA releases, users coming from Active Directory to FreeIPA
managed machines were always assigned POSIX attributes (UID and GID) by
algorithmic mapping.

However, in some deployments, Active Directory users and groups already have
defined custom POSIX attribute values (UID and GID), which may then be
leveraged on Linux machines via other 3rd party Active Directory integration
solutions. Administrator may choose to keep the values to not disrupt file
ownerships.

With FreeIPA 3.3, FreeIPA Active Directory Trust may be configured to use these
attributes when Active Directory user authenticates to Linux machines.


2) Expose POSIX data on legacy systems without recent SSSD

Administrators may have a deployment of machines which cannot use the recent
SSSD with Active Directory Trust support but would still like to be able to
authenticate with Active Directory user to these machines. This may affect for
example older Linux machines, UNIX machines.

With FreeIPA 3.3, Administrator may configure a compatibility LDAP tree which
will contain identities of the Active Directory users to the legacy systems.
These systems may then leverage standard LDAP authentication in this tree
allowing selected Active Directory users to authenticate.


To read more about the Test Day and suggested tests, see the following link:

https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients

Thank you for your help and participation!

The FreeIPA team

[1] http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
[2] http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

___
test-announce mailing list
test-annou...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/test-announce
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: [Test-Announce] FreeIPA AD Trust improvement Test Day tomorrow, 2013-07-25

2013-07-24 Thread Alexander Bokovoy

On Thu, 25 Jul 2013, dan.mas...@gmail.com wrote:

Hi Adam,

I apologize if I missed this in your email but is there a link for
Windows Administrators as to what versions of AD
(2000,2003,200877,2012) are supported and their caveats?

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Prerequisites
covers basic requirements. FreeIPA 3.x supports Windows Server 2008 and
above, we are testing regularly with 2008R2 and 2012.

This is due to the fact that the requirement for cross-forest trusts is
functional level 2008 or above. However, it is possible to establish a
trust between a FreeIPA server and Windows Server 2003 R2, with limited
functionality. However, this is unsupported, highly experimental and
of very limited value. Specifically, in this setup AES encryption is not
supported (only RC4 encryption is available).

In order to establish a trust between a FreeIPA server and a Windows
Server 2003 R2, you need to raise the forest functional level to Windows
Server 2003. To do this, open 'Active Directory Domains and Trusts'
snap-in and right-click on 'Active Directory Domains and Trusts' root in
the left pane. Then select 'Raise forest functional level ...' and use
'Windows Server 2003' as the level to raise.

This action needs to be done before establishing a trust with the
'ipa trust-add' command. The rest of the setup is identical to that of
Windows Server 2008 R2.



--
/ Alexander Bokovoy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
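
One way to check the RC4-only caveat from the reply above once a trust is in place, as an added example that is not part of the original thread: the function reads `klist -e` output and lists the tickets whose session key or ticket encryption is RC4. The sample output and the realm names (IPA.EXAMPLE, AD2003.EXAMPLE) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag RC4 tickets in `klist -e` output.

# Constructed sample of `klist -e` output; realms and hosts are placeholders.
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE

Valid starting     Expires            Service principal
07/25/13 10:00:00  07/26/13 10:00:00  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/25/13 10:01:00  07/25/13 20:01:00  krbtgt/AD2003.EXAMPLE@IPA.EXAMPLE
    Etype (skey, tkt): arcfour-hmac, arcfour-hmac
07/25/13 10:02:00  07/25/13 20:01:00  cifs/dc1.ad2003.example@AD2003.EXAMPLE
    Etype (skey, tkt): aes128-cts-hmac-sha1-96, arcfour-hmac
EOF
}

# Reads `klist -e` text on stdin and prints one line per ticket whose
# session key (skey) or ticket (tkt) encryption type is RC4:
#   <service principal> skey=<etype> tkt=<etype>
rc4_tickets() {
    awk '
        # A ticket line starts with a date; the principal is its last field.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / { princ = $NF; next }
        # The indented Etype line belongs to the ticket line just before it.
        /Etype \(skey, tkt\):/ {
            sub(/^.*Etype \(skey, tkt\): */, "")
            n = split($0, e, /, */)
            # Unanchored match also covers a prefixed RC4 type name.
            if (n == 2 && (e[1] ~ /arcfour|rc4/ || e[2] ~ /arcfour|rc4/))
                printf "%s skey=%s tkt=%s\n", princ, e[1], e[2]
        }
    '
}

# Stand-alone run on the constructed sample; on a real host use:
#   klist -e | rc4_tickets
sample_klist | rc4_tickets
```

An empty result for the trusted realm's principals means the tickets in the cache were issued with non-RC4 types; any line printed names a ticket that still depends on RC4.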