[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-06-12 Thread John Desantis via FreeIPA-users
All, A final heads-up for users that land on this thread. I was able to reduce all outstanding latency after realizing via debug logs that I had inadvertently created a "loop" of sorts via HBAC rules. The "loop" was caused by an HBAC rule which included both the POSIX group and its externally

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-05-24 Thread John Desantis via FreeIPA-users
All, Just a heads-up for users that land on this thread. Make sure that you do not create any groups whose names are actual AD usernames, i.e. "amber12" and "amber12". If you do, client look-ups will stall and fail. As a result of this find, we'll make sure to add a prefix/suffix to the group

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-05-03 Thread John Desantis via FreeIPA-users
Alexander, Thank you for your support! John DeSantis On Thu, 2 May 2019 at 16:30, Alexander Bokovoy wrote: > > On Thu, 02 May 2019, John Desantis via FreeIPA-users wrote: > >Alexander, > > > >Apologies for the delay in responding. Our A.D. admins have been quite busy. > > > >>

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-05-02 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 02 May 2019, John Desantis via FreeIPA-users wrote: Alexander, Apologies for the delay in responding. Our A.D. admins have been quite busy. Can you remove it from IPA and add ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid 10001 after you added

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-05-02 Thread John Desantis via FreeIPA-users
Alexander, Apologies for the delay in responding. Our A.D. admins have been quite busy. > Can you remove it from IPA and add > > ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain > --gid 10001 > > after you added adglobalposixgroup in AD? Alright, this was done and the

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 29 Apr 2019, John Desantis wrote: Alexander, Thanks for your continued support. I'm not saying about that at all. Can you show output of ipa group-show --all --raw adglobalposixgroup Sure thing! PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup dn:

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread John Desantis via FreeIPA-users
Alexander, Thanks for your continued support. > I'm not saying about that at all. > > Can you show output of > > ipa group-show --all --raw adglobalposixgroup Sure thing! PROD:15:13:34-root@ipaserver1:~ # ipa group-show --all --raw adglobalposixgroup dn:

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 29 Apr 2019, John Desantis wrote: Alexander, >Yes, the group was created within the IPA domain via the cli, and this >error is only manifest in the client log. However, the GID of the >group (10001) is supplied via the AD trust using the POSIX range. That isn't going to work at all.

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-29 Thread John Desantis via FreeIPA-users
Alexander, > >Yes, the group was created within the IPA domain via the cli, and this > >error is only manifest in the client log. However, the GID of the > >group (10001) is supplied via the AD trust using the POSIX range. > That isn't going to work at all. > > For IPA groups POSIX IDs should be

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-25 Thread John Desantis via FreeIPA-users
Hello all, So, for anyone following this thread, I've been able to make some progress but not enough to consider the configuration production ready. After watching sssd logs ([domain] debug_level = 10, [sssd] debug_level = 10, and [nss] debug_level = 10) on both the client and server, I am able

[Freeipa-users] Re: FreeIPA Client AD Trust user look-up latencies and results

2019-04-24 Thread John Desantis via FreeIPA-users
Hello all, Doh! I realized that I hadn't actually attached the logs; so much for trouble-shooting! Thanks, John DeSantis On Mon, 22 Apr 2019 at 13:07, John Desantis wrote: > > Hello all, > > I've pretty much exhausted my searching in order to find a solution to > a problem

[Freeipa-users] Re: FreeIPA and AD

2019-03-07 Thread John Keates via FreeIPA-users
The documentation on this is pretty good. Basically, you can ’trust’ AD from FreeIPA, which means the users from AD can be used in IPA. Groups too. Passwords must be set and reset in AD, but everything you need for Linux (SSH keys, host rules etc) can be done in IPA.

[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Ryan via FreeIPA-users
Whoa …… thanks for this. Now I think I am on the right path now. Thanks for the help. R > On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users > wrote: > > On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote: >> >> >>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users

[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote: On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote: Hi, All Off the bat I would like to say being new to freeIPA and rolling out successful deployment to manage our

[Freeipa-users] Re: FreeIPA and AD

2018-09-12 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote: Hi, All Off the bat I would like to say being new to freeIPA and rolling out successful deployment to manage our servers has been amazing, very few hiccups. Which brings me to my next question, I have been asked if FreeIPA can be used with

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Grace Thompson via FreeIPA-users
I have an open RFE for global catalogs for a while now. Last update for target release is 7.5/7.6 timeframe :( -- gracie mobile > On Feb 6, 2018, at 7:25 AM, Alexander Bokovoy via FreeIPA-users > wrote: > > > > - Original Message - >> Hi,

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Alexander Bokovoy via FreeIPA-users
- Original Message - > Hi, > > Clearly my Google skills are lacking, as I've not been able to find anything > definitive (mainly just old versions of IPA) > > We have a well used FreeIPA domain, but I have a few appliances and > applications that require Active Directory. I can find

[Freeipa-users] Re: FreeIPA and AD trust

2018-02-06 Thread Boris Sukhinin via FreeIPA-users
You could probably establish two-way trust between AD and IPA domains. It seems such configuration is supported: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-one-two-way - Boris Sukhinin