Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Ben Eisenbraun
Hi Nasir,

Here are my notes (in Trac wiki markup format no less) for manually setting
up Ubuntu clients to use our FreeIPA 1.2 server.  I haven't tested the 2.0
branch yet, but I suspect it's primarily the same.

HTH.

-ben

--
| Ben Eisenbraun
| SBGrid Consortium  | http://sbgrid.org   |
| Harvard Medical School | http://hms.harvard.edu  |

== Accounts/Authentication ==
Install required packages:
{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb \
    libnss-db autofs nfs-common autofs-ldap
}}}
This should spawn a dpkg-configure dialog for Kerberos; give it the proper
information.

Edit /etc/nsswitch.conf to include:
{{{
passwd: files ldap
group: files ldap
automount: files ldap
}}}

Edit /etc/ldap.conf to include:
{{{
uri ldap://your.server.name
base dc=EXAMPLE,dc=COM
bind_policy soft
pam_lookup_policy yes
pam_password md5
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
}}}

To enable pam-ldap, run:
{{{
pam-auth-update
}}}

To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:
{{{
BASE  dc=EXAMPLE,dc=COM
URI   ldap://your.server.name
}}}

For kerberos config, edit /etc/krb5.conf to include
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # the same realm name must be used here, in [realms] and in [domain_realm]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
}}}

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
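A check for the krb5.conf step in Ben's notes, added here as an example and not code from his notes or from FreeIPA: the realm names in [libdefaults], [realms] and [domain_realm] have to agree, which is easy to get wrong when a template is copied between sites, and a client with a mismatch searches for a KDC it can never find. The two configs the script writes are constructed; EXAMPLE.COM, DEV.EXAMPLE.NET and the ipa.* host names are placeholders.

```shell
#!/bin/sh
# Added example: lint a krb5.conf for realm-name consistency. Exit 0 when every
# realm referenced by default_realm or [domain_realm] has a [realms] stanza.

krb5_realm_check() {   # $1 = path to a krb5.conf file
  awk '
    # Track the current [section]
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "libdefaults" && $1 == "default_realm" && $2 == "=" { def = $3 }
    # "REALM = {" opens a realm stanza, so REALM has a KDC defined
    sec == "realms" && $2 == "=" && $3 == "{" { defined[$1] = 1 }
    sec == "domain_realm" && $2 == "=" { mapped[$1] = $3 }
    END {
      rc = 0
      if (def == "") { print "no default_realm in [libdefaults]"; rc = 1 }
      else if (!(def in defined)) { print "default_realm " def " has no [realms] stanza"; rc = 1 }
      for (d in mapped) if (!(mapped[d] in defined)) {
        print "domain_realm " d " -> " mapped[d] " names an undefined realm"; rc = 1
      }
      exit rc
    }' "$1"
}

TMP=$(mktemp -d)
GOOD_CONF="$TMP/good.conf"
BAD_CONF="$TMP/bad.conf"

# Constructed: consistent realm naming throughout
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }
[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
EOF

# Constructed: [domain_realm] still points at a realm from another template,
# so hosts in dev.example.net would be mapped to a realm with no KDC
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
 default_realm = DEV.EXAMPLE.NET
[realms]
 DEV.EXAMPLE.NET = {
  kdc = ipa.dev.example.net
 }
[domain_realm]
 dev.example.net = EXAMPLE.COM
 .dev.example.net = EXAMPLE.COM
EOF

krb5_realm_check "$GOOD_CONF" && echo "good.conf: realm names consistent"
krb5_realm_check "$BAD_CONF" || echo "bad.conf: fix the realm names before deploying"
```

Run it against /etc/krb5.conf on a client before the first kinit; each finding names the section and the realm that needs correcting.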


Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread nasir nasir
Dimitri/Adam/Stephen,

Thanks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you know the
result.

Also, I was trying to configure NFS service on the FreeIPA machine. I followed
exactly as given in the deployment guide and tested with another RHEL 6.1
client machine with ipa-client installed on it. When I try to mount the nfs
export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e. without -o sec=krb5)
it gets mounted without any problem. I googled a lot for this error and tried
all the suggestions like adding allow_weak_crypto parameter in the krb5.conf
file, checking host/DNS/Keytab entries etc. Still it does not work. When I give
weak crypto entry and add some weak crypto like des-cbc-md5, server rejects and
says that it is not supported. My /etc/export file and all the necessary
commands are copy pasted from the deployment guide with only the necessary
modifications to suit my values.

Please suggest me what to do.

Thanks indeed in advance and regards,
Nidal


--- On Mon, 5/9/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence!

I tried using alien and it generated the .deb file successfully and even
installed the ipa client package without any error on the client machine
(Kubuntu 11.04). But when I run the ipa-client-install command, it gave the
following error,

openway@dl-360:~/rpm$ sudo ipa-client-install
There was a problem importing one of the required Python modules. The error was:

    No module named ipaclient.ipadiscovery

I'm guessing that this is a 64 bit system?  It might be an arch issue.  I know
that Debian and RH made different choices for 32 on 64.  RH/Fedora puts the
Python code into

/usr/lib64/python2.7/site-packages/

Debian might be looking under /usr/lib/ for Python.

Try a 32bit RPM.

openway@dl-360:~/rpm$

I even created the deb file out of ipa-python package and installed it on the
kubuntu machine (without any error). Still, it's the same. Any idea?

Thanks and regards,
Nidal

--- On Sun, 5/8/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Sunday, May 8, 2011, 4:39 PM

On 05/08/2011 06:20 AM, nasir nasir wrote:

Thanks indeed again for the reply. I went through the deployment guide and
installed and configured FreeIPA 2.0 on a RHEL 6.1 beta machine for testing. I
also configured the browsers on this server and a client Kubuntu machine as per
the guide. But I can't find any doc which explain how to configure a client
(kubuntu in my case) for single sign on or even accessing a service like nfs
using the

Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden

Dmitri Pal wrote:

On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:

On 05/06/2011 04:12 PM, Rob Crittenden wrote:

Steven Jones wrote:


Hi,

Digging through docs / googling I cant see any disk partition
suggestions and size thereof requirements...

Suggestions please?  sizing for 500 servers, 2000 desktops, 5000+
users...

Especially around having different sections of the IPA master of
different raid groups if that's needed...


It depends in part how you use IPA. A bare-bones user entry is about
1k, a host that has a certificate is about the same. There is some
amount of overhead in the DIT and you'll need to consider the space
for groups, how many kerberos services you'll deploy (also about 1k
in size) and what other features of IPA you'll use. We have quite a
few indexes into the data, that will take some room too.

I think additional RAM will be better than terabytes of disk. 389-ds
is going to try to cache much of this data, and with this number of
entries it can probably keep most if not all of the database in memory.

We haven't done any analysis on different FS performance.

Does that help?

rob


Would you consider these documents describing sizing and performance
tuning of the RH DS to be comparable/transferable to IPA?


http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements


http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html





Yes these documents are applicable and can be used to tune up DS server
under IPA.


Be careful to note that in the first document the disk space assumptions 
are for 100 byte entries and some (but not all) of the IPA entries are 
10x that.


Thanks for the links Sigbjorn.

regards

rob



Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-09 Thread Adam Young

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thnks a lot for all the replies!

This is a 64 bit machine. So I will try to install 32 bit and let you 
know the result.


Also, I was trying to configure NFS service on the FreeIPA machine. I 
followed exactly as given in the deployment guide and tested with 
another *RHEL 6.1 client machine *with ipa-client installed on it. 
When I try to mount the nfs export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May  9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the kerberos authentication (i.e without -o 
sec=krb5) it gets mounted without any problem. I googled a lot for 
this error and tried all the suggestions like adding allow_weak_crypto 
parameter in the krb5.conf file, checking host/DNS/Keytab entries etc. 
Still it does not work. When I give weak crypto entry and add some 
weak crypto like des-cbc-md5, server rejects and says that it is not 
supported. My /etc/export file and all the necessary commands are copy 
pasted from the deployment guide with only the necessary modifications 
to suite my values.


Please suggest me what to do.




Start off by checking the Kerberos logs on both the server and client
machines.

In /var/log/: krb5kdc.log, kadmind.log, secure.

I'm not a Kerberos guru...bear that in mind.

Make sure the clocks are in sync.  Always worth doing.  Kind of the
Kerberos equivalent of "make sure the network cable is actually plugged in".

The KDC needs to know about the NFS service in order to grant a ticket.
Confirm that you can request an nfs ticket for your user and client for
the given server.

On the IPA server side, you have to create a service entry for your NFS
server.  Your NFS server needs to know to talk to the IPA Kerberos
instance.  This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you
are doing a NFS mount on.  Being able to use the IPA Kerberos ticket to
ssh from the NFS client machine to the NFS server machine would be a
good validation that the entire problem is just in the NFS configuration.







Thanks indeed in advance and regards,
Nidal



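Adam's checklist above (clocks in sync, the KDC knowing the nfs/ service, a usable ticket on the client) as small shell checks, added here as an example and not code from the thread or from FreeIPA. The realm EXAMPLE.COM, the host nfs.example.com and the `klist -ke` listing are constructed so the script runs offline; on a real client feed it the output of `klist` and `klist -ke /etc/krb5.keytab`. It also adds the check that nasir's allow_weak_crypto attempt points at: listing which keytab keys still use single DES, so they can be re-keyed instead of the KDC being weakened.

```shell
#!/bin/sh
# Added example: NFS-over-Kerberos mount triage as shell checks. REALM,
# NFS_SERVER and SAMPLE_KEYTAB are constructed placeholders, not thread data.

REALM="${REALM:-EXAMPLE.COM}"                # assumed realm
NFS_SERVER="${NFS_SERVER:-nfs.example.com}"  # assumed NFS server FQDN

# Constructed `klist -ke` output: one nfs/ key still uses single DES, which
# current KDCs refuse by default (that is what allow_weak_crypto would relax).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/nfs.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/nfs.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfs.example.com@EXAMPLE.COM (des-cbc-md5)'

# Step 1, clocks: the KDC rejects authenticators when client and KDC clocks
# differ by more than clockskew (300 s by default); the client only sees
# "access denied", so check this before anything else.
clock_skew_ok() {   # $1 = client epoch seconds, $2 = KDC epoch seconds
  skew=$(( $1 - $2 ))
  if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
  [ "$skew" -le 300 ]
}

# Step 2, service key: reads `klist -ke` output on stdin and succeeds if
# principal $1 has at least one key. A missing key means the service entry or
# keytab was never created (ipa service-add nfs/<server>, then ipa-getkeytab).
keytab_has_principal() {
  grep -F -q -- " $1 ("
}

# Step 2b, weak keys: print keytab lines whose enctype is single DES. The fix
# for these is to re-key the service with AES, not to enable allow_weak_crypto.
keytab_weak_enctypes() {
  grep -E '\((des-cbc-crc|des-cbc-md4|des-cbc-md5)\)'
}

# Step 3, ticket: reads `klist` output on stdin after a mount attempt. A TGT
# with no nfs/<server> ticket beside it means the KDC does not know the service.
cache_has_nfs_ticket() {
  grep -F -q -- "nfs/$NFS_SERVER@$REALM"
}

# Dry run against the constructed sample
now=$(date +%s)
clock_skew_ok "$now" "$now" || echo "clock skew too large: fix NTP first"
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_principal "nfs/$NFS_SERVER@$REALM" \
  || echo "no nfs/$NFS_SERVER key in keytab"
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_weak_enctypes | sed 's/^ *//; s/^/re-key (single DES): /'
```

In use, the checks run in the order Adam lists them: skew first, then the keytab on the NFS server, then the ticket cache on the client after `kinit` and a mount attempt; the first one that fails is where to look.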

Re: [Freeipa-users] RHEL6.1 beta

2011-05-09 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Where are the ipa-server-2.0 packages held these days?

From previous list posts they were here, but I can't find them now



ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857

Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
  https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431




Apparently the beta is over so the packages were removed.

The beta ISOs should still be available and those I'm told have the ipa
packages via classic RHN. If you use the new entitlement system the beta
packages are still on cdn.redhat.com.


regards

rob



[Freeipa-users] FreeIPA questions

2011-05-09 Thread SR
I'm new to FreeIPA and this list so please forgive me for the n00b 
questions. I have what I think is a pretty straight-forward use for 
FreeIPA. We have an Active Directory environment with a few hundred 
users. We are starting to increase our number of Macs and need a 
directory solution. There are some issues with Macs in AD which Apple 
doesn't seem interested in addressing. Open Directory would be nice if 
we only had Macs but it doesn't allow for syncing accounts to AD, so it 
won't work for us.


Based on what I've read about FreeIPA, it seems like it would be a good 
fit for us.


The problem I'm having is that I can't seem to even get FreeIPA 
installed. I've tried using Fedora 10 with all the latest updates. I've 
tried adding different .repo files I've found on the various FreeIPA 
pages, but none of them seem to be working for me.


So, my questions are:

1) What is the best distro for running FreeIPA. I'd rather not purchase 
RHEL, so it sounds like Fedora is the way to go. I just finished 
downloading Fedora 14 and will give that a try unless someone recommends 
something else.


2) Is version 2 highly recommended over version 1 or does version 1 have 
sufficient features to use it in a production environment? Essentially, 
we have about 30 current Macs users (and growing) that we want to create 
accounts for in FreeIPA and have sync'd to AD (or vice versa). The users 
will need the ability to change their passwords.


3) What is the best way to install FreeIPA? I'm having problems with yum 
(see errors below) so I was wondering if there was another way, e.g., RPMs.


# yum install freeipa-server
Loaded plugins: refresh-packagekit
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64 error was
[Errno 4] IOError: urlopen error (101, 'Network is unreachable')
http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml: [Errno 4] IOError: urlopen error (-2, 'Name or service not known')

Trying other mirror.
fedora   | 2.8kB  00:00
updates   | 3.4kB  00:00
Setting up Install Process
No package freeipa-server available.
Nothing to do

Thanks!

--Steve



Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread Steven Jones
Hi,

IMHO.

I wouldn't use Fedora as a base for business use...it's not very stable or,
more importantly, long lived.  I've done a proof of concept on F14; F14 is fine
for that, unless F15 is out?  To take a good look at, yes.

You should be able to get the Macs to authenticate to AD directly...we do. I
can ask the Mac guy how it's done if that's a help, but it's probably out there
on Google.

Distro - there is only RHEL that I can see at present and it's a tech
preview...bear in mind that this is a Red Hat sponsored project...so it's
highly Red Hat centric.   CentOS, I'm 99% sure there isn't a CentOS 6 yet (I
looked last week) so I'm not aware there is an alternative.

I would suggest you need at least 2 RHEL instances to give redundancy and the
extra add-on channel(s) so that's some licencing...I think RHEL licences are
cheaper if they are virtualised guests though (we use VMware's ESXi) so ask a
sales person the cheapest way...we pay per student so I don't know the
commercial costs/licences fine points.   ESXi is available as a free option...I
run it at home...11 guests per Dell 390...way cool for a second hand $400
workstation.

I have not used 1.0, though I have installed an old version a while back for a
look, but I like IPA 2.0 a lot...its great web interface, easy to use unlike
most LDAP interfaces...the best I've seen by far, almost unusual for Red Hat as
their web GUIs don't impress me.

There are a lot of dependencies for IPA so doing it via the RPMs is a
nightmare; I tried yesterday off the CD and it was a waste of 3 hours, the
interdependencies made it impossible.

I went and kickstarted the guest again and put ipa-server in the script and it
installed fine...but if you don't have the 6.1 beta DVD that isn't an
option...really yum is it.

For the repo problem I'd suggest checking your DNS and firewall. I had a lot of
grief from both because our anal security ppl had stopped outward bound DNS
queries and didn't tell anyone; took me 2+ hours to figure that out...so then
they blocked outward HTTP because servers didn't need to do that...another
1+ hour wasted...the security guy was lucky he is way bigger than me...I was
so p*ssed  ;]

regards




Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Steven Jones
Hi,

Disk space isn't an issue as such, as I thin provision the VMware guest anyway so
I can be fairly generous, 200GB is easy...the thing that interests me is
splitting up the table spaces to different disk sets, for instance (/dev/sdb1,
/dev/sdc1 etc, etc). Later then I can change RAID types or spread out to
different LUNs if there is a performance bottleneck on the fly...that's easy
to do if the backend is broken up into different partitions on initial build...

regards





[Freeipa-users] test use cases

2011-05-09 Thread Steven Jones
NB in the test use case at,

https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS

With DNS

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org \
--realm=FREEIPA.ORG --setup-dns -U --selfsign

It is coming back with wanting forwarders set

So that might need updating...

e.g.

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org \
--realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign

Also the above is spitting out the install script because the FQDN isn't set.
To be correct, where should it be set?

/etc/hosts?

regards



Re: [Freeipa-users] Disk layout - requirements

2011-05-09 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Disk space isn't an issue as such, as I thin provision the VMware guest anyway so I can be
fairly generous, 200GB is easy...the thing that interests me is splitting up the table
spaces to different disk sets, for instance (/dev/sdb1, /dev/sdc1 etc, etc). Later then I
can change RAID types or spread out to different LUNs if there is a performance
bottleneck on the fly...that's easy to do if the backend is broken up into
different partitions on initial build...


Apparently the biggest increase will be seen if you move the transaction 
log. See 
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Maintaining_Directory_Databases-Configuring_Transaction_Logs_for_Frequent_Database_Updates


rob





Re: [Freeipa-users] test use cases

2011-05-09 Thread Dmitri Pal
On 05/09/2011 04:51 PM, Steven Jones wrote:
 NB in the test use case at,

 https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS

 
 With DNS

 #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
 --realm=FREEIPA.ORG --setup-dns -U --selfsign

 

 It is coming back with wanting forwarders set

 So that might need updating...

 eg

 #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org 
 --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign

 Also the above is spitting out the install script because the FQDN isn't set.
 To be correct, where should it be set?

 /etc/hosts?


Yes. If the machine does not have a DNS-provided identity its name should
be added to /etc/hosts first.
See first paragraph.
https://fedorahosted.org/freeipa/wiki/QuickStartGuide


 regards





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



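The two things Steven ran into with `ipa-server-install --setup-dns` (the installer asking for forwarders, and the host name not being a usable FQDN) together with Dmitri's answer (put the name in /etc/hosts first) as a pre-flight script, added here as an example and not code from the thread or from FreeIPA. The host name ipa.example.test, the /etc/hosts content and the forwarder addresses are constructed placeholders; `--forwarder=IP` is the installer's own option for naming a forwarder explicitly, the counterpart of the `--no-forwarders` flag quoted above.

```shell
#!/bin/sh
# Added example: pre-flight checks before running ipa-server-install --setup-dns.
# Host names, the /etc/hosts sample and forwarder IPs are constructed for the dry run.

# A usable FQDN has at least one dot, is not localhost and has no trailing dot.
is_fqdn() {
  case "$1" in
    ""|localhost|localhost.localdomain|*.) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the address /etc/hosts (read from stdin) maps to the FQDN given as $1;
# fail if there is no such line. Comment lines are skipped.
hosts_address_for() {
  awk -v fqdn="$1" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == fqdn) { print $1; found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# The KDC and the DNS records must use a routable address, not loopback.
is_loopback() {
  case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# Build the forwarder part of the command line: one --forwarder=IP per
# upstream resolver, or --no-forwarders when the server should resolve on its own.
forwarder_args() {
  out=""
  for ip in "$@"; do out="$out --forwarder=$ip"; done
  if [ -z "$out" ]; then echo "--no-forwarders"; else echo "${out# }"; fi
}

# Constructed /etc/hosts for the dry run
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
192.0.2.10  ipa.example.test ipa'

# Run every check for one host name against one /etc/hosts; print the reason on failure.
preflight() {   # $1 = host name, $2 = /etc/hosts content
  is_fqdn "$1" || { echo "host name '$1' is not an FQDN: set one before installing"; return 1; }
  addr=$(printf '%s\n' "$2" | hosts_address_for "$1") || { echo "$1 is not in /etc/hosts"; return 1; }
  if is_loopback "$addr"; then echo "$1 maps to loopback $addr, use the real address"; return 1; fi
  echo "$1 -> $addr"
}

# Dry run on the constructed sample, then on this machine (errors are only reported)
preflight "ipa.example.test" "$SAMPLE_HOSTS"
echo "forwarder options: $(forwarder_args 192.0.2.53 192.0.2.54)"
preflight "$(hostname -f 2>/dev/null || hostname)" "$(cat /etc/hosts 2>/dev/null)" || true
```

The `--no-forwarders` form is the right choice only when the IPA server is meant to resolve external names itself; with site resolvers, pass them as `--forwarder` options so the installer does not prompt.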


Re: [Freeipa-users] FreeIPA questions

2011-05-09 Thread SR

Thanks for the feedback, Steven!

The main issue we had with Macs tied directly to AD was 100% CPU 
utilization caused by the DirectoryService. I currently have my Mac tied 
to Open Directory as well as AD. This is working well with one 
exception: Logins (or even unlocking the screen) can take several 
minutes when disconnected from the network. This has been a known issue 
with Macs for quite some time, their forums have tons of complaints 
about it, yet Apple seems uninterested in working on the problem.


We have a bunch of ESXi boxes and I certainly have no problem using 
that. In fact, I'm trying to test FreeIPA on an ESXi box already. :-)


Based on past experience with dependency nightmares as well as your 
advice, I won't bother with RPMs.


I checked yesterday and there is still no CentOS 6. So, it sounds like 
RHEL is really the best way to go. I think there is an eval, so I will 
grab that to try.


Thanks again!

--Steve


[Freeipa-users] failure to un-install FreeIPA

2011-05-09 Thread Steven Jones
I am trying to un-install freeipa with

ipa-server-install --uninstall and it's saying not installed, but when I try to
install it's saying already installed!

oops.

Is there a way to force the script to check and remove everything?

Or somewhere there is a lock file or something that needs removing?

regards
