Re: [Freeipa-users] DNS discovery failed to determine your DNS domain
Robert M. Albrecht wrote:
> Hi,
>
> this happens while ipa-client-install. If I enter the domain manually, I get "unable to find the IPA server". After this the installer complains about resolv.conf.
>
> Mine looks like
>
>     domain example.com
>     search example.com
>     nameserver 192.168.0.230
>
> The ip is my ipa-server. What should it look like?
>
> cu romal

We need some more details. What version of ipa-client? Can you include the exact errors you are getting? Do you have an AD server for the same domain/realm?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
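As an added diagnostic (not from the thread and not part of FreeIPA's installer), the POSIX shell script below reads the resolv.conf the client would use and lists the records IPA's DNS discovery depends on: the `domain` line (or the first `search` entry) gives the domain, and under it the installer expects the SRV records `_ldap._tcp.<domain>`, `_kerberos._udp.<domain>` and `_kerberos._tcp.<domain>` plus the `_kerberos.<domain>` TXT record that names the realm. Those record names are what an IPA server publishes and what discovery looks for; the `--check` mode queries them with `dig`, which is assumed to be installed, and the resolv.conf contents used in the comments are constructed for illustration. One reason the AD question matters: an AD domain controller publishes its own `_ldap._tcp` SRV records for its domain, so if AD and IPA share a DNS domain, discovery can be answered by a server that is not IPA.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: inspect the resolv.conf
# ipa-client-install reads and list the DNS records its discovery relies on.
# Assumptions: a plain resolv.conf with "domain"/"search"/"nameserver" lines,
# and dig available for the optional live check.

# Domain discovery starts from: the "domain" line if present, otherwise the
# first entry of the "search" line. Prints nothing if neither exists.
resolv_domain() {
    file="${1:-/etc/resolv.conf}"
    dom=$(awk '$1 == "domain" { print $2; exit }' "$file")
    if [ -z "$dom" ]; then
        dom=$(awk '$1 == "search" { print $2; exit }' "$file")
    fi
    printf '%s\n' "$dom"
}

# All nameserver entries, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# The names IPA client discovery looks up for a domain (SRV for the first
# three, TXT for the last, which carries the realm name).
ipa_discovery_names() {
    dom="$1"
    printf '%s\n' "_ldap._tcp.$dom" "_kerberos._udp.$dom" \
                  "_kerberos._tcp.$dom" "_kerberos.$dom"
}

# Live check (needs dig and network): ask each configured nameserver for each
# discovery record and print the answers. Empty output for _ldap._tcp means the
# nameserver is not serving the IPA records; an answer naming a host that is
# not the IPA server points at another directory (e.g. AD) owning the domain.
check_discovery() {
    file="${1:-/etc/resolv.conf}"
    dom=$(resolv_domain "$file")
    [ -n "$dom" ] || { echo "no domain/search line in $file" >&2; return 1; }
    for ns in $(resolv_nameservers "$file"); do
        for name in $(ipa_discovery_names "$dom"); do
            case "$name" in
                _ldap.*|_kerberos._udp.*|_kerberos._tcp.*) type=SRV ;;
                *)                                         type=TXT ;;
            esac
            echo "== $type $name @ $ns"
            dig +short "@$ns" "$name" "$type"
        done
    done
}

# Only query DNS when invoked directly with --check [resolv.conf path].
# Example (constructed): with "domain example.com" and
# "nameserver 192.168.0.230" the script asks 192.168.0.230 for
# _ldap._tcp.example.com, _kerberos._udp.example.com, ...
if [ "${1:-}" = "--check" ]; then
    check_discovery "${2:-/etc/resolv.conf}"
fi
```

Run it on the client as `sh check-ipa-dns.sh --check /etc/resolv.conf` (file name assumed). The point of the SRV answer is the target host: discovery then connects to it over LDAP and expects an IPA server, which is why a correct-looking resolv.conf can still end in "unable to find the IPA server".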
Re: [Freeipa-users] Windows client logon
Just curious about this, the guide that we both refer to provides instructions for a windows client authentication, but this page indicates that FreeIPA doesn't support windows clients:

http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

Which is correct?

On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>
>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>
>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log-in message "the system cannot log you on now because the domain is not available".
>
> The guide says this happens when you don't log in using the principal name, are you using that?
>
> rob
Re: [Freeipa-users] Windows client logon
Jimmy wrote:
> Just curious about this, the guide that we both refer to provides instructions for a windows client authentication, but this page indicates that FreeIPA doesn't support windows clients:
>
> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>
> Which is correct?

The guide you referred to was contributed by another FreeIPA user showing one way to get Windows login working. It does this by mapping all IPA users to a single windows user (ipauser). This is not practical for most installations so we don't recommend it.

The roadmap for the next major release of FreeIPA adds AD trust so the IPA realm can be trusted as part of an AD forest.

rob

> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Jimmy wrote:
>>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>>
>>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>>
>>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log-in message "the system cannot log you on now because the domain is not available".
>>
>> The guide says this happens when you don't log in using the principal name, are you using that?
>>
>> rob
[Freeipa-users] Multi-tenancy and Freeipa
Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customers' users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company's container.

Would we have to do something like create realms for each customer? Then configure trusts from the customer realm to ours?

    EXAMPLE.COM - our realm
    CUSTOMERA.EXAMPLE.COM - customer a realm
    ... and so on

What about data within the directory? Currently our DIT is like:

    o=MyCompany,dc=example,dc=com
    o=CustomerA,dc=example,dc=com

Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?

Regards,
-Alan

Posted on behalf of Alan

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Windows client logon
One thing that doesn't quite make sense about the windows config instructions: we make a keytab, but there is no indication as to where the keytab goes. I wouldn't think the IPA server would need the keytab as the password is stored in the IPA server already.

On Wed, Sep 14, 2011 at 10:07 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>> Just curious about this, the guide that we both refer to provides instructions for a windows client authentication, but this page indicates that FreeIPA doesn't support windows clients:
>>
>> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>>
>> Which is correct?
>
> The guide you referred to was contributed by another FreeIPA user showing one way to get Windows login working. It does this by mapping all IPA users to a single windows user (ipauser). This is not practical for most installations so we don't recommend it.
>
> The roadmap for the next major release of FreeIPA adds AD trust so the IPA realm can be trusted as part of an AD forest.
>
> rob
>
>> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Jimmy wrote:
>>>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>>>
>>>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>>>
>>>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log-in message "the system cannot log you on now because the domain is not available".
>>>
>>> The guide says this happens when you don't log in using the principal name, are you using that?
>>>
>>> rob
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customers' users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company's container.

At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.

> Would we have to do something like create realms for each customer? Then configure trusts from the customer realm to ours?
>
>     EXAMPLE.COM - our realm
>     CUSTOMERA.EXAMPLE.COM - customer a realm
>     ... and so on

This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.

> What about data within the directory? Currently our DIT is like:
>
>     o=MyCompany,dc=example,dc=com
>     o=CustomerA,dc=example,dc=com

If you create multiple realms you'll have to do it with multiple servers with current IPA.

> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?

In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customers' users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company's container.
>
> At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.
>
>> Would we have to do something like create realms for each customer? Then configure trusts from the customer realm to ours?
>>
>>     EXAMPLE.COM - our realm
>>     CUSTOMERA.EXAMPLE.COM - customer a realm
>>     ... and so on
>
> This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.
>
>> What about data within the directory? Currently our DIT is like:
>>
>>     o=MyCompany,dc=example,dc=com
>>     o=CustomerA,dc=example,dc=com
>
> If you create multiple realms you'll have to do it with multiple servers with current IPA.
>
>> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?
>
> In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.

Replying to myself, custom schema may not be necessary.

It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins' view.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
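As an added example serving Simo's two suggestions above (custom ACIs to limit who sees what, with plain non-POSIX groups as the tenant label instead of custom schema, and anonymous access switched off with encryption required), the shell script below emits and applies the LDIF an admin would feed to `ldapmodify` against FreeIPA's 389 Directory Server. It is not from the thread or from the FreeIPA project. The base DN `dc=example,dc=com`, the container `cn=users,cn=accounts`, and the group names `customera` and `customera-readers` are assumptions; the ACI syntax and the `nsslapd-allow-anonymous-access` and `nsslapd-minssf` settings are 389-ds's own. Two caveats the thread raises are worth keeping in mind: 389-ds grants whatever any allow ACI grants, so the broad default read ACIs FreeIPA ships have to be narrowed, and an explicit allow kept for the admins group, or the tenant ACI either isolates nothing or cripples the admins' view; and, as Simo notes later in the thread, directory ACIs do nothing for Kerberos, where every user of the single realm can still obtain service tickets for every service.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: label each tenant's
# users with a non-POSIX group, let only that tenant's readers see them via
# a 389-ds ACI, and close anonymous/cleartext access on the directory.
# Assumed: base DN dc=example,dc=com (override with IPA_BASE), FreeIPA's
# memberOf plugin maintaining the memberOf attribute, OpenLDAP ldapmodify.

BASE="${IPA_BASE:-dc=example,dc=com}"

# LDIF adding one ACI to the users container: members of <tenant>-readers may
# read/search/compare only entries that are members of the <tenant> group.
# The targetfilter is the "label" Simo mentions, expressed with memberOf
# instead of custom schema. This is an *additional* allow; any existing allow
# ACI (FreeIPA's default read ACIs included) still grants what it grants, so
# those must be reviewed and an allow for the admins group kept in place.
tenant_aci_ldif() {
    tenant="$1"
    cat <<EOF
dn: cn=users,cn=accounts,$BASE
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(memberOf=cn=$tenant,cn=groups,cn=accounts,$BASE)")(version 3.0; acl "$tenant readers see $tenant users"; allow (read, search, compare) groupdn = "ldap:///cn=$tenant-readers,cn=groups,cn=accounts,$BASE";)
EOF
}

# LDIF for cn=config: refuse anonymous binds and require a minimum security
# strength factor, so only TLS/SSL or GSSAPI-protected connections are served
# (the weak defaults are "on"/"0"; these are the hardened values).
harden_config_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-minssf
nsslapd-minssf: 56
EOF
}

# Apply for one tenant: create the two non-POSIX groups with the ipa CLI
# (needs an admin Kerberos ticket), add the ACI over GSSAPI, then harden
# cn=config as Directory Manager. Not run by the tests.
apply_tenant_isolation() {
    tenant="$1"
    host=$(hostname -f)
    ipa group-add "$tenant" --nonposix --desc "Tenant $tenant users"
    ipa group-add "$tenant-readers" --nonposix --desc "Tenant $tenant readers"
    tenant_aci_ldif "$tenant" | ldapmodify -Y GSSAPI -H "ldap://$host"
    harden_config_ldif | ldapmodify -D "cn=Directory Manager" -W -H "ldap://$host"
}

# Only apply when invoked directly with a tenant name, e.g.:
#   sh tenant-isolation.sh customera
if [ -n "${1:-}" ]; then
    apply_tenant_isolation "$1"
fi
```

Once `nsslapd-minssf` is set, cleartext simple binds are refused, so later administrative `ldapmodify` runs must use `-Y GSSAPI` or an `ldaps://` URL; test the ACI with `ldapsearch` bound as a `customera-readers` member and as a member of another tenant's readers group before trusting it, and as an admin to confirm the admins' view is intact.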
Re: [Freeipa-users] Multi-tenancy and Freeipa
On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>>> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>>>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customers' users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company's container.
>>>
>>> At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.
>>>
>>>> Would we have to do something like create realms for each customer? Then configure trusts from the customer realm to ours?
>>>>
>>>>     EXAMPLE.COM - our realm
>>>>     CUSTOMERA.EXAMPLE.COM - customer a realm
>>>>     ... and so on
>>>
>>> This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.
>>>
>>>> What about data within the directory? Currently our DIT is like:
>>>>
>>>>     o=MyCompany,dc=example,dc=com
>>>>     o=CustomerA,dc=example,dc=com
>>>
>>> If you create multiple realms you'll have to do it with multiple servers with current IPA.
>>>
>>>> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?
>>>
>>> In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.
>>
>> Replying to myself, custom schema may not be necessary.
>>
>> It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins' view.
>>
>> Simo.
>
> The management framework only supports a single realm as well, even if you could manage to insert the data.

The ACIs solution would work with a single-realm model ... except that it also means each customer needs to do very careful access control when using kerberos for now, as we do not have a way to constrain which users can get tickets for which services in the same REALM.

This is something we want to introduce in v3.0 anyways for various reasons. So going forward, segmentation of users should become simpler.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Multi-tenancy and Freeipa
Thanks all for your quick replies. My case is a bit of a corner case anyway so I was not expecting to have a perfect solution. Having tested out freeipa a few times in the last couple of years, it is certainly impressive the progress that has been made. I think for now I am going to continue using LDAP as we are and re-evaluate adding Kerberos later, or at most selectively enable it for our admin users in the short term. :)

Regards,
-Alan

On Wed, Sep 14, 2011 at 3:22 PM, Simo Sorce <s...@redhat.com> wrote:
> On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>>>> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>>>>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for a managed service provider that currently uses LDAP for authentication for both our users and our customers' users. But Customer A cannot see Customer B's data due to access control on our directory. Each customer has at least one LDAP service account in their container in the tree that can only view that customer's container and my company's container.
>>>>
>>>> At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD.
>>>>
>>>>> Would we have to do something like create realms for each customer? Then configure trusts from the customer realm to ours?
>>>>>
>>>>>     EXAMPLE.COM - our realm
>>>>>     CUSTOMERA.EXAMPLE.COM - customer a realm
>>>>>     ... and so on
>>>>
>>>> This may work once ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully baked in yet.
>>>>
>>>>> What about data within the directory? Currently our DIT is like:
>>>>>
>>>>>     o=MyCompany,dc=example,dc=com
>>>>>     o=CustomerA,dc=example,dc=com
>>>>
>>>> If you create multiple realms you'll have to do it with multiple servers with current IPA.
>>>>
>>>>> Would separating by realms automatically divide that up? Would Customer A be able to see any Customer B users using multiple realms alone, or would we have to take additional precautions?
>>>>
>>>> In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to label entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point.
>>>
>>> Replying to myself, custom schema may not be necessary.
>>>
>>> It may be possible to use just ACIs and non-posix groups together w/o adding additional schema, that would make the problem simpler, although ACIs need to be built carefully not to cripple the admins' view.
>>>
>>> Simo.
>>
>> The management framework only supports a single realm as well, even if you could manage to insert the data.
>
> The ACIs solution would work with a single-realm model ... except that it also means each customer needs to do very careful access control when using kerberos for now, as we do not have a way to constrain which users can get tickets for which services in the same REALM.
>
> This is something we want to introduce in v3.0 anyways for various reasons. So going forward, segmentation of users should become simpler.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York