Re: [Freeipa-users] syncing users more not limited to a subtree
On 02/14/2012 07:18 AM, David Juran wrote:
> Hello!
>
> On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?
>>
>> I don't think so, but can you provide some examples?
>
> If I understand the customer's use-case correctly (and this is quite a disclaimer) they have _most_ of their users in one sub-tree in AD but also some users spread out all over the AD. So I gather that I really should sync the entire AD. Or that I _possibly_ could specify multiple sub-trees to sync, but still only on a subtree level and not individual users to sync. Or that I really should wait for the trust-to-AD feature to be ready... Is that correct?

You could try syncing several subtrees from AD to IPA.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replacing the primary IPA server
On 02/14/2012 12:31 AM, Simo Sorce wrote:
> On Tue, 2012-02-14 at 00:14 +0100, Sigbjorn Lie wrote:
>> On 02/13/2012 09:43 PM, Simo Sorce wrote:
>>> On Mon, 2012-02-13 at 21:37 +0100, Sigbjorn Lie wrote:
>>>> On 02/13/2012 08:55 PM, Simo Sorce wrote:
>>>>> On Mon, 2012-02-13 at 20:43 +0100, Sigbjorn Lie wrote:
>>>>>> On 02/13/2012 08:16 PM, Rob Crittenden wrote:
>>>>>>> Sigbjorn Lie wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What precautions need to be taken when replacing the primary/first IPA server? Is it enough to reinstall the server and run an ipa-replica-install from one of the other replicas?
>>>>>>>
>>>>>>> It depends on what type of CA installation you have. Did you install with dogtag or with a selfsign CA?
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Dogtag
>>>>>
>>>>> If you installed the CA on more than one replica, then you can remove the first master, all the info is replicated on the other replicas that have a clone of the CA.
>>>>>
>>>>> Note that the CA is not replicated by default, see the --setup-ca option or ipa-ca-install
>>>>
>>>> Excellent. Yes, I've used --setup-ca when I created the replicas. :)
>>>>
>>>> What if I have 3 IPA servers. 2 being replicated off the first master. The master is re-installed and re-setup using ipa-replica-install from one of the 2 other IPA servers. Will not the 3rd server be left without a sync agreement? Does the 3rd server need to be manually added back in with a sync agreement?
>>>
>>> Before removing any server you should make sure it will not break the topology. You can use ipa-replica-manage and ipa-ca-replica-manage to create links between the 2 other servers before you retire the hub. You have to use both the commands as CA replication agreements are distinct from IPA replication agreements.
>>
>> 1. Let's say the server has crashed. Unrecoverable. Can new replication agreements still be set up between the remaining hosts?
>
> Yes, you should be able to change the agreements, as all the principals already exist so there is no need to replicate through the old hub just to set them up.
>
>> 2. I do not see a way of displaying relationships between the IPA hosts when viewing the replicas with ipa-replica-manage list. I see the same output on all the IPA hosts.
>
> ipa-replica-manage list shows all servers
> ipa-replica-manage list servername shows the replication agreements that server uses
>
> If they all look the same it means you have a full mesh :)
>
>> 3. Perhaps this was discussed earlier: Can a ring of replicas be configured with IPA?
>
> If by ring you mean A->B->C->A then yes. In general we recommend to not have more than 4 replication agreements per server, but that's more of a rule of thumb than a hard limit.

Thank you. :)

For anyone else reading this thread and looking for more information, see the link below. I see some of my questions were already documented there.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ipa-replica-manage.html
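The advice above is to confirm, before retiring the hub, that the remaining servers still have a path to each other over both the IPA and the CA agreements. The script below is an added example, not code from the thread or from FreeIPA: it parses the kind of per-server output that `ipa-replica-manage list <server>` (or `ipa-ca-replica-manage list <server>`) prints, with the line format `peer: replica` assumed, builds the agreement graph, and reports which servers would be cut off if a given server disappeared, which links would need adding first, and which servers exceed the four-agreement rule of thumb. The sample output is constructed for a hub-and-spoke layout with three servers.

```python
"""Check an IPA replication topology before retiring a server.

Added example, not part of the mailing-list thread. The output format of
`ipa-replica-manage list <server>` is assumed to be one peer per line as
"host: replica"; the sample below is constructed, not captured from a real
deployment. Run it once with ipa-replica-manage output and once with
ipa-ca-replica-manage output, since the two agreement sets are distinct.
"""
from collections import defaultdict

# Constructed sample: ipa1 is the hub, ipa2 and ipa3 only talk to ipa1.
SAMPLE_OUTPUT = {
    "ipa1.example.com": "ipa2.example.com: replica\nipa3.example.com: replica\n",
    "ipa2.example.com": "ipa1.example.com: replica\n",
    "ipa3.example.com": "ipa1.example.com: replica\n",
}


def parse_agreements(per_server_output):
    """Return an undirected adjacency map {server: set(peers)}.

    Agreements are treated as symmetric links: if A lists B, both ends are
    connected, so a one-sided listing still counts as one link.
    """
    graph = defaultdict(set)
    for server, text in per_server_output.items():
        graph[server]  # keep servers with no agreements in the map
        for line in text.splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue
            peer = line.split(":", 1)[0].strip()
            graph[server].add(peer)
            graph[peer].add(server)
    return dict(graph)


def reachable_from(graph, start, removed=frozenset()):
    """Servers reachable from `start` over agreements, skipping `removed`."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen or node in removed:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def components_after_removal(graph, server):
    """Connected groups the survivors fall into once `server` is gone.

    One group means the topology survives; more than one means some
    servers would no longer replicate with the others.
    """
    comps, assigned = [], set()
    for s in sorted(x for x in graph if x != server):
        if s in assigned:
            continue
        comp = reachable_from(graph, s, removed={server})
        assigned |= comp
        comps.append(sorted(comp))
    return comps


def safe_to_retire(graph, server):
    """True if removing `server` leaves the remaining servers connected."""
    return len(components_after_removal(graph, server)) <= 1


def missing_links(graph, server):
    """Agreements to add between survivors so that retiring `server` is safe.

    Joins every extra group to the first one; one new link per extra group.
    """
    comps = components_after_removal(graph, server)
    return [(comps[0][0], c[0]) for c in comps[1:]]


def overloaded(graph, limit=4):
    """Servers carrying more agreements than the rule of thumb allows."""
    return sorted(s for s, peers in graph.items() if len(peers) > limit)


if __name__ == "__main__":
    g = parse_agreements(SAMPLE_OUTPUT)
    for server in sorted(g):
        verdict = "ok" if safe_to_retire(g, server) else "would split topology"
        print(f"retire {server}: {verdict}; links to add first: {missing_links(g, server)}")
    print("servers over the 4-agreement rule of thumb:", overloaded(g))
```

In the constructed sample, retiring `ipa1.example.com` splits the survivors into two groups, so the script suggests creating an agreement between `ipa2.example.com` and `ipa3.example.com` first; retiring either spoke is reported as safe.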
Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials
Simo Sorce wrote:
> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>> Hi,
>>
>> Server: RHEL6.2
>> Spec:
>> ipa-admintools-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>>
>> Error: I had this working on Friday night, came in Monday and then this error appeared?
>>
>> kinit -V craig
>> Using default cache: /tmp/krb5cc_0
>> Using principal: cr...@example.com
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> Server Side Error: (File: /var/log/krb5kdc.log)
>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>
>> Usual Questions:
>> Should I simply reset the password?
>
> It seems like the only option to quickly recover access to your user.
>
>> Is it a bug?
>
> It may be. Did you do anything special with this user? Did this happen immediately after a password change? Or immediately after a FreeIPA or krb5kdc upgrade? Can you give a little more context around this?
>
> Also could you ldapsearch this user entry before you change your password using 'cn=Directory Manager' as user in order to retrieve the key attribute and send the ldif to me in private? I want to see if the key blob at least looks normal (do not worry about your password, the key material is itself encrypted).
>
> It might also be handy to see who last updated this entry before you reset the password (if it isn't too late): modifyTimestamp lastModifiedBy
>
>> Anyone else seen this error?
>
> Haven't seen any report, and haven't ever occurred in my testing.
>
> Simo,
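The KDC message "ASN.1 encoding ended unexpectedly" is what a DER decoder reports when a length field promises more bytes than the stored value actually contains, which is why Simo asks to see the raw key blob before the password reset overwrites it. The script below is an added example, not from the thread or from FreeIPA or MIT Kerberos: it walks any DER-encoded value tag by tag and checks that every declared length fits inside its container, so an exported blob (the principal's stored key attribute, krbPrincipalKey in FreeIPA's schema) can be checked for truncation offline before deciding whether the entry was damaged or merely mis-written. The two blobs are constructed toy structures, not real key material, and the walker deliberately handles only single-byte tags and definite lengths, which is all DER allows.

```python
"""Detect truncated or inconsistent DER encodings.

Added example, not part of the mailing-list thread. The walker checks the
same property a Kerberos KDC checks when it reports "ASN.1 encoding ended
unexpectedly": every TLV's declared length must fit within the bytes that
remain in its enclosing container. Sample blobs are constructed.
"""

# Constructed: SEQUENCE { INTEGER 1, OCTET STRING "key" } (10 bytes, valid DER)
GOOD_BLOB = bytes.fromhex("3008" "020101" "04036b6579")
# Constructed: the same value with the last two bytes lost (outer length overruns)
TRUNCATED_BLOB = GOOD_BLOB[:-2]
# Constructed: outer length is right but the OCTET STRING claims 5 bytes, not 3
INNER_OVERRUN_BLOB = bytes.fromhex("3008" "020101" "04056b6579")


def read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("encoding ended unexpectedly: missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + n > len(buf):
        raise ValueError("encoding ended unexpectedly: truncated length field")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def walk(buf, pos=0, end=None, depth=0, out=None):
    """Walk every TLV in buf[pos:end], recursing into constructed types.

    Returns a list of (depth, tag, length) tuples; raises ValueError with
    the offending offset if any element does not fit in its container.
    """
    if end is None:
        end = len(buf)
    if out is None:
        out = []
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"multi-byte tag at offset {pos} is not handled")
        length, body = read_length(buf, pos + 1)
        if body + length > end:
            raise ValueError(
                f"encoding ended unexpectedly at offset {pos}: tag 0x{tag:02x} "
                f"declares {length} bytes but only {end - body} remain")
        out.append((depth, tag, length))
        if tag & 0x20:                    # constructed: children must fill the body
            walk(buf, body, body + length, depth + 1, out)
        pos = body + length
    return out


def check_der(buf):
    """Return (ok, message); ok is True when every declared length is satisfied."""
    try:
        elements = walk(buf)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(elements)} elements, all lengths consistent"


if __name__ == "__main__":
    for name, blob in (("good", GOOD_BLOB), ("truncated", TRUNCATED_BLOB),
                       ("inner overrun", INNER_OVERRUN_BLOB)):
        ok, msg = check_der(blob)
        print(f"{name:14s} {blob.hex():24s} {'OK ' if ok else 'BAD'} {msg}")
```

A blob exported with ldapsearch as base64 can be fed in after `base64.b64decode`; a clean walk means the stored value is at least structurally complete, and a failure pinpoints the offset at which the decoder gives up, which is useful to compare against the entry's modifyTimestamp and whatever last wrote it.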
Re: [Freeipa-users] syncing users more not limited to a subtree
David Juran wrote:
> Hello!
>
> On fre, 2012-02-10 at 08:28 -0700, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?
>>
>> I don't think so, but can you provide some examples?
>
> If I understand the customer's use-case correctly (and this is quite a disclaimer) they have _most_ of their users in one sub-tree in AD but also some users spread out all over the AD. So I gather that I really should sync the entire AD. Or that I _possibly_ could specify multiple sub-trees to sync, but still only on a subtree level and not individual users to sync. Or that I really should wait for the trust-to-AD feature to be ready... Is that correct?

How would they identify which users they would want sync'd? Is this something we'd be able to build a filter on (not that we actually provide a configurable filter right now)?

rob
[Freeipa-users] FreeIPA deployment questions (Open Directory)
I'm new to FreeIPA and have some questions. I've searched the archives for similar articles and found https://www.redhat.com/archives/freeipa-users/2011-May/msg00040.html, but with some differences. Please excuse my lack of knowledge, but I hope that the answers to these questions might help others through the archives.

***

I saw the announcement that 2.1.4 from the updates-testing repo is strongly advised. In the previous message, I saw that deploying a production server on Fedora was a bad idea. 2.1.3 is the last version available on the CentOS repos. Is that one reasonable to use? Are there any gotchas that I should know about, like disabling selinux? Is 2.1.3 usable while waiting for 2.1.4 to hit the CentOS repos?

***

AD synchronization is under active development, but I'm wanting to work with Open Directory. The last references I've seen to it on the user list were with 1.x. I've seen the opaque objects in the OD schema, realize the OD schema is rather fluid and understand that maintaining an integration like that may not be productive for such a small audience. On the other hand, are there configurations with limited replication or referrals that might provide basic interoperability?

I haven't been too successful with getting Apache Directory Studio connected to FreeIPA so I can browse around, but does anyone have some insights they could share on this?

Anyone have FreeIPA working at any level with OpenDirectory that they could share insights about?

Thank you kindly for any insights that you might be able to share!

Brian
Re: [Freeipa-users] syncing users more not limited to a subtree
On tis, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote:
>>> I don't think so, but can you provide some examples?
>>
>> If I understand the customer's use-case correctly (and this is quite a disclaimer) they have _most_ of their users in one sub-tree in AD but also some users spread out all over the AD. So I gather that I really should sync the entire AD. Or that I _possibly_ could specify multiple sub-trees to sync, but still only on a subtree level and not individual users to sync. Or that I really should wait for the trust-to-AD feature to be ready... Is that correct?
>
> How would they identify which users they would want sync'd? Is this something we'd be able to build a filter on (not that we actually provide a configurable filter right now)?

I'll check that, but won't all of this become moot once we can trust an AD domain? If this filtering would become a show-stopper I'll get back to you, but if schedule permits, I'd rather wait for the trust feature rather than develop a new feature for this.

-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801