[Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user
Dear all,

I have two domains, one is a Windows AD domain, the other is an IPA domain. Both domains already have a two-way trust, and Windows AD users can log on to an IPA client PC successfully.

Since a user account in Windows AD can log on to an IPA client PC, may I set UID, GID and HomeDir for the user from Windows AD? If so, how should I do it? Is there any tutorial on the web?

Thanks
Kevin Tang

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user
Dear Martin,

Thank you very much

Kevin

From: Martin Kosek mko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/12/2013 03:29 PM
Subject: Re: [Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user

> On 09/12/2013 09:16 AM, kevint...@umac.mo wrote:
> > Dear all,
> >
> > I have two domains, one is a Windows AD domain, the other is an IPA domain. Both domains already have a two-way trust, and Windows AD users can log on to an IPA client PC successfully.
> >
> > Since a user account in Windows AD can log on to an IPA client PC, may I set UID, GID and HomeDir for the user from Windows AD? If so, how should I do it? Is there any tutorial on the web?
> >
> > Thanks
> > Kevin Tang
>
> With a plain Active Directory and users signing in from AD to a FreeIPA Linux client, AD users will get an automatically assigned UID and GID based on their Windows identification (SID). This should work fine.
>
> However, I think you cannot set a custom home dir centrally, unless you configure the Services for Identity Management for UNIX AD extension and FreeIPA to use it:
>
> Design page of the feature:
> http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
>
> Test day page (a.k.a. tutorials):
> https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients
>
> ... and particularly this part:
> https://fedoraproject.org/wiki/QA:Testcase_freeipa_using_posix_attributes_in_ad
>
> If you do not want to use the extension, you could for example override the default home dir on FreeIPA clients, e.g. with the subdomain_homedir option of sssd.conf (man sssd.conf).
>
> HTH,
> Martin
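Martin's second option (subdomain_homedir in sssd.conf) is a template, so the home directory an AD user lands in depends on how the template expands. The helper below is an added example, not part of the thread or of SSSD itself: it expands a home-directory template the way I read the format description in man sssd.conf (%u user, %U uid, %d domain, %f fully qualified name, %o original home dir from the directory, %H homedir_substring, %% literal percent). The domain and user names are constructed for the example; check the expansion against your own sssd.conf before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread, not SSSD code): expand an sssd.conf
# home-directory template such as subdomain_homedir = /home/%d/%u for a
# trusted-AD user. Format characters follow man sssd.conf as I read it.
#
# $1 template, $2 short user name, $3 AD (sub)domain name, $4 UID,
# $5 original home dir from the directory (may be empty),
# $6 value of homedir_substring (defaults to /home here)
render_homedir() {
    tpl="$1"; user="$2"; dom="$3"; uid="$4"; orig="${5:-}"; subst="${6:-/home}"
    out=""
    rest="$tpl"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"     # first character of the remainder
        rest="${rest#?}"
        if [ "$c" != "%" ]; then
            out="$out$c"
            continue
        fi
        s="${rest%"${rest#?}"}"     # the character after '%'
        rest="${rest#?}"
        case "$s" in
            u) out="$out$user" ;;          # login name
            U) out="$out$uid" ;;           # numeric UID (derived from the SID)
            d) out="$out$dom" ;;           # domain name, e.g. ad.example.com
            f) out="$out$user@$dom" ;;     # fully qualified name
            o) out="$out$orig" ;;          # home dir stored in AD, if any
            H) out="$out$subst" ;;         # homedir_substring option
            %) out="$out%" ;;              # literal percent sign
            *) printf 'unknown expansion %%%s\n' "$s" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Usage with constructed names (default template vs. a flat layout):
#   render_homedir '/home/%d/%u' kevin ad.example.com 1234567
#   render_homedir '%H/%u'       kevin ad.example.com 1234567 '' /export/home
```

The default template keeps users from different trusted domains apart (/home/ad.example.com/kevin); a flat %H/%u layout is shorter but two domains with a user of the same short name would collide, which is the kind of thing to decide before the first AD user logs in.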
[Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
Hi,

Previously we have used Atlassian Crowd as a source for user data in various applications, both in-house built and proprietary such as JIRA or Confluence. As we have deployed FreeIPA, I would like to start using it as the identity source. Unfortunately using Kerberos is not always possible, so I am thinking about LDAP, which often is an option in 3rd party applications.

Anonymous access to the FreeIPA LDAP is enabled by default. Is it possible to configure a username/password to access the information? Currently vSphere has a problem with anonymous access to LDAP not working as intended. Of course it would be nice to be able to restrict access anyway.

If using FreeIPA LDAP as the identity source, how should authentication be handled? Is it possible to read the hash code for passwords? Is it possible to authenticate against the LDAP service?

Any advice appreciated!

Best regards,
Thomas

--
Thomas Raehalme
CTO, Chief Technology Officer
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems, understandably
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 01:46 PM, Thomas Raehalme wrote:
> Hi,
>
> Previously we have used Atlassian Crowd as a source for user data in various applications, both in-house built and proprietary such as JIRA or Confluence. As we have deployed FreeIPA, I would like to start using it as the identity source. Unfortunately using Kerberos is not always possible, so I am thinking about LDAP, which often is an option in 3rd party applications.
>
> Anonymous access to the FreeIPA LDAP is enabled by default. Is it possible to configure a username/password to access the information? Currently vSphere has a problem with anonymous access to LDAP not working as intended. Of course it would be nice to be able to restrict access anyway.
>
> If using FreeIPA LDAP as the identity source, how should authentication be handled? Is it possible to read the hash code for passwords? Is it possible to authenticate against the LDAP service?
>
> Any advice appreciated!
>
> Best regards,
> Thomas

When using FreeIPA LDAP as an identity source, you could ideally use Kerberos/GSSAPI authentication. But if that is not available, you can use simple LDAP binds too.

You cannot read the hash codes unless you are cn=Directory Manager (or unless you set an ACI allowing that, but this is very insecure).

If you do not want to access the LDAP anonymously and you do not want to use a full IPA user for that (added via ipa user-add), you can manually add a system user and use that for binding to LDAP:

# ldapadd -h `hostname` -D "cn=Directory Manager" -x -w kokos123
dn: uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: vsphere
userPassword: SuperSecretPassword

adding new entry "uid=vsphere,cn=sysaccounts,cn=etc,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

HTH,
Martin
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 02:54 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 3:28 PM, Martin Kosek mko...@redhat.com wrote:
> > When using FreeIPA LDAP as an identity source, you could ideally use Kerberos/GSSAPI authentication. But if that is not available, you can use simple LDAP binds too.
> >
> > You cannot read the hash codes unless you are cn=Directory Manager (or unless you set an ACI allowing that, but this is very insecure).
>
> Could you please elaborate on using simple LDAP binds?

I was just referring to the fact that when a system or application uses LDAP as an identity and authentication source, it often uses the simple LDAP Bind operation (i.e. accessing LDAP with user+password) when testing if the user accessing the application provided the right credentials.

I am no expert on how you configure that with vSphere or similar, but if it supports general LDAP as an identity/authentication source, it should also work with FreeIPA. I found some documentation which may be relevant:

http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-B23B1360-8838-4FF2-B074-71643C4CB040.html

Maybe other users are capable of giving a more detailed answer with respect to vSphere.

Martin
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 19:49 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
> > On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> > > On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> > > > On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> > > > > I do NOT believe this:
> > > > >
> > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
> > > > > Could not chdir to home directory /home/net/dean: Permission denied
> > > > > -bash: /home/net/dean/.bash_profile: Permission denied
> > > > > -bash-4.2$ logout
> > > > > -bash: /home/net/dean/.bash_logout: Permission denied
> > > > > Connection to desktop2 closed.
> > > > > [dean@ipa2 ~]$ su -
> > > > > Password:
> > > > > [root@ipa2 ~]# ssh dean@desktop2
> > > > > dean@desktop2's password:
> > > > > Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
> > > > > [dean@desktop2 ~]$ logout
> > > > > Connection to desktop2 closed.
> > > > > [root@ipa2 ~]# logout
> > > > > [dean@ipa2 ~]$ ssh dean@desktop2
> > > > > Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
> > > > > [dean@desktop2 ~]$
> > > >
> > > > Are you using a kerberized NFS mount ?
> > > > I think what is happening is that when going via SSH rpc.gssd cannot find your ticket; ssh may be doing something wrong in this case.
> > > >
> > > > Simo.
> > >
> > > Yes, I am using Kerberos with NFS. Should I report this as a bug?
> >
> > We need to decide what component is faulty. It may be possible we can get it working somehow.
> > When you ssh in, what is the ccache ssh assigns you ? Can you run klist and post the output (sanitize it if needed) ?
> >
> > Simo.
>
> I hope this is what you requested:

Yes it is, but I need to see also what you get in the successful ssh case; klist is all I need to see, no other output.

Also does it work all the time if you use the command ssh -K dean@desktop2 ?

> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ hostname
> desktop2.hunter.org
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
> 09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On 09/12/2013 03:18 PM, Thomas Raehalme wrote:
> Hi!
>
> On Thu, Sep 12, 2013 at 4:06 PM, Martin Kosek mko...@redhat.com wrote:
> > I was just referring to the fact that when a system or application uses LDAP as an identity and authentication source, it often uses the simple LDAP Bind operation (i.e. accessing LDAP with user+password) when testing if the user accessing the application provided the right credentials.
>
> Yes, that's true at least for some applications. Does the LDAP in FreeIPA allow that kind of login by default for IPA users? If not, is it possible to enable it somehow?
>
> Best regards,
> Thomas Raehalme

Well, LDAP is the data backend for all FreeIPA identity data; you can certainly use plain LDAP binds with them (though Kerberos/GSSAPI auth is preferred). See an example where I add a new IPA user and do an LDAP bind with his credentials:

# ipa user-add --first=John --last=Doe jdoe --random
-------------------
Added user "jdoe"
-------------------
  User login: jdoe
  First name: John
  Last name: Doe
  Full name: John Doe
  Display name: John Doe
  Initials: JD
  Home directory: /home/jdoe
  GECOS: John Doe
  Login shell: /bin/sh
  Kerberos principal: j...@example.com
  Email address: j...@example.com
  Random password: xO3xs5yOv,dL
  UID: 47066
  GID: 47066
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ldapsearch -h `hostname` -D uid=jdoe,cn=users,cn=accounts,dc=example,dc=com -x -w xO3xs5yOv,dL -b "" -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
...

Martin
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
On 09/11/2013 11:27 PM, Christovam Paynes Silva wrote:
> 2013/9/11 Dmitri Pal d...@redhat.com
> > On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
> > > It is a pity! Thank you!
> >
> > I did not get a feeling that we understand the whole picture correctly to say that we provided the full answer..
> >
> > What I get from the description:
> > 1) Presence of Windows Clients = 100
>
> Correct!
>
> > 2) Presence of AD to rule them
>
> Correct!
>
> > 3) Presence of users (I deduce in AD too, but unclear) = 1000
>
> Correct! Users are wireless. They use Windows and Linux without a domain.
>
> > Intent: use open source technologies instead of proprietary solution.
>
> That's right!
>
> > What is not clear:
> > a) Are the users that come through the portal the same users that use Windows Clients or not? Is there an overlap?
>
> Users are via wireless. Authenticate users on a captive portal with Squid. Customers are Windows, Linux and without a domain.
>
> > b) Is there any kind of Linux servers/machines in the picture?
>
> This question was not clear to me.

FreeIPA is a domain controller for Linux/UNIX systems. Its main value is to manage the Linux environment inside your enterprise. It can manage users and groups too, as any directory can. It can also authenticate users, but its value is in creating an integrated Linux environment in terms of identity management. It seems that the setup you have does not actually have such a Linux environment, i.e. Linux machines to join to the IPA domain and manage. The question was: Do you have Linux systems to manage?

> > If you do not have Linux systems and all users can be stored in one place it might be that you do not need FreeIPA.
> > It might be that you can solve the problem by using Samba4 instead of AD, connecting your clients to it, putting your external portal users into a special OU in Samba4, configuring FreeRADIUS to use this OU for authentication. Configure your portal to use RADIUS.
>
> Sorry, I may not have understood the concept of FreeIPA.
> I would like to continue using the AD, because of Group Policy Objects (GPO).

You need to check whether Samba 4 supports GPO and to what extent.
http://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

> Does it have the ability to authenticate email services, applications, among others, directly in Samba4?

Yes, as with any LDAP server, but if you are planning to use AD then you do not need Samba 4 either. You then point your mail service and applications to AD directly. Most modern applications have some sort of LDAP integration for identity lookup and authentication. That means you would be able to point them to pretty much any directory: AD, Samba4, IPA, 389 ...

HTH
Thanks
Dmitri

> > > 2013/9/11 Simo Sorce s...@redhat.com
> > > > On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
> > > > > Hello Simo, thanks for the feedback.
> > > > > I would use Samba4 with AD and authenticate my Windows clients in FreeIPA. Is this possible?
> > > >
> > > > It is not possible at this point to combine Samba4 AD and freeIPA.
> > > >
> > > > Simo.
> > > >
> > > > > 2013/9/11 Simo Sorce s...@redhat.com
> > > > > > On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
> > > > > > > Hello!
> > > > > > >
> > > > > > > First I apologize if this topic is redundant. I'm looking at the implementation of FreeIPA. Looking through the forums, there are some comments that authentication does not work with Samba4. Elsewhere they say that that possibility exists.
> > > > > > >
> > > > > > > Today we have nearly 200 computers in the domain with Active Directory and one wireless captive portal with 1000+ proxy users.
> > > > > > >
> > > > > > > I would like to see if the following scenario is possible:
> > > > > > > 1 - Integrating Samba4 with Active Directory, to use their GPO and authenticate network users through FreeIPA.
> > > > > > > 2 - Authenticate proxy servers in FreeIPA.
> > > > > > > 3 - And if it is possible, some integration with FreeRADIUS
> > > > > >
> > > > > > Hi Christovam,
> > > > > > it is a bit unclear what you mean by integrating here.
> > > > > > Is your intent to use Samba4 as an AD domain controller for your Windows clients and IPA for your servers ? If that's the case
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> ticket, but once you alnd of the cmahine there are no credentials

this meant to be 'land on the machine', sorry for my typing impairment.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 13:59 -0400, Simo Sorce wrote:
> On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> > On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > > Yes it is, but I need to see also what you get in the successful ssh case; klist is all I need to see, no other output.
> > >
> > > Also does it work all the time if you use the command ssh -K dean@desktop2 ?
>
> you did not try the above ^^ :-)

Oops, it is these old eyes. OK, ssh -K dean@desktop2 works all the time. Now there are problems when I log out: sometimes one processor starts spinning, other times I get tossed all the way out of Gnome. I have not yet established a pattern. Is this familiar?
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
2013/9/11 Dmitri Pal d...@redhat.com
> On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
> > It is a pity! Thank you!
>
> I did not get a feeling that we understand the whole picture correctly to say that we provided the full answer..
>
> What I get from the description:
> 1) Presence of Windows Clients = 100

Correct!

> 2) Presence of AD to rule them

Correct!

> 3) Presence of users (I deduce in AD too, but unclear) = 1000

Correct! Users are wireless. They use Windows and Linux without a domain.

> Intent: use open source technologies instead of proprietary solution.

That's right!

> What is not clear:
> a) Are the users that come through the portal the same users that use Windows Clients or not? Is there an overlap?

Users are via wireless. Authenticate users on a captive portal with Squid. Customers are Windows, Linux and without a domain.

> b) Is there any kind of Linux servers/machines in the picture?

This question was not clear to me.

> If you do not have Linux systems and all users can be stored in one place it might be that you do not need FreeIPA.
> It might be that you can solve the problem by using Samba4 instead of AD, connecting your clients to it, putting your external portal users into a special OU in Samba4, configuring FreeRADIUS to use this OU for authentication. Configure your portal to use RADIUS.

Sorry, I may not have understood the concept of FreeIPA.
I would like to continue using the AD, because of Group Policy Objects (GPO).
Does it have the ability to authenticate email services, applications, among others, directly in Samba4?

> HTH
> Thanks
> Dmitri
>
> > 2013/9/11 Simo Sorce s...@redhat.com
> > > On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
> > > > Hello Simo, thanks for the feedback.
> > > > I would use Samba4 with AD and authenticate my Windows clients in FreeIPA. Is this possible?
> > >
> > > It is not possible at this point to combine Samba4 AD and freeIPA.
> > >
> > > Simo.
> > >
> > > > 2013/9/11 Simo Sorce s...@redhat.com
> > > > > On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
> > > > > > Hello!
> > > > > >
> > > > > > First I apologize if this topic is redundant. I'm looking at the implementation of FreeIPA. Looking through the forums, there are some comments that authentication does not work with Samba4. Elsewhere they say that that possibility exists.
> > > > > >
> > > > > > Today we have nearly 200 computers in the domain with Active Directory and one wireless captive portal with 1000+ proxy users.
> > > > > >
> > > > > > I would like to see if the following scenario is possible:
> > > > > > 1 - Integrating Samba4 with Active Directory, to use their GPO and authenticate network users through FreeIPA.
> > > > > > 2 - Authenticate proxy servers in FreeIPA.
> > > > > > 3 - And if it is possible, some integration with FreeRADIUS
> > > > >
> > > > > Hi Christovam,
> > > > > it is a bit unclear what you mean by integrating here.
> > > > > Is your intent to use Samba4 as an AD domain controller for your Windows clients and IPA for your servers ? If that's the case unfortunately this is not possible at the moment as samba4 does not yet support Forest level trusts.
> > > > > A Microsoft AD server can be used this way instead.
> > > > >
> > > > > Simo.
> > > > >
> > > > > --
> > > > > Simo Sorce * Red Hat, Inc * New York
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Thu, 2013-09-12 at 11:27 -0500, Dean Hunter wrote:
> On Thu, 2013-09-12 at 09:09 -0400, Simo Sorce wrote:
> > Yes it is, but I need to see also what you get in the successful ssh case; klist is all I need to see, no other output.
> >
> > Also does it work all the time if you use the command ssh -K dean@desktop2 ?

you did not try the above ^^ :-)

> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Wed Sep 11 21:14:18 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$ su -
> Password:
> [root@ipa2 ~]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [root@ipa2 ~]# ssh dean@desktop2
> dean@desktop2's password:
> Last login: Thu Sep 12 11:16:15 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/hunter@hunter.org
> 09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.hunter@hunter.org
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> [root@ipa2 ~]# logout
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
> [dean@ipa2 ~]$ ssh dean@desktop2
> Last login: Thu Sep 12 11:17:39 2013 from ipa2.hunter.org
> [dean@desktop2 ~]$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> [dean@desktop2 ~]$ logout
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktH9faWP
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:14:40  09/13/13 11:14:40  krbtgt/hunter@hunter.org
> 09/12/13 11:15:29  09/13/13 11:14:40  host/desktop2.hunter@hunter.org
>
> reboot
>
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> [dean@ipa2 ~]$ ssh -k dean@desktop2
> Last login: Thu Sep 12 11:22:31 2013 from ipa2.hunter.org
> Could not chdir to home directory /home/net/dean: Permission denied
> -bash: /home/net/dean/.bash_profile: Permission denied
> -bash-4.2$ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)
> -bash-4.2$ logout
> -bash: /home/net/dean/.bash_logout: Permission denied
> Connection to desktop2 closed.
> [dean@ipa2 ~]$ klist
> Ticket cache: DIR::/run/user/144081/krb5cc/tktLOSJxT
> Default principal: d...@hunter.org
> Valid starting     Expires            Service principal
> 09/12/13 11:23:56  09/13/13 11:23:56  krbtgt/hunter@hunter.org
> 09/12/13 11:24:43  09/13/13 11:23:56  host/desktop2.hunter@hunter.org

However here is the exact explanation of what is going on.

The first time you ssh in you are not using password authentication but SSO (GSSAPI auth), *however* you are not delegating credentials to desktop2 (-K option). What this means is that ssh can allow you in because you have a valid ticket, but once you land on the machine there are no credentials available there locally, so the NFS client has no way to authenticate you to the NFS server.

Later on when you do the su - and the ssh you are doing password authentication instead. *that* is the key difference; the fact that you do su - is a red herring and only causes you to not have credentials to use and makes ssh fall back to password authentication. You can obtain the same effect calling kdestroy instead of su -, or telling ssh to not use GSSAPI for auth.

Anyway when you authenticate with a password you give the target system your password, which it will use to obtain a ticket for you, and it places the ticket in the DIR:/run/user/... directory. There the NFS client can find it and uses it to authenticate
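The failure mode Simo describes is easy to misread because the login itself succeeds; what is missing is a credential cache on the target for rpc.gssd to use. The helpers below are an added example, not from the thread: check_session_creds() classifies klist output from the target host, and delegating_ssh_config() emits the ssh_config stanza that makes every ssh to that host behave like `ssh -K` (the OpenSSH GSSAPIDelegateCredentials option). Host names and the two klist samples are constructed, modelled on the outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers around the explanation of
# GSSAPI login without credential delegation on a kerberized-NFS client.

# Return 0 if the klist output shows a TGT (krbtgt/...), 1 if the session
# has no usable cache. A successful GSSAPI *authentication* says nothing
# about this: only delegation (ssh -K) or a password login that lets
# pam_sss obtain a fresh TGT leaves credentials on the target.
check_session_creds() {
    case "$1" in
        *"No credentials cache found"*) return 1 ;;
        *"krbtgt/"*)                    return 0 ;;
        *)                              return 1 ;;
    esac
}

# Emit an ssh_config stanza for host $1 that turns on GSSAPI auth with
# delegation. Delegation hands the target a copy of your TGT, so enable it
# per host rather than under "Host *": a delegated ticket on desktop2 can
# act as you towards any other service in the realm until it expires.
delegating_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '    GSSAPIAuthentication yes\n'
    printf '    GSSAPIDelegateCredentials yes\n'
}

# Run on the target after logging in: says whether Kerberos NFS can work
# for this session and exits 1 if it cannot.
diagnose_login() {
    out=$(klist 2>&1)
    if check_session_creds "$out"; then
        echo "session holds a TGT; rpc.gssd can request nfs/ tickets"
    else
        echo "no Kerberos credentials in this session; log in with ssh -K (delegation) or a password"
        return 1
    fi
}

# Constructed samples, modelled on the klist outputs quoted in the thread.
NO_CACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_144081)'
WITH_TGT='Ticket cache: DIR::/run/user/144081/krb5cc/tktrhI7WX
Default principal: dean@EXAMPLE.TEST
Valid starting     Expires            Service principal
09/12/13 11:17:40  09/13/13 11:17:39  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
09/12/13 11:17:40  09/13/13 11:17:39  nfs/ipa2.example.test@EXAMPLE.TEST'

# Usage:
#   check_session_creds "$NO_CACHE"  -> exit status 1
#   check_session_creds "$WITH_TGT"  -> exit status 0
#   delegating_ssh_config desktop2 >> ~/.ssh/config
```

Note that in the transcript above the second attempt uses lowercase `-k`, which in OpenSSH disables delegation rather than enabling it, so it reproduces the original failure; the per-host stanza avoids that slip.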
[Freeipa-users] IPA vs 3.0 and Windows Group Policy
Hello,

My company currently has RHEL 6.4 with IPA vs 3.0 and Samba vs 3. Is it currently possible to integrate a Windows server into this domain for using group policies on my Windows clients without creating a Windows domain or Active Directory?

--
Zach
Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications
On Thu, Sep 12, 2013 at 02:28:45PM +0200, Martin Kosek wrote:
> # ldapadd -h `hostname` -D cn=Directory Manager -x -w kokos123
                                                        ^^ 0wn3d :-)
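The joke above makes a real point: a bind password given with -w is visible to every user on the box through `ps` and ends up in shell history. The script below is an added example, not from the thread or from FreeIPA: it creates the same kind of cn=sysaccounts entry Martin shows (and runs the same ldapsearch bind test he used for jdoe), but with both the Directory Manager password and the new account's password read from mode-0600 files via the OpenLDAP tools' -y option, and the LDIF fed over stdin. The base DN, account name and file paths are assumptions. One caveat that matters with -y: the tools use the complete file contents as the password, so write the file without a trailing newline.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): create a FreeIPA
# system account for an application's simple LDAP bind without putting any
# password on a command line. Base DN and paths are assumptions.

# Refuse to use a password file that is readable by group or others.
require_private_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    if [ -n "$(find "$f" -perm -004 -o -perm -040 2>/dev/null)" ]; then
        echo "password file $f must not be group/world readable (chmod 600)" >&2
        return 1
    fi
}

# Print the LDIF for a system account under cn=sysaccounts,cn=etc.
# $1 uid, $2 base DN, $3 file holding the account's password (no newline).
# The password is read from the file here, never passed as an argument.
sysaccount_ldif() {
    uid="$1"; base="$2"; passfile="$3"
    require_private_file "$passfile" || return 1
    pass=$(cat "$passfile")
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$uid" "$base"
    printf 'objectClass: account\n'
    printf 'objectClass: simplesecurityobject\n'
    printf 'objectClass: top\n'
    printf 'uid: %s\n' "$uid"
    printf 'userPassword: %s\n' "$pass"
}

# Create the entry as Directory Manager. $1 uid, $2 base DN,
# $3 account password file, $4 Directory Manager password file.
# LDAPS keeps the LDIF (and the simple-bind password) off the wire in clear.
add_sysaccount() {
    require_private_file "$4" || return 1
    sysaccount_ldif "$1" "$2" "$3" |
        ldapadd -H "ldaps://$(hostname)" -x -D "cn=Directory Manager" -y "$4"
}

# Verify the application account can bind: a base-scope search of the root
# DSE as that account, requesting no attributes (1.1). Exit status is
# ldapsearch's, so 0 means the bind (i.e. the password) worked.
check_sysaccount_bind() {
    uid="$1"; base="$2"; passfile="$3"
    require_private_file "$passfile" || return 1
    ldapsearch -H "ldaps://$(hostname)" -x \
        -D "uid=$uid,cn=sysaccounts,cn=etc,$base" -y "$passfile" \
        -b "" -s base -LLL 1.1 >/dev/null
}

# Usage (assumed paths; printf '%s' writes the file without a newline):
#   umask 077
#   printf '%s' 'SuperSecretPassword' > /root/.vsphere-pass
#   add_sysaccount vsphere dc=example,dc=com /root/.vsphere-pass /root/.dm-pass
#   check_sysaccount_bind vsphere dc=example,dc=com /root/.vsphere-pass
```

A system account created this way has no Kerberos principal and is not a member of ipausers, so it can read what anonymous users can read plus whatever ACIs you grant it; that is usually exactly the scope you want for an application's lookup bind.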
Re: [Freeipa-users] IPA Query Tuning and a Recovery Question
On Mon, Sep 9, 2013 at 5:32 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 09/09/2013 10:20 AM, Charlie Derwent wrote:
> > Hi,
> >
> > 2 questions, some of our automation accounts are needlessly querying the IPA server every time they call a command via sudo. This is generating a lot of noise in our access logs. Is there any way to ensure certain system accounts don't call out to the IPA server for additional groups or sudo permission when completing tasks?
>
> What are your client platforms? Does sssd or newer versions of sudo cache?
>
> > The other question is slightly more embarrassing, one of our guys saw /var filling and noticed that /var/lib/dirsrv/slapd-EXAMPLE-COM/db/ had a load of log files which looked like they weren't being tidied.
>
> They are automatically cleaned up. If you have a lot of updates, it may take longer.
>
> > One stupid decision later and I'm now here asking on his behalf if there is any way of restoring the database from a replica or is a complete rebuild required?
>
> Just reinit the replica using ipa-replica-manage.

I just tried to reinit the replica but I'm getting an error about failure to connect to the LDAP server. I'm guessing that's because it's impossible for me to kinit on the server now given the state of the DB.

> > Second question is obviously a little bit more urgent than the first but any advice is greatly appreciated.
> >
> > Thanks,
> > Charlie
Re: [Freeipa-users] IPA vs 3.0 and Windows Group Policy
On Thu, 12 Sep 2013, Zach Musselman wrote:
> Hello,
>
> My company currently has RHEL 6.4 with IPA vs 3.0 and Samba vs 3. Is it currently possible to integrate a Windows server into this domain for using group policies on my Windows clients without creating a Windows domain or Active Directory?

No, it is not possible.

--
/ Alexander Bokovoy