[Freeipa-users] IPA trust external DNS Default-First-Site-Name records

2016-06-10 Thread Jan Karásek
Hi, I am trying to set up external DNS for IPA with AD trust. I have set all records in DNS according to the doc, but in the internal IPA DNS I can see 3 more DNS records which are not mentioned in the doc. They were set automatically during the ipa trust-add command, I guess:

[Freeipa-users] AD trust with POSIX attributes

2016-06-21 Thread Jan Karásek
Hi all, I have a question about IPA with AD forest trust. What I am trying to do is set up an environment where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD. I have set up trust with these parameters: ipa

Re: [Freeipa-users] AD trust with POSIX attributes

2016-06-23 Thread Jan Karásek
Hi, thank you for the answers. Maybe I am doing something wrong. 1. AD attributes - I am using the standard set of user's attributes in AD - I did not extend the AD schema (2012 R2). I am using the set of attributes defined in RFC2307: uidNumber gidNumber gecos homeDirectory loginShell I am

[Freeipa-users] Fwd: AD trust and UPN issue

2016-05-10 Thread Jan Karásek
Hi all, I have a lab environment with an IPA server and trust to Active Directory. IPA server is in a.example.com. AD DC is in example.com. We also have a child AD subdomain ext.example.com. Everything is fine until the users in AD domain ext.example.com get the UPN suffix of the root AD domain -

[Freeipa-users] AD trust and UPN issue

2016-05-10 Thread Jan Karásek
are exists ? Is > there any additional configuration needed to fix this scenario ? In general no, not until 7.3. But it might work with a workaround. Can you try setting: ldap_user_principal = nosuchattr subdomain_inherit = ldap_user_principal in sssd.conf's domain section on the server? (Y

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-21 Thread Jan Karásek
] #debug_level = 5 [sudo] [autofs] [ssh] #debug_level = 4 [pac] #debug_level = 4 [ifp] Regards, Jan From: "Alexander Bokovoy" <aboko...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz> Cc: "Justin Stephenson" <jstep...@redhat.com>, fr

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-19 Thread Jan Karásek
Hi, I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ? I have tried to set values of attributes before and after creating trust, I have

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
- so no values assigned. I'm using W2012 R2. Thank you, Jan From: "Justin Stephenson" <jstep...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz>, freeipa-users@redhat.com Sent: Tuesday, July 19, 2016 8:36:00 PM Subject: Re: [Freeipa-users] AD tru

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
=RpcServices,CN=System,DC=rwe,DC=tt - it is empty. Did I miss setting something on the AD site? Thanks, Jan From: "Justin Stephenson" <jstep...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz> Cc: freeipa-users@redhat.com Sent: Wednesday, July

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-22 Thread Jan Karásek
the value of unixHomeDirectory attribute. Is there any way to use value from AD not from subdomain_homedir template for this parameter ? Regards, Jan From: "Justin Stephenson" <jstep...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz>, "Alexande

[Freeipa-users] IPA-AD ldap acces - account ?

2016-08-17 Thread Jan Karásek
Hi, please could somebody explain how and with which account IPA is accessing the DC in an IPA - AD trust scenario. Is it possible to simulate with ldapsearch some query to AD with the same permissions as the IPA server? We have some issues with reading LDAP objects from AD and I would like to

Re: [Freeipa-users] IPA-AD ldap acces - account ?

2016-08-18 Thread Jan Karásek
Great ! Thank you very much. It works ! Regards, Jan From: "Alexander Bokovoy" <aboko...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz> Cc: freeipa-users@redhat.com Sent: Thursday, August 18, 2016 4:03:14 PM Subject: Re: [Freeipa-users] IPA-AD lda

[Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Jan Karásek
Hi, I just looked into the RHEL 6.9 beta repos and I can see there is the sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if RHEL 6.9 will come with support for using a different UPN than the domain name. I am talking about the AD trust scenario where a user in an AD domain sits in

Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-08 Thread Jan Karásek
Hi, thank you for help. I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works really nicely. The trouble is on RHEL 6 machines. I have tried to add krb5_use_enterprise_principal = true into the domain section of sssd.conf on RHEL 6 IPA clients but the problem still persists. Is there

[Freeipa-users] IPA - AD trust - LDAP signing

2016-10-07 Thread Jan Karásek
for help. Jan Karásek

[Freeipa-users] SSH public user's key stored in AD POSIX attribute

2016-09-21 Thread Jan Karásek
Hi, I have a question about the IPA-AD trust scenario where POSIX attributes are stored in AD. I would like to know if it's possible to store a user's public SSH key in Active Directory in some user's object attribute - the same way as uidNumber or loginShell. I can't find any suitable attribute

Re: [Freeipa-users] IPA-AD ldap acces - account ?

2016-08-18 Thread Jan Karásek
to AD ldap ? Thank you, Jan From: "Alexander Bokovoy" <aboko...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz> Cc: freeipa-users@redhat.com Sent: Wednesday, August 17, 2016 4:12:28 PM Subject: Re: [Freeipa-users] IPA-AD ldap acces - account ? On

Re: [Freeipa-users] AD trust and UPN issue

2016-11-08 Thread Jan Karásek
to handle that. Thanks, Jan -- From: "Jan Karásek" <jan.kara...@elostech.cz> To: freeipa-users@redhat.com Sent: Tuesday, May 10, 2016 4:44:14 PM Subject: AD trust and UPN issue Hi, thank you for the answer

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Hi, thank you for help. This is my sssd.conf from server : [domain/vs.example.cz] debug_level = 7 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = vs.example.cz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname =

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite ok with that. Jan -- Message: 1 Date: Wed, 19 Oct 2016 12:28:31 +0200 From: Sumit Bose To: freeipa-users@redhat.com

[Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jan Karásek
Hi, please can you help me with troubleshooting IPA clients in an IPA - AD trust scenario? We have two IPA servers and a couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2. AD servers are in domains example.cz, cen.example.cz. Test users sit in cen.example.cz. IPA is subdomain

[Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jan Karásek
Hi, I have trouble with resolving AD users from my IPA clients. Environment: 2x IPA server with trust into AD - both IPA servers and clients running latest rhel 7.3. IPA domain: vs.example.com AD domain: example.com, cen.example.com All tstx users are in cen.example.com but their UPN

[Freeipa-users] Missing user's primary group after ipa migrate-ds

2017-03-21 Thread Jan Karásek
the primary group of newly created user- tester + other non primary groups. Am I doing something wrong ? How to fix this ? Import primary groups manually with ldapmodify or can I create them with ipa group-add ? Thanks, Jan Jan Karásek ELOS Technologies s.r.o. Americká 36 120

Re: [Freeipa-users] Mutli site IPA scenario - DNS issue

2017-03-14 Thread Jan Karásek
will have backup servers inside the each site. Just now I am simply trying to establish first inter site replication to prove that design is possible. Jan - Original Message - From: "Martin Basti" <mba...@redhat.com> To: "Jan Karásek" <jan.kara...@elostech.cz>,

[Freeipa-users] Mutli site IPA scenario - DNS issue

2017-03-14 Thread Jan Karásek
Hi, please can you point me in the right direction with this issue? Scenario: Site A, Site B, IPA in Site A is already installed with DNS, CA and I want to create a replica in Site B. OS: RHEL 7.3, IPA 4.4 Site A - 192.168.0.0/24 IPA_A server interfaces: eth0: 192.168.0.10 -- access for