Re: [Freeipa-users] Windows Clients can´t access linux services using kerberos

2017-03-15 Thread Carlos Raúl Laguna
Still trying to understand why Windows clients do not pass the
authentication on a kerberized proxy in a scheme where there is a forest
trust. I assumed that in a forest trust, cross-authentication between
realms was established automatically; am I wrong about this?

I am using FreeIPA 4.4.3 and I can access any Linux host enrolled in IPA
with my Windows credentials; the SSO works just fine from any Linux host. Any
idea what I am missing? Thanks in advance

2017-03-15 3:18 GMT-04:00 Carlos Raúl Laguna <carlosla1...@gmail.com>:

> Hello everyone, I need some help with this. I have set up an IPA 4.4.3
> server and I have established a forest trust relationship with Active
> Directory; everything looks good. After following this guide
> http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no
> on Linux clients it has worked without problems, but it has not
> been so on my Windows clients. Have I overlooked something? How should the
> Windows clients' ticket be registered by the proxy? Thanks for your
> help, any insight will help me.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Windows Clients can´t access linux services using kerberos

2017-03-15 Thread Carlos Raúl Laguna
Hello everyone, I need some help with this. I have set up an IPA 4.4.3 server
and I have established a forest trust relationship with Active Directory;
everything looks good. After following this guide
http://www.freeipa.org/index.php?title=Squid_Integration_with_FreeIPA_using_Single_Sign_On&redirect=no
on Linux clients it has worked without problems, but it has not been so on my
Windows clients. Have I overlooked something? How should the Windows clients'
ticket be registered by the proxy? Thanks for your help, any insight will help
me.

[Freeipa-users] Unable to add attributes to default user schema

2016-12-26 Thread Carlos Raúl Laguna
Hello everyone,

I am trying to add a new attribute "mailQuota" to the default user schema.
So far I added the objectclass mailrecipient, which contains this specific
attribute, to the default user objectclasses, but so far I am only
capable of adding the attribute manually with user-mod
--addattr=mailQuota=102400, but when I invoke config-mod
--addattr=mailQuota=102400 I get ipa: ERROR: attribute "mailQuota" not
allowed. Any way to get around this? Also, is
https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
still relevant for FreeIPA 4.3.2?

Thanks in advance

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem; the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> After checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> So I disabled the DNSSEC validation on IPA and it worked as expected. I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>
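
A way to triage the resolver error quoted in this thread, as an added example that is not part of the original messages: it groups DNSSEC validation failures in a named log by upstream server and domain, so the zone whose chain of trust is missing stands out. The sample log lines are constructed (modelled on the one line quoted above), and the reason strings are the validator messages BIND is known to log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Reasons BIND's resolver logs when DNSSEC validation rejects an answer.
REASONS = (
    "no valid DS",
    "no valid RRSIG",
    "broken trust chain",
    "insecurity proof failed",
)

# Matches both "no valid DS resolving '...'" and "error (no valid DS) resolving '...'".
# The optional whitespace before "/TYPE" tolerates the spacing seen in the thread.
LINE_RE = re.compile(
    r"(?:error \()?(?P<reason>" + "|".join(map(re.escape, REASONS)) + r")\)?"
    r" resolving '(?P<name>[^'/]+?)\s*/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)'"
    r": (?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# Constructed sample input: timestamps, names and the second server are made up.
SAMPLE_LOG = """\
20-Oct-2016 10:01:12.101 lame-servers: info: no valid DS resolving '_ldap._tcp.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 10:01:12.455 lame-servers: info: no valid DS resolving '_kerberos._udp.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 10:01:13.002 lame-servers: info: error (broken trust chain) resolving 'dc1.ad.example.test/A/IN': 10.20.4.22#53
20-Oct-2016 10:01:14.700 queries: info: client 192.0.2.15#40112: query: ipa.example.test IN A +
20-Oct-2016 10:01:15.120 lame-servers: info: no valid RRSIG resolving 'other.example.net/DS/IN': 192.0.2.53#53
"""


def parse_line(line):
    """Return a dict for a DNSSEC validation failure line, or None for anything else."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    record["name"] = record["name"].rstrip(".").lower()
    record["port"] = int(record["port"])
    return record


def service_domain(name):
    """Drop leading underscore labels (_ldap._tcp.) to get the name the service lives under."""
    labels = name.split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)


def summarize(lines):
    """Group failures as {upstream server: {domain: sorted list of reasons}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in lines:
        record = parse_line(line)
        if record is not None:
            domain = service_domain(record["name"])
            grouped[record["server"]][domain].add(record["reason"])
    return {
        server: {domain: sorted(reasons) for domain, reasons in domains.items()}
        for server, domains in grouped.items()
    }


if __name__ == "__main__":
    for server, domains in summarize(SAMPLE_LOG.splitlines()).items():
        for domain, reasons in sorted(domains.items()):
            print(f"{server}: {domain}: {', '.join(reasons)}")
```

A domain that only ever shows "no valid DS" from one forwarder is the pattern described in the thread: the validating resolver expects a signed delegation and the upstream zone does not provide one.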

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander,
I do believe it is a DNS problem; the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain
After checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

So I disabled the DNSSEC validation on IPA and it worked as expected. I will
set up DNSSEC on the Windows side and enable DNS validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer


2016-10-20 10:10 GMT-04:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and Fedora 24 Server FreeIPA 4.3.2, as
>> the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> However, the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not
>> sure if this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help to help
> you, let's start from it.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone,

Both servers are fresh installs, 2008r2 and Fedora 24 Server FreeIPA 4.3.2, as
the documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

However, the server is unable to resolve any record from my child domain. I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure
if this version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.

Re: [Freeipa-users] Fwd: NetworkError : invalid continuation byte with utf8 codec

2016-01-06 Thread Carlos Raúl Laguna
Happy new year to all, just to point out that this also affects Fedora23
Free-IPA 4.2.0 and 4.3.0 from corps. Locales are set to es_ES.UTF-8.
Regards

2016-01-05 23:32 GMT-05:00 Fraser Tweedale :

> On Mon, Jan 04, 2016 at 03:13:43PM +0100, Domineaux Philippe wrote:
> > Hello,
> >
> > Happy new year.
> >
> > So the content of my /etc/locale.conf :
> >
> > LANG="fr_FR.UTF-8"
> >
> Happy new year to you too, and thanks for the info.
>
> I reproduced the issue and there is a now a patch awaiting review.
> Ticket: https://fedorahosted.org/freeipa/ticket/5578
>
> Cheers,
> Fraser
>
> > -- Forwarded message --
> > From: Fraser Tweedale 
> > Date: 2015-12-23 5:11 GMT+01:00
> > Subject: Re: [Freeipa-users] NetworkError : invalid continuation byte with
> > utf8 codec
> > To: Gmail 
> > Cc: freeipa-users@redhat.com
> >
> >
> > On Tue, Dec 22, 2015 at 08:39:09AM +0100, Gmail wrote:
> > > Here are the files you ask for:
> > >
> > Thank you.  I see Tomcat is running in an fr_FR locale. Could you
> > also provide contents of `/etc/locale.conf'?
> >
> > Cheers,
> > Fraser
> >
> > >
> > >
> > > On 22 December 2015 at 02:30:06, Fraser Tweedale (ftwee...@redhat.com)
> > > wrote:
> > >
> > > On Mon, Dec 21, 2015 at 05:29:01PM +0100, Gmail wrote:
> > > > Hi all,
> > > >
> > > > When trying to install on a fresh new Centos 7 I’ve got this error :
> > > >
> > > > > 2015-12-21T16:04:44Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > > > 2015-12-21T16:04:44Z ERROR cannot connect to 'https://freeipa.ipa.local:8443/ca/rest/profiles/raw': 'utf8' codec can't decode byte 0xea in position 13: invalid continuation byte
> > > >
> > > > My freeipa-server version is :  4.2.0
> > > > I’m running a Centos 3.10.0-327.3.1.el7.x86_64
> > > >
> > > > Any idea of what goes wrong?
> > > >
> > > Thanks for reporting. I have not seen this error before. Could you
> > > please include the following log files and I will take a closer
> > > look:
> > >
> > > /var/log/ipaserver-install.log
> > > /var/log/pki/pki-tomcat/ca/debug
> > >
> > > Cheers,
> > > Fraser

[Freeipa-users] Unable to install ipa-server-trust-ad

2015-07-22 Thread Carlos Raúl Laguna
Hello everyone,

I am using Fedora 22 Server with copr repos enabled for FreeIPA 4.2.
According to the documentation I executed sudo dnf install -y
*ipa-server *ipa-server-trust-ad bind bind-dyndb-ldap, however the
following error occurs:

Error: package freeipa-server-trust-ad-4.1.4-2.fc22.x86_64 requires
samba-python, but none of the providers can be installed

I cleaned the metadata and tried again but no change. Any help will be great

Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.

2015-05-28 Thread Carlos Raúl Laguna
Thanks for the clarifications, one more question, does FreeIPA support
partial or fractional replications? Regards

2015-05-28 0:25 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

 On Wed, 27 May 2015, Carlos Raúl Laguna wrote:

 Hello Martin, Alexander

 Seems that the time shift is large between us. If I understand correctly,
 the compat tree will allow me to see all users, regardless of their location,
 Windows or FreeIPA; however, the Kolab-specific attributes must come from
 FreeIPA and Windows AD, where the user entries lie. This means creating
 custom object classes and attributes for the AD schema, then updating the
 compat plugin to see the custom attributes.

 The second part, where Kolab needs to update some value in any of these
 attributes, for example mailQuota: it would be rejected and therefore it must
 be done from Windows AD or FreeIPA, is this correct? Thanks to both of you
 for your time and input in this matter. Regards

 Just to make you absolutely clear: using compat tree will not help you
 at all. Nothing else in FreeIPA could help you in getting Kolab to work
 with both IPA and AD users at the same time.

 It would be nice if kolab could grow a capability to connect to multiple
 LDAP servers at the same time, with non-overlapping user and group
 trees. I don't think it is there now and I don't see other possibilities
 here.



 2015-05-27 4:46 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

  On Wed, 27 May 2015, Martin Kosek wrote:

  On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:

  On Wed, 27 May 2015, Martin Kosek wrote:

  On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

  Hello Martin,

 The email deployment is a groupware, in this scenario Kolab. Kolab uses
 389 ad as its main backend and it requires some Kolab LDAP-specific
 attributes to work properly. This is not a problem; in fact it is quite easy
 to use FreeIPA as the Kolab backend. So far so good, but the romance only
 gets this far. Since we also use Windows AD with forest trust, not all users
 are present in the FreeIPA directory, and that is where my problem lies.
 Since not all users are in the same box, it becomes difficult to implement
 one mail system for all users. Regards


 As I said, we have compat tree that allows LDAP BIND authentication and
 LDAP identity (not enumeration) for both IPA users and AD users when realm
 is in place.

 You can even update the configuration of the compat tree and add the kolab
 specific fields to be generated there too. There was very similar request on
 freeipa-users. It was for vSphere, but dealing with very similar use case
 and the final solution:

 http://www.freeipa.org/page/HowTo/vsphere5_integration

 Would that approach work for you?

  I don't think it will work. compat tree is run-time read-only view of
 the data coming from somewhere else. You need to have Kolab-specific
 data available somewhere to be able to inject it in the compat tree.
 Where would that data be stored for Kolab for AD-specific entries?


 It would work as long as the attributes are in the real user entries in
 form of custom attributes and compat plugin can be updated to add those to
 compat view.

  What real user entries you are talking about for AD users?

  Additionally, Kolab wants to modify these custom attributes and compat
 tree simply does not support modification, they all are refused.


 If Kolab requires modifications, then this approach would not work with
 current FreeIPA implementation, yes.

  No, we are not going into enabling modifications over compat tree, this
 is simply impossible to achieve, sorry.
 --
 / Alexander Bokovoy





 --
 / Alexander Bokovoy


Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.

2015-05-27 Thread Carlos Raúl Laguna
Hello Martin, Alexander

Seems that the time shift is large between us. If I understand correctly,
the compat tree will allow me to see all users, regardless of their location,
Windows or FreeIPA; however, the Kolab-specific attributes must come from
FreeIPA and Windows AD, where the user entries lie. This means creating
custom object classes and attributes for the AD schema, then updating the
compat plugin to see the custom attributes.

The second part, where Kolab needs to update some value in any of these
attributes, for example mailQuota: it would be rejected and therefore it must
be done from Windows AD or FreeIPA, is this correct? Thanks to both of you for
your time and input in this matter. Regards

2015-05-27 4:46 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

 On Wed, 27 May 2015, Martin Kosek wrote:

 On 05/27/2015 10:08 AM, Alexander Bokovoy wrote:

 On Wed, 27 May 2015, Martin Kosek wrote:

 On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote:

 Hello Martin,

 The email deployment is a groupware, in this scenario Kolab. Kolab uses
 389 ad as its main backend and it requires some Kolab LDAP-specific
 attributes to work properly. This is not a problem; in fact it is quite easy
 to use FreeIPA as the Kolab backend. So far so good, but the romance only
 gets this far. Since we also use Windows AD with forest trust, not all users
 are present in the FreeIPA directory, and that is where my problem lies.
 Since not all users are in the same box, it becomes difficult to implement
 one mail system for all users. Regards


 As I said, we have compat tree that allows LDAP BIND authentication and
 LDAP identity (not enumeration) for both IPA users and AD users when realm
 is in place.

 You can even update the configuration of the compat tree and add the kolab
 specific fields to be generated there too. There was very similar request on
 freeipa-users. It was for vSphere, but dealing with very similar use case
 and the final solution:

 http://www.freeipa.org/page/HowTo/vsphere5_integration

 Would that approach work for you?

 I don't think it will work. compat tree is run-time read-only view of
 the data coming from somewhere else. You need to have Kolab-specific
 data available somewhere to be able to inject it in the compat tree.
 Where would that data be stored for Kolab for AD-specific entries?


 It would work as long as the attributes are in the real user entries in
 form of custom attributes and compat plugin can be updated to add those to
 compat view.

 What real user entries you are talking about for AD users?

  Additionally, Kolab wants to modify these custom attributes and compat
 tree simply does not support modification, they all are refused.


 If Kolab requires modifications, then this approach would not work with
 current FreeIPA implementation, yes.

 No, we are not going into enabling modifications over compat tree, this
 is simply impossible to achieve, sorry.
 --
 / Alexander Bokovoy


Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.

2015-05-26 Thread Carlos Raúl Laguna
Hello Martin,

The email deployment is a groupware, in this scenario Kolab. Kolab uses
389 ad as its main backend and it requires some Kolab LDAP-specific attributes
to work properly. This is not a problem; in fact it is quite easy to use
FreeIPA as the Kolab backend. So far so good, but the romance only gets this
far. Since we also use Windows AD with forest trust, not all users are present
in the FreeIPA directory, and that is where my problem lies. Since not all
users are in the same box, it becomes difficult to implement one mail system
for all users. Regards

[Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.

2015-05-25 Thread Carlos Raúl Laguna
How can I use a single backend for an email deployment in such a scenario?
Since I am using forest trust, users are not present in one
place. Regards

Re: [Freeipa-users] Single mail deployment i an FreeIPA-WindowsAD scenario.

2015-05-25 Thread Carlos Raúl Laguna
Any ideas how to overcome this? Winsync may be a better approach for us
instead of cross-trust. Regards

2015-05-25 13:06 GMT-04:00 Carlos Raúl Laguna carlosla1...@gmail.com:

 How can I use a single backend for an email deployment in such a scenario?
 Since I am using forest trust, users are not present in one
 place. Regards


Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]

2015-05-22 Thread Carlos Raúl Laguna
Hi Alexander
Great news, does this also mean that users created in FreeIPA are self
created/synchronized in the Windows AD? Regards

2015-05-22 15:00 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

 Hi,

 As per attached message, Fedora 22 final release will come to life next
 week. If you are planning to use FreeIPA in Fedora 22 or upgrade your
 FreeIPA deployment to Fedora 22, make sure updates-testing repository is
 enabled. Several last moment bug fixes related to FreeIPA were not
 rolled into the final Fedora 22 image and they are waiting in
 updates-testing for the gates to be open after release.

 One particular area is support for cross-forest trusts with Active
 Directory --- Samba in Fedora 22 got upgraded to 4.2.1 version which
 caused some changes in underlying libraries FreeIPA uses for supporting
 the cross-forest trust. The fixes are awaiting you after install in the
 updates-testing.

 Happy Fedora 22 use!
 --
 / Alexander Bokovoy


 -- Forwarded message --
 From: Jaroslav Reznik jrez...@redhat.com
 To: devel-annou...@lists.fedoraproject.org, test-announce test-annou...@lists.fedoraproject.org, Fedora Logistics List logist...@lists.fedoraproject.org
 Cc:
 Date: Fri, 22 May 2015 14:46:39 -0400 (EDT)
 Subject: [Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015
 At the Fedora 22 Final Go/No-Go Meeting #2 that just occurred, it was
 agreed to Go with the Fedora 22 Final by Fedora QA, Release Engineering
 and Development.

 Fedora 22 Final will be publicly available on Tuesday, May 26, 2015.

 Meeting details can be seen here:
 Minutes: http://bit.ly/1Bh2pH1
 Log: http://bit.ly/1HzMI5g

 Thank you everyone for a great job, sleepless nights validating TCs,
 RCs, fixing bugs, composing stuff and everything else needed for
 smooth releases. Amazing last three years wrangling releases for me!

 Jaroslav
 ___
 test-announce mailing list
 test-annou...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/test-announce
 --
 devel mailing list
 de...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/devel
 Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]

2015-05-22 Thread Carlos Raúl Laguna
Just for clarification,
If I create a user in Windows 2008R2 it propagates to FreeIPA 4.1 because
FreeIPA trusts the AD domain. In this scenario, where AD equally trusts the
FreeIPA domain (Fedora 22), should a user created in FreeIPA not propagate
as well to AD? Regards


2015-05-22 16:39 GMT-04:00 Alexander Bokovoy aboko...@redhat.com:

 On Fri, 22 May 2015, Carlos Raúl Laguna wrote:

 Hi Alexander
 Great news, does this also mean that users created in FreeIPA are self
 created/synchronized in the Windows AD? Regards

 With cross-forest trust we don't synchronize anything to AD. Think about
 it as if FreeIPA was a separate AD forest, two AD forests don't
 synchronize anything to each other, they _refer_ to each other's domain
 controllers for operations that require authentication or other changes.

 --
 / Alexander Bokovoy


Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Carlos Raúl Laguna
2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com:

  On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote:

 Hello to everyone, for some time now I have been pretty much stalking the
 Samba project site, looking forward to forest trust, and it seems that they
 introduced new functions to support trust domains
 https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I guess in
 the future it will be possible.


 Yes in future.


  Anyway, I am about to do a FreeIPA-Windows deployment and I was
 wondering if it will be possible in the future to migrate from Windows to Samba?


 Yes. This is the intent. At least to be able to replace AD with Samba DC
 in some cases. I am not sure how smooth the migration part will be.

  And also, which version of FreeIPA is most ready for deployment ?


 Now?
 In which distro?

 In RHEL please use what is in 7.0.
 If you use Fedora then at least 4.0. You might want to wait couple weeks
 and use 4.1 when it gets released.

  Thanks for your time and effort. Regards







 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 Thanks for your reply, will there be any way to use 4.1 in RHEL 7L. Regards

[Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-09 Thread Carlos Raúl Laguna
Hello to everyone, for some time now I have been pretty much stalking the
Samba project site, looking forward to forest trust, and it seems that they
introduced new functions to support trust domains
https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc1.txt I guess in the
future it will be possible.

Anyway, I am about to do a FreeIPA-Windows deployment and I was wondering
if it will be possible in the future to migrate from Windows to Samba? And also,
which version of FreeIPA is most ready for deployment? Thanks for your
time and effort. Regards

Re: [Freeipa-users] FreeIPA customized for Kolab

2014-07-05 Thread Carlos Raúl Laguna
Will do, need to make a proper guide first. Thanks to all. Regards


2014-07-04 3:26 GMT-04:00 Petr Spacek pspa...@redhat.com:

 On 4.7.2014 00:49, Carlos Raúl Laguna wrote:

 In cn=config
 an extensibleObject with a domainRelatedObject and aci (required by Kolab)


 Not sure what this means - does this mean you added objectclass:
 extensibleObject to dn: cn=config?

 Thanks for the fast reply, and yes, it is required so Kolab can check which
 is the primary domain. Thanks for your answer. Regards


 2014-07-03 18:12 GMT-04:00 Rich Megginson rmegg...@redhat.com:

On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:

 Hello everyone, for some time I was trying to make Kolab Groupware work
 with FreeIPA and after some research it is now working.


 It would be great if you can write down what you did to a new wikipage,
 preferably linked from
 http://www.freeipa.org/page/HowTos#3rd_party_Applications_Integration

 Your normal Fedora account will allow you to edit Freeipa.org wiki.

 Thank you for your time!

 Petr^2 Spacek




 Great!


   However, the modifications made in FreeIPA make me wonder if they somehow
 limit the functions of the software.


 Changes made:

   Creation of
 OU=Groups (Don't want to mix FreeIPA groups with Kolab's)
 OU=Shared Folders (Required by Kolab)
 OU=Resources (Required by Kolab)


   In cn=config
 an extensibleObject with a domainRelatedObject and aci (required by Kolab)


 Not sure what this means - does this mean you added objectclass:
 extensibleObject to dn: cn=config?



 The users are created from the FreeIPA interface name.surname, which results in
 a mailbox for that user in the Kolab server.

 My actual question is if this may break replication, or the Windows -
 FreeIPA forest relationship. Thanks in advance for your time. Regards


 This should not break replication, nor windows trust/sync, afaik.  Not
 sure what effect this will have on other parts of FreeIPA though.



 --
 Petr^2 Spacek


[Freeipa-users] FreeIPA customized for Kolab

2014-07-03 Thread Carlos Raúl Laguna
Hello everyone, for some time I was trying to make Kolab Groupware work
with FreeIPA and after some research it is now working. However, the
modifications made in FreeIPA make me wonder if they somehow limit the
functions of the software.


Changes made:

Creation of
OU=Groups (Don't want to mix FreeIPA groups with Kolab's)
OU=Shared Folders (Required by Kolab)
OU=Resources (Required by Kolab)


In cn=config
an extensibleObject with a domainRelatedObject and aci (required by Kolab)

The users are created from the FreeIPA interface name.surname, which results in a
mailbox for that user in the Kolab server.

My actual question is if this may break replication, or the Windows -
FreeIPA forest relationship. Thanks in advance for your time. Regards

Re: [Freeipa-users] FreeIPA customized for Kolab

2014-07-03 Thread Carlos Raúl Laguna
In cn=config
an extensibleObject with a domainRelatedObject and aci (required by Kolab)


Not sure what this means - does this mean you added objectclass:
extensibleObject to dn: cn=config?

Thanks for the fast reply, and yes, it is required so Kolab can check which
is the primary domain. Thanks for your answer. Regards


2014-07-03 18:12 GMT-04:00 Rich Megginson rmegg...@redhat.com:

  On 07/03/2014 04:09 PM, Carlos Raúl Laguna wrote:

 Hello everyone, for some time I was trying to make Kolab Groupware work
 with FreeIPA and after some research it is now working.


 Great!


  However, the modifications made in FreeIPA make me wonder if they somehow
 limit the functions of the software.


 Changes made:

  Creation of
 OU=Groups (Don't want to mix FreeIPA groups with Kolab's)
 OU=Shared Folders (Required by Kolab)
 OU=Resources (Required by Kolab)


  In cn=config
 an extensibleObject with a domainRelatedObject and aci (required by Kolab)


 Not sure what this means - does this mean you added objectclass:
 extensibleObject to dn: cn=config?



 The users are created from the FreeIPA interface name.surname, which results in a
 mailbox for that user in the Kolab server.

 My actual question is if this may break replication, or the Windows -
 FreeIPA forest relationship. Thanks in advance for your time. Regards


 This should not break replication, nor windows trust/sync, afaik.  Not
 sure what effect this will have on other parts of FreeIPA though.




