Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-14 Thread Coy Hile
Will there be builds in a COPR for RHEL/CentOS 7? Sent via the Samsung GALAXY S® 5, an AT 4G LTE smartphone Original message From: Martin Kosek Date: 10/14/16 3:58 AM (GMT-05:00) To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Announcing

[Freeipa-users] Question about ID views

2016-09-02 Thread Coy Hile
ERYONE* in some_ldap_group en masse ldap_group_2:::newGid::/somepath/home/%s:/usr/bin/restricted_shell <—— Override members of ldap_group_2 overriding each individual user’s home directory as well from, e.g. , /home/jdoe -> /somepath/home/jdoe -- Coy Hile coy.h...@coyhile.com --

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-19 Thread Coy Hile
Right, you have some process that creates the shadow accounts with a random, unknown, unused pass. This assumes you have some workflow for provisioning rather than doing ad hoc ipa user add as a human. Sent from my iPad > On May 18, 2016, at 23:20, John Meyers

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Coy Hile
When I've done this in the past, I used MIT directly, not IPA. I set up a one-way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one-way trust testing with FreeIPA, but unfortunately I had to use kadmin.local to do it. I don't know that that's

Re: [Freeipa-users] IPA-AD Login

2016-02-07 Thread Coy Hile
eate a one-way trust so that the AD domain trusts the IPA realm? Then use AltSecurityID in Windows land to map a “shadow” user to each real principal? In that way AD gets relegated to a second-class citizen used only for the subset of (likely comparatively unimportant) tasks where one is forced to use

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Coy Hile
Is there documentation that states explicitly which permissions are granted to the various built-in roles? Sent via the Samsung GALAXY S® 5, an AT 4G LTE smartphone Original message From: Rob Crittenden Date: 11/05/2015 10:18 (GMT-05:00) To:

Re: [Freeipa-users] How to handle users with multiple homedirs on different machines?

2015-06-03 Thread Coy Hile
For solaris, just use the standard automounter config in auto_home: *  /export/home/ Sent via the Samsung GALAXY S® 5, an ATT 4G LTE smartphone Original message From: Lukas Slebodnik lsleb...@redhat.com Date: 06/03/2015 02:29 (GMT-05:00) To: netv...@gmail.com Cc:

Re: [Freeipa-users] How to handle users with multiple homedirs on different machines?

2015-06-03 Thread Coy Hile
) To: coy.h...@coyhile.com Cc: freeipa-users@redhat.com, netv...@gmail.com Subject: Re: [Freeipa-users] How to handle users with multiple homedirs on different machines? On (03/06/15 12:54), Coy Hile wrote: For solaris, just use the standard automounter config in auto_home: *  /export/home

[Freeipa-users] ID Ranges in FreeIPA

2015-04-08 Thread Coy Hile
' users vs role accounts like jdoe vs appteambuildbot)? Thanks, -c -- Coy Hile coy.h...@coyhile.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread coy . hile
Quoting Simo Sorce s...@redhat.com On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: In MIT land, one can potentially have multiple instances tied (by convention) to a given user (that is, that administratively one knows are the same set of eyeballs). For example, I might have my normal user

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile
, so I'm trying to draw comparisons between what I had been used to in previous vanilla krb/ldap shops. Thanks, -c -- Coy Hile coy.h...@coyhile.com

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile
On Apr 7, 2015, at 2:58 PM, Simo Sorce s...@redhat.com wrote: On Tue, 2015-04-07 at 18:54 +, Coy Hile wrote: Quoting Simo Sorce s...@redhat.com: I guess that makes sense. Is it possible to add a user that simply doesn't have the posix attributes defined? In the particular case

[Freeipa-users] Creating arbitrary users?

2015-04-06 Thread Coy Hile
using that principal. -- Coy Hile coy.h...@coyhile.com

[Freeipa-users] Question on freeipa-server-trust-ad

2015-04-03 Thread Coy Hile
@MIT.REALM in the MIT Realm. Is there a ‘supported’ way to do something similar with FreeIPA? Time to break out kadmin.local -x ipa-setup-override-restrictions? Or would that not drop the principal in the right place in the LDAP tree? -- Coy Hile coy.h...@coyhile.com -- Manage your

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Coy Hile
the requirements is quite helpful, so thanks to all who provided that. I'll work with Joyent to add systemd support to the lx brand, and in the meantime, I'll just deploy on KVM infrastructure and take the hit. I assume there's no good reason to deploy a net new setup using the 3.x release? -c -- Coy

[Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-25 Thread Coy Hile
completely of the server components. thanks, -c -- Coy Hile coy.h...@coyhile.com

[Freeipa-users] FreeIPA interoperability with an existing kerberos realm?

2015-03-22 Thread Coy Hile
, -- Coy Hile coy.h...@coyhile.com