Re: [Freeipa-users] AD permissions needed for setting up AD trusts
On Fri, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> On 01/03/2013 12:28 PM, Petr Spacek wrote:
>> On 12/21/2012 01:19 PM, Sumit Bose wrote:
>>> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>>>> Hi
>>>>
>>>> What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed?
>>>
>>> The account used here must be a member of the Domain Admins group.
>>>
>>>> If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server?
>>>
>>> 'ipa trust-add' will only use LSA calls on the AD server. The most important one is CreateTrustedDomainEx2 (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the trust between the two domains. Additionally, QueryTrustedDomainInfoByName (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the trust is already added and SetInformationTrustedDomain (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD server that the IPA server can handle AES encryption are used.
>>
>> Should we add this information to AD trusts documentation?
>>
>>>> The Windows team at my place of work will want to know exactly what the tool will do before they grant permission.
>
> I have added this information to the AD trusts wiki page:
> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

That link only gets me to an empty wiki page...

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801

signature.asc
Description: This is a digitally signed message part

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Desperate help requested.
On Sat, 2012-08-25 at 23:05 -0500, KodaK wrote:
> I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email:
>
> we cannot use anything other than MS AD for authentication
>
> I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines. To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers.
>
> We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you register the Linux host in the AD, you'll need to purchase a CAL for it...

/David

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Mon, 2012-06-18 at 10:49 -0400, Brian Wheeler wrote:
> Is there any way to integrate FreeIPA into an environment such as ours or am I going to have to continue with my homegrown way of doing things?

I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment
On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
>> I wonder if the (very) new IPA AD trust feature could solve at least some of your problems. Have a look at http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this can be tested.
>
> The initial documentation looks like it's describing a full two way trust - in principle would a one way trust be feasible? Allow the AD users (or a selection thereof) access to the systems part of the IPA domain but not vice versa?

AFAIK, that is the only thing currently implemented.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] dead in the water IPA server
On Mon, 2012-05-07 at 00:22 +, Steven Jones wrote:
> Interesting memory message, as attached. I take it it isn't good? Can't login, that is for sure, so whatever is behind the web GUI is dead if nothing else...

Nope, your machine ran out of memory and the directory server fell victim to the OOM-killer )-. At this point you need to reboot the machine to recover, but with some luck the syslog should contain some hints of where the memory went.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
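The reply above points at syslog for "hints of where the memory went". The following script, an added example that is not part of the thread, scans a syslog excerpt for the kernel's OOM-killer messages, pairs each "Out of memory: Kill process" line with its "Killed process ... anon-rss" line, and ranks victims by the resident memory they held when killed. The sample lines are constructed (host name, PIDs and sizes are made up) in the RHEL 6 era message format; on a real box point it at /var/log/messages.

```python
import re
import sys
from collections import defaultdict

# Constructed sample syslog excerpt (not from the thread): host name, PIDs,
# UIDs and sizes are invented, the line format follows RHEL 6 era kernels.
SAMPLE_SYSLOG = """\
May  7 00:10:01 ipa01 kernel: ns-slapd invoked oom-killer: gfp_mask=0x201da, order=0, oom_adj=0
May  7 00:10:01 ipa01 kernel: Out of memory: Kill process 2345 (ns-slapd) score 812 or sacrifice child
May  7 00:10:01 ipa01 kernel: Killed process 2345, UID 389, (ns-slapd) total-vm:3145728kB, anon-rss:2621440kB, file-rss:1024kB
May  7 00:10:02 ipa01 kernel: Out of memory: Kill process 2351 (ns-slapd) score 805 or sacrifice child
May  7 00:10:02 ipa01 kernel: Killed process 2351, UID 389, (ns-slapd) total-vm:3140000kB, anon-rss:2600000kB, file-rss:1000kB
May  7 00:10:05 ipa01 kernel: Out of memory: Kill process 4100 (java) score 300 or sacrifice child
May  7 00:10:05 ipa01 kernel: Killed process 4100, UID 91, (java) total-vm:1048576kB, anon-rss:524288kB, file-rss:2048kB
May  7 00:12:00 ipa01 sshd[5000]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

INVOKED_RE = re.compile(r"kernel: (?P<name>\S+) invoked oom-killer")
KILL_RE = re.compile(r"Out of memory: Kill process (?P<pid>\d+) \((?P<name>[^)]+)\)")
KILLED_RE = re.compile(
    r"Killed process (?P<pid>\d+).*?\((?P<name>[^)]+)\) "
    r"total-vm:(?P<vm>\d+)kB, anon-rss:(?P<anon>\d+)kB"
)


def parse_oom_events(text):
    """Return one dict per OOM kill in log order: pid, name, anon_rss_kb, invoked_by.

    'invoked_by' is the process whose allocation triggered the killer (it is
    often not the victim); anon_rss_kb stays None if the 'Killed process'
    line with the sizes is missing from the excerpt.
    """
    events, by_pid, last_invoker = [], {}, None
    for line in text.splitlines():
        m = INVOKED_RE.search(line)
        if m:
            last_invoker = m.group("name")
            continue
        m = KILL_RE.search(line)
        if m:
            ev = {"pid": int(m.group("pid")), "name": m.group("name"),
                  "anon_rss_kb": None, "invoked_by": last_invoker}
            last_invoker = None  # each kill is preceded by its own 'invoked' line
            by_pid[ev["pid"]] = ev
            events.append(ev)
            continue
        m = KILLED_RE.search(line)
        if m:
            ev = by_pid.get(int(m.group("pid")))
            if ev is not None:
                ev["anon_rss_kb"] = int(m.group("anon"))
    return events


def worst_offenders(events):
    """Aggregate per process name: [(name, kill_count, total_anon_rss_kb)], largest RSS first."""
    agg = defaultdict(lambda: [0, 0])
    for ev in events:
        agg[ev["name"]][0] += 1
        agg[ev["name"]][1] += ev["anon_rss_kb"] or 0
    return sorted(((n, c, r) for n, (c, r) in agg.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    # Usage: python oom_scan.py [/var/log/messages]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSLOG
    for name, count, rss_kb in worst_offenders(parse_oom_events(text)):
        print(f"{name:<12} killed {count}x  anon-rss at kill: {rss_kb // 1024} MB")
```

A directory server that is killed repeatedly with a large anon-rss is the signature of the situation in the thread; the same scan on a whole day of messages usually also shows which other process was allocating at the time.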
Re: [Freeipa-users] Trying out ipa on zlinux
On Fri, 2012-05-04 at 10:25 -0400, Simo Sorce wrote:
> On Fri, 2012-05-04 at 16:04 +0200, David Juran wrote:
>> [04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-SRV-VOLVO-COM.socket
>> [04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=srv,dc=volvo,dc=com" method=128 version=3
>> [04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
>> [04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
>>
>> Would anyone have a clue what could be wrong?
>
> err=7 seems to be LDAP_AUTH_METHOD_NOT_SUPPORTED. Are you lacking SASL dependencies in 389 by chance?

I think I got SASL support in:

root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# ldapsearch -D "cn=directory manager" -w secret -x -s base -b "" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
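The diagnosis in the exchange above comes from reading one BIND/RESULT pair out of the 389-ds access log. The script below, an added example that is not part of the thread or of 389-ds, automates that reading: it correlates each BIND with the RESULT carrying the same conn/op, ignores the err=14 intermediate result of a multi-step SASL bind (which is not a failure), and reports every bind that ended in a non-zero LDAP result code with its RFC 4511 name. The log lines are constructed in the 389-ds access-log format (suffix, socket path and addresses are made up); the result-code names are the standard LDAP ones.

```python
import re
from collections import Counter

# Constructed 389-ds access-log excerpt (not the thread's own lines): the
# suffix dc=example,dc=com, the socket path and the addresses are invented.
SAMPLE_ACCESS_LOG = """\
[04/May/2012:15:22:27 +0200] conn=8 fd=66 slot=66 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[04/May/2012:15:22:27 +0200] conn=8 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[04/May/2012:15:22:27 +0200] conn=8 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[04/May/2012:15:22:27 +0200] conn=8 op=-1 fd=66 closed - B1
[04/May/2012:15:23:01 +0200] conn=9 fd=67 slot=67 connection from 10.0.0.5 to 10.0.0.1
[04/May/2012:15:23:01 +0200] conn=9 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/May/2012:15:23:01 +0200] conn=9 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/May/2012:15:23:01 +0200] conn=9 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/May/2012:15:23:01 +0200] conn=9 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[04/May/2012:15:24:10 +0200] conn=10 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[04/May/2012:15:24:10 +0200] conn=10 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# RFC 4511 result-code names for the codes a bind commonly returns.
LDAP_RESULT_NAMES = {
    7: "authMethodNotSupported",
    14: "saslBindInProgress",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
NON_FAILURES = {0, 14}  # success, or a SASL exchange that is not finished yet

CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)'
                     r"(?:.*?\bmech=(?P<mech>\S+))?")
RESULT_RE = re.compile(r"^op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)")


def bind_failures(log_text):
    """Return one dict per failed bind (ts, conn, op, dn, method, err, reason), in log order."""
    pending = {}  # (conn, op) -> bind details, until its RESULT line arrives
    failures = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            mech = b.group("mech")
            # method=128 is a simple bind; SASL binds name their mechanism
            method = "simple" if b.group("method") == "128" else (
                f"sasl/{mech}" if mech else b.group("method"))
            pending[(conn, b.group("op"))] = {
                "ts": m.group("ts"), "conn": int(conn), "op": int(b.group("op")),
                "dn": b.group("dn") or "<anonymous>", "method": method}
            continue
        r = RESULT_RE.match(rest)
        if r:
            info = pending.pop((conn, r.group("op")), None)
            if info is None:
                continue  # RESULT of a non-BIND op, or a BIND we never saw
            err = int(r.group("err"))
            if err in NON_FAILURES:
                continue
            info["err"] = err
            info["reason"] = LDAP_RESULT_NAMES.get(err, f"LDAP result {err}")
            failures.append(info)
    return failures


def failures_by_code(failures):
    """Count failed binds per (err, method) so a systemic cause stands out from a typo'd password."""
    return Counter((f["err"], f["method"]) for f in failures)


if __name__ == "__main__":
    for f in bind_failures(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} conn={f['conn']} {f['method']:<11} {f['dn']}: err={f['err']} {f['reason']}")
    print(failures_by_code(bind_failures(SAMPLE_ACCESS_LOG)))
```

Many err=7 results on simple binds from service accounts point at a server-side problem such as the missing SASL/password plugins discussed in the thread, whereas scattered err=49 results on user DNs are the ordinary wrong-password noise.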
Re: [Freeipa-users] Trying out ipa on zlinux
On Fri, 2012-05-04 at 10:52 -0400, Simo Sorce wrote:
> please run:
> rpm -qa |grep cyrus-sasl

root@zlin2011:/var/log/dirsrv/slapd-SRV-VOLVO-COM# rpm -qa |grep cyrus-sasl
cyrus-sasl-lib-2.1.23-13.el6.s390x
cyrus-sasl-md5-2.1.23-13.el6.s390x
cyrus-sasl-2.1.23-13.el6.s390x
cyrus-sasl-plain-2.1.23-13.el6.s390x
cyrus-sasl-gssapi-2.1.23-13.el6.s390x

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] syncing users more not limited to a subtree
On Tue, 2012-02-14 at 17:50 -0500, Rob Crittenden wrote:
> I don't think so, but can you provide some examples?
>
>> If I understand the customer's use case correctly (and this is quite a disclaimer) they have _most_ of their users in one sub-tree in AD but also some users spread out all over the AD. So I gather that I really should sync the entire AD. Or that I _possibly_ could specify multiple sub-trees to sync, but still only on a subtree level and not individual users to sync. Or that I really should wait for the trust-to-AD feature to be ready... Is that correct?
>
> How would they identify which users they would want sync'd? Is this something we'd be able to build a filter on (not that we actually provide a configurable filter right now)?

I'll check that, but won't all of this become moot once we can trust an AD domain? If this filtering would become a show-stopper I'll get back to you, but if schedule permits, I'd rather wait for the trust feature rather than develop a new feature for this.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
Re: [Freeipa-users] nisNet groups in AD
On Mon, 2011-11-21 at 11:55 -0500, Dmitri Pal wrote:
> On 11/21/2011 11:48 AM, David Juran wrote:
>> Hello.
>>
>> I have a customer who is using nisNetgroups in Microsoft Active Directory to keep track of which users are allowed to access which services. I've understood that IPA today does not sync this information from AD, is this correct? What about the future, once we can have trust towards an AD? Would that allow us to use the nisNet groups in AD for HBAC and sudo?
>
> Trusts would not help with netgroups. I wonder if it is something that can be done via a client configuration. But also why not move netgroups into IPA? Dumping the data into LDIF, creating a script to convert it to IPA internal netgroups format and loading it is not a huge effort.

That is certainly the approach I will recommend but I suspect part of the problem is that the internal tool that the customer uses for the approval process (i.e. the process where someone approves that user foo should get added to group bar) knows how to communicate with AD but not how to talk to IPA. But if it comes to this, I guess it would be possible to do a regular sync, i.e. dump the LDIF from AD and import it into IPA on a regular basis.

In any case, thank you for the answer.

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801
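The conversion sketched in the exchange above (dump the AD nisNetgroup entries to LDIF, convert, load into IPA) can be done with a short script such as the one below. This is an added example, not code from the thread or from the FreeIPA project: it parses the RFC 2307 nisNetgroup entries (nisNetgroupTriple values of the form (host,user,domain), memberNisNetgroup for nesting), drops empty and "-" fields of a triple, and emits the IPA CLI commands ipa netgroup-add and ipa netgroup-add-member (--users/--hosts/--netgroups) that create the same groups. Assumptions: the NIS domain in the triples is ignored because IPA assigns its own nisdomain, the user and host names are expected to exist in (or be accepted by) IPA, and the LDIF sample is constructed under an invented example.com domain.

```python
import base64
import re
import shlex

# Constructed LDIF sample (not customer data): an example.com AD with two
# nisNetgroup objects, one nested reference and one dangling reference.
SAMPLE_LDIF = """\
dn: CN=webadmins,OU=Netgroups,DC=example,DC=com
objectClass: top
objectClass: nisNetgroup
cn: webadmins
nisNetgroupTriple: (web1.example.com,alice,example.com)
nisNetgroupTriple: (web2.example.com,alice,example.com)
nisNetgroupTriple: (,bob,)
memberNisNetgroup: dbadmins

dn: CN=dbadmins,OU=Netgroups,DC=example,DC=com
objectClass: top
objectClass: nisNetgroup
cn: dbadmins
nisNetgroupTriple: (db1.example.com,carol,example.com)
nisNetgroupTriple: (db1.example.com,-,example.com)
memberNisNetgroup: legacyops
"""

TRIPLE_RE = re.compile(r"^\(\s*([^,]*)\s*,\s*([^,]*)\s*,\s*([^)]*)\)$")


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values]} per entry.

    Handles folded continuation lines (leading space) and base64 values ('::').
    """
    entries, current, last_attr = [], {}, None

    def finish(entry):
        for attr, values in entry.items():
            entry[attr] = [base64.b64decode(v[1:].strip()).decode("utf-8")
                           if v.startswith(":") else v.strip() for v in values]
        entries.append(entry)

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded line: append to previous value
            continue
        if not raw.strip():
            if current:
                finish(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")       # 'attr:: b64' leaves value starting with ':'
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        finish(current)
    return entries


def netgroups_from_ldif(text):
    """Map netgroup name -> {'users': [...], 'hosts': [...], 'netgroups': [...]}, sorted members."""
    groups = {}
    for e in parse_ldif(text):
        if "nisnetgroup" not in (c.lower() for c in e.get("objectclass", [])):
            continue
        users, hosts = set(), set()
        for triple in e.get("nisnetgrouptriple", []):
            m = TRIPLE_RE.match(triple)
            if not m:
                continue  # malformed triple: skip rather than guess
            host, user, _domain = (f.strip() for f in m.groups())  # NIS domain ignored (IPA sets its own)
            if host and host != "-":
                hosts.add(host)
            if user and user != "-":
                users.add(user)
        groups[e["cn"][0]] = {"users": sorted(users), "hosts": sorted(hosts),
                              "netgroups": list(e.get("membernisnetgroup", []))}
    return groups


def unresolved_members(groups):
    """Nested netgroup names referenced but not defined in the dump (would fail on import)."""
    return {m for g in groups.values() for m in g["netgroups"]} - set(groups)


def ipa_commands(groups, desc="imported from AD nisNetgroup"):
    """IPA CLI commands: all netgroup-add first so nested --netgroups references resolve."""
    cmds = [f"ipa netgroup-add {shlex.quote(n)} --desc={shlex.quote(desc)}" for n in sorted(groups)]
    for name in sorted(groups):
        g = groups[name]
        for opt, members in (("--users", g["users"]), ("--hosts", g["hosts"]),
                             ("--netgroups", g["netgroups"])):
            if members:
                cmds.append(f"ipa netgroup-add-member {shlex.quote(name)} {opt}={shlex.quote(','.join(members))}")
    return cmds


if __name__ == "__main__":
    ng = netgroups_from_ldif(SAMPLE_LDIF)
    print("\n".join(ipa_commands(ng)))
    if unresolved_members(ng):
        print("# WARNING: undefined nested netgroups:", ", ".join(sorted(unresolved_members(ng))))
```

Run against a real dump (ldifde or ldapsearch output), review the generated commands, and check the warning about undefined nested groups before loading; the same script can be re-run periodically for the "regular sync" mentioned in the reply, since netgroup-add on an existing group fails harmlessly and the add-member calls are idempotent.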
[Freeipa-users] nisNet groups in AD
Hello.

I have a customer who is using nisNetgroups in Microsoft Active Directory to keep track of which users are allowed to access which services. I've understood that IPA today does not sync this information from AD, is this correct? What about the future, once we can have trust towards an AD? Would that allow us to use the nisNet groups in AD for HBAC and sudo?

--
David Juran
Sr. Consultant
Red Hat
+46-725-345801