Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
Also, when upgrading, please make sure to upgrade to the 6.6.z version of SSSD - there were couple important fixes. AFAIK, the version should be sssd-1.11.6-30.el6_6.3 Martin On 02/02/2015 10:35 PM, Genadi Postrilko wrote: Thank you for your reply. I think ill go with the first option, it about time to upgrade :). Genadi. 2015-02-01 2:09 GMT+02:00 Dmitri Pal d...@redhat.com: On 01/31/2015 01:37 PM, Genadi Postrilko wrote: Hello all. The environment i'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planing to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides. If i want to enjoy all the new features (at least most of them), i know that clients have to be sssd version 1.9. And if i want IPA to be auto configured as sudo provider it has to be sssd 1.11. When reading the mailing list i noticed that sssd 1.11 is mentioned as feature of rhel 6.6. What i would like and understand is what could go wrong if i will install sssd 1.11 on rhel 6.2 servers.And what is is your general recommendations for older RHEL 6 (minor) releases? It will pull a lot of dependencies and most of your system will look like 6.6 system Also the upgrade like this might reveal some issues as the upgrades are expected to be gradual. 1-2 versions is ok but 4 is quit a big leap. Overall it is a bit risky to do it. You have three options: - upgrade properly but probably in two steps 6.2 - 6.4 - 6.6 - use SSSD from 6.2 as is for now. It will have limited functionality but can leverage AD users from the trust. You would need to configure SSSD to use LDAP for authentication and point to compat tree of IPA to take advantage of the trust. See details here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf - take your chances and try a hybrid you propose but it is not a formally supported configuration. Thanks in advance, Genadi. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
Hi, Not knowing your specific circumstance but my experience over the last decade plus would be keep the RHEL, Debian/Ubuntu and Solaris servers up to date all the time, or at least 1~2 months behind max. eg we clone off RHEL channels into testing channels and patch then clone production from test and patch. (playing catch now is now a risk for you) If there is an issue with a rpm then you will find it and we then for instance freeze patching until it is resolved. If you dont have a test group of servers run 1~2months behind the latest and import specific rpms if a nasty bug appears eg the recent bash one. regards Steven From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on behalf of Genadi Postrilko genadip...@gmail.com Sent: Tuesday, 3 February 2015 10:35 a.m. To: Identity Managment; freeipa-users@redhat.com Subject: Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases. Thank you for your reply. I think ill go with the first option, it about time to upgrade :). Genadi. 2015-02-01 2:09 GMT+02:00 Dmitri Pal d...@redhat.commailto:d...@redhat.com: On 01/31/2015 01:37 PM, Genadi Postrilko wrote: Hello all. The environment i'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planing to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides. If i want to enjoy all the new features (at least most of them), i know that clients have to be sssd version 1.9. And if i want IPA to be auto configured as sudo provider it has to be sssd 1.11. When reading the mailing list i noticed that sssd 1.11 is mentioned as feature of rhel 6.6. What i would like and understand is what could go wrong if i will install sssd 1.11 on rhel 6.2 servers.And what is is your general recommendations for older RHEL 6 (minor) releases? It will pull a lot of dependencies and most of your system will look like 6.6 system Also the upgrade like this might reveal some issues as the upgrades are expected to be gradual. 1-2 versions is ok but 4 is quit a big leap. Overall it is a bit risky to do it. You have three options: - upgrade properly but probably in two steps 6.2 - 6.4 - 6.6 - use SSSD from 6.2 as is for now. It will have limited functionality but can leverage AD users from the trust. You would need to configure SSSD to use LDAP for authentication and point to compat tree of IPA to take advantage of the trust. See details here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf - take your chances and try a hybrid you propose but it is not a formally supported configuration. Thanks in advance, Genadi. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
Hello all. The environment i'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planing to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides. If i want to enjoy all the new features (at least most of them), i know that clients have to be sssd version 1.9. And if i want IPA to be auto configured as sudo provider it has to be sssd 1.11. When reading the mailing list i noticed that sssd 1.11 is mentioned as feature of rhel 6.6. What i would like and understand is what could go wrong if i will install sssd 1.11 on rhel 6.2 servers.And what is is your general recommendations for older RHEL 6 (minor) releases? Thanks in advance, Genadi. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] sssd compatibility with older RHEL 6 minor releases.
On 01/31/2015 01:37 PM, Genadi Postrilko wrote: Hello all. The environment i'm currently working to migrate under IPA identity management contains mostly RHEL 6.2 servers. I'm planing to use Active Directory Cross Forest Trust for Identities, IPA as sudo provider, and all the other goodies that IPA provides. If i want to enjoy all the new features (at least most of them), i know that clients have to be sssd version 1.9. And if i want IPA to be auto configured as sudo provider it has to be sssd 1.11. When reading the mailing list i noticed that sssd 1.11 is mentioned as feature of rhel 6.6. What i would like and understand is what could go wrong if i will install sssd 1.11 on rhel 6.2 servers.And what is is your general recommendations for older RHEL 6 (minor) releases? It will pull a lot of dependencies and most of your system will look like 6.6 system Also the upgrade like this might reveal some issues as the upgrades are expected to be gradual. 1-2 versions is ok but 4 is quit a big leap. Overall it is a bit risky to do it. You have three options: - upgrade properly but probably in two steps 6.2 - 6.4 - 6.6 - use SSSD from 6.2 as is for now. It will have limited functionality but can leverage AD users from the trust. You would need to configure SSSD to use LDAP for authentication and point to compat tree of IPA to take advantage of the trust. See details here: http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf - take your chances and try a hybrid you propose but it is not a formally supported configuration. Thanks in advance, Genadi. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
