Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-05 Thread Petr Spacek
On 11/03/2012 01:12 PM, Pavel Zhukov wrote: Can you do NS lookup of the IPA server from the AMM box? yes Can you do kinit from the AMM box against IPA? Can you do ldapsearch from the AMM box against IPA? no, AMM has restricted shell and web GUI. Hmm, that is unfortunate. Can you run tcpdump

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Rich Megginson
On 11/04/2012 01:25 PM, Steven Jones wrote: Hi, Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your RH supported channel tree? The passsync.msi has to go on each AD box Each Domain Controller. Also note that you asked if Can I be able to synchronize the

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Dmitri Pal
On 11/04/2012 02:23 PM, William Muriithi wrote: Hi all, I am in the process of deploying freeIPA 2.2 to authenticate Linux systems and have been able to setup everything nicely with separate domain. I mean users are currently using separate password to access Linux system and another set of

[Freeipa-users] FreeIPA start dependencies

2012-11-05 Thread Matthew Barr
So, we're in a datacenter that lost power over Sandy. (It's not our only one, so the app was fine.) I'm now trying to bring the DC back online, and IPA is having issues with its inability to reach other replicas. * We're using IPA for DNS as well as the kerberos LDAP services. Does

Re: [Freeipa-users] FreeIPA start dependencies

2012-11-05 Thread Dmitri Pal
On 11/05/2012 12:51 PM, Matthew Barr wrote: So, we're in a datacenter that lost power over Sandy. (It's not our only one, so the app was fine.) I'm now trying to bring the DC back online, and IPA is having issues with its inability to reach other replicas. * We're using IPA for DNS as

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Steven Jones
Also note that you asked if Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0 You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in order to get the clear

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread William Muriithi
Steve, thanks Hi, Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your RH supported channel tree? Nope, using CentOS 6.3. I checked and looks like I can find passsync.msi from here. I am hoping it's the same Windows binaries supplied to RedHat paying

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Steven Jones
nice (and nice it's in 6.4) :) I need to read up on trusts. However from limited experience in AD forests with trusts they get very complex and the security can go bye bye. I've seen pen tests that come in from a trusted domain, using an account with too many privileges a bad password in

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread William Muriithi
Rich, In addition to other comments I want to step back and give a bit of a bigger picture. 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment. Good suggestion. This means I should use version 3. Problem that would have to

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Steven Jones
Hi, I'm not at work yet but the default is something like cn=users,dc=example,dc=com, it's not needed to be specified though (maybe it should be to encourage ppl to check) so I did my first sync and wiped all my users out of IPA! oops So you have to specify it with something like --win-subtree

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Steven Jones
corner case? as in not very standard? In which case, yes I suppose so. AD is a very complex thing and you can customise it, it seems. As a Linux person wandering into such a thing as a non-standard AD and not knowing this it's a bit of a minefield. But of course you don't know you are in

Re: [Freeipa-users] FreeIPA start dependencies

2012-11-05 Thread Matthew Barr
* We're using IPA for DNS as well as the kerberos LDAP services. Is it installed with forwarders to some other DNS server? Is that server alive and running? Is it reachable? If not you might want to add host name and IP of the IPA server into the /etc/hosts Yep, that was the ticket.

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Rob Crittenden
Steven Jones wrote: Also note that you asked if Can I be able to synchronize the current AD user credentials with FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0 You cannot synchronize already existing passwords with IPA 2.x. You would have to force AD users to change their passwords in

[Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. -Erinn

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Rob Crittenden
Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. Kudos for planning ahead! What kind of CA do you have installed?

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this. Kudos for planning

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Rob Crittenden
Erinn Looney-Triggs wrote: On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather know sooner than later when it comes to this.

Re: [Freeipa-users] Updating the CA certificate

2012-11-05 Thread Erinn Looney-Triggs
On 11/05/12 10:42, Rob Crittenden wrote: Erinn Looney-Triggs wrote: On 11/05/12 10:25, Rob Crittenden wrote: Erinn Looney-Triggs wrote: I hope I haven't missed it in searching around, but how does one update the CA certificate in IPA? Though it is a year out from expiring I would rather

[Freeipa-users] DNS / Allow PTR sync

2012-11-05 Thread Michael Mercier
Hello, A couple of questions regarding DNS / Allow PTR sync. 1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr-arpa.)? 2. Do you have to wait a specified amount of time for the PTR record to be

Re: [Freeipa-users] Can't contact LDAP server: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user

2012-11-05 Thread Dmitri Pal
On 11/05/2012 01:51 PM, Tim Hughes wrote: I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to ipa-server-2.2.0-16.el6.x86_64 with the following command ipa migrate-ds ldaps://fedora-ds-server.internal --continue --with-compat --base-dn=dc=custsvc,dc=mycompany

[Freeipa-users] Restrict user access

2012-11-05 Thread Marcello Giannoni UCLA
Hi, I defined some users that are not members of the ipausers group, for some reason these users are able to login to the server using the ipa client tools and the web interface https://myipaserver/ipa/ui I don't want any users look at other users information, is there a way to

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Dmitri Pal
On 11/05/2012 01:40 PM, William Muriithi wrote: Rich, In addition to other comments I want to step back and give a bit of a bigger picture. 1) Regardless of what approach you choose we recommend using the latest available version at the moment of deployment. Good suggestion. This means I

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Dmitri Pal
On 11/05/2012 02:01 PM, Steven Jones wrote: corner case? as in not very standard? In which case, yes I suppose so. AD is a very complex thing and you can customise it, it seems. As a Linux person wandering into such a thing as a non-standard AD and not knowing this it's a bit of a

Re: [Freeipa-users] Restrict user access

2012-11-05 Thread Dmitri Pal
On 11/05/2012 05:57 PM, Marcello Giannoni UCLA wrote: Hi, I defined some users that are not members of the ipausers group, for some reason these users are able to login to the server using the ipa client tools and the web interface https://myipaserver/ipa/ui I don't want any

Re: [Freeipa-users] DNS / Allow PTR sync

2012-11-05 Thread Dmitri Pal
On 11/05/2012 04:35 PM, Michael Mercier wrote: Hello, A couple of questions regarding DNS / Allow PTR sync. 1. If you have a zone 'example.com' and you enable Allow PTR sync, should you also enable the option in the reverse zone (e.g. 168.192.in-addr-arpa.)? 2. Do you have to wait a

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Dmitri Pal
On 11/05/2012 01:34 PM, Steven Jones wrote: nice (and nice it's in 6.4) :) I need to read up on trusts. However from limited experience in AD forests with trusts they get very complex and the security can go bye bye. I've seen pen tests that come in from a trusted domain, using an

Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

2012-11-05 Thread Steven Jones
Hi, Yes. In hindsight it's pretty obvious when you have a new product connecting to another complex product in a foreign way in an enterprise / complex environment that some shake-out is going to happen. I guess I didn't know what I didn't know and I got accelerated in deploying IPA faster and