Re: [Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Jakub Hrozek
On Thu, May 30, 2013 at 07:23:38PM -0400, Dmitri Pal wrote: On 05/30/2013 06:52 PM, Chandan Kumar wrote: Hello, As part of migration from passwd/shadow to IPA, I want to roll out IPA/SSSD based password first for a small number of users and then for all. (same goes with host. first

Re: [Freeipa-users] IPA AD trust question

2013-05-31 Thread Martin Kosek
On 05/31/2013 09:37 AM, Sumit Bose wrote: On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote: Hi List, I have a question - is it possible to use AD trust the way that: 1. All users are stored in AD 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are

[Freeipa-users] IPA privileges question

2013-05-31 Thread Guy Matz
Hi! I'm writing a web UI to front-end an ipa host-add . . . the web ui runs as a special user who I would like to give credentials to allow it to be able to run the ipa commands necessary . . . I thought I would need to give it a host privilege, but I'm bumping up into the following: ipa:

[Freeipa-users] Limiting Host access by UID/GID

2013-05-31 Thread Chandan Kumar
As far as my understanding goes it does not stop even if I disable cache credentials. I set the following parameters in sssd.conf but still UID 2 is able to log in. cache_credentials = False krb5_store_password_if_offline = False min_id=5000 max_id=5010 enumerate = False entry_cache_timeout=3

Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Rob Crittenden
Guy Matz wrote: Hi! I'm writing a web UI to front-end an ipa host-add . . . the web ui runs as a special user who I would like to give credentials to allow it to be able to run the ipa commands necessary . . . I thought I would need to give it a host privilege, but I'm bumping up into the

Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Guy Matz
Sorry, should have mentioned that. I had host principal and have since added ldap: # klist -k krb5.keytab Keytab name: FILE:krb5.keytab KVNO Principal -- 3 host/ipadevmstr.collmedia@collmedia.net 3

Re: [Freeipa-users] IPA privileges question

2013-05-31 Thread Rob Crittenden
Guy Matz wrote: Sorry, should have mentioned that. I had host principal and have since added ldap: # klist -k krb5.keytab Keytab name: FILE:krb5.keytab KVNO Principal -- 3

Re: [Freeipa-users] How IPA handles AD computer groups

2013-05-31 Thread Dmitri Pal
On 05/31/2013 08:39 AM, rashard.ke...@sita.aero wrote: I am working on a team to plan a migration to IPA on our UNIX based systems. One thing I was seeking information on is Computer groups. If a trust is established with our campus AD infrastructure, will its computer groups be shared with