[Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
All, FreeIPA as we've discovered has some wonderful Windows integration capability, but it is all predicated on Windows AD being the authoritative source of user information. 2-Way trusts are great, but they only work for kerberized applications, not native Windows rights (that would require

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
Thanks. I've experimented with that as well with vanilla MIT Kerberos (prior to using FreeIPA) and I agree it works just fine. However, the limitation I always found was that it is not practical to manually create the "shadow objects" and then keep them in sync. I was hoping the "winsync"

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Coy Hile
When I've done this in the past, I used MIT directly, not IPA. I set up a one-way trust, then used "shadow objects" for users mapped using alternateSecurityID. I've set up the same one-way trust testing with FreeIPA, but unfortunately I had to use kadmin.local to do it. I don't know that that's

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Ben, First, you will need to create the automount map in FreeIPA. Example of adding automount maps from the CLI on the IPA server:
1). Get TGT for admin user (or equivalent): kinit admin
2). Create automount map: ipa automountmap-add default auto.home
3). Add auto.home to auto.master: ipa automountkey-add

Re: [Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
Already changed to a new cert, no error prompt when starting the server. But using ipa-replica-install, the same error comes out. So I must have missed some folder not yet replaced. On 2016-05-19 at 2:01 AM, "Rob Crittenden" wrote: > barry...@gmail.com wrote: > >> Hi: >> >> I type ipa-replica-install server

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Wednesday, 18 May 2016 5:40 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > On

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread Michael ORourke
What about using the pGina project on the Windows side? Reference: http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/ -Mike -Original Message- >From: John Meyers >Sent: May 18, 2016 5:19 PM >To: freeipa-users@redhat.com

[Freeipa-users] AD group membership

2016-05-18 Thread Lachlan Musicman
Hi, We seem to have some progress, after reading this blog post about sssd performance tuning. https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ So now we see that on the FreeIPA server, everything is stable and always produces the results we

Re: [Freeipa-users] How does one authenticate Windows login against IPA

2016-05-18 Thread John Meyers
Even if you get that to work, you are still stuck with same issue discussed earlier in this thread -- you need to have a Windows account, either local or AD, to be able to login and grant rights against. pGina just handles the authentication part. The only way to do either a 1-way Kerberos trust

[Freeipa-users] Reverse DNS

2016-05-18 Thread Andrew Holway
Hello, I see that our default installation of IdM is working quite well without rdns configured (its on AWS). We're not doing anything complicated with it yet but is there anything that definitely will not work? Cheers, Andrew -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Michael ORourke
Yes, because you can point the automount maps to whatever device you want.  NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device.  NFSv3 is a well supported protocol across SAN vendors and you should not have any problems
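Michael's three CLI steps earlier in the thread stop at the auto.master key; the script below is an added example (not code from the thread or from the FreeIPA project) that carries the same procedure through to the wildcard key that actually maps each user's home, plus the client-side step. Everything beyond the thread is an assumption: the "default" automount location that ipa-server-install creates, an NFS server nas.example.com exporting /export/home, and an admin TGT already obtained with kinit admin. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: Michael's automount steps carried
# through to the wildcard home-directory key and the client side.
# Assumptions (not in the thread): the "default" location created by
# ipa-server-install, an NFS server nas.example.com exporting /export/home,
# and a valid admin TGT already obtained with `kinit admin`.
# DRY_RUN=1 prints the ipa commands instead of executing them.
set -eu

LOCATION="${LOCATION:-default}"
NFS_SERVER="${NFS_SERVER:-nas.example.com}"    # assumed hostname
NFS_EXPORT="${NFS_EXPORT:-/export/home}"       # assumed export path
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Server side: any host with the ipa CLI and an admin ticket.
ipa_automount_home() {
    # 1) the map that will hold the per-user home entries
    run ipa automountmap-add "$LOCATION" auto.home
    # 2) hook it into auto.master: lookups under /home are answered from auto.home
    run ipa automountkey-add "$LOCATION" auto.master --key=/home --info=auto.home
    # 3) one wildcard key serves every user: '*' matches the name looked up
    #    under /home and '&' substitutes it into the server path, so
    #    /home/jdoe -> nas.example.com:/export/home/jdoe
    #    vers=3 follows the NFSv3 advice in the thread; sec=sys means the export
    #    trusts the client's UID, so the SAN must see the same UIDs SSSD assigns.
    run ipa automountkey-add "$LOCATION" auto.home --key='*' \
        --info="-fstype=nfs,vers=3,rw,sec=sys ${NFS_SERVER}:${NFS_EXPORT}/&"
}

# Client side: enable the automounter for that location on an enrolled host
# (ipa-client-install --automount-location=default does the same at enrollment).
ipa_client_automount() {
    run ipa-client-automount --location="$LOCATION" --unattended
}

# Run explicitly: `sh automount-home.sh server` or `sh automount-home.sh client`;
# without a mode argument the script only defines the functions.
case "${1:-}" in
    server) ipa_automount_home ;;
    client) ipa_client_automount ;;
    *) : ;;
esac
```

Two things to check before relying on it for AD-trust users: the key autofs looks up is the last path component of whatever SSSD reports as the user's home directory (compare `getent passwd user@ad.example.com` on a client with the directory names on the export), and with sec=sys the NFS server enforces nothing beyond the UID the client presents, so the ID-mapping on the SAN must agree with the UIDs SSSD derives from the AD SIDs, or the export should be switched to Kerberized NFSv4 (sec=krb5) where the device supports it.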

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread Sumit Bose
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote: > > > On 13/05/16 14:14, Sumit Bose wrote: > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > .. if possible, would you know? > > > hi everybody, > > > I'm trying, and hoping it is possible to realm join an AD but is such

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Alexander Skwar
Hello Rob 2016-05-12 0:06 GMT+02:00 Rob Crittenden : > > Alexander Skwar wrote: >> The WAF would then send username and password to FreeIPA (using LDAP) >> and would need to get back, whether the combination was good or not. >> >> Is that scenario doable with FreeIPA and

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote: > It's worth noting that, in difference to the bug report: > > 1. We aren't making changes to the overrides. The overrides exist, they > just aren't propagating evenly or consistently. > 2. We are seeing these errors in the various

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-18 Thread Ben .T.George
Hi all, again the repo is down. Regards, Ben On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy wrote: > On Mon, 02 May 2016, Ben .T.George wrote: > >> HI >> >> thanks >> >> yes now it's working and yesterday it was not. >> > COPR service SLA is weaker than primary Fedora

[Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
Hi List, Is it possible to mount home directories of AD-authenticated users from an external source (like a SAN or fileshare)? Regards, Ben

[Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread barrykfl
Hi: I type ipa-replica-install server --ip 192.168.1.3 and it shows my cert expired. Where (which location) should I input the cert? trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -8172]

Re: [Freeipa-users] Reverse DNS

2016-05-18 Thread Martin Basti
On 18.05.2016 11:13, Andrew Holway wrote: Hello, I see that our default installation of IdM is working quite well without rdns configured (its on AWS). We're not doing anything complicated with it yet but is there anything that definitely will not work? Cheers, Andrew Hello, IPA

[Freeipa-users] Limiting directory listing for all users in self service

2016-05-18 Thread Marc Peiser
Hi all, We're busy rolling out freeipa internally and one thing we would like to limit is the ability for normal users to view all users in the directory via the self service portal. We only want the user to see their particular details. Is this possible? Thanks, Marc

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread Alexander Bokovoy
On Wed, 18 May 2016, lejeczek wrote: On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote: On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote: > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > .. if possible, would you know?

[Freeipa-users] Advice sought on monitoring freeipa status

2016-05-18 Thread Roderick Johnstone
Hi I'm trying to set up some monitoring of our freeipa installation. To start with, I'd like to know eg: 1) If replication stopped 2) Whether the ldap databases on replicas are inconsistent with each other. We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with latest

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Alexander Bokovoy
On Wed, 18 May 2016, Jakub Hrozek wrote: On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > Hmmm, I also now see > > https://fedorahosted.org/sssd/ticket/2642 > and > https://bugzilla.redhat.com/show_bug.cgi?id=1217127 > > Versions being run: > > sssd-client-1.13.0-40.el7_2.4.x86_64 > sssd-ad-1.13.0-40.el7_2.4.x86_64

Re: [Freeipa-users] Limiting directory listing for all users in self service

2016-05-18 Thread Petr Spacek
On 18.5.2016 10:27, Marc Peiser wrote: > Hi all, > > We're busy rolling out freeipa internally and one thing we would like to > limit is the ability for normal users to view all users in the directory > via the self service portal. We only want the user to see their particular > details. Is this

Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..

2016-05-18 Thread lejeczek
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote: > On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote: > > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > > .. if possible, would you know? > > > > hi everybody, > > > >

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Rob Crittenden
Alexander Skwar wrote: Hello Rob 2016-05-12 0:06 GMT+02:00 Rob Crittenden : Alexander Skwar wrote: The WAF would then send username and password to FreeIPA (using LDAP) and would need to get back, whether the combination was good or not. Is that scenario doable with

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Ben .T.George
Hi, Thanks for the reply. Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS capability. In this case how can I proceed? Usually while installing the client, I used to give the below options: ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Alexander Skwar
Hello Rob 2016-05-18 16:21 GMT+02:00 Rob Crittenden : > Alexander Skwar wrote: >> >> Hello Rob >> >> 2016-05-12 0:06 GMT+02:00 Rob Crittenden : >>> >>> >>> Alexander Skwar wrote: >> Important parts here: >> >> - [USER_AUTH_FAILED_TECH] >> -

Re: [Freeipa-users] AD users home directory automount

2016-05-18 Thread Baird, Josh
I would start by reading the documentation [1]. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html Josh From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On

Re: [Freeipa-users] LDAP access for user authentication?

2016-05-18 Thread Rob Crittenden
Alexander Skwar wrote: Hello Rob 2016-05-18 16:21 GMT+02:00 Rob Crittenden : Alexander Skwar wrote: Hello Rob 2016-05-12 0:06 GMT+02:00 Rob Crittenden : Alexander Skwar wrote: Important parts here: - [USER_AUTH_FAILED_TECH] -

Re: [Freeipa-users] want to make new replicas but cert expire

2016-05-18 Thread Rob Crittenden
barry...@gmail.com wrote: Hi: I type ipa-replica-install server --ip 192.168.1.3 and it shows my cert expired. Where (which location) should I input the cert? trusted by the user.) preparation of replica failed: cannot connect to 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno