All,
FreeIPA as we've discovered has some wonderful Windows integration
capability, but it is all predicated on Windows AD being the
authoritative source of user information. 2-Way trusts are great, but
they only work for kerberotized applications, not native Windows rights
(that would require
Thanks. I've experimented with that as well with vanilla MIT kerberos
(prior to using FreeIPA) and I agree it works just fine. However, the
limitation I always found was that it is not practical to manually
create the "shadow objects" and then keep them in sync. I was hoping
the "winsync"
When I've done this in the past, I used mit directly, not IPA. I set up a one
way trust, then used "shadow objects" for users mapped using
alternateSecurityID. I've setup the same one way trust testing with freeipa,
but unfortunately I had to use kadmin.local to do it. I don't know that that's
Ben,
First, you will need to create the automount map in FreeIPA.
Example of adding automount maps from the CLI on the IPA server:
1). Get TGT for admin user (or equivalent)
kinit admin
2). Create automount map
ipa automountmap-add default auto.home
3). Add auto.home to auto.master
ipa automountkey-add
Already change a new cert, no error prompt when start server. But using
ipa-replica install, same error out. So I should miss some folder not yet
replace.
On 19 May 2016 at 2:01 AM, "Rob Crittenden" wrote:
> barry...@gmail.com wrote:
>
>> Hi:
>>
>> I type ipa-replica-install server
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Wednesday, 18 May 2016 5:40 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected
>
> On
What about using the pGina project on the Windows side?
Reference:
http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
-Mike
-Original Message-
>From: John Meyers
>Sent: May 18, 2016 5:19 PM
>To: freeipa-users@redhat.com
Hi,
We seem to have some progress, after reading this blog post about sssd
performance tuning.
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
So now we see that on the FreeIPA server, everything is stable and always
produces the results we
Even if you get that to work, you are still stuck with same issue
discussed earlier in this thread -- you need to have a Windows account,
either local or AD, to be able to login and grant rights against. pGina
just handles the authentication part. The only way to do either a 1-way
Kerberos trust
Hello,
I see that our default installation of IdM is working quite well without
rdns configured (it's on AWS). We're not doing anything complicated with it
yet but is there anything that definitely will not work?
Cheers,
Andrew
--
Manage your subscription for the Freeipa-users mailing list:
Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to setup on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems
On Mon, May 16, 2016 at 09:34:28AM +0100, lejeczek wrote:
>
>
> On 13/05/16 14:14, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
> > > hi everybody,
> > > I'm trying, and hoping it is possible to realm join an AD but is such
Hello Rob
2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>
> Alexander Skwar wrote:
>> The WAF would then send username and password to FreeIPA (using LDAP)
>> and would need to get back, whether the combination was good or not.
>>
>> Is that scenario doable with FreeIPA and
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote:
> It's worth noting that, in difference to the bug report:
>
> 1. We aren't making changes to the overrides. The overrides exist, they
> just aren't propagating evenly or consistently.
> 2. We are seeing these errors in the various
Hi All
again repo is down.
Regards,
Ben
On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy
wrote:
> On Mon, 02 May 2016, Ben .T.George wrote:
>
>> HI
>>
>> thanks
>>
>> yes now it's working and yesterday it was not.
>>
> COPR service SLA is weaker than primary Fedora
Hi List,
Is it possible to mount home directories of AD authenticated users from
an external source (like SAN or fileshare)?
Regards,
Ben
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on
Hi:
I type ipa-replica-install server --ip 192.168.1.3
it show my cert expire, where location I should input the cert?
trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172]
On 18.05.2016 11:13, Andrew Holway wrote:
Hello,
I see that our default installation of IdM is working quite well
without rdns configured (it's on AWS). We're not doing anything
complicated with it yet but is there anything that definitely will not
work?
Cheers,
Andrew
Hello,
IPA
Hi all,
We're busy rolling out freeipa internally and one thing we would like to
limit is the ability for normal users to view all users in the directory
via the self service portal. We only want the user to see their particular
details. Is this possible?
Thanks,
Marc
On Wed, 18 May 2016, lejeczek wrote:
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > .. if possible, would you know?
Hi
I'm trying to set up some monitoring of our freeipa installation. To
start with, I'd like to know eg:
1) If replication stopped
2) Whether the ldap databases on replicas are inconsistent with each other.
We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with
latest
On Wed, 18 May 2016, Jakub Hrozek wrote:
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
Hmmm, I also now see
https://fedorahosted.org/sssd/ticket/2642
and
https://bugzilla.redhat.com/show_bug.cgi?id=1217127
Versions being run:
sssd-client-1.13.0-40.el7_2.4.x86_64
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote:
> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
On 18.5.2016 10:27, Marc Peiser wrote:
> Hi all,
>
> We're busy rolling out freeipa internally and one thing we would like to
> limit is the ability for normal users to view all users in the directory
> via the self service portal. We only want the user to see their particular
> details. Is this
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote:
> On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote:
> > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote:
> > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote:
> > > > .. if possible, would you know?
> > > > hi everybody,
> > > >
Alexander Skwar wrote:
Hello Rob
2016-05-12 0:06 GMT+02:00 Rob Crittenden :
Alexander Skwar wrote:
The WAF would then send username and password to FreeIPA (using LDAP)
and would need to get back, whether the combination was good or not.
Is that scenario doable with
Hi,
Thanks for the reply.
Actually I don't want to share from my Trusted AD. My SAN has CIFS and NFS
capability.
In this case how can I proceed? Usually while installing client, I used to
give below options
ipa-client-install --server global.ipa.local --domain ipa.local
--mkhomedir
Hello Rob
2016-05-18 16:21 GMT+02:00 Rob Crittenden :
> Alexander Skwar wrote:
>>
>> Hello Rob
>>
>> 2016-05-12 0:06 GMT+02:00 Rob Crittenden :
>>>
>>>
>>> Alexander Skwar wrote:
>> Important parts here:
>>
>> - [USER_AUTH_FAILED_TECH]
>> -
I would start by reading the documentation [1].
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On
Alexander Skwar wrote:
Hello Rob
2016-05-18 16:21 GMT+02:00 Rob Crittenden :
Alexander Skwar wrote:
Hello Rob
2016-05-12 0:06 GMT+02:00 Rob Crittenden :
Alexander Skwar wrote:
Important parts here:
- [USER_AUTH_FAILED_TECH]
-
barry...@gmail.com wrote:
Hi:
I type ipa-replica-install server --ip 192.168.1.3
it show my cert expire, where location I should input the cert?
trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno