[Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
Sorry if this is a frequently asked question, but it's not easy to find a simple answer. * Can I use FreeIPA (v4) as a domain controller for Windows machines to join? * If not, what's the recommended free/open solution? Would it be to set up a Samba4 domain controller, and then set up

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy
On ma, 17 loka 2016, Karl Forner wrote: Thanks Alexander, unfortunately I could only find outdated documentation. I just realized that my question is not precise enough. The documentation I linked is the up-to-date one. Suppose I have a master running in its LAN, with all required ports open.

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote: > On ma, 17 loka 2016, Karl Forner wrote: > >> Thanks Alexander, unfortunately I could only find outdated documentation. >> I just realized that my question is not precise enough. >> > The documentation I linked is

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thanks Alexander, unfortunately I could only find outdated documentation. I just realized that my question is not precise enough. Suppose I have a master running in its LAN, with all required ports open. Now I want to set up a replica running in a docker in an AWS EC2 instance. From your answer,

Re: [Freeipa-users] FreeIPA Server installation on ubuntu 14.0

2016-10-17 Thread Lukas Slebodnik
On (13/10/16 08:15), Deepak Dimri wrote: > >Hi Alexander, > >I have tried it on ubuntu 16.04 as well but no luck either. Getting the same >error: > > >sudo apt-get install freeipa-server > >Reading package lists... Done > >Building dependency tree > >Reading state information... Done > >E:

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy
On ma, 17 loka 2016, Karl Forner wrote: On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote: On ma, 17 loka 2016, Karl Forner wrote: Thanks Alexander, unfortunately I could only find outdated documentation. I just realized that my question is not precise enough.

Re: [Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-17 Thread Martin Kosek
On 10/14/2016 03:29 PM, Coy Hile wrote: > > > Will there be builds in a COPR for rhel/cents 7? I would recommend waiting on RHEL-7.3, which should be released soon enough. RHEL-7.3 contains an IdM/FreeIPA version that is very close to upstream version 4.4.2. Martin -- Manage your

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy
On ma, 17 loka 2016, Brian Candler wrote: Sorry if this is a frequently asked question, but it's not easy to find a simple answer. * Can I use FreeIPA (v4) as a domain controller for Windows machines to join? No. * If not, what's the recommended free/open solution? Would it be to set up a

[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Matt .
Hi Guys, I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24 I already checked some info and: ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX Gives me TU instead of MII as expected. Any suggestions further ? Thanks, Matt 2016-10-17T22:19:10Z DEBUG Starting external process

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-17 Thread Jochen Hein
Timo Aaltonen writes: > On 16.10.2016 08:00, Jochen Hein wrote: >> Timo Aaltonen writes: >> >>> On 15.10.2016 22:33, Jochen Hein wrote: Timo Aaltonen writes: >>> >>> Looks like it was due to a misunderstanding.. it got

Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Martin Babinsky
On 10/18/2016 12:30 AM, Matt . wrote: Hi Guys, I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24 I already checked some info and: ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX Gives me TU instead of MII as expected. Any suggestions further ? Thanks, Matt

Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread 郑磊
Maybe you should specify the specific $SUFFIX according to your environment. -- Best wishes: success at work and a happy life! -- Changsha R&D Center 郑磊 Phone:18684703229 Email:zheng...@kylinos.cn Company:天津麒麟信息技术有限公司 Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan -- Original

[Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Hi, We've recently tried to change our https web certs for our IPA servers following the instructions listed here: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP The web gui is successfully using https now, however we are having several other problems. Enrollment now

Re: [Freeipa-users] Problems after install 3rd Party Certs

2016-10-17 Thread Joshua Ruybal
Forgot to add. After some digging I saw the CA needed to be added to the nssdbs I've added the CA cert to: [root@ipa02 ipa02]# certutil -A -d /etc/pki/nssdb -n 'NewCA' -t CT,C,C -a -i fullchain.pem [root@ipa02 ipa02]# certutil -A -d /etc/httpd/alias -n 'NewCA' -t CT,C,C -a -i fullchain.pem

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-17 Thread Timo Aaltonen
On 16.10.2016 08:00, Jochen Hein wrote: > Timo Aaltonen writes: > >> On 15.10.2016 22:33, Jochen Hein wrote: >>> Timo Aaltonen writes: >>> Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1! >>> >>> Thanks for your work on

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jakub Hrozek
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote: > Hi, > please can you help me with troubleshooting IPA clients in IPA - AD trust > scenario ? We have two IPA servers and couple of clients running on RHEL 6 > and 7. IPA is running on RHEL 7.2. > AD servers are in domains

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Günther J . Niederwimmer
Hello Martin and List Thanks for the answer and Help. I mean my big Problem is to understand the way to configure an ACI :-(. I can't find any example or docs to configure this correctly :-(. I mean this is a problem for the professional LIGA in FreeIPA , and I am not a professional :-(.. I

[Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jan Karásek
Hi, please can you help me with troubleshooting IPA clients in IPA - AD trust scenario ? We have two IPA servers and couple of clients running on RHEL 6 and 7. IPA is running on RHEL 7.2. AD servers are in domains example.cz, cen.example.cz. Test users sits in cen.example.cz. IPA is subdomain

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Martin Babinsky
On 10/17/2016 02:25 PM, Günther J. Niederwimmer wrote: Hello Martin and List Thanks for the answer and Help. I mean my big Problem is to understand the way to configure an ACI :-(. I can't find any example or docs to configure this correctly :-(. I mean this is a problem for the professional

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
On 17/10/2016 15:06, Alexander Bokovoy wrote: Would there be any benefit the other way round - creating identities in S4 and using them to login to FreeIPA-joined *nix boxes? I guess the problem then is where posix attributes like uid and gid come from. This works for Samba AD > 4.4. The code

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy
On ma, 17 loka 2016, Brian Candler wrote: On 17/10/2016 15:06, Alexander Bokovoy wrote: Would there be any benefit the other way round - creating identities in S4 and using them to login to FreeIPA-joined *nix boxes? I guess the problem then is where posix attributes like uid and gid come

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy
On ma, 17 loka 2016, Brian Candler wrote: On 17/10/2016 11:14, Alexander Bokovoy wrote: We are not yet at the point you could use IPA-hosted identities to login to Windows machines joined to AD, though, regardless which AD implementation it is. That's very helpful, thank you. So basically it

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Brian Candler
On 17/10/2016 14:56, freeipa-users-requ...@redhat.com wrote: But now I have to create for this user a ACI to read the uid, passwd,mail,mailAlternateAddress... mailAlternateAddress is in "objectClass mailrecipient" I mean I must have a ACI like access to attribute= Have any a hint

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thank you ! This is at last crystal clear for me ! Thank you also for the VPN/tunneling suggestion, I'll look into it. On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy wrote: > On ma, 17 loka 2016, Karl Forner wrote: > >> On Mon, Oct 17, 2016 at 10:33 AM, Alexander

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Sumit Bose
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote: > Hi, > please can you help me with troubleshooting IPA clients in IPA - AD trust > scenario ? We have two IPA servers and couple of clients running on RHEL 6 > and 7. IPA is running on RHEL 7.2. > AD servers are in domains

Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler
On 17/10/2016 11:14, Alexander Bokovoy wrote: We are not yet at the point you could use IPA-hosted identities to login to Windows machines joined to AD, though, regardless which AD implementation it is. That's very helpful, thank you. So basically it means that for the time being, our admins