FreeIPA 4 is currently available in RHEL 7.1.
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steve Neuharth
Sent: Tuesday, March 31, 2015 10:02 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] freeipa 4.x packages for RHEL?
Hello,
We'r
Yes, but you need to allow zone transfers to your non-IPA servers:
$ ipa dnszone-mod --allow-transfer="1.2.3.4" domain.com
(where 1.2.3.4 is the IP of your new slave and domain.com is the zone name you
want to transfer)
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...
Is the PowerDNS slave in the NS RRSet for the IPA domain? Unfortunately,
bind-dyndb-ldap does not support 'also-notify' which would allow us to send
notifies each time a zone update occurs to slave servers that are not in the
RRSet [1]. To compensate for this in my environment, I had to lower
You should add your IPA zone as a slave on your 'external' DNS servers so they
are able to resolve the IPA zone.
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
Sent: Monday, May 18, 2015 10:10 AM
To: Freeipa-users
Subject: [
You need to specify '--no-ntp' on 'ipa-client-install'
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of John Stein
Sent: Tuesday, July 07, 2015 7:38 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Using NTP SRV records
Hi,
I have an IP
Hi,
We are running the most recent IPA packages in RHEL7 and are facing a few
issues when accessing the web console:
First, since we utilize a Kerberos trust with AD, we had to create 'internal'
IPA users that we use to login to the web console. I believe it is expected
that AD users cannot l
Hi all,
I realize that this will vary from instance to instance, but I'm curious on how
others are handling naming conventions for things like HBAC rules, sudo rules,
etc.
Here is how I am handling things today:
* External groups have an 'external' prefix (eg, external_groupname)
* Hostgroups
Hi,
If I'm understanding you correctly - you will want to nest 'external' groups
into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users.
There are examples of this in the IdM documentation, but the gist is:
* Create an 'external' group in IPA (eg, ipa-group-add external_admi
Hi,
I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and
had a few questions about the concept of trust agents/controllers.
Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was run on)
considered 'trust controllers'? In my lab, the upgrade automatica
Hi all,
In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica,
and I seem to be hitting something similar to #5412 [1].
The 'ipa-replica-install' is getting stuck on:
[4/26]: creating installation admin user
Dirsrv error logs on the new replica:
[17/Nov/2016:08:45:09.3
27; and report back.
Thanks,
Josh
-Original Message-
From: Martin Babinsky [mailto:mbabi...@redhat.com]
Sent: Friday, November 18, 2016 3:17 AM
To: Baird, Josh ; 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] IPA 4.4 replica installation failing
On 11/17/2016 03:51 P
Yes, this is expected.
From the IPA documentation [1]:
"The IdM-integrated DNS is multi-master. SOA serial numbers in IdM zones are
not synchronized between IdM servers. For this reason, configure DNS slave
servers to only use one IdM master server. This prevents zone transfer failures
caused
Hi,
We are evaluating RHEL7 IdM (FreeIPA 3.3) for identity management for our UNIX
infrastructure. All of our Linux hosts currently have standard and consistent
UID/GIDs for at least all of our administrative users. I'm looking for advice
on how to migrate these users into IPA.
Since we alre
> So if I understand this right, you're planning on two back to back user
> migrations? First is local->FreeIPA, then eventually FreeIPA->AD? Are your
> current "local" users coincidentally the same as your current AD users?
Well - I will likely try to skip the Local -> FreeIPA and just go directl
> I wouldn't recommend duplicating your users, pick one and use that. If you
> want to be able to manage your users, groups, HBAC, sudo, etc.
> centrally then you'll want the users in IPA. But if you leave them locally you
> may end up with corner case problems.
>
> If you *do* end up adding your
Hi,
We are attempting to run ipa-client-install in the %post section of a Kickstart
in order to join the host to an IPA domain (3.3/RHEL7 IdM). We are using
something like:
/usr/sbin/ipa-client-install -w 'one-time-password' --realm=REALM.COM -U
--no-ssh --no-sshd --no-ntp --domain=realm.com
Hi,
I'm attempting to establish a trust between FreeIPA 3.3 and AD 2008 R2. My IPA
domain consists of two servers (one master and one replica). I have verified
that DNS is configured properly as the IPA domain can resolve AD and the AD
domain can resolve IPA hosts.
On each IPA server, I perf
Hi,
The docs state this:
"DNS slaves will transfer the whole zone periodically as is specified in zone's
SOA record. DNS masters also send DNS NOTIFY messages to inform slaves about a
change asynchronously."
I have a need to execute zone transfers from my IPA server(s) to non-IPA slaves
and I
I should also note that adding "also-notify { 1.2.3.4; };" to /etc/named.conf
on the IPA server does not actually trigger notifies for whatever reason.
> -Original Message-
> From: Baird, Josh
> Sent: Thursday, January 08, 2015 9:35 AM
> To: freeipa-users@redhat.co
Hi,
We are currently piloting FreeIPA4 (RHEL 7.1 IdM) in our environment. We plan
on establishing a trust with AD at some point during the POC. An overview of
the current DNS design:
* FreeIPA runs integrated DNS (ie, ipa.domain.com)
* Servers in our environment (even once joined to IPA) cont
William,
I don't understand why I would have problems if AD DNS can resolve IPA dns, and
IPA DNS can resolve AD DNS?
The DNS servers that my servers are using can resolve both AD and IPA.
Thanks,
Josh
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
Hi,
I'm considering migrating to automounted home directories (via NFS), but would
like to avoid having to manually create/provision the home directories on the
NFS server. This [1] blog covers the very topic, but I'm not sure that any
progress was ever made.
Does anyone have any ideas or sug
0, 2015 6:01 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Automount and home directory creation
>
> On 01/20/2015 05:40 PM, Baird, Josh wrote:
> > Hi,
> >
> > I'm considering migrating to automounted home directories (via NFS), but
> would
Hi,
I'm looking for an easy way to validate that all replication agreements are
functioning correctly between all of my IPA masters and replicas. I am aware
that I can run 'ipa-replica-manage list -v' from each IPA master, but I was
looking for something more centralized that could give me a r
That would be great, thanks!
Josh
> -Original Message-
> From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
> Sent: Thursday, February 05, 2015 11:34 AM
> To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Real-time replicat
There is active development on the puppet-ipaclient module [1]. You should see
a new release in the next few days that adds better support for ipa4, exposes
sssd options and more.
[1] https://forge.puppetlabs.com/stbenjam/ipaclient
We will be using this module to automate the client install on
Hi,
I have successfully established a trust in my lab environment running IPA 4.1
(RHEL7.1) and a Windows 2008 R2 domain with Windows 2003 domain/forest
functional levels. I'm now trying to establish a trust with my production AD
domain (same functional level). The only difference is that my
eipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Baird, Josh
Sent: Monday, March 09, 2015 5:06 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Error establishing trust with AD domain
Hi,
I have successfully established a trust in my lab environment
I'm also interested in how people are handling this - especially when using AD
Trusts.
When using a trust, the IPA host not only has to communicate with IPA servers,
but with potentially every AD domain controller in your HUB site. For us, this
is a large number of domain controllers which mea
RHEL 7.2 went GA today.
> On Nov 19, 2015, at 7:59 PM, Christopher Young wrote:
>
> I recall that original message about the packaging before RHEL 7.2 and
> how few of us expressed interest. I believe I did respond to the
> positive that I could use these packages, but I certainly understand
I believe the sssd clients will need to communicate directly with your AD
domain controllers, unfortunately. I wish there was a clean way around this,
since we have a ton of DC's in our HUB site, and I don't really want to poke
holes in the firewall(s) for all of them.
Would someone from sss
Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
problem.
Example:
Rule name: TestDBAs
Description: access for members of the TestDBAs group
Enabled: TRUE
Command category: all
User Groups: testdbas
Host Groups: corp_oracle
RunAs External User: oracle
In
Group the commands can run as (sudorule-find
only)
I'm not sure why those commands would be limited to sudorule-find only.
Josh
> -Original Message-
> From: Rob Verduijn [mailto:rob.verdu...@gmail.com]
> Sent: Thursday, February 04, 2016 11:13 AM
>
For AD users, I believe you have two options.
1) Set the POSIX value on the user in AD for the shell
2) Set the following in your client's sssd.conf:
[nss]
override_shell = /bin/bash
This would obviously be global per IPA client.
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-use
other per-user level attributes that are required, home
directory perhaps?, but the two big ones are shell and ssh keys. I can't be
the only one who has a use case for managing these attributes for Active
Directory users.
Thanks,
Jon A
On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh
mailto:jba
It sounds like you are trying to login to Windows AD clients using IPA
credentials?
If so, I do not believe this functionality is currently supported.
Thanks,
Josh
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Ja
No, logging into Windows AD clients using IPA credentials is not currently
supported. This functionality is currently under development.
See this thread [1] for more information.
[1] https://www.redhat.com/archives/freeipa-users/2016-February/msg00119.html
Josh
From: freeipa-users-boun...@red
Hi all,
I'm attempting to integrate Samba 4.2.3 with IPA 4.2 (RHEL7). I have a
kerberos trust established between IPA and AD. I have followed the
instructions on the wiki [1], but had some questions and problems specifically
related to share permissions:
I'm having trouble with shares where
---
From: Justin Stephenson
To: "Baird, Josh" , "'freeipa-users redhat com'"
Subject: Re: [Freeipa-users] Samba Integration with AD Trust
Date: Tue, 22 Mar 2016 15:09:50 -0400
I have used the following successfully in the past:
[shared]
path
Actually - it looks like this is working. I think I had something cached on
the Windows client that I was testing from.
Thanks for the help.
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Baird, Jo
You can refer to the ‘Identity Management’ section in the RHEL documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ben .T.George
Sent: Tuesday, April 12, 2016
I would start by reading the documentation [1].
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/automount.html
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf
42 matches