[Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group. I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this:

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
01:36 PM, Fred van Zwieten wrote: Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group. I want to do this from the OpenVPN service using

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
: openvpn1 and openvpn2 Then configure the two instances with: plugin openvpn_auth_pam openvpn1 and plugin openvpn_auth_pam openvpn2 respectively. Then you can create HBAC rules in IPA using openvpn1 and openvpn2 as service names. Simo. On Fri, 2012-10-05 at 20:58 +0200, Fred van Zwieten

Re: [Freeipa-users] Query IPA for group membership

2012-10-06 Thread Fred van Zwieten
Alexander, Simo, Thank you very much for this extensive explanation. I'll set it up Monday and let you know how it will go. Fred On Sat, Oct 6, 2012 at 8:31 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Sat, 06 Oct 2012, Fred van Zwieten wrote: Hang on.. I don't see how this can work (I

[Freeipa-users] DNS forwarding problem

2012-10-22 Thread Fred van Zwieten
Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr of ipa.example.com in resolv.conf - an A record for client.sub.example.com in DNS server host.sub.example.com Problem:

[Freeipa-users] DNS forward to sub domain not working

2012-10-22 Thread Fred van Zwieten
Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr of ipa.example.com in resolv.conf - an A record for client.sub.example.com in DNS server host.sub.example.com Problem:

Re: [Freeipa-users] DNS forward to sub domain not working

2012-10-23 Thread Fred van Zwieten
on the IPA server. Thank you for the answers Fred On Tue, Oct 23, 2012 at 10:00 AM, Petr Spacek pspa...@redhat.com wrote: On 10/23/2012 09:51 AM, Sumit Bose wrote: On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote: Hello, I have a problem. My setup: - IPA server for domain

[Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-12 Thread Fred van Zwieten
Hi there, We are in the process of implementing Satellite and want to automate server installations 100% using kickstart, cobbler, satellite. IPA clients can be scripted enrolled using kickstart. Plenty of documentation about that. However, how to re-enroll IPA clients? Satellite gives me the

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-18 Thread Fred van Zwieten
mean the server has to know somehow it is being rebooted because of a re-install, but afaik, there is no way for satellite/spacewalk to tell the server this.. Regards, Fred On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal d...@redhat.com wrote: On 01/12/2013 03:28 AM, Fred van Zwieten wrote

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-18 Thread Fred van Zwieten
step. Come to think of it...there is also an API for Satellite. Maybe I can make a script that will first do the IPA stuff and then call Satellite to redeploy the server. hmmm, will look into this...and report my findings Kind regards, * Fred van Zwieten * *Enterprise Open

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-23 Thread Fred van Zwieten
scared promoting it as a solution. Regards, Charlie. On Fri, Jan 18, 2013 at 8:14 PM, Fred van Zwieten fvzwie...@vxcompany.com wrote: Dmitri, Sure I can do this. I can make a script, and have this executed from Satellite (remote command) and then perform the server

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-23 Thread Fred van Zwieten
On Wed, Jan 23, 2013 at 10:01 PM, Dmitri Pal d...@redhat.com wrote: On 01/23/2013 03:24 PM, Fred van Zwieten wrote: Dmitri, If I understand correctly this would mean I backup the keytab before reinstall and restore it after (easily done with Satellite), then do an ipa-client-install using

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-25 Thread Fred van Zwieten
that. As for the ipa-host-mod --password=foo thing. You can first run the command ipa disable-host fqdn and _then_ run ipa host-mod fqdn --password=foo Kind regards, * Fred van Zwieten * *Enterprise Open Source Services* * Consultant* *(absent on Fridays)* *VX Company IT Services B.V

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-25 Thread Fred van Zwieten
it back afterwards. Then I can call ipa-client-install with the old keytab to enroll the client, revoke the old keytab and get a new one in one go. I have already also asked about this on the satellite-user mailing-list. Fred On Fri, Jan 25, 2013 at 8:35 AM, Fred van Zwieten fvzwie

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2013-02-04 Thread Fred van Zwieten
Hi, ipa-client-install should take care of setting up sudo on the client to use IPA, afaik. Essential line in nsswitch.conf: sudoers:files ldap Please read

Re: [Freeipa-users] Backup and Restoration of IPA Server

2013-02-04 Thread Fred van Zwieten
This triggers me on something related. We do use snapshots on VMs. However, we want to separate data and system disks within the guests. We have /var on a separate disk and only that disk is getting snapshots. So, is IPA data living in /var? Fred On Mon, Feb 4, 2013 at 11:54 AM, Rajnesh Kumar

[Freeipa-users] Howto use IPA for internal websites

2013-02-06 Thread Fred van Zwieten
Hi, We have installed IPA in our internal network (let's call it example.com). We have all kinds of internal websites running for various administrative tasks. These websites are in all kinds of subdomains of example.com. We would like to have them use a certificate signed by our CA. Some

[Freeipa-users] How to create readonly on all IPA data

2013-06-24 Thread Fred van Zwieten
Hi there, We have implemented IPA. We need to give someone in our org a read-only account on all IPA data. So, internal IPA data, users, groups, hosts, DNS, etc. All. So I want to create a role Auditor. But then I must build privs and permissions. What would be the simplest/best way to do this?

Re: [Freeipa-users] IPA, Samba and AD

2013-07-03 Thread Fred van Zwieten
for the Samba/AD interoperability? I don't know yet. It depends on what works best with this setup. I am not (yet) a Samba wunderguy, so these discussions help me (thanks for that). Fred On Wed, Jul 3, 2013 at 11:11 AM, Alexander Bokovoy a...@vda.li wrote: On Wed, 03 Jul 2013, Fred van Zwieten wrote

[Freeipa-users] Fwd: Windows, Samba and IPA

2013-09-20 Thread Fred van Zwieten
Hi, I wonder if it is possible to have Windows clients (member of some domain) connect to SAMBA shares with an IPA account. I found various howto's for Kerberized SAMBA but they all use Linux as the client platform. I have tried to set it up using a Red Hat Solution article, but I did not get

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Fred van Zwieten
the AD route. But now, users from the AD domain can access Samba shares. Correct? Fred On Wed, Jul 3, 2013 at 4:19 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 03 Jul 2013, Fred van Zwieten wrote: 1. Do you have the same realms for both IPA and AD? Yes. 2. Do you have exactly

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Fred van Zwieten
running on it is a member of its own NT-4 domain. Afaik NT-4 style domains do nothing with Kerberos nor with DNS. So, no name clashes. Correct? Kind regards, * Fred van Zwieten * *Enterprise Open Source Services* * Consultant* *(absent on Wednesdays)* *VX Company IT Services B.V.* *T* (035

Re: [Freeipa-users] IPA, Samba and AD

2013-09-22 Thread Fred van Zwieten
Well, as explained in this thread, the problem here is that we have an IPA domain named MYCOMP.EDU _and_ an AD domain named MYCOMP.EDU as well. Both have their own DNS servers. It's beyond the scope of this mail to explain why we have named them exactly the same, and we do wish we didn't, but this

Re: [Freeipa-users] IPA, Samba and AD

2013-09-23 Thread Fred van Zwieten
. However, users and DNS are quite a lot *and* we want to migrate the user passwords. For DNS we could use zone transfers. But for user passwords? Is there an IPA export/import type of functionality (in RHEL64) that can provide this? Kind regards, * Fred van Zwieten * *Enterprise Open Source

[Freeipa-users] vsftpd and IPA and openldap

2013-11-03 Thread Fred van Zwieten
Hi there, I have a question. We have a vsftpd service running which authenticates its virtual users against an application-level openldap database. No IPA involved here. It works using pam_ldap. The virtual users are mapped to a local user thru the guest_user=user directive in vsftpd.conf. As

[Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
Hi, When being root on an ipa-client, I can su to any IPA user. This is somewhat unexpected behaviour in comparison to Windows. If I am local administrator on a Windows AD member server, I cannot become a domain user. I need to be domain administrator for that. Is it possible to have this

Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
...@redhat.com wrote: On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote: On Fri, 29 Nov 2013, Fred van Zwieten wrote: Hi, When being root on an ipa-client, I can su to any IPA user. This is somewhat unexpected behaviour in comparison to Windows. If I am local

[Freeipa-users] Sudo rule processing order

2014-01-10 Thread Fred van Zwieten
Hi, I have a sudo rule in IPA that has the !authenticate option added to enable admins to execute certain programs as root without authentication. It doesn't work. There is another rule for the admins that allows all commands as long as they give their password. In a sudoers file, you can solve

Re: [Freeipa-users] Sudo rule processing order

2014-01-10 Thread Fred van Zwieten
, Fred van Zwieten wrote: Hi, I have a sudo rule in IPA that has the !authenticate option added to enable admins to execute certain programs as root without authentication. It doesn't work. There is another rule for the admins that allows all commands as long as they give their password

Re: [Freeipa-users] Sudo rule processing order

2014-01-13 Thread Fred van Zwieten
,cn=plugins,cn=config changetype: modify add: schema-compat-entry-attribute schema-compat-entry-attribute: sudoOrder=%{sudoOrder} This should do the trick. Martin On 01/10/2014 05:17 PM, Martin Kosek wrote: On 01/10/2014 04:52 PM, Fred van Zwieten wrote: Yes, you would expect

[Freeipa-users] passwordless login into IPA clients possible from non IPA client?

2014-03-19 Thread Fred van Zwieten
Hi, Subject says it all actually. I have a laptop with Fedora20. I work as a contractor on different assignments. Some of them have an IPA domain set up. Their RHEL6 servers are all IPA clients. I would like to ssh into these servers passwordless using ssh-agent and such. Is this possible? If so,