At my company, we are trying to set up a pilot with FreeIPA and we are having some
issues. We would like to leverage our corporate AD infrastructure which mainly
lives in "somedom2.com", and is a member of "rootdom1.com" forest. Note the
different DNS naming between the root domain and the tree. O
Matt,
Try the following...
# Get admin TGT
kinit ad...@realm.com
# Get keytab for user account
ipa-getkeytab -s coipa100 -p cron_run...@realm.com -k ipa_cron_runner.keytab
# Clear tickets
kdestroy
# Request TGT using the keytab
kinit -k -t ./ipa_cron_runner.keytab cron_run...@realm.com
# List tic
I wrote a script to query IPA for accounts with passwords that are about to expire (so I can nag them with an email to reset their password), and I also added logic in my script to ignore accounts that are disabled. So I needed a way to query my IPA server for this info. I came up with 2 solution
What we do in our environment is create "service users" that are designated for certain tasks. Say you need to run an rsync job every night; after the user is created, you will need to create a keytab. Then copy the keytab file over to the box that the cronjob will run on. Then at the top of the
We have a single realm distributed across 2 data centers and 2 offices with
4 replicated IPA servers (2 in each data center). We are running IPA server
and client v2.2.0 on all servers and replication appears to be functioning
correctly. What I have noticed is that some servers in DC1, have no
files (e.g. resolv.conf and ldap.conf) that
would need to be managed too. Maybe there are some other IPA client config
files that setup static mappings during the join process. Anyone know which
ones to look at?
Thanks,
Mike
- Original Message -
From: Peter Brown
To: Michael OR
I'm not sure if this will help (not being a Solaris shop), but when we rolled
out IPA in our environment, I had some trouble with ssh and kerberos auth
working correctly. As it turned out, the fix was adding reverse lookup records
(PTR) in the DNS for all the servers.
-Mike
-Original Me
We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working very well and we plan to move it into production soon.
I haven't written a how-to, but I have several notes on setting this up.
What part of PWM are you having trouble with?
-Mike
- Original Message -
Fro
- Original Message -
From: "Dmitri Pal"
To:
Sent: Wednesday, March 20, 2013 7:29 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset
On 03/20/2013 07:23 PM, Michael ORourke wrote:
We have a POC with PWM and a testIPA server running freeIPA v2.2.0.
It is working
- Original Message -
From: "KodaK"
To: "Michael ORourke"
Cc:
Sent: Wednesday, March 20, 2013 8:35 PM
Subject: Re: [Freeipa-users] Mail Challenge Password Reset
On Wed, Mar 20, 2013 at 6:23 PM, Michael ORourke
wrote:
We have a POC with PWM and a testIPA se
We have 4 replicated IPA servers running in our environment, 2 in each data
center and we have been having some problems with named quitting. Early this
morning 'named' on both IPA servers in our production data center died. I was
able to login and simply restart named. So I am not sure what c
mping core
Hello,
On 8.7.2013 02:15, Michael ORourke wrote:
We have 4 replicated IPA servers running in our environment, 2 in each
data center and we have been having some problems with named quitting.
Early this morning 'named' on both IPA servers in our production data
center died. I w
What about the pGina project? I haven't tried this personally, but it
sounds like it might be something that could work with FreeIPA (using
the LDAP plugin).
Reference: http://pgina.org/
And this article looks helpful:
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
Or perhap
What we do is create a non-posix group in FreeIPA and apply a custom password policy, then join the users to that group. Then login as the service account and reset the account's password to some random string. But if you reset it through the UI, it will set the password to expire in 1 hour. Als
Jeffrey,
You will want to use the Sudo Option "!authenticate".
-Mike
-Original Message-
From: "Armstrong, Jeffrey"
Sent: Apr 1, 2016 1:14 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] using sudo in ipa
Hi
I would like to know how to configure sudo in the IdM env
It sounds like the multitenancy configuration is not an option currently. What about running separate FreeIPA instances per client in containers (Docker)? Each client could have their own set of servers per DC and you could still keep your proposed DNS structure. Regarding FreeIPA server replica
I have a question regarding AD Integration with FreeIPA (CentOS
7.1/freeipa 4.2.0) and Windows Server 2008 R2 with a Functional Level
forest of 2008 R2. Given a simple scenario of a group in active
directory that is mapped to a POSIX group in FreeIPA, if a change is
made on the AD side such as
-Original Message-
>From: Sumit Bose
>Sent: Apr 8, 2016 3:36 AM
>To: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
>> I have a question regar
-Original Message-
>From: Michael ORourke
>Sent: Apr 8, 2016 11:01 AM
>To: Sumit Bose , freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] AD Integration change propagation timing
>
>-Original Message-
>>From: Sumit Bose
>>Sent: Apr 8, 20
I was able to get an older version of PWM (v.1.6.4 b1185) with an older FreeIPA v.3.0.0 working together. It's been a few years since I initially set it up, but I recall it was not easy getting PWM to cooperate with IPA. I do recall that I had to grant some extra privileges for the "proxy" user.
I'm just looking for some clarification from the documentation:
http://www.freeipa.org/page/Active_Directory_trust_setup
In the section that starts with "Edit /etc/krb5.conf", they mention a manual
configuration to the krb5.conf file for machines that will be leveraging AD
users:
[realms]
IPA_DO
Roderick,
Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
Now we can leverage the keytab for that u
Yes, because you can point the automount maps to whatever device you want. NFSv4 might be more tricky to set up on a SAN device and may or may not work depending on the software/firmware of the device. NFSv3 is a well supported protocol across SAN vendors and you should not have any problems setti
What about using the pGina project on the Windows side?
Reference:
http://blog.zwiegnet.com/linux-server/configure-pgina-windows-7-openldap-authentication/
-Mike
-Original Message-
>From: John Meyers
>Sent: May 18, 2016 5:19 PM
>To: freeipa-users@redhat.com
>Subject: [Freeipa-users] How
--location=default
9). On the client machines, make sure the autofs service is enabled and running.
systemctl enable autofs
systemctl start autofs
10). Test automount by logging into the client.
That should do it!
-Mike
-Original Message-----
From: "Ben .T.George"
Sent: May 18, 2016 10:03 A
A couple of ways to go about this. If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password. You need to assure that the DNS forward/stub zones a
you. Also, you will need to set up a separate DNS zone and some forwarding rules. Otherwise you are going to have problems.
-Mike
-Original Message-
From: "Ben .T.George"
Sent: May 23, 2016 10:07 AM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] What id my AD
ains with the same DNS zone name. So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.
-Mike
-Original Message-
From: "Ben .T.George"
Sent: May 23, 2016 10:44 AM
To: M
Did you try installing PWM on a separate instance, or are you trying to install
it on the FreeIPA server? I don't recall any issues with pki-tomcat when I
setup PWM (older version), but I installed it on a VM that was joined to
FreeIPA.
-Mike
-Original Message-
>From: Zak Wolfinger
._tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.
-Mike
-Original Message-
From: "Ben .T.George"
Sent: May 23, 2016 2:22 PM
To: Michael ORourke
Cc: freeipa-users
Subject: Re: [Freeipa-users] What