Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Aly Khimji
Great

I basically just advised that if they want to make all the IDM bells and
whistles work with AD and elevated access they need to move on from 2k3,
as it's just not really being supported upstream.


Thanks guys.




On Wed, Jun 19, 2013 at 3:24 PM, Ana Krivokapic wrote:

> On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
> > On Wed, 19 Jun 2013, Dmitri Pal wrote:
> >> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
> >>> On Wed, 19 Jun 2013, Aly Khimji wrote:
> >>>> So as others have mentioned windows obviously isn't my area of focus
> >>>> here either, however we have this working with 2003r2, but I do
> >>>> notice odd behaviour with "id" returning odd results sometimes
> >>>> depending on what system I am logged in from or initial logins
> >>>> failing the first time and working the second time, would this be a
> >>>> result of 2003 trust vs 2008 trust?
> >>> Ok, so I have tried another time and went through Windows Server
> >>> 2003 R2 setup again.
> >>>
> >>> You need to select domain functional level Windows Server 2003 and
> >>> after that raise forest functional level to Windows Server 2003.
> >>>
> >>> Only in this case it will work, though without AES encryption (only
> >>> RC4 encryption is available).
> >>>
> >>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
> >>> for Windows specifics.
> >>>
> >>> In order to raise forest functional level one needs to open 'Active
> >>> Directory Domains and Trusts' snap-in and right-click on 'Active
> >>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
> >>> forest functional level ...' and use "Windows Server 2003" as the level
> >>> to raise.
> >>>
> >>> After that you can try establishing trust from IPA side.
> >>>
> >>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but
> >>> behavior should be the same in RHEL 6.4):
> >>>
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
> >>>
> >>> (went and raised forest functional level)
> >>> # ipa trust-add ad.domain --admin Administrator --password
> >>> Active directory domain administrator's password:
> >>> --
> >>> Added Active Directory trust for realm "ad.domain"
> >>> --
> >>>   Realm name: ad.domain
> >>>   Domain NetBIOS name: ADP
> >>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
> >>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>   S-1-5-18, S-1-5-19, S-1-5-20
> >>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
> >>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
> >>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
> >>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
> >>>   S-1-5-18, S-1-5-19, S-1-5-20
> >>>   Trust direction: Two-way trust
> >>>   Trust type: Active Directory domain
> >>>   Trust status: Established and verified
> >>>
> >>>
> >>> Note that there will be all kinds of issues due to AES encryption keys
> >>> being missing -- you would not be able to use IPA credentials to obtain
> >>> Kerberos tickets against Windows services, for example. This whole
> >>> experiment is rather of a limited value.
> >>>
> >>> But at least, log-in with PuTTY 0.62 works.
> >>>
> >>
> >> Should we put this on wiki as a how to?
> > Definitely. If nobody beats me through the night, adding it to
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> > tomorrow.
> >
> >
>
> The wiki page has been updated with this information.
>
>
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2
>
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Ana Krivokapic
On 06/19/2013 06:47 PM, Alexander Bokovoy wrote:
> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>>> So as others have mentioned windows obviously isn't my area of focus
>>>> here either, however we have this working with 2003r2, but I do notice
>>>> odd behaviour with "id" returning odd results sometimes depending on
>>>> what system I am logged in from or initial logins failing the first time
>>>> and working the second time, would this be a result of 2003 trust vs
>>>> 2008 trust?
>>> Ok, so I have tried another time and went through Windows Server 2003 R2
>>> setup again.
>>>
>>> You need to select domain functional level Windows Server 2003 and after
>>> that raise forest functional level to Windows Server 2003.
>>>
>>> Only in this case it will work, though without AES encryption (only RC4
>>> encryption is available).
>>>
>>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>>> for Windows specifics.
>>>
>>> In order to raise forest functional level one needs to open 'Active
>>> Directory Domains and Trusts' snap-in and right-click on 'Active
>>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>>> forest functional level ...' and use "Windows Server 2003" as the level
>>> to raise.
>>>
>>> After that you can try establishing trust from IPA side.
>>>
>>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>>> should be the same in RHEL 6.4):
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> (went and raised forest functional level)
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> --
>>> Added Active Directory trust for realm "ad.domain"
>>> --
>>>   Realm name: ad.domain
>>>   Domain NetBIOS name: ADP
>>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>   S-1-5-18, S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>   S-1-5-18, S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>>
>>> Note that there will be all kinds of issues due to AES encryption keys
>>> being missing -- you would not be able to use IPA credentials to obtain
>>> Kerberos tickets against Windows services, for example. This whole
>>> experiment is rather of a limited value.
>>>
>>> But at least, log-in with PuTTY 0.62 works.
>>>
>>
>> Should we put this on wiki as a how to?
> Definitely. If nobody beats me through the night, adding it to
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> tomorrow.
>
>

The wiki page has been updated with this information.

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trusts_and_Windows_Server_2003_R2

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.



Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy

On Wed, 19 Jun 2013, Aly Khimji wrote:

> hey guys,
>
> so at this point in time we haven't been having any issues, but I am not
> 100% if the odd issues we have been having have been related to 2003 vs
> 2008 issue
>
> when we joined our IPA server to the 2003r2 we got the following output
>
> [root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd..com --admin
> Administrator --password
> Active directory domain administrator's password:
> --
> Added Active Directory trust for realm "CorpNonPrd..com"
> --
>  Realm name: CorpNonPrd..com
>  Domain NetBIOS name: CORPNONPRD
>  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>  Trust status: Established and verified
> [root@didmsvrua01 ~]#
>
>
> This looks slightly different than yours, does this look like a properly
> established trust? I don't seem to have any issues in regards to AES, and
> trust users can log into clients however there are issues where the first
> attempt takes a long time to login to the point of timeout and the second
> one works

As I said, my output corresponds to 3.2 version, yours -- to 3.0. That's
fine.


--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Aly Khimji
hey guys,

so at this point in time we haven't been having any issues, but I am not
100% if the odd issues we have been having have been related to 2003 vs
2008 issue

when we joined our IPA server to the 2003r2 we got the following output

[root@didmsvrua01 ~]# ipa trust-add --type=ad corpnonprd..com --admin
Administrator --password
Active directory domain administrator's password:
--
Added Active Directory trust for realm "CorpNonPrd..com"
--
  Realm name: CorpNonPrd..com
  Domain NetBIOS name: CORPNONPRD
  Domain Security Identifier: S-1-5-21-417068303-3117552414-2168216644
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@didmsvrua01 ~]#


This looks slightly different than yours, does this look like a properly
established trust? I don't seem to have any issues in regards to AES, and
trust users can log into clients however there are issues where the first
attempt takes a long time to login to the point of timeout and the second
one works

Aly




On Wed, Jun 19, 2013 at 12:47 PM, Alexander Bokovoy wrote:

> On Wed, 19 Jun 2013, Dmitri Pal wrote:
>
>> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>>
>>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>>
>>>> So as others have mentioned windows obviously isn't my area of focus
>>>> here either, however we have this working with 2003r2, but I do notice
>>>> odd behaviour with "id" returning odd results sometimes depending on
>>>> what system I am logged in from or initial logins failing the first time
>>>> and working the second time, would this be a result of 2003 trust vs
>>>> 2008 trust?
>>>
>>> Ok, so I have tried another time and went through Windows Server 2003 R2
>>> setup again.
>>>
>>> You need to select domain functional level Windows Server 2003 and after
>>> that raise forest functional level to Windows Server 2003.
>>>
>>> Only in this case it will work, though without AES encryption (only RC4
>>> encryption is available).
>>>
>>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>>> for Windows specifics.
>>>
>>> In order to raise forest functional level one needs to open 'Active
>>> Directory Domains and Trusts' snap-in and right-click on 'Active
>>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>>> forest functional level ...' and use "Windows Server 2003" as the level
>>> to raise.
>>>
>>> After that you can try establishing trust from IPA side.
>>>
>>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>>> should be the same in RHEL 6.4):
>>>
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>>
>>> (went and raised forest functional level)
>>> # ipa trust-add ad.domain --admin Administrator --password
>>> Active directory domain administrator's password:
>>> --
>>> Added Active Directory trust for realm "ad.domain"
>>> --
>>>   Realm name: ad.domain
>>>   Domain NetBIOS name: ADP
>>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>   S-1-5-18, S-1-5-19, S-1-5-20
>>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>>   S-1-5-18, S-1-5-19, S-1-5-20
>>>   Trust direction: Two-way trust
>>>   Trust type: Active Directory domain
>>>   Trust status: Established and verified
>>>
>>>
>>> Note that there will be all kinds of issues due to AES encryption keys
>>> being missing -- you would not be able to use IPA credentials to obtain
>>> Kerberos tickets against Windows services, for example. This whole
>>> experiment is rather of a limited value.
>>>
>>> But at least, log-in with PuTTY 0.62 works.
>>>
>>>
>> Should we put this on wiki as a how to?
>>
> Definitely. If nobody beats me through the night, adding it to
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
> tomorrow.
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy

On Wed, 19 Jun 2013, Dmitri Pal wrote:

> On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
>
>> On Wed, 19 Jun 2013, Aly Khimji wrote:
>>
>>> So as others have mentioned windows obviously isn't my area of focus
>>> here either, however we have this working with 2003r2, but I do notice
>>> odd behaviour with "id" returning odd results sometimes depending on
>>> what system I am logged in from or initial logins failing the first time
>>> and working the second time, would this be a result of 2003 trust vs
>>> 2008 trust?
>>
>> Ok, so I have tried another time and went through Windows Server 2003 R2
>> setup again.
>>
>> You need to select domain functional level Windows Server 2003 and after
>> that raise forest functional level to Windows Server 2003.
>>
>> Only in this case it will work, though without AES encryption (only RC4
>> encryption is available).
>>
>> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
>> for Windows specifics.
>>
>> In order to raise forest functional level one needs to open 'Active
>> Directory Domains and Trusts' snap-in and right-click on 'Active
>> Directory Domains and Trusts' root in the left pane. Then select 'Raise
>> forest functional level ...' and use "Windows Server 2003" as the level
>> to raise.
>>
>> After that you can try establishing trust from IPA side.
>>
>> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
>> should be the same in RHEL 6.4):
>>
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>>
>> (went and raised forest functional level)
>> # ipa trust-add ad.domain --admin Administrator --password
>> Active directory domain administrator's password:
>> --
>> Added Active Directory trust for realm "ad.domain"
>> --
>>   Realm name: ad.domain
>>   Domain NetBIOS name: ADP
>>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>   S-1-5-18, S-1-5-19, S-1-5-20
>>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>>   S-1-5-18, S-1-5-19, S-1-5-20
>>   Trust direction: Two-way trust
>>   Trust type: Active Directory domain
>>   Trust status: Established and verified
>>
>>
>> Note that there will be all kinds of issues due to AES encryption keys
>> being missing -- you would not be able to use IPA credentials to obtain
>> Kerberos tickets against Windows services, for example. This whole
>> experiment is rather of a limited value.
>>
>> But at least, log-in with PuTTY 0.62 works.
>>
>
> Should we put this on wiki as a how to?

Definitely. If nobody beats me through the night, adding it to
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup, I'll do it
tomorrow.


--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Dmitri Pal
On 06/19/2013 12:35 PM, Alexander Bokovoy wrote:
> On Wed, 19 Jun 2013, Aly Khimji wrote:
>> So as others have mentioned windows obviously isn't my area of focus
>> here
>> either, however we have this working with 2003r2, but I do notice odd
>> behaviour with "id" returning odd results sometimes depending on what
>> system I am logged in from or initial logins failing the first time and
>> working the second time, would this be a result of 2003 trust vs 2008
>> trust?
> Ok, so I have tried another time and went through Windows Server 2003 R2
> setup again.
>
> You need to select domain functional level Windows Server 2003 and after
> that raise forest functional level to Windows Server 2003.
>
> Only in this case it will work, though without AES encryption (only RC4
> encryption is available).
>
> See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
> for Windows specifics.
>
> In order to raise forest functional level one needs to open 'Active
> Directory Domains and Trusts' snap-in and right-click on 'Active
> Directory Domains and Trusts' root in the left pane. Then select 'Raise
> forest functional level ...' and use "Windows Server 2003" as the level
> to raise.
>
> After that you can try establishing trust from IPA side.
>
> Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
> should be the same in RHEL 6.4):
>
> # ipa trust-add ad.domain --admin Administrator --password
> Active directory domain administrator's password:
> ipa: ERROR: invalid 'AD domain controller': unsupported functional level
>
> (went and raised forest functional level)
> # ipa trust-add ad.domain --admin Administrator --password
> Active directory domain administrator's password:
> --
> Added Active Directory trust for realm "ad.domain"
> --
>   Realm name: ad.domain
>   Domain NetBIOS name: ADP
>   Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
>   SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>   S-1-5-18, S-1-5-19, S-1-5-20
>   SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
>   S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
>   S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
>   S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
>   S-1-5-18, S-1-5-19, S-1-5-20
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
>
> Note that there will be all kinds of issues due to AES encryption keys
> being missing -- you would not be able to use IPA credentials to obtain
> Kerberos tickets against Windows services, for example. This whole
> experiment is rather of a limited value.
>
> But at least, log-in with PuTTY 0.62 works.
>

Should we put this on wiki as a how to?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy

On Wed, 19 Jun 2013, Aly Khimji wrote:

> So as others have mentioned windows obviously isn't my area of focus here
> either, however we have this working with 2003r2, but I do notice odd
> behaviour with "id" returning odd results sometimes depending on what
> system I am logged in from or initial logins failing the first time and
> working the second time, would this be a result of 2003 trust vs 2008 trust?

Ok, so I have tried another time and went through Windows Server 2003 R2
setup again.

You need to select domain functional level Windows Server 2003 and after
that raise forest functional level to Windows Server 2003.

Only in this case it will work, though without AES encryption (only RC4
encryption is available).

See http://technet.microsoft.com/en-us/library/cc738822%28v=ws.10%29.aspx
for Windows specifics.

In order to raise forest functional level one needs to open 'Active
Directory Domains and Trusts' snap-in and right-click on 'Active
Directory Domains and Trusts' root in the left pane. Then select 'Raise
forest functional level ...' and use "Windows Server 2003" as the level
to raise.

After that you can try establishing trust from IPA side.

Here is IPA behavior (the output corresponds to FreeIPA 3.2 but behavior
should be the same in RHEL 6.4):

# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password: 
ipa: ERROR: invalid 'AD domain controller': unsupported functional level


(went and raised forest functional level)
# ipa trust-add ad.domain --admin Administrator --password
Active directory domain administrator's password: 
--

Added Active Directory trust for realm "ad.domain"
--
  Realm name: ad.domain
  Domain NetBIOS name: ADP
  Domain Security Identifier: S-1-5-21-426902846-1951547570-376736459
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
  S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
  S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
  S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
  S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
  S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7,
  S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12,
  S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17,
  S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified


Note that there will be all kinds of issues due to AES encryption keys
being missing -- you would not be able to use IPA credentials to obtain
Kerberos tickets against Windows services, for example. This whole
experiment is rather of a limited value.

But at least, log-in with PuTTY 0.62 works.

--
/ Alexander Bokovoy
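A pre-flight check for the functional-level requirement described in this message, added here as an example and not FreeIPA's own code: it parses the LDIF that an anonymous RootDSE read (`ldapsearch -x -LLL -H ldap://<dc> -s base -b '' forestFunctionality domainFunctionality domainControllerFunctionality`) returns and maps the level to the outcome the thread reports (trust-add fails below 2003, RC4-only at 2003, supported at 2008 or above). The level-to-name table follows the MS-ADTS DS_BEHAVIOR values; the sample dumps are constructed, not captured from a real domain controller.

```python
import re

# RootDSE functional-level values (the DS_BEHAVIOR_* constants in MS-ADTS).
LEVEL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}
FL_2003 = 2
FL_2008 = 3
FL_ATTRS = ("forestFunctionality", "domainFunctionality",
            "domainControllerFunctionality")
FL_LINE = re.compile(r"^(%s):\s*(\d+)\s*$" % "|".join(FL_ATTRS))


def parse_rootdse_ldif(ldif_text):
    """Return {attribute: int} for the functional-level attributes in an
    LDIF RootDSE dump. LDIF folds long lines onto continuation lines that
    start with one space; unfold first so a wrapped value is not skipped."""
    levels = {}
    for line in ldif_text.replace("\n ", "").splitlines():
        match = FL_LINE.match(line)
        if match:
            levels[match.group(1)] = int(match.group(2))
    return levels


def level_name(value):
    return LEVEL_NAMES.get(value, "unknown level %d" % value)


def assess_trust_readiness(levels):
    """Map the levels to the outcomes reported in the thread.

    Returns (status, explanation); status is 'unsupported' (forest level
    below 2003: trust-add fails), 'rc4-only' (forest level 2003: trust is
    established but only RC4 keys exist) or 'ok' (2008 or above)."""
    if "forestFunctionality" not in levels:
        raise ValueError("no forestFunctionality attribute in RootDSE dump")
    ffl = levels["forestFunctionality"]
    dfl = levels.get("domainFunctionality", ffl)
    if ffl < FL_2003:
        # The forest level cannot be raised above the domain level, hence
        # the order given in the thread: domain level first, then forest.
        if dfl < FL_2003:
            hint = ("raise the domain functional level to Windows Server "
                    "2003, then the forest functional level")
        else:
            hint = "raise the forest functional level to Windows Server 2003"
        return ("unsupported",
                "forest functional level is %s: ipa trust-add will fail with "
                "'unsupported functional level'; %s first"
                % (level_name(ffl), hint))
    if ffl < FL_2008:
        return ("rc4-only",
                "forest functional level is %s: the trust can be established, "
                "but the AD side offers only RC4 keys, so IPA credentials "
                "cannot obtain tickets for Windows services"
                % level_name(ffl))
    return ("ok",
            "forest functional level is %s: meets the 2008-or-above "
            "requirement and AES keys are available" % level_name(ffl))


def check(ldif_text):
    """Parse and assess one dump; returns just the status string."""
    return assess_trust_readiness(parse_rootdse_ldif(ldif_text))[0]


# Constructed sample dumps (not captured from a real DC), in the shape
#   ldapsearch -x -LLL -H ldap://dc.ad.domain -s base -b '' \
#       forestFunctionality domainFunctionality domainControllerFunctionality
# prints for RootDSE. A fresh 2003 R2 DC reports level 2 for itself while
# domain and forest still sit at Windows 2000.
SAMPLE_FRESH_2003R2 = ("dn:\ndomainControllerFunctionality: 2\n"
                       "domainFunctionality: 0\nforestFunctionality: 0\n")
SAMPLE_RAISED_2003 = ("dn:\ndomainControllerFunctionality: 2\n"
                      "domainFunctionality: 2\nforestFunctionality: 2\n")
# Value folded onto a continuation line to exercise the LDIF unfolding.
SAMPLE_2008R2 = ("dn:\ndomainControllerFunctionality: 4\n"
                 "domainFunctionality: 4\nforestFunctionality:\n 4\n")

if __name__ == "__main__":
    for label, dump in (("fresh 2003 R2", SAMPLE_FRESH_2003R2),
                        ("forest raised to 2003", SAMPLE_RAISED_2003),
                        ("2008 R2", SAMPLE_2008R2)):
        status, why = assess_trust_readiness(parse_rootdse_ldif(dump))
        print("%-22s %-12s %s" % (label, status, why))
```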



Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Dmitri Pal
On 06/19/2013 09:05 AM, Aly Khimji wrote:
> We have managed to establish a FreeIPA / Windows 2003R2.  
> However domain and forest functional level has to be set to max on
> that platform which I believe is 2003 anyways.  
> I know when I was first attempting the trusts, on a new 2003r2 DC where
> the forest functional level was set to 2000, the trust wouldn't
> establish with IPA and the process would die.
>
> Everything "seems" to be working so far, so I would also like to know
> as well if 2008 is a requirement 100%?


We have not tested this extensively. As Alexander mentioned there might
be issues. If you manage to set it up - great. If there are some
glitches they might be related to 2003 vs 2008 but we can't say for sure
without more investigation.
If your testing reveals some reproducible issues we definitely want to
know about them. Whether we would be able to fix them is yet another story.

>
> Thanks
>
> Aly
>
>
> On Wed, Jun 19, 2013 at 8:50 AM, Brian Lee wrote:
>
> Has anyone successfully set up trusts between 2003 R2 and FreeIPA?
> I noticed the documentation mentions 2008 R2 as a prerequisite.
> Unfortunately our organization has not completed the migration to
> 2008 R2 yet. I know, we're a little behind the curve on that, but
> fortunately Windows servers aren't my responsibility ;-)
>
> If the Kerberos realms are separate between Active Directory and
> FreeIPA, why does the domain controller need to be Windows 2008 R2
> for an external trust? From what I understand, there is no
> difference in an external trust in Windows NT4, Active Directory
> 2003, 2008 R2 or Windows 2012.
>  
> Thanks in advance for any input or experiences with this
> configuration!
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Aly Khimji
So as others have mentioned windows obviously isn't my area of focus here
either, however we have this working with 2003r2, but I do notice odd
behaviour with "id" returning odd results sometimes depending on what
system I am logged in from or initial logins failing the first time and
working the second time, would this be a result of 2003 trust vs 2008 trust?

Aly


On Wed, Jun 19, 2013 at 8:59 AM, Alexander Bokovoy wrote:

> On Wed, 19 Jun 2013, Brian Lee wrote:
>
>> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
>> noticed the documentation mentions 2008 R2 as a prerequisite.
>> Unfortunately
>> our organization has not completed the migration to 2008 R2 yet. I know,
>> we're a little behind the curve on that, but fortunately Windows servers
>> aren't my responsibility ;-)
>>
>> If the Kerberos realms are separate between Active Directory and FreeIPA,
>> why does the domain controller need to be Windows 2008 R2 for an external
>> trust? From what I understand, there is no difference in an external trust
>> in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.
>>
> Please note that the actual requirement is to have functional level 2008
> or above for cross-forest trusts.
>
> In our limited testing using functional level 2003 things did not work
> as expected. We didn't look deeper because functional level 2003 also lacks
> AES encryption, and making it work with weaker encryption for the TGT meant
> forcing an encryption downgrade on the IPA side, aside from unclear issues
> with RPC calls.
>
> --
> / Alexander Bokovoy
>
>

Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Alexander Bokovoy

On Wed, 19 Jun 2013, Brian Lee wrote:

> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
> noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately
> our organization has not completed the migration to 2008 R2 yet. I know,
> we're a little behind the curve on that, but fortunately Windows servers
> aren't my responsibility ;-)
>
> If the Kerberos realms are separate between Active Directory and FreeIPA,
> why does the domain controller need to be Windows 2008 R2 for an external
> trust? From what I understand, there is no difference in an external trust
> in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.

Please note that the actual requirement is to have functional level 2008
or above for cross-forest trusts.

In our limited testing using functional level 2003 things did not work
as expected. We didn't look deeper because functional level 2003 also lacks
AES encryption, and making it work with weaker encryption for the TGT meant
forcing an encryption downgrade on the IPA side, aside from unclear issues
with RPC calls.

--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Aly Khimji
We have managed to establish a FreeIPA / Windows 2003R2.
However domain and forest functional level has to be set to max on that
platform which I believe is 2003 anyways.
I know when I was first attempting the trusts, on a new 2003r2 DC where the
forest functional level was set to 2000, the trust wouldn't establish with
IPA and the process would die.

Everything "seems" to be working so far, so I would also like to know as
well if 2008 is a requirement 100%?

Thanks

Aly


On Wed, Jun 19, 2013 at 8:50 AM, Brian Lee wrote:

> Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
> noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately
> our organization has not completed the migration to 2008 R2 yet. I know,
> we're a little behind the curve on that, but fortunately Windows servers
> aren't my responsibility ;-)
>
> If the Kerberos realms are separate between Active Directory and FreeIPA,
> why does the domain controller need to be Windows 2008 R2 for an external
> trust? From what I understand, there is no difference in an external trust
> in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.
>
> Thanks in advance for any input or experiences with this configuration!
>

[Freeipa-users] FreeIPA trusts with 2003 R2

2013-06-19 Thread Brian Lee
Has anyone successfully set up trusts between 2003 R2 and FreeIPA? I
noticed the documentation mentions 2008 R2 as a prerequisite. Unfortunately
our organization has not completed the migration to 2008 R2 yet. I know,
we're a little behind the curve on that, but fortunately Windows servers
aren't my responsibility ;-)

If the Kerberos realms are separate between Active Directory and FreeIPA,
why does the domain controller need to be Windows 2008 R2 for an external
trust? From what I understand, there is no difference in an external trust
in Windows NT4, Active Directory 2003, 2008 R2 or Windows 2012.

Thanks in advance for any input or experiences with this configuration!