Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-24 Thread Jakub Hrozek
On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote: > Morning Jakub, > > >> However, I would like to tune this configuration to drop the domain > >> component of the user and group names. I tried to do this by adding > >> these settings to the [sssd] section in sssd.conf on the c

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-24 Thread William Muriithi
Morning Jakub, >> However, I would like to tune this configuration to drop the domain >> component of the user and group names. I tried to do this by adding >> these settings to the [sssd] section in sssd.conf on the client: >> >>default_domain_suffix = example.au >> full_name_format =

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote: > > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > > […] > > > However, when I try logging in as a student domain user > > > (student.example.au), > > > I don't see any of the groups (there should be 8): > > > >

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Robert Sturrock
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > […] > > However, when I try logging in as a student domain user > > (student.example.au), > > I don't see any of the groups (there should be 8): > > > > $ ssh -l rnst student example au ipa-client-rh7.ipa.example.au > >

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards 2016-10-20 14:23 GMT-04:00 Alexander Bokovoy : > On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: > >> Hi Alexander, >> I do believe is a DNS problem, the command failing are >> >> host -t srv _ldap._tcp.ad_domain >> or >> dig SRV _ldap._tcp.ad_domain >> after c

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: Hi Alexander, I do believe is a DNS problem, the command failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain after checking the logs I see this error "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53" so I

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander, I do believe is a DNS problem, the command failing are host -t srv _ldap._tcp.ad_domain or dig SRV _ldap._tcp.ad_domain after checking the logs I see this error "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53" so I disable the dnssec validation on IPA and it work

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy
On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote: Hello everyone, Both servers are fresh installs 2008r2 and fedora 24 server freeipa 4.3.2 as documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA however the server is unable to resolve any recor

[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone, Both servers are fresh installs 2008r2 and fedora 24 server freeipa 4.3.2 as documentation explains in http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA however the server is unable to resolve any record from my child domain, I found this bug https://

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote: > Hello, > > We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with > our University organisational AD. The AD forest contains *two* > domains: > > EXAMPLE.AU (staff users) > STUDENT.EXAMPLE.AU (student users

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-19 Thread Robert Sturrock
Hello, We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains: EXAMPLE.AU (staff users) STUDENT.EXAMPLE.AU (student users) The IPA domain that trusts these is called: IPA.EXAMPLE.AU The basic confi

[Freeipa-users] IPA - AD trust - LDAP signing

2016-10-07 Thread Jan Karásek
Hi all, I am having the trouble with IPA-AD trust. We have scenario, where on the AD side the LDAP signing policy is on - this is company standard and can not be changed. Is there any chance to let the IPA use LDAP signing on IPA side ? I guess IPA use SASL LDAP bind but without signing. Wh

Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh
Hi, OK, clear. Thanks for the information! Winny Sumit Bose schreef op 06-01-2016 9:19: On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote: Hi all, Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site we're just not able to see AD "Domain Local Groups". Is tha

Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote: > Hi all, > > Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site > we're just not able to see AD "Domain Local Groups". > > Is that just not possible (a limitation of the current version that is), is > some extra c

[Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh
Hi all, Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux site we're just not able to see AD "Domain Local Groups". Is that just not possible (a limitation of the current version that is), is some extra configuration needed or is just something wrong? Hope one can give

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Alexander Bokovoy
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote: Thing is, nfsidmap always adds and then subtracts '@' plus domain, assuming that the part prior to '@' is what is going to be mapped by the domain-specific idmap mapper. That's the crux of the problem right there. Sssd is not a domain-specific

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Parsons, Aron
ub Hrozek [jhro...@redhat.com] Sent: Wednesday, July 16, 2014 2:19 AM To: Parsons, Aron Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On 16 Jul 2014, at 03:29, Parsons, Aron wrote: > I ran into this issue last fall and have been running with a patched &

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS
> Thing is, nfsidmap always adds and then subtracts '@' plus domain, > assuming that the part prior to '@' is what is going to be mapped by the > domain-specific idmap mapper. That's the crux of the problem right there. Sssd is not a domain-specific idmap mapper. Sssd is a domain-aware, multido

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Alexander Bokovoy
On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote: Hi Aron, the support case you referenced is linked to bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the patch will be released in 6.6..

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS
> Hi Aron, > > the support case you referenced is linked to bugzilla > https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked > for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks the > patch will be released in 6.6.. username@domain is coded in the NFS spec a

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-15 Thread Jakub Hrozek
code is stripping the domain off based on the location of the > first "@" character in the value returned by the server. This results in > UID/GID mappings failing and resulting in ownership on the clients of > "nobody". > > Regards, > Johan > > From:

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-15 Thread Parsons, Aron
an From: Dmitri Pal [dpal redhat com] Sent: Thursday, June 05, 2014 21:03 To: Johan Petersson; Alexander Bokovoy Cc: Sumit Bose; freeipa-users redhat com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On 06/04/2014 09:57 AM, Johan Petersson wrote: > Yes the message is exact

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-29 Thread Nordgren, Bryce L -FS
> > I see the first two represented on the design, but not the last. I suspect > that this means that the plugin regards security principals and NFSv4 > identities as the same thing, which may mean it won't work for multiple > domains? Let me turn the question on its head: according to the OP, th

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-29 Thread Jakub Hrozek
On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS wrote: > >> Would the idmap sss module we have on the list pending review help here? > > My read of the design page suggests that the plugin is 66% of a solution. > There are three types of identities which need to be related: > > * local machi

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS
> -Original Message- > > What I'm not quite clear on is the interaction between idmapd and ldap > > (slides 15,16,18). Does idmapd want to see this "NFSv4RemoteUser" > > schema on the LDAP server? Is this schema something that FreeIPA would > > have to support for NFS to work with cross-r

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Nordgren, Bryce L -FS
> Would the idmap sss module we have on the list pending review help here? My read of the design page suggests that the plugin is 66% of a solution. There are three types of identities which need to be related: * local machine accounts/identities (meaningful to the filesystem) * security princi

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Simo Sorce
On Thu, 2014-06-26 at 23:21 +, Nordgren, Bryce L -FS wrote: > > The second @ is not provided by kerberos, it is rpcidmapd making false > > assumptions, it does a getpwuid and gets back adt...@ad.example.org as > > the username, to which it decides to slap on the local REALM name with an @ > > si

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Simo Sorce
On Fri, 2014-06-27 at 00:10 +, Nordgren, Bryce L -FS wrote: > Also: > http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04 > > Never became an RFC, but cites Simo's I-D on a Kerberos PAC. > > I like the CITI approach better (also approach 2 of section 6 in the > above I-D). I

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Sumit Bose
21:03 > To: Johan Petersson; Alexander Bokovoy > Cc: Sumit Bose; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue > > On 06/04/2014 09:57 AM, Johan Petersson wrote: > > Yes the message is exactly like that with commas, I double checked. > &

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Jakub Hrozek
On Thu, Jun 26, 2014 at 06:42:37PM -0400, Simo Sorce wrote: > On Thu, 2014-06-26 at 22:02 +, Nordgren, Bryce L -FS wrote: > > > The reason is that rpcidmapd does not parse fully-qualified usernames > > > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. > > > > If someone can educate m

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04 Never became an RFC, but cites Simo's I-D on a Kerberos PAC. I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my active directory. Also, for the ex

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
> The second @ is not provided by kerberos, it is rpcidmapd making false > assumptions, it does a getpwuid and gets back adt...@ad.example.org as > the username, to which it decides to slap on the local REALM name with an @ > sign in between. > > I think this is something that may be handled with i

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Simo Sorce
On Thu, 2014-06-26 at 22:02 +, Nordgren, Bryce L -FS wrote: > > The reason is that rpcidmapd does not parse fully-qualified usernames > > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. > > If someone can educate me as to why there are two @ signs in the above, I can > fix the wiki

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS
> The reason is that rpcidmapd does not parse fully-qualified usernames > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Johan Petersson
y". Regards, Johan From: Dmitri Pal [d...@redhat.com] Sent: Thursday, June 05, 2014 21:03 To: Johan Petersson; Alexander Bokovoy Cc: Sumit Bose; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On 06/04/2014 09:57 AM, Johan Petersson wrote: > Yes

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-05 Thread Dmitri Pal
Bokovoy [mailto:aboko...@redhat.com] Sent: Wednesday, June 04, 2014 3:14 PM To: Johan Petersson Cc: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On Wed, 04 Jun 2014, Johan Petersson wrote: Mail got posted before I was finished sorry. I f

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
name "ad_us...@linux.home" The group ad_users is a IPA group with external maps from AD Domain users. -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Wednesday, June 04, 2014 3:14 PM To: Johan Petersson Cc: d...@redhat.com; freeipa-users@redhat

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Alexander Bokovoy
the first string (nss_getpwnam: name '' domain '...': resulting localname ...)? it would be [general] Verbosity = 4 in /etc/idmapd.conf From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson Sent: Wednesday, June 04, 20

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Sumit Bose
rusted domains. bye, Sumit > > > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson > Sent: Wednesday, June 04, 2014 12:02 PM > To: d...@redhat.com; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA+AD tr

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
n 'linux.home,' From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson Sent: Wednesday, June 04, 2014 12:02 PM To: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue Yes Client is

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
at.com> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, June 03, 2014 6:48 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Tuesday, June 03, 2014 6:48 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue On 06/03/2014 09:07 AM, Johan Petersson wrote: Hi, Environment: RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD R

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-03 Thread Dmitri Pal
On 06/03/2014 09:07 AM, Johan Petersson wrote: Hi, Environment: RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD RHEL 7 NFS Server RHEL 7 Client I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA. I have created a NFS share /hom

[Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-03 Thread Johan Petersson
Hi, Environment: RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD RHEL 7 NFS Server RHEL 7 Client I have found one problem when using a NFS 4 shared Home Directory for AD users logging in to IPA. I have created a NFS share /home/adexample.org and use autofs map in IPA. All wbinfo

Re: [Freeipa-users] IPA / AD Trust

2014-03-14 Thread Dmitri Pal
On 03/14/2014 03:20 PM, Todd Maugh wrote: Does IPA support a trust with AD yet? I've seen that this is coming in a future release but I haven't found something that said it has been released. -Todd

[Freeipa-users] IPA / AD Trust

2014-03-14 Thread Todd Maugh
Does IPA support a trust with AD yet? I've seen that this is coming in a future release but I haven't found something that said it has been released. -Todd

Re: [Freeipa-users] ipa AD trust issue

2014-02-05 Thread Steve Dainard
https://bugzilla.redhat.com/show_bug.cgi?id=1061897

Re: [Freeipa-users] ipa AD trust issue

2014-02-05 Thread Dmitri Pal
On 02/04/2014 03:28 PM, Steve Dainard wrote: > > > >> has anyone worked it out. Secondly cifs-utils has dependency on >> samba3 packages and ipa-ad-trust needs samba4 but samba3 and >> samba4 don't like each other , so this is the story of my >> experience with ipa. Any suggestions

Re: [Freeipa-users] ipa AD trust issue

2014-02-04 Thread Steve Dainard
> > > > has anyone worked it out. Secondly cifs-utils has dependency on samba3 > packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like > each other , so this is the story of my experience with ipa. Any > suggestions ? > > > Why do you need cifs-utils on the same server? > cifs-ut

Re: [Freeipa-users] Ipa AD trust

2014-01-24 Thread Sumit Bose
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote: > Hi List , I want an update on this bug . > > https://bugzilla.samba.org/show_bug.cgi?id=9618 I just re-tested with the python script from the ticket and Samba-4.1.3 and it seems to be fixed. HTH bye, Sumit > > Thanks > > > B

[Freeipa-users] Ipa AD trust

2014-01-24 Thread Zulkifal Ahmad
Hi List, I want an update on this bug. https://bugzilla.samba.org/show_bug.cgi?id=9618 Thanks Best Regards Sahibzada .Z. Ahmad System Administrator

Re: [Freeipa-users] ipa AD trust issue

2014-01-23 Thread Alexander Bokovoy
On Thu, 23 Jan 2014, Zulkifal Ahmad wrote: Hi, In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this

Re: [Freeipa-users] ipa AD trust issue

2014-01-23 Thread Zulkifal Ahmad
Hi, In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error? root@ipaserver

Re: [Freeipa-users] ipa AD trust issue

2014-01-17 Thread Dmitri Pal
On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote: > Hi List , Just wanted to find out if anyone has setup an ipa-AD trust > successfully, According to the instructions in the following link > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/tr

Re: [Freeipa-users] ipa AD trust issue

2014-01-17 Thread Zulkifal Ahmad
Hi List , Just wanted to find out if anyone has setup an ipa-AD trust successfully, According to the instructions in the following link https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html everything went well until I

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread KevinTang
Dear Alexander, Understand, thank you very much. Kevin. From: Alexander Bokovoy To: kevint...@umac.mo Cc: freeipa-users@redhat.com Date: 09/11/2013 02:52 PM Subject:Re: [Freeipa-users] IPA AD Trust issue On Wed, 11 Sep 2013, kevint...@umac.mo wrote: >Dear Alexan

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread Jakub Hrozek
> >1) IPA Client Login issue. > >In IPA client, if Windows AD user want to login, It need to type full name > >such as 'userA@win_ad.com'. How do I let Windows AD user logon only with > >their username? That means only use 'userA' to logon IPA Client PC rather > >than 'userA@win_ad.com' ? > Not su

Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread Alexander Bokovoy
On Wed, 11 Sep 2013, kevint...@umac.mo wrote: Dear Alexander, If I use 'ipa-replica-prepare' to replica Windows AD to/from IPA AD, Will all user account in Windows AD 'copy' to IPA AD, and my IPA client can logon with Windows AD username only? (only use 'userA' to login directly, not 'userA@win_

Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread KevinTang
rs@redhat.com Date: 09/11/2013 12:52 PM Subject:Re: [Freeipa-users] IPA AD Trust issue On Wed, 11 Sep 2013, kevint...@umac.mo wrote: >Dear all, > >I am new to IPA and have some question about set up. >I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4

Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread Alexander Bokovoy
On Wed, 11 Sep 2013, kevint...@umac.mo wrote: Dear all, I am new to IPA and have some question about set up. I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have 2-ways trusted. Windo

[Freeipa-users] IPA AD Trust issue

2013-09-10 Thread KevinTang
Dear all, I am new to IPA and have some question about set up. I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have 2-ways trusted. Windows AD user can logon under IPA client PC. I

Re: [Freeipa-users] IPA & AD trust question

2013-05-31 Thread Martin Kosek
On 05/31/2013 09:37 AM, Sumit Bose wrote: > On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote: >> Hi List, >> >> I have a question - is it possible to use AD trust the way that: >> 1. All users are stored in AD >> 2. All Unix specific information (automount maps, sudo rules, HBAC rule

Re: [Freeipa-users] IPA & AD trust question

2013-05-31 Thread Sumit Bose
On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote: > Hi List, > > I have a question - is it possible to use AD trust the way that: > 1. All users are stored in AD > 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are > stored in IPA? Yes, sudo and HBAC for

[Freeipa-users] IPA & AD trust question

2013-05-30 Thread Ondrej Valousek
Hi List, I have a question - is it possible to use AD trust the way that: 1. All users are stored in AD 2. All Unix specific information (automount maps, sudo rules, HBAC rules) are stored in IPA? If yes then: 1. Will this scenario honour the RFC2307 user attributes in AD? 2. How is the best way