Re: [Freeipa-users] ipa AD trust issue
On 02/04/2014 03:28 PM, Steve Dainard wrote:
>>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>>
>> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> Step 3 mentions that cifs-utils is required, but:
>
> yum install cifs-utils
> Loaded plugins: product-id, security, subscription-manager
> This system is receiving updates from Red Hat Subscription Management.
> rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
> rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
> rhel-6-server-rpms| 3.7 kB 00:00
> Setting up Install Process
> Resolving Dependencies
> -- Running transaction check
> --- Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
> -- Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
> -- Running transaction check
> --- Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
> -- Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
> -- Running transaction check
> --- Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
> -- Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
> -- Running transaction check
> --- Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
> -- Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common 3.9.9
> -- Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind 3.9.9
> -- Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients 3.9.9
> -- Finished Dependency Resolution
> Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
> Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
> Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
>
> Is this no longer a requirement? Can this documentation be updated?
>
> Steve

Can you please file a BZ?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa AD trust issue
https://bugzilla.redhat.com/show_bug.cgi?id=1061897

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic

On Wed, Feb 5, 2014 at 12:34 PM, Dmitri Pal d...@redhat.com wrote:
> On 02/04/2014 03:28 PM, Steve Dainard wrote:
>>>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>>>
>>> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>> Step 3 mentions that cifs-utils is required, but:
>>
>> yum install cifs-utils
>> Loaded plugins: product-id, security, subscription-manager
>> This system is receiving updates from Red Hat Subscription Management.
>> rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
>> rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
>> rhel-6-server-rpms| 3.7 kB 00:00
>> Setting up Install Process
>> Resolving Dependencies
>> -- Running transaction check
>> --- Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
>> -- Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
>> -- Running transaction check
>> --- Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
>> -- Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
>> -- Running transaction check
>> --- Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
>> -- Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
>> -- Running transaction check
>> --- Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
>> -- Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common 3.9.9
>> -- Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind 3.9.9
>> -- Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients 3.9.9
>> -- Finished Dependency Resolution
>> Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
>> Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
>> Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
>> You could try using --skip-broken to work around the problem
>> You could try running: rpm -Va --nofiles --nodigest
>>
>> Is this no longer a requirement? Can this documentation be updated?
>>
>> Steve
>
> Can you please file a BZ?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] ipa AD trust issue
>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>
> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
Step 3 mentions that cifs-utils is required, but:

yum install cifs-utils
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
rhel-6-server-rpms| 3.7 kB 00:00
Setting up Install Process
Resolving Dependencies
-- Running transaction check
--- Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
-- Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
-- Running transaction check
--- Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
-- Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
-- Running transaction check
--- Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
-- Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
-- Running transaction check
--- Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
-- Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common 3.9.9
-- Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind 3.9.9
-- Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients 3.9.9
-- Finished Dependency Resolution
Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Is this no longer a requirement? Can this documentation be updated?

Steve
Re: [Freeipa-users] ipa AD trust issue
Hi,

In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error?

root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Thanks
Zulkifal Ahmad

> On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
>> Hi List,
>>
>> Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
>> everything went well until I hit the point where I had to check the samba configuration, by typing the command
>>
>> root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
>> smbclient: command not found
>>
>> and similar for
>>
>> root@ipaserver# wbinfo --online-status
>> wbinfo: command not found
>>
>> I am pretty sure that the ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.
>>
>> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>
>> This gave me a very cruel message
>>
>> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>>
>> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
>
> Yes. The solution is:
>
> If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4.
>
> To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
>
>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>
> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client. SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind thus the limitation will be lifted.
>
>> My ipa server
>> server OS : CentOS 6.5
>> ipa server version : 3
>> Active directory: server 2008 R2 Standard
>>
>> Thank you
>>
>> Best Regards
>> Sahibzada .Z. Ahmad
>> System Administrator

Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] ipa AD trust issue
On Thu, 23 Jan 2014, Zulkifal Ahmad wrote:
> Hi,
>
> In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error?
>
> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty in [global] section and try again. You'll get SMB traffic debugging in /var/log/httpd/error_log.

Adding and removing 'log level = 100' to /usr/share/ipa/smb.conf.empty does not require restarting httpd.

> Thanks
> Zulkifal Ahmad
>
>> On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
>>> Hi List,
>>>
>>> Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
>>> everything went well until I hit the point where I had to check the samba configuration, by typing the command
>>>
>>> root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
>>> smbclient: command not found
>>>
>>> and similar for
>>>
>>> root@ipaserver# wbinfo --online-status
>>> wbinfo: command not found
>>>
>>> I am pretty sure that the ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.
>>>
>>> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>>
>>> This gave me a very cruel message
>>>
>>> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>>>
>>> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
>>
>> Yes. The solution is:
>>
>> If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4.
>>
>> To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
>>
>>> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?
>>
>> Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client. SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind thus the limitation will be lifted.
>>
>>> My ipa server
>>> server OS : CentOS 6.5
>>> ipa server version : 3
>>> Active directory: server 2008 R2 Standard
>>>
>>> Thank you
>>>
>>> Best Regards
>>> Sahibzada .Z. Ahmad
>>> System Administrator
>
> Best Regards
> Sahibzada .Z. Ahmad
> System Administrator

--
/ Alexander Bokovoy
Re: [Freeipa-users] ipa AD trust issue
Hi List,

Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
everything went well until I hit the point where I had to check the samba configuration, by typing the command

root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
smbclient: command not found

and similar for

root@ipaserver# wbinfo --online-status
wbinfo: command not found

I am pretty sure that the ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.

root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password

This gave me a very cruel message

ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168 has anyone worked it out.

Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?

My ipa server
server OS : CentOS 6.5
ipa server version : 3
Active directory: server 2008 R2 Standard

Thank you

Best Regards
Sahibzada .Z. Ahmad
System Administrator
Re: [Freeipa-users] ipa AD trust issue
On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
> Hi List,
>
> Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
> everything went well until I hit the point where I had to check the samba configuration, by typing the command
>
> root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
> smbclient: command not found
>
> and similar for
>
> root@ipaserver# wbinfo --online-status
> wbinfo: command not found
>
> I am pretty sure that the ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.
>
> root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
>
> This gave me a very cruel message
>
> ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)
>
> If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168

Yes. The solution is:

If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4.

To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.

> has anyone worked it out. Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?

Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client. SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind thus the limitation will be lifted.

> My ipa server
> server OS : CentOS 6.5
> ipa server version : 3
> Active directory: server 2008 R2 Standard
>
> Thank you
>
> Best Regards
> Sahibzada .Z. Ahmad
> System Administrator

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
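A check for the /etc/hosts workaround described above, as an added example (not part of the original message and not FreeIPA code): it parses hosts-file text and reports whether the AD server's full name is pinned to IPv4 only. The host name, the addresses and the status strings are constructed for illustration, and it assumes the usual lookup order in which /etc/hosts is consulted before DNS.

```python
import ipaddress
import socket

# Constructed sample data: the AD host name and the addresses are placeholders
# (documentation ranges 192.0.2.0/24 and 2001:db8::/32), not values from the thread.
AD_HOST = "adserver.adexample.com"
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.0.2.10  adserver.adexample.com adserver   # AD DC pinned to IPv4
"""
SAMPLE_DNS = ["192.0.2.10", "2001:db8::10"]   # what a dual-stack AD DNS would return


def parse_hosts(text):
    """Map each lower-cased name in hosts-file text to its list of addresses."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only, or address without a name
        try:
            # Drop an IPv6 zone id such as %eth0 before parsing.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                      # first field is not an address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def check_ad_host(fqdn, hosts_text, dns_addresses):
    """Classify how the AD server name is expected to resolve on the IPA server.

    Returns one of these (hypothetical) status strings:
      pinned-ipv4           hosts file lists only IPv4 for the full name (workaround in place)
      pinned-ipv6           hosts file lists an IPv6 address for the full name
      short-name-only       hosts file knows the short name but not the full name
      unpinned-ipv6-in-dns  nothing pinned and DNS returns an IPv6 address
      ipv4-only-dns         nothing pinned and DNS returns IPv4 only
    """
    fqdn = fqdn.rstrip(".").lower()
    hosts = parse_hosts(hosts_text)
    pinned = hosts.get(fqdn, [])
    if any(a.version == 6 for a in pinned):
        return "pinned-ipv6"
    if pinned:
        return "pinned-ipv4"
    if fqdn.split(".", 1)[0] in hosts:
        return "short-name-only"
    if any(ipaddress.ip_address(a).version == 6 for a in dns_addresses):
        return "unpinned-ipv6-in-dns"
    return "ipv4-only-dns"


def live_resolver_view(fqdn):
    """Addresses the local resolver returns right now (hosts file included)."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Offline run on the constructed sample; on a real server read /etc/hosts instead.
    print(check_ad_host(AD_HOST, SAMPLE_HOSTS, SAMPLE_DNS))
```

The short-name-only and pinned-ipv6 results are the cases where an entry exists in the hosts file yet a lookup of the full name can still return an IPv6 address.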
Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

If I use 'ipa-replica-prepare' to replica Windows AD to/from IPA AD, Will all user account in Windows AD 'copy' to IPA AD, and my IPA client can logon with Windows AD username only? (only use 'userA' to login directly, not 'userA@win_ad.com').

Or after replication, can I use IPA account logon Windows Client PC only with ipa username? (only use 'userB' logon, rather than 'userB@ipa_ad.com' to logon).

Thank you very much
Kevin Tang

From: Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 12:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear all,
>
> I am new to IPA and have some question about set up.
>
> I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have 2-ways trusted. Windows AD user can logon under IPA client PC.
>
> I have 3 question about further setup.
>
> 1) IPA Client Login issue.
> In IPA client, if Windows AD user want to login, It need to type full name such as 'userA@win_ad.com'. How do I let Windows AD user logon only with their username? That means only use 'userA' to logon IPA Client PC rather than 'userA@win_ad.com' ?

Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains are represented as subdomains of a single IPA provider, full UPN is used to distinguish and discover which subdomain they belong to for performance reasons.

> 2) Windows Login issue.
> I want to logon under Windows AD Client PC (Client PC's OS is Windows 7), Since this Windows PC already join win_ad domain, it can allow Windows AD domain user to logon. But when I try to logon IPA user, for example, logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB'. It always show 'There are currently no logon servers available to service the logon request.' and does not allow IPA user to logon. How do I do now? I need to modify Windows AD setting? or Windows client PC setting?

We do not support this mode yet, it requires implementation of Global Catalog service on IPA side which is not done yet. Plans for doing that are in Fedora 20-21 time frame.

> 3) Windows Login issue.
> Can I login under Windows AD Client PC with IPA username only (not include IPA domain)? that is, only use 'userB' as username to login?

No. Only users from the domain Windows PC is joined to could be logged without explicit domain name. Since IPA domain belongs to a separate forest, you cannot log in without explicit domain prefix.

Please note, even that will only be possible when we implement Global Catalog service on IPA side.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear Alexander,
>
> If I use 'ipa-replica-prepare' to replica Windows AD to/from IPA AD, Will all user account in Windows AD 'copy' to IPA AD, and my IPA client can logon with Windows AD username only? (only use 'userA' to login directly, not 'userA@win_ad.com').

If you are using ipa-replica-prepare against Windows AD, you are using winsync/passsync which is copying user entries from AD to IPA. In this case AD users become IPA users. It is not a trust per se, only a synchronization. In particular, users will not be able to use their AD Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a user name.

> Or after replication, can I use IPA account logon Windows Client PC only with ipa username? (only use 'userB' logon, rather than 'userB@ipa_ad.com' to logon).

No, synchronization is from AD to IPA, not the other way around. A change in IPA for the account which was synchronized from AD will be propagated back to AD but IPA users will not be copied to AD.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA AD Trust issue
>> 1) IPA Client Login issue.
>> In IPA client, if Windows AD user want to login, It need to type full name such as 'userA@win_ad.com'. How do I let Windows AD user logon only with their username? That means only use 'userA' to logon IPA Client PC rather than 'userA@win_ad.com' ?
>
> Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains are represented as subdomains of a single IPA provider, full UPN is used to distinguish and discover which subdomain they belong to for performance reasons.

Actually you can use default_domain_suffix in the [sssd] section. But then you need to fully-qualify the users from the IPA domain.

default_domain_suffix (string)
    This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well.

    Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. u...@domain.name, to log in.

    Default: not set
Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

Understand, thank you very much.

Kevin.

From: Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 02:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear Alexander,
>
> If I use 'ipa-replica-prepare' to replica Windows AD to/from IPA AD, Will all user account in Windows AD 'copy' to IPA AD, and my IPA client can logon with Windows AD username only? (only use 'userA' to login directly, not 'userA@win_ad.com').

If you are using ipa-replica-prepare against Windows AD, you are using winsync/passsync which is copying user entries from AD to IPA. In this case AD users become IPA users. It is not a trust per se, only a synchronization. In particular, users will not be able to use their AD Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a user name.

> Or after replication, can I use IPA account logon Windows Client PC only with ipa username? (only use 'userB' logon, rather than 'userB@ipa_ad.com' to logon).

No, synchronization is from AD to IPA, not the other way around. A change in IPA for the account which was synchronized from AD will be propagated back to AD but IPA users will not be copied to AD.

--
/ Alexander Bokovoy
[Freeipa-users] IPA AD Trust issue
Dear all,

I am new to IPA and have some question about set up.

I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have 2-ways trusted. Windows AD user can logon under IPA client PC.

I have 3 question about further setup.

1) IPA Client Login issue.
In IPA client, if Windows AD user want to login, It need to type full name such as 'userA@win_ad.com'. How do I let Windows AD user logon only with their username? That means only use 'userA' to logon IPA Client PC rather than 'userA@win_ad.com' ?

2) Windows Login issue.
I want to logon under Windows AD Client PC (Client PC's OS is Windows 7), Since this Windows PC already join win_ad domain, it can allow Windows AD domain user to logon. But when I try to logon IPA user, for example, logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB'. It always show 'There are currently no logon servers available to service the logon request.' and does not allow IPA user to logon. How do I do now? I need to modify Windows AD setting? or Windows client PC setting?

3) Windows Login issue.
Can I login under Windows AD Client PC with IPA username only (not include IPA domain)? that is, only use 'userB' as username to login?

Thanks all
Kevin Tang
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear all,
>
> I am new to IPA and have some question about set up.
>
> I already setup IPA server (CentOS 6.4 64bit), IPA client (CentOS 6.4 64bit), and Windows AD (Windows 2008 R2 Standard 64bit). IPA Server and Windows AD already have 2-ways trusted. Windows AD user can logon under IPA client PC.
>
> I have 3 question about further setup.
>
> 1) IPA Client Login issue.
> In IPA client, if Windows AD user want to login, It need to type full name such as 'userA@win_ad.com'. How do I let Windows AD user logon only with their username? That means only use 'userA' to logon IPA Client PC rather than 'userA@win_ad.com' ?

Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD domains are represented as subdomains of a single IPA provider, full UPN is used to distinguish and discover which subdomain they belong to for performance reasons.

> 2) Windows Login issue.
> I want to logon under Windows AD Client PC (Client PC's OS is Windows 7), Since this Windows PC already join win_ad domain, it can allow Windows AD domain user to logon. But when I try to logon IPA user, for example, logon as 'userB@ipa_ad.com' or 'ipa_ad.com\userB'. It always show 'There are currently no logon servers available to service the logon request.' and does not allow IPA user to logon. How do I do now? I need to modify Windows AD setting? or Windows client PC setting?

We do not support this mode yet, it requires implementation of Global Catalog service on IPA side which is not done yet. Plans for doing that are in Fedora 20-21 time frame.

> 3) Windows Login issue.
> Can I login under Windows AD Client PC with IPA username only (not include IPA domain)? that is, only use 'userB' as username to login?

No. Only users from the domain Windows PC is joined to could be logged without explicit domain name. Since IPA domain belongs to a separate forest, you cannot log in without explicit domain prefix.

Please note, even that will only be possible when we implement Global Catalog service on IPA side.

--
/ Alexander Bokovoy