Re: [Freeipa-users] Re : Re: Some interrogations about the freeipa deployment

2013-01-23 Thread Dmitri Pal
On 01/23/2013 03:59 PM, Bob Sauvage wrote:
>
> Hi Dale,
>
> You mean that if I turn this option to 'yes', I'll be able to connect
> to the server through SSH without needing to authenticate again? Even
> if I'm connected to the domain from a Windows workstation?
>

If you set up trusts between IPA and AD, then yes.
If not, then you need to ssh from a system that belongs to the IPA domain.
IPA does not support joining Windows systems to the IPA domain, but you
can configure Kerberos for Windows and use local Windows accounts. There
are some HowTos on the wiki about it.
Alternatively, you join Linux systems to AD and use it as your central
authentication server; then SSO would also work, but you will lose the
ability to manage your Linux-related policies.

Trusts are probably the best for you, but there will be dragons.
http://freeipa.org/page/Howto/IPAv3_AD_trust_setup

> Regards,
>
>> ----- Original message -----
>> From: Dale Macartney
>> Sent: 22.01.13 23:13
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Some interrogations about the freeipa
>> deployment
>
>
> On 01/22/2013 09:51 PM, Steven Jones wrote:
> > Hi,
> >
> > I have done all this, so from what you write I think IPA would be a
> > good fit for what you want, except for the single sign-on bit; I
> > have not looked to see if that can be done. For http restart you
> > control that via sudo in IPA so it's centrally managed; I have this
> > working for one such server, though I use the reload option instead.
>
> To enable SSO with SSH from an IPA workstation, just edit
> /etc/ssh/sshd_config and make sure the line below is set to yes:
> "GSSAPIAuthentication yes"
>
> If you've just made the change, it won't take effect until SSH is
> restarted. So do the usual service sshd restart.
>
> > I would also not run one instance of IPA myself, but with such a
> > small site that's your call.
> >
> > regards
> >
> > Steven Jones
> > Technical Specialist - Linux RHCE
> > Victoria University, Wellington, NZ
> > 0064 4 463 6272
> >
> > -
> > *From:* freeipa-users-boun...@redhat.com
> > [freeipa-users-boun...@redhat.com] on behalf of Bob Sauvage
> > [bob.sauv...@gmx.fr]
> > *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> > *To:* freeipa-users@redhat.com
> > *Subject:* [Freeipa-users] Some interrogations about the freeipa
> > deployment
> >
> > Hi *,
> >
> > I plan to review the network architecture of my office. 10
> > Windows/Linux desktops and 2 Linux servers will be deployed on the
> > network.
> >
> > I want to install freeipa on the first server to act like an AD DS.
> > I want to authenticate users on the server and control what they can
> > and cannot do on the network. 10 other Linux web servers should be
> > accessible (console) by specific users without the need to
> > authenticate again (single sign on). On these web servers, users can
> > issue specific commands like "/etc/init.d/httpd restart".
> >
> > Is it possible to achieve this with freeipa? Do you have some articles?
> >
> > Thanks in advance,
> >
> > Bob !
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
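As an added example (not code from this thread, from FreeIPA or from OpenSSH), a small pre-flight script for the two conditions Dale and Dmitri describe: sshd must effectively have GSSAPIAuthentication set to yes, and the connecting client must already hold a Kerberos ticket from the IPA realm. The sample sshd_config is constructed for the demonstration, and directives inside Match blocks are ignored as a simplification.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread, FreeIPA or OpenSSH.
# Pre-flight checks for Kerberos (GSSAPI) single sign-on over SSH:
#   1. server side: does sshd_config *effectively* enable GSSAPIAuthentication?
#      sshd uses the FIRST uncommented value of a keyword and defaults to "no",
#      so a stray "GSSAPIAuthentication no" above your edit silently wins.
#      Directives inside Match blocks are ignored here (simplification).
#   2. client side: does the user already hold a valid Kerberos ticket?

# Print the effective GSSAPIAuthentication value ("yes" or "no") for a file.
gssapi_effective() {
    awk '
        { sub(/[ \t]*=[ \t]*/, " "); $0 = $0 }      # accept Keyword=value too
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == "gssapiauthentication" && !found { print tolower($2); found = 1 }
        END { if (!found) print "no" }
    ' "$1"
}

# Return 0 if MIT Kerberos reports a valid ticket cache (klist -s is silent).
# The client must be enrolled in (or trusted by) the IPA realm; a Windows box
# that is not part of that realm has no ticket the IPA-enrolled sshd accepts.
client_has_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -s
}

# Constructed sample config: the shipped commented default, an explicit yes,
# and a Match block whose "no" must not be mistaken for the global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# GSSAPIAuthentication no
GSSAPIAuthentication yes
Match User deploy
    GSSAPIAuthentication no
EOF
echo "effective GSSAPIAuthentication: $(gssapi_effective "$sample")"   # yes
rm -f "$sample"
# On an enrolled client, run: client_has_ticket && echo "ticket present"
```

Run the first check on the SSH server and the second on the workstation you connect from; if either fails, sshd will fall back to password or key authentication instead of SSO.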

[Freeipa-users] Re : Re: Some interrogations about the freeipa deployment

2013-01-23 Thread Bob Sauvage
Hi Dale,

You mean that if I turn this option to 'yes', I'll be able to connect to the
server through SSH without needing to authenticate again? Even if I'm
connected to the domain from a Windows workstation?

Regards,

----- Original message -----
From: Dale Macartney
Sent: 22.01.13 23:13
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Some interrogations about the freeipa deployment



On 01/22/2013 09:51 PM, Steven Jones wrote:
> Hi,
>
> I have done all this, so from what you write I think IPA would be a good fit
> for what you want, except for the single sign-on bit; I have not looked
> to see if that can be done. For http restart you control that via sudo in
> IPA so it's centrally managed; I have this working for one such server, though
> I use the reload option instead.

To enable SSO with SSH from an IPA workstation, just edit /etc/ssh/sshd_config
and make sure the line below is set to yes:
"GSSAPIAuthentication yes"

If you've just made the change, it won't take effect until SSH is restarted.
So do the usual service sshd restart.

>
> I would also not run one instance of IPA myself, but with such a small site
> that's your call.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> -
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
> *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Some interrogations about the freeipa deployment
>
> Hi *,
>
> I plan to review the network architecture of my office. 10 Windows/Linux
> desktops and 2 Linux servers will be deployed on the network.
>
> I want to install freeipa on the first server to act like an AD DS. I want
> to authenticate users on the server and control what they can and cannot
> do on the network. 10 other Linux web servers should be accessible
> (console) by specific users without the need to authenticate again
> (single sign on). On these web servers, users can issue specific commands
> like "/etc/init.d/httpd restart".
>
> Is it possible to achieve this with freeipa? Do you have some articles?
>
> Thanks in advance,
>
> Bob !
>
