Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-22 Thread Jakub Hrozek
On Mon, Jun 22, 2015 at 09:36:49AM +, Alexander Frolushkin wrote:
> Hello, Jakub!
> Could you please tell, what about sssd package in RHEL 6, when we can expect 
> the fixes in official updates? Especially with our sensitive fixes 
> (parentheses in AD groups names)?

Hi,

in RHEL-6, only the client-side of the views will be supported, not the
server. The client-side is coming to 6.7

btw as I said, there are still bugs wrt views on the server side. We
can't backport them to RHEL-7.1.z until there is a customer
request...hence so far they are planned for 7.2

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-22 Thread Alexander Frolushkin
Hello, Jakub!
Could you please tell, what about sssd package in RHEL 6, when we can expect 
the fixes in official updates? Especially with our sensitive fixes (parentheses 
in AD groups names)?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Monday, June 22, 2015 2:27 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 08:15:37PM +, David Fitzgerald wrote:
>
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
>
> On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
> > Hello,
> >
> > Forgive me if this is a very basic question, but I have read the 
> > documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations,
> > and everything works great.  Unfortunately I have been told that I
> > must now use the University's Active Directory to authenticate all of my 
> > users.
> > I have read the documentation on FreeIPA / AD integration and am not
> > sure if that will meet my requirements.  All my Linux users' home
> > directories are auto mounted on login from a CentOS 7 NFS server with their 
> > bash profiles
> > etc. run off that mount.  From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to
> > be able to log into a Linux machine with access to their Windows
> > folders and profiles (oddjob creating a local home directory on the
> > Linux box, etc.) I don't want this.  All I need is to simply
> > authenticate the user using AD (BTW their IPA usernames and AD
> > usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows  servers.
> > Have I completely mis-read the documentation and I can do this by 
> > integrating FreeIPA and AD?  Is there an easy way to do this? I am not a 
> > Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but..in case of IPA-AD trust, 
> the AD users always authenticate against AD, even in case of password 
> authentication on an IPA box. The passwords are not synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount info, 
> sudo rules etc would satisfy your requirements?
>
>
> With the recent 'views' feature, you can set POSIX attributes for IPA users 
> without touching the AD LDAP schema, even per-host.
>
>
> This is exactly what I need.

If you are going to experiment with the views, then please note that 
unfortunately some bugs slipped into the 7.1 release. If you encounter 
problems, please either try installing latest packages for SSSD and IPA, make 
sure SSSD is updated also on the server side.

Some SSSD bugs are not planned for patching until 7.2, in that case you might 
need to install upstream packages such as:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
- https://bugzilla.redhat.com/show_bug.cgi?id=1217127
- https://bugzilla.redhat.com/show_bug.cgi?id=1214719
- https://bugzilla.redhat.com/show_bug.cgi?id=1214718
- https://bugzilla.redhat.com/show_bug.cgi?id=1214716
- https://bugzilla.redhat.com/show_bug.cgi?id=1214337



Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-22 Thread Jakub Hrozek
On Fri, Jun 19, 2015 at 08:15:37PM +, David Fitzgerald wrote:
> 
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
> 
> On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
> > Hello,
> > 
> > Forgive me if this is a very basic question, but I have read the 
> > documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it 
> > to manage about 200 users and 90 Scientific Linux workstations, and 
> > everything works great.  Unfortunately I have been told that I must 
> > now use the University's Active Directory to authenticate all of my users.
> > I have read the documentation on FreeIPA / AD integration and am not 
> > sure if that will meet my requirements.  All my Linux users' home 
> > directories are auto mounted on login from a CentOS 7 NFS server with their 
> > bash profiles
> > etc. run off that mount.  From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to 
> > be able to log into a Linux machine with access to their Windows 
> > folders and profiles (oddjob creating a local home directory on the 
> > Linux box, etc.) I don't want this.  All I need is to simply 
> > authenticate the user using AD (BTW their IPA usernames and AD 
> > usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any 
> > folders mounted from the Windows  servers.
> > Have I completely mis-read the documentation and I can do this by 
> > integrating FreeIPA and AD?  Is there an easy way to do this? I am not a 
> > Windows AD expert by any means.
> 
> I'm not sure I completely answer your question, but..in case of IPA-AD trust, 
> the AD users always authenticate against AD, even in case of password 
> authentication on an IPA box. The passwords are not synchronized in any way.
> 
> So I guess having the user accounts in AD, but keeping the automount info, 
> sudo rules etc would satisfy your requirements?
> 
> 
> With the recent 'views' feature, you can set POSIX attributes for IPA users 
> without touching the AD LDAP schema, even per-host.
> 
> 
> This is exactly what I need.

If you are going to experiment with the views, then please note that
unfortunately some bugs slipped into the 7.1 release. If you encounter
problems, please either try installing latest packages for SSSD and IPA,
make sure SSSD is updated also on the server side.

Some SSSD bugs are not planned for patching until 7.2, in that case you
might need to install upstream packages such as:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
- https://bugzilla.redhat.com/show_bug.cgi?id=1217127
- https://bugzilla.redhat.com/show_bug.cgi?id=1214719
- https://bugzilla.redhat.com/show_bug.cgi?id=1214718
- https://bugzilla.redhat.com/show_bug.cgi?id=1214716
- https://bugzilla.redhat.com/show_bug.cgi?id=1214337




Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, June 19, 2015 3:15 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
> Hello,
> 
> Forgive me if this is a very basic question, but I have read the 
> documentation and am still confused as to what to do.
> Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it 
> to manage about 200 users and 90 Scientific Linux workstations, and 
> everything works great.  Unfortunately I have been told that I must 
> now use the University's Active Directory to authenticate all of my users.
> I have read the documentation on FreeIPA / AD integration and am not 
> sure if that will meet my requirements.  All my Linux users' home 
> directories are auto mounted on login from a CentOS 7 NFS server with their 
> bash profiles
> etc. run off that mount.  From what I have read it seems to me that
> FreeIPA / AD integration is more focused on getting Windows users to 
> be able to log into a Linux machine with access to their Windows 
> folders and profiles (oddjob creating a local home directory on the 
> Linux box, etc.) I don't want this.  All I need is to simply 
> authenticate the user using AD (BTW their IPA usernames and AD 
> usernames are the same other than the
> domain) then use the info from FreeIPA as I do now. I don't need any 
> folders mounted from the Windows  servers.
> Have I completely mis-read the documentation and I can do this by integrating 
> FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD 
> expert by any means.

I'm not sure I completely answer your question, but..in case of IPA-AD trust, 
the AD users always authenticate against AD, even in case of password 
authentication on an IPA box. The passwords are not synchronized in any way.

So I guess having the user accounts in AD, but keeping the automount info, sudo 
rules etc would satisfy your requirements?


With the recent 'views' feature, you can set POSIX attributes for IPA users 
without touching the AD LDAP schema, even per-host.


This is exactly what I need.



Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread Simo Sorce
On Fri, 2015-06-19 at 21:15 +0200, Jakub Hrozek wrote:
> On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
> > Hello,
> > 
> > Forgive me if this is a very basic question, but I have read the 
> > documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations, and
> > everything works great.  Unfortunately I have been told that I must now
> > use the University's Active Directory to authenticate all of my users.
> > I have read the documentation on FreeIPA / AD integration and am not sure if
> > that will meet my requirements.  All my Linux users' home directories are
> > auto mounted on login from a CentOS 7 NFS server with their bash profiles
> > etc. run off that mount.  From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to be
> > able to log into a Linux machine with access to their Windows folders and
> > profiles (oddjob creating a local home directory on the Linux box, etc.)
> > I don't want this.  All I need is to simply authenticate the user using AD
> > (BTW their IPA usernames and AD usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows  servers.
> > Have I completely mis-read the documentation and I can do this by 
> > integrating FreeIPA and AD?  Is there an easy way to do this? I am not a 
> > Windows AD expert by any means.
> 
> I'm not sure I completely answer your question, but..in case of IPA-AD
> trust, the AD users always authenticate against AD, even in case of
> password authentication on an IPA box. The passwords are not
> synchronized in any way.
> 
> So I guess having the user accounts in AD, but keeping the automount
> info, sudo rules etc would satisfy your requirements?
> 
> With the recent 'views' feature, you can set POSIX attributes for IPA
> users without touching the AD LDAP schema, even per-host.

Just for clarity:
 note that use of these features will require an upgrade of your server
to the latest Centos 7.2 (when it will be released).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread Jakub Hrozek
On Fri, Jun 19, 2015 at 06:23:46PM +, David Fitzgerald wrote:
> Hello,
> 
> Forgive me if this is a very basic question, but I have read the 
> documentation and am still confused as to what to do.
> Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> it to manage about 200 users and 90 Scientific Linux workstations, and
> everything works great.  Unfortunately I have been told that I must now
> use the University's Active Directory to authenticate all of my users.
> I have read the documentation on FreeIPA / AD integration and am not sure if
> that will meet my requirements.  All my Linux users' home directories are
> auto mounted on login from a CentOS 7 NFS server with their bash profiles
> etc. run off that mount.  From what I have read it seems to me that
> FreeIPA / AD integration is more focused on getting Windows users to be
> able to log into a Linux machine with access to their Windows folders and
> profiles (oddjob creating a local home directory on the Linux box, etc.)
> I don't want this.  All I need is to simply authenticate the user using AD
> (BTW their IPA usernames and AD usernames are the same other than the
> domain) then use the info from FreeIPA as I do now. I don't need any
> folders mounted from the Windows  servers.
> Have I completely mis-read the documentation and I can do this by integrating 
> FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD 
> expert by any means.

I'm not sure I completely answer your question, but..in case of IPA-AD
trust, the AD users always authenticate against AD, even in case of
password authentication on an IPA box. The passwords are not
synchronized in any way.

So I guess having the user accounts in AD, but keeping the automount
info, sudo rules etc would satisfy your requirements?

With the recent 'views' feature, you can set POSIX attributes for IPA
users without touching the AD LDAP schema, even per-host.

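The 'views' approach mentioned in the reply above, sketched as an added example that is not part of the original thread: a script that turns existing passwd entries into ID-view overrides for the matching AD users, so they keep the UID/GID that owns their NFS home directory, and refuses entries that would map an AD account to root or a system ID. The view name, AD domain, host name, ID floor and sample data are assumptions; the script only prints `ipa` commands for review and does not run them.

```shell
#!/bin/sh
# Added example: plan ID-view overrides so AD users keep their existing
# POSIX identity (and therefore ownership of NFS home directories).
# VIEW, AD_DOMAIN, HOST, MIN_ID and the sample data are illustrative assumptions.
VIEW="nfs_homes"             # hypothetical ID view name
AD_DOMAIN="ad.example.edu"   # hypothetical trusted AD domain
HOST="ws01.ipa.example.edu"  # hypothetical IPA client that gets the view
MIN_ID=1000                  # never map an AD account to root or a system ID

# Constructed sample in `getent passwd` format (current IPA users).
SAMPLE_PASSWD='alice:*:12001:12001:Alice A:/home/alice:/bin/bash
bob:*:12002:12002:Bob B:/home/bob:/bin/bash
mallory:*:0:0:bad mapping:/root:/bin/bash
carol:*:12003:12003:Carol C:home/carol:/bin/bash'

# Print the override command for one passwd line; exit status 1 and a reason
# on stderr if the entry is unsafe to carry over. Runs in a subshell, so its
# variables stay local.
override_cmd() (
    IFS=: read -r login _pw uid gid _gecos home shell <<EOF
$1
EOF
    reject() { echo "skip ${login:-?}: $1" >&2; exit 1; }
    case $login in ''|*[!a-z0-9._-]*) reject "unexpected login" ;; esac
    for id in "$uid" "$gid"; do
        case $id in ''|*[!0-9]*) reject "non-numeric id" ;; esac
        [ "$id" -ge "$MIN_ID" ] || reject "id $id below $MIN_ID"
    done
    for path in "$home" "$shell"; do
        case $path in
            /*) case $path in *[!A-Za-z0-9/._-]*) reject "odd path" ;; esac ;;
            *)  reject "path '$path' is not absolute" ;;
        esac
    done
    printf 'ipa idoverrideuser-add %s %s@%s --uid=%s --gidnumber=%s --homedir=%s --shell=%s\n' \
        "$VIEW" "$login" "$AD_DOMAIN" "$uid" "$gid" "$home" "$shell"
)

# Full plan: create the view, add one override per safe entry, then attach
# the view to a single host (the "per-host" part). Review before running.
generate_plan() {
    printf 'ipa idview-add %s --desc="Keep existing UIDs for AD users"\n' "$VIEW"
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        override_cmd "$line" || true
    done
    printf 'ipa idview-apply %s --hosts=%s\n' "$VIEW" "$HOST"
}

generate_plan
```
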


[Freeipa-users] question on Active Directory and FreeIPA

2015-06-19 Thread David Fitzgerald
Hello,

Forgive me if this is a very basic question, but I have read the documentation 
and am still confused as to what to do.
Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using it to manage 
about 200 users and 90 Scientific Linux workstations, and everything works 
great.  Unfortunately I have been told that I must now use the University's 
Active Directory to authenticate all of my users.  I have read the 
documentation on FreeIPA / AD integration and am not sure if that will meet my 
requirements.  All my Linux users' home directories are auto mounted on login 
from a CentOS 7 NFS server with their bash profiles etc. run off that mount.
From what I have read it seems to me that FreeIPA / AD integration is more 
focused on getting Windows users to be able to log into a Linux machine with 
access to their Windows folders and profiles (oddjob creating a local home 
directory on the Linux box, etc.)  I don't want this.  All I need is to simply 
authenticate the user using AD (BTW their IPA usernames and AD usernames are 
the same other than the domain) then use the info from FreeIPA as I do now. I 
don't need any folders mounted from the Windows  servers.
Have I completely mis-read the documentation and I can do this by integrating 
FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD expert 
by any means.

Thanks for your help!

Dave

++
David Fitzgerald
Department of Earth Science
Millersville University
Millersville, PA 17551

Phone:  717-871-7436
E-Mail:  david.fitzger...@millersville.edu
