Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie



 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there 
 will be a separate RHEL
 add-on channel, Enterprise Identity Replication. That add-on channel will 
 contain ds-replication
 and the Windows sync packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the Enterprise 
 Identity Replication
 channel from your Red Hat account rep.

 Cheers,
 Kev

 Hi Kevin,


 I have requested the replication channel as you recommended from our
 account manager.

 I am curious as to why such an important feature as replication is put in
 its own channel. I see IPA is trying to compete with Active Directory
 to service Unix/Linux machines, however with Active Directory all
 features are included in the base package of the operating system.

 Why does Red Hat put the replication feature of IPA into a separate
 channel from the operating system?


 Rgds,
 Siggi


 ==


 Silly question... they want to make money and lock out the easy
 possibility of you not paying them.

 There is a very good reason RedHat is nicknamed the Microsoft of the Linux
 world... but they are all pretty much the same.

 You have to go into this with open eyes... this project isn't a real open
 source project with real open source ppl from all walks of life... it's a
 Red Hat project... that they let you see into on their terms, Sun and Oracle
 for instance have done the same thing... their projects splutter along with
 little OSS community support.

 Example, so if you went to say mailman (like I do) that's a real open source
 product and I can get first class support via that... I would think that
 this will never be a place for open source support for IPA it will be please
 go to Red Hat and pay if you want help.

 I don't know I've even seen a single contributor who doesn't have a
 @redhat.com address, that set off warning lights for me... probably why the
 FDS project still has so many contributors and users

 I hadn't noticed this wrinkle as I'm busy building a total virtual copy of
 prod to run a huge proof of concept / pre-prod setup which will take me
 another week at least... given we don't have much money and it's going to
 take me more than 6 months to do, paying $ isn't practical/possible and we
 don't know the cost when 6.2 comes out.  So I suspect that if you don't want
 or can't afford a support contract bailing to CENTOS 6.1 or using CENTOS
 rpms to finish the glue (on RHEL) will be the way to go. Given we will be
 using shibboleth and everyone around us with shibboleth is on CENTOS it's
 probably where we will go.

 It's not all bad, bear in mind of course an Identity / LDAP product off
 anyone else eg Oracle will cost you mega bucks to buy (think numbers ending
 in 5 0's), is bloody awful (2 of us spent 6 weeks trying to make its virtual
 front end LDAP server even start let alone do anything of use and I
 failed)... and costly to look after (think 1 FTE and a highly paid one to
 boot)... I really wonder if the business case stacks up at all

 regards



Hello Steven,

I do not agree with you. You can download the source for IPA at any time for
using, forking or creating and supporting your own distribution, that to me
is an open source project. Doesn't matter how many of the contributors have
or do not have a @redhat address.


Rgds,
Siggi





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie

mvh,
Sigbjorn Lie

's/windows/unix/g'
- Ubuntu - an African word, meaning Slackware is too hard for me


On Fri, April 8, 2011 01:03, Kevin Unthank wrote:
 snip

 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there 
 will be a separate
 RHEL add-on channel, Enterprise Identity Replication.
 That add-on channel will contain ds-replication and the Windows sync
 packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the 
 Enterprise Identity
 Replication channel from your Red Hat account
 rep.

 Cheers,
 Kev

 Hi Kevin,


 I have requested the replication channel as you recommended from our account 
 manager.


 I am curious as to why such an important feature as replication is put in
 its own channel. I see IPA is trying to compete with Active Directory
 to service Unix/Linux machines, however with Active Directory all
 features are included in the base package of the operating system.

 Why does Red Hat put the replication feature of IPA into a separate
 channel from the operating system?


 Rgds,
 Siggi


 Hi Siggi,


 With RHEL6 we are striving to have more flexibility with packaging and
 features. From the website: http://www.redhat.com/rhel/add-ons/

 Add-Ons to Red Hat Enterprise Linux allow you to tailor your application
 environment with workload extensions to suit your particular computing 
 requirements.

 For RHEL6.2 we are planning to have an Enterprise Identity Replication
 add-on. Until then, free evaluations will be available for customers who wish 
 to play with IPA
 while it is a technology preview.


Hi Kevin,

Please disregard Steven Jones' ranting, this was not the kind of feedback I
was looking for.

Ok, I do like the wider options for channels in Red Hat, but this brings me
to my next question:
Will there be an extra charge for this add on channel, or will this be
included in the base subscription?

If $answer = yes { Why does Red Hat think they can charge more for a feature
that is included in its competitor's base license for the equivalent
product? }

Else if $answer = no { Great! :) }



Rgds,
Siggi












Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
Right, forgot to remove autosignature. :)

See my post at the bottom of my last email.


Rgds,
Siggi


On Fri, April 8, 2011 08:38, Sigbjorn Lie wrote:


 mvh, Sigbjorn Lie


 's/windows/unix/g'
 - Ubuntu - an African word, meaning Slackware is too hard for me



 On Fri, April 8, 2011 01:03, Kevin Unthank wrote:

 snip


 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there 
 will be a separate
 RHEL add-on channel, Enterprise Identity Replication.
 That add-on channel will contain ds-replication and the Windows sync
 packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the 
 Enterprise Identity
 Replication channel from your Red Hat account
 rep.

 Cheers,
 Kev


 Hi Kevin,



 I have requested the replication channel as you recommended from our 
 account manager.



 I am curious as to why such an important feature as replication is put in
 its own channel. I see IPA is trying to compete with Active Directory
 to service Unix/Linux machines, however with Active Directory all
 features are included in the base package of the operating system.

 Why does Red Hat put the replication feature of IPA into a separate
 channel from the operating system?


 Rgds,
 Siggi



 Hi Siggi,



 With RHEL6 we are striving to have more flexibility with packaging and
 features. From the website: http://www.redhat.com/rhel/add-ons/

 Add-Ons to Red Hat Enterprise Linux allow you to tailor your application
 environment with workload extensions to suit your particular computing 
 requirements.

 For RHEL6.2 we are planning to have an Enterprise Identity Replication
 add-on. Until then, free evaluations will be available for customers who 
 wish to play with IPA
 while it is a technology preview.


 Hi Kevin,


 Please disregard Steven Jones' ranting, this was not the kind of feedback I
 was looking for.

 Ok, I do like the wider options for channels in Red Hat, but this brings me
 to my next question:
 Will there be an extra charge for this add on channel, or will this be
 included in the base subscription?

 If $answer = yes { Why does Red Hat think they can charge more for a feature
 that is included in its competitor's base license for the equivalent
 product? }

 Else if $answer = no { Great! :) }




 Rgds,
 Siggi













Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Natxo Asenjo
On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie sigbj...@nixtra.com wrote:

 Ok, I do like the wider options for channels in Red Hat, but this brings me
 to my next question:
 Will there be an extra charge for this add on channel, or will this be
 included in the base subscription?

 If $answer = yes { Why does Red Hat think they can charge more for a feature
 that is included in its competitor's base license for the equivalent
 product? }

Does Microsoft include a synchronization plugin to RHDS? They do have
a synchronization package between different servers (sql and possibly
other ldap servers) into AD, but iirc not free (sorry, I forgot its
name, I saw it in the pile of cd/dvds we get from MS just in case we
bite and use it :-) ).

The synchronization between RHDS and Windows AD is as far as I see it,
just like the one from 389 directory server:
http://directory.fedoraproject.org/wiki/Howto:WindowsSync ; if there
is a supported module for freeipa, then great. Otherwise, one can
always try to get it working on its own.

Or am I absolutely wrong about this?
-- 
natxo



Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Sigbjorn Lie
On Fri, April 8, 2011 09:48, Natxo Asenjo wrote:
 On Fri, Apr 8, 2011 at 8:38 AM, Sigbjorn Lie sigbj...@nixtra.com wrote:


 Ok, I do like the wider options for channels in Red Hat, but this brings me
 to my next question:
 Will there be an extra charge for this add on channel, or will this be
 included in the base subscription?

 If $answer = yes { Why does Red Hat think they can charge more for a feature
 that is included in its competitor's base license for the equivalent
 product? }

 Does Microsoft include a synchronization plugin to RHDS? They do have
 a synchronization package between different servers (sql and possibly
 other ldap servers) into AD, but iirc not free (sorry, I forgot its
 name, I saw it in the pile of cd/dvds we get from MS just in case we
 bite and use it :-) ).

 The synchronization between RHDS and Windows AD is as far as I see it,
 just like the one from 389 directory server:
 http://directory.fedoraproject.org/wiki/Howto:WindowsSync ; if there
 is a supported module for freeipa, then great. Otherwise, one can always try 
 to get it working on
 its own.

 Or am I absolutely wrong about this?
 --

Hi,

Sync between Windows and IPA is included. I am asking about the replication 
between IPA servers.


Rgds,
Siggi




Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Dmitri Pal
On 04/08/2011 02:38 AM, Sigbjorn Lie wrote:
 Hi Kevin,

 Please disregard Steven Jones' ranting, this was not the kind of feedback I
 was looking for.

 Ok, I do like the wider options for channels in Red Hat, but this brings me
 to my next question:
 Will there be an extra charge for this add on channel, or will this be
 included in the base subscription?

 If $answer = yes { Why does Red Hat think they can charge more for a feature
 that is included in its competitor's base license for the equivalent
 product? }

 Else if $answer = no { Great! :) }



 Rgds,
 Siggi
I will leave it to Kevin to describe details but in a nutshell the
replication and/or synchronization with AD (same channel) is not free.
Red Hat worked out a competitive pricing model for this product and some
of the cost is attached to the replication bits.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] 6.1 beta

2011-04-08 Thread Kevin Unthank



On 04/08/2011 06:26 AM, Dmitri Pal wrote:

On 04/08/2011 02:38 AM, Sigbjorn Lie wrote:

Hi Kevin,

Please disregard Steven Jones' ranting, this was not the kind of feedback I
was looking for.

Ok, I do like the wider options for channels in Red Hat, but this brings me
to my next question:
Will there be an extra charge for this add on channel, or will this be
included in the base subscription?

If $answer = yes { Why does Red Hat think they can charge more for a feature
that is included in its competitor's base license for the equivalent
product? }

Else if $answer = no { Great! :) }



Rgds,
Siggi

I will leave it to Kevin to describe details but in a nutshell the
replication and/or synchronization with AD (same channel) is not free.
Red Hat worked out a competitive pricing model for this product and some
of the cost is attached to the replication bits.


There aren't many more details to fill in because the final
pricing decisions have not been, erm... finalised.

As Dmitri said, we have been working on models to ensure
the pricing is competitive and flexible.

One additional parameter that we have to take into
consideration are the pricing models for other Red Hat
offerings such as virtualization, systems management and
middleware offerings. We want an easy to understand pricing
model that provides the best value for our customers.

Just to reiterate, the upstream community supported
packages remain freely available in both binary and source
form.

Cheers,
Kev



Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Sigbjorn Lie

On 04/05/2011 01:25 AM, Kevin Unthank wrote:



On 04/04/2011 12:06 PM, Dmitri Pal wrote:

On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

On 04/04/2011 08:32 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

   On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 



Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 



Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another
part of init does. We have a ticket open on this, #1035.




ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this
more explicit.

thanks

rob


I could not find any ds-replication package in RHN.


We are working on making it available.


Just to elaborate on Dmitri's comments. In addition to the IPA client
and server packages that are included in the RHEL6.1 beta channel, there
will be a separate RHEL add-on channel, Enterprise Identity Replication.
That add-on channel will contain ds-replication and the Windows sync
packages.

If you wish to use IPA during the beta or when it is a tech preview
feature of RHEL 6.1 you should request an eval entitlement to the
Enterprise Identity Replication channel from your Red Hat account
rep.

Cheers,
Kev

Hi Kevin,

I have requested the replication channel as you recommended from our 
account manager.


I am curious as to why such an important feature as replication is put in
its own channel. I see IPA is trying to compete with Active Directory
to service Unix/Linux machines, however with Active Directory all
features are included in the base package of the operating system.


Why does Red Hat put the replication feature of IPA into a separate
channel from the operating system?



Rgds,
Siggi






Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Steven Jones

8-


 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there
 will be a separate RHEL add-on channel, Enterprise Identity Replication.
 That add-on channel will contain ds-replication and the Windows sync
 packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the
 Enterprise Identity Replication channel from your Red Hat account
 rep.

 Cheers,
 Kev
Hi Kevin,

I have requested the replication channel as you recommended from our
account manager.

I am curious as to why such an important feature as replication is put in
its own channel. I see IPA is trying to compete with Active Directory
to service Unix/Linux machines, however with Active Directory all
features are included in the base package of the operating system.

Why does Red Hat put the replication feature of IPA into a separate
channel from the operating system?


Rgds,
Siggi

==

Silly question... they want to make money and lock out the easy possibility
of you not paying them.

There is a very good reason RedHat is nicknamed the Microsoft of the Linux
world... but they are all pretty much the same.

You have to go into this with open eyes... this project isn't a real open
source project with real open source ppl from all walks of life... it's a Red
Hat project... that they let you see into on their terms, Sun and Oracle for
instance have done the same thing... their projects splutter along with little
OSS community support.

Example, so if you went to say mailman (like I do) that's a real open source
product and I can get first class support via that... I would think that this
will never be a place for open source support for IPA it will be please go to
Red Hat and pay if you want help.

I don't know I've even seen a single contributor who doesn't have a
@redhat.com address, that set off warning lights for me... probably why the
FDS project still has so many contributors and users

I hadn't noticed this wrinkle as I'm busy building a total virtual copy of prod
to run a huge proof of concept / pre-prod setup which will take me another week
at least... given we don't have much money and it's going to take me more than
6 months to do, paying $ isn't practical/possible and we don't know the cost
when 6.2 comes out.  So I suspect that if you don't want or can't afford a
support contract bailing to CENTOS 6.1 or using CENTOS rpms to finish the glue
(on RHEL) will be the way to go. Given we will be using shibboleth and everyone
around us with shibboleth is on CENTOS it's probably where we will go.

It's not all bad, bear in mind of course an Identity / LDAP product off anyone
else eg Oracle will cost you mega bucks to buy (think numbers ending in 5 0's),
is bloody awful (2 of us spent 6 weeks trying to make its virtual front end
LDAP server even start let alone do anything of use and I failed)... and
costly to look after (think 1 FTE and a highly paid one to boot)... I really
wonder if the business case stacks up at all

regards




Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Dmitri Pal
On 04/07/2011 05:32 PM, Steven Jones wrote:
 8-


 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there
 will be a separate RHEL add-on channel, Enterprise Identity Replication.
 That add-on channel will contain ds-replication and the Windows sync
 packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the
 Enterprise Identity Replication channel from your Red Hat account
 rep.

 Cheers,
 Kev
 Hi Kevin,

 I have requested the replication channel as you recommended from our
 account manager.

 I am curious as to why such an important feature as replication is put in
 its own channel. I see IPA is trying to compete with Active Directory
 to service Unix/Linux machines, however with Active Directory all
 features are included in the base package of the operating system.

 Why does Red Hat put the replication feature of IPA into a separate
 channel from the operating system?


 Rgds,
 Siggi

 ==

 Silly question... they want to make money and lock out the easy
 possibility of you not paying them.

 There is a very good reason RedHat is nicknamed the Microsoft of the Linux
 world... but they are all pretty much the same.

 You have to go into this with open eyes... this project isn't a real open
 source project with real open source ppl from all walks of life... it's a
 Red Hat project... that they let you see into on their terms, Sun and Oracle
 for instance have done the same thing... their projects splutter along with
 little OSS community support.

 Example, so if you went to say mailman (like I do) that's a real open source
 product and I can get first class support via that... I would think that
 this will never be a place for open source support for IPA it will be please
 go to Red Hat and pay if you want help.

 I don't know I've even seen a single contributor who doesn't have a
 @redhat.com address, that set off warning lights for me... probably why the
 FDS project still has so many contributors and users

 I hadn't noticed this wrinkle as I'm busy building a total virtual copy of
 prod to run a huge proof of concept / pre-prod setup which will take me
 another week at least... given we don't have much money and it's going to
 take me more than 6 months to do, paying $ isn't practical/possible and we
 don't know the cost when 6.2 comes out.  So I suspect that if you don't want
 or can't afford a support contract bailing to CENTOS 6.1 or using CENTOS
 rpms to finish the glue (on RHEL) will be the way to go. Given we will be
 using shibboleth and everyone around us with shibboleth is on CENTOS it's
 probably where we will go.

 It's not all bad, bear in mind of course an Identity / LDAP product off
 anyone else eg Oracle will cost you mega bucks to buy (think numbers ending
 in 5 0's), is bloody awful (2 of us spent 6 weeks trying to make its virtual
 front end LDAP server even start let alone do anything of use and I
 failed)... and costly to look after (think 1 FTE and a highly paid one to
 boot)... I really wonder if the business case stacks up at all

 regards



Hello Siggi, Hello Steven

It is true that we are human and we sometimes need to eat (just
sometimes...).
It is true that the project was sponsored by Red Hat and most of the
contributors are from Red Hat.
It is not true that all of them are. There are other contributors. Not
many but there are. And we hope that there will be more over time.

All the bits are available in Fedora at no cost and we do our best to
support Fedora community since we treasure anyone who provides any
feedback (better negative as we can learn from it).
We are going to continue keeping lights on this project so that people
who value the Red Hat platform for its stability can enjoy the
reasonably priced IDM solution but it does not prevent other
distributions from enjoying the fruits of our work. The same team of
engineers works on SSSD. SSSD has been adopted by SUSE, Debian & Ubuntu
and has several active non Red Hat contributors.
This did not happen over time but it did. And the main reason is that we
are ready to work with anyone who cares.

I hope that this clarifies things a bit.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Steven Jones
Hi,

I think I get a bit peeved when I go on a RH course and the trainer spends too
much time telling us about the licencing changes for rhel6 and all the hoops
and caveats we have to now consider... this is proprietary territory... where
licencing becomes a costly and a time consuming headache.

Yes, everyone has to eat... so moderately priced, hopefully it will be no worse
than RDS but when I'm sitting in front of managers convincing them to buy an
Open Source product I kind of feel I'm selling my soul, it's not why I took up
Linux 12 years ago.   I think the guy who wrote the Linux network stack summed
it up well several years ago when asked why he hadn't charged for his work, his
answer was (paraphrase) I write a network stack and in return I get a complete
OS in return for my work, why isn't that a great deal?

NB  Actually for OS licencing we run twice if not three times the Microsoft
servers on our site as Linux... it costs us less to run MS than RH in annual
fees I find that really weird.

regards

Steven


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 8 April 2011 10:21 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 6.1 beta

On 04/07/2011 05:32 PM, Steven Jones wrote:
 8-


 Just to elaborate on Dmitri's comments. In addition to the IPA client
 and server packages that are included in the RHEL6.1 beta channel, there
 will be a separate RHEL add-on channel, Enterprise Identity Replication.
 That add-on channel will contain ds-replication and the Windows sync
 packages.

 If you wish to use IPA during the beta or when it is a tech preview
 feature of RHEL 6.1 you should request an eval entitlement to the
 Enterprise Identity Replication channel from your Red Hat account
 rep.

 Cheers,
 Kev
 Hi Kevin,

 I have requested the replication channel as you recommended from our
 account manager.

 I am curious as to why such an important feature as replication is put in
 its own channel. I see IPA is trying to compete with Active Directory
 to service Unix/Linux machines, however with Active Directory all
 features are included in the base package of the operating system.

 Why does Red Hat put the replication feature of IPA into a separate
 channel from the operating system?


 Rgds,
 Siggi

 ==

 Silly question... they want to make money and lock out the easy
 possibility of you not paying them.

 There is a very good reason RedHat is nicknamed the Microsoft of the Linux
 world... but they are all pretty much the same.

 You have to go into this with open eyes... this project isn't a real open
 source project with real open source ppl from all walks of life... it's a
 Red Hat project... that they let you see into on their terms, Sun and Oracle
 for instance have done the same thing... their projects splutter along with
 little OSS community support.

 Example, so if you went to say mailman (like I do) that's a real open source
 product and I can get first class support via that... I would think that
 this will never be a place for open source support for IPA it will be please
 go to Red Hat and pay if you want help.

 I don't know I've even seen a single contributor who doesn't have a
 @redhat.com address, that set off warning lights for me... probably why the
 FDS project still has so many contributors and users

 I hadn't noticed this wrinkle as I'm busy building a total virtual copy of
 prod to run a huge proof of concept / pre-prod setup which will take me
 another week at least... given we don't have much money and it's going to
 take me more than 6 months to do, paying $ isn't practical/possible and we
 don't know the cost when 6.2 comes out.  So I suspect that if you don't want
 or can't afford a support contract bailing to CENTOS 6.1 or using CENTOS
 rpms to finish the glue (on RHEL) will be the way to go. Given we will be
 using shibboleth and everyone around us with shibboleth is on CENTOS it's
 probably where we will go.

 It's not all bad, bear in mind of course an Identity / LDAP product off
 anyone else eg Oracle will cost you mega bucks to buy (think numbers ending
 in 5 0's), is bloody awful (2 of us spent 6 weeks trying to make its virtual
 front end LDAP server even start let alone do anything of use and I
 failed)... and costly to look after (think 1 FTE and a highly paid one to
 boot)... I really wonder if the business case stacks up at all

 regards



Hello Siggi, Hello Steven

It is true that we are human and we sometimes need to eat (just
sometimes...).
It is true that the project was sponsored by Red Hat and most of the
contributors are from Red Hat.
It is not true that all of them are. There are other contributors. Not
many but there are. And we hope that there will be more over time.

All the bits are available in Fedora at no cost and we do our best to
support Fedora community since we

Re: [Freeipa-users] 6.1 beta

2011-04-07 Thread Kevin Unthank

snip

Just to elaborate on Dmitri's comments. In addition to the IPA client
and server packages that are included in the RHEL6.1 beta channel, there
will be a separate RHEL add-on channel, Enterprise Identity Replication.
That add-on channel will contain ds-replication and the Windows sync
packages.

If you wish to use IPA during the beta or when it is a tech preview
feature of RHEL 6.1 you should request an eval entitlement to the
Enterprise Identity Replication channel from your Red Hat account
rep.

Cheers,
Kev

Hi Kevin,

I have requested the replication channel as you recommended from our account 
manager.

I am curious as to why such an important feature as replication is put in
its own channel. I see IPA is trying to compete with Active Directory
to service Unix/Linux machines, however with Active Directory all
features are included in the base package of the operating system.

Why does Red Hat put the replication feature of IPA into a separate
channel from the operating system?


Rgds,
Siggi


Hi Siggi,

With RHEL6 we are striving to have more flexibility with packaging and
features. From the website: http://www.redhat.com/rhel/add-ons/

Add-Ons to Red Hat Enterprise Linux allow you to tailor your application
environment with workload extensions to suit your particular computing
requirements.

For RHEL6.2 we are planning to have an Enterprise Identity Replication
add-on. Until then, free evaluations will be available for customers who
wish to play with IPA while it is a technology preview.

Cheers,
Kev



Re: [Freeipa-users] 6.1 beta

2011-04-05 Thread Stephen Gallagher

On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
 The first dig is taken on the ipa server, using its own IPA configured
 test DNS. However I have a F14 client successfully connected using my
 prod DNS (my DHCP default). Prod DNS is serving the same _ldap._tcp
 records for the same IPA server. My prod dns is serving TTL 1 second for
 the same records.
 
 I presume what happened was that I started the SSSD on the IPA server
 while it was still being served by the PROD dns. Then I changed the
 nameserver entries after.
 
 What gets to me is that I've used the prod DNS setup for testing with
 F14 for months now, without any issue. This first became an issue when I
 reinstalled the IPA server with RHEL 6.1 beta.
 
 Was that really it? Too low TTL on the DNS entries?
 


If I remember correctly, the change that added _srv_ by default to
sssd.conf went in during one of the later release candidates for
FreeIPA. So it's likely that for most of your time testing it, you only
had the explicit server address in the config file.

I do encourage you to keep the _srv_ entry, as it really does make life
a lot easier later on (if you want to add a replica or move the FreeIPA
server) since you only have to update DNS instead of every client.




- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/


Re: [Freeipa-users] 6.1 beta

2011-04-05 Thread Stephen Gallagher

On 04/05/2011 09:54 AM, Sigbjorn Lie wrote:

 On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:


 On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:


 The first dig is taken on the ipa server, using its own IPA configured
 test DNS. However I have a F14 client successfully connected using my 
 prod DNS (my DHCP
 default). Prod DNS is serving the same _ldap._tcp
 records for the same IPA server. My prod dns is serving TTL 1 second for 
 the same records.

 I presume what happened was that I started the SSSD on the IPA server
 while it was still being served by the PROD dns. Then I changed the 
 nameserver entries
 after.

 What gets to me is that I've used the prod DNS setup for testing with
 F14 for months now, without any issue. This first became an issue when I
 reinstalled the IPA server with RHEL 6.1 beta.

 Was that really it? Too low TTL on the DNS entries?





 If I remember correctly, the change that added _srv_ by default to
 sssd.conf went in during one of the later release candidates for FreeIPA. 
 So it's likely that
 for most of your time testing it, you only had the explicit server address 
 in the config file.


 I do encourage you to keep the _srv_ entry, as it really does make life
 a lot easier later on (if you want to add a replica or move the FreeIPA 
 server) since you only
 have to update DNS instead of every client.


 I see your point. I'll increase the TTL of my production zone and see what 
 happens then. What
 do you think of having only the _srv_ entry, no named hosts at all in 
 sssd.conf ?


 The reason the install script sets one named host is just to be extra
 cautious. If DNS is not resolving for some reason (BIND crashed, or someone 
 accidentally blocked
 port 53, etc.) then SSSD will still attempt to reach the named host before 
 giving up and going
 offline.

 It's not strictly necessary, but neither should it ever be harmful.
 Obviously if DNS is resolving correctly at all times the named host will
 never be used.

 
 
 Ok. I see.
 
 Why is the _srv_ records not used in the domain/default as well? And what 
 exactly is the
 difference between domain/ix.nixtra.com and domain/default?

[domain/default] is not in use. It's put there by authconfig (which we
use to bootstrap the SSSD setup process) but we disable that domain.
Only domains listed in the
domains = domain1, domain2, ...
line of the [sssd] section are active.

We leave it in there to be a good citizen (in case it actually was
configured previously). That way we don't wipe out any settings that the
user may have had in it.


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/


Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Dmitri Pal
On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:
 According to Red Hat Network it does:

 ipa-server-2.0.0-16.el6.x86_64
 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857
 Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
 ipa-server-2.0.0-16.el6.i686
 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431
 Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


 Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)


It is not the final bits though. There have been several bug fixes since
then that will show up in the final 6.1 release.




 Rgds,
 Siggi



 On 04/03/2011 11:29 PM, Steven Jones wrote:
 Hi,

 This has IPA 2.0 rcX server and client  in it?

 regards

 Steven



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 
Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)



Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.

Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 
Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)



Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.



Unless FQDN of the host is returned when running `hostname`, the IPA 
services will fail to start as they return No such object when 
querying the IPA LDAP for services. Shouldn't this be changed to use 
`hostname -f` ?



ipa-replica-prepare fails with the error message below. I cannot find 
the plugin mentioned as a separate RPM.

# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


Rgds,
Siggi


Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Rob Crittenden

Sigbjorn Lie wrote:

  On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431
Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another 
part of init does. We have a ticket open on this, #1035.





ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this 
more explicit.


thanks

rob



Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/04/2011 08:32 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

  On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 


Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 


Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another 
part of init does. We have a ticket open on this, #1035.





ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this 
more explicit.


thanks

rob


I could not find any ds-replication package in RHN.

I also noticed that in /etc/sssd/sssd.conf the ipa server is specified with:
ipa_server = _srv_, ipa01.ix.test.com

sssd doesn't resolve anything from IPA until I remove _srv_,


Rgds
Siggi





Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Dmitri Pal
On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:
 On 04/04/2011 08:32 PM, Rob Crittenden wrote:
 Sigbjorn Lie wrote:
   On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:
 On 04/04/2011 03:43 PM, Dmitri Pal wrote:
 On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:
 According to Red Hat Network it does:

 ipa-server-2.0.0-16.el6.x86_64
 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857

 Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
 ipa-server-2.0.0-16.el6.i686
 https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431

 Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


 Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)


 It is not the final bits though. There have been several bug fixes
 since then that will show up in the final 6.1 release.

 Ok, thanks. I'll keep that in mind.


 I think I might have found a few bugs in the RHEL 6.1 beta release.
 Please correct me if you're already aware of these.


 Unless FQDN of the host is returned when running `hostname`, the IPA
 services will fail to start as they return No such object when
 querying the IPA LDAP for services. Shouldn't this be changed to use
 `hostname -f` ?

 AFAIK we don't call `hostname` in our script, it may be that another
 part of init does. We have a ticket open on this, #1035.



 ipa-replica-prepare fails with the error message below. I cannot find
 the plugin mentioned as a separate RPM.
 # ipa-replica-prepare
 The 389-ds replication plug-in was not found on this system

 The package is named ds-replication. I'll open a ticket to make this
 more explicit.

 thanks

 rob

 I could not find any ds-replication package in RHN.

We are working on making it available.


 I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
 with:
 ipa_server = _srv_, ipa01.ix.test.com

 sssd doesn't resolve anything from IPA until I remove _srv_,


Stephen, was there a recent bug on this matter in SSSD?


 Rgds
 Siggi







-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Stephen Gallagher

On 04/04/2011 03:06 PM, Dmitri Pal wrote:
 On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

 I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
 with:
 ipa_server = _srv_, ipa01.ix.test.com

 sssd doesn't resolve anything from IPA until I remove _srv_,

 
 Stephen, was there a recent bug on this matter in SSSD?
 

The purpose of _srv_ is to check DNS for IPA server addresses first. The
idea is that if you have more than one IPA server in service, then you
can use DNS to list all of them. Otherwise, the ipa-client-install can
only specify a static list of servers at the time of install. This would
mean that if the IPA servers changed IP addresses or new ones entered
production, it would be necessary to change all of the client
configuration files.

I'm puzzled why you would need to remove this, unless your DNS server is
returning something other than FreeIPA servers for a SRV request
directed at _ldap.tcp

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/


Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/04/2011 09:36 PM, Stephen Gallagher wrote:


On 04/04/2011 03:06 PM, Dmitri Pal wrote:

On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
with:
ipa_server = _srv_, ipa01.ix.test.com

sssd doesn't resolve anything from IPA until I remove _srv_,


Stephen, was there a recent bug on this matter in SSSD?


The purpose of _srv_ is to check DNS for IPA server addresses first. The
idea is that if you have more than one IPA server in service, then you
can use DNS to list all of them. Otherwise, the ipa-client-install can
only specify a static list of servers at the time of install. This would
mean that if the IPA servers changed IP addresses or new ones entered
production, it would be necessary to change all of the client
configuration files.

I'm puzzled why you would need to remove this, unless your DNS server is
returning something other than FreeIPA servers for a SRV request
directed at _ldap.tcp

I have verified that the _ldap._tcp is resolving correctly. DNS was set
up using ipa-server-install --setup-dns. I discovered this at the IPA 
server. This is a newly installed IPA server at RH 6.1 beta installed a 
few hours ago. No IP addresses changed.



#  host -t srv _ldap._tcp
_ldap._tcp.ix.test.com has SRV record 0 100 389 ipa01.ix.test.com.


Rgds,
Siggi



Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Stephen Gallagher

On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:
 On 04/04/2011 09:36 PM, Stephen Gallagher wrote:

 On 04/04/2011 03:06 PM, Dmitri Pal wrote:
 On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:
 I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
 with:
 ipa_server = _srv_, ipa01.ix.test.com

 sssd doesn't resolve anything from IPA until I remove _srv_,

 Stephen, was there a recent bug on this matter in SSSD?

 The purpose of _srv_ is to check DNS for IPA server addresses first. The
 idea is that if you have more than one IPA server in service, then you
 can use DNS to list all of them. Otherwise, the ipa-client-install can
 only specify a static list of servers at the time of install. This would
 mean that if the IPA servers changed IP addresses or new ones entered
 production, it would be necessary to change all of the client
 configuration files.

 I'm puzzled why you would need to remove this, unless your DNS server is
 returning something other than FreeIPA servers for a SRV request
 directed at _ldap.tcp

 I have verified that the _ldap._tcp is resolving correctly. DNS was set
 up using ipa-server-install --setup-dns. I discovered this at the IPA
 server. This is a newly installed IPA server at RH 6.1 beta installed a
 few hours ago. No IP addresses changed.
 
 
 #  host -t srv _ldap._tcp
 _ldap._tcp.ix.test.com has SRV record 0 100 389 ipa01.ix.test.com.


Is the domain part of the client machine also ix.test.com?

The way we determine which SRV record to use is as follows:
1) If dns_discovery_domain exists in the config file, it is always used.
2) If not, first try the domain part of the machine's hostname (aka
hostname -d)
3) If that fails, try the name of the SSSD domain (in sssd.conf
[domain/domainname]

IIRC ipa-client-install should set [domain/IPA domain name] so if
that's not the same as your DNS domain, we could be having problems.

Can we see your sssd.conf please? (feel free to sanitize as needed)

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
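
The SRV lookup order described in the message above, together with the point made elsewhere in this thread that only sections named in `domains =` are active, as an added Python sketch (not SSSD's or FreeIPA's own code). The sample configuration is constructed from the sssd.conf posted in the thread; the function names, the `client7.lab.example` style hostnames used when calling it, and the assumption that `ipa_server` entries are tried in the order written are this example's own.

```python
import configparser

# Constructed sample: modelled on the sssd.conf posted in the thread, with the
# installer's default "_srv_, <named host>" line restored.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ix.test.com

[nss]

[pam]

[domain/ix.test.com]
cache_credentials = True
ipa_domain = ix.test.com
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa01.ix.test.com

[domain/default]
cache_credentials = True
krb5_realm = IX.TEST.COM
auth_provider = krb5
"""

SRV_SERVICE = "_ldap._tcp"  # the record queried with `host -t srv` in the thread


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def active_domains(parser):
    """Only domains named in [sssd] domains= are active."""
    return split_list(parser.get("sssd", "domains", fallback=""))


def inactive_domain_sections(parser):
    """[domain/...] sections that exist in the file but are not enabled."""
    active = set(active_domains(parser))
    names = [s[len("domain/"):] for s in parser.sections() if s.startswith("domain/")]
    return [n for n in names if n not in active]


def srv_queries(parser, domain, host_fqdn):
    """SRV names for one domain, in the order described in the thread."""
    override = parser["domain/" + domain].get("dns_discovery_domain")
    if override:
        candidates = [override.strip()]        # 1) always used when set
    else:
        candidates = []
        host_domain = host_fqdn.partition(".")[2]   # what `hostname -d` reports
        for cand in (host_domain, domain):     # 2) host's domain, 3) SSSD domain
            if cand and cand not in candidates:
                candidates.append(cand)
    return ["%s.%s" % (SRV_SERVICE, c) for c in candidates]


def resolution_plan(parser, domain, host_fqdn):
    """Expand ipa_server into ordered ('srv', name) / ('host', name) steps."""
    plan = []
    for entry in split_list(parser["domain/" + domain].get("ipa_server", "")):
        if entry == "_srv_":
            plan.extend(("srv", q) for q in srv_queries(parser, domain, host_fqdn))
        else:
            plan.append(("host", entry))
    return plan


def findings(parser, domain):
    """Review notes based on the trade-offs discussed in the thread."""
    servers = split_list(parser["domain/" + domain].get("ipa_server", ""))
    notes = []
    if servers and "_srv_" not in servers:
        notes.append("static server list: every client must be edited when servers change")
    if servers and all(s == "_srv_" for s in servers):
        notes.append("no named fallback host: nothing left to try if DNS is unavailable")
    for name in inactive_domain_sections(parser):
        notes.append("[domain/%s] is not listed in domains=, so it is inactive" % name)
    return notes


if __name__ == "__main__":
    conf = load(SAMPLE_SSSD_CONF)
    for dom in active_domains(conf):
        # A short (non-FQDN) hostname has no domain part, so step 2 is skipped.
        for fqdn in ("ipa01.ix.test.com", "ipa01"):
            print(dom, fqdn, resolution_plan(conf, dom, fqdn))
        for note in findings(conf, dom):
            print("note:", note)
```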


Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/04/2011 10:12 PM, Stephen Gallagher wrote:


On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:

On 04/04/2011 09:36 PM, Stephen Gallagher wrote:


On 04/04/2011 03:06 PM, Dmitri Pal wrote:

On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
with:
ipa_server = _srv_, ipa01.ix.test.com

sssd doesn't resolve anything from IPA until I remove _srv_,


Stephen, was there a recent bug on this matter in SSSD?


The purpose of _srv_ is to check DNS for IPA server addresses first. The
idea is that if you have more than one IPA server in service, then you
can use DNS to list all of them. Otherwise, the ipa-client-install can
only specify a static list of servers at the time of install. This would
mean that if the IPA servers changed IP addresses or new ones entered
production, it would be necessary to change all of the client
configuration files.

I'm puzzled why you would need to remove this, unless your DNS server is
returning something other than FreeIPA servers for a SRV request
directed at _ldap.tcp


I have verified that the _ldap._tcp is resolving correctly. DNS was set
up using ipa-server-install --setup-dns. I discovered this at the IPA
server. This is a newly installed IPA server at RH 6.1 beta installed a
few hours ago. No IP addresses changed.


#  host -t srv _ldap._tcp
_ldap._tcp.ix.test.com has SRV record 0 100 389 ipa01.ix.test.com.


Is the domain part of the client machine also ix.test.com?

The way we determine which SRV record to use is as follows:
1) If dns_discovery_domain exists in the config file, it is always used.
2) If not, first try the domain part of the machine's hostname (aka
hostname -d)
3) If that fails, try the name of the SSSD domain (in sssd.conf
[domain/domainname]

IIRC ipa-client-install should set [domain/IPA domain name] so if
that's not the same as your DNS domain, we could be having problems.

Can we see your sssd.conf please? (feel free to sanitize as needed)

Please see the requested output below. This is taken from the IPA 
server, which had the issue. DNS servers in resolv.conf set to the IP of 
the IPA server.



# hostname -d
ix.test.com

# more sssd.conf
[sssd]
services = nss, pam
config_file_version = 2

domains = ix.test.com
[nss]

[pam]

[domain/ix.test.com]
cache_credentials = True
ipa_domain = ix.test.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
#ipa_server = _srv_, ipa01.ix.test.com
ipa_server = ipa01.ix.test.com

[domain/default]
cache_credentials = True
krb5_realm = IX.TEST.COM
krb5_kdcip = ipa01.ix.test.com:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = ipa01.ix.test.com:749



Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Stephen Gallagher

On 04/04/2011 04:20 PM, Sigbjorn Lie wrote:
 On 04/04/2011 10:12 PM, Stephen Gallagher wrote:

 On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:
 On 04/04/2011 09:36 PM, Stephen Gallagher wrote:

 On 04/04/2011 03:06 PM, Dmitri Pal wrote:
 On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:
 I also noticed that in /etc/sssd/sssd.conf the ipa server is
 specified
 with:
 ipa_server = _srv_, ipa01.ix.test.com

 sssd doesn't resolve anything from IPA until I remove _srv_,

 Stephen, was there a recent bug on this matter in SSSD?

 The purpose of _srv_ is to check DNS for IPA server addresses first.
 The
 idea is that if you have more than one IPA server in service, then you
 can use DNS to list all of them. Otherwise, the ipa-client-install can
 only specify a static list of servers at the time of install. This
 would
 mean that if the IPA servers changed IP addresses or new ones entered
 production, it would be necessary to change all of the client
 configuration files.

 I'm puzzled why you would need to remove this, unless your DNS
 server is
 returning something other than FreeIPA servers for a SRV request
 directed at _ldap.tcp

 I have verified that the _ldap._tcp is resolving correctly. DNS was set
 up using ipa-server-install --setup-dns. I discovered this at the IPA
 server. This is a newly installed IPA server at RH 6.1 beta installed a
 few hours ago. No IP addresses changed.


 #  host -t srv _ldap._tcp
 _ldap._tcp.ix.test.com has SRV record 0 100 389 ipa01.ix.test.com.

 Is the domain part of the client machine also ix.test.com?

 The way we determine which SRV record to use is as follows:
 1) If dns_discovery_domain exists in the config file, it is always used.
 2) If not, first try the domain part of the machine's hostname (aka
 hostname -d)
 3) If that fails, try the name of the SSSD domain (in sssd.conf
 [domain/domainname]

 IIRC ipa-client-install should set [domain/IPA domain name] so if
 that's not the same as your DNS domain, we could be having problems.

 Can we see your sssd.conf please? (feel free to sanitize as needed)

 Please see the requested output below. This is taken from the IPA
 server, which had the issue. DNS servers in resolv.conf set to the IP of
 the IPA server.
 
 
 # hostname -d
 ix.test.com
 
 # more sssd.conf
 [sssd]
 services = nss, pam
 config_file_version = 2
 
 domains = ix.test.com
 [nss]
 
 [pam]
 
 [domain/ix.test.com]
 cache_credentials = True
 ipa_domain = ix.test.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 chpass_provider = ipa
 #ipa_server = _srv_, ipa01.ix.test.com
 ipa_server = ipa01.ix.test.com
 
 [domain/default]
 cache_credentials = True
 krb5_realm = IX.TEST.COM
 krb5_kdcip = ipa01.ix.test.com:88
 auth_provider = krb5
 chpass_provider = krb5
 krb5_kpasswd = ipa01.ix.test.com:749
 

That's very strange. There should be no issue with using _srv_ in this
configuration. Would you mind setting 'debug_level = 9' in
[domain/ix.test.com], turning _srv_ back on, restarting SSSD, trying a
request and then send me /var/log/sssd/sssd_ix.test.com.log to look at?
I'd like to know why we're failing to resolve it.


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/


Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Kevin Unthank



On 04/04/2011 12:06 PM, Dmitri Pal wrote:

On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

On 04/04/2011 08:32 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

   On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857

Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431

Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another
part of init does. We have a ticket open on this, #1035.




ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this
more explicit.

thanks

rob


I could not find any ds-replication package in RHN.


We are working on making it available.


Just to elaborate on Dmitri's comments. In addition to the IPA client
and server packages that are included in the RHEL6.1 beta channel, there
will be a separate RHEL add-on channel, Enterprise Identity Replication.
That add-on channel will contain ds-replication and the Windows sync
packages.

If you wish to use IPA during the beta or when it is a tech preview
feature of RHEL 6.1 you should request an eval entitlement to the
Enterprise Identity Replication channel from your Red Hat account
rep.

Cheers,
Kev

snip



Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread David O'Brien

Rob Crittenden wrote:

Sigbjorn Lie wrote:

  On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 


Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 


Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another 
part of init does. We have a ticket open on this, #1035.





ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this 
more explicit.


This requirement is mentioned in the revised doc, due to be published 
very soon (next few days). Under Software Requirements, it states that 
If you are going to use replication, install the ds-replication 
package, available from the Enterprise Identity Replication channel


Apologies that it missed the initial cut.

See also Kevin Unthank's reply about requesting an eval entitlement.

David


thanks

rob




--

David O'Brien
Senior Content Author
Engineering Content Services (ECS)
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


We couldn't care less about comfort. We make you feel good.
 ~ Federico Minoli CEO Ducati Motor S.p.A.



Re: [Freeipa-users] 6.1 beta

2011-04-04 Thread Sigbjorn Lie

On 04/05/2011 01:25 AM, Kevin Unthank wrote:



On 04/04/2011 12:06 PM, Dmitri Pal wrote:

On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:

On 04/04/2011 08:32 PM, Rob Crittenden wrote:

Sigbjorn Lie wrote:

   On 04/04/2011 06:22 PM, Sigbjorn Lie wrote:

On 04/04/2011 03:43 PM, Dmitri Pal wrote:

On 04/03/2011 05:41 PM, Sigbjorn Lie wrote:

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 



Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 



Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)


Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



It is not the final bits though. There have been several bug fixes
since then that will show up in the final 6.1 release.


Ok, thanks. I'll keep that in mind.



I think I might have found a few bugs in the RHEL 6.1 beta release.
Please correct me if you're already aware of these.


Unless FQDN of the host is returned when running `hostname`, the IPA
services will fail to start as they return No such object when
querying the IPA LDAP for services. Shouldn't this be changed to use
`hostname -f` ?


AFAIK we don't call `hostname` in our script, it may be that another
part of init does. We have a ticket open on this, #1035.




ipa-replica-prepare fails with the error message below. I cannot find
the plugin mentioned as a separate RPM.
# ipa-replica-prepare
The 389-ds replication plug-in was not found on this system


The package is named ds-replication. I'll open a ticket to make this
more explicit.

thanks

rob


I could not find any ds-replication package in RHN.


We are working on making it available.


Just to elaborate on Dmitri's comments. In addition to the IPA client
and server packages that are included in the RHEL6.1 beta channel, there
will be a separate RHEL add-on channel, Enterprise Identity Replication.
That add-on channel will contain ds-replication and the Windows sync
packages.

If you wish to use IPA during the beta or when it is a tech preview
feature of RHEL 6.1 you should request an eval entitlement to the
Enterprise Identity Replication channel from your Red Hat account
rep.

Cheers,
Kev

I will request the channel to be added to our account.

Thanks.

Rgds,
Siggi



Re: [Freeipa-users] 6.1 beta

2011-04-03 Thread Steven Jones

ooohhh

Think I can answer that myself!

ipa-server-2.0.0-16.el6.x86_64 

:D

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 4 April 2011 9:29 a.m.
To: d...@redhat.com; freeipa-users@redhat.com
Subject: [Freeipa-users] 6.1 beta

Hi,

This has IPA 2.0 rcX server and client  in it?

regards

Steven



Re: [Freeipa-users] 6.1 beta

2011-04-03 Thread Sigbjorn Lie

According to Red Hat Network it does:

ipa-server-2.0.0-16.el6.x86_64 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857 
	Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686 
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431 
	Red Hat Enterprise Linux Server Beta (v. 6 for 32-bit x86)



Thanks for pointing this out, I'm installing RHEL 6.1 beta now. :)



Rgds,
Siggi



On 04/03/2011 11:29 PM, Steven Jones wrote:

Hi,

This has IPA 2.0 rcX server and client  in it?

regards

Steven
