Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-09 Thread Matt .
Hi Rob,

As you say I figured out the same indeed and tested to see what
happens, no way around it (also cert stuff and so on). It would have
been a workaround for... I'm looking forward to some intra-IPA trust
in the future, would be awesome!

Thanks!



2017-04-09 4:09 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> The issue you get here is that the IPA client is not enrolled anymore
>> when you did an uninstall of the client before the IPA install on that
>> "previous" client which needs to be a client again after the IPA install
>> on it.
>>
>> This sounds messy but could be ideal for some situations of user access
>> on systems.
>
> Installing an IPA master configures it as a client for that master,
> there is no way around it.
>
> You can't (or shouldn't) mix and match discrete IPA installations.
> Eventually there will be intra-IPA trust which will do what I think
> you are looking for.
>
> rob
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-08 Thread Rob Crittenden
Matt . wrote:
> The issue you get here is that the IPA client is not enrolled anymore
> when you did an uninstall of the client before the IPA install on that
> "previous" client which needs to be a client again after the IPA install
> on it.
> 
> This sounds messy but could be ideal for some situations of user access
> on systems.

Installing an IPA master configures it as a client for that master,
there is no way around it.

You can't (or shouldn't) mix and match discrete IPA installations.
Eventually there will be intra-IPA trust which will do what I think
you are looking for.

rob



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-08 Thread Matt .
The issue you get here is that the IPA client is not enrolled anymore
when you did an uninstall of the client before the IPA install on that
"previous" client which needs to be a client again after the IPA install
on it.

This sounds messy but could be ideal for some situations of user access
on systems.

2017-04-07 23:24 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> Nope, I provision my servers and they are added to my FreeIPA
>> environment which auths my sysadmins. But on a server I provisioned
>> I need to install FreeIPA as well, but without dns and ca, so it's
>> doing ldap only actually.
>>
>> When I want to install FreeIPA server on this IPA client it tells me
>> (which is logical):
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERRORIPA client is
>> already configured on this system.
>> Please uninstall it before configuring the IPA server, using
>> 'ipa-client-install --uninstall'
>>
>> So what I want to do is install FreeIPA server on it but using local
>> system accounts to be auth against the former IPA server the client
>> was assigned to.
>>
>> So:
>>
>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>> with FreeIPA (no dns and CA) as well but I want to have local
>> sysaccounts that login to cli and such auth against IPA01 after it's
>> installed with FreeIPA and the clientconfig for sssd is not there
>> anymore because of the 'ipa-client-install --uninstall'
>
> Still very confusing. LDAP has nothing to do with this. IPA is always at
> least LDAP + Kerberos + Apache + a few other minor services. So it's
> better to just say no DNS and no CA, though that isn't really relevant
> since those are always optional.
>
> It sounds like what you want to do is, on the same box, install IPA
> server and configure the local machine to point to a DIFFERENT IPA
> server for user/group lookups?
>
> You might be able to do it via sssd but it would be an unsupportable
> nightmare.
>
> rob
>


Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
You are almost right, the box only needs to look up users/groups from
another IPA server for environment admins. The "LDAP Only" on this IPA
server (and client) won't do anything on the whole network layer, only
some webapp is talking to it and the users don't have anything to do
with the network at all, but I think it's nice when I don't have to
maintain my local users there to log in to the box for maintenance, so I
thought it would be nice when SSSD checked my default IPA-environment
server for that.

2017-04-07 23:24 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> Nope, I provision my servers and they are added to my FreeIPA
>> environment which auths my sysadmins. But on a server I provisioned
>> I need to install FreeIPA as well, but without dns and ca, so it's
>> doing ldap only actually.
>>
>> When I want to install FreeIPA server on this IPA client it tells me
>> (which is logical):
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERRORIPA client is
>> already configured on this system.
>> Please uninstall it before configuring the IPA server, using
>> 'ipa-client-install --uninstall'
>>
>> So what I want to do is install FreeIPA server on it but using local
>> system accounts to be auth against the former IPA server the client
>> was assigned to.
>>
>> So:
>>
>> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
>> with FreeIPA (no dns and CA) as well but I want to have local
>> sysaccounts that login to cli and such auth against IPA01 after it's
>> installed with FreeIPA and the clientconfig for sssd is not there
>> anymore because of the 'ipa-client-install --uninstall'
>
> Still very confusing. LDAP has nothing to do with this. IPA is always at
> least LDAP + Kerberos + Apache + a few other minor services. So it's
> better to just say no DNS and no CA, though that isn't really relevant
> since those are always optional.
>
> It sounds like what you want to do is, on the same box, install IPA
> server and configure the local machine to point to a DIFFERENT IPA
> server for user/group lookups?
>
> You might be able to do it via sssd but it would be an unsupportable
> nightmare.
>
> rob
>


Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Rob Crittenden
Matt . wrote:
> Nope, I provision my servers and they are added to my FreeIPA
> environment which auths my sysadmins. But on a server I provisioned
> I need to install FreeIPA as well, but without dns and ca, so it's
> doing ldap only actually.
> 
> When I want to install FreeIPA server on this IPA client it tells me
> (which is logical):
> 
> ipa.ipapython.install.cli.install_tool(Server): ERRORIPA client is
> already configured on this system.
> Please uninstall it before configuring the IPA server, using
> 'ipa-client-install --uninstall'
> 
> So what I want to do is install FreeIPA server on it but using local
> system accounts to be auth against the former IPA server the client
> was assigned to.
> 
> So:
> 
> IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
> with FreeIPA (no dns and CA) as well but I want to have local
> sysaccounts that login to cli and such auth against IPA01 after it's
> installed with FreeIPA and the clientconfig for sssd is not there
> anymore because of the 'ipa-client-install --uninstall'

Still very confusing. LDAP has nothing to do with this. IPA is always at
least LDAP + Kerberos + Apache + a few other minor services. So it's
better to just say no DNS and no CA, though that isn't really relevant
since those are always optional.

It sounds like what you want to do is, on the same box, install IPA
server and configure the local machine to point to a DIFFERENT IPA
server for user/group lookups?

You might be able to do it via sssd but it would be an unsupportable
nightmare.

rob



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Matt .
Nope, I provision my servers and they are added to my FreeIPA
environment which auths my sysadmins. But on a server I provisioned
I need to install FreeIPA as well, but without dns and ca, so it's
doing ldap only actually.

When I want to install FreeIPA server on this IPA client it tells me
(which is logical):

ipa.ipapython.install.cli.install_tool(Server): ERRORIPA client is
already configured on this system.
Please uninstall it before configuring the IPA server, using
'ipa-client-install --uninstall'

So what I want to do is install FreeIPA server on it but using local
system accounts to be auth against the former IPA server the client
was assigned to.

So:

IPA01 gets a host which is LDAP01 but LDAP01 needs to be installed
with FreeIPA (no dns and CA) as well but I want to have local
sysaccounts that login to cli and such auth against IPA01 after it's
installed with FreeIPA and the clientconfig for sssd is not there
anymore because of the 'ipa-client-install --uninstall'

2017-04-07 23:11 GMT+02:00 Rob Crittenden :
> Matt . wrote:
>> When I have a full ipa setup and I want to add a host to it that is
>> installed or needs to be installed as IPA LDAP server only, is that
>> possible ?
>
> If you're asking if only 389-ds can be configured on an IPA server, no,
> not using any IPA tools in any case.
>
>> Of course the ipa-server-install complains that the agent is already
>> configured on the host but there might be a way ? Or just copy the
>> config back faster the IPA LDAP only server is installed ?
>
> I don't understand. Seeing the error message and commands might help.
>
> rob
>



Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

2017-04-07 Thread Rob Crittenden
Matt . wrote:
> When I have a full ipa setup and I want to add a host to it that is
> installed or needs to be installed as IPA LDAP server only, is that
> possible ?

If you're asking if only 389-ds can be configured on an IPA server, no,
not using any IPA tools in any case.

> Of course the ipa-server-install complains that the agent is already
> configured on the host but there might be a way ? Or just copy the
> config back faster the IPA LDAP only server is installed ?

I don't understand. Seeing the error message and commands might help.

rob
