Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote:
> On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote:
>>> From: Dmitri Pal
>>>
>>>>> I want also my AD users (from IPA trust) to log in thru ssh but
>>>>> afaik this seems to have some older SSSD version and the same configuration
>>>>> options that go ok with the CentOS 6 ipa-client won't work with CentOS 5.
>>>>>
>>>>> So what should I modify so that I can log in to my CentOS 5 machine with
>>>>> AD trust users from IPA? Is there a newer SSSD daemon available for
>>>>> CentOS 5?
>>>>>
>>>> No, it is not and it would be quite hard to build it, I think. You'd
>>>> need a pretty recent version of Kerberos to support the PAC responder that
>>>> handles users coming via trusts for instance.
>>>
>>> Yes this is quite a problem with the current solution.
>>
>> Are there any guides for RHEL 5.x/CentOS 5.x when using IPA, and if that same
>> system also needs AD user logins enabled, should we just enable some PAM module
>> and all works if SSSD/IPA is also used?
>
> You would need to backport 1.9 to RHEL 5/CentOS 5.
> AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built
> on RHEL5) but you also need to build all the dependencies (samba,
> kerberos etc. and those would be quite a challenge).
>
> Ping jhrozek on #sssd on Freenode if you need more details, but it is a
> big endeavor so be prepared for a tough journey.

You can build the "core SSSD" with no problems and you'll get the fast
cache, AD provider and other improvements, but the PAC responder needed for
trusts needs the latest Kerberos (1.10+) and, unless I'm wrong, also samba4.
You'd have to compile these yourself.

>>> But we are looking for some ways to mitigate that.
>>>
>>> Question for you about the older systems:
>>>
>>> What would you prefer: those systems pointing to IPA and IPA having a
>>> way to serve account and authentication, or point them directly to AD?
>>> Do you require Kerberos authentication and SSO from those machines, or
>>> is simple LDAP authentication OK?
>>> Do you have a requirement for all the authentications to actually happen
>>> in AD for audit purposes, or can they happen in IPA when users come from
>>> the old clients and in AD with trusts when users access newer clients?
>>>
>>> Thanks for the input!
>>>
>>> Dmitri
>>
>> For me, it would be good if all comes from (thru) IPA, but that's not
>> a requirement for me.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
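Added example, not from the thread: a pre-flight check for the two prerequisites the replies above name, SSSD 1.9 for the core daemon/AD provider and Kerberos 1.10+ for the PAC responder that trust users depend on, so an EL5-era host is measured before anyone starts a backport. The `rpm` package names (`sssd`, `krb5-libs`) and every version string in the comments are assumptions; the numeric per-component compare is the point, since "1.10" sorts below "1.9" as a plain string.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether a host meets
# the thresholds named in the discussion before attempting an SSSD backport.
# All sample version strings below are constructed.

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Compares each component as a number so that 1.10 ranks above 1.9;
# a string comparison would get that backwards.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;   # missing components count as 0
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0;
    }'
}

# pac_prereqs_met SSSD_VERSION KRB5_VERSION: prints one verdict per component,
# exits 0 only when both thresholds from the thread are met.
pac_prereqs_met() {
    sssd_ver="$1"; krb5_ver="$2"; rc=0
    if version_ge "$sssd_ver" 1.9; then
        echo "sssd $sssd_ver: ok (>= 1.9: fast cache and AD provider available)"
    else
        echo "sssd $sssd_ver: too old, a 1.9+ backport is needed"; rc=1
    fi
    if version_ge "$krb5_ver" 1.10; then
        echo "krb5 $krb5_ver: ok (>= 1.10: PAC responder can be built)"
    else
        echo "krb5 $krb5_ver: too old for the PAC responder (needs 1.10+);" \
             "trust users will not resolve even with a newer sssd"; rc=1
    fi
    return $rc
}

# check_host: run the check against the installed packages of an RPM-based host.
# Package names are assumed; --qf '%{VERSION}' is standard rpm query syntax.
check_host() {
    pac_prereqs_met "$(rpm -q --qf '%{VERSION}' sssd 2>/dev/null)" \
                    "$(rpm -q --qf '%{VERSION}' krb5-libs 2>/dev/null)"
}
```

An empty version (package not installed, so `rpm -q` fails) is treated as 0 and reported as too old rather than passing silently.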
Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote:
>> From: Dmitri Pal
>>
>>>> I want also my AD users (from IPA trust) to log in thru ssh but
>>>> afaik this seems to have some older SSSD version and the same configuration
>>>> options that go ok with the CentOS 6 ipa-client won't work with CentOS 5.
>>>>
>>>> So what should I modify so that I can log in to my CentOS 5 machine with
>>>> AD trust users from IPA? Is there a newer SSSD daemon available for
>>>> CentOS 5?
>>>>
>>> No, it is not and it would be quite hard to build it, I think. You'd
>>> need a pretty recent version of Kerberos to support the PAC responder that
>>> handles users coming via trusts for instance.
>>
>> Yes this is quite a problem with the current solution.
>
> Are there any guides for RHEL 5.x/CentOS 5.x when using IPA, and if that same
> system also needs AD user logins enabled, should we just enable some PAM module
> and all works if SSSD/IPA is also used?

You would need to backport 1.9 to RHEL 5/CentOS 5.
AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built
on RHEL5) but you also need to build all the dependencies (samba,
kerberos etc. and those would be quite a challenge).

Ping jhrozek on #sssd on Freenode if you need more details, but it is a
big endeavor so be prepared for a tough journey.

>> But we are looking for some ways to mitigate that.
>>
>> Question for you about the older systems:
>>
>> What would you prefer: those systems pointing to IPA and IPA having a
>> way to serve account and authentication, or point them directly to AD?
>> Do you require Kerberos authentication and SSO from those machines, or
>> is simple LDAP authentication OK?
>> Do you have a requirement for all the authentications to actually happen
>> in AD for audit purposes, or can they happen in IPA when users come from
>> the old clients and in AD with trusts when users access newer clients?
>>
>> Thanks for the input!
>>
>> Dmitri
>
> For me, it would be good if all comes from (thru) IPA, but that's not
> a requirement for me.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
> From: Dmitri Pal
>
>>> I want also my AD users (from IPA trust) to log in thru ssh but
>>> afaik this seems to have some older SSSD version and the same configuration
>>> options that go ok with the CentOS 6 ipa-client won't work with CentOS 5.
>>>
>>> So what should I modify so that I can log in to my CentOS 5 machine with
>>> AD trust users from IPA? Is there a newer SSSD daemon available for
>>> CentOS 5?
>>>
>> No, it is not and it would be quite hard to build it, I think. You'd
>> need a pretty recent version of Kerberos to support the PAC responder that
>> handles users coming via trusts for instance.
>
> Yes this is quite a problem with the current solution.

Are there any guides for RHEL 5.x/CentOS 5.x when using IPA, and if that same
system also needs AD user logins enabled, should we just enable some PAM module
and all works if SSSD/IPA is also used?

> But we are looking for some ways to mitigate that.
>
> Question for you about the older systems:
>
> What would you prefer: those systems pointing to IPA and IPA having a
> way to serve account and authentication, or point them directly to AD?
> Do you require Kerberos authentication and SSO from those machines, or
> is simple LDAP authentication OK?
> Do you have a requirement for all the authentications to actually happen
> in AD for audit purposes, or can they happen in IPA when users come from
> the old clients and in AD with trusts when users access newer clients?
>
> Thanks for the input!
>
> Dmitri

For me, it would be good if all comes from (thru) IPA, but that's not
a requirement for me.
Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
On 03/28/2013 08:27 AM, Jakub Hrozek wrote:
> On Thu, Mar 28, 2013 at 01:14:34PM +0200, pekka.pan...@sofor.fi wrote:
>> Hi all again
>>
>> I have lots of CentOS 5.x servers and I tested one to install ipa-client
>> and managed to join it to my IPA domain.
>>
>> I want also my AD users (from IPA trust) to log in thru ssh but
>> afaik this seems to have some older SSSD version and the same configuration
>> options that go ok with the CentOS 6 ipa-client won't work with CentOS 5.
>>
>> So what should I modify so that I can log in to my CentOS 5 machine with
>> AD trust users from IPA? Is there a newer SSSD daemon available for
>> CentOS 5?
>>
> No, it is not and it would be quite hard to build it, I think. You'd
> need a pretty recent version of Kerberos to support the PAC responder that
> handles users coming via trusts for instance.

Yes this is quite a problem with the current solution.
But we are looking for some ways to mitigate that.

Question for you about the older systems:

What would you prefer: those systems pointing to IPA and IPA having a
way to serve account and authentication, or point them directly to AD?
Do you require Kerberos authentication and SSO from those machines, or
is simple LDAP authentication OK?
Do you have a requirement for all the authentications to actually happen
in AD for audit purposes, or can they happen in IPA when users come from
the old clients and in AD with trusts when users access newer clients?

Thanks for the input!

Dmitri
Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
On Thu, Mar 28, 2013 at 01:14:34PM +0200, pekka.pan...@sofor.fi wrote:
> Hi all again
>
> I have lots of CentOS 5.x servers and I tested one to install ipa-client
> and managed to join it to my IPA domain.
>
> I want also my AD users (from IPA trust) to log in thru ssh but
> afaik this seems to have some older SSSD version and the same configuration
> options that go ok with the CentOS 6 ipa-client won't work with CentOS 5.
>
> So what should I modify so that I can log in to my CentOS 5 machine with
> AD trust users from IPA? Is there a newer SSSD daemon available for
> CentOS 5?
>

No, it is not and it would be quite hard to build it, I think. You'd
need a pretty recent version of Kerberos to support the PAC responder that
handles users coming via trusts for instance.