Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-18 Thread Petr Vobornik
On 07/18/2016 03:57 PM, Rob Crittenden wrote:
> Grant Wu wrote:
>> Thanks for the information.  Do you know if there are any plans to
>> support cross-realm trust with general KDCs?
> 
> https://fedorahosted.org/freeipa/ticket/4867
> 
> rob

In general, IPA contains a krb5 component which can in theory be
configured to trust another krb5 KDC. But this procedure is manual. IPA
doesn't provide any tooling to ease it and it is not tested, therefore
not supported. The general Kerberos realm trust is not planned for any
upcoming release, mostly because we don't see a big demand for it. Feel
free to cc yourself or add a comment to
https://fedorahosted.org/freeipa/ticket/4917 It will raise the visible
demand.

Ticket 4867 is different, it is about IPA-IPA trusts where the scope is
more confined. It may or may not (more probably not) allow the trust with
a general KDC as a side effect. Demand for IPA-IPA trust is rising, so it
is definitely on our radar and has a chance to be implemented in one
of the upcoming releases.

For completeness, there is also a RFE to support IPA-SAMBA 4 DC trusts:
https://fedorahosted.org/freeipa/ticket/4866
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-18 Thread Rob Crittenden

Grant Wu wrote:
> Thanks for the information.  Do you know if there are any plans to
> support cross-realm trust with general KDCs?


https://fedorahosted.org/freeipa/ticket/4867

rob


Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-18 Thread Grant Wu
Thanks for the information.  Do you know if there are any plans to support
cross-realm trust with general KDCs?

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-15 Thread Andreas Ladanyi
Hi,
> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has
> been a pain point for quite some time.  I've heard that FreeIPA might
> be a solution worth exploring.
>
> I would like to try to avoid user visible disruption if possible,
> however.  This means that we would like to keep our Kerberos realm
> name, keep AFS cross-realm authentication working, etc.  UIDs
> remaining the same would be good; I'd have to think about
We don't use cross realm. We created a new realm with a new name. We used
ipa migrate-ds to migrate users/groups with UIDs.

Because we couldn't migrate the user passwords from the old to the new realm, we
reset the users' passwords in the new IPA realm and let the users enter a
new password once.
>
> Essentially all of our clients are various flavors of Debian; mostly
> Jessie (we have an unfortunate number of older machines that I hope to
> upgrade soon).
>
> Has anyone done something like this before?  Anyone have any ideas
> what the migration path would look like or whether this is even
> possible? 
I have the same situation. We have an old MIT Kerberos / OpenLDAP system
which we have to migrate. We use FreeIPA 4.2 on Fedora 23 and the
current OpenAFS release and, simply said: it works. Our first milestone
was to migrate web platforms and everything behind them (Apache with Kerberos
auth and data in AFS) first, and after that, with more experience with the
AFS / FreeIPA combination, we want to migrate the user homes and client
desktops.

>
> Thanks,
>
> Grant Wu
> gran...@andrew.cmu.edu 
regards,
Andreas


Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Petr Vobornik
On 07/14/2016 07:13 AM, Grant Wu wrote:
> Hi all,
> 
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a
> pain point for quite some time.  I've heard that FreeIPA might be a solution
> worth exploring.
> 
> I would like to try to avoid user visible disruption if possible, however.
> This means that we would like to keep our Kerberos realm name, keep AFS
> cross-realm authentication working, etc.  UIDs remaining the same would be
> good; I'd have to think about

Users and groups can be migrated by the `ipa migrate-ds` command.
It allows you to keep UIDs and GIDs, but one must make sure that the IPA
servers are configured to issue new UIDs and GIDs that don't overlap
with the migrated ones. There are options in the ipa-server-install and
ipa-replica-manage tools for that.

This can be evaluated in an isolated network against a clone of your
LDAP server.

Cross realm trust with AFS is a challenge though. IPA now supports only
cross realm trust with Active Directory. Trusts with other general KDCs
are not yet supported.

Another migration challenge might be the migration of services. It is not done
by the above mentioned `ipa migrate-ds`. When the service accounts are
added to IPA, you would have to obtain new keytabs for the services.

> 
> Essentially all of our clients are various flavors of Debian; mostly Jessie 
> (we 
> have an unfortunate number of older machines that I hope to upgrade soon).

A possibility is to use SSSD as the client on Debian.

> 
> Has anyone done something like this before?  Anyone have any ideas what the 
> migration path would look like or whether this is even possible?
> 
> Thanks,
> 
> Grant Wu
> gran...@andrew.cmu.edu 
> 
-- 
Petr Vobornik
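The UID/GID overlap check Petr describes, as an added pre-migration example (not code from this thread or from FreeIPA): it scans an LDIF export for uidNumber/gidNumber values, reports any that fall inside the range IPA will hand out to new entries (the `--idstart`/`--idmax` options of ipa-server-install), and suggests a non-overlapping range. The LDIF excerpt is constructed sample data.

```python
# Constructed LDIF excerpt standing in for an export of the legacy directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=edu
uid: bob
uidNumber: 1002
gidNumber: 1001

dn: cn=staff,ou=groups,dc=example,dc=edu
cn: staff
gidNumber: 1500
"""


def parse_ldif_ids(ldif_text):
    """Return (dn, attribute, id) for every uidNumber/gidNumber in the LDIF."""
    ids, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif dn and line.startswith(("uidNumber: ", "gidNumber: ")):
            attr, value = line.split(": ", 1)
            ids.append((dn, attr, int(value)))
    return ids


def find_overlaps(ids, idstart, idmax):
    """Migrated ids that collide with the range IPA's DNA plugin will allocate from."""
    return [(dn, attr, n) for dn, attr, n in ids if idstart <= n <= idmax]


def suggest_range(ids, size):
    """Smallest (idstart, idmax) of the requested size that sits above every migrated id."""
    idstart = max(n for _, _, n in ids) + 1
    return idstart, idstart + size - 1


if __name__ == "__main__":
    migrated = parse_ldif_ids(SAMPLE_LDIF)
    # A default-style range of 1000-2000 would collide with the legacy ids.
    for dn, attr, n in find_overlaps(migrated, 1000, 2000):
        print(f"CONFLICT {attr}={n} in {dn}")
    print("safe --idstart/--idmax:", suggest_range(migrated, 200000))
```

Run it against a real `ldapsearch -LLL` dump of the old tree before `ipa migrate-ds`, then pass the suggested range to ipa-server-install (or adjust an existing install with ipa-replica-manage) before adding any new users.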
