Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread david t. klein

Thank you for clarifying. I had thought they said that was planned for 1.0
release, but it has been a while since I last looked at Samba4, other than
to skim the press releases a couple of weeks ago, when it actually released.



 -DTK

--
david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?




-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Thursday, January 24, 2013 7:53 AM
To: david t. klein
Cc: 'Bob Sauvage'; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the
freeipa deployment

On Thu, 24 Jan 2013, david t. klein wrote:
>
> While you can make it sort of work, it will be a lot more difficult,
> and will never work quite how you want. You would be better off using
> Active Directory or Samba4, and creating trusts between the two
> domains.
Samba 4 AD DC does not support cross-forest trusts yet.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread Steven Jones
Hi,

What's possible and what's practical could well be 2 different things. So yes 
you may get say XP to join; whether it's stable, reliable, gives you the 
functionality you need and won't take a huge effort to look after is something 
else.

I realise there is the nirvana ideal that says get one "AD" to rule them all, 
but simply that isn't simple.

Sure IPA acts like an AD for Linux but pretty much Red Hat Linux at that.  We 
will see other Linux distros become as effortless and more "real" Unix happen 
as the eco-system develops, but managing Windows and all its versions in a 
practical sense? Can't see it.

So if you want to manage Windows platforms at the lowest overall cost, lowest 
risk, minimal impact to your users and least effort, buy a Win2k8R2 server 
licence and run it in a virtual environment; this is what I do at home and it 
will work well for say 5~100 users.   (NB we do it at work as well, just there 
is a huge difference between 5 users and 2)

You then can sync the IPA and AD with winsync.  If that is too complex and you 
only want authentications then consider AD with something like Likewise Express 
which is free and connect your Linux kit to AD; it's limited but it's 
simple/trivial.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Bob Sauvage [bob.sauv...@gmx.fr]
Sent: Thursday, 24 January 2013 11:04 p.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the 
freeipa deployment

Hi Dimitri,

Thanks for your response but I'm a little bit confused. Indeed, some users tell 
me that it's possible to join an IPA domain from a windows workstation and you 
say this is not possible.

I don't have an AD server, I want to configure IPA to act like an AD. My 
network contains Windows/Linux workstations and I want to centrally manage 
authentications.

Regards





- Original message -
From: Dmitri Pal
Sent: 24.01.13 00:53
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Re : Re: Some interrogations about the freeipa 
deployment

On 01/23/2013 03:59 PM, Bob Sauvage wrote:
>
> Hi Dale,
>
> You mean that if I turn this option to 'yes', I'll be able to connect to the 
> server through SSH without needing to authenticate again? Even if I'm 
> connected on the domain from a Windows workstation?
>

If you set up trusts between IPA and AD then yes.
If not then you need to ssh from the system that belongs to the IPA domain.
IPA does not support Windows systems being joined to the IPA domain. But you can 
configure Kerberos for Windows and use local Windows accounts. There are some 
HowTos on the wiki about it.
Alternatively you join Linux systems to AD and use it as your central 
authentication server; then SSO would also work, but you will lose the ability to 
manage your Linux-related policies.

Trusts are probably the best for you but there will be dragons.
http://freeipa.org/page/Howto/IPAv3_AD_trust_setup


> Regards,
>
>> - Original message -
>> From: Dale Macartney
>> Sent: 22.01.13 23:13
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Some interrogations about the freeipa deployment
>>

On 01/22/2013 09:51 PM, Steven Jones wrote:
> Hi,

> I have all done this, so from what you write I think IPA would be a good fit 
> for what you want, except that is the single sign on bit I have not looked to 
> see if that can be done. For http restart you control that via sudo in IPA so 
> its centrally managed, I have this working for one such server though I use 
> the reload option instead.
To enable SSO with SSH from an IPA workstation, just edit /etc/ssh/sshd_config 
and make sure the line below is set to yes:
"GSSAPIAuthentication yes"

If you've just made the change, it won't take effect until SSH is restarted. So 
do the usual service sshd restart.


> I would also not run one instance of IPA myself but with such a small site 
> that's your call.

> regards

> Steven Jones

> Technical Specialist - Linux RHCE

> Victoria University, Wellington, NZ

> 0064 4 463 6272

> -
> *From:* 
> freeipa-users-boun...@redhat.com 
> [freeipa-users-boun...@redhat.com] 
> on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
> *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Some interrogations about the freeipa deployment

> Hi *,

> I plan to review the network architecture of my office. 10 Windows/Linux 
> desktops and 2 Linux servers will be deployed on the network.

> I want to install freeipa on the first server to act like an AD DS. I want to 
> authenti

Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread Alexander Bokovoy

On Thu, 24 Jan 2013, david t. klein wrote:
> While you can make it sort of work, it will be a lot more difficult,
> and will never work quite how you want. You would be better off using
> Active Directory or Samba4, and creating trusts between the two
> domains.

Samba 4 AD DC does not support cross-forest trusts yet.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the freeipa deployment

2013-01-24 Thread david t. klein

While you can make it sort of work, it will be a lot more difficult, and will 
never work quite how you want. You would be better off using Active Directory 
or Samba4, and creating trusts between the two domains.

-DTK

--
david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bob Sauvage
Sent: Thursday, January 24, 2013 4:05 AM
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Re : Re: Re : Re: Some interrogations about the 
freeipa deployment

Hi Dimitri,

Thanks for your response but I'm a little bit confused. Indeed, some users tell 
me that it's possible to join an IPA domain from a windows workstation and you 
say this is not possible.

I don't have an AD server, I want to configure IPA to act like an AD. My 
network contains Windows/Linux workstations and I want to centrally manage 
authentications.

Regards


- Original message -
From: Dmitri Pal
Sent: 24.01.13 00:53
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Re : Re: Some interrogations about the freeipa 
deployment

On 01/23/2013 03:59 PM, Bob Sauvage wrote:
>
> Hi Dale,
>
> You mean that if I turn this option to 'yes', I'll be able to connect to the 
> server through SSH without needing to authenticate again? Even if I'm 
> connected on the domain from a Windows workstation?
>
If you set up trusts between IPA and AD then yes.
If not then you need to ssh from the system that belongs to the IPA domain.
IPA does not support Windows systems being joined to the IPA domain. But you can 
configure Kerberos for Windows and use local Windows accounts. There are some 
HowTos on the wiki about it.
Alternatively you join Linux systems to AD and use it as your central 
authentication server; then SSO would also work, but you will lose the ability to 
manage your Linux-related policies.

Trusts are probably the best for you but there will be dragons.
http://freeipa.org/page/Howto/IPAv3_AD_trust_setup


> Regards,
>
>> - Original message -
>> From: Dale Macartney
>> Sent: 22.01.13 23:13
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Some interrogations about the freeipa deployment
>>


On 01/22/2013 09:51 PM, Steven Jones wrote:
> Hi,

> I have all done this, so from what you write I think IPA would be a good fit 
> for what you want, except that is the single sign on bit I have not looked to 
> see if that can be done. For http restart you control that via sudo in IPA so 
> its centrally managed, I have this working for one such server though I use 
> the reload option instead.
To enable SSO with SSH from an IPA workstation, just edit /etc/ssh/sshd_config 
and make sure the line below is set to yes:
"GSSAPIAuthentication yes"

If you've just made the change, it won't take effect until SSH is restarted. So 
do the usual service sshd restart.


> I would also not run one instance of IPA myself but with such a small site 
> that's your call.

> regards

> Steven Jones

> Technical Specialist - Linux RHCE

> Victoria University, Wellington, NZ

> 0064 4 463 6272

> -
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> on behalf of Bob Sauvage [bob.sauv...@gmx.fr]
> *Sent:* Wednesday, 23 January 2013 9:51 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Some interrogations about the freeipa deployment

> Hi *,

> I plan to review the network architecture of my office. 10 Windows/Linux 
> desktops and 2 Linux servers will be deployed on the network.

> I want to install freeipa on the first server to act like an AD DS. I want to 
> authenticate users on the server and control what can be done or not by 
> them on the network. 10 other Linux web servers should be accessible 
> (console) by specific users and without needing to authenticate again 
> (single sign on). On these web servers, users can issue specific commands 
> like "/etc/init.d/httpd restart".

> Is it possible to achieve this with freeipa ? Do you have some articles ?

> Thanks in advance,

> Bob !


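The sshd_config change Dale describes above (set GSSAPIAuthentication to yes, then restart sshd), as an added example that is not part of the thread: a POSIX shell helper that makes the directive the effective global setting idempotently, since OpenSSH honours the first occurrence of a keyword outside Match blocks, so a commented-out or duplicate line has to be replaced rather than a new line appended. The file path is a parameter; on a real IPA-enrolled host it would be /etc/ssh/sshd_config, and the sshd -t validation step is an assumption about the host having OpenSSH installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Makes "GSSAPIAuthentication yes" the
# effective sshd_config setting the way Dale's mail describes, but idempotently:
# OpenSSH honours the first occurrence of a keyword outside Match blocks, so a
# commented-out or duplicate line is replaced instead of blindly appending.
# The file path is a parameter (assumed /etc/ssh/sshd_config on a real host).
set -eu

# set_sshd_directive FILE KEY VALUE: rewrite FILE so "KEY VALUE" is the first
# global occurrence; later global duplicates are dropped, Match blocks untouched.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; in_match = 0 }
        {
            line = $0; commented = (line ~ /^[[:space:]]*#/)
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]=]+/); k = tolower(f[1])
            if (!in_match && !commented && k == "match") {
                if (!done) { print key " " value; done = 1 }  # insert before Match
                in_match = 1
            }
            if (!in_match && k == lk) {
                if (!done) { print key " " value; done = 1 }  # replace first hit
                next                                          # drop later copies
            }
            print
        }
        END { if (!done) print key " " value }                # absent: append
    ' "$file" > "$tmp"
    # overwrite in place rather than mv: keeps mode, owner and SELinux label
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_value FILE KEY: the value sshd applies globally (first uncommented
# match before any Match block), or empty when unset.
effective_value() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        /^[[:space:]]*#/ { next }
        { l = $0; sub(/^[[:space:]]+/, "", l); split(l, f, /[[:space:]=]+/); k = tolower(f[1]) }
        k == "match" { exit }
        k == lk { print f[2]; exit }
    ' "$1"
}

# On a real host: set_sshd_directive /etc/ssh/sshd_config GSSAPIAuthentication yes
# then validate with "sshd -t" before the "service sshd restart" from the thread.
```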