Re: [Freeipa-users] What id my AD domain user password not available

2016-06-14 Thread Alexander Bokovoy

On Tue, 14 Jun 2016, Ben .T.George wrote:

> Hi
>
> Sorry, it was an issue with DNS (SRV records were missing) and it's been fixed
> now. I have created a one-way forest trust.
>
> While issuing the trust from the IPA server, I used a shared key and the process
> was successful.

It will always be successful because IPA server talks to itself.


> But after validating the trust from the AD side, it's asking for a username
> and password. I have tried the password combinations below:
>
> IPA "admin" user and password
> IPA admin user and IPA directory password
> AD "Administrator" and password.
>
> But it still doesn't accept them. So which username and password is it
> expecting?
>
> This is when I create a one-way trust. If I create a two-way trust, it doesn't
> ask for this password, and my AD admin will only allow a one-way trust.

There is a bug right now where shared secret one-way trust is broken
with the symptoms your setup is showing.

You have four options:
- one-way trust established using credentials of an AD administrator who
  is a member of the Enterprise Admins or Domain Admins group of the forest
  root domain. This option works just fine.

- one-way trust established using a shared secret. This doesn't currently
  work. https://bugzilla.redhat.com/show_bug.cgi?id=1345975

- two-way trust established using credentials of an AD administrator who
  is a member of the Enterprise Admins or Domain Admins group of the forest
  root domain. This option works just fine.

- two-way trust established using a shared secret. This option works just
  fine.

I'm currently looking into bug #1345975.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] What id my AD domain user password not available

2016-05-27 Thread Alexander Bokovoy

On Fri, 27 May 2016, Ben .T.George wrote:

> This is what I am getting
>
> [image: Inline image 1]
> [image: Inline image 3]
> [image: Inline image 4]
>
> And that wizard ends with nothing. Please, can anyone share more info regarding
> this?

The wizard asks you to enter the name of the domain, forest, or realm
for the trust. You are entering the hostname of an IPA master. This is never
going to fly.

In Active Directory terms:
- forest is a set of AD domains
- it is named after the first AD domain created in the forest
- this domain is called 'forest root domain'

In FreeIPA we have a single 'domain' from Active Directory perspective:
- this is the domain corresponding to Kerberos realm name, (ipa.local
  in your case)
- Forest name = forest root domain name = ipa.local

The wizard will then use DNS SRV records to discover IPA masters (AD DCs
from the Active Directory point of view).



> Regards,
> Ben
>
> On Fri, May 27, 2016 at 10:24 AM, Ben .T.George wrote:


>> Hi Alex.
>>
>> I am using Windows 2008 R2.
>>
>> When I give IPA's DNS name and click Next, the trust wizard does not go
>> through. But if I select realm trust, at least the wizard completes.
>>
>> So which AD version is recommended?
>>
>> Regards,
>> Ben

>> On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy wrote:


>>> On Fri, 27 May 2016, Ben .T.George wrote:


>>>> Hi
>>>>
>>>> I ran some commands from the AD side and the trust status got changed. Below
>>>> is the command I used on AD
>>>>
>>>> netdom trust  /d: /verify
>>>>
>>>> Before it was "waiting for confirmation by remote side" and now it has
>>>> changed to "Trust type: Active Directory domain"
>>>>
>>>> But when I try to map an AD group, it does not go through
>>>>
>>>> [root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
>>>> 'MTC_TABS\Domain Users'
>>>> [member user]:
>>>> [member group]:
>>>> Group name: ad_admins_external
>>>> Description: ad_domain admins external map
>>>> Failed members:
>>>>   member user:
>>>>   member group: MTC_TABS\Domain Users: trusted domain object not found
>>>> -
>>>> Number of members added 0
>>>> -
>>>>
>>>> This is what my trust properties from AD show. Trust type is showing as realm


>>> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
>>> realm trust which is *not* what IPA provides.

>>>> [image: Inline image 1]


>>>> How can I fix this issue?


>>> Use the correct type of trust when establishing the trust on the AD side. If
>>> your Windows version does not allow you to specify the proper trust type, I'm
>>> afraid there is nothing we can help with.
>>>
>>> --
>>> / Alexander Bokovoy

--
/ Alexander Bokovoy
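Alexander's point above, that the AD trust wizard finds IPA masters through DNS SRV records, and Michael's advice further down this thread about a separate DNS zone plus forwarding into the AD domain, are both things you can verify before running ipa trust-add. The script below is an added example written for this page, not FreeIPA project code. It assumes the SRV names are the ones ipa-adtrust-install prints when IPA does not manage DNS (the list printed by your own ipa-adtrust-install run is authoritative, and Default-First-Site-Name must be changed if your AD site has another name), that `dig` is on PATH for the live resolver, and that the ipa.local and ad.example.com zones and their answers are constructed sample data.

```python
"""Pre-flight DNS check for an IPA <-> AD forest trust (added example, not FreeIPA code).

AD's "New Trust" wizard locates IPA masters the way it locates domain
controllers: through SRV records under _msdcs.<ipa-domain>. IPA in turn must
resolve the AD forest's DC records, normally through a conditional forwarder.
Both sets are checked here, and each record's port is sanity-checked as well.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]          # priority, weight, port, target
Resolver = Callable[[str], List[SrvRecord]]    # name -> answers ([] if none)

# ASSUMPTION: these are the names ipa-adtrust-install asks you to create when
# IPA does not manage DNS; the list your own install printed is authoritative.
# "Default-First-Site-Name" is AD's default site name; adjust if yours differs.
IPA_SIDE_SRV = [
    "_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
    "_kpasswd._tcp.{d}", "_kpasswd._udp.{d}",
    "_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}",
    "_kerberos._udp.dc._msdcs.{d}",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.{d}",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.{d}",
    "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.{d}",
]
# What IPA needs to find AD domain controllers (through the forwarder to AD DNS).
AD_SIDE_SRV = ["_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}"]

# Port each service is expected to advertise; a record that points at the wrong
# port "exists" in DNS but still breaks discovery.
EXPECTED_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}


def parse_dig_short(text: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` output: one 'prio weight port target.' per line."""
    records: List[SrvRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # empty answer or a non-SRV line
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def dig_resolver(name: str) -> List[SrvRecord]:
    """Live resolver; assumes `dig` is installed. Returns [] when nothing answers."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False)
    return parse_dig_short(out.stdout)


def check_srv(domain: str, templates: List[str], resolve: Resolver) -> List[str]:
    """Return the problems found: missing names and records with the wrong port."""
    problems: List[str] = []
    for template in templates:
        name = template.format(d=domain)
        answers = resolve(name)
        if not answers:
            problems.append(f"missing: {name}")
            continue
        want = EXPECTED_PORT[name.split(".", 1)[0]]
        for _prio, _weight, port, target in answers:
            if port != want:
                problems.append(f"wrong port: {name} -> {target}:{port} (expected {want})")
    return problems


# Constructed sample data: an IPA realm whose admin created only the plain
# Kerberos/LDAP records and forgot the _msdcs ones (the failure mode in this
# thread), and an AD forest whose DC records do resolve through the forwarder.
SAMPLE_ZONE: Dict[str, str] = {
    "_ldap._tcp.ipa.local": "0 100 389 ipa.ipa.local.\n",
    "_kerberos._tcp.ipa.local": "0 100 88 ipa.ipa.local.\n",
    "_kerberos._udp.ipa.local": "0 100 88 ipa.ipa.local.\n",
    "_kpasswd._tcp.ipa.local": "0 100 464 ipa.ipa.local.\n",
    "_kpasswd._udp.ipa.local": "0 100 464 ipa.ipa.local.\n",
    "_ldap._tcp.dc._msdcs.ad.example.com":
        "0 100 389 dc1.ad.example.com.\n0 100 389 dc2.ad.example.com.\n",
    "_kerberos._tcp.dc._msdcs.ad.example.com": "0 100 88 dc1.ad.example.com.\n",
}


def sample_resolver(name: str) -> List[SrvRecord]:
    """Offline resolver backed by SAMPLE_ZONE, in the same shape as `dig +short`."""
    return parse_dig_short(SAMPLE_ZONE.get(name, ""))


def report(ipa_domain: str, ad_domain: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Run both checks; an empty list for a domain means that side is ready."""
    return {ipa_domain: check_srv(ipa_domain, IPA_SIDE_SRV, resolve),
            ad_domain: check_srv(ad_domain, AD_SIDE_SRV, resolve)}


if __name__ == "__main__":
    # Swap sample_resolver for dig_resolver to check your real zones.
    for domain, problems in report("ipa.local", "ad.example.com", sample_resolver).items():
        print(f"{domain}: {'OK' if not problems else str(len(problems)) + ' problem(s)'}")
        for problem in problems:
            print("  " + problem)
```

Run it against the sample zone and the AD side comes back clean while the IPA side reports six missing _msdcs records, which is exactly the state in which the AD wizard cannot find a "domain controller" for the IPA realm. With dig_resolver in place of sample_resolver, run it on the IPA master itself, since that is the resolver path ipa trust-add will use to reach the AD forest.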



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-27 Thread Ben .T.George
Hi Alex.

I am using Windows 2008 R2.

When I give IPA's DNS name and click Next, the trust wizard does not go
through. But if I select realm trust, at least the wizard completes.

So which AD version is recommended?

Regards,
Ben

On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy 
wrote:

> On Fri, 27 May 2016, Ben .T.George wrote:
>
>> Hi
>>
>> I ran some commands from the AD side and the trust status got changed. Below is
>> the command I used on AD
>>
>> netdom trust  /d: /verify
>>
>>
>> Before it was "waiting for confirmation by remote side" and now it has
>> changed to "Trust type: Active Directory domain"
>>
>> But when I try to map an AD group, it does not go through
>>
>>
>> [root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
>> 'MTC_TABS\Domain Users'
>> [member user]:
>> [member group]:
>> Group name: ad_admins_external
>> Description: ad_domain admins external map
>> Failed members:
>>   member user:
>>   member group: MTC_TABS\Domain Users: trusted domain object not found
>> -
>> Number of members added 0
>> -
>>
>> This is what my trust properties from AD show. Trust type is showing as realm
>>
>>
> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
> realm trust which is *not* what IPA provides.
>
> [image: Inline image 1]
>>
>> How can I fix this issue?
>>
> Use the correct type of trust when establishing the trust on the AD side. If your
> Windows version does not allow you to specify the proper trust type, I'm afraid
> there is nothing we can help with.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Alexander Bokovoy

On Fri, 27 May 2016, Ben .T.George wrote:

> Hi
>
> I ran some commands from the AD side and the trust status got changed. Below is
> the command I used on AD
>
> netdom trust  /d: /verify
>
> Before it was "waiting for confirmation by remote side" and now it has
> changed to "Trust type: Active Directory domain"
>
> But when I try to map an AD group, it does not go through
>
> [root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
> 'MTC_TABS\Domain Users'
> [member user]:
> [member group]:
> Group name: ad_admins_external
> Description: ad_domain admins external map
> Failed members:
>   member user:
>   member group: MTC_TABS\Domain Users: trusted domain object not found
> -
> Number of members added 0
> -
>
> This is what my trust properties from AD show. Trust type is showing as realm

It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
realm trust which is *not* what IPA provides.


> [image: Inline image 1]

> How can I fix this issue?

Use the correct type of trust when establishing the trust on the AD side. If your
Windows version does not allow you to specify the proper trust type, I'm afraid
there is nothing we can help with.

--
/ Alexander Bokovoy



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Ben .T.George
Hi

I ran some commands from the AD side and the trust status got changed. Below is
the command I used on AD

netdom trust  /d: /verify

Before it was "waiting for confirmation by remote side" and now it has
changed to "Trust type: Active Directory domain"

But when I try to map an AD group, it does not go through

[root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external
'MTC_TABS\Domain Users'
[member user]:
[member group]:
 Group name: ad_admins_external
 Description: ad_domain admins external map
 Failed members:
   member user:
   member group: MTC_TABS\Domain Users: trusted domain object not found
-
Number of members added 0
-

This is what my trust properties from AD show. Trust type is showing as realm

[image: Inline image 1]

How can I fix this issue?

On Thu, May 26, 2016 at 10:32 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Hi All
>
> I have given the shared key and the status is like below.
>
>
> [root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
> --trust-secret
> Shared secret for the trust:
> 
> Added Active Directory trust for realm "corp.example.com.kw"
> 
>  Realm name: corp.example.com.kw
>  Domain NetBIOS name: MTC_TABS
>  Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
>  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>  S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
> S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
> S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
>  S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
> S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>  Trust direction: Trusting forest
>  Trust type: Active Directory domain
>  Trust status: Waiting for confirmation by remote side
>
>
> What does "Waiting for confirmation by remote side" mean? How can I
> check that? From my AD side, I cannot see the screens shown in that
> gif (tutorial).
>
> Please, anyone, help me.
>
>
> Thanks & Regards,
> Ben
>
> On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> That looks good.  I see you are using an external DNS source for the IPA
>> domain, correct?  You may need to do some additional steps on the FreeIPA
>> server, because by default it will configure BIND and populate resource
>> records for the IPA domain (for example, SRV records like
>> _ldap._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
>> external DNS, but I'm sure there are some instructions out there.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 2:22 PM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi
>>
>> In my case I have 2 domains
>>
>> AD DNS : corp.example.kw.com
>> main DNS ( from appliance) : kw.example.com
>>
>> and all the Linux boxes are pointed to kw.example.com
>>
>> so I put my IPA server hostname as : ipa.kw.example.com and created A &
>> PTR on kw.example.com
>>
>> Is that the correct way?
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> Ben,
>>>
>>> Yes, that is a requirement.  Just creating the A & PTR records for your
>>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>>> too, example:
>>> Windows AD Domain: mydomain.com
>>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>>
>>> You cannot have a cross-forest trust between two domains with the same
>>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>>> plan accordingly to move all the linux boxes that will participate in the
>>> FreeIPA domain into the new DNS zone.
>>>
>>> -Mike
>>>
>>> -Original Message-
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 10:44 AM
>>> To: Michael ORourke
>>> Cc: freeipa-users
>>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi
>>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Ben .T.George
Hi All

I have given the shared key and the status is like below.


[root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
--trust-secret
Shared secret for the trust:

Added Active Directory trust for realm "corp.example.com.kw"

 Realm name: corp.example.com.kw
 Domain NetBIOS name: MTC_TABS
 Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
 S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15,
 S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10,
S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Waiting for confirmation by remote side


What does "Waiting for confirmation by remote side" mean? How can I
check that? From my AD side, I cannot see the screens shown in that
gif (tutorial).

Please, anyone, help me.


Thanks & Regards,
Ben

On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> That looks good.  I see you are using an external DNS source for the IPA
> domain, correct?  You may need to do some additional steps on the FreeIPA
> server, because by default it will configure BIND and populate resource
> records for the IPA domain (for example, SRV records like
> _ldap._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an
> external DNS, but I'm sure there are some instructions out there.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 2:22 PM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> Hi
>
> In my case I have 2 domains
>
> AD DNS : corp.example.kw.com
> main DNS ( from appliance) : kw.example.com
>
> and all the Linux boxes are pointed to kw.example.com
>
> so I put my IPA server hostname as : ipa.kw.example.com and created A &
> PTR on kw.example.com
>
> Is that the correct way?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> Ben,
>>
>> Yes, that is a requirement.  Just creating the A & PTR records for your
>> FreeIPA server is not enough.  You will need to keep the DNS zones separate
>> too, example:
>> Windows AD Domain: mydomain.com
>> FreeIPA Realm/Domain: subdomain.mydomain.com
>>
>> You cannot have a cross-forest trust between two domains with the same
>> DNS zone name.  So if you have a flat DNS namespace, then you will want to
>> plan accordingly to move all the linux boxes that will participate in the
>> FreeIPA domain into the new DNS zone.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:44 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi
>>
>> Yeah, that GIF screen I shared with him. But that doesn't show how to take
>> the shared key.
>>
>> In my case DNS is handled by 3rd party appliances and from their side
>> they created an A record for my IPA server. Both forward and reverse are working.
>>
>> Is this forwarder a mandatory thing from the DNS side?
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> Actually one of his questions doesn't make sense, because last I
>>> checked, normal domain users do not have permissions to create a forest
>>> trust.
>>> I believe the default is a one-way trust, so maybe his concerns about
>>> the bi-directional trust is really a non-issue.
>>> If he refuses to type in the admin password in a linux console session
>>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>>> on using a pre-shared key and have him setup the AD side and give you the
>>> key.  You don't have to be a Windows expert to do this, just ask your
>>> domain admin to do the steps for you.  Also, you will need to setup a
>>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>>> have problems.
>>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-26 Thread Michael ORourke
That looks good.  I see you are using an external DNS source for the IPA domain, correct?  You may need to do some additional steps on the FreeIPA server, because by default it will configure BIND and populate resource records for the IPA domain (for example, SRV records like _ldap._tcp.kw.example.com).  I'm not familiar with setting up FreeIPA with an external DNS, but I'm sure there are some instructions out there.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 2:22 PM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

In my case I have 2 domains

AD DNS : corp.example.kw.com
main DNS ( from appliance) : kw.example.com

and all the Linux boxes are pointed to kw.example.com

so I put my IPA server hostname as : ipa.kw.example.com and created A & PTR on kw.example.com

Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Ben,

Yes, that is a requirement.  Just creating the A & PTR records for your FreeIPA server is not enough.  You will need to keep the DNS zones separate too, example:
Windows AD Domain: mydomain.com
FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name.  So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:44 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

Yeah, that GIF screen I shared with him. But that doesn't show how to take the shared key.

In my case DNS is handled by 3rd party appliances and from their side they created an A record for my IPA server. Both forward and reverse are working.

Is this forwarder a mandatory thing from the DNS side?

Regards,
Ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.
I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.
If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:07 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

He is local only but he is asking so many questions.

First of all he is refusing to give the domain admin user's password.

The questions he is asking are:

Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
Can we build this trust one-directional?
Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

Regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password.

In this case how can I proceed with ipa trust-add?

Regards,
Ben







Re: [Freeipa-users] What id my AD domain user password not available

2016-05-24 Thread Martin Kosek
On 05/23/2016 03:20 PM, Ben .T.George wrote:
> Hi
> 
> Thanks for your reply.
> 
> I saw this before but the thing is I can't follow this one as I am not
> completely getting those steps
> 
> ipa trust-add --type=ad "ad_domain" --trust-secret
> 
> It is asking for a key and what do I need to give?
> 
> And the shown gif screens and current AD windows are different for me.

Hi,

Try checking the procedure in the guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#create-trust-shared-secret
Maybe it will help you understand what needs to be clicked on AD side.

HTH,
Martin

> Regards
> Ben
> 
> On 23 May 2016 16:13, "Martin Babinsky" wrote:
> 
> On 05/23/2016 02:42 PM, Ben .T.George wrote:
> 
> Hi List,
> 
> My Windows domain admin is not giving the domain admin user password.
> 
> In this case how can I proceed with ipa trust-add?
> 
> Regards,
> Ben
> 
> 
> 
> Hi Ben,
> 
> You can ask your AD domain admin to create a shared secret for 
> establishing
> trust. See the corresponding chapter in the guide for creating trusts[1] 
> for
> more details.
> 
> [1]
> 
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
> 
> 
> -- 
> Martin^3 Babinsky
> 
> 
> 



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

in my case i have 2 domains

AD DNS : corp.example.kw.com
main DNS ( from appliance) : kw.example.com

and all the linux box are pointed to kw.example.com

so i put my IPA server hostname as : ipa.kw.example.com and created A & PTR
on kw.example.com

is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> Ben,
>
> Yes, that is a requirement.  Just creating the A & PTR records for your
> FreeIPA server is not enough.  You will need to keep the DNS zones separate
> too, example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name.  So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 10:44 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> Hi
>
> Yeah, that GIF screen I shared with him. But that doesn't show how to take
> the shared key.
>
> In my case DNS is handled by 3rd party appliances and from their side they
> created an A record for my IPA server. Both forward and reverse are working.
>
> Is this forwarder a mandatory thing from the DNS side?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> Actually one of his questions doesn't make sense, because last I checked,
>> normal domain users do not have permissions to create a forest trust.
>> I believe the default is a one-way trust, so maybe his concerns about the
>> bi-directional trust is really a non-issue.
>> If he refuses to type in the admin password in a linux console session
>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>> on using a pre-shared key and have him setup the AD side and give you the
>> key.  You don't have to be a Windows expert to do this, just ask your
>> domain admin to do the steps for you.  Also, you will need to setup a
>> separate DNS zone and some forwarding rules.  Otherwise you are going to
>> have problems.
>>
>> -Mike
>>
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:07 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi
>>
>> He is local only but he is asking so many questions.
>>
>> First of all he is refusing to give the domain admin user's password.
>>
>> The questions he is asking are:
>>
>> Is this trust relationship two-directional? If yes, why does IPA require
>> a two-directional trust?
>> Can we build this trust one-directional?
>> Can we achieve this with a normal domain user?
>>
>> And he is opposed to entering the password on the command line, and I was going
>> through the trust using a pre-shared key and it's too hard for me to
>> understand as I have no Windows experience.
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net
>> > wrote:
>>
>>> A couple of ways to go about this.  If he is local to you, you could
>>> explain that you need to establish a trust with his domain and you need his
>>> assistance for a few minutes while you type the command to join, then have
>>> him type in the password.  You need to assure that the DNS forward/stub
>>> zones are setup and working too.  If he is remote, you could use some
>>> screen share software and share out your desktop and walk him through the
>>> part where he has to type the admin password.  There is also a way to
>>> create a trust using a pre-shared key.  That may be more acceptable to
>>> him.
>>>
>>> -Mike
>>>
>>> -Original Message-
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 8:42 AM
>>> To: freeipa-users
>>> Subject: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi List,
>>>
>>> My Windows domain admin is not giving the domain admin user password.
>>>
>>> In this case how can I proceed with ipa trust-add?
>>>
>>> Regards,
>>> Ben
>>>
>>>
>>>
>>
>>
>>
>
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
Ben,

Yes, that is a requirement.  Just creating the A & PTR records for your FreeIPA server is not enough.  You will need to keep the DNS zones separate too, example:
Windows AD Domain: mydomain.com
FreeIPA Realm/Domain: subdomain.mydomain.com

You cannot have a cross-forest trust between two domains with the same DNS zone name.  So if you have a flat DNS namespace, then you will want to plan accordingly to move all the linux boxes that will participate in the FreeIPA domain into the new DNS zone.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:44 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

Yeah, that GIF screen I shared with him. But that doesn't show how to take the shared key.

In my case DNS is handled by 3rd party appliances and from their side they created an A record for my IPA server. Both forward and reverse are working.

Is this forwarder a mandatory thing from the DNS side?

Regards,
Ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.
I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.
If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 10:07 AM
To: Michael ORourke 
Cc: freeipa-users 
Subject: Re: [Freeipa-users] What id my AD domain user password not available

Hi

He is local only but he is asking so many questions.

First of all he is refusing to give the domain admin user's password.

The questions he is asking are:

Is this trust relationship two-directional? If yes, why does IPA require a two-directional trust?
Can we build this trust one-directional?
Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

Regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

My Windows domain admin is not giving the domain admin user password.

In this case how can I proceed with ipa trust-add?

Regards,
Ben





Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

Yeah, that GIF screen I shared with him, but that doesn't show how to take
the shared key.

In my case DNS is handled by 3rd party appliances and from their side they
created an A record for my IPA server. Both forward and reverse are working.

Is this forwarder a mandatory thing from the DNS side?

Regards,
ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net>
wrote:

> Actually one of his questions doesn't make sense, because last I checked,
> normal domain users do not have permissions to create a forest trust.
> I believe the default is a one-way trust, so maybe his concerns about the
> bi-directional trust is really a non-issue.
> If he refuses to type in the admin password in a linux console session
> (extreme paranoia?), then perhaps you could give him a link to the tutorial
> on using a pre-shared key and have him setup the AD side and give you the
> key.  You don't have to be a Windows expert to do this, just ask your
> domain admin to do the steps for you.  Also, you will need to setup a
> separate DNS zone and some forwarding rules.  Otherwise you are going to
> have problems.
>
> -Mike
>
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 10:07 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> HI
>
> He is local only but he is asking so many questions.
>
> first of all he is refusing to give domain admin users password .
>
> questions he is asking is:
>
> Is this trust relationship two directional? If yes, why does IPA require a
> two directional trust?
> Can we build this trust one directional?
> Can we achieve this with a normal domain user?
>
> and he is opposing to enter the password in the command line and I was going
> through the trust using a pre-shared key and it's too hard for me to
> understand as I have no Windows experience
>
> regards,
> Ben
>
> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net>
> wrote:
>
>> A couple of ways to go about this.  If he is local to you, you could
>> explain that you need to establish a trust with his domain and you need his
>> assistance for a few minutes while you type the command to join, then have
>> him type in the password.  You need to assure that the DNS forward/stub
>> zones are setup and working too.  If he is remote, you could use some
>> screen share software and share out your desktop and walk him through the
>> part where he has to type the admin password.  There is also a way to
>> create a trust using a pre-shared key.  That may be more acceptable to
>> him.
>>
>> -Mike
>>
>> -Original Message-
>> From: "Ben .T.George"
>> Sent: May 23, 2016 8:42 AM
>> To: freeipa-users
>> Subject: [Freeipa-users] What id my AD domain user password not available
>>
>> Hi List,
>>
>> my Windows domain Admin is not giving domain admin user password.
>>
>> in this case how can I proceed with ipa trust-add
>>
>> regards,
>> Ben
>>
>>
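Mike's advice above, and Ben's question about whether a forwarder is needed, both come down to one thing: the IPA server's resolver must find the AD domain's SRV records, and AD's resolver must find the IPA realm's, or trust-add fails before any credentials are even checked. The script below is an added example for this thread, not FreeIPA project code. It lists a condensed set of the SRV names the trust setup guide expects to resolve (consult the guide for the full list), parses `dig +short SRV` output, and reports what is missing. The domain names, the `table_resolver` stub and the sample answers are constructed for the example; `dig_resolver` shells out to a real `dig` when you run it on an IPA server.

```python
"""Report missing DNS SRV records for an IPA <-> AD forest trust.

Added example for this thread (not FreeIPA project code).  The SRV
names below are a condensed subset of what the FreeIPA trust setup
guide expects; the sample zone data at the bottom is constructed.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

SrvRecord = Tuple[int, int, int, str]   # priority, weight, port, target
Resolver = Callable[[str], List[SrvRecord]]


def required_ipa_srv(ipa_domain: str) -> List[str]:
    """SRV names AD must resolve to locate the IPA KDC/LDAP (assumed subset)."""
    d = ipa_domain.rstrip(".")
    return [f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}",
            f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}"]


def required_ad_srv(ad_domain: str) -> List[str]:
    """SRV names IPA must resolve to locate AD domain controllers (assumed subset)."""
    d = ad_domain.rstrip(".")
    return [f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}",
            f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}"]


def parse_dig_short(text: str) -> List[SrvRecord]:
    """Parse 'dig +short SRV' lines: '<prio> <weight> <port> <target.>'."""
    records: List[SrvRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue          # NXDOMAIN/empty answer prints nothing; skip junk
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def dig_resolver(name: str) -> List[SrvRecord]:
    """Real lookup through the local resolver (whatever the forwarder chain is)."""
    proc = subprocess.run(["dig", "+short", "SRV", name],
                          capture_output=True, text=True, check=False)
    return parse_dig_short(proc.stdout)


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for dig_resolver: name -> canned 'dig +short' output."""
    return lambda name: parse_dig_short(table.get(name.rstrip("."), ""))


def missing_srv(names: List[str], resolver: Resolver) -> List[str]:
    """Names that return no SRV answer at all."""
    return [n for n in names if not resolver(n)]


def trust_dns_report(ipa_domain: str, ad_domain: str,
                     resolver: Resolver) -> Dict[str, List[str]]:
    """Missing records on each side; an empty list on both sides is a pass."""
    return {
        "ipa": missing_srv(required_ipa_srv(ipa_domain), resolver),
        "ad": missing_srv(required_ad_srv(ad_domain), resolver),
    }


# Constructed sample: IPA zone is complete, but the AD zone as seen from the
# IPA server lacks the _msdcs records, which is what a missing forwarder or
# a hand-maintained copy of the AD zone typically looks like.
SAMPLE_ZONE = {
    "_ldap._tcp.ipa.example.test": "0 100 389 ipa1.ipa.example.test.",
    "_kerberos._tcp.ipa.example.test": "0 100 88 ipa1.ipa.example.test.",
    "_kerberos._udp.ipa.example.test": "0 100 88 ipa1.ipa.example.test.",
    "_kpasswd._tcp.ipa.example.test": "0 100 464 ipa1.ipa.example.test.",
    "_kpasswd._udp.ipa.example.test": "0 100 464 ipa1.ipa.example.test.",
    "_ldap._tcp.ad.example.test": "0 100 389 dc1.ad.example.test.",
    "_kerberos._tcp.ad.example.test": "0 100 88 dc1.ad.example.test.",
}


def sample_report() -> Dict[str, List[str]]:
    """Run the check against the constructed zone above."""
    return trust_dns_report("ipa.example.test", "ad.example.test",
                            table_resolver(SAMPLE_ZONE))


if __name__ == "__main__":
    for side, missing in sample_report().items():
        print(side, "missing:" if missing else "ok", *missing)
```

On a real IPA server replace `table_resolver(SAMPLE_ZONE)` with `dig_resolver` and run it both before and after the forwarder/stub zone is added; the `_msdcs` names are the ones that only resolve once queries for the AD domain actually reach AD's DNS.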

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
Actually one of his questions doesn't make sense, because last I checked, normal domain users do not have permissions to create a forest trust.

I believe the default is a one-way trust, so maybe his concerns about the bi-directional trust is really a non-issue.

If he refuses to type in the admin password in a linux console session (extreme paranoia?), then perhaps you could give him a link to the tutorial on using a pre-shared key and have him setup the AD side and give you the key.  You don't have to be a Windows expert to do this, just ask your domain admin to do the steps for you.  Also, you will need to setup a separate DNS zone and some forwarding rules.  Otherwise you are going to have problems.

-Mike

-Original Message-
From: "Ben .T.George" <bentech4...@gmail.com>
Sent: May 23, 2016 10:07 AM
To: Michael ORourke <mrorou...@earthlink.net>
Cc: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] What id my AD domain user password not available

HI

He is local only but he is asking so many questions.

First of all he is refusing to give domain admin user's password.

Questions he is asking are:

Is this trust relationship two directional? If yes, why does IPA require a two directional trust?
Can we build this trust one directional?
Can we achieve this with a normal domain user?

And he is opposing to enter the password in the command line, and I was going through the trust using a pre-shared key and it's too hard for me to understand as I have no Windows experience.

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:

A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can I proceed with ipa trust-add

regards,
Ben



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
HI

He is local only but he is asking so many questions.

First of all he is refusing to give domain admin user's password.

Questions he is asking are:

Is this trust relationship two directional? If yes, why does IPA require a
two directional trust?
Can we build this trust one directional?
Can we achieve this with a normal domain user?

And he is opposing to enter the password in the command line, and I was going
through the trust using a pre-shared key and it's too hard for me to understand
as I have no Windows experience.

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke 
wrote:

> A couple of ways to go about this.  If he is local to you, you could
> explain that you need to establish a trust with his domain and you need his
> assistance for a few minutes while you type the command to join, then have
> him type in the password.  You need to assure that the DNS forward/stub
> zones are setup and working too.  If he is remote, you could use some
> screen share software and share out your desktop and walk him through the
> part where he has to type the admin password.  There is also a way to
> create a trust using a pre-shared key.  That may be more acceptable to
> him.
>
> -Mike
>
> -Original Message-
> From: "Ben .T.George"
> Sent: May 23, 2016 8:42 AM
> To: freeipa-users
> Subject: [Freeipa-users] What id my AD domain user password not available
>
> Hi List,
>
> my Windows domain Admin is not giving domain admin user password.
>
> in this case how can I proceed with ipa trust-add
>
> regards,
> Ben
>
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Michael ORourke
A couple of ways to go about this.  If he is local to you, you could explain that you need to establish a trust with his domain and you need his assistance for a few minutes while you type the command to join, then have him type in the password.  You need to assure that the DNS forward/stub zones are setup and working too.  If he is remote, you could use some screen share software and share out your desktop and walk him through the part where he has to type the admin password.  There is also a way to create a trust using a pre-shared key.  That may be more acceptable to him.

-Mike

-Original Message-
From: "Ben .T.George" 
Sent: May 23, 2016 8:42 AM
To: freeipa-users 
Subject: [Freeipa-users] What id my AD domain user password not available

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can I proceed with ipa trust-add

regards,
Ben



Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Ben .T.George
Hi

Thanks for your reply.

I saw this before, but the thing is I can't follow this one as I
am not completely getting those steps:

ipa trust-add --type=ad "ad_domain" --trust-secret

It is asking for a key, and what do I need to give?

And the shown gif screens and current AD windows are different for me.

Regards
Ben
On 23 May 2016 16:13, "Martin Babinsky"  wrote:

> On 05/23/2016 02:42 PM, Ben .T.George wrote:
>
>> Hi List,
>>
>> my Windows domain Admin is not giving domain admin user password.
>>
>> in this case how can I proceed with ipa trust-add
>>
>> regards,
>> Ben
>>
>>
>>
> Hi Ben,
>
> You can ask your AD domain admin to create a shared secret for
> establishing trust. See the corresponding chapter in the guide for creating
> trusts[1] for more details.
>
> [1]
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
>
> --
> Martin^3 Babinsky
>

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Martin Babinsky

On 05/23/2016 02:42 PM, Ben .T.George wrote:

Hi List,

my Windows domain Admin is not giving domain admin user password.

in this case how can I proceed with ipa trust-add

regards,
Ben
Hi Ben,

You can ask your AD domain admin to create a shared secret for 
establishing trust. See the corresponding chapter in the guide for 
creating trusts[1] for more details.

[1] 
http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available

--
Martin^3 Babinsky
