Re: [Freeipa-users] need info on AD / IPA coexistence
> is abcd.ca your windows domain ?

yes

in this example

  ipa-server-install -a xx \
    --hostname=ipa1.unix.abcd.ca \
    -n unix.abcd.ca \
    -p xxx \
    -r UNIX.ABCD.CA \
    --subject=subject_DN \
    --forwarder=ad_dns.abcd.ca \
    --no-reverse \
    --setup-dns \
    --idmax=number \
    --idstart=1

  # --subject:    Sets the base element for the subject DN of the issued certificates. This defaults to O=realm.
  # --no-reverse: Does not create a reverse DNS zone when the DNS domain is set up.
  # --idmax:      ??? Sets the upper bound for IDs which can be assigned by the IPA server. The default value is the ID start value plus 19.
  # --idstart:    will have to check with AD I guess

IPA server will become unix master DNS for UNIX
current unix server fqdn will remain on abcd.ca
current unix server will have dns, ntp, kdc, ldap from ipa
realm will be equal to domain name = unix.abcd.ca

When I have resolved the "getent passwd admin" issue, I believe I will be able to su - admin on any unix server and will be able to start thinking about what comes next, like winsync, then:

- create ipa slave = ipa2.unix.abcd.ca
- define SRV in bind unix.abcd.ca
- test all our supported Unix platforms, especially AIX

Was anyone successful in hooking their HP iLO or RHEV manager to IPA?

Will have to convince many people to achieve this set-up, but I am sure it is worth it!

Thank you! you guys Rock!

Sylvain

2012/3/8 Ondrej Valousek ondr...@s3group.cz
> Side note: You can manage AD integrated DNS from a unix host easily with just 'nsupdate -g' - so theoretically (ok I understand you have to have a proper Kerberos TGT...) the IPA client could be able to autoconfigure (create all the necessary SRV records) AD DNS, too. Not sure if we even wanted that, but theoretically it should be possible.
>
> Ondrej
>
> On 03/07/2012 08:11 PM, Simo Sorce wrote:
>> On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
>>> Hello All,
>>> We are facing the same difficulties here with coexistence with Microsoft AD on the same network.
>>> Whenever I run ipa-client-install:
>>>
>>>   # ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
>>>   DNS domain 'unix' is not configured for automatic KDC address lookup.
>>>   KDC address will be set to fixed value.
>>>   Discovery was successful!
>>>   Hostname: client.abcd.ca
>>>   Realm: UNIX
>>>   DNS Domain: abcd.ca
>>>   IPA Server: server.abcd.ca
>>>   BaseDN: dc=unix
>>
>> is abcd.ca your windows domain ?
>>
>> although we support specifying a realm that is not identical to the DNS domain, I strongly suggest you do not do so if you do not want to experience some trouble, and to assign to your UNIX domain its own DNS domain that matches the realm.
>>
>> If you do not do that things can still work, but not w/o some minor annoyances. For example discovery will fail, as you found out, because the DNS domain is owned by the AD realm. You also have to make sure you properly map realms to domains correctly in various clients.
>>
>> Simo.
>
> --
> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi Again

Our current Linux/AIX servers' fqdn should remain on the abcd.ca domain.

I need advice: Should the ipa server fqdn be ipa.abcd.ca or ipa.unix.abcd.ca?

and on the Linux/AIX servers, should we add entries for both dns (ipa and Microsoft AD) in resolv.conf?

  domain unix.abcd.ca
  search unix.abcd.ca abcd.ca
  nameserver ipa_adress
  nameserver ad_adress

Thanks

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> Hi Again
> Our current Linux/AIX servers fqdn should remain on abcd.ca domain
> I need an advice: Should the ipa server fqdn be ipa.abcd.ca or ipa.unix.abcd.ca?

You can have machines on a different DNS domain with FreeIPA. So you can use unix.abcd.ca for your IPA server and still install clients in abcd.ca.

I think the only thing you should take care of is to make sure an abcd.ca - UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm] section is available on all machines of the domain, to avoid issues resolving the correct realm for clients in the other domain. On clients this should be automated in the very last release, but the ipa server needs to be configured after install.

> and on the Linux/AIX server, should we add entry of both dns (ipa and Microsoft AD) in resolv.conf?

No, that would not work.

What you should do is ask your DNS admin to delegate you the unix.abcd.ca zone. Once that is done it doesn't matter which DNS you are querying, they will know who to ask.

If delegation is not possible you could still use named forwarders in both IPA and AD so that each DNS server still knows where to forward requests for the specific domain. This again will allow you to use whatever DNS your network uses and have queries properly forwarded around.

>   domain unix.abcd.ca
>   search unix.abcd.ca abcd.ca
>   nameserver ipa_adress
>   nameserver ad_adress

No, don't do this as a way to not configure the DNS servers, it won't work and will cause really confusing mis-behaviors if the DNS servers themselves do not know how to talk to each other.

If delegation of zones or forwarding is properly set up though, then this scheme would allow you to have a fallback when either infrastructure is temporarily unreachable.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
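The [domain_realm] mapping Simo asks for here, and the discovery failure in the first message of this thread, both come down to how a Kerberos client decides which realm a hostname belongs to. The following Python script is an added illustration, not code from the thread or from FreeIPA; the two krb5.conf fragments in it are constructed, and the lookup order it implements is the one MIT Kerberos applies to [domain_realm]: an exact hostname entry, then parent domains written with a leading dot (longest match first), and, when nothing matches and DNS TXT lookup is not in use, the host's DNS domain in upper case. That last rule is why a client named client.abcd.ca with no mapping ends up asking the AD realm ABCD.CA for tickets.

```python
"""Model how a Kerberos client maps a hostname to a realm via [domain_realm].

Added example, not code from the thread or from FreeIPA. Both krb5.conf
samples below are constructed.
"""

import re

# Constructed: what ipa-client-install writes when the realm is UNIX.ABCD.CA
# but clients keep hostnames under the AD-owned abcd.ca domain. Entries with a
# leading dot cover every host below the domain; the bare entry covers the
# domain name itself when it is used as a hostname.
KRB5_CONF_WITH_MAPPING = """
[libdefaults]
  default_realm = UNIX.ABCD.CA
  dns_lookup_realm = false

[domain_realm]
  .unix.abcd.ca = UNIX.ABCD.CA
  unix.abcd.ca = UNIX.ABCD.CA
  .abcd.ca = UNIX.ABCD.CA
  abcd.ca = UNIX.ABCD.CA
"""

# Constructed: the same file without the abcd.ca lines, the state Simo warns
# about.
KRB5_CONF_WITHOUT_MAPPING = """
[libdefaults]
  default_realm = UNIX.ABCD.CA
  dns_lookup_realm = false

[domain_realm]
  .unix.abcd.ca = UNIX.ABCD.CA
  unix.abcd.ca = UNIX.ABCD.CA
"""


def parse_domain_realm(text):
    """Return {pattern: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            pattern, realm = (part.strip() for part in line.split("=", 1))
            mapping[pattern.lower()] = realm
    return mapping


def realm_for_host(hostname, mapping):
    """Return (realm, how) for hostname, following the [domain_realm] rules.

    `how` names the rule that produced the answer, so an administrator can
    tell a configured mapping apart from the fallback heuristic.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "exact host entry"
    labels = host.split(".")
    # Parent domains, longest first: a.b.c is checked against .b.c, then .c
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], "domain entry " + candidate
    # No configured mapping: MIT krb5 upper-cases the host's parent domain.
    if len(labels) > 1:
        return ".".join(labels[1:]).upper(), "DNS-domain fallback (no mapping)"
    return None, "no realm found"


def report(hostnames, conf_text):
    """Map each hostname under the given krb5.conf text: {host: (realm, how)}."""
    mapping = parse_domain_realm(conf_text)
    return {h: realm_for_host(h, mapping) for h in hostnames}


if __name__ == "__main__":
    hosts = ["client.abcd.ca", "ipa1.unix.abcd.ca"]
    for label, conf in (("with mapping", KRB5_CONF_WITH_MAPPING),
                        ("without mapping", KRB5_CONF_WITHOUT_MAPPING)):
        print(label)
        for host, (realm, how) in report(hosts, conf).items():
            print(f"  {host:22} -> {realm:14} ({how})")
```

Running it shows client.abcd.ca landing in UNIX.ABCD.CA with the mapping and in ABCD.CA without it, while ipa1.unix.abcd.ca is unaffected either way, which is exactly why the mapping has to be present on every machine in abcd.ca that should authenticate against IPA.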
Re: [Freeipa-users] need info on AD / IPA coexistence
Alright! I am now requesting to our DNS team: please delegate dns zone unix.abcd.ca to ???

Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? does it matter?

thanks

2012/3/8 Simo Sorce s...@redhat.com
> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
>> Hi Again
>> Our current Linux/AIX servers fqdn should remain on abcd.ca domain
>> I need an advice: Should the ipa server fqdn be ipa.abcd.ca or ipa.unix.abcd.ca?
>
> You can have machines on a different DNS domain with FreeIPA. So you can use unix.abcd.ca for your IPA server and still install clients in abcd.ca.
>
> [...]
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
> Alright! I am now requesting to our DNS team please delegate dns zone unix.abcd.ca to ???

the ip address of your ipa server, they will know what questions to ask :)

> Question: is the ipa server fqdn, be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? does it matter?

It does, the IPA server DNS domain is what matters for the first master. So it should be name.unix.abcd.ca, so that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use the standard configuration).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] need info on AD / IPA coexistence
If your AD realm is ABCD.CA and you want your unix realm to be UNIX.ABCD.CA, then your FQDN should be ipaserver.unix.abcd.ca

When you delegate the zone from AD, you should have at least two IPA servers running bind listed:

  ipaserver1.unix.abcd.ad
  ipaserver2.unix.abcd.ad

That way if one is down, you can still resolve names.

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079

On Mar 8, 2012, at 8:54 AM, Sylvain Angers wrote:
> Alright! I am now requesting to our DNS team please delegate dns zone unix.abcd.ca to ???
> Question: is the ipa server fqdn, be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? does it matter?
> thanks
>
> 2012/3/8 Simo Sorce s...@redhat.com
>> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
>> [...]
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> --
> Sylvain Angers
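What Simo and Brian describe is a plain DNS delegation: the AD-managed abcd.ca zone gets NS records for unix.abcd.ca pointing at the IPA servers, and because those name servers live inside the zone being delegated, the parent must also carry glue A records for them, otherwise resolvers have no address to send the child-zone queries to. The script below is an added example, not part of the thread or of FreeIPA; it parses a constructed fragment of the parent zone in zone-file syntax and checks the two things the thread asks for (at least two name servers listed, and glue for each in-zone name server). The addresses are documentation-range placeholders.

```python
"""Sanity-check a parent-zone delegation for a child zone such as unix.abcd.ca.

Added example, not code from the thread or from FreeIPA. The zone fragments
below are constructed; 192.0.2.x are documentation addresses.
"""

# Constructed: the records the abcd.ca DNS team would add to delegate the
# child zone to two IPA servers running bind, including glue for both.
PARENT_ZONE_OK = """
$ORIGIN abcd.ca.
; delegation of the UNIX realm's DNS domain to the IPA servers
unix              IN  NS  ipaserver1.unix.abcd.ca.
unix              IN  NS  ipaserver2.unix.abcd.ca.
ipaserver1.unix   IN  A   192.0.2.10
ipaserver2.unix   IN  A   192.0.2.11
"""

# Constructed: a single name server and no glue, the two weaknesses the
# thread warns about (no redundancy, and resolvers cannot find the server).
PARENT_ZONE_BAD = """
$ORIGIN abcd.ca.
unix              IN  NS  ipaserver1.unix.abcd.ca.
"""


def parse_zone(text):
    """Return [(owner, rtype, rdata)] with owner names fully qualified.

    Handles $ORIGIN, ';' comments and an optional class field. Relative owner
    names are completed with the current origin, as a zone file parser does.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner = fields[0]
        if not owner.endswith("."):
            owner = owner + "." + origin
        rest = fields[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((owner.lower(), rtype, rdata.lower()))
    return records


def check_delegation(records, child, min_ns=2):
    """Return a list of problems with the delegation of `child` (empty if fine)."""
    child = child.lower()
    if not child.endswith("."):
        child += "."
    ns_targets = [rdata for owner, rtype, rdata in records
                  if owner == child and rtype == "NS"]
    problems = []
    if len(ns_targets) < min_ns:
        problems.append(f"{child} has {len(ns_targets)} NS record(s); "
                        f"at least {min_ns} needed for redundancy")
    for target in ns_targets:
        # A name server inside the delegated zone needs glue in the parent.
        if target.endswith("." + child):
            has_glue = any(owner == target and rtype in ("A", "AAAA")
                           for owner, rtype, _ in records)
            if not has_glue:
                problems.append(f"no glue address record for {target}")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", PARENT_ZONE_OK), ("bad", PARENT_ZONE_BAD)):
        problems = check_delegation(parse_zone(zone), "unix.abcd.ca")
        print(label, "delegation:", "OK" if not problems else problems)
```

Simo's alternative of conditional forwarders on both sides is not covered by this check; it applies only when the DNS team agrees to delegate the zone, which is what Sylvain is asking them for.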
[Freeipa-users] IPA clashing with selinux on users home directories
Hi,

I am setting up some IPA users. What I have noticed is, if I or they type startx to start a gui, locking the .Xauthority fails; if I setenforce 0 then it works fine. I have never seen this behaviour before and googling suggests it's an IPA and selinux conflict. And in fact when I create a local user they get an instant gui from running startx...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] IPA clashing with selinux on users home directories
On Thu, 2012-03-08 at 20:14 +, Steven Jones wrote:
> Hi,
> I am setting up some IPA users. What I have noticed is, if I or they type startx to start a gui, locking the .Xauthority fails; if I setenforce 0 then it works fine. I have never seen this behaviour before and googling suggests it's an IPA and selinux conflict. And in fact when I create a local user they get an instant gui from running startx...

I'm guessing you're creating your home directories with the help of pam_mkhomedir.so. This won't work with SELinux. You need to install and use pam_oddjob_mkhomedir.so instead, which will properly set up SELinux contexts for your users.
Re: [Freeipa-users] IPA clashing with selinux on users home directories
Thanks, I can put that in Sat.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Friday, 9 March 2012 10:35 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA clashing with selinux on users home directories

On Thu, 2012-03-08 at 21:27 +, Steven Jones wrote:
> Hi,
> I used ipa-client-install --mkhomedir
> How do I change that so it will do so properly?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com]
> Sent: Friday, 9 March 2012 9:43 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA clashing with selinux on users home directories
>
> On Thu, 2012-03-08 at 20:14 +, Steven Jones wrote:
> [...]
>
> I'm guessing you're creating your home directories with the help of pam_mkhomedir.so. This won't work with SELinux. You need to install and use pam_oddjob_mkhomedir.so instead, which will properly set up SELinux contexts for your users.

If you install oddjob_homedir before running ipa-client-install then it should pick that up automatically. We already have a patch upstream to require oddjob-mkhomedir at rpm install.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
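The fix Stephen and Simo give is a one-module swap in the PAM session stack, and it is easy to verify after ipa-client-install has run. The script below is an added example, not code from the thread or from FreeIPA: it parses PAM rule lines (the two samples are constructed to look like /etc/pam.d/system-auth before and after the change) and reports whether home directories are created by pam_mkhomedir.so, which runs inside the login process and leaves the directory without the SELinux user-home context, or by pam_oddjob_mkhomedir.so, which hands the job to oddjobd so the directory is labelled correctly. Point it at the real files on a client to confirm the --mkhomedir option picked up the oddjob module.

```python
"""Report which PAM module creates home directories and whether it is SELinux-safe.

Added example, not code from the thread or from FreeIPA. The PAM fragments
below are constructed to resemble /etc/pam.d/system-auth.
"""

# Constructed: the stack ipa-client-install --mkhomedir leaves behind when
# oddjob-mkhomedir is not installed.
SYSTEM_AUTH_BEFORE = """
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed: the same stack after switching to the oddjob module.
SYSTEM_AUTH_AFTER = """
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

UNSAFE_MODULE = "pam_mkhomedir.so"
SAFE_MODULE = "pam_oddjob_mkhomedir.so"


def parse_pam_lines(text):
    """Return [(type, control, module, args)] for each rule in a PAM config text.

    Bracketed control values such as [success=1 default=ignore] may contain
    spaces, so the fields are rejoined up to the closing bracket.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[1].startswith("["):
            idx = 1
            control_parts = []
            while idx < len(fields):
                control_parts.append(fields[idx])
                if fields[idx].endswith("]"):
                    break
                idx += 1
            control = " ".join(control_parts)
            rest = fields[idx + 1:]
        else:
            control = fields[1]
            rest = fields[2:]
        if not rest:
            continue
        rules.append((fields[0], control, rest[0], rest[1:]))
    return rules


def audit_mkhomedir(text):
    """Return {"selinux_safe": bool, "findings": [str]} for a PAM stack."""
    session_modules = [module for rtype, _, module, _ in parse_pam_lines(text)
                       if rtype == "session"]
    findings = []
    if UNSAFE_MODULE in session_modules:
        findings.append(f"{UNSAFE_MODULE} creates home directories without the "
                        f"SELinux user home context; replace it with {SAFE_MODULE}")
    if SAFE_MODULE not in session_modules and UNSAFE_MODULE not in session_modules:
        findings.append("no home-directory creation module in the session stack")
    safe = SAFE_MODULE in session_modules and UNSAFE_MODULE not in session_modules
    return {"selinux_safe": safe, "findings": findings}


if __name__ == "__main__":
    for label, text in (("before", SYSTEM_AUTH_BEFORE), ("after", SYSTEM_AUTH_AFTER)):
        result = audit_mkhomedir(text)
        print(label, "selinux_safe =", result["selinux_safe"])
        for finding in result["findings"]:
            print("  -", finding)
```

On a real client the same audit can be run over every file in /etc/pam.d, since the login path that fails (startx) may be configured through a different service file than the one shown here.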