Re: [Freeipa-users] Desperate help requested.
On Mon, Aug 27, 2012 at 08:57:20AM +0200, David Sastre wrote:
> On Sun, Aug 26, 2012 at 6:05 AM, KodaK wrote:
> > Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers.
>
> SELinux + sudo centralized management doesn't exist at all in AD.

I guess it comes down to:
- technical orientation of IPA: designed with Linux/Unix in mind, not Windows
- open source, so all the default open vs. proprietary points apply:
  - no vendor lock-in: if the vendor decides not to continue the product, you can take the source and do this for yourself
  - code can be audited
  - code seen by many eyes
  - ...

Christian

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Question about migration and scripts variables
On 08/17/2012 10:55 PM, James James wrote:
> My second question is about ipalib. I wanted to make a hook on the user creation. The hook works fine. I just want to know if there is a way to have the value of variables like the username, the name of the creator, the e-mail of the creator and stuff like that.

If you want to simply store the name of the entry creator, then you can use the operational attributes creatorsName, createTimestamp, modifiersName and modifyTimestamp. You don't need to code anything new.

For example:

$ ldapsearch -Y GSSAPI -b idnsname=e.org,cn=dns,dc=e,dc=org createTimestamp creatorsName

... will print:

# txt2, e.org, dns, e.org
dn: idnsName=txt2,idnsName=e.org,cn=dns,dc=e,dc=org
createTimestamp: 20120810114214Z
creatorsName: cn=directory manager

-- 
Petr^2 Spacek
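An added example, not from the post above: it parses the LDIF that ldapsearch prints for the operational attributes Petr names and turns it into a small audit table of who created or last modified each entry and when. The sample LDIF is constructed (its first entry mirrors the post's output, the second is invented), and the function names are the example's own.

```python
# Added example (not from the post): parse the LDIF that ldapsearch prints for the
# operational attributes Petr names and build an audit table of who created or
# modified each entry and when. SAMPLE_LDIF is constructed; entry 1 mirrors the post.
from datetime import datetime, timezone
SAMPLE_LDIF = """\
# txt2, e.org, dns, e.org
dn: idnsName=txt2,idnsName=e.org,cn=dns,dc=e,dc=org
createTimestamp: 20120810114214Z
creatorsName: cn=directory manager

dn: uid=alice,cn=users,cn=accounts,dc=e,dc=org
createTimestamp: 20120817205501Z
creatorsName: uid=admin,cn=users,cn=accounts,dc=e,dc=org
modifyTimestamp: 20120820091200Z
modifiersName: cn=Directory Manager
"""

def parse_ldif(text):
    """One {attr: value} dict per entry; handles '#' comments, blank separators, folded lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # LDIF folds long lines with a leading space
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:               # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip()] = value.strip()
    return entries

# 389-ds GeneralizedTime, e.g. 20120810114214Z -> timezone-aware UTC datetime
def gtime(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_rows(text):
    """(dn, creator, created, modifier, modified); never-modified entries repeat creator/creation."""
    return [(e["dn"], e["creatorsName"], gtime(e["createTimestamp"]),
             e.get("modifiersName", e["creatorsName"]),
             gtime(e.get("modifyTimestamp", e["createTimestamp"])))
            for e in parse_ldif(text)]

def created_as_directory_manager(text):
    """DNs written directly as Directory Manager (which bypasses the directory's ACIs) rather than by an IPA user."""
    return [dn for dn, creator, *_ in audit_rows(text) if creator.lower() == "cn=directory manager"]
```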
Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS (Franklin)
Hello,

On 08/23/2012 07:00 AM, Franklin Catoni wrote:
> Hi,
>
> > Hello,
> > Is the zone not transferring at all, or is it just the updates that are not transferred to the AD slave server?
>
> It's not transferring at all.
>
> > If the zone is not transferring at all: did you modify the Allow transfer property of the zone?
>
> Yes, I changed the parameter to allow zone transfers from the AD.
>
> > If the updates are not transferring: I believe automatic increment of the zone serial number will be supported in IPA 3.0. The IPA developers will have to confirm that. However you can manually change the serial number under Zone Settings.
>
> Yes, I also read this information but I was hoping there was some other solution to the issue. And I've done a manual change of the serial number of the zone, but without success.
>
> > Hope this helps.
>
> Thanks
>
> > Regards,
> > Siggi

I'm a bit confused, so I tried to summarize your configuration. Please correct me if I'm wrong:

zone ejemplo.com = hosted on AD server
zone ejemplo.gob.ve = hosted on FreeIPA server

What is your target? Do you want to have both zones on each server? I.e. one server will be master for one zone and slave for the other zone (at the same time)?

Zone transfers are supported from IPA 3.0. IPA can host only master zones; slave zones have to be set in /etc/named.conf manually. There is no centralized management of slave zones.

Generally, you can test zone transfers with dig:

slave$ dig @master_IP -t AXFR zone.name

It should print something like:

zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
zone.example. 86400 IN TXT zone.example
...
zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1

This way you can test ACL and other settings on the master. Does the transfer with dig work for both master servers?

Petr^2 Spacek

> 2012/8/20 freeipa-users-requ...@redhat.com
>
> > Message: 1
> > Date: Sun, 19 Aug 2012 18:23:20 +0200
> > From: Sigbjorn Lie sigbj...@nixtra.com
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Active Directory slave zone in FreeIPA DNS
> > Message-ID: 503112f8.8000...@nixtra.com
> > Content-Type: text/plain; charset=iso-8859-1; Format=flowed
> >
> > On 08/19/2012 04:39 PM, Franklin Catoni wrote:
> > > Greetings community. I do not speak English so I will do my best. I have two environments in my company, a domain ejemplo.com with Windows Active Directory running on Windows Server 2003 Enterprise Edition SP2, and a domain ejemplo.gob.ve with FreeIPA v2.2 mounted on CentOS 6.3 x64. This is because we are in the middle of a platform migration process (a very slow process) from proprietary solutions to open source.
> > >
> > > DNS and DHCP service for my two environments is offered by the CentOS 6.3 server on which the FreeIPA directory is mounted; clients are Windows computers in the Active Directory domain and Linux computers in the IPA domain. Currently the zone ejemplo.gob.ve is administered by the FreeIPA DNS using the plugin (bind-dyndb-ldap.x86_64 v1.1.0) and I configured a slave zone using bind (bind-9.8.2-0.10.rc1.el6_3.2.x86_64) for the Active Directory domain ejemplo.com. Name resolution works perfectly for both Linux and Windows clients. Now here comes the tricky part. In order to find a more
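An added example, not code from the thread: it checks the output of the dig AXFR test Petr suggests (a complete transfer is bracketed by two identical SOA records), pulls the zone serial out of it, and decides whether a slave holding a given serial would refresh, which is the serial-increment concern Siggi raised. The sample transfer is constructed from the records shown above; all function names are the example's own.

```python
# Added example (not from the thread): check the output of the dig AXFR test Petr
# suggests, extract the zone serial from it, and decide whether a slave holding a
# given serial would refresh. SAMPLE_AXFR is constructed from the thread's records.
SAMPLE_AXFR = """\
zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
zone.example. 86400 IN NS unused-4-107.brq.redhat.com.
zone.example. 86400 IN TXT zone.example
zone.example. 86400 IN SOA unused-4-107.brq.redhat.com. nonexistent.zone.example. 1344953446 123 123 666 1
"""

def parse_axfr(text):
    """Presentation-format lines -> (owner, ttl, class, type, rdata fields); dig's ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        records.append((owner, int(ttl), rclass, rtype, rdata))
    return records

def soa_serial(text):
    """Serial of a complete transfer; raises if the answer is not a well-formed AXFR."""
    records = parse_axfr(text)
    if len(records) < 2 or records[0][3] != "SOA" or records[-1][3] != "SOA":
        raise ValueError("incomplete or refused transfer: not bracketed by SOA records")
    if records[0][4] != records[-1][4]:
        raise ValueError("zone changed mid-transfer: leading and trailing SOA differ")
    return int(records[0][4][2])  # SOA rdata: mname rname serial refresh retry expire minimum

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when a is 'newer' than b modulo 2**32."""
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))

def slave_will_refresh(master_axfr, slave_serial):
    """A slave pulls the zone only when the master's serial is newer than its own, which is
    why a serial that is never incremented (the concern raised in the thread) stalls updates."""
    return serial_gt(soa_serial(master_axfr), slave_serial)
```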
Re: [Freeipa-users] Desperate help requested.
On Sun, Aug 26, 2012 at 6:05 AM, KodaK sako...@gmail.com wrote:
> I've just been informed by my boss's boss's boss that, and I quote from his ridiculous email: "we cannot use anything other than MS AD for authentication"
>
> I've spent months of time and much effort rolling out IPA, consolidating authentication across our Linux and AIX machines.
>
> To paraphrase Babbage: I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement.
>
> Regardless, I need some help. I need some help with comparisons between FreeIPA and AD, and the problems and issues one might encounter when trying to authenticate Unix machines against AD. Anything that can show IPA being superior to AD for *nix authentication. Anything at all. We have a similar number of AIX and Linux servers.
>
> We have a week before we have a meeting to discuss this, and I'd like to be armed to the teeth, if at all possible.

hi,

you need to explain to upper management why using IPA your company will save money. They usually understand that sort of talk. Write a business case. In the documentation (both from RHEL and from freeipa.org) you will get plenty of useful info.

Magnify the points where AD comes short for your use case (selinux, sudo, automounts, service credentials management - having used ktpass.exe I was amazed at how nice the keytab capabilities are from ipa -, hostgroups, ssh public key management, ..., the list goes on and on). Explain that *that* will not change and how much money it will cost your business (admin hours, security risks, missed compliance).

Explain why the future is in the trust model in ipa v3.

Explain that Windows admins are not expected to run a Windows network without AD, so why are Linux/AIX admins expected to run a network without a proper Linux/AIX identity management solution.

I feel your pain and can understand why you are upset, but try not to take this all personally. In the end, it is not your network.

Regards,
Natxo
Re: [Freeipa-users] Desperate help requested.
Thanks, everyone, for your input. It has helped tremendously.

--Jason

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] Desperate help requested.
Hi,

LOL, your problem is like my problem: we have Windows trained and educated managers, project managers and architects.

Well, on the plus side for IPA:

Go to Centrify or Likewise as 2 examples and get a quote to authenticate against AD. We got an educational price that made my jaw drop. In the region of $600 per server and $60 per user plus 25% support per year was typical across all three products, v IPA which is free with one copy of RH. I think you'll find it a lot cheaper.

The thing is, the above are hacks; if you want to do much with them you end up with their scripts on your machines all over the place and even writing your own. Have an issue and RH won't know where to turn. With Likewise for instance you may end up getting all your support via them, which can add cost and delays as well. Here in NZ at least there is no real local support for these products: you ring an 0800 number (if you are lucky) and get told it's 2am US time and to ring back in 8 hours... bad joke.

The big thing is IPA has depth, and a great road map. It's not just simple authenticate and authorise... you can control services with detail (like ssh only) and sudo... big pluses. Now the likes of Centrify say they can and that's true, if you code yourself or pay them to do it, or there is an existing script.

Also look at the training and deployment costs of IPA v something like Centrify... with IPA and 4 days RH training you will probably be able to do a decent sized rollout... Centrify, well you might find you need a consultant or 2 at $2k a day.

On the minus side, IPA isn't yet mature/stable enough, IMHO. If our/my experiences are anything to go by it needs at least another 6 to 12 months to work out the bugs, get the documentation usable and get RH support up to speed, but that will come.

NB anyone on 6.2 and thinking of going to 6.3: it seems the chances of serious outages are significant.
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Natxo Asenjo [natxo.ase...@gmail.com]
Sent: Tuesday, 28 August 2012 12:17 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.