Re: [Freeipa-users] ip changed

2012-08-30 Thread Martin Kosek
On 08/30/2012 05:38 AM, george he wrote:
> Hello all,
> I have free-ipa set up on my lab machines all running Fedora 17.
> Today the lab was moved to another building on campus and the IPs have to be
> changed.
> Now that the IPs are changed, I cannot even run kinit on the ipa-server.
> The error message returned with kinit is "connot contact any KDC for realm
> MYREALM while getting initial credentials"
> What I have done to change the IPs is to run system-config-network, modify the
> file /etc/hosts, and call the IT department to update the DNS server entries.
> What else do I need to do to make the ipa work with the new IPs?
> Thanks in advance for your help,
> George
> 

If you have FreeIPA with DNS support, you also need to update the FreeIPA server
A records in LDAP. The ipa "dnsrecord-mod" command should be able to do that
if you have /etc/hosts set properly.

Besides that, you should be OK with the changes you already requested.
The important thing is that the hostname cannot change, which as I understand is not
the issue.

With the changes I described, does the FreeIPA server start and work for you?
If not, please send error messages and we can sort it out.

Thank you,
Martin
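A small check for the two points raised in this thread (stale /etc/hosts entries and the server A record that still has to be rewritten), written as an added example that is not part of the thread. It assumes the server FQDN, its DNS zone and the new address are passed in, and that "ipa dnsrecord-mod ZONE NAME --a-rec=IP" replaces the name's A record set:

```shell
#!/bin/sh
# Added example, not from the thread: after a FreeIPA server is renumbered,
# report /etc/hosts lines that still map its hostname to an old address and
# print the ipa command that rewrites the server's A record in LDAP.
# Assumed inputs: the server FQDN, its DNS zone and the new IP address.

# stale_hosts_entries FILE FQDN NEW_IP
# Prints each non-comment line of FILE that names FQDN with an address
# other than NEW_IP (the "stale IP entries" mentioned in the thread).
stale_hosts_entries() {
    awk -v fqdn="$2" -v ip="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == fqdn && $1 != ip) { print; next } }
    ' "$1"
}

# resolves_to FQDN NEW_IP
# Succeeds when the name resolves (via nsswitch: /etc/hosts, then DNS) to
# NEW_IP, which is what the KDC lookup behind kinit ultimately depends on.
resolves_to() {
    getent hosts "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# dnsrecord_mod_cmd ZONE FQDN NEW_IP
# Prints the ipa command that replaces the A record set of FQDN with NEW_IP;
# --a-rec sets the whole list, so the old address is dropped.
dnsrecord_mod_cmd() {
    zone=$1; fqdn=$2; new=$3
    short=${fqdn%".$zone"}
    printf 'ipa dnsrecord-mod %s %s --a-rec=%s\n' "$zone" "$short" "$new"
}

# Usage: sh renumber-check.sh ipa.lab.example.com lab.example.com 10.2.2.5
if [ $# -eq 3 ]; then
    fqdn=$1; zone=$2; new=$3
    echo "stale /etc/hosts entries:"
    stale_hosts_entries /etc/hosts "$fqdn" "$new"
    resolves_to "$fqdn" "$new" || echo "warning: $fqdn does not resolve to $new"
    echo "run after kinit admin:"
    dnsrecord_mod_cmd "$zone" "$fqdn" "$new"
fi
```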

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread David Juran
On lör, 2012-08-25 at 23:05 -0500, KodaK wrote:
> I've just been informed by my boss's boss's boss that, and I quote
> from his ridiculous email:
> 
> "we cannot use anything other than MS AD for authentication"
> 
> I've spent months of time and much effort rolling out IPA,
> consolidating authentication across our Linux and AIX machines.  To
> paraphrase Babbage: I am not able rightly to apprehend the kind of
> confusion of ideas that could provoke such a statement.
> 
> Regardless, I need some help.  I need some help with comparisons
> between FreeIPA and AD, and the problems and issues one might
> encounter when trying to authenticate Unix machines against AD.
> Anything that can show IPA being superior to AD for *nix
> authentication.  Anything at all.  We have a similar number of AIX and
> Linux servers.  We have a week before we have a meeting to discuss
> this, and I'd like to be armed to the teeth, if at all possible.

Apart from what everyone else already pointed out, I believe that if you
register the Linux host in the AD, you'll need to purchase a CAL for
it...

/David



Re: [Freeipa-users] ip changed

2012-08-30 Thread Rob Crittenden

You might want to check /etc/hosts too to be sure that it doesn't have 
stale IP entries.


rob



Re: [Freeipa-users] KISS: DHCP from IPA

2012-08-30 Thread Chris Evich

On 08/29/2012 03:52 PM, Rob Crittenden wrote:

Chris Evich wrote:

On 08/29/2012 11:57 AM, John Dennis wrote:

Thanks for the contribution Chris!

Just as an aside if you know Python you can call the IPA commands
directly and use Python to extract and reformat the data, it might be a
lot simpler than doing the bash/awk dance.



I agree that using bash/sed/awk is a bit clunky. I actually did stumble
on the python stuff by accident, but wasn't able to find much reference
/ examples for how to use it. At the time I just needed something quick
to toss-together. Maybe the python docs/examples are different today,
any links handy?



I seem to recall this came up on either freeipa-users or freeipa-devel
but I can't find the thread. Some decent examples got posted.

Here is something I've been twiddling with to add users from a
well-formatted passwd file:

import sys
import re
from ipalib import api
from ipalib import errors

filename = 'passwd'
# GECOS of the form "First M Last"; anything else gets placeholder names
name_pattern = re.compile(r'(\w+) \w (\w+)')

# Set up the ipalib API in CLI mode and connect to the server
api.bootstrap(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

count = 0
fd = open(filename, 'r')
while True:
    line = fd.readline()
    if not line:
        break
    line = unicode(line.strip())
    try:
        # Standard seven-field passwd layout
        (login, passwd, uid, gid, gecos, dir, shell) = line.split(':')
    except ValueError as e:
        print "mal-formed passwd entry: %s (%s)" % (e, line)
        continue
    m = name_pattern.match(gecos)
    if m:
        first = m.group(1)
        last = m.group(2)
    else:
        first = u'USER'
        last = u'NAME'

    try:
        # Call the user-add command directly instead of shelling out to 'ipa'
        api.Command['user_add'](login, gidnumber=int(gid),
                                uidnumber=int(uid),
                                gecos=gecos.strip(), homedir=dir, shell=shell,
                                givenname=first, sn=last)
    except errors.DuplicateEntry:
        print "%s already exists" % login
        continue
    ...

rob


Thanks! That helps.  Still, one can only get so far by reading 
docstrings :)  More examples like this on the wiki, or (even better) 
some API docs would be great!


--
Chris Evich, RHCA, RHCE, RHCDS, RHCSS
Quality Assurance Engineer
e-mail: cevich + `@' + redhat.com o: 1-888-RED-HAT1 x44214



Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread Steven Jones
Hi,

Also, if it's straight into AD, I'm not aware you can use AD to control Linux
authentication and authorisation adequately without something like Likewise or
Centrify. I think the best you can do is one group?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


Re: [Freeipa-users] Desperate help requested.

2012-08-30 Thread Steven Jones
Hi,

The biggest thing is really sheer control. With the best will in the world, AD
is not Unix orientated.

You can control who logs in to a server and from where, you can control who
gets root remotely (or any other su - *) via IPA's sudo module. You can control
what they can do, like no FTP, allow SSH, no login (console), sudo, and it's all
easy to add users to and from via the web UI (once you get the hang of it).

I've gone through what you have gone through; I feel your pain. The problem is
really that Windows people don't understand and don't want to. I think it's fear; it
certainly isn't logic.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
