[Freeipa-users] Winsync

2015-10-27 Thread Srdjan Dutina
Hi!

Is syncing (winsync) users and passwords from MS Active Directory
deprecated in FreeIPA 4.x?
If not, is there some documentation on how to use it?

Additionally, when using a FreeIPA - AD trust, is it possible for a user from
the trusted domain to log on to the FreeIPA web UI?


Thanks!
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Winsync

2015-10-27 Thread Srdjan Dutina
Hi Aleksander and Tomas, thanks for the quick responses!

I find the trust-based solution more advanced but also more complicated - two
sites, one with FreeIPA and the other with an AD domain, limited communication
from the FreeIPA to the AD site, FreeIPA not aware of AD sites, questionable use of
RODCs and Kerberos which heavily depends on DNS. An acceptable solution would
be public key login for my AD users, but they are not able to log in to the Free
IPA web UI to update their SSH keys.
So Winsync seems like a simpler solution here.

Regards,
Srdjan.



On Tue, Oct 27, 2015 at 6:20 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 27 Oct 2015, Tomas Babej wrote:
>
>> On 10/27/2015 05:51 PM, Srdjan Dutina wrote:
>>
>>> Hi!
>>>
>> Hello Srdjan,
>>
>>> Is syncing (winsync) users and passwords from MS Active Directory
>>> deprecated in FreeIPA 4.x?
>>> If not, is there some documentation on how to use it?
>>>
>> Winsync synchronization is not deprecated as of now, but we are trying
>> to move away from it in favor of the trust-based solution. I would
>> certainly encourage you to try that before using winsync.
>>
> Documentation is in the 'Windows Integration Guide':
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> Chapter 7 covers winsync.
>
>>> Additionally, when using FreeIPA - AD trust, is it possible for user from
>>> trusted domain to log on to FreeIPA web UI?
>>>
>> Yes.
>>
> No. AD users cannot login to web UI. We are planning to add this
> possibility in FreeIPA 4.4 or around that time, to allow AD users to
> manage parts of their ID overrides.
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Srdjan Dutina
Hi!

I'm testing FreeIPA 4.1.0 on Centos 7 (1503).
I have a *wildcard* certificate for my domain issued by GoDaddy.
Could I use it with the FreeIPA primary and replica servers instead of the
self-signed certificate?
If yes, how could I replace the self-signed certificate in the existing
two-server installation?

Thank you.

Srdjan.

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-21 Thread Srdjan Dutina
Yes, it does. Thank you.

On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina sdut...@gmail.com wrote:

> Sorry for the misunderstanding.
>
> I understand HBAC rules will not work for Centos 5. I just wanted to make
> sure disabling the allow all rule and adding new HBAC rules won't interfere
> with AD users logging on Centos 5.
>
> On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com
> wrote:
>
>> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>>> Just found in
>>> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next
>>> sentence: If you have HBAC's allow_all rule disabled, you will need to
>>> allow system-auth service on the FreeIPA master, so that authentication
>>> of the AD users can be performed.
>>> Is this true for FreeIPA 4.1.0 also and how could I do this?
>> Either you are reading it wrong or I don't get where you want to apply
>> HBAC rules because this is for IPA masters, not legacy clients per se.
>> Yes, you need to create HBAC service named 'system-auth' and grant
>> access to it to AD users on IPA masters, but all it will allow you is to
>> authenticate AD users via compat tree.
>>
>> If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD users
>> cannot be checked by those rules.
>>
>> --
>> / Alexander Bokovoy



Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Thanks for the quick answer!

If I disable the HBAC rule, I can still login to the Centos 5 client using an IPA
user, but not using an AD user. Is there a workaround?
I need allow_all disabled because of newer IPA clients.




On Mon, Apr 20, 2015 at 4:30 PM Alexander Bokovoy aboko...@redhat.com
wrote:

> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> Hi,
>>
>> Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust.
>>
>> For Centos 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If
>> yes, does this apply to AD users also?
> SSSD 1.5.1 does not have SUDO support.
>
> HBAC support in 1.5.1 will most likely not work with compat tree that is
> required for legacy clients to support AD users. I don't think this
> was even tested.
>
> --
> / Alexander Bokovoy


[Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Hi,

Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust.

For Centos 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If
yes, does this apply to AD users also?

Thank you!

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Just found in
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
sentence: "If you have HBAC's allow_all rule disabled, you will need to
allow system-auth service on the FreeIPA master, so that authentication of
the AD users can be performed."
Is this true for FreeIPA 4.1.0 also, and how could I do this?

On Mon, Apr 20, 2015 at 4:51 PM Alexander Bokovoy aboko...@redhat.com
wrote:

> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> Thanks for the quick answer!
>>
>> If I disable the HBAC rule, I can still login to the Centos 5 client using an IPA
>> user, but not using an AD user. Is there a workaround?
>> I need allow_all disabled because of newer IPA clients.
> There is no workaround so far.
>
> --
> / Alexander Bokovoy


Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Sorry for the misunderstanding.

I understand HBAC rules will not work for Centos 5. I just wanted to make
sure disabling the allow all rule and adding new HBAC rules won't interfere
with AD users logging on Centos 5.

On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com
wrote:

> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> Just found in
>> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next
>> sentence: If you have HBAC's allow_all rule disabled, you will need to
>> allow system-auth service on the FreeIPA master, so that authentication
>> of the AD users can be performed.
>> Is this true for FreeIPA 4.1.0 also and how could I do this?
> Either you are reading it wrong or I don't get where you want to apply
> HBAC rules because this is for IPA masters, not legacy clients per se.
> Yes, you need to create HBAC service named 'system-auth' and grant
> access to it to AD users on IPA masters, but all it will allow you is to
> authenticate AD users via compat tree.
>
> If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD users
> cannot be checked by those rules.
>
> --
> / Alexander Bokovoy

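The 'system-auth' HBAC service that Alexander describes above, as an added illustration that is neither part of the thread nor FreeIPA's own code: a toy model of HBAC rule evaluation, with hypothetical host, group and rule names, showing why an AD user authenticated through the compat tree needs that rule on the IPA masters once allow_all is disabled.

```python
# Added illustration, not FreeIPA code: a minimal model of HBAC evaluation.
# With allow_all disabled, an AD user coming in through the compat tree is
# checked against 'system-auth' on the IPA master, not on the legacy client.
from dataclasses import dataclass

ALL = "all"  # stands in for an HBAC category of 'all'


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: object = ALL      # set of user or group names, or ALL
    hosts: object = ALL      # set of host FQDNs, or ALL
    services: object = ALL   # set of HBAC service names, or ALL


def _in_scope(scope, candidates):
    return scope == ALL or any(c in scope for c in candidates)


def hbac_allowed(rules, user, groups, host, service):
    """HBAC is allow-only: access is granted if at least one enabled rule
    matches the user (directly or via a group), the host and the service."""
    return any(
        r.enabled
        and _in_scope(r.users, {user, *groups})
        and _in_scope(r.hosts, {host})
        and _in_scope(r.services, {service})
        for r in rules
    )


# Equivalent CLI (hypothetical names):  ipa hbacrule-disable allow_all
#   ipa hbacsvc-add system-auth ; ipa hbacrule-add allow_systemauth
#   ipa hbacrule-add-service allow_systemauth --hbacsvcs=system-auth
#   ipa hbacrule-add-host allow_systemauth --hosts=ipa1.example.test
#   ipa hbacrule-add-user allow_systemauth --groups=ad_users
# 'ad_users' is a POSIX group containing the external group mapped to the AD
# users; that mapping is how an AD user can appear in an HBAC rule at all.
RULES = [
    HbacRule("allow_all", enabled=False),
    HbacRule("allow_systemauth", users={"ad_users"},
             hosts={"ipa1.example.test"}, services={"system-auth"}),
    HbacRule("ssh_ipa_users", users={"ipausers"},
             hosts={"c7client.example.test"}, services={"sshd"}),
]


def compat_auth_ok(user, groups):
    """Compat-tree authentication is an HBAC check for 'system-auth' on the
    IPA master, regardless of which legacy client the login happens on."""
    return hbac_allowed(RULES, user, groups, "ipa1.example.test", "system-auth")
```

The third rule shows the other half of the thread: an IPA user on a newer client is governed by an ordinary sshd rule, which a legacy client cannot evaluate for AD users at all.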

[Freeipa-users] FreeIPA with Active directory Read-only domain controller trust setup

2015-03-30 Thread Srdjan Dutina
Hi,

I'm testing a FreeIPA (v4.1.3, Centos 7) - AD (2012 R2) trust on a branch site
where only an AD read-only domain controller (RODC) exists.
I'm aware that for the initial establishing of the trust I need access to a writable
domain controller so IPA can add the trust to AD domains and trusts.
But after the initial setup, can the FreeIPA-AD trust continue to function with IPA
access to the RODC only? Will Kerberos authentication of AD users on IPA domain
hosts work?
In this case, should the FreeIPA server have a DNS forward zone configured with the
RODC as a forwarder to AD?
AD users have cached passwords on the RODC, so authentication is possible in
case of WAN link failure.

Thanks!

Re: [Freeipa-users] Active Directory Kerberos authentication on older versions of IPA clients

2015-03-28 Thread Srdjan Dutina
Hi Jakub,

Thanks for the quick response. Yes, they were acting up.
I tried to configure them the other day but obviously misconfigured
something.

Thanks again!

[Freeipa-users] Active Directory Kerberos authentication on older versions of IPA clients

2015-03-27 Thread Srdjan Dutina
Hi,

I created the following test environment:

1. IPA server: v4.1.3 on Centos 7
2. Two-way trust with Active directory domain - Windows server 2012 R2
3. Connected multiple IPA clients to the IPA domain:
   - Fedora 21 - v4.1.3
   - Centos 7 - v3.3.3
   - Centos 6.6 - v3.0.0

Using a Kerberos ticket for an AD user, I'm able to ssh to the IPA server and Fedora
client, but not to the Centos clients, which have older IPA client versions.
These clients just skip gssapi-with-mic auth and continue to password login
(which is successful).

Just to add that I can obtain a Kerberos ticket using the 'kinit' command for the AD
user from all clients and also get user and group IDs using the 'id' command.

Additionally, is it possible to join a Centos 5 client to the latest IPA server?

Thank you.