[Freeipa-users] AIX vs HBAC
Hello freeipa-users mailing list,

Whenever we configure an AIX client on Red Hat IPA, every IPA user can log in on AIX; we have not found a way to restrict their access. We are wondering if there has been some success story with managing HBAC on AIX?

Thanks in advance
Sylvain
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] deleted ipa admin groups
Hello

Someone deleted the admin group by mistake; how can we recover from this? No one can change a password, and no other admin task is allowed. But we have the Directory Server password. The remaining group is "ipausers", and we had only the default groups.

Please, any help will be appreciated
--
Sylvain Angers
[Freeipa-users] error: Realm not local to KDC
Hello

Please help me troubleshoot the following issue, thank you in advance!

Some rhel6.2 hosts have a problem authenticating against IPA v2.2, while some others on the same domain have no issue but still get the same error "Failed to init credentials: Realm not local to KDC".

hostname of client that works = mtl-vdi02d.cnppd.lab
hostname of client that does not work = mtl-vdi08d.cnppd.lab
all VMs on RHEV

The ipa server (mtl-ipa01d.unix.cnppd.lab) is on unix.cnppd.lab because we have AD; the ipa clients are on cnppd.lab. Windows machines are also on cnppd.lab, connected to "Active Directory", so we have a stub that redirects requests for unix.cnppd.lab onto our ipa. Clients can resolve ipa and vice versa:

[root@mtl-vdi08d log]# nslookup mtl-ipa01d.unix.cnppd.lab
Server: 165.115.58.16
Address: 165.115.58.16#53

Non-authoritative answer:
Name: mtl-ipa01d.unix.cnppd.lab
Address: 165.115.118.21

[root@mtl-vdi08d log]# nslookup unix.cnppd.lab
Server: 165.115.58.16
Address: 165.115.58.16#53

Non-authoritative answer:
Name: unix.cnppd.lab
Address: 165.115.118.21

[root@mtl-vdi08d log]# cat /etc/resolv.conf
# Generated by NetworkManager
domain cnppd.lab
search cnppd.lab cn.ca
nameserver 165.115.58.16

We all get this message in our logs:

(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1943]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1944]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1945]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1946]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:11:46 2013) [[sssd[ldap_child[1947]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1954]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:55 2013) [[sssd[ldap_child[1955]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1956]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1957]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC
(Tue Jan 15 17:12:56 2013) [[sssd[ldap_child[1958]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Realm not local to KDC

While I can reinstall ipa-client on mtl-vdi02d and it will still work, if I do the same with mtl-vdi08d it will still not work:

[root@mtl-vdi08d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi08d.cnppd.lab
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@unix.cnppd.lab:
Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.
[root@mtl-vdi08d ~]#

See the "Unable to find 'admin' user with 'getent passwd admin'!" message.

[root@mtl-vdi08d log]# getent passwd t154793
[root@mtl-vdi08d log]#

[root@mtl-vdi02d t154793]# getent passwd t154793
t154793:*:194764:194764:Sylvain Angers:/home/t154793:/bin/bash
[root@mtl-vdi02d t154793]#

What could be the cause? Any assistance would be appreciated.

Thank you!
--
Sylvain Angers
[Freeipa-users] IBM Tivoli Identity Manager connector to manage IPA
Hello all,

Within our organisation, we use IBM Tivoli Identity Manager connectors to provision users/groups onto all our different types of systems. Currently there are as many connectors as we have unix boxes. As each unix box uses local auth, we use ITIM to push users/groups to local files... We have been investigating IPA for a while, and now we wonder if a regular LDAP connector from IBM Tivoli Identity Manager could be used to feed IPA, so we would have one connector to manage our UNIX boxes via IPA. Our security folks would continue to have one single interface to do user/group provisioning.

I found out that there is already an ITIM LDAP connector available, but is there such a thing as an ldap interface to manage ipa? Or is the only way to get ITIM to manage IPA via a new connector built from remote ipa command lines?

Thank you!
--
Sylvain Angers
[Freeipa-users] admin account deleted from webui
Hello

Someone deleted the admin account by mistake; how can we recover from this?

Thank you!
--
Sylvain Angers
[Freeipa-users] proxy with Active Directory
Hello

Our security group has concerns with copying username/password from AD and might not allow this synchronisation to even happen. Is there a way to configure ipa to go get username/password via some kind of proxy?

Thank you!
--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
2012/3/8 Brian Cook

> Also, I would not use 'delegation record' from AD, use conditional
> forwarding for *.unix.abcd.ca. Your AD admins should know how to do it.
>
> ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079
>
> On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>
> > On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
> > > Alright!
> > >
> > > I am now requesting to our DNS team
> > > please delegate dns zone "unix.abcd.ca" to ???
> >
> > the ip address of your ipa server, they will know what questions to
> > ask :)
> >
> > > Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or
> > > ipaserver.abcd.ca?
> > > does it matter?
> >
> > It does, the IPA server DNS domain is what matters for the first master.
> > So it should be .unix.abcd.ca
> >
> > So that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use
> > the standard configuration).
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

Hello

Still have the same issue "unable to find 'admin' user with 'getent passwd admin'!"

I redid both client and servers, no selinux, no firewall.
Our dns team did set soa unix.cnppd.lab to point to my ipa server.
I had to put a manual entry in /etc/hosts:
165.115.118.21 mtl-ipa01d.unix.cnppd.lab mtl-ipa01d

then set up my ipa server with the following:

ipa-server-install -a xxx --hostname=mtl-ipa01d.unix.cnppd.lab -n unix.cnppd.lab -p x -r UNIX.CNPPD.LAB --setup-dns --forwarder=165.115.52.21 --forwarder=165.115.51.21

Server host name [mtl-ipa01d.unix.cnppd.lab]:
Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
The IPA Master Server will be configured with
Hostname: mtl-ipa01d.unix.cnppd.lab
IP address: 165.115.118.21
Domain name: unix.cnppd.lab

Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
Using reverse zone 118.115.165.in-addr.arpa.

Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==
Setup complete

I set up my client with:

[root@mtl-vdi01d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --realm=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi01d.cn.ca
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@unix.cnppd.lab:
Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

You can see that ipa did enroll my client:

[root@mtl-ipa01d ~]# ipa host-find
---
2 hosts matched
---
Host name: mtl-ipa01d.unix.cnppd.lab
Principal name: host/mtl-ipa01d.unix.cnppd@unix.cnppd.lab
Keytab: True
Password: False
Managed by: mtl-ipa01d.unix.cnppd.lab

Host name: mtl-vdi01d.cn.ca
Certificate: MIIDhTCCAm2gAwIBAgIBDDANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKEw5VTklYLkNOUFBELkxBQjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDMxMzE4Mjc0MVoXDTE0MDMxNDE4Mjc0MVowNDEXMBUGA1UEChMOVU5JWC5DTlBQRC5MQUIxGTAXBgNVBAMTEG10b
Re: [Freeipa-users] need info on AD / IPA coexistence
Alright!

I am now requesting to our DNS team
please delegate dns zone "unix.abcd.ca" to ???

Question: should the ipa server fqdn be ipaserver.unix.abcd.ca or ipaserver.abcd.ca?
does it matter?

thanks

2012/3/8 Simo Sorce

> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> > Hi Again
> > Our current Linux/AIX servers fqdn should remain on abcd.ca domain
> >
> > I need advice: Should the ipa server fqdn be ipa.abcd.ca or
> > ipa.unix.abcd.ca?
>
> You can have machines on a different DNS domain with FreeIPA.
> So you can use unix.abcd.ca for your IPA server and still install
> clients in abcd.ca.
>
> I think the only thing you should take care of is to make sure a
> abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm]
> section is available on all machines of the domain to avoid issues
> resolving the correct realm for clients in the other domain.
>
> On clients this should be automated in the very last release but the ipa
> server needs to be configured after install.
>
> > and on the Linux/AIX server, should we add entry of both dns (ipa and
> > Microsoft AD) in resolv.conf?
>
> No, that would not work. What you should do is ask your DNS admin to
> delegate you the unix.abcd.ca zone. Once that is done it doesn't matter
> which DNS you are querying they will know who to ask.
> If delegation is not possible you could still use named forwarders in
> both IPA and AD so that each DNS server still know where to forward
> requests for the specific domain. This again will allow you to use
> whatever DNS your network uses and have queries properly forwarded
> around.
>
> > domain unix.abcd.ca
> > search unix.abcd.ca abcd.ca
> > nameserver ipa_adress
> > nameserver ad_adress
>
> No, don't do this as a way to not configure the DNS servers, it won't
> work and will cause really confusing mis-behaviors if the DNS servers
> themselves do not know how to talk to each other.
>
> If delegation of zones or forwarding is properly set up though then this
> scheme would allow you to have a fallback when either infrastructure is
> temporarily unreachable.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Sylvain Angers
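The krb5.conf [domain_realm] mapping Simo recommends above decides which realm a Kerberos client attaches to a host name, so a client whose DNS domain (abcd.ca) differs from the IPA domain (unix.abcd.ca) needs its own entry. The following is an added example, not code from the thread or from FreeIPA: it parses the [domain_realm] section of a krb5.conf and resolves a host name the way MIT libkrb5 does (exact host match first, then progressively shorter parent domains prefixed with a dot, then default_realm). The krb5.conf text, the host names and the `ABCD.CA` realm used for a hypothetical AD domain controller exception are constructed samples.

```python
"""Added example: model the krb5.conf [domain_realm] lookup used by
Kerberos clients, with the abcd.ca -> UNIX.ABCD.CA mapping from the
thread.  Not part of FreeIPA; configs below are constructed samples."""

import re


def parse_domain_realm(krb5_conf_text):
    """Return ({host-or-.domain: REALM}, default_realm) from krb5.conf text.
    Keys are lower-cased; values keep the realm's case (realms are
    case-sensitive in Kerberos).  Only [domain_realm] and
    [libdefaults] default_realm are read; other sections are ignored."""
    section = None
    mapping = {}
    default_realm = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "domain_realm":
            mapping[key.lower()] = value
        elif section == "libdefaults" and key == "default_realm":
            default_realm = value
    return mapping, default_realm


def realm_for_host(hostname, mapping, default_realm=None):
    """Resolve the realm for `hostname` following the [domain_realm] rules:
    1. an entry for the exact host name wins;
    2. otherwise the parent domains are tried, most specific first
       (".unix.abcd.ca", then ".abcd.ca", then ".ca");
    3. with no match, default_realm (None here if the caller gives none)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default_realm


# Constructed sample: what a client's krb5.conf looks like when only the IPA
# domain is mapped, i.e. before the mapping Simo describes is added.
KRB5_CONF_WITHOUT_MAPPING = """
[libdefaults]
  default_realm = UNIX.ABCD.CA
  dns_lookup_realm = false

[domain_realm]
  .unix.abcd.ca = UNIX.ABCD.CA
  unix.abcd.ca = UNIX.ABCD.CA
"""

# Same file with the abcd.ca -> UNIX.ABCD.CA mapping added, plus a
# hypothetical exact-host exception so an AD domain controller that also
# lives in abcd.ca keeps its own (assumed) realm name ABCD.CA.
KRB5_CONF_WITH_MAPPING = KRB5_CONF_WITHOUT_MAPPING + """
  .abcd.ca = UNIX.ABCD.CA
  abcd.ca = UNIX.ABCD.CA
  dc1.abcd.ca = ABCD.CA        # hypothetical AD DC, assumed realm name
"""

if __name__ == "__main__":
    for label, text in (("without", KRB5_CONF_WITHOUT_MAPPING),
                        ("with", KRB5_CONF_WITH_MAPPING)):
        mapping, default = parse_domain_realm(text)
        for host in ("ipa1.unix.abcd.ca", "client.abcd.ca", "dc1.abcd.ca"):
            print("%s mapping: %-18s -> %s" % (label, host,
                  realm_for_host(host, mapping)))
```

Without the extra entry, a host in abcd.ca has no [domain_realm] match at all and the client falls back to default_realm (or, with DNS realm lookup enabled, to DNS), which is why the mapping has to be present on every machine of the domain rather than on the IPA server alone. The exact-host entry shows the precedence rule: it beats the `.abcd.ca` wildcard for that one name.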
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi Again

Our current Linux/AIX servers' fqdn should remain on the abcd.ca domain.

I need advice: Should the ipa server fqdn be ipa.abcd.ca or ipa.unix.abcd.ca?

and on the Linux/AIX servers, should we add entries for both dns (ipa and Microsoft AD) in resolv.conf?

domain unix.abcd.ca
search unix.abcd.ca abcd.ca
nameserver ipa_adress
nameserver ad_adress

Thanks
--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
>is abcd.ca your windows domain ?

yes

in this example:

ipa-server-install -a xx \
    --hostname=ipa1.unix.abcd.ca \
    -n unix.abcd.ca \
    -p xxx \
    -r UNIX.ABCD.CA \
    --subject=subject_DN \        # Sets the base element for the subject DN of the issued certificates. This defaults to O=realm.
    --forwarder=ad_dns.abcd.ca \
    --no-reverse \                # Does not create a reverse DNS zone when the DNS domain is set up.
    --setup-dns \
    --idmax=number \              # ??? Sets the upper bound for IDs which can be assigned by the IPA server. The default value is the ID start value plus 19.
    --idstart=1                   # will have to check with AD

I guess the IPA server will become the unix master DNS for UNIX
current unix server fqdn will remain on abcd.ca
current unix servers will have dns, ntp, kdc, ldap from ipa
realm will be equal to domain name = unix.abcd.ca

When I have resolved the "getent passwd admin" issue I believe I will be able to su - admin on any unix server and will be able to start thinking about what's next, like winsync
then create ipa slave = ipa2.unix.abcd.ca
Define SRV in bind unix.abcd.ca
test all our supported Unix platforms, especially AIX

Has anyone been successful in hooking their HP iLO, RHEV manager to IPA?

Will have to convince many people to achieve this set-up, but I am sure it is worth it!

Thank you! you guys Rock!
Sylvain

2012/3/8 Ondrej Valousek

> Side note:
> You can manage AD integrated DNS from unix host easily with just 'nsupdate
> -g' - so theoretically (ok I understand you have to have a proper Kerberos
> TGT...) IPA client could be able to autoconfigure (create all the necessary
> SRV records) AD DNS, too. Not sure if we even wanted that. but
> theoretically, it should be possible.
>
> Ondrej
>
> On 03/07/2012 08:11 PM, Simo Sorce wrote:
> > On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
> > > Hello All,
> > > We are facing the same difficulties here with coexistence with
> > > Microsoft AD on the same network
> > >
> > > Whenever I run ipa-client-install
> > >
> > > # ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
> > > DNS domain 'unix' is not configured for automatic KDC address lookup.
> > > KDC address will be set to fixed value.
> > >
> > > Discovery was successful!
> > > Hostname: client.abcd.ca
> > > Realm: UNIX
> > > DNS Domain: abcd.ca
> > > IPA Server: server.abcd.ca
> > > BaseDN: dc=unix
> >
> > is abcd.ca your windows domain ?
> >
> > although we support specifying a realm that is not identical to the DNS
> > domain I strongly suggest you do not do so if you do not want to
> > experience some trouble and to assign to your UNIX domain its own DNS
> > domain that matches the realm. If you do not do that things can still
> > work, but not w/o some minor annoyances.
> > For example discovery will fail as you find out because the DNS domain
> > is owned by the AD realm. You also have to make sure you properly map
> > realms to domains correctly in various clients.
> >
> > Simo.
>
> --
> Silicon and Software Systems Limited. Registered in Ireland no. 378073.
> Registered Office: South County Business Park, Leopardstown, Dublin 18

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
3 > ldap [ACK] Seq=229 Ack=1349 Win=17536 Len=0 TSV=5217251 TSER=15563619
31.907040 165.115.207.219 -> 165.115.40.149 LDAP searchResEntry(1) ""
31.907054 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229 Ack=2314 Win=20224 Len=0 TSV=5217256 TSER=15563619
31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A prg-yd-i02.cn.ca
31.907883 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.212.167
31.911870 165.115.40.149 -> 165.115.212.167 KRB5 AS-REQ
31.995533 165.115.212.167 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.996253 165.115.40.149 -> 165.115.207.219 LDAP unbindRequest(2)

It does this snippet on every AD server before getting back empty.

We wonder if we need to create a subdomain with a FreeIPA master of that subdomain...

Any help would be appreciated
Regards
--
Sylvain Angers
Re: [Freeipa-users] Aix client configuration
2012/1/25 Rob Crittenden

> Sylvain Angers wrote:
>
>> Hello
>> In our lab, we are testing the latest ipa on redhat and we are now
>> configuring/testing an IBM/AIX client 6.1
>>
>> Here is the ipa server command that we used:
>> ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.lab -n cnppd.lab -p ldap123 -r CNPPD.LAB
>>
>> We are following your documentation for the AIX client and have some issue
>> getting through the steps
>>
>> we had to install these filesets and we still fight modcrypt
>>
>> lslpp -L | grep idsldap
>>   idsldap.clt32bit61.rte     6.1.0.34    C     F    Directory Server - 32 bit
>>   idsldap.clt64bit61.rte     6.1.0.34    C     F    Directory Server - 64 bit
>>   idsldap.cltbase61.adt      6.1.0.34    C     F    Directory Server - Base Client
>>   idsldap.cltbase61.rte      6.1.0.34    C     F    Directory Server - Base Client
>>
>> lslpp -L | grep krb
>>   krb5.client.rte            1.5.0.2     C     F    Network Authentication Service
>>   krb5.client.samples        1.5.0.2     C     F    Network Authentication Service
>>   krb5.doc.en_US.html        1.5.0.2     C     F    Network Auth Service HTML
>>   krb5.doc.en_US.pdf         1.5.0.2     C     F    Network Auth Service PDF
>>   krb5.lic                   1.5.0.2     C     F    Network Authentication Service
>>   krb5.msg.en_US.client.rte  1.5.0.2     C     F    Network Auth Service Client
>>   krb5.server.rte            1.5.0.2     C     F    Network Authentication Service
>>
>> we did run the mksecldap command, as follows:
>>
>> mksecldap -c -h mtl-ipa01d.cnppd.lab -d cn=accounts,dc=cnppd,dc=lab -a uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab -p abc123
>>
>> and we got: Invalid bind DN or bind passwd. Client presetup check failed.
>>
>> Do we need to customize this command further? If so, what are we missing?
>> also, as we have not yet succeeded in making modcrypt work on our AIX 6.1,
>> we wonder if we will need (temporarily) to do some ldapmodify on the ipa
>> server to disable ssl?
>>
>> Thank you for your assistance!
>
> Did you create the entry uid=nss,cn=sysaccounts,cn=etc,... ?
>
> You can test that the password is correct independently with ldapsearch
> and the 389-ds access log may have additional information on the bind
> failure.
>
> rob

Hello Rob,

All I see at the moment is
uid=sudo,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab
uid=kdc,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab

whenever I create new users, they get created under uid=nss,cn=users,cn=accounts,dc=cnppd,dc=lab

How do we create uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab ? Is this something we have to do manually via ldapadd?
About the nss password: will the ldapadd be part of the command?

Thanks
--
Sylvain Angers
[Freeipa-users] Aix client configuration
Hello

In our lab, we are testing the latest ipa on redhat and we are now configuring/testing an IBM/AIX client 6.1.

Here is the ipa server command that we used:
ipa-server-install -a ipa123 --hostname=mtl-ipa01d.cnppd.lab -n cnppd.lab -p ldap123 -r CNPPD.LAB

We are following your documentation for the AIX client and have some issue getting through the steps.

We had to install these filesets and we still fight modcrypt:

lslpp -L | grep idsldap
  idsldap.clt32bit61.rte     6.1.0.34    C     F    Directory Server - 32 bit
  idsldap.clt64bit61.rte     6.1.0.34    C     F    Directory Server - 64 bit
  idsldap.cltbase61.adt      6.1.0.34    C     F    Directory Server - Base Client
  idsldap.cltbase61.rte      6.1.0.34    C     F    Directory Server - Base Client

lslpp -L | grep krb
  krb5.client.rte            1.5.0.2     C     F    Network Authentication Service
  krb5.client.samples        1.5.0.2     C     F    Network Authentication Service
  krb5.doc.en_US.html        1.5.0.2     C     F    Network Auth Service HTML
  krb5.doc.en_US.pdf         1.5.0.2     C     F    Network Auth Service PDF
  krb5.lic                   1.5.0.2     C     F    Network Authentication Service
  krb5.msg.en_US.client.rte  1.5.0.2     C     F    Network Auth Service Client
  krb5.server.rte            1.5.0.2     C     F    Network Authentication Service

We did run the mksecldap command, as follows:

mksecldap -c -h mtl-ipa01d.cnppd.lab -d cn=accounts,dc=cnppd,dc=lab -a uid=nss,cn=sysaccounts,cn=etc,dc=cnppd,dc=lab -p abc123

and we got: Invalid bind DN or bind passwd. Client presetup check failed.

Do we need to customize this command further? If so, what are we missing?
Also, as we have not yet succeeded in making modcrypt work on our AIX 6.1, we wonder if we will need (temporarily) to do some ldapmodify on the ipa server to disable ssl?

Thank you for your assistance! Appreciated
--
Sylvain Angers
Re: [Freeipa-users] migration plan from local accounts
>Let me know if there is anything unclear about AIX clients in the documentation on freeipa.org.

May I ask why there is a krb5 server as a requirement on a client?

Thanks

On 5 Jan 2012 19:50, "Simo Sorce" wrote:

> On Thu, 2012-01-05 at 18:27 -0500, Sylvain Angers wrote:
> > Hi again,
> >
> > by moving away from local account, to freeipa do we affect any of
> > these numbers?:
> >
> > -group name length limits
> > -group membership limits
> >
> > or they remain the same / as the under limit of the local os?
> > On linux, I believe there will still be a limitation of 16 id per
> > group, right?
>
> Linux has a "limitation" of 65K groups per user, and this has been true
> for many years now.
>
> If you use NFS with sys auth instead of krb5 auth then you have a
> limitation of 16 groups per user, but this is a protocol limitation
> valid for all OSs, it is not a limitation of Linux. And using krb5 auth
> there is no such limitation.
>
> > If anyone has some past experience with AIX, feel free to share with
> > me
>
> We did some qualification/documentation testing on AIX a while back. All
> I can say is that AIX can work against FreeIPA just fine, but I am in no
> way an AIX expert and the docs we have on freeipa.org are all I can tell
> you to use as I already forgot all the details we discovered at the time
> we tested AIX :)
>
> > I am really interested to hear about it
>
> Let me know if there is anything unclear about AIX clients in the
> documentation on freeipa.org.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] migration plan from local accounts
Hi again,

by moving away from local accounts to freeipa, do we affect any of these numbers?:

-group name length limits
-group membership limits

or do they remain the same / as the limit of the local os?
On linux, I believe there will still be a limitation of 16 ids per group, right?

If anyone has some past experience with AIX, feel free to share with me
I am really interested to hear about it

Thank you!
Sylvain Angers

2012/1/5 Dmitri Pal

> On 01/05/2012 04:20 PM, Sylvain Angers wrote:
>
> > Hello
> >
> > We have a mixed environment of AIX and linux servers
> > All our user accounts are still set locally - no NIS, and we do not have
> > unique uid/gid across our hosts!!!
> > I am evaluating the possibility of using Redhat Identity management in our
> > environment
> > I have to figure out what AIX will be able to support - we would at least
> > want to be able to limit who could access what on aix
> > so if you have dealt with AIX, let me know
> >
> > but here is my main question
> >
> > My question is how do I deal with our current local users?
>
> This is a tough one... The assumption was that some kind of identity
> system is already in place.
>
> > When user DAVE gets freeipa id 1000567, do you have to chown every
> > file he has on a local machine while he might have uid/gid 501 ?
>
> Yes.
>
> > I guess we will have to bite the bullet and have a unique id for every
> > user - right?
>
> Correct
>
> > Is there a simple migration plan from local to freeipa?
>
> You pretty much outlined it here. There is nothing better I know of.
> Your user IDs are probably low enough that there is no overlap with user
> IDs from IdM.
>
> > do we have to migrate an account at a time,
> > so if the account does not exist locally, it will check remote?
>
> This is usually the case when you use files in the nsswitch.conf first and
> then ldap or sss.
> So the logic would be:
> 1) Create a user in IdM with the same name as a local user (if it does not
> already exist)
> 2) Find all files owned by the local user and replace UID/GID with the ones
> from the IPA user with the same name
> 3) Remove local user
> 4) Repeat for all local users
> 5) Repeat on every machine
>
> Step 1) might be a challenge from an AIX machine so you might consider
> creating a list of all users first, precreating the users in IdM and then
> running a script that would do the rest on each of the machines you need to
> convert.
>
> > I am missing the big picture
> >
> > thanks in advance
> > --
> > Sylvain Angers
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

--
Sylvain Angers
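Steps 1 to 3 of the migration plan Dmitri outlines above (pre-create the users in IdM, then on each machine re-own every file from the local uid/gid to the IdM ones for the same name) are where mistakes are costly, so they are worth scripting with a dry run. The following is an added example written for this page, not a FreeIPA tool: it parses local passwd/group lines, builds the old-id to new-id maps from the IdM ids of the same names, reports names that have no IdM counterpart yet (step 1 not done), and plans the chown of a tree from the original ids so no file is re-owned twice. The passwd/group lines, the IdM ids and the file list are constructed samples; all function names are this example's own. It also restores setuid/setgid bits, which chown clears on Linux, when the plan is applied for real.

```python
"""Added example: plan (and optionally apply) the local -> IdM uid/gid
re-owning step of the migration plan.  Samples below are constructed."""

import os
import stat
from collections import namedtuple

Change = namedtuple("Change", "path old_uid old_gid new_uid new_gid")


def _parse_ids(text, min_id):
    """Parse passwd/group-style lines (name:x:id:...) into {name: id},
    skipping system accounts below min_id (root etc. are never migrated)."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) >= min_id:
            ids[fields[0]] = int(fields[2])
    return ids


def parse_passwd(text, min_uid=500):
    return _parse_ids(text, min_uid)


def parse_group(text, min_gid=500):
    return _parse_ids(text, min_gid)


def build_id_map(local_ids, idm_ids):
    """Map each local id to the id IdM assigned to the same name.
    Names with no IdM counterpart are returned separately: they must be
    pre-created in IdM (step 1 of the plan) before any file is re-owned."""
    id_map, missing = {}, []
    for name, local_id in sorted(local_ids.items()):
        if name not in idm_ids:
            missing.append(name)
        elif idm_ids[name] != local_id:
            id_map[local_id] = idm_ids[name]
    return id_map, missing


def plan_changes(entries, uid_map, gid_map):
    """entries: iterable of (path, uid, gid) as found on disk.
    New ids are computed from the ORIGINAL ids in one pass, so a map such
    as 501 -> 1000 and 1000 -> 2000 cannot chain and re-own a file twice."""
    changes = []
    for path, uid, gid in entries:
        new_uid = uid_map.get(uid, uid)
        new_gid = gid_map.get(gid, gid)
        if (new_uid, new_gid) != (uid, gid):
            changes.append(Change(path, uid, gid, new_uid, new_gid))
    return changes


def scan_tree(root):
    """Yield (path, uid, gid) for every directory, file and symlink under
    root.  lstat is used so symlinks are reported as themselves and never
    followed (a link into /etc must not get its target re-owned)."""
    for dirpath, dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        yield dirpath, st.st_uid, st.st_gid
        names = filenames + [d for d in dirnames
                             if os.path.islink(os.path.join(dirpath, d))]
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


def apply_changes(changes, apply=False):
    """Dry run by default: print what would change.  With apply=True,
    lchown each path and re-apply the mode, because chown on Linux clears
    setuid/setgid bits on executables.  Returns the number of changes."""
    for c in changes:
        if not apply:
            print("would chown %d:%d %s (was %d:%d)"
                  % (c.new_uid, c.new_gid, c.path, c.old_uid, c.old_gid))
            continue
        mode = os.lstat(c.path).st_mode
        os.lchown(c.path, c.new_uid, c.new_gid)
        if not stat.S_ISLNK(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            os.chmod(c.path, stat.S_IMODE(mode))
    return len(changes)


# Constructed samples: two local users (uid 501/502) already created in IdM
# with new ids, one local group ("staff") not yet created in IdM.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\n" \
               "dave:x:501:501:Dave:/home/dave:/bin/bash\n" \
               "anne:x:502:502:Anne:/home/anne:/bin/sh\n"
LOCAL_GROUP = "root:x:0:\ndave:x:501:\nanne:x:502:\nstaff:x:600:dave,anne\n"
IDM_UIDS = {"dave": 1000567, "anne": 1000568}
IDM_GIDS = {"dave": 1000567, "anne": 1000568}
SAMPLE_ENTRIES = [  # (path, uid, gid) as scan_tree() would report them
    ("/home/dave", 501, 501), ("/home/dave/.bashrc", 501, 501),
    ("/home/anne/notes", 502, 600), ("/srv/shared", 0, 600),
    ("/etc/passwd", 0, 0),
]


def demo():
    """Run the planning stage over the constructed samples."""
    uid_map, _missing_users = build_id_map(parse_passwd(LOCAL_PASSWD), IDM_UIDS)
    gid_map, missing_groups = build_id_map(parse_group(LOCAL_GROUP), IDM_GIDS)
    changes = plan_changes(SAMPLE_ENTRIES, uid_map, gid_map)
    return uid_map, gid_map, missing_groups, changes


if __name__ == "__main__":
    uid_map, gid_map, missing_groups, changes = demo()
    print("groups still to create in IdM:", missing_groups)
    apply_changes(changes)          # dry run; pass apply=True as root to re-own
```

On a real machine, replace `SAMPLE_ENTRIES` with `list(scan_tree("/"))` (run as root, with the maps built from the machine's own /etc/passwd and /etc/group and the ids from `getent passwd`/`getent group` against IdM), review the dry-run output, and only then call `apply_changes(changes, apply=True)`. The `staff` group in the sample is left untouched because it has no IdM counterpart yet, which is exactly the case step 1 is meant to catch.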
[Freeipa-users] migration plan from local accounts
Hello

We have a mixed environment of AIX and linux servers.
All our user accounts are still set locally - no NIS, and we do not have unique uid/gid across our hosts!!!
I am evaluating the possibility of using Redhat Identity management in our environment.
I have to figure out what AIX will be able to support - we would at least want to be able to limit who could access what on aix, so if you have dealt with AIX, let me know.

but here is my main question

My question is how do I deal with our current local users?

When user DAVE gets freeipa id 1000567, do you have to chown every file he has on a local machine while he might have uid/gid 501 ?

I guess we will have to bite the bullet and have a unique id for every user - right?

Is there a simple migration plan from local to freeipa?

do we have to migrate an account at a time, so if the account does not exist locally, it will check remote?

I am missing the big picture

thanks in advance
--
Sylvain Angers