[Freeipa-users] IPA - initial questions

2013-05-10 Thread Herb Burnswell
All,

I am beginning to put an IPA environment together and will be inquiring
with the community on different issues.

First, regarding this list, I do not see a way to search archived posts for
answers.  I apologize if I am just missing how to do so, is there a way to
search for topics?

Second, I have attempted to subscribe to the list a couple times but have
not received any email notification and cannot log in via the credentials I
created.  Am I missing something or am I just waiting for an approval from
moderators or other?

Regarding IPA, my initial question is how do folks handle the root user?
Is root maintained via IPA centrally or since it's a special account is it
still maintained directly on all systems?

Thanks in advance, and I look forward to learning more from the community.

Herb
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Rob Crittenden

Herb Burnswell wrote:

> All,
>
> I am beginning to put an IPA environment together and will be inquiring
> with the community on different issues.
>
> First, regarding this list, I do not see a way to search archived posts
> for answers.  I apologize if I am just missing how to do so, is there a
> way to search for topics?


There is no built-in search command but you can use google, something 
like site:https://www.redhat.com/archives/freeipa-users/ search-terms



> Second, I have attempted to subscribe to the list a couple times but
> have not received any email notification and cannot log in via the
> credentials I created.  Am I missing something or am I just waiting for
> an approval from moderators or other?


I don't see any failed subscription requests. I went ahead and 
subscribed you.



> Regarding IPA, my initial question is how do folks handle the root
> user?  Is root maintained via IPA centrally or since it's a special
> account is it still maintained directly on all systems?


You always want to be able to log in locally as root if something goes 
wrong. sssd purposely excludes the root users for this reason.


If you want to limit root access then you'd be better off investigating
SUDO and limiting who knows the root password(s).


rob




Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Herb Burnswell
Rob,

Thank you for your response.  One of my filters on gmail was blocking the
approval responses, I should have known it was user error ;-).  I'm all set
on the subscription.  Also, thanks for the tip on searching google that
way, I'll investigate questions that way.

Regarding root user, that was what I was thinking.  So that kind of takes
away the ability to centrally manage the root password for 100's of systems
via IPA correct?  Or is there a way to do that?

thanks,

Herb



Re: [Freeipa-users] IPA - initial questions

2013-05-10 Thread Trey Dockendorf
On May 10, 2013 1:33 PM, Herb Burnswell herbert.burnsw...@gmail.com
wrote:

> Rob,
>
> Thank you for your response.  One of my filters on gmail was blocking the
> approval responses, I should have known it was user error ;-).  I'm all set
> on the subscription.  Also, thanks for the tip on searching google that
> way, I'll investigate questions that way.
>
> Regarding root user, that was what I was thinking.  So that kind of takes
> away the ability to centrally manage the root password for 100's of systems
> via IPA correct?  Or is there a way to do that?


The root user should be local to every host without access to root relying
on something external such as IPA or any other network service.  If IPA
goes down you still want to be able to gain access to servers.  To manage
root I'd recommend Puppet, or any configuration management tool if one
already exists in your infrastructure.  A single global 'user' resource or
'root module' (in the case of Puppet) can be assigned to every host
allowing a single, central, change to propagate to all hosts.

> thanks,
>
> Herb




I also use Puppet to push out a non-root, local account, for emergency
situations as root on my servers is only accessible via SSH key
authentication or local console.  This gives my team a way to access
servers if key pieces of our infrastructure are down or in maintenance.

- Trey
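
The setup described in this reply, as an added Puppet example that is not from the thread or from any poster's configuration: root stays a local account with a centrally managed password hash, root SSH access is key-only, and a local non-root emergency account exists for outages. The class name, parameter names, the `breakglass` account name and the RHEL-family `sshd` service name are assumptions; hashes and keys are supplied from site data, not shown here.

```puppet
# Added example. Class, parameter and account names are hypothetical.
# Assumes the core user, ssh_authorized_key, augeas and service types are
# available on the agent (they ship with the puppet-agent package).
class local_break_glass (
  String[1] $root_password_hash,       # crypt(3) hash, e.g. from encrypted Hiera data
  String[1] $emergency_password_hash,  # crypt(3) hash for the emergency account
  String[1] $root_ssh_pubkey,          # base64 key body only, no type or comment
  String[1] $emergency_user = 'breakglass',
) {
  # root remains a local account, so it works when IPA or the network is down.
  # Only the password hash is pushed; the cleartext is never in the catalog.
  user { 'root':
    ensure         => present,
    uid            => 0,
    password       => $root_password_hash,
    purge_ssh_keys => true,  # remove authorized_keys entries Puppet does not manage
  }

  ssh_authorized_key { 'root-admin-key':
    ensure => present,
    user   => 'root',
    type   => 'ssh-ed25519',
    key    => $root_ssh_pubkey,
  }

  # Local, non-root account for emergency access; it does not depend on sssd.
  user { $emergency_user:
    ensure     => present,
    managehome => true,
    shell      => '/bin/bash',
    password   => $emergency_password_hash,
  }

  # Remote root logins by key only; password login as root is left to the console.
  # On OpenSSH older than 7.0 the same value is spelled 'without-password'.
  augeas { 'sshd-root-keys-only':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set PermitRootLogin prohibit-password',
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Assigning this one class to every node gives the single central change point for root that the reply describes, while each host still authenticates root locally.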