Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-14 Thread Sigbjorn Lie

On 03/08/2012 01:40 PM, Sylvain Angers wrote:

> Was anyone successful in hooking their HP iLO or RHEV manager to IPA?

I've connected IPA to the RHEV manager, yes. It works fine. However, it
seems to require looking up DNS SRV records to find the IPA servers, so I
don't think it works unless you have your own DNS domain for IPA.




Regards,
Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Rob Crittenden

Sylvain Angers wrote:




Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Dmitri Pal
On 03/13/2012 02:59 PM, Sylvain Angers wrote:

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Sylvain Angers
2012/3/8 Brian Cook 

Hello

Still have the same issue: "Unable to find 'admin' user with 'getent passwd
admin'!"

I redid both client and server, no SELinux, no firewall.

Our DNS team did set the SOA of unix.cnppd.lab to point to my IPA server.

I had to put a manual entry in /etc/hosts:
165.115.118.21  mtl-ipa01d.unix.cnppd.lab   mtl-ipa01d


then did set up my IPA server with the following:
ipa-server-install -a xxx --hostname=mtl-ipa01d.unix.cnppd.lab -n unix.cnppd.lab \
  -p x -r UNIX.CNPPD.LAB --setup-dns \
  --forwarder=165.115.52.21 --forwarder=165.115.51.21
Server host name [mtl-ipa01d.unix.cnppd.lab]:

Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
The IPA Master Server will be configured with
Hostname:mtl-ipa01d.unix.cnppd.lab
IP address:  165.115.118.21
Domain name: unix.cnppd.lab

Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
Using reverse zone 118.115.165.in-addr.arpa.


Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==
Setup complete


I did set up my client with:
[root@mtl-vdi01d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab \
  --domain=UNIX.CNPPD.LAB --realm=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi01d.cn.ca
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@unix.cnppd.lab:

Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

you can see that ipa did enroll my client

[root@mtl-ipa01d ~]# ipa host-find
---
2 hosts matched
---
  Host name: mtl-ipa01d.unix.cnppd.lab
  Principal name: host/mtl-ipa01d.unix.cnppd@unix.cnppd.lab
  Keytab: True
  Password: False
  Managed by: mtl-ipa01d.unix.cnppd.lab

  Host name: mtl-vdi01d.cn.ca
  Certificate:

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Brian Cook
Also, I would not use 'delegation record' from AD, use conditional forwarding 
for *.unix.abcd.ca.  Your AD admins should know how to do it.

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079




On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:


Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Brian Cook
If your AD realm is ABCD.CA and you want your unix realm to be UNIX.ABCD.CA 
then your FQDN should be ipaserver.unix.abcd.ca

When you delegate the zone from AD, you should have at least two IPA servers 
running bind listed.  

ipaserver1.unix.abcd.ad
ipaserver2.unix.abcd.ad

That way if one is down, you can still resolve names.

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079




On Mar 8, 2012, at 8:54 AM, Sylvain Angers wrote:


Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Simo Sorce
On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
> Alright!
> 
> I am now requesting to our DNS team
> 
> please delegate dns zone "unix.abcd.ca" to ???

the ip address of your ipa server, they will know what questions to
ask :)

> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or
> ipaserver.abcd.ca?

> does it matter?

It does, the IPA server DNS domain is what matters for the first master.
So it should be .unix.abcd.ca

So that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use
the standard configuration).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
Alright!

I am now requesting to our DNS team

please delegate dns zone "unix.abcd.ca" to ???
Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or
ipaserver.abcd.ca?

does it matter?

thanks

2012/3/8 Simo Sorce 



-- 
Sylvain Angers

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Simo Sorce
On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> Hi Again
> Our current Linux/AIX servers fqdn should remain on abcd.ca domain 
>  
> I need an advice: Should the ipa server fqdn be ipa.abcd.ca or
> ipa.unix.abcd.ca?

You can have machines on a different DNS domain with FreeIPA.
So you can use unix.abcd.ca for your IPA server and still install
clients in abcd.ca.

I think the only thing you should take care of is to make sure an
abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm]
section is available on all machines of the domain to avoid issues
resolving the correct realm for clients in the other domain.

On clients this should be automated in the very last release but the ipa
server needs to be configured after install.

> and on the Linux/AIX server, should we add entry of both dns (ipa and
> Microsoft AD) in resolv.conf?  

No, that would not work. What you should do is ask your DNS admin to
delegate you the unix.abcd.ca zone. Once that is done it doesn't matter
which DNS you are querying they will know who to ask.
If delegation is not possible you could still use named forwarders in
both IPA and AD so that each DNS server still knows where to forward
requests for the specific domain. This again will allow you to use
whatever DNS your network uses and have queries properly forwarded
around.

> domain unix.abcd.ca
> search unix.abcd.ca abcd.ca 
> nameserver ipa_address
> nameserver ad_address
> 
No, don't do this as a way to not configure the DNS servers, it won't
work and will cause really confusing mis-behaviors if the DNS servers
themselves do not know how to talk to each other.

If delegation of zones or forwarding is properly set up though then this
scheme would allow you to have a fallback when either infrastructure is
temporarily unreachable.
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

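An added example (not code from the thread, FreeIPA or MIT Kerberos) for Simo's point above: a minimal krb5.conf reader and the [domain_realm] matching rule, used to check which of the Linux/AIX hosts that keep their abcd.ca names would actually land in UNIX.ABCD.CA. The matching rule is a simplified model of libkrb5 (exact hostname first, then parent domains listed with a leading dot); the config texts are constructed, and dc1.abcd.ca is an assumed AD domain controller name.

```python
"""Added example, not code from the thread or from FreeIPA/MIT Kerberos.

A minimal krb5.conf reader plus the [domain_realm] matching rule, used to
check Simo's point: a client that keeps its abcd.ca name only lands in the
UNIX.ABCD.CA realm if krb5.conf maps abcd.ca there. The matching rule is a
simplified model of libkrb5 (exact host first, then parent domains listed
with a leading dot); hostnames are the thread's, dc1 is assumed."""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat 'key = value' lines.
    Brace blocks such as the per-realm settings in [realms] are skipped;
    only [domain_realm] matters for this check."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(domain_realm, host):
    """Exact hostname entry wins; otherwise the nearest parent domain that
    appears with a leading dot. None means libkrb5 would fall back to DNS
    or the default realm, which is where cross-domain confusion starts."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def unmapped_hosts(conf_text, hosts, realm):
    """Hosts that this krb5.conf would not place in `realm`."""
    mapping = parse_krb5_conf(conf_text).get("domain_realm", {})
    return [h for h in hosts if realm_for_host(mapping, h) != realm]


# Constructed: the shape ipa-client-install writes for a client inside the
# IPA DNS domain. Only the IPA domain itself is mapped.
KRB5_CONF_DEFAULT = """\
[libdefaults]
  default_realm = UNIX.ABCD.CA
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  UNIX.ABCD.CA = {
    kdc = ipa1.unix.abcd.ca:88
    admin_server = ipa1.unix.abcd.ca:749
  }

[domain_realm]
  .unix.abcd.ca = UNIX.ABCD.CA
  unix.abcd.ca = UNIX.ABCD.CA
"""

# Constructed: the same file with the abcd.ca -> UNIX.ABCD.CA mapping Simo
# asks for, plus an exact-host entry so the AD domain controller (dc1,
# assumed name) stays in the AD realm despite the broader mapping.
KRB5_CONF_MAPPED = KRB5_CONF_DEFAULT + """\
  .abcd.ca = UNIX.ABCD.CA
  abcd.ca = UNIX.ABCD.CA
  dc1.abcd.ca = ABCD.CA
"""

LINUX_AIX_HOSTS = ["client.abcd.ca", "aix01.abcd.ca", "ipa1.unix.abcd.ca"]

if __name__ == "__main__":
    print(unmapped_hosts(KRB5_CONF_DEFAULT, LINUX_AIX_HOSTS, "UNIX.ABCD.CA"))
    # ['client.abcd.ca', 'aix01.abcd.ca']
    print(unmapped_hosts(KRB5_CONF_MAPPED, LINUX_AIX_HOSTS, "UNIX.ABCD.CA"))
    # []
```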


Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
Hi again,
Our current Linux/AIX servers' FQDNs should remain on the abcd.ca domain.

I need some advice: should the IPA server FQDN be ipa.abcd.ca or
ipa.unix.abcd.ca?

And on the Linux/AIX servers, should we add entries for both DNS servers
(IPA and Microsoft AD) in resolv.conf?

domain unix.abcd.ca
search unix.abcd.ca abcd.ca
nameserver ipa_address
nameserver ad_address



Thanks

-- 
Sylvain Angers

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
> is abcd.ca your windows domain ?
yes in this example

# --subject=subject_DN: Sets the base element for the subject DN of the
# issued certificates. This defaults to O=realm.
# --no-reverse: Does not create a reverse DNS zone when the DNS domain
# is set up.
# --idmax=number: ??? Sets the upper bound for IDs which can be assigned by
# the IPA server. The default value is the ID start value plus 19.
# --idstart=1: will have to check with AD I guess
ipa-server-install \
  -a xx \
  --hostname=ipa1.unix.abcd.ca \
  -n unix.abcd.ca \
  -p xxx \
  -r UNIX.ABCD.CA \
  --subject=subject_DN \
  --forwarder=ad_dns.abcd.ca \
  --no-reverse \
  --setup-dns \
  --idmax=number \
  --idstart=1

IPA server will become the master DNS for UNIX
current unix servers' FQDNs will remain on abcd.ca
current unix servers will get dns, ntp, kdc, ldap from ipa
realm will be equal to domain name = unix.abcd.ca

When I have resolved the "getent passwd admin" issue
I believe I will be able to su - admin on any unix server
and will be able to start thinking about what's next, like winsync,
then create an ipa slave = ipa2.unix.abcd.ca,
define SRV in bind for unix.abcd.ca,
test all our supported Unix platforms, especially AIX.
Was anyone successful in hooking their HP iLO or RHEV manager to IPA?

Will have to convince many people to achieve this set-up, but I am sure it
is worth it!

Thank you! you guys Rock!

Sylvain

2012/3/8 Ondrej Valousek 




-- 
Sylvain Angers

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Ondrej Valousek

Side note:
You can manage AD integrated DNS from a unix host easily with just 'nsupdate -g'
- so theoretically (ok I understand you have to have a proper Kerberos TGT...)
IPA client could be able to autoconfigure (create all the necessary SRV records)
AD DNS, too. Not sure if we even wanted that, but theoretically, it should be
possible.


Ondrej

On 03/07/2012 08:11 PM, Simo Sorce wrote:




The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an intended recipient, you must not use, disclose, copy, distribute or 
retain this e-mail or any part thereof. If you have received this e-mail in 
error, please notify the sender by return e-mail and delete all copies of this 
e-mail from your computer system(s).
Please direct any additional queries to: communicati...@s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Simo Sorce
On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
is abcd.ca your windows domain ?

although we support specifying a realm that is not identical to the DNS
domain I strongly suggest you do not do so if you do not want to
experience some trouble and to assign to your UNIX domain its own DNS
domain that matches the realm. If you do not do that things can still
work, but not w/o some minor annoyances.
For example discovery will fail as you find out because the DNS domain
is owned by the AD realm. You also have to make sure you properly map
realms to domains correctly in various clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Sylvain Angers
2012/2/23 Simo Sorce 

> On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
> > I would not expect that there would be any problem with AD and IPA
> > coexisting when the realm names are different, but I have heard
> > reports that there are problems, especially when Linux clients are
> > configured to use AD for DNS.  Trying to figure out what the problem
> > is.  I understand your delegated dns setup.  What if the customer must
> > use AD for all DNS?
>
> The only "problem" you may have is that you have to manually set all the
> SRV and TXT records.
> It's tedious but nothing heart breaking.
>
> Clients will not be able to do DNS updates if the DNS is not managed by
> IPA.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>



Hello All,
We are facing the same difficulties here with coexistence with Microsoft AD
on the same network

Whenever I run ipa-client-install

# ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
DNS domain 'unix' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.abcd.ca
Realm: UNIX
DNS Domain: abcd.ca
IPA Server: server.abcd.ca
BaseDN: dc=unix


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@UNIX:

Enrolled in IPA realm UNIX
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX
SSSD enabled

*Unable to find 'admin' user with 'getent passwd admin'!*

Recognized configuration: SSSD
NTP enabled
Client configuration complete.


and when I sniff via wireshark while doing getent passwd admin, I get

many times this snippet, with all the Microsoft AD servers in the loop

165.115.52.21 = our windows dns server
165.115.40.149 = our ipa client
165.115.40.144
165.115.126.210 = windows AD domain controller
165.115.212.167 = windows AD domain controller



 31.784008 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.52.21
 31.784308 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217133 TSER=0 WS=7
 31.784518 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
 31.784538 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217133 TSER=0
 31.784873 165.115.40.149 -> 165.115.52.21 LDAP searchRequest(1) ""
baseObject
 31.785487 165.115.52.21 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
 31.785505 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=1449 Win=17536 Len=0 TSV=5217134 TSER=13371643
 31.785522 165.115.52.21 -> 165.115.40.149 LDAP searchResEntry(1) ""
 31.785531 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=2314 Win=20480 Len=0 TSV=5217134 TSER=13371643
 31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A
jac-rg-i01.cn.ca
 31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.126.210
 31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
 31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error:
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
 31.827485 165.115.40.149 -> 165.115.52.21 LDAP unbindRequest(2)




 31.827518 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [FIN, ACK]
Seq=236 Ack=2314 Win=20480 Len=0 TSV=5217176 TSER=13371643
 31.827763 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [ACK] Seq=2314
Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
 31.827786 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [FIN, ACK]
Seq=2314 Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
 31.827795 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=237
Ack=2315 Win=20480 Len=0 TSV=5217177 TSER=13371643
 31.827856 165.115.40.149 -> 165.115.52.21 DNS Standard query A
gnp-yd-i01.cn.ca
 31.828112 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.207.219
 31.828393 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217177 TSER=0 WS=7
 31.860256 165.115.207.219 -> 165.115.40.149 TCP ldap > 56123 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1360 WS=0 TSV=0 TSER=0
 31.860313 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217209 TSER=0
 31.860488 165.115.40.149 -> 165.115.207.219 LDAP searchRequest(1) ""
baseObject
 31.901748 165.115.207.219 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
 31.901767 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=1349 Win=17536 Len=0 TSV=5217251 TSER=15563619
 31.907040 165.115.207.219 -> 165.115.40.149 LDAP searchResEntry(1) ""
 31.907054 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=2314 Win=20224 Len=0 TSV=5217256 TSER=15563619
 31.907540 1
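
The capture above shows the failure mode Simo describes: the client's DNS discovery lands on the AD realm, so it opens LDAP to the Windows DNS/DC host and sends a Kerberos AS-REQ to an AD domain controller, which answers KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN because the IPA user does not exist there. The following is an added example (not the poster's code, not part of FreeIPA) that parses tshark-style summary lines and reports Kerberos and LDAP traffic the client sent to hosts outside its expected IPA server set. The sample lines are constructed to mirror the shape of the capture in this post; the IPA server address 192.0.2.10 and the client address are assumptions for illustration.

```python
"""Flag a client whose Kerberos/LDAP traffic goes to a non-IPA host.

Added example, not from the list post or the FreeIPA project.  SAMPLE is
constructed to mirror the poster's tshark summary output; 192.0.2.10 is
an assumed IPA server address used only for illustration.
"""
import re

# tshark one-line summary: "<time> <src> -> <dst> <proto> <info ...>"
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\S+)\s*(?P<info>.*)$"
)

# Constructed sample: discovery answers with an AD DC, the client tries it
# for Kerberos, gets a KDC error, and only then reaches the assumed IPA KDC.
SAMPLE = """\
 31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A jac-rg-i01.cn.ca
 31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.126.210
 31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
 31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
 31.827485 165.115.40.149 -> 165.115.52.21 LDAP unbindRequest(2)
 32.000000 165.115.40.149 -> 192.0.2.10 KRB5 AS-REQ
 32.010000 192.0.2.10 -> 165.115.40.149 KRB5 AS-REP
"""


def parse_summary(text):
    """Parse tshark summary lines into dicts; non-matching lines are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            packets.append(m.groupdict())
    return packets


def find_misdirected(packets, client, ipa_servers):
    """(dst, proto, info) for every KRB5/LDAP packet the client sent to a
    host that is not one of its IPA servers.  Any hit means name resolution
    handed the client AD records instead of IPA ones."""
    findings = []
    for p in packets:
        if p["src"] != client:
            continue
        if p["proto"] in ("KRB5", "LDAP") and p["dst"] not in ipa_servers:
            findings.append((p["dst"], p["proto"], p["info"].strip()))
    return findings


def foreign_kdc_errors(packets, ipa_servers):
    """KDC error replies that came from a host outside the IPA server set;
    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN from an AD DC is the tell-tale sign."""
    return [
        (p["src"], p["info"].strip())
        for p in packets
        if p["proto"] == "KRB5"
        and "KRB Error" in p["info"]
        and p["src"] not in ipa_servers
    ]


if __name__ == "__main__":
    pkts = parse_summary(SAMPLE)
    ipa = {"192.0.2.10"}  # assumed IPA server address
    for dst, proto, info in find_misdirected(pkts, "165.115.40.149", ipa):
        print(f"client sent {proto} {info!r} to non-IPA host {dst}")
    for src, info in foreign_kdc_errors(pkts, ipa):
        print(f"foreign KDC {src} answered: {info}")
```

Feed it `tshark -r capture.pcap` output (or the text pasted above) and compare the flagged destinations against the AD DNS and domain controller addresses listed in the post; once the client's DNS domain is delegated to IPA, the misdirected list should be empty.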

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Simo Sorce
On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA
> coexisting when the realm names are different, but I have heard
> reports that there are problems, especially when Linux clients are
> configured to use AD for DNS.  Trying to figure out what the problem
> is.  I understand your delegated dns setup.  What if the customer must
> use AD for all DNS?  

The only "problem" you may have is that you have to manually set all the
SRV and TXT records.
It's tedious but nothing heart breaking.

Clients will not be able to do DNS updates if the DNS is not managed by
IPA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

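Two points in this thread call for the same worked example: Simo's advice above that, when the DNS zone is owned by AD, the IPA SRV and TXT records have to be entered by hand, and his earlier note that clients then need an explicit realm-to-domain mapping because discovery fails. The block below is an added example (not FreeIPA code and not from any poster) that generates the record set for a realm, checks a set of resolver answers for records that are still missing, and emits a fixed-KDC krb5.conf fragment with the domain_realm mapping. The service record names are the ones IPA publishes; the realm, domain, hostnames and resolver answers are constructed for illustration.

```python
"""Records and client config for an IPA realm whose DNS zone is not
managed by IPA (e.g. served by AD DNS).

Added example, not code from FreeIPA or from the list posters.  The
realm/domain/server names and the resolver answers below are constructed
for illustration; only the well-known IPA service record names are real.
"""

# Service records IPA publishes for its servers (well-known owner names).
SRV_SERVICES = [
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_ntp._udp", 123),
]


def srv_records(domain, servers, ttl=86400, priority=0, weight=100):
    """Zone-file lines an admin adds by hand to a zone IPA does not manage.
    `servers` are fully qualified IPA server hostnames (no trailing dot)."""
    lines = []
    for name, port in SRV_SERVICES:
        for host in servers:
            lines.append(
                f"{name}.{domain}. {ttl} IN SRV {priority} {weight} {port} {host}."
            )
    return lines


def txt_record(domain, realm, ttl=86400):
    """_kerberos TXT record: lets clients with dns_lookup_realm map the
    DNS domain to the Kerberos realm."""
    return f'_kerberos.{domain}. {ttl} IN TXT "{realm}"'


def missing_records(expected, resolved):
    """Owner names from `expected` zone lines that the resolver did not
    answer.  `resolved` maps owner name -> list of answers, as collected
    from e.g. `dig SRV <owner>` after the DNS team has added the records."""
    missing = set()
    for line in expected:
        owner = line.split()[0]
        if not resolved.get(owner):
            missing.add(owner)
    return sorted(missing)


def krb5_conf(realm, domain, kdcs):
    """krb5.conf fragment for a client that cannot use SRV discovery:
    fixed KDCs plus an explicit domain-to-realm mapping, so the client
    never asks the AD KDC for a principal in the UNIX realm."""
    kdc_lines = "\n".join(f"    kdc = {k}" for k in kdcs)
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_kdc = false\n"
        "    dns_lookup_realm = false\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"{kdc_lines}\n"
        f"        admin_server = {kdcs[0]}\n"
        "    }\n"
        "\n"
        "[domain_realm]\n"
        f"    .{domain} = {realm}\n"
        f"    {domain} = {realm}\n"
    )


if __name__ == "__main__":
    # Constructed values following the thread's naming scheme.
    domain, realm = "unix.abcd.ca", "UNIX.ABCD.CA"
    servers = ["ipa1.unix.abcd.ca", "ipa2.unix.abcd.ca"]
    expected = srv_records(domain, servers) + [txt_record(domain, realm)]
    print("\n".join(expected))
    # Constructed resolver answers: only the LDAP record has been added so far.
    resolved = {"_ldap._tcp.unix.abcd.ca.": ["ipa1.unix.abcd.ca."]}
    print("missing:", missing_records(expected, resolved))
    print(krb5_conf(realm, domain, servers))
```

The zone lines are in BIND syntax; on an AD DNS server the same owner names, priorities, weights, ports and targets are entered through the DNS console or dnscmd. The krb5.conf fragment is what "KDC address will be set to fixed value" amounts to in practice, and the domain_realm section is the mapping Simo refers to. Without it a lookup for a host in the AD-owned domain is answered by the AD realm.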


Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Craig T
We use the group.example.com as the primary domain name, even for
windows clients. So a typical windows pc has:
ip: 192.168.0.100
dns1: linux-dns-server1
dns2: linux-dns-server2
search: group.example.com

That way the windows pcs only use their "melb.example.com" domain for
authentication and then switch back to "group.example.com" to
communicate with other hosts on the network. 

Anyways, this is just how I worked it out, there must be a better way
out there... 

cya

Craig


On Fri, Feb 24, 2012 at 02:44:59AM +, Steven Jones wrote:
> I think we are doing the same thing here, seemed to have arrived at the same 
> conclusion! I have the AD DNS servers hand off the sub-domain to the IPA 
> servers, so they are the masters for all things linux/unix, the reverse IP 
> domains on the IPA servers are slaved from the AD DNS however as the subnets 
> are mixed clients.  This means I have to add linux servers manually in the 
> reverse AD zones, not sure what I will do with clients as they are dhcp, have 
> a look to see if I can do dns updates for a client dynamically
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> 
> From: Craig T [free...@noboost.org]
> Sent: Friday, 24 February 2012 3:27 p.m.
> To: Brian Cook
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] need info on AD / IPA coexistence
> 
> Hi Brian,
> 
> I spent a lot of time on this topic. In the end we decided to do the
> following;
> 
> Microsoft domain: melb.example.com
> Linux Domain: group.example.com
> 
> The linux DNS server is a slave to the Windows AD DNS servers & a
> master DNS for "group.example.com".
> 
> All PCs point to our Linux DNS server which is hosting a slave copy of
> the melb.example.com. Amazingly this all works fine.
> 
> note: at the moment at least, we are keeping two separate user lists. I
> had sync working at one stage, but couldn't get the group memberships to
> come over correctly when going from Linux --> AD.
> 
> cya
> 
> Craig
> 
> On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> > I would not expect that there would be any problem with AD and IPA 
> > coexisting when the realm names are different, but I have heard reports 
> > that there are problems, especially when Linux clients are configured to 
> > use AD for DNS.  Trying to figure out what the problem is.  I understand 
> > your delegated dns setup.  What if the customer must use AD for all DNS?
> >
> > -Brian
> >
> > On Feb 23, 2012, at 3:28 PM, Steven Jones  wrote:
> >
> > > Hi,
> > >
> > > Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
> > > anyway. I can't see how IP / subnets matter?
> > >
> > > So, yes if you have AD as the same realm as IPA then only one will work 
> > > well from what I can read, IPA has to have its neat 
> > > auto-discovery/balancing features turned off, or at least hobbled.
> > >
> > > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm 
> > > and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD 
> > > delegating DNS to the IPA servers. This way the unix domain is 
> > > "independent but referenced...
> > >
> > > eg I find the auto-discovery is working fine...
> > >
> > > So windows clients talk to AD directly, linux clients talk to IPA 
> > > directly, if the linux clients need to  DNS the IPA servers get that for 
> > > them from AD.
> > >
> > > I have some visio diagrams of how I have done it if you want them... it 
> > > may not be the best way? but with so little architecture info available 
> > > its all I have.
> > >
> > >
> > > regards
> > >
> > > Steven Jones
> > >
> > > Technical Specialist - Linux RHCE
> > >
> > > Victoria University, Wellington, NZ
> > >
> > > 0064 4 463 6272
> > >
> > > 
> > > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> > > on behalf of Brian Cook [bc...@redhat.com]
> > > Sent: Friday, 24 February 2012 9:59 a.m.
> > > To: freeipa-users@redhat.com
> > > Subject: [Freeipa-users] need info on AD / IPA coexistence
> > >
> > > I have heard that we currently have problems with IPA and AD existing on 
> > > the same subnet, possibly only when using AD as DNS server

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
I think we are doing the same thing here, seemed to have arrived at the same 
conclusion! I have the AD DNS servers hand off the sub-domain to the IPA 
servers, so they are the masters for all things linux/unix, the reverse IP 
domains on the IPA servers are slaved from the AD DNS however as the subnets 
are mixed clients.  This means I have to add linux servers manually in the 
reverse AD zones, not sure what I will do with clients as they are dhcp, have a 
look to see if I can do dns updates for a client dynamically

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Craig T [free...@noboost.org]
Sent: Friday, 24 February 2012 3:27 p.m.
To: Brian Cook
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the
following;

Microsoft domain: melb.example.com
Linux Domain: group.example.com

The linux DNS server is a slave to the Windows AD DNS servers & a
master DNS for "group.example.com".

All PCs point to our Linux DNS server which is hosting a slave copy of
the melb.example.com. Amazingly this all works fine.

note: at the moment at least, we are keeping two separate user lists. I
had sync working at one stage, but couldn't get the group memberships to
come over correctly when going from Linux --> AD.

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting 
> when the realm names are different, but I have heard reports that there are 
> problems, especially when Linux clients are configured to use AD for DNS.  
> Trying to figure out what the problem is.  I understand your delegated dns 
> setup.  What if the customer must use AD for all DNS?
>
> -Brian
>
> On Feb 23, 2012, at 3:28 PM, Steven Jones  wrote:
>
> > Hi,
> >
> > Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
> > anyway. I can't see how IP / subnets matter?
> >
> > So, yes if you have AD as the same realm as IPA then only one will work 
> > well from what I can read, IPA has to have its neat 
> > auto-discovery/balancing features turned off, or at least hobbled.
> >
> > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and 
> > then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD 
> > delegating DNS to the IPA servers. This way the unix domain is "independent 
> > but referenced...
> >
> > eg I find the auto-discovery is working fine...
> >
> > So windows clients talk to AD directly, linux clients talk to IPA directly, 
> > if the linux clients need to  DNS the IPA servers get that for them from 
> > AD.
> >
> > I have some visio diagrams of how I have done it if you want them... it may 
> > not be the best way? but with so little architecture info available its all 
> > I have.
> >
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ____________________
> > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> > on behalf of Brian Cook [bc...@redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> >
> > I have heard that we currently have problems with IPA and AD existing on 
> > the same subnet, possibly only when using AD as DNS servers, possibly even 
> > when the realm names are different.  I have not been able to find good 
> > concrete information or BZ's regarding this.  I am looking for 
> > clarification as to what problems exist, why, is it a bug or just a fact, 
> > is it our bug or is it a MS-AD issue, etc.  I need to understand what is 
> > going on as I have customers who are looking to deploy mixed IPA / AD 
> > environments.  Any help or information would be appreciated.
> >
> > Thanks,
> > Brian
> >
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bc...@redhat.com<mailto:bc...@redhat.com>
> >
>



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
Hi,

Well I can give you how I think this works, but I stand to be corrected...

So, there is auto-discovery for kerberos going on via DNS, but AD's DNS already 
has such kerberos records for its services, so a Linux client is going to try and do 
this, but it's going to get AD results and not IPA results, so fail, so you have 
to be specific in commands.

For instance on install with IPA DNS I can type,

ipa-client-install --mkhomedir 

and it figures out the DNS entries of the IPA server(s) and picks one to join 
via.

If you can't do this as you are using AD's DNS then you have to specify the 
server and domain.

I think this might also impact load balancing across IPA's LDAP/kerberos 
servers, so if you have hard coded the KDC the client won't use DNS to pick one 
of the others (assuming you have any).  

I assume that any disadvantage AD suffers from not having its own integrated 
DNS will also apply to IPA, from my limited reading this seems to be the case.

With joining a Linux client to IPA with its own DNS, DNS also gets 
updated... if you are using an AD DNS then that is a manual process? 


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 3:12 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

I would not expect that there would be any problem with AD and IPA coexisting 
when the realm names are different, but I have heard reports that there are 
problems, especially when Linux clients are configured to use AD for DNS.  
Trying to figure out what the problem is.  I understand your delegated dns 
setup.  What if the customer must use AD for all DNS?

-Brian

On Feb 23, 2012, at 3:28 PM, Steven Jones  wrote:

> Hi,
>
> Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
> anyway. I can't see how IP / subnets matter?
>
> So, yes if you have AD as the same realm as IPA then only one will work well 
> from what I can read, IPA has to have its neat auto-discovery/balancing 
> features turned off, or at least hobbled.
>
> So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and 
> then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating 
> DNS to the IPA servers. This way the unix domain is "independent but 
> referenced...
>
> eg I find the auto-discovery is working fine...
>
> So windows clients talk to AD directly, linux clients talk to IPA directly, 
> if the linux clients need to  DNS the IPA servers get that for them from 
> AD.
>
> I have some visio diagrams of how I have done it if you want them... it may 
> not be the best way? but with so little architecture info available its all I 
> have.
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Brian Cook [bc...@redhat.com]
> Sent: Friday, 24 February 2012 9:59 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] need info on AD / IPA coexistence
>
> I have heard that we currently have problems with IPA and AD existing on the 
> same subnet, possibly only when using AD as DNS servers, possibly even when 
> the realm names are different.  I have not been able to find good concrete 
> information or BZ's regarding this.  I am looking for clarification as to 
> what problems exist, why, is it a bug or just a fact, is it our bug or is it 
> a MS-AD issue, etc.  I need to understand what is going on as I have 
> customers who are looking to deploy mixed IPA / AD environments.  Any help or 
> information would be appreciated.
>
> Thanks,
> Brian
>
> ---
> Brian Cook
> Solutions Architect, West Region
> Red Hat, Inc.
> 407-212-7079
> bc...@redhat.com<mailto:bc...@redhat.com>
>



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Craig T
Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the
following;

Microsoft domain: melb.example.com
Linux Domain: group.example.com

The linux DNS server is a slave to the Windows AD DNS servers & a
master DNS for "group.example.com".

All PCs point to our Linux DNS server which is hosting a slave copy of
the melb.example.com. Amazingly this all works fine. 

note: at the moment at least, we are keeping two separate user lists. I
had sync working at one stage, but couldn't get the group memberships to
come over correctly when going from Linux --> AD. 

cya

Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
> I would not expect that there would be any problem with AD and IPA coexisting 
> when the realm names are different, but I have heard reports that there are 
> problems, especially when Linux clients are configured to use AD for DNS.  
> Trying to figure out what the problem is.  I understand your delegated dns 
> setup.  What if the customer must use AD for all DNS?  
> 
> -Brian
> 
> On Feb 23, 2012, at 3:28 PM, Steven Jones  wrote:
> 
> > Hi,
> > 
> > Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
> > anyway. I can't see how IP / subnets matter?
> > 
> > So, yes if you have AD as the same realm as IPA then only one will work 
> > well from what I can read, IPA has to have its neat 
> > auto-discovery/balancing features turned off, or at least hobbled.
> > 
> > So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and 
> > then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD 
> > delegating DNS to the IPA servers. This way the unix domain is "independent 
> > but referenced...
> > 
> > eg I find the auto-discovery is working fine...
> > 
> > So windows clients talk to AD directly, linux clients talk to IPA directly, 
> > if the linux clients need to  DNS the IPA servers get that for them from 
> > AD.
> > 
> > I have some visio diagrams of how I have done it if you want them... it may 
> > not be the best way? but with so little architecture info available its all 
> > I have.
> > 
> > 
> > regards
> > 
> > Steven Jones
> > 
> > Technical Specialist - Linux RHCE
> > 
> > Victoria University, Wellington, NZ
> > 
> > 0064 4 463 6272
> > 
> > ____________________
> > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
> > on behalf of Brian Cook [bc...@redhat.com]
> > Sent: Friday, 24 February 2012 9:59 a.m.
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] need info on AD / IPA coexistence
> > 
> > I have heard that we currently have problems with IPA and AD existing on 
> > the same subnet, possibly only when using AD as DNS servers, possibly even 
> > when the realm names are different.  I have not been able to find good 
> > concrete information or BZ's regarding this.  I am looking for 
> > clarification as to what problems exist, why, is it a bug or just a fact, 
> > is it our bug or is it a MS-AD issue, etc.  I need to understand what is 
> > going on as I have customers who are looking to deploy mixed IPA / AD 
> > environments.  Any help or information would be appreciated.
> > 
> > Thanks,
> > Brian
> > 
> > ---
> > Brian Cook
> > Solutions Architect, West Region
> > Red Hat, Inc.
> > 407-212-7079
> > bc...@redhat.com<mailto:bc...@redhat.com>
> > 
> 



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Brian Cook
I would not expect that there would be any problem with AD and IPA coexisting 
when the realm names are different, but I have heard reports that there are 
problems, especially when Linux clients are configured to use AD for DNS.  
Trying to figure out what the problem is.  I understand your delegated dns 
setup.  What if the customer must use AD for all DNS?  

-Brian

On Feb 23, 2012, at 3:28 PM, Steven Jones  wrote:

> Hi,
> 
> Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
> anyway. I can't see how IP / subnets matter?
> 
> So, yes if you have AD as the same realm as IPA then only one will work well 
> from what I can read, IPA has to have its neat auto-discovery/balancing 
> features turned off, or at least hobbled.
> 
> So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and 
> then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating 
> DNS to the IPA servers. This way the unix domain is "independent but 
> referenced...
> 
> eg I find the auto-discovery is working fine...
> 
> So windows clients talk to AD directly, linux clients talk to IPA directly, 
> if the linux clients need to  DNS the IPA servers get that for them from 
> AD.
> 
> I have some visio diagrams of how I have done it if you want them... it may 
> not be the best way? but with so little architecture info available its all I 
> have.
> 
> 
> regards
> 
> Steven Jones
> 
> Technical Specialist - Linux RHCE
> 
> Victoria University, Wellington, NZ
> 
> 0064 4 463 6272
> 
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Brian Cook [bc...@redhat.com]
> Sent: Friday, 24 February 2012 9:59 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] need info on AD / IPA coexistence
> 
> I have heard that we currently have problems with IPA and AD existing on the 
> same subnet, possibly only when using AD as DNS servers, possibly even when 
> the realm names are different.  I have not been able to find good concrete 
> information or BZ's regarding this.  I am looking for clarification as to 
> what problems exist, why, is it a bug or just a fact, is it our bug or is it 
> a MS-AD issue, etc.  I need to understand what is going on as I have 
> customers who are looking to deploy mixed IPA / AD environments.  Any help or 
> information would be appreciated.
> 
> Thanks,
> Brian
> 
> ---
> Brian Cook
> Solutions Architect, West Region
> Red Hat, Inc.
> 407-212-7079
> bc...@redhat.com<mailto:bc...@redhat.com>
> 



Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
Hi,

Subnet? IP addressing will not matter, it's DNS that is the main issue, for me 
anyway. I can't see how IP / subnets matter?

So, yes if you have AD as the same realm as IPA then only one will work well 
from what I can read, IPA has to have its neat auto-discovery/balancing 
features turned off, or at least hobbled.

So, as an example I have vuw.ac.nz as the AD DNS domain/ kerberos realm and 
then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating 
DNS to the IPA servers. This way the unix domain is "independent but 
referenced...

eg I find the auto-discovery is working fine...

So windows clients talk to AD directly, linux clients talk to IPA directly, if 
the linux clients need to  DNS the IPA servers get that for them from AD.

I have some visio diagrams of how I have done it if you want them... it may not 
be the best way? but with so little architecture info available its all I have.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 9:59 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] need info on AD / IPA coexistence

I have heard that we currently have problems with IPA and AD existing on the 
same subnet, possibly only when using AD as DNS servers, possibly even when the 
realm names are different.  I have not been able to find good concrete 
information or BZ's regarding this.  I am looking for clarification as to what 
problems exist, why, is it a bug or just a fact, is it our bug or is it a 
MS-AD issue, etc.  I need to understand what is going on as I have customers 
who are looking to deploy mixed IPA / AD environments.  Any help or information 
would be appreciated.

Thanks,
Brian

---
Brian Cook
Solutions Architect, West Region
Red Hat, Inc.
407-212-7079
bc...@redhat.com<mailto:bc...@redhat.com>




[Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Brian Cook
I have heard that we currently have problems with IPA and AD existing on the 
same subnet, possibly only when using AD as DNS servers, possibly even when the 
realm names are different.  I have not been able to find good concrete 
information or BZ's regarding this.  I am looking for clarification as to what 
problems exist, why, is it a bug or just a fact, is it our bug or is it a 
MS-AD issue, etc.  I need to understand what is going on as I have customers 
who are looking to deploy mixed IPA / AD environments.  Any help or information 
would be appreciated.

Thanks,
Brian

---
Brian Cook
Solutions Architect, West Region
Red Hat, Inc.
407-212-7079
bc...@redhat.com
