Re: [Freeipa-users] question about Active Directory authentication
Thanks for all the info. I think I will go the trust route with IPA 4.1 and see what happens (in a test environment first, of course).

From: freeipa-users-boun...@redhat.com On Behalf Of Steven Jones
Sent: Tuesday, February 17, 2015 6:25 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

> Ok,
>
> So with winsync I will have the 2000+ users in IPA. Within IPA I have several high risk/impact groups of servers and many low. For the low risk/impact servers and most desktops they can trust what AD tells them. For the high risk/impact servers/applications we do not want to rely on AD for any authorisation, so permissions for these will be isolated from AD inside IPA. The idea is if we lose AD or IPA we should not lose both via any cross-linking.
>
> regards
> Steven
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] question about Active Directory authentication
Ok,

So with winsync I will have the 2000+ users in IPA. Within IPA I have several high risk/impact groups of servers and many low. For the low risk/impact servers and most desktops they can trust what AD tells them. For the high risk/impact servers/applications we do not want to rely on AD for any authorisation, so permissions for these will be isolated from AD inside IPA. The idea is if we lose AD or IPA we should not lose both via any cross-linking.

regards
Steven

From: freeipa-users-boun...@redhat.com on behalf of Dmitri Pal
Sent: Wednesday, 18 February 2015 11:51 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] question about Active Directory authentication

> On 02/17/2015 05:21 PM, Steven Jones wrote:
>> They achieve different things. How otherwise do I get 2000+ AD users into IPA? To me winsync allows automated provisioning of users into IPA via AD; this greatly reduces manual effort.
>
> That I get. I do not understand how trust helps you in this case.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] question about Active Directory authentication
On 02/17/2015 05:21 PM, Steven Jones wrote:
>>> ***maybe*** c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.
>>
>> I am not sure this is the best solution really. Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.
>
> 8><--
>
> They achieve different things. How otherwise do I get 2000+ AD users into IPA? To me winsync allows automated provisioning of users into IPA via AD; this greatly reduces manual effort.

That I get. I do not understand how trust helps you in this case.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] question about Active Directory authentication
>> ***maybe*** c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.
>
> I am not sure this is the best solution really. Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.

8><--

They achieve different things. How otherwise do I get 2000+ AD users into IPA? To me winsync allows automated provisioning of users into IPA via AD; this greatly reduces manual effort.
Re: [Freeipa-users] question about Active Directory authentication
On 02/17/2015 04:34 PM, Steven Jones wrote:
> "I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines."
>
> dictated by a clueless Windows * no doubt, ***sigh***
>
> Here we are keeping both separate as AD is so bad security wise, but want some low risk trusts for certain groups of machines (common desktops).
>
> If the expectation is it's directly off the AD then you don't need IPA at all. However, without an expensive commercial addon per Linux server/desktop you won't be able to do much management and control. This has security implications: if you had, say, a finance or HR server without these commercial tools you may find any AD user could get on them, not what you would want.
>
> So you have 2 options in keeping IPA,
>
> a) trusts, and you should be able to keep your users.
>
> b) winsync and passsync, and all the AD users are synced over to IPA. Existing users stay as is; the ones in AD but not in IPA get pulled over to IPA.
>
> ***maybe*** c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.

I am not sure this is the best solution really. Trust and sync do not help each other. The fact that you have trust does not help you to provision users the way you describe.

> I'd like to do c) which I am looking at at present, if I ever get IPA on RHEL6.6 upgraded to RHEL7.1!
>
> regards
>
> Steven J
>
> From: freeipa-users-boun...@redhat.com on behalf of David Fitzgerald
> Sent: Wednesday, 18 February 2015 10:05 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] question about Active Directory authentication

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] question about Active Directory authentication
"I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines."

dictated by a clueless Windows * no doubt, ***sigh***

Here we are keeping both separate as AD is so bad security wise, but want some low risk trusts for certain groups of machines (common desktops).

If the expectation is it's directly off the AD then you don't need IPA at all. However, without an expensive commercial addon per Linux server/desktop you won't be able to do much management and control. This has security implications: if you had, say, a finance or HR server without these commercial tools you may find any AD user could get on them, not what you would want.

So you have 2 options in keeping IPA,

a) trusts, and you should be able to keep your users.

b) winsync and passsync, and all the AD users are synced over to IPA. Existing users stay as is; the ones in AD but not in IPA get pulled over to IPA.

***maybe*** c) You might be able to do both winsync and trusts at the same time then that is simpler provisioning. ie a user gets created in AD and automatically gets created in IPA ready for you to put in the user group you want.

I'd like to do c) which I am looking at at present, if I ever get IPA on RHEL6.6 upgraded to RHEL7.1!

regards

Steven J

From: freeipa-users-boun...@redhat.com on behalf of David Fitzgerald
Sent: Wednesday, 18 February 2015 10:05 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] question about Active Directory authentication
Re: [Freeipa-users] question about Active Directory authentication
On 02/17/2015 04:05 PM, David Fitzgerald wrote:
> Hello,
>
> I am currently running an IPA 3.3 server on CentOS 7. I have 70 IPA client machines running Scientific Linux 6.6 and 150 users. User directories are auto-mounted from a CentOS 7 file server.
>
> I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines. I have been looking through the IPA documentation and am getting myself confused and not completely understanding what needs to be done, thus I have some questions.
>
> 1. The docs talk about setting up a trust between the IPA server and the AD server. Will I need to change all of the IPA clients as well as the IPA server, or do I only need to change the server and not have to touch the clients?

With IPA on CentOS 7 you can establish trust, and your 6.6 machines should be capable of picking up the trust automatically.

> 2. Do I even need to set up a full trust relationship just to authenticate my users with AD?

You have three options:
- Establish trust
- Sync users from AD to IPA
- Drop IPA and go direct AD (but you lose a lot).

We recommend the trust approach, and yet it is a full trust, but that does not mean that it is wild west. The trust just means that users can cross-authenticate. But if there are no permissions set (which is the case by default) the users, even if they are authenticated, can't do anything. So if your AD guys are worried that the trust would open the can of worms, it would not.

> 3. Since I already have 150 users, will I have to delete their IPA accounts before setting up the trust?

Are these users the same as AD users? If they are, you can move to IPA 4.1 and convert them to ID Views to assign posix data to the AD users and then remove.

https://copr.fedoraproject.org/coprs/mkosek/freeipa/

> Sorry if my questions are a bit basic, but I need some guidance to get me started.
>
> Thanks!
>
> Dave
>
> ++
> David Fitzgerald
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
> Phone: 717-871-2394
> E-Mail: david.fitzger...@millersville.edu

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
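The layout Steven describes earlier in the thread (AD trusted only for the low-risk host groups, high-risk servers authorised purely from IPA) and Dmitri's two points in the reply above (a trust only lets AD users authenticate, and once the default rule is disabled they can do nothing until an HBAC rule says so; on IPA 4.1 existing IPA accounts can be carried over as ID view overrides) can be written down as one `ipa` CLI procedure. The script below is an added example; it is not code from the thread or from the FreeIPA project. Every name in it is assumed for illustration: the AD forest ad.example.com, the AD group linux-users@ad.example.com, the host groups lowrisk_hosts and highrisk_hosts, the IPA-native group finance_admins, the client hosts desktop01/finance01, and the user dfitz with UID 1501. It only prints the commands unless IPA_APPLY=1 is set, so the plan can be reviewed before it is run on an IPA server that has `ipa-adtrust-install` done and an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the original posts: trust + HBAC + ID view plan
# for "AD users on low-risk hosts only, high-risk hosts stay IPA-only".
# All names below (ad.example.com, linux-users@..., lowrisk_hosts,
# highrisk_hosts, finance_admins, dfitz, UID 1501) are assumptions.
#
# Safe by default: commands are only printed. Set IPA_APPLY=1 on an IPA
# server (after ipa-adtrust-install and kinit admin) to execute them.

IPA_APPLY="${IPA_APPLY:-0}"
AD_DOMAIN="ad.example.com"
AD_LOGIN_GROUP="linux-users@${AD_DOMAIN}"

run() {
    # Print the exact command; execute it only when explicitly asked to.
    printf '%s\n' "$*"
    [ "$IPA_APPLY" = "1" ] && "$@"
    return 0
}

establish_trust() {
    # One-way trust: IPA hosts accept AD Kerberos identities. Prompts for
    # the AD admin password when actually applied.
    run ipa trust-add --type=ad "$AD_DOMAIN" --admin Administrator --password
}

map_ad_group() {
    # AD SIDs can only be members of an *external* IPA group; that group is
    # nested into a normal POSIX group so HBAC rules can reference it.
    run ipa group-add ad_lowrisk_external --external --desc "AD users allowed on low-risk hosts"
    run ipa group-add-member ad_lowrisk_external --external "$AD_LOGIN_GROUP"
    run ipa group-add ad_lowrisk --desc "POSIX wrapper for ad_lowrisk_external"
    run ipa group-add-member ad_lowrisk --groups ad_lowrisk_external
}

restrict_access() {
    # allow_all would let every trusted AD user on to every host: disable it
    # before any AD group is mapped, so there is never an open window.
    run ipa hbacrule-disable allow_all
    run ipa hostgroup-add lowrisk_hosts --desc "Desktops and low-impact servers"
    run ipa hostgroup-add highrisk_hosts --desc "Finance/HR and other high-impact servers"
    # Low-risk hosts: the AD-backed group may use sshd and console login.
    run ipa hbacrule-add ad_lowrisk_login --desc "AD users on low-risk hosts only"
    run ipa hbacrule-add-user ad_lowrisk_login --groups ad_lowrisk
    run ipa hbacrule-add-host ad_lowrisk_login --hostgroups lowrisk_hosts
    run ipa hbacrule-add-service ad_lowrisk_login --hbacsvcs=sshd,login
    # High-risk hosts: only an IPA-native group is referenced. Nothing from
    # AD appears in this rule, so an AD outage or AD group change cannot
    # grant or revoke access here (Steven's isolation requirement).
    run ipa hbacrule-add highrisk_login --desc "IPA-native admins on high-risk hosts"
    run ipa hbacrule-add-user highrisk_login --groups finance_admins
    run ipa hbacrule-add-host highrisk_login --hostgroups highrisk_hosts
    run ipa hbacrule-add-service highrisk_login --hbacsvcs=sshd
}

preserve_existing_ids() {
    # Dmitri's migration hint: give the AD identity the UID/GID/home the old
    # IPA account had so automounted home directories keep working, then
    # remove the IPA-native duplicate. Values are assumed for the example.
    run ipa idview-add migrated_users --desc "POSIX attributes carried over from IPA accounts"
    run ipa idoverrideuser-add migrated_users "dfitz@${AD_DOMAIN}" \
        --uid 1501 --gidnumber 1501 --homedir /home/dfitz --shell /bin/bash
    run ipa idview-apply migrated_users --hostgroups lowrisk_hosts
    # Only after `id dfitz@ad.example.com` on a client shows UID 1501:
    run ipa user-del dfitz
}

verify_access() {
    # hbactest evaluates the rules server-side without touching any client:
    # expected allowed on desktop01, denied on finance01.
    run ipa hbactest --user "someone@${AD_DOMAIN}" --host desktop01.ipa.example.com --service sshd
    run ipa hbactest --user "someone@${AD_DOMAIN}" --host finance01.ipa.example.com --service sshd
}

plan_trust_hbac() {
    establish_trust
    map_ad_group
    restrict_access
    preserve_existing_ids
    verify_access
}

plan_trust_hbac
```

The order is the point: `allow_all` is disabled before the AD group is mapped, and the high-risk rule names only an IPA-native group, so AD is never consulted for those hosts. `ipa hbactest` lets you confirm the allow/deny outcome for an AD principal before any client is involved. ID view overrides are applied by SSSD on the client, so the clients' SSSD must be recent enough to honour them; older 6.x clients may ignore the override and fall back to the default ID mapping, which is worth checking with `id` on one client before deleting the IPA-native account.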
[Freeipa-users] question about Active Directory authentication
Hello,

I am currently running an IPA 3.3 server on CentOS 7. I have 70 IPA client machines running Scientific Linux 6.6 and 150 users. User directories are auto-mounted from a CentOS 7 file server.

I have been informed that all computer users on our campus must now authenticate off of the University's Active Directory server, including all Linux machines. I have been looking through the IPA documentation and am getting myself confused and not completely understanding what needs to be done, thus I have some questions.

1. The docs talk about setting up a trust between the IPA server and the AD server. Will I need to change all of the IPA clients as well as the IPA server, or do I only need to change the server and not have to touch the clients?

2. Do I even need to set up a full trust relationship just to authenticate my users with AD?

3. Since I already have 150 users, will I have to delete their IPA accounts before setting up the trust?

Sorry if my questions are a bit basic, but I need some guidance to get me started.

Thanks!

Dave

++
David Fitzgerald
Department of Earth Sciences
Millersville University
Millersville, PA 17551
Phone: 717-871-2394
E-Mail: david.fitzger...@millersville.edu