[Freeipa-users] passwordless login into IPA clients possible from non IPA client?

2014-03-19 Thread Fred van Zwieten
Hi, Subject says it all actually. I have a laptop with Fedora20. I work as a contractor on different assignments. Some of them have an IPA domain set up. Their RHEL6 servers are all IPA clients. I would like to ssh into these servers passwordless using ssh-agent and such. Is this possible? If so,

Re: [Freeipa-users] Sudo rule processing order

2014-01-13 Thread Fred van Zwieten
rectory Manager" -x -W > dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config > changetype: modify > add: schema-compat-entry-attribute > schema-compat-entry-attribute: sudoOrder=%{sudoOrder} > > > This should do the trick. > > Martin > > On 01/10/2014

Re: [Freeipa-users] Sudo rule processing order

2014-01-10 Thread Fred van Zwieten
ing commands on this host: (root) ALL (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more, /usr/bin/less, !/bin/su (root) NOPASSWD: /usr/bin/cobbler (root) !/bin/su Nope. Didn't help. Fred On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek wrote: > On 0

[Freeipa-users] Sudo rule processing order

2014-01-10 Thread Fred van Zwieten
Hi, I have a sudo rule in IPA that has the !authenticate option added to enable admins to execute certain programs as root without authentication. It doesn't work. There is another rule for the admins that allow all commands as long as they give their password. In a sudoers file, you can solve t

Re: [Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
: > On Fri, Nov 29, 2013 at 03:11:01PM +0200, Alexander Bokovoy wrote: > > On Fri, 29 Nov 2013, Fred van Zwieten wrote: > > >Hi, > > > > > >When being root on an ipa-client, I can su to any IPA user. This is > > >somewhat unexpected beha

[Freeipa-users] local root can su to any IPA user

2013-11-29 Thread Fred van Zwieten
Hi, When being root on an ipa-client, I can su to any IPA user. This is somewhat unexpected behaviour in comparison to Windows. If I am local administrator in a windows AD member server, I cannot become a domain user. I need to be domain administrator for that. Is it possible to have this "featu

[Freeipa-users] vsftpd and IPA and openldap

2013-11-03 Thread Fred van Zwieten
Hi there, I have a question. We have a vsftpd service running which authenticates its virtual users against an application level openldap database. No IPA involved here. It works using pam_ldap. The virtual users are mapped to a local user thru the "guest_user=" directive in vsftpd.conf. As the v

Re: [Freeipa-users] IPA, Samba and AD

2013-09-23 Thread Fred van Zwieten
s manually. However Users and DNS is quite a lot *and* we want to migrate the user passwords. For DNS we could use zone transfers But for user passwords? Is there IPA export import type of functionality (in RHEL64) that can provide this? Kind regards, * Fred van Zwieten * *Enterprise O

Re: [Freeipa-users] IPA, Samba and AD

2013-09-22 Thread Fred van Zwieten
Well, as explained in this thread, the problem here is that we have an IPA domain named "MYCOMP.EDU" _and_ an AD domain named "MYCOMP.EDU" as well. Both have their own DNS servers. It's beyond the scope of this mail to explain why we have named them exactly the same, and we do wish we didn't, but t

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Fred van Zwieten
running on it is member of its own NT-4 Domain. Afaik NT-4 style domains do nothing with kerberos nor with DNS. So, no name clashes. Correct? Kind regards, * Fred van Zwieten * *Enterprise Open Source Services* * Consultant* *(absent on Wednesdays)* *VX Company IT Services B.V.* *T*

Re: [Freeipa-users] IPA, Samba and AD

2013-09-21 Thread Fred van Zwieten
ld go the AD route. But now, users from the AD domain can access Samba shares. Correct? Fred On Wed, Jul 3, 2013 at 4:19 PM, Alexander Bokovoy wrote: > On Wed, 03 Jul 2013, Fred van Zwieten wrote: > >1. Do you have the same realms for both IPA and AD? > >Yes. > > > >

[Freeipa-users] Fwd: Windows, Samba and IPA

2013-09-20 Thread Fred van Zwieten
Hi, I wonder if it is possible to have Windows clients (member of some domain) connect to SAMBA shares with an IPA account. I found various howtos for Kerberized SAMBA but they all use Linux as the client platform. I have tried to set it up using a Red Hat Solution article, but I did not get i

Re: [Freeipa-users] IPA, Samba and AD

2013-07-03 Thread Fred van Zwieten
the Samba/AD interoperability? I don't know yet. It depends on what works best with this setup. I am not (yet) a Samba wunderguy, so these discussions help me (thanks for that). Fred On Wed, Jul 3, 2013 at 11:11 AM, Alexander Bokovoy wrote: > On Wed, 03 Jul 2013, Fred van Zwieten wrot

[Freeipa-users] IPA, Samba and AD

2013-07-03 Thread Fred van Zwieten
Hi there, We have an IPA domain and an AD domain with the exact same domain name. This was set up like this because we had the idea at the time that we wanted to migrate all AD to IPA. This is still the long term goal, but we need to postpone that. All our RHEL62 and RHEL64 servers are IPA client

[Freeipa-users] How to create readonly on all IPA data

2013-06-24 Thread Fred van Zwieten
Hi there, We have implemented IPA. We need to give someone in our org a read-only account on all IPA data. So, internal IPA data, user, groups, hosts, dns, etc. All. So I want to create a role "Auditor". But then I must build privs and permissions. What would be the simplest/best way to do this?

[Freeipa-users] Howto use IPA for internal websites

2013-02-06 Thread Fred van Zwieten
Hi, We have installed IPA in our internal network (let's call it example.com). We have all kinds of internal websites running for various administrative tasks. These websites are in all kind of subdomains of example.com. We would like to have them using a certificate signed by our CA. Some inter

Re: [Freeipa-users] Backup and Restoration of IPA Server

2013-02-04 Thread Fred van Zwieten
This triggers me on something related. We do use snapshots on VMs. However, we want to separate data and system disks within the guests. We have /var on a separate disk and only that disk is getting snapshots. So, is IPA data living in /var? Fred On Mon, Feb 4, 2013 at 11:54 AM, Rajnesh Kumar

Re: [Freeipa-users] RHEL 6.3 identity manual - IPA

2013-02-04 Thread Fred van Zwieten
Hi, ipa-client-install should take care of setting up sudo on the client to use IPA, afaik. Essential line in nsswitch.conf: sudoers:files ldap Please read here

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-25 Thread Fred van Zwieten
. The RFE solves this problem. I can save the keytab before re-installation and get it back afterwards. Then I can call ipa-client-install with the old keytab to enroll the client, revoke the old keytab and get a new one in one go. I have already also asked about this on the satellite-user

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-25 Thread Fred van Zwieten
that. As for the ipa-host-mod --password=foo thing. You can first run the command "ipa disable-host" and _then_ run "ipa host-mod --password=foo". Kind regards, * Fred van Zwieten * *Enterprise Open Source Services* * Consultant* *(absent on Fridays)* *VX Company IT Service

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-23 Thread Fred van Zwieten
On Wed, Jan 23, 2013 at 10:01 PM, Dmitri Pal wrote: > On 01/23/2013 03:24 PM, Fred van Zwieten wrote: > > Dmitri, > > If I understand correctly this would mean I backup the keytab before > reinstall and restore it after (easily done with Satellite), then do a > ipa-cli

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-23 Thread Fred van Zwieten
rent files as SSSD > can now be integrated with autofs, ssh, sudo. > I am just not sure that backup and restore is really a sustainable > approach project/product wise. > We can probably craft a list but I am scared promoting it as a solution. > > > Regards, > Charli

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-18 Thread Fred van Zwieten
step. Come to think of it...there is also an api for Satellite. Maybe I can make a script that will first do the IPA stuff and then call Satellite to redeploy the server. hmmm... will look into this... and report my findings Kind regards, * Fred van Zwieten * *Enterprise Open

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-18 Thread Fred van Zwieten
would mean the server has to know somehow it is being rebooted because of a re-install, but afaik, there is no way for satellite/spacewalk to tell the server this.. Regards, Fred On Sat, Jan 12, 2013 at 10:06 PM, Dmitri Pal wrote: > On 01/12/2013 03:28 AM, Fred van Zwieten wrote: > >

[Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-12 Thread Fred van Zwieten
Hi there, We are in the process of implementing Satellite and want to automate server installations 100% using kickstart, cobbler, satellite. IPA clients can be enrolled by script using kickstart. Plenty of documentation about that. However, how to "re"-enroll IPA clients? Satellite gives me the

Re: [Freeipa-users] DNS forward to sub domain not working

2012-10-23 Thread Fred van Zwieten
ng named on the IPA server. Thank you for the answers Fred On Tue, Oct 23, 2012 at 10:00 AM, Petr Spacek wrote: > On 10/23/2012 09:51 AM, Sumit Bose wrote: > > On Mon, Oct 22, 2012 at 08:57:56PM +0200, Fred van Zwieten wrote: > >> Hello, > >> > >> I have

[Freeipa-users] DNS forward to sub domain not working

2012-10-22 Thread Fred van Zwieten
Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr of ipa.example.com in resolv.conf - an A record for client.sub.example.com in DNS server host.sub.example.com Problem: I

[Freeipa-users] DNS forwarding problem

2012-10-22 Thread Fred van Zwieten
Hello, > > I have a problem. My setup: > > - IPA server for domain example.com on ipa.example.com > - DNS server sub.example.com on host.sub.example.com > - client.example.com with IP-nr of ipa.example.com in resolv.conf > - an A record for client.sub.example.com in DNS server > host.sub.example.

[Freeipa-users] DNS forwarding problem

2012-10-22 Thread Fred van Zwieten
Hello, I have a problem. My setup: - IPA server for domain example.com on ipa.example.com - DNS server sub.example.com on host.sub.example.com - client.example.com with IP-nr of ipa.example.com in resolv.conf - an A record for client.sub.example.com in DNS server host.sub.example.com Problem: I

Re: [Freeipa-users] Query IPA for group membership

2012-10-08 Thread Fred van Zwieten
Fred van Zwieten wrote: > Alexander, Simo, > > Thank you very much for this extensive explanation. I'll set it up Monday > and let you know how it will go. > > Fred > > > On Sat, Oct 6, 2012 at 8:31 PM, Alexander Bokovoy wrote: > >> On Sat, 06 Oct 2012, Fr

Re: [Freeipa-users] Query IPA for group membership

2012-10-06 Thread Fred van Zwieten
Alexander, Simo, Thank you very much for this extensive explanation. I'll set it up Monday and let you know how it will go. Fred On Sat, Oct 6, 2012 at 8:31 PM, Alexander Bokovoy wrote: > On Sat, 06 Oct 2012, Fred van Zwieten wrote: > >Hang on..I don't see how this can wo

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
nce with: >> plugin openvpn_auth_pam openvpn1 >> and >> plugin openvpn_auth_pam openvpn2 >> respectively. >> >> Then you can create HBAC rules in IPA using openvpn1 and openvpn2 as >> service names. >> >> Simo. >> >> On Fri, 2012-10-05 at 20:58

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
name USERNAME group OPENVPN1 (is > > the user member of OPENVPN1 y/n?) > > > > > > plugin openvpn_auth_pam is afaik the only way to get OpenVPN to > > authenticate against IPA. I am not sure how this could be setup to > > work with HBAC.. > > > > >

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
OPENVPN1 (is the user member of OPENVPN1 y/n?) plugin openvpn_auth_pam is afaik the only way to get OpenVPN to authenticate against IPA. I am not sure how this could be setup to work with HBAC.. Fred On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal wrote: > On 10/05/2012 02:13 PM, Fred van Zwie

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
/2012 01:36 PM, Fred van Zwieten wrote: > > Hello, > > I have an IPA server running. This server has users who are members of > various groups. I want to query the IPA server from an IPA client to know > whether a user is a member of a group. > > I want to do t

[Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group. I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this: