Steve, thanks

> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should
> be in your RH supported channel tree?
>

Nope, using CentOS 6.3. I checked and it looks like I can find passsync.msi from here. I am hoping it's the same Windows binaries supplied to Red Hat paying customers:

http://directory.fedoraproject.org/wiki/Download

>
> 1) Only one AD domain, so if you have an AD "forest" you can only do one
> sub-domain. So if the root is "example.com" and you have
> "staff.example.com" and "clients.example.com" you can do only one, say
> staff.example.com to IPA.
>
> Possible issues,
>
> 2) There is a bug in the setup where you have to be careful that you specify
> the right OU= IF your users are not in the expected default (cn=users?),
> otherwise the IPA users get deleted rather than ignored, you end up with an
> empty IPA....frightened me senseless!

Do you mind explaining this further please? Where are you specifying this? In the passsync.msi application's "search base" field on the AD side, or in "ipa-replica-manage --win-subtree"? The expected default users CN, on which side, AD or FreeIPA? Sorry, I tried to google for the bug and I can't seem to find it, hence the question.

>
> So,
>
> a) If you have users in multiple ou's then only one set is synced the
> rest in IPA will go bye bye, unless they are unique to IPA.
> b) If some users have a smartphone to exchange setup the winsync
> agreement sees that as the user having 2 ous's and first adds and then
> deletes those users......oops.....I lost 20% of my users that way....

Yikes, that would have sucked, hope you had a backup. I don't have a sub-domain (forest = domain), but would have been caught by the smartphone issue. Thanks for the heads up, really appreciate it.

>
> This is with RH support.

Hmm, hopefully their response will get to us non-customers somehow.

>
> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync
> syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to
> 6.3 several times and this happens each time but a clean 6.3 IPA seems
> fine....we don't know why that is yet.
>
> This is with RH support,
>
> So if you are going to do this you need an isolated test setup to test for
> un-expected "features" that could really spoil your day.
>
> :(

Yes, I am really grateful for asking before diving in. Looks like I would have got hurt really bad.

>
> My main advice would be restart with a clean 6.3 setup and not an upgraded
> from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds
> seem a lot more stable.
>
> Also use db2ldif to make backups of your database before you do it....also
> you might want to halt and turn off any IPA replicas when you do it until
> after you are happy it's stable and OK.
>

Will use 6.3. Thank you again for the advice.

William

> ________________________________________
> From: [email protected] [[email protected]] on
> behalf of William Muriithi [[email protected]]
> Sent: Monday, 5 November 2012 8:23 a.m.
> To: [email protected]
> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux
> systems and have been able to set up everything nicely with a separate
> domain. I mean users are currently using a separate password to access
> Linux systems and another password from AD for desktop stuff. On
> Friday, I came across an article on freeIPA v 3 and noticed one can
> use the same username & password for both Linux and Windows systems.
> I have since felt this would be a better setup but feel like the
> documentation is not clear on how to achieve the above.
>
> Would anyone be able to clarify this:
>
> - Can I synchronize the current AD user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
> I can only seem to find a freeIPA v3 RPM for Fedora 17. Was hoping
> to use a blessed RPM instead of rolling one which may be incompatible
> with the distribution RPM once it comes around
>
> Regards,
>
> William
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> ------------------------------
>
> Message: 3
> Date: Mon, 05 Nov 2012 09:32:42 +0100
> From: Petr Spacek <[email protected]>
> To: [email protected]
> Subject: Re: [Freeipa-users] FreeIPA for AMM users management
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/03/2012 01:12 PM, Pavel Zhukov wrote:
>>> Can you do NS lookup of the IPA server from the AMM box?
>> yes
>>> Can you do kinit from the AMM box against IPA?
>>> Can you do ldapsearch from the AMM box against IPA?
>> no, AMM has restricted shell and web GUI.
>
> Hmm, that is unfortunate. Can you run tcpdump (or a sniffer provided on AMM) on
> the link between AMM and IPA server? Because there are no records in the access
> log I will bet on some name resolution or firewall problem.
>
> Does AMM get the right DNS responses (i.e. name and IP address of the IPA server)?
>
> Does AMM establish a TCP connection with the IPA server?
>
> --
> Petr^2 Spacek
>
>>> Do you see anything in the logs from such activity?
>
> ------------------------------
>
> Message: 4
> Date: Mon, 05 Nov 2012 08:17:34 -0700
> From: Rich Megginson <[email protected]>
> To: Steven Jones <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/04/2012 01:25 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should
>> be in your RH supported channel tree?
>>
>> The passsync.msi has to go on each AD box
> Each Domain Controller.
>
> Also note that you asked if "Can I be able to synchronize the current AD
> user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
>
> You cannot synchronize already existing passwords with IPA 2.x. You
> would have to force AD users to change their passwords in order to get
> the clear text password to send to IPA.
>
>> and is an MSI supplied by RH, I think that's also in the RH support channel
>> but for some strange reason I think it might be in the workstation tree and
>> not server tree.
>>
>> From what I can read there are some caveats,
>>
>> 1) Only one AD domain, so if you have an AD "forest" you can only do one
>> sub-domain. So if the root is "example.com" and you have
>> "staff.example.com" and "clients.example.com" you can do only one, say
>> staff.example.com to IPA.
>>
>> Possible issues,
>>
>> 2) There is a bug in the setup where you have to be careful that you specify
>> the right OU= IF your users are not in the expected default (cn=users?),
>> otherwise the IPA users get deleted rather than ignored, you end up with an
>> empty IPA....frightened me senseless!
> https://fedorahosted.org/freeipa/ticket/2688
> and
> https://fedorahosted.org/389/ticket/355
>
> The problem is caused when you have a user ID in IPA that has the same
> user ID as a user in AD, but you didn't want them to be synced, and the
> AD user entry is outside the scope of the windows sync agreement. This
> may or may not be a problem in your deployment.
>
>>
>> So,
>>
>> a) If you have users in multiple ou's then only one set is synced the
>> rest in IPA will go bye bye, unless they are unique to IPA.
> See above.
>> b) If some users have a smartphone to exchange setup the winsync
>> agreement sees that as the user having 2 ous's and first adds and then
>> deletes those users......oops.....I lost 20% of my users that way....
> Is there a ticket/bz for this issue, or is this the same issue as above?
>>
>> These are with RH support, I have a hot fix, I am testing.
>>
>> c) It's really hard to make sure all users have been transferred as you
>> can only see 2000 users in IPA so something like an external tool like
>> xplorer seems to be the only way for simpletons like myself to look at and
>> compare.
>>
>> This is with RH support.
> There are workarounds.
>>
>> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync
>> syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to
>> 6.3 several times and this happens each time but a clean 6.3 IPA seems
>> fine....we don't know why that is yet.
>>
>> This is with RH support,
>>
>> So if you are going to do this you need an isolated test setup to test for
>> un-expected "features" that could really spoil your day.
>>
>> :(
>>
>> My main advice would be restart with a clean 6.3 setup and not an upgraded
>> from 6.2. I've rebuilt 2 of my three IPA servers and the 6.3 clean builds
>> seem a lot more stable.
>>
>> Also use db2ldif to make backups of your database before you do it....also
>> you might want to halt and turn off any IPA replicas when you do it until
>> after you are happy it's stable and OK.
> You can also use db2ldif to get around the 2000 user limit mentioned above.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on
>> behalf of William Muriithi [[email protected]]
>> Sent: Monday, 5 November 2012 8:23 a.m.
>> To: [email protected]
>> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>>
>> Hi all,
>>
>> I am in the process of deploying freeIPA 2.2 to authenticate Linux
>> systems and have been able to set up everything nicely with a separate
>> domain. I mean users are currently using a separate password to access
>> Linux systems and another password from AD for desktop stuff. On
>> Friday, I came across an article on freeIPA v 3 and noticed one can
>> use the same username & password for both Linux and Windows systems.
>> I have since felt this would be a better setup but feel like the
>> documentation is not clear on how to achieve the above.
>>
>> Would anyone be able to clarify this:
>>
>> - Can I synchronize the current AD user credentials with
>> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
>> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
>> I can only seem to find a freeIPA v3 RPM for Fedora 17. Was hoping
>> to use a blessed RPM instead of rolling one which may be incompatible
>> with the distribution RPM once it comes around
>>
>> Regards,
>>
>> William
>
> ------------------------------
>
> Message: 5
> Date: Mon, 05 Nov 2012 10:48:26 -0500
> From: Dmitri Pal <[email protected]>
> To: [email protected]
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 11/04/2012 02:23 PM, William Muriithi wrote:
>> Hi all,
>>
>> I am in the process of deploying freeIPA 2.2 to authenticate Linux
>> systems and have been able to set up everything nicely with a separate
>> domain. I mean users are currently using a separate password to access
>> Linux systems and another password from AD for desktop stuff. On
>> Friday, I came across an article on freeIPA v 3 and noticed one can
>> use the same username & password for both Linux and Windows systems.
>> I have since felt this would be a better setup but feel like the
>> documentation is not clear on how to achieve the above.
>>
>> Would anyone be able to clarify this:
>>
>> - Can I synchronize the current AD user credentials with
>> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0?
>> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
>> I can only seem to find a freeIPA v3 RPM for Fedora 17. Was hoping
>> to use a blessed RPM instead of rolling one which may be incompatible
>> with the distribution RPM once it comes around
>>
>> Regards,
>>
>> William
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose we recommend using the latest
> available version at the moment of deployment.
> 2) There are two different approaches to dealing with AD - sync or
> trust. You need to choose what approach you want to use. Down the road
> there might be some hybrid solutions but so far they are not supported.
>
> Sync: available since the beginning of the IPA life. It has some
> limitations and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common but you have been warned
> anyways.
>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from Sync to Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x otherwise
> the trusts would not work. This also means that if you have other UNIXes
> the trusts would not work there.
>
> If you have UNIX clients that need to be accessed by AD users you might
> explore some hybrid solutions that might work but we can't say for sure.
> For example the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass through capability that comes with 6.4 as
> a tech preview. That would allow pass through LDAP auth for the non
> SSSD 1.9 clients. But this needs to be tried out and there might be dragons.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 52, Issue 9
> ********************************************
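A pre-sync check for the collision Rich describes above (an IPA uid that also exists as an AD account outside the agreement's --win-subtree, which the referenced tickets report being deleted rather than ignored), as an added example that is not code from the thread or from FreeIPA; the LDIF exports, DNs and subtree below are constructed sample values, and the same check flags the "same user under two OUs" case because the second DN falls outside the subtree:

```python
"""Pre-sync check for a winsync agreement (added example, not code from the
thread): flag IPA uids that also exist in AD outside --win-subtree, the
collision the referenced tickets describe. Sample data is constructed."""
import re

# Constructed sample exports (IPA as db2ldif dumps it, AD from ldapsearch).
IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=com
uid: svc-backup
"""
AD_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=bob,OU=Contractors,DC=example,DC=com
sAMAccountName: bob

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
"""
WIN_SUBTREE = "CN=Users,DC=example,DC=com"  # value given as --win-subtree

def parse_ldif(text, attr):
    """Return (dn, value) pairs for each entry carrying attribute attr."""
    pairs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn = val = None
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key == "dn": dn = value.strip()
            elif key.lower() == attr.lower(): val = value.strip()
        if dn and val: pairs.append((dn, val))
    return pairs

def colliding_uids(ipa_ldif, ad_ldif, subtree):
    """Map each IPA uid to AD DNs with the same name that sit outside subtree.
    Uids unique to IPA, and names only inside the subtree, are not listed."""
    ipa_uids = {u.lower() for _, u in parse_ldif(ipa_ldif, "uid")}
    risky = {}
    for dn, sam in parse_ldif(ad_ldif, "sAMAccountName"):
        if sam.lower() in ipa_uids and not dn.lower().endswith("," + subtree.lower()):
            risky.setdefault(sam.lower(), []).append(dn)
    return risky
```

Run it against a db2ldif export of the IPA userRoot and an ldapsearch of AD user objects before creating the agreement; any uid it lists should be renamed, moved into the subtree, or excluded on purpose, and the db2ldif backup kept until the first sync has been checked.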
