[Freeipa-devel] Problems accessing IPA from clients

Simo Sorce ssorce at redhat.com
Sun Jun 8 13:32:06 UTC 2008


Can you get a kerberos ticket on the clients?
If not, what error do you get ?

Simo.

On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> Hello everyone,
> 
> Recently I sent an e-mail because I couldn't get access to freeipa on
> any machine other than the one with freeipa installed.  I reinstalled
> the MIT Kerberos client, and am now able to authenticate on a Windows
> machine.  However, I still cannot get the webpage to display on
> either a Windows or a Linux platform (other than the virtual machine
> freeIPA is installed on).  I have reinstalled several times, and don't
> know what I could be missing.  All of my machines are on one subnet,
> and I temporarily disabled firewalls to see if that could be the
> issue. 
> 
> Thanks for any tips!
> 
> -Mark
> 
> On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com>
> wrote:
>         
>         Today's Topics:
>         
>           1. Re: [PATCH] be clearer about what is being configured
>              (Rob Crittenden)
>           2. AD and freeIPA synch (Karl Wirth)
>           3. Re: AD and freeIPA synch (Rich Megginson)
>         
>         
>         ----------------------------------------------------------------------
>         
>         Message: 1
>         Date: Fri, 06 Jun 2008 15:27:21 -0400
>         From: Rob Crittenden <rcritten at redhat.com>
>         Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being configured
>         To: freeipa-devel <freeipa-devel at redhat.com>
>         Message-ID: <48498F99.5090903 at redhat.com>
>         Content-Type: text/plain; charset="iso-8859-1"
>         
>         Skipped content of type multipart/mixed
>         
>         ------------------------------
>         
>         Message: 2
>         Date: Fri, 06 Jun 2008 15:32:29 -0400
>         From: Karl Wirth <kwirth at redhat.com>
>         Subject: [Freeipa-devel] AD and freeIPA synch
>         To: freeipa-devel at redhat.com, freeipa-interest at redhat.com
>         Message-ID: <484990CD.30206 at redhat.com>
>         Content-Type: text/plain; charset=ISO-8859-1
>         
>         Hello,
>         
>         Many organizations have given feedback that they want to make sure that
>         freeIPA can synch with AD.  We want to provide more than what is
>         available in the winsynch that is in fedora directory server.  Here are
>         my thoughts on what the features should be in this area.  I would love
>         your feedback.  Does this sound right?  What is missing?  Longer term, we
>         hope to enable kerberos trust between AD and IPA but even then some
>         folks will want synch as well.  Thoughts?
>         
>         AD and freeIPA synch requirements ---proposal for your review and feedback
>         
>         1. Keep password in AD same as PW in IPA
>         - If changed in AD, bring change over to IPA
>         - If changed in IPA, bring change over to AD
>         
>         2. Synch userid and attributes
>         - Configurable which attributes
>         - If full posix available then make this available
>         - Configurable translation between attributes (i.e. transform data such
>           as middle name length or whatever)
>         - Configurable mapping between attribute names
>         - Generate attributes if not present in AD with flexible rules for doing
>           this and vice versa
>         
>         3. Which subsets of users to keep in synch
>         - Make it possible to define which AD/IPA users should be kept in synch
>         
>         4. Topology
>         - Password synch is only supported with 1 AD domain.  Not multiple.
>         - Identity/attribute synch is supported across multiple domains.
>           --- If the same user is in multiple domains, there is a problem --- Not supported
>           --- If the same userid in different domains but different user, resolve
>         - Need to support PW change on any IPA server
>         - Need to support PW change on an AD server
>         
>         5. Failover
>         - Support for failover AD DC
>         - Support for failover IPA
>         
>         6. Install and Packaging
>         - Separate install of synch tool
>         - Preconfigured synch tool with easy to point to IPA and AD
>         - Predefined
>         - Requires passsync on domain controllers
>         - Proposal 1: Requires password to only change on AD.  Probably not ok.
>         - Proposal 2: Make changes to IPA to hand PW to AD
>         
>         7. Groups.
>         Allow four options that an administrator can choose between:
>         - One option: Synchronize all users from AD into one IPA group
>         - Second option: Synchronize all users according to filter defined in #3
>           above and bring along all of their groups and keep their memberships in
>           them.
>         - Third option:  No group synch at all
>         - Fourth option:  No support for nested groups
>         
>         Best regards,
>         Karl
>         
>         
>         
>         ------------------------------
>         
>         Message: 3
>         Date: Fri, 06 Jun 2008 13:38:50 -0600
>         From: Rich Megginson <rmeggins at redhat.com>
>         Subject: Re: [Freeipa-devel] AD and freeIPA synch
>         To: kwirth at redhat.com
>         Cc: freeipa-devel at redhat.com, freeipa-interest at redhat.com
>         Message-ID: <4849924A.40303 at redhat.com>
>         Content-Type: text/plain; charset="iso-8859-1"
>         
>         Karl Wirth wrote:
>         > Hello,
>         >
>         > Many organizations have given feedback that they want to make sure that
>         > freeIPA can synch with AD.  We want to provide more than what is
>         > available in the winsynch that is in fedora directory server.  Here are
>         > my thoughts on what the features should be in this area.  I would love
>         > your feedback.  Does this sound right?  What is missing?  Longer term, we
>         > hope to enable kerberos trust between AD and IPA but even then some
>         > folks will want synch as well.  Thoughts?
>         >
>         > AD and freeIPA synch requirements ---proposal for your review and feedback
>         >
>         > 1. Keep password in AD same as PW in IPA
>         > - If changed in AD, bring change over to IPA
>         > - If changed in IPA, bring change over to AD
>         >
>         One problem with this is password policy - min length, complexity,
>         history, etc.  How to sync password policy between IPA and AD?
>         > 2. Synch userid and attributes
>         > - Configurable which attributes
>         > - If full posix available then make this available
>         > - Configurable translation between attributes (i.e. transform data such
>         >   as middle name length or whatever)
>         > - Configurable mapping between attribute names
>         > - Generate attributes if not present in AD with flexible rules for doing
>         >   this and vice versa
>         >
>         > 3. Which subsets of users to keep in synch
>         > - Make it possible to define which AD/IPA users should be kept in synch
>         >
>         > 4. Topology
>         > - Password synch is only supported with 1 AD domain.  Not multiple.
>         > - Identity/attribute synch is supported across multiple domains.
>         >   --- If the same user is in multiple domains, there is a problem --- Not supported
>         >   --- If the same userid in different domains but different user, resolve
>         > - Need to support PW change on any IPA server
>         > - Need to support PW change on an AD server
>         >
>         Support for uni-directional sync - many Fedora DS users have asked for
>         the ability to sync changes only from Fedora DS to AD, or vice versa,
>         but not both ways.  Or perhaps uni-directional for passwords (due to
>         password policy) and bi-di for other data.
>         > 5. Failover
>         > - Support for failover AD DC
>         > - Support for failover IPA
>         >
>         > 6. Install and Packaging
>         > - Separate install of synch tool
>         > - Preconfigured synch tool with easy to point to IPA and AD
>         > - Predefined
>         > - Requires passsync on domain controllers
>         > - Proposal 1: Requires password to only change on AD.  Probably not ok.
>         > - Proposal 2: Make changes to IPA to hand PW to AD
>         >
>         > 7. Groups.
>         > Allow four options that an administrator can choose between:
>         > - One option: Synchronize all users from AD into one IPA group
>         > - Second option: Synchronize all users according to filter defined in #3
>         >   above and bring along all of their groups and keep their memberships in
>         >   them.
>         > - Third option:  No group synch at all
>         > - Fourth option:  No support for nested groups
>         >
>         Support for AD memberOf (if not already fully supported by ipa-memberof).
>         > Best regards,
>         > Karl
>         >
>         > _______________________________________________
>         > Freeipa-devel mailing list
>         > Freeipa-devel at redhat.com
>         > https://www.redhat.com/mailman/listinfo/freeipa-devel
>         >
>         
>         
>         ------------------------------
>         
>         
>         End of Freeipa-devel Digest, Vol 13, Issue 11
>         *********************************************
> 
-- 
Simo Sorce * Red Hat, Inc * New York
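The two questions Simo asks (can the client get a ticket, and if not, what does kinit say?) are the whole client-side diagnosis, so here is a small script that runs them. It is an added example, not code from FreeIPA or from anyone in this thread. The realm EXAMPLE.COM, the host ipa.example.com, the /ipa/ui/ path, the constructed klist output and the diagnosis keywords are all assumptions; the error strings it matches are MIT Kerberos messages.

```shell
#!/bin/sh
# Added example for this thread, not FreeIPA code.  Runs the checks Simo
# asks for on a client: can you get a ticket, and if not, what does kinit
# say?  REALM, IPA_SERVER and the /ipa/ui/ path are assumptions.

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"

# kinit_hint ERROR_TEXT
# Map the error kinit printed to a short diagnosis keyword.  The patterns
# are MIT Kerberos messages; the keywords (and their meaning) are ours.
kinit_hint() {
    case "$1" in
        # client and KDC clocks differ by more than the allowed skew: fix NTP
        *"Clock skew too great"*) echo "clock-skew" ;;
        # krb5.conf realm section, DNS SRV records, or port 88 blocked
        *"Cannot find KDC"*|*"Cannot resolve servers for KDC"*|*"Cannot contact any KDC"*)
            echo "kdc-unreachable" ;;
        # client never configured: no [libdefaults] default_realm
        *"Configuration file does not specify default realm"*) echo "no-default-realm" ;;
        # wrong user@REALM (the realm part is case sensitive)
        *"Client not found in Kerberos database"*) echo "unknown-principal" ;;
        *"Preauthentication failed"*|*"Password incorrect"*) echo "bad-password" ;;
        *) echo "unknown" ;;
    esac
}

# tgt_in_klist REALM
# Read klist output on stdin; succeed only if a ticket-granting ticket for
# REALM is listed.  Pure text check, so it also works on saved output.
tgt_in_klist() {
    grep -q "krbtgt/$1@$1"
}

# Constructed klist output (assumption, not captured from a real client),
# so tgt_in_klist can be exercised without a KDC.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mark@EXAMPLE.COM

Valid starting     Expires            Service principal
06/08/08 09:00:00  06/09/08 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# live_ticket_check USER
# The real sequence: kinit, confirm the TGT landed in the cache, then fetch
# the web UI with SPNEGO.  A 200 with a valid TGT means the client side is
# fine; a 401 at that point points at the server (HTTP/ principal, keytab).
live_ticket_check() {
    err="$(mktemp)"
    if ! kinit "$1@$REALM" 2>"$err"; then
        echo "kinit failed: $(cat "$err")"
        echo "hint: $(kinit_hint "$(cat "$err")")"
        rm -f "$err"
        return 1
    fi
    rm -f "$err"
    if ! klist 2>/dev/null | tgt_in_klist "$REALM"; then
        echo "kinit returned 0 but no krbtgt/$REALM in the credential cache"
        return 1
    fi
    # -u : with --negotiate makes curl use the ticket cache instead of a password
    curl -s -o /dev/null -w 'HTTP %{http_code}\n' --negotiate -u : "https://$IPA_SERVER/ipa/ui/"
}

# Only touch the network when asked; kinit_hint can be used on its own,
# e.g. on an error message pasted into a mail like Mark's.
if [ "${RUN_LIVE_CHECKS:-0}" = 1 ]; then
    live_ticket_check "${1:-$USER}"
fi
```

Run it as `RUN_LIVE_CHECKS=1 sh check-ipa-client.sh mark` on the client that cannot display the page. If kinit and klist are fine but the browser still shows nothing, the client has a ticket and the problem is the browser not sending it: Firefox only sends Negotiate tokens to hosts listed in network.negotiate-auth.trusted-uris, which is worth checking before touching the server.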