[Freeipa-devel] Problems accessing IPA from clients
Rob Crittenden
rcritten at redhat.com
Mon Jun 9 17:34:38 UTC 2008
Mark Christiansen wrote:
> Hi Simo,
>
> Yes, I can get a kerberos ticket on both Windows and Linux clients. I
> am able to configure a browser on the machine with FreeIPA and use its
> web interface, but I am unable to do the same on the clients.
>
> Thanks for your suggestions!
Are you configuring your browser according to:
http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser
rob
>
> -Mark
>
> On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce <ssorce at redhat.com> wrote:
>
> Can you get a kerberos ticket on the clients?
> If not, what error do you get?
>
> Simo.
>
> On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> > Hello everyone,
> >
> > Recently I sent an e-mail because I couldn't get access to freeipa on
> > any machine other than the one with freeipa installed. I reinstalled
> > the MIT Kerberos client, and am now able to authenticate on a Windows
> > machine. However, I can still not get the webpage to display on
> > either a Windows or a Linux platform (other than the virtual machine
> > freeIPA is installed on). I have reinstalled several times, and don't
> > know what I could be missing. All of my machines are on one subnet,
> > and I temporarily disabled firewalls to see if that could be the
> > issue.
> >
> > Thanks for any tips!
> >
> > -Mark
> >
> > On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
> > Today's Topics:
> >
> > 1. Re: [PATCH] be clearer about what is being configured
> > (Rob Crittenden)
> > 2. AD and freeIPA synch (Karl Wirth)
> > 3. Re: AD and freeIPA synch (Rich Megginson)
> >
> >
> >
> ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 06 Jun 2008 15:27:21 -0400
> > From: Rob Crittenden <rcritten at redhat.com>
> > Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being configured
> > To: freeipa-devel <freeipa-devel at redhat.com>
> > Message-ID: <48498F99.5090903 at redhat.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Fri, 06 Jun 2008 15:32:29 -0400
> > From: Karl Wirth <kwirth at redhat.com>
> > Subject: [Freeipa-devel] AD and freeIPA synch
> > To: freeipa-devel at redhat.com, freeipa-interest at redhat.com
> > Message-ID: <484990CD.30206 at redhat.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > Hello,
> >
> > Many organizations have given feedback that they want to make sure that
> > freeIPA can synch with AD. We want to provide more than what is
> > available in the winsynch that is in fedora directory server. Here are
> > my thoughts on what the features should be in this area. I would love
> > your feedback. Does this sound right? What is missing? Longer term, we
> > hope to enable kerberos trust between AD and IPA but even then some
> > folks will want synch as well. Thoughts?
> >
> > AD and freeIPA synch requirements ---proposal for your review and feedback
> >
> > 1. Keep password in AD same as PW in IPA
> > - If changed in AD, bring change over to IPA
> > - If changed in IPA, bring change over to AD
> >
> > 2. Synch userid and attributes
> > - Configurable which attributes
> > - If full posix available then make this available
> > - Configurable translation between attributes (i.e transform data such
> > as middle name length or whatever)
> > - Configurable mapping between attribute names
> > - Generate attributes if not present in AD with flexible rules for doing
> > this and vice versa
> >
> > 3. Which subsets of users to keep in synch
> > - Make it possible to define which AD/IPA users should be kept in synch
> >
> > 4. Topology
> > - Password synch is only supported with 1 AD domain. Not multiple.
> > - Identity/attribute synch is supported across multiple domains.
> > ---If the same user is in multiple domains, there is a problem ---- Not
> > supported
> > ---If the same userid in different domains but different user, resolve
> > - Need to support PW change on any IPA server
> > - Need to support PW change on an AD server
> >
> > 5. Failover
> > - Support for failover AD DC
> > - Support for failover IPA
> >
> > 6. Install and Packaging
> > - Separate install of synch tool
> > - Preconfigured synch tool with easy to point to IPA and AD
> > - Predefined
> > - Requires passsynch on domain controllers
> > - Proposal 1: Requires password to only change on AD. Probably not ok.
> > - Proposal 2: Make changes to IPA to hand PW to AD
> >
> > 7. Groups.
> > Allow four options that an administrator can choose between:
> > - One option: Synchronize all users from AD into one IPA group
> > - Second option: Synchronize all users according to filter defined in #3
> > above and bring along all of their groups and keep their memberships in
> > them.
> > - Third option: No group synch at all
> > - Fourth option: No support for nested groups
> >
> > Best regards,
> > Karl
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Fri, 06 Jun 2008 13:38:50 -0600
> > From: Rich Megginson <rmeggins at redhat.com>
> > Subject: Re: [Freeipa-devel] AD and freeIPA synch
> > To: kwirth at redhat.com
> > Cc: freeipa-devel at redhat.com, freeipa-interest at redhat.com
> > Message-ID: <4849924A.40303 at redhat.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Karl Wirth wrote:
> > > Hello,
> > >
> > > Many organizations have given feedback that they want to make sure that
> > > freeIPA can synch with AD. We want to provide more than what is
> > > available in the winsynch that is in fedora directory server. Here are
> > > my thoughts on what the features should be in this area. I would love
> > > your feedback. Does this sound right? What is missing? Longer term, we
> > > hope to enable kerberos trust between AD and IPA but even then some
> > > folks will want synch as well. Thoughts?
> > >
> > > AD and freeIPA synch requirements ---proposal for your review and feedback
> > >
> > > 1. Keep password in AD same as PW in IPA
> > > - If changed in AD, bring change over to IPA
> > > - If changed in IPA, bring change over to AD
> > >
> > One problem with this is password policy - min length, complexity,
> > history, etc. How to sync password policy between IPA and AD?
> > > 2. Synch userid and attributes
> > > - Configurable which attributes
> > > - If full posix available then make this available
> > > - Configurable translation between attributes (i.e transform data such
> > > as middle name length or whatever)
> > > - Configurable mapping between attribute names
> > > - Generate attributes if not present in AD with flexible rules for doing
> > > this and vice versa
> > >
> > > 3. Which subsets of users to keep in synch
> > > - Make it possible to define which AD/IPA users should be kept in synch
> > >
> > > 4. Topology
> > > - Password synch is only supported with 1 AD domain. Not multiple.
> > > - Identity/attribute synch is supported across multiple domains.
> > > ---If the same user is in multiple domains, there is a problem ---- Not
> > > supported
> > > ---If the same userid in different domains but different user, resolve
> > > - Need to support PW change on any IPA server
> > > - Need to support PW change on an AD server
> > >
> > Support for uni-directional sync - many Fedora DS users have asked for
> > the ability to sync changes only from Fedora DS to AD, or vice versa,
> > but not both ways. Or perhaps uni-directional for passwords (due to
> > password policy) and bi-di for other data.
> > > 5. Failover
> > > - Support for failover AD DC
> > > - Support for failover IPA
> > >
> > > 6. Install and Packaging
> > > - Separate install of synch tool
> > > - Preconfigured synch tool with easy to point to IPA and AD
> > > - Predefined
> > > - Requires passsynch on domain controllers
> > > - Proposal 1: Requires password to only change on AD. Probably not ok.
> > > - Proposal 2: Make changes to IPA to hand PW to AD
> > >
> > > 7. Groups.
> > > Allow four options that an administrator can choose between:
> > > - One option: Synchronize all users from AD into one IPA group
> > > - Second option: Synchronize all users according to filter defined in #3
> > > above and bring along all of their groups and keep their memberships in
> > > them.
> > > - Third option: No group synch at all
> > > - Fourth option: No support for nested groups
> > >
> > Support for AD memberOf (if not already fully supported by
> > ipa-memberof).
> > > Best regards,
> > > Karl
> > >
> > > _______________________________________________
> > > Freeipa-devel mailing list
> > > Freeipa-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > >
> >
> >
> > ------------------------------
> >
> > End of Freeipa-devel Digest, Vol 13, Issue 11
> > *********************************************
> --
> Simo Sorce * Red Hat, Inc * New York