[Freeipa-devel] Problems accessing IPA from clients
Mark Christiansen
mwchristiansen at gmail.com
Mon Jun 9 17:44:47 UTC 2008
Hi Rob,
It turns out that this fixed my Windows client:
network.auth.use-sspi false
However, my Linux (RHEL5) browser still doesn't connect.
I can file a bug to add the above line to ssbrowser.html. I am still
confused as to what could be going on with my Linux machine.
Cheers!
-Mark
On Mon, Jun 9, 2008 at 10:34 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> Mark Christiansen wrote:
>
>> Hi Simo,
>>
>> Yes, I can get a kerberos ticket on both Windows and Linux clients. I am
>> able to configure a browser on the machine with FreeIPA and use its web
>> interface, but I am unable to do the same on the clients.
>> Thanks for your suggestions!
>>
>
> Are you configuring your browser according to:
>
> http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser
>
> rob
>
>
>> -Mark
>>
>> On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce <ssorce at redhat.com> wrote:
>>
>> Can you get a kerberos ticket on the clients?
>> If not, what error do you get?
>>
>> Simo.
>>
>> On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
>> > Hello everyone,
>> >
>> > Recently I sent an e-mail because I couldn't get access to freeipa on
>> > any machine other than the one with freeipa installed. I reinstalled
>> > the MIT Kerberos client, and am now able to authenticate on a Windows
>> > machine. However, I can still not get the webpage to display on
>> > either a Windows or a Linux platform (other than the virtual machine
>> > freeIPA is installed on). I have reinstalled several times, and don't
>> > know what I could be missing. All of my machines are on one subnet,
>> > and I temporarily disabled firewalls to see if that could be the
>> > issue.
>> >
>> > Thanks for any tips!
>> >
>> > -Mark
>> >
>> > On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
>> >
>> > Today's Topics:
>> >
>> > 1. Re: [PATCH] be clearer about what is being configured
>> > (Rob Crittenden)
>> > 2. AD and freeIPA synch (Karl Wirth)
>> > 3. Re: AD and freeIPA synch (Rich Megginson)
>> >
>> >
>> >
>> ----------------------------------------------------------------------
>> >
>> > Message: 1
>> > Date: Fri, 06 Jun 2008 15:27:21 -0400
>> > From: Rob Crittenden <rcritten at redhat.com>
>> > Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being configured
>> > To: freeipa-devel <freeipa-devel at redhat.com>
>> > Message-ID: <48498F99.5090903 at redhat.com>
>> > Content-Type: text/plain; charset="iso-8859-1"
>> >
>> > Skipped content of type multipart/mixed
>> >
>> > ------------------------------
>> >
>> > Message: 2
>> > Date: Fri, 06 Jun 2008 15:32:29 -0400
>> > From: Karl Wirth <kwirth at redhat.com>
>> > Subject: [Freeipa-devel] AD and freeIPA synch
>> > To: freeipa-devel at redhat.com, freeipa-interest at redhat.com
>> > Message-ID: <484990CD.30206 at redhat.com>
>> > Content-Type: text/plain; charset=ISO-8859-1
>> >
>> > Hello,
>> >
>> > Many organizations have given feedback that they want to make sure that
>> > freeIPA can synch with AD. We want to provide more than what is
>> > available in the winsynch that is in fedora directory server. Here are
>> > my thoughts on what the features should be in this area. I would love
>> > your feedback. Does this sound right? What is missing? Longer term, we
>> > hope to enable kerberos trust between AD and IPA but even then some
>> > folks will want synch as well. Thoughts?
>> >
>> > AD and freeIPA synch requirements ---proposal for your review and feedback
>> >
>> > 1. Keep password in AD same as PW in IPA
>> > - If changed in AD, bring change over to IPA
>> > - If changed in IPA, bring change over to AD
>> >
>> > 2. Synch userid and attributes
>> > - Configurable which attributes
>> > - If full posix available then make this available
>> > - Configurable translation between attributes (i.e. transform data such
>> > as middle name length or whatever)
>> > - Configurable mapping between attribute names
>> > - Generate attributes if not present in AD with flexible rules for doing
>> > this and vice versa
>> >
>> > 3. Which subsets of users to keep in synch
>> > - Make it possible to define which AD/IPA users should be kept in synch
>> >
>> > 4. Topology
>> > - Password synch is only supported with 1 AD domain. Not multiple.
>> > - Identity/attribute synch is supported across multiple domains.
>> > ---If the same user is in multiple domains, there is a problem ---- Not
>> > supported
>> > ---If the same userid in different domains but different user, resolve
>> > - Need to support PW change on any IPA server
>> > - Need to support PW change on an AD server
>> >
>> > 5. Failover
>> > - Support for failover AD DC
>> > - Support for failover IPA
>> >
>> > 6. Install and Packaging
>> > - Separate install of synch tool
>> > - Preconfigured synch tool with easy to point to IPA and AD
>> > - Predefined
>> > - Requires passsynch on domain controllers
>> > - Proposal 1: Requires password to only change on AD. Probably not ok.
>> > - Proposal 2: Make changes to IPA to hand PW to AD
>> >
>> > 7. Groups.
>> > Allow four options that an administrator can choose between:
>> > - One option: Synchronize all users from AD into one IPA group
>> > - Second option: Synchronize all users according to filter defined in #3
>> > above and bring along all of their groups and keep their memberships in
>> > them.
>> > - Third option: No group synch at all
>> > - Fourth option: No support for nested groups
>> >
>> > Best regards,
>> > Karl
>> >
>> >
>> >
>> > ------------------------------
>> >
>> > Message: 3
>> > Date: Fri, 06 Jun 2008 13:38:50 -0600
>> > From: Rich Megginson <rmeggins at redhat.com>
>> > Subject: Re: [Freeipa-devel] AD and freeIPA synch
>> > To: kwirth at redhat.com
>> > Cc: freeipa-devel at redhat.com, freeipa-interest at redhat.com
>> > Message-ID: <4849924A.40303 at redhat.com>
>> > Content-Type: text/plain; charset="iso-8859-1"
>> >
>> > Karl Wirth wrote:
>> > > Hello,
>> > >
>> > > Many organizations have given feedback that they want to make sure that
>> > > freeIPA can synch with AD. We want to provide more than what is
>> > > available in the winsynch that is in fedora directory server. Here are
>> > > my thoughts on what the features should be in this area. I would love
>> > > your feedback. Does this sound right? What is missing? Longer term, we
>> > > hope to enable kerberos trust between AD and IPA but even then some
>> > > folks will want synch as well. Thoughts?
>> > >
>> > > AD and freeIPA synch requirements ---proposal for your review and feedback
>> > >
>> > > 1. Keep password in AD same as PW in IPA
>> > > - If changed in AD, bring change over to IPA
>> > > - If changed in IPA, bring change over to AD
>> > >
>> > One problem with this is password policy - min length, complexity,
>> > history, etc. How to sync password policy between IPA and AD?
>> > > 2. Synch userid and attributes
>> > > - Configurable which attributes
>> > > - If full posix available then make this available
>> > > - Configurable translation between attributes (i.e. transform data such
>> > > as middle name length or whatever)
>> > > - Configurable mapping between attribute names
>> > > - Generate attributes if not present in AD with flexible rules for doing
>> > > this and vice versa
>> > >
>> > > 3. Which subsets of users to keep in synch
>> > > - Make it possible to define which AD/IPA users should be kept in synch
>> > >
>> > > 4. Topology
>> > > - Password synch is only supported with 1 AD domain. Not multiple.
>> > > - Identity/attribute synch is supported across multiple domains.
>> > > ---If the same user is in multiple domains, there is a problem ---- Not
>> > > supported
>> > > ---If the same userid in different domains but different user, resolve
>> > > - Need to support PW change on any IPA server
>> > > - Need to support PW change on an AD server
>> > >
>> > Support for uni-directional sync - many Fedora DS users have asked for
>> > the ability to sync changes only from Fedora DS to AD, or vice versa,
>> > but not both ways. Or perhaps uni-directional for passwords (due to
>> > password policy) and bi-di for other data.
>> > > 5. Failover
>> > > - Support for failover AD DC
>> > > - Support for failover IPA
>> > >
>> > > 6. Install and Packaging
>> > > - Separate install of synch tool
>> > > - Preconfigured synch tool with easy to point to IPA and AD
>> > > - Predefined
>> > > - Requires passsynch on domain controllers
>> > > - Proposal 1: Requires password to only change on AD. Probably not ok.
>> > > - Proposal 2: Make changes to IPA to hand PW to AD
>> > >
>> > > 7. Groups.
>> > > Allow four options that an administrator can choose between:
>> > > - One option: Synchronize all users from AD into one IPA group
>> > > - Second option: Synchronize all users according to filter defined in #3
>> > > above and bring along all of their groups and keep their memberships in
>> > > them.
>> > > - Third option: No group synch at all
>> > > - Fourth option: No support for nested groups
>> > >
>> > Support for AD memberOf (if not already fully supported by
>> > ipa-memberof).
>> > > Best regards,
>> > > Karl
>> > >
>> > > _______________________________________________
>> > > Freeipa-devel mailing list
>> > > Freeipa-devel at redhat.com
>> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
>> > >
>> >
>> > ------------------------------
>> >
>> > End of Freeipa-devel Digest, Vol 13, Issue 11
>> > *********************************************
>> >
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>>
>>
>
>