[Freeipa-users] FreeIPA v 2.2 in an AD environment

Steven Jones Steven.Jones at vuw.ac.nz
Mon Nov 5 18:52:38 UTC 2012


Hi,

I'm not at work yet, but the default is something like cn=users,dc=example,dc=com. It's not needed to be specified though (maybe it should be, to encourage people to check), so I did my first sync and wiped all my users out of IPA! Oops....

So you have to specify it with something like --win-subtree ou=staff_folder,dc=example,dc=com.

Note it's ou=staff_folder and not cn=staff_folder; I did that oops as well, doh..... Also make sure the case is right... not sure if that matters....

So the winsync command is done on the IPA server TO AD; the above tells the winsync script/command where to find the group to sync in AD.

"sucked"  Our AD and IPA are VMware'd, so I had clones in an isolated environment.... Make sure you do a db2ldif of your IPA setup; that's saved my test bed at least once.

"smartphone issue"  I have a hot fix, it seems OK; apparently it's fixed "proper" in the 6.4 release.... which I think is either December or the new year....

You're very brave using CentOS... ie no support LOL..... It's very complex and hard to fault-find when things don't work...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of William Muriithi [william.muriithi at gmail.com]
Sent: Tuesday, 6 November 2012 7:13 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment

Steve, thanks

> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your  RH supported channel tree?
>
Nope, using CentOS 6.3.  I checked and it looks like I can find
passsync.msi here.  I am hoping it's the same Windows binary
supplied to Red Hat paying customers

http://directory.fedoraproject.org/wiki/Download

>
> 1) Only one AD domain, so if you have an AD "forest" you can only do one sub-domain.   So if the root is "example.com" and you have "staff.example.com" and "clients.example.com" you can do only one, say staff.example.com to IPA.
>
> Possible issues,
>
> 2) There is a bug in the setup where you have to be careful that you specify the right OU= IF your users are not in the expected default (cn=users?), otherwise the IPA users get deleted rather than ignored, you end up with an empty IPA....frightened me senseless!

Do you mind explaining this further please?  Where are you specifying
this? On the passsync.msi application "search base" field? on AD side
or on "ipa-replica-manage --win-subtree" ?  Expected default users CN,
on which side, AD or FreeIPA?  Sorry, I tried to google for the bug
and I can't seem to pick it, so the question.

>
> So,
>
>     a) If you have users in multiple ou's then only one set is synced the rest in IPA will go bye bye, unless they are unique to IPA.
>     b) If some users have a smartphone to exchange setup the winsync agreement sees that as the user having 2 ous's and first adds and then deletes those users......oops.....I lost 20% of my users that way....

Yikes, that would have sucked; hope you had a backup.  I don't have a
sub-domain (forest = domain), but would have been caught by the
smartphone issue.  Thanks for the heads up, really appreciate it.
>

> This is with RH support.

Hmm, hopefully their response will get to us non-customers somehow.
>
> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 several times and this happens each time but a clean 6.3 IPA seems fine....we don't know why that is yet.
>
> This is with RH support,
>
> So if you are going to do this you need an isolated test setup to test for un-expected "features" that could really spoil your day.
>
> :(

Yes, I am really grateful for asking before diving in. Looks like I
would have got hurt really bad.

>
> My main advice would be restart with a clean 6.3 setup and not an upgraded from 6.2.  I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot more stable.
>
> Also use db2ldif to make backups of your database before you do it....also you might want to halt and turn off any IPA replicas when you do it until after you are happy its stable and OK.
>

Will use 6.3.  Thank you again for the advice

William

>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of William Muriithi [william.muriithi at gmail.com]
> Sent: Monday, 5 November 2012 8:23 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>
> Hi all,
>
> I am in the process of deploying FreeIPA 2.2 to authenticate Linux
> systems and have been able to set up everything nicely with a separate
> domain.  I mean users are currently using a separate password to access
> Linux systems and another password from AD for desktop stuff. On
> Friday, I came across an article on FreeIPA v3 and noticed one can
> use the same username & password for both Linux and Windows systems.
> I have since felt this would be a better setup, but feel like the
> documentation is not clear on how to achieve the above.
>
> Would anyone be able to clarify this:
>
> - Will I be able to synchronize the current AD user credentials with
> FreeIPA 2.2, or do I have to upgrade to FreeIPA 3.0?
> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
> I can only seem to find FreeIPA v3 RPMs for Fedora 17.  I was hoping
> to use a blessed RPM instead of rolling one which may be incompatible
> with the distribution RPM once it comes around.
>
> Regards,
>
> William
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> ------------------------------
>
> Message: 3
> Date: Mon, 05 Nov 2012 09:32:42 +0100
> From: Petr Spacek <pspacek at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA for AMM users management
> Message-ID: <509779AA.6010409 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/03/2012 01:12 PM, Pavel Zhukov wrote:
>>> Can you do NS lookup of the IPA server from the AMM box?
>> yes
>>> Can you do kinit from the AMM box against IPA?
>>> Can you do ldapsearch from the AMM box against IPA?
>> no, AMM has restricted shell and web GUI.
>
> Hmm, that is unfortunate. Can you run tcpdump (or sniffer provided on AMM) on
> the link between AMM and IPA server? Because there are no records in access
> log I will bet on some name resolution or firewall problem.
>
> Does AMM get the right DNS responses (i.e. the name and IP address of the IPA server)?
>
> Does AMM establish a TCP connection with the IPA server?
>
> --
> Petr^2 Spacek
>
>>> Do you see anything in the logs from such activity?
>
> ------------------------------
>
> Message: 4
> Date: Mon, 05 Nov 2012 08:17:34 -0700
> From: Rich Megginson <rmeggins at redhat.com>
> To: Steven Jones <Steven.Jones at vuw.ac.nz>
> Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <5097D88E.1020508 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11/04/2012 01:25 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be in your  RH supported channel tree?
>>
>> The passsync.msi has to go on each AD box
> Each Domain Controller.
>
> Also note that you asked if "Can I be able to synchronize the current AD
> user credentials with
> FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
>
> You cannot synchronize already existing passwords with IPA 2.x.  You
> would have to force AD users to change their passwords in order to get
> the clear text password to send to IPA.
>
>> and is a MSI supplied by RH, I think that's also in the RH support channel but for some strange reason I think it might be in the workstation tree and not server tree.
>>
>> > From what I can read there are some caveats,
>>
>> 1) Only one AD domain, so if you have an AD "forest" you can only do one sub-domain.   So if the root is "example.com" and you have "staff.example.com" and "clients.example.com" you can do only one, say staff.example.com to IPA.
>>
>> Possible issues,
>>
>> 2) There is a bug in the setup where you have to be careful that you specify the right OU= IF your users are not in the expected default (cn=users?), otherwise the IPA users get deleted rather than ignored, you end up with an empty IPA....frightened me senseless!
> https://fedorahosted.org/freeipa/ticket/2688
> and
> https://fedorahosted.org/389/ticket/355
>
> The problem is caused when you have a user ID in IPA that has the same
> user ID as a user in AD, but you didn't want them to be synced, and the
> AD user entry is outside the scope of the windows sync agreement.  This
> may or may not be a problem in your deployment.
>
>>
>> So,
>>
>>      a) If you have users in multiple ou's then only one set is synced the rest in IPA will go bye bye, unless they are unique to IPA.
> See above.
>>      b) If some users have a smartphone to exchange setup the winsync agreement sees that as the user having 2 ous's and first adds and then deletes those users......oops.....I lost 20% of my users that way....
> Is there a ticket/bz for this issue, or is this the same issue as above?
>>
>> These are with RH support, I have a hot fix, I am testing.
>>
>>      c) Its really hard to make sure all users have been transferred as you can only see 2000 users in IPA so something like an external tool like xplorer seem to be the only way for simpletons like myself to look at and compare.
>>
>> This is with RH support.
> There are workarounds.
>>
>> 3) Also with 6.2 or 6.2 upgraded to 6.3 you may find that when the winsync syncs, the IPA users lose all their groups. I have tested a 6.2 upgraded to 6.3 several times and this happens each time but a clean 6.3 IPA seems fine....we don't know why that is yet.
>>
>> This is with RH support,
>>
>> So if you are going to do this you need an isolated test setup to test for un-expected "features" that could really spoil your day.
>>
>> :(
>>
>> My main advice would be restart with a clean 6.3 setup and not an upgraded from 6.2.  I've rebuilt 2 of my three IPA servers and the 6.3 clean builds seem a lot more stable.
>>
>> Also use db2ldif to make backups of your database before you do it....also you might want to halt and turn off any IPA replicas when you do it until after you are happy its stable and OK.
> You can also use db2ldif to get around the 2000 user limit mentioned above.
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of William Muriithi [william.muriithi at gmail.com]
>> Sent: Monday, 5 November 2012 8:23 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] FreeIPA v 2.2 in an AD environment
>>
>> Hi all,
>>
>> I am in the process of deploying FreeIPA 2.2 to authenticate Linux
>> systems and have been able to set up everything nicely with a separate
>> domain.  I mean users are currently using a separate password to access
>> Linux systems and another password from AD for desktop stuff. On
>> Friday, I came across an article on FreeIPA v3 and noticed one can
>> use the same username & password for both Linux and Windows systems.
>> I have since felt this would be a better setup, but feel like the
>> documentation is not clear on how to achieve the above.
>>
>> Would anyone be able to clarify this:
>>
>> - Will I be able to synchronize the current AD user credentials with
>> FreeIPA 2.2, or do I have to upgrade to FreeIPA 3.0?
>> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
>> I can only seem to find FreeIPA v3 RPMs for Fedora 17.  I was hoping
>> to use a blessed RPM instead of rolling one which may be incompatible
>> with the distribution RPM once it comes around.
>>
>> Regards,
>>
>> William
>>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 05 Nov 2012 10:48:26 -0500
> From: Dmitri Pal <dpal at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA v 2.2 in an AD environment
> Message-ID: <5097DFCA.60607 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 11/04/2012 02:23 PM, William Muriithi wrote:
>> Hi all,
>>
>> I am in the process of deploying FreeIPA 2.2 to authenticate Linux
>> systems and have been able to set up everything nicely with a separate
>> domain.  I mean users are currently using a separate password to access
>> Linux systems and another password from AD for desktop stuff. On
>> Friday, I came across an article on FreeIPA v3 and noticed one can
>> use the same username & password for both Linux and Windows systems.
>> I have since felt this would be a better setup, but feel like the
>> documentation is not clear on how to achieve the above.
>>
>> Would anyone be able to clarify this:
>>
>> - Will I be able to synchronize the current AD user credentials with
>> FreeIPA 2.2, or do I have to upgrade to FreeIPA 3.0?
>> - If upgrading is necessary, is there an RPM that can run on RHEL 6.2?
>> I can only seem to find FreeIPA v3 RPMs for Fedora 17.  I was hoping
>> to use a blessed RPM instead of rolling one which may be incompatible
>> with the distribution RPM once it comes around.
>>
>> Regards,
>>
>> William
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose, we recommend using the latest
> available version at the moment of deployment.
> 2) There are two different approaches to dealing with AD - sync or
> trust. You need to choose which approach you want to use. Down the road
> there might be some hybrid solutions, but so far they are not supported.
>
> Sync: available since the beginning of IPA's life. It has some
> limitations, and we indeed had some issues with the corner cases that
> Steve's environment has. They are not common, but you have been warned
> anyway.
>
> Trust:
> a) Trusts are targeting RHEL 6.4
> b) There is no upgrade from the Sync to the Trust solution. If you want trusts
> you need to upgrade what you have to 6.4 (or start over) and implement
> trusts there and not do Sync.
> c) To take advantage of trusts your clients must be SSSD 1.9.x, otherwise
> the trusts will not work. This also means that if you have other UNIXes
> the trusts will not work there.
>
> If you have UNIX clients that need to be accessed by AD users, you might
> explore some hybrid solutions that might work, but we can't say for sure.
> For example, the sync might actually work in parallel to trusts to some
> extent. There is also PAM pass-through capability that comes with 6.4 as
> a tech preview. That would allow pass-through LDAP auth for the non-SSSD
> 1.9 clients. But this needs to be tried out and there might be dragons.
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> ------------------------------
>
> End of Freeipa-users Digest, Vol 52, Issue 9
> ********************************************
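The recurring advice in this thread is to take a db2ldif export of the IPA directory before enabling winsync, and Rich notes that the same export is also the way around the 2000-user display limit when checking that nothing was lost. The script below is an added example, not code from the thread or from FreeIPA/389-ds: it compares two such LDIF exports (one taken before the sync, one after) and reports user entries that disappeared and users whose group memberships vanished (the "users lose all their groups" symptom), and it sanity-checks a --win-subtree DN for the ou=/cn= mix-up Steven describes. The LDIF samples are constructed inline; in practice they would come from db2ldif (the db2ldif path under /usr/lib64/dirsrv/slapd-INSTANCE/ is an assumption that varies by deployment), and the users container DN is assumed to be the IPA default for dc=example,dc=com.

```python
"""Pre/post winsync user diff over db2ldif exports, plus a --win-subtree DN check.

Added example. The two LDIF strings below are constructed samples standing in
for real db2ldif output (assumed to be exported with something like
/usr/lib64/dirsrv/slapd-INSTANCE/db2ldif -n userRoot -a /root/before.ldif).
"""

# Constructed sample: IPA user container before a winsync run.
BEFORE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
objectClass: posixaccount
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
objectClass: posixaccount

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
objectClass: posixaccount
"""

# Constructed sample: the same container after a sync that removed bob and
# stripped alice's group membership, the two failure modes the thread describes.
AFTER_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
objectClass: posixaccount

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
objectClass: posixaccount
"""

# Assumed IPA users container for the example domain.
USERS_CONTAINER = "cn=users,cn=accounts,dc=example,dc=com"


def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into {dn: {attr: [values]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def user_dns(entries, container=USERS_CONTAINER):
    """DNs of entries that live directly or indirectly under the users container."""
    suffix = "," + container.lower()
    return {dn for dn in entries if dn.lower().endswith(suffix)}


def diff_users(before_text, after_text, container=USERS_CONTAINER):
    """Report users missing after the sync and users whose memberOf attributes vanished."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    b, a = user_dns(before, container), user_dns(after, container)
    lost_users = sorted(b - a)
    lost_groups = sorted(
        dn for dn in b & a
        if before[dn].get("memberof") and not after[dn].get("memberof")
    )
    return {"lost_users": lost_users, "lost_groups": lost_groups}


def check_win_subtree(dn):
    """Classify the first RDN of a --win-subtree DN: ou= is expected for an AD OU."""
    rdn, sep, _rest = dn.partition(",")
    attr, eq, value = rdn.partition("=")
    attr, value = attr.strip().lower(), value.strip()
    if not eq or not attr or not value:
        return "invalid: first RDN is not attribute=value"
    if attr == "ou":
        return "ok: first RDN is an organizational unit"
    if attr == "cn":
        return ("warning: first RDN is cn=, not ou=; AD's default Users container is "
                "cn=Users, but an OU you created must be referenced as ou=")
    return "warning: unusual RDN attribute '%s'" % attr


if __name__ == "__main__":
    report = diff_users(BEFORE_LDIF, AFTER_LDIF)
    print("users missing after sync:", report["lost_users"])
    print("users that lost all groups:", report["lost_groups"])
    for candidate in ("ou=staff_folder,dc=example,dc=com", "cn=staff_folder,dc=example,dc=com"):
        print(candidate, "->", check_win_subtree(candidate))
```

Run it against two real exports by replacing the constructed strings with the file contents; a non-empty `lost_users` list after a first sync is the signal to restore from the pre-sync LDIF rather than let replicas pick up the deletions.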
