Configuring Windows 10 to use FreeIPA
by Joyce Babu
I followed the instructions for setting up Windows 10 to use FreeIPA for
authentication:
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
After following the instructions, the default domain displayed on the Windows 10
login screen is EXAMPLE and EXAMPLE.COM. I am able to log in by entering
EXAMPLE.COM\user as the username. But when I enter the username without the
leading domain name, login fails with a 'Client not found in Kerberos
database' error.
Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135),
DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE
for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
Is it possible to change the default domain on the Windows login screen to
EXAMPLE.COM from EXAMPLE?
Thanks,
Joyce Babu
4 years, 8 months
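Added example (not part of the original post and not FreeIPA code): a log triage helper for the KDC error quoted in the post above. It parses krb5kdc AS_REQ lines and flags CLIENT_NOT_FOUND requests whose client realm differs from the KDC realm, as with user@EXAMPLE against EXAMPLE.COM. The function names and the second and third sample lines are constructed for illustration; the realm EXAMPLE.COM comes from the post.

```python
import re

# Tail format "<src>: <STATUS>: <client> for <server>, <message>", as in the
# krb5kdc line quoted in the post. Successful (ISSUE) lines use another layout.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{.*?\}\) "
    r"(?P<src>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)

def parse_as_req(line):
    """Return the fields of one AS_REQ log line, or None if it does not match."""
    m = AS_REQ.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    user, sep, realm = rec["client"].rpartition("@")
    rec["user"] = user if sep else rec["client"]
    rec["client_realm"] = realm if sep else ""
    return rec

def find_realm_mismatches(lines, kdc_realm):
    """CLIENT_NOT_FOUND requests that asked for a realm other than kdc_realm."""
    short = kdc_realm.split(".")[0].upper()
    findings = []
    for line in lines:
        rec = parse_as_req(line)
        if rec is None or rec["status"] != "CLIENT_NOT_FOUND":
            continue
        asked = rec["client_realm"].upper()
        if asked == kdc_realm.upper():
            continue  # correct realm: the principal itself is unknown
        # True when the client sent only the first label of the realm name
        rec["short_realm"] = asked == short
        findings.append(rec)
    return findings

ETYPES = ("(6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), "
          "DEPRECATED:des-cbc-md5(3)})")
PREFIX = "Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ " + ETYPES
SAMPLE_LOG = [
    # From the post (re-joined onto one line)
    PREFIX + " 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE for "
    "krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database",
    # Constructed: right realm, pre-authentication round trip
    PREFIX + " 192.168.0.185: NEEDED_PREAUTH: user@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    # Constructed: right realm, unknown principal
    PREFIX + " 192.168.0.186: CLIENT_NOT_FOUND: ghost@EXAMPLE.COM for "
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
]

if __name__ == "__main__":
    for f in find_realm_mismatches(SAMPLE_LOG, "EXAMPLE.COM"):
        print(f["src"], f["client"], "short realm" if f["short_realm"] else "other realm")
```

A finding with `short_realm` set separates a client that sent the short domain name from a request for a principal that really does not exist in the right realm.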
Terminating replication agreement
by Randy Morgan
I have a two year image of one of my IPA servers that I am trying to
bring live. Unfortunately all of the certs except the CA are expired.
I have attempted to follow the instructions for updating the certs, but
it has failed to update them. After careful and extensive digging, I
have found that the issue is two replication agreements from other IPA
servers that have since been rebuilt. Because of the expired certs I
can't login to the web UI, so I can't terminate the agreements that way,
and the IPA commands fail. Is there a way to terminate these agreements
manually by removing the references to the two servers?
Randy Morgan
--
Randy Morgan
CSR
Department of Chemistry/BioChemistry
Brigham Young University
4 years, 8 months
IPA integration with AD - trust issues and controversy
by Pieter Baele
Hi,
We use an IPA domain for a large part of our internal servers.
Our first one-way trust implementation was not properly working because of
routing issues.
Two-way trust in our environment is not possible, because normal users are
limited.
(we can resolve 'system/service' accounts without those limitations)
After finding out about this limitation, we again configured one-way
trust.
This time, we found out about the registry / GPO solution to direct Windows
clients to the IPA KDCs.
(https://gpo.wiki/wiki/Kerberos.admx:Computer_Configuration#Define_host_na...)
And all is working properly...
Last week we received a request from an external company that wants AD
integration.
They will manage their own set of RHEL servers for a specific project.
I proposed they can use the IDM domain for feature-full integration with
the AD domain.
But.... there is some discussion going on.... our AD architect(s) call the
IPA integration with AD lacking.
Their opinion is that Windows clients should discover automatically when
they need an IPA KDC.
Also, they find it a severe issue that everything is hidden after one SID
(which is given permissions with the correct search scope).
As such they can't see/discover anything in the IPA domain (logically...)
So the Windows / AD guys propose a direct integration using a keytab -
without thinking about the requirements, and comparing with network devices
or appliances
I am not talking about realmd.
What is the up-to-date opinion on SSSD realmd integration versus IDM
integration? Or other options?
What will the external company be losing in features?
And which has most risks?
But most of all: what can we do to make IPA domain<-> AD domain integration
better?
Sincerely, Pieter
4 years, 8 months
How to archive this?
by Andreas Kucher
Hi There,
I have a FreeIPA 4.6.4 server and two replica servers up and running.
So far so good. Now I want to connect my hosts to my Synology NAS
running DSM 6.2.2.
My first thought was to use Kerberos and NFS4, but unfortunately I did not
figure out how to do this. Maybe you have a good tutorial?
In the end I found this page:
https://frederik.lindenaar.nl/2019/07/14/integrating-synology-ds-with-fre...
I think I will try to do this and just access the shares with "LDAP".
My question is: if I want to install "ipa-adtrust-install" but it was
not installed using yum (because I thought it was not necessary), can I
simply install it? Do I have to run it on the replicas as well?
Maybe you can have a look at the page of Frederik and share your
thoughts about it?
Thank you in advance
Andy
4 years, 8 months
Manually join machines in stateless environment
by Vinícius Ferrão
Hello, the subject of the message may sound a little bit strange, but let me explain what I’m trying to do.
I have a machine with a provisioner (xCAT) that is able to boot and control different types of computer nodes. A stateless node is just a machine that boots over the network from a shared image on the server.
What I’m trying to do?
Join those stateless nodes to FreeIPA Server.
To do this, I’m aware that I can’t just run freeipa-client-install on the image chroot, since it will not behave as expected.
At this point xCAT (the provisioner) can create the DNS registers of the stateless nodes on FreeIPA integrated DNS (using TSIG keys). But I need to properly join the nodes to the server.
Is there a way to manually register the nodes on the server?
And about the users? How to enable them? Just configure SSSD on the image and it should be fine?
The certificates, client certificates and things like this? Is there something that I need to do?
Automount?
Any help is really appreciated.
Thanks,
4 years, 8 months
Re:
by Nazan CENGİZ
Hi,
What is the name of the community?
Do you have an existing slack group?
Thanks.
Nazan CENGİZ
R&D Engineer
________________________________
From: Nazan CENGİZ
Sent: Wednesday, September 25, 2019 11:27:45 AM
To: freeipa-users(a)lists.fedorahosted.org
Subject:
Hi all,
Shall we create a Slack band?
IRC is banned in our company.
Would you mind?
4 years, 8 months
Re: log dispatching for IPA servers
by Nazan CENGİZ
Hi all,
I wanted monitoring and centralized logging. For example, the ELK (Elasticsearch, Logstash, Kibana) Stack. But I don't know the config on FreeIPA server and client. Is there an auxiliary resource?
https://github.com/mzamora9913/Collecting-Syslogs-from-FreeIPA-and-client...
But I don't understand it.
Could you please tell me whether you have any research or a tutorial for FreeIPA centralized logging?
Best Regards.
Nazan CENGİZ
R&D Engineer
________________________________
From: Nazan CENGİZ
Sent: Tuesday, September 24, 2019 1:08:15 PM
To: Angus Clarke; freeipa-users(a)lists.fedorahosted.org
Cc: Fraser Tweedale
Subject: Re: [Freeipa-users] Re: log dispatching for IPA servers
I wanted logging for an IPA server and many IPA clients. I also want to keep logging and monitoring at the interface.
________________________________
From: Angus Clarke <post(a)angusclarke.com>
Sent: Tuesday, September 24, 2019 12:47:46 PM
To: Nazan CENGİZ; freeipa-users(a)lists.fedorahosted.org
Cc: Fraser Tweedale
Subject: [Freeipa-users] Re: log dispatching for IPA servers
Hi
If you just want an audit trail of the FreeIPA server(s) API, then Apache's ErrorLog directive catches all that.
Regards
Angus
4 years, 8 months
Re: log dispatching for IPA servers
by Fraser Tweedale
Hi Nazan,
I'm not sure what are the best practices for log dispatching on IPA
servers, or what is suitable for your customer's environment and
requirement. I assume the customer is running RHEL and therefore
wants the solution to only use supported components. Adding
freeipa-users@ for a wider audience.
Cheers,
Fraser
On Tue, Sep 24, 2019 at 07:50:14AM +0000, Nazan CENGİZ wrote:
> Hi Fraser,
>
> I am working on a 5G project in Turkey. Red Hat supported me for OpenStack 13.
>
> We install FreeIPA. We wanted log monitoring on FreeIPA server and clients. I think it should be Kibana, Elasticsearch and fluentd.
>
> I see https://sysadmin.miniconf.org/2018/lca2018-fraser_tweedale-user_session_r....
>
> But I don't know how to install it on FreeIPA server and clients. Where is fluentd installed on IPA server and clients?
>
> I am following https://github.com/mzamora9913/Collecting-Syslogs-from-FreeIPA-and-client... but it does not answer the questions.
>
> Could you please help me?
>
> Best Regards,
>
> Nazan.
4 years, 8 months