is AD trust possible without Samba bits?
by lejeczek
hi guys,
I do not suppose it is possible, but it would be great to get absolute
clarification - an AD trust cannot be established, and even if it can be,
it cannot work later at all, if Samba is not under IPA's rule -
correct? It is simply not possible, right?
many thanks, L
5 years, 2 months
FreeIPA replica setup
by Alfredo De Luca
Hi all.
I need to set up a FreeIPA replica and am not sure which approach is the best and
most reliable.
I found a few people preparing the replica from the server; others just
install the replica on another machine with the appropriate
configuration.
Any info/docs?
--
*Alfredo*
5 years, 2 months
Running FreeIPA server containers on Ubuntu docker setups / Travis CI
by Jan Pazdziora
Hello,
Stanislav and I have been setting up Travis CI for the
https://github.com/freeipa/freeipa-container
repository. We now run docker build operations for pull requests
and commits, and I've been trying to add docker run tests as well.
Example Travis build
https://travis-ci.org/adelton/freeipa-container/builds/400275700
from
https://github.com/adelton/freeipa-container/commit/16ced918f8492e583ff02...
seems to pass on CentOS and rawhide images but fails on other Fedoras.
All the failures are in the
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[error] RuntimeError: CA configuration failed.
step. I remember that, due to the way systemd was handling KEYRING
operations, seccomp:unconfined was one of the things that have been
causing issues in our tests on Fedora hosts. Running
docker info
in Travis CI shows that it's running 17.09.0-ce and there are no
Security Options listed, unlike on my Fedora 28's
docker-1.13.1-59.gitaf6b32b.fc28.x86_64 which has
Security Options:
seccomp
Profile: /etc/docker/seccomp.json
selinux
Are there people around with Ubuntu knowledge who could check what
the docker 17.09.0-ce behaviour on that system is and if seccomp can
somehow be tweaked?
Thank you,
--
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
5 years, 2 months
Integration of samba into a freeipa trust with AD
by Pierre Labanowski
Hi, everybody,
I have a question about the best-practice use of FreeIPA with an AD trust
and/or a sync relationship from winsync users.
1/ trust
To set up an SMB file sharing service via Samba, would you advise
integrating it in the IPA realm or in the AD domain?
Both are possible, but why one more than the other? In terms of file
access performance (metadata, ACLs, etc.) managed via the SMB protocol,
isn't there a drawback related to Samba in the IPA realm serving users
who use a Windows client?
2/ winsync
Do you have the same arguments in the case of a sync between AD
and IPA?
Thx
Pierre
5 years, 2 months
Getting Synology NAS to play nice with FreeIPA
by Kristian Petersen
I have a Synology NAS which hosts some SMB shares on my network. I would
like to be able to use FreeIPA as the LDAP provider it checks against for
authenticating these shares. I have a system user that I created in
FreeIPA for this purpose.
I configured the NAS to connect to my FreeIPA server for LDAP, but I get a
message about a failure to access some users' NT passwords and how the Samba
service may not work for these users. It also says it could be either a
lack of NT passwords for the users or insufficient privileges to access
them. After chatting with Synology support, they wanted me to enable CIFS
plaintext password authentication. However, if I select that option it
gives me a warning about the share not being able to be the remote mount
target of CIFS anymore, due to SMB being set to v1 only and disabling the
SMB-related Bonjour service. If the system user doesn't have the needed
privileges, how can I fix that, since I can't enroll the NAS?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
5 years, 2 months
AD and IPA integration
by Николай Савельев
I changed the password of AD users.
I can't log in on IPA servers with the new password, but I can with the old one. Why?
I tried restarting IPA services and reinitializing the trust, but it didn't help.
--
Best regards, Николай.
5 years, 2 months
FreeIPA AD locked account vs public key authentication
by Bart
Hi all,
I would like to use public key authentication in my FreeIPA setup for the users coming from the AD domain. I have everything set up correctly; public key authentication works great aside from one edge case that may render this setup unacceptable. When I lock an AD account (I test this by logging in with the wrong password more than the allowed number of times), the user in question can still access FreeIPA-managed hosts via public key authentication.
According to the information I found regarding this behaviour - https://bugzilla.redhat.com/show_bug.cgi?id=973451 - this is desired behaviour (it's not a bug, it's a feature). Still, it's not a configuration I am happy about :).
Has anything changed since this bug was closed?
Is there a way FreeIPA supports preventing users who are, for whatever reason, locked in AD from accessing FreeIPA-managed hosts?
If this is not currently supported by default, maybe someone could point me to a way I could implement this myself? I am thinking of checking if the user is locked in AD, hopefully by looking at his/her LDAP attributes in the 389 DS server in FreeIPA, if such attributes exist, then removing any public keys that are present in the Default Trust View for this user. At this point I do not know if it is possible; it is just an idea.
I would really appreciate your help.
5 years, 2 months
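As an added example for the idea in the post above (not code from the thread, from FreeIPA or from SSSD): the check "is this AD user currently locked out?" is less trivial than reading one attribute. AD records a lockout in lockoutTime as a Windows FILETIME, auto-unlocks after the domain's lockoutDuration, but only resets lockoutTime on the next successful logon, so a non-zero lockoutTime alone would revoke keys of users who are no longer locked. The script below assumes the lockoutTime values and the domain lockoutDuration have already been fetched from a domain controller (e.g. with ldapsearch; the records here are constructed inline), and assumes the revocation is done by clearing the sshpubkey attribute on the user's ID override with `ipa idoverrideuser-mod`; the domain name ad.example.com and the exact option syntax are assumptions to verify against `ipa help idoverrideuser-mod` on your version.

```python
"""Decide which AD users should lose the SSH public keys stored in a FreeIPA
ID view because their AD account is currently locked out.

Added example for this thread, not FreeIPA code. Assumptions: lockoutTime
and the domain lockoutDuration were fetched from AD beforehand (sample
records below are constructed); revocation syntax is assumed, verify it.
"""
import shlex
import time
from typing import List, Optional

# Windows FILETIME counts 100ns ticks since 1601-01-01, which is this many
# seconds before the Unix epoch.
FILETIME_EPOCH_OFFSET = 11_644_473_600
FILETIME_TICKS_PER_SECOND = 10_000_000

# AD stores lockoutDuration on the domain NC as a NEGATIVE tick count.
THIRTY_MINUTES = -18_000_000_000
# Special value meaning "locked until an administrator unlocks the account".
UNLOCK_BY_ADMIN_ONLY = -(2 ** 63)


def filetime_to_epoch(filetime: int) -> float:
    """Convert a Windows FILETIME to Unix epoch seconds."""
    return filetime / FILETIME_TICKS_PER_SECOND - FILETIME_EPOCH_OFFSET


def lockout_duration_seconds(lockout_duration: int) -> Optional[float]:
    """Positive seconds, or None when only an admin can unlock."""
    if lockout_duration == UNLOCK_BY_ADMIN_ONLY:
        return None
    return -lockout_duration / FILETIME_TICKS_PER_SECOND


def is_locked_out(lockout_time: int, lockout_duration: int,
                  now: Optional[float] = None) -> bool:
    """lockoutTime == 0 means never locked or unlocked by an admin.
    A non-zero value only means 'locked at that time': AD auto-unlocks after
    lockoutDuration without touching the attribute, so compare with now."""
    if lockout_time == 0:
        return False
    duration = lockout_duration_seconds(lockout_duration)
    if duration is None:
        return True
    if now is None:
        now = time.time()
    return filetime_to_epoch(lockout_time) + duration > now


def users_to_revoke(records: List[dict], lockout_duration: int,
                    now: Optional[float] = None) -> List[str]:
    """Return sAMAccountNames whose keys should be removed right now."""
    return [r["sAMAccountName"] for r in records
            if is_locked_out(int(r.get("lockoutTime", 0)), lockout_duration, now)]


def revoke_command(user: str, domain: str,
                   view: str = "Default Trust View") -> str:
    """Assumed remediation (verify on your IPA version): clear sshpubkey on
    the user's override in the ID view. An empty value clears the attribute."""
    return shlex.join(["ipa", "idoverrideuser-mod", view,
                       f"{user}@{domain}", "--sshpubkey="])


# Constructed sample data: "now" is 2018-07-01 00:00:00 UTC.
NOW = 1_530_403_200.0
SAMPLE_RECORDS = [
    # alice was locked 10 minutes ago -> still inside a 30 minute lockout
    {"sAMAccountName": "alice", "lockoutTime": 131_748_762_000_000_000},
    # bob was locked 2 hours ago -> AD already auto-unlocked him
    {"sAMAccountName": "bob", "lockoutTime": 131_748_696_000_000_000},
    # carol was never locked (attribute absent or 0)
    {"sAMAccountName": "carol", "lockoutTime": 0},
]

if __name__ == "__main__":
    for user in users_to_revoke(SAMPLE_RECORDS, THIRTY_MINUTES, NOW):
        print(revoke_command(user, "ad.example.com"))  # assumed domain
```

With the 30 minute policy only alice is reported; bob's stale lockoutTime is ignored because the lockout window has passed, which is the case a naive "lockoutTime != 0" check gets wrong. Run the resulting commands from a host with a Kerberos ticket that holds the ID view write privilege, and remember that SSSD caches sshpubkey, so a locked user may keep working until the cache entry expires or is flushed.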
Rename HBAC Rule
by Ronald Wimmer
Is there a way to rename an existing HBAC rule? The WebGUI only offers
enable/disable/delete...
Regards,
Ronald
5 years, 2 months