Mark Christiansen wrote:
Hi Simo,

Yes, I can get a kerberos ticket on both Windows and Linux clients. I am able to configure a browser on the machine with FreeIPA and use its web interface, but I am unable to do the same on the clients.

Thanks for your suggestions!
Are you configuring your browser according to: http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser

rob
-Mark

On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce <ssorce redhat com> wrote:

Can you get a kerberos ticket on the clients?
If not, what error do you get?

Simo.

On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> Hello everyone,
>
> Recently I sent an e-mail because I couldn't get access to freeipa on
> any machine other than the one with freeipa installed. I reinstalled
> the MIT Kerberos client, and am now able to authenticate on a Windows
> machine. However, I can still not get the webpage to display on
> either a Windows or a Linux platform (other than the virtual machine
> freeIPA is installed on). I have reinstalled several times, and don't
> know what I could be missing. All of my machines are on one subnet,
> and I temporarily disabled firewalls to see if that could be the
> issue.
>
> Thanks for any tips!
>
> -Mark
>
> On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request redhat com> wrote:
> Send Freeipa-devel mailing list submissions to
> freeipa-devel redhat com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> or, via email, send a message with subject or body 'help' to
> freeipa-devel-request redhat com
>
> You can reach the person managing the list at
> freeipa-devel-owner redhat com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-devel digest..."
>
>
> Today's Topics:
>
> 1. Re: [PATCH] be clearer about what is being configured
> (Rob Crittenden)
> 2. AD and freeIPA synch (Karl Wirth)
> 3. Re: AD and freeIPA synch (Rich Megginson)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 06 Jun 2008 15:27:21 -0400
> From: Rob Crittenden <rcritten redhat com>
> Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being
> configured
> To: freeipa-devel <freeipa-devel redhat com>
> Message-ID: <48498F99 5090903 redhat com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Skipped content of type multipart/mixed
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3245 bytes
> Desc: S/MIME Cryptographic Signature
> Url : https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin
>
> ------------------------------
>
> Message: 2
> Date: Fri, 06 Jun 2008 15:32:29 -0400
> From: Karl Wirth <kwirth redhat com>
> Subject: [Freeipa-devel] AD and freeIPA synch
> To: freeipa-devel redhat com, freeipa-interest redhat com
> Message-ID: <484990CD 30206 redhat com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Many organizations have given feedback that they want to make sure that
> freeIPA can synch with AD. We want to provide more than what is
> available in the winsynch that is in fedora directory server. Here are
> my thoughts on what the features should be in this area. I would love
> your feedback. Does this sound right? What is missing? Longerterm, we
> hope to enable kerberos trust between AD and IPA but even then some
> folks will want synch as well. Thoughts?
>
> AD and freeIPA synch requirements ---proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD
>
> 2. Synch userid and attributes
> - Configurable which attributes
> - If full posix available then make this available
> - Configurable translation between attributes (i.e transform data such
> as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing
> this and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain. Not multiple.
> - Identity/attribute synch is supported across multiple domains.
> ---If the same user is in multiple domains, there is a problem ---- Not
> supported
> ---If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires passsynch on domain controllers
> - Proposal 1: Requires password to only change on AD. Probably not ok.
> - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups.
> Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3
> above and bring along all of their groups and keep their memberships in
> them.
> - Third option: No group synch at all
> - Fourth option: No support for nested groups
>
> Best regards,
> Karl
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 06 Jun 2008 13:38:50 -0600
> From: Rich Megginson <rmeggins redhat com>
> Subject: Re: [Freeipa-devel] AD and freeIPA synch
> To: kwirth redhat com
> Cc: freeipa-devel redhat com, freeipa-interest redhat com
> Message-ID: <4849924A 40303 redhat com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Karl Wirth wrote:
> > Hello,
> >
> > Many organizations have given feedback that they want to make sure that
> > freeIPA can synch with AD. We want to provide more than what is
> > available in the winsynch that is in fedora directory server. Here are
> > my thoughts on what the features should be in this area. I would love
> > your feedback. Does this sound right? What is missing? Longerterm, we
> > hope to enable kerberos trust between AD and IPA but even then some
> > folks will want synch as well. Thoughts?
> >
> > AD and freeIPA synch requirements ---proposal for your review and feedback
> >
> > 1. Keep password in AD same as PW in IPA
> > - If changed in AD, bring change over to IPA
> > - If changed in IPA, bring change over to AD
> >
> One problem with this is password policy - min length, complexity,
> history, etc. How to sync password policy between IPA and AD?
> > 2. Synch userid and attributes
> > - Configurable which attributes
> > - If full posix available then make this available
> > - Configurable translation between attributes (i.e transform data such
> > as middle name length or whatever)
> > - Configurable mapping between attribute names
> > - Generate attributes if not present in AD with flexible rules for doing
> > this and vice versa
> >
> > 3. Which subsets of users to keep in synch
> > - Make it possible to define which AD/IPA users should be kept in synch
> >
> > 4. Topology
> > - Password synch is only supported with 1 AD domain. Not multiple.
> > - Identity/attribute synch is supported across multiple domains.
> > ---If the same user is in multiple domains, there is a problem ---- Not
> > supported
> > ---If the same userid in different domains but different user, resolve
> > - Need to support PW change on any IPA server
> > - Need to support PW change on an AD server
> >
> Support for uni-directional sync - many Fedora DS users have asked for
> the ability to sync changes only from Fedora DS to AD, or vice versa,
> but not both ways. Or perhaps uni-directional for passwords (due to
> password policy) and bi-di for other data.
> > 5. Failover
> > - Support for failover AD DC
> > - Support for failover IPA
> >
> > 6. Install and Packaging
> > - Separate install of synch tool
> > - Preconfigured synch tool with easy to point to IPA and AD
> > - Predefined
> > - Requires passsynch on domain controllers
> > - Proposal 1: Requires password to only change on AD. Probably not ok.
> > - Proposal 2: Make changes to IPA to hand PW to AD
> >
> > 7. Groups.
> > Allow four options that an administrator can choose between:
> > - One option: Synchronize all users from AD into one IPA group
> > - Second option: Synchronize all users according to filter defined in #3
> > above and bring along all of their groups and keep their memberships in
> > them.
> > - Third option: No group synch at all
> > - Fourth option: No support for nested groups
> >
> Support for AD memberOf (if not already fully supported by ipa-memberof).
> > Best regards,
> > Karl
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel redhat com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3245 bytes
> Desc: S/MIME Cryptographic Signature
> Url : https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin
>
> ------------------------------
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel redhat com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> End of Freeipa-devel Digest, Vol 13, Issue 11
> *********************************************
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel redhat com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

--
Simo Sorce * Red Hat, Inc * New York

------------------------------------------------------------------------

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel redhat com
https://www.redhat.com/mailman/listinfo/freeipa-devel