<div dir="ltr"><div>the one run I tried on Ubunutu was a total fail. Most likely issue was the ubunutu setup itself. Machine owned by total non-admin type and was very poorly setup/managed/maintained. It gets rebooted nearly daily and then he manually remounts the large data areas as they "move around".<br>
<br></div>The IPA parts installed fine and the config ran. But the system just didn't actually _use_ the freeIPA authentication. I'm 99% certain there was crufty weirdness in the pam but the owner started pitching a fit about not having access to his machine (I hammered on this issue for 2 days solid with no success) so I was "evicted" from the process before I could schlog my way through the pam settings. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 22, 2014 at 12:00 PM, JD <span dir="ltr"><<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I think the client has been working well for years on Debian and Ubuntu even<br>
across major release differences between the clients and server.<br>
<br>
I did see a pull request on the project in the last 24 hrs (happened to look at<br>
the git repo), but prior to that, it was a very long time. This assumes I was<br>
actually looking at the correct version system - hard for me to tell for<br>
Fedora-based stuff. I just don't have the knowledge.<br>
<div class="HOEnZb"><div class="h5"><br>
On 08/22/2014 11:48 AM, Jim Kinney wrote:<br>
> Just saw a note on the freeIPA list that the devels hope to have a server<br>
> working by Dec in Debian unstable. No status of client support was<br>
> mentioned.<br>
><br>
><br>
> On Fri, Aug 22, 2014 at 9:25 AM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
><br>
>> I don't use Debian anywhere to test. Once I get caught up on current<br>
>> projects, I'll set up an Ubuntu VM for IPA testing as that is the other<br>
>> distro used internally.<br>
>> On Aug 22, 2014 8:24 AM, "JD" <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br>
>><br>
>>> Sounds like NIS/NIS+.<br>
>>><br>
>>> I looked a few months ago and the debian port of freeIPA seemed stalled<br>
>>> over the<br>
>>> 50+ different languages used in the 100+ tiny tools that make up the<br>
>>> offering. A<br>
>>> few of the key tools didn't work on Debian. I'm exaggerating a little,<br>
>>> but not<br>
>>> much. Have things changed?<br>
>>><br>
>>><br>
>>> On 08/22/2014 07:59 AM, Jim Kinney wrote:<br>
>>>> Bite the bullet and look at freeIPA. It's designed to run AD out of the<br>
>>>> workplace.<br>
>>>> The clincher for me was the hostgroup. All users are in a primary group<br>
>>> and<br>
>>>> as many secondary groups as needed. Hosts are also in groups or not.<br>
>>> User<br>
>>>> groups of the proper type can access host groups as allowed. This can<br>
>>> also<br>
>>>> setup sudo capabilities by user, user group, host and host group. So a<br>
>>>> script that runs as root that does a particular needed task can be<br>
>>> deployed<br>
>>>> to all systems but only accessed by allowed users on allowed hosts. Time<br>
>>>> controls exist as well.<br>
>>>><br>
>>>> Backups of freeIPA are a bit unnerving. They basically don't exist other<br>
>>>> than turn down the service and copy all files. What is used is the multi<br>
>>>> master replication.<br>
>>>><br>
>>>> I have 2 primary masters that are department wide. There's a new group<br>
>>> in a<br>
>>>> remote location that has their own big server. It's a secondary master.<br>
>>>> Masters run DNS as well as user with. So the clients in that group use<br>
>>> that<br>
>>>> as their primary DNS and the others as secondary. If network is flaky,<br>
>>> they<br>
>>>> have only a single switch between client and server. And the server<br>
>>> stays<br>
>>>> synchronized with the larger group.<br>
>>>> A really nice feature if freeIPA is it can hold ssh pub keys for users.<br>
>>> SSh<br>
>>>> and Pam knows to check the LDAP for pub keys on login. For users, no<br>
>>> more<br>
>>>> key migration. If you're allowed on that machine, it just works. For<br>
>>>> admins, if a user must be locked out, just dumping their key and locking<br>
>>>> the account to disabled handles it.<br>
>>>><br>
>>>> Yes, it's run/funded by RedHat now. Debian supports it but I found some<br>
>>>> blockers in Ubuntu (10 I think. Not tried 12). I don't know if SUSE has<br>
>>> a<br>
>>>> pam/ssh compatible or not.<br>
>>>> It works. It works very well. Active support community with developers<br>
>>> on<br>
>>>> the mailing list who help.<br>
>>>><br>
>>>> Added bonus is dogtag is used for CA and cert management. This can<br>
>>> provide<br>
>>>> user certs for authenticated access to internal websites.<br>
>>>> On Aug 22, 2014 6:58 AM, "JD" <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br>
>>>><br>
>>>>> On 08/22/2014 12:19 AM, Jeff Hubbs wrote:<br>
>>>>>> On 8/21/14, 11:43 PM, JD wrote:<br>
>>>>>>> NIS if you don't care about security.<br>
>>>>>>><br>
>>>>>>> LDAP if you do. FreeIPA is the RH answer for this - I'm jealous.<br>
>>>>>> Agree re LDAP; if you're syncing passwd/group/sudoers files, you're<br>
>>>>> Doing It<br>
>>>>>> Wrong (tm). I long advocated avoiding "X's LDAP solution" (for values<br>
>>>>> of X to<br>
>>>>>> include Red Hat and Microsoft) so you are motivated to keep things<br>
>>>>> simple and<br>
>>>>>> manageable and don't wind up in abandonwareland or experience<br>
>>>>>> embrace/extend/extinguish.<br>
>>>>>><br>
>>>>><br>
>>>>> So - if not puppet/ansible - then how should we be managing sudoers?<br>
>>>>> Teach me Obiwan.<br>
>>>>><br>
>>>>> Please don't say eTrust. ;)<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div>