On 26/03/2018 15:14, Gordon Messmer wrote:
> FreeIPA takes all of one command to install, and one to set up. It
> provides a web UI for both administrative and end-user management of
> users, passwords, login and sudo policy, etc. Anything you find overly
> complex can simply be unused.

FreeIPA is easy to set up, but it is quite a complex beast under the hood. I've had some nasty debugging sessions with it before when things like Kerberos trust relationships failed.

> On 26.03.2018 at 16:31, Tom Grace <lists-in at deathbycomputers.co.uk> wrote:
>
> On 26/03/2018 15:14, Gordon Messmer wrote:
>> FreeIPA takes all of one command to install, and one to set up. It
>> provides a web UI for both administrative and end-user management of
>> users, passwords, login and sudo policy, etc. Anything you find overly
>> complex can simply be unused.
>
> FreeIPA is easy to set up, but it is quite a complex beast under the
> hood. I've had some nasty debugging sessions with it before when things
> like Kerberos trust relationships failed.

Time synchronization for all nodes is crucial for Kerberos ...

--
LF

On 26/03/2018 16:18, Leon Fauster wrote:
> Time synchronization for all nodes is crucial for Kerberos ...

In my case, somehow BIND lost the required Kerberos tokens to be able to talk to the LDAP server on the same host, so DNS didn't work, so it couldn't attempt to refresh the token. Never worked out what the root cause was, but I do remember it being quite fun to get it working again...