<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
When adding the AD trust using 'ipa-ad-trust-posix' range type then
IPA will search AD for the ID space of existing POSIX attributes to
automatically create a suitable ID range inside IPA.<br>
<br>
You can check the exact steps and attributes searched by looking at
the add_range function definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py<br>
<br>
I would suggest reviewing the output of 'ipa idrange-find' to
confirm that the range matches up with the uid and gidNumbers of
your AD environment.<br>
<br>
Kind regards,<br>
Justin Stephenson<br>
<br>
<div class="moz-cite-prefix">On 07/19/2016 09:44 AM, Jan Karásek
wrote:<br>
</div>
<blockquote
cite="mid:1660290084.1929595.1468935884877.JavaMail.zimbra@elostech.cz"
type="cite">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Hi,<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>I am still fighting with storing user's POSIX attributes in
AD. Please can anybody provide some simple reference settings
of IPA-AD trust where users are able to get uid from AD - not
from IPA ID pool ?</div>
<div><br data-mce-bogus="1">
</div>
<div>I have tried to set values of attributes before and after
creating trust, I have tried different sssd setting but I'm
still getting uid from <span style="color: #000000;
font-family: arial, helvetica, sans-serif; font-size: 16px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: 1;
word-spacing: 0px; -webkit-text-stroke-width: 0px; display:
inline !important; float: none; background-color: #ffffff;"
data-mce-style="color: #000000; font-family: arial,
helvetica, sans-serif; font-size: 16px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none; white-space:
normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none; background-color: #ffffff;"> IPA idrange pool
instead of from AD user's attribute.</span></div>
<div><span style="color: #000000; font-family: arial, helvetica,
sans-serif; font-size: 16px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none; white-space:
normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none; background-color: #ffffff;"
data-mce-style="color: #000000; font-family: arial,
helvetica, sans-serif; font-size: 16px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none; white-space:
normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none; background-color: #ffffff;"><br
data-mce-bogus="1">
</span></div>
<div><span style="color: #000000; font-family: arial, helvetica,
sans-serif; font-size: 16px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none; white-space:
normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none; background-color: #ffffff;"
data-mce-style="color: #000000; font-family: arial,
helvetica, sans-serif; font-size: 16px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none; white-space:
normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; display: inline !important;
float: none; background-color: #ffffff;">What exactly is IPA
checking when it tries to decide what type of trust will be
set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?</span></div>
<div><br data-mce-bogus="1">
</div>
<div>Do I have to mandatory fill some AD user's attributes to
get it work ? Currently I'am testing just with uidNumber and
gidNumber.</div>
<div><br>
</div>
<div>There is almost no documentation about this topic so I
don't know what else I can try ...</div>
<div><br data-mce-bogus="1">
</div>
<div>Thanks for help,</div>
<div><br data-mce-bogus="1">
</div>
<div data-marker="__SIG_PRE__">Jan</div>
<div><br>
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><br>
</div>
<div data-marker="__QUOTED_TEXT__">Date: Tue, 21 Jun 2016
21:38:15 +0200<br>
From: Jakub Hrozek <a class="moz-txt-link-rfc2396E" href="mailto:jhrozek@redhat.com"><jhrozek@redhat.com></a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
Subject: Re: [Freeipa-users] AD trust with POSIX attributes<br>
Message-ID: <20160621193815.GS29512@hendrix><br>
Content-Type: text/plain; charset=iso-8859-1<br>
<br>
On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek wrote:<br>
> Hi all, <br>
> <br>
> I have a questions about IPA with AD forest trust. What I
am trying to do is setup environment, where all informations
about users are stored in one place - AD. I would like to read
at least uid, home, shell and sshkey from AD. <br>
> <br>
> I have set up trust with this parameters: <br>
> <br>
> ipa trust-add EXAMPLE.TT --type=ad
--range-type=ipa-ad-trust-posix --admin=administrator <br>
<br>
Did you add the POSIX attributes to AD after creating the
trust maybe?<br>
<br>
> <br>
> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range <br>
> Range name: EXAMPLE.TT_id_range <br>
> First Posix ID of the range: 1392000000 <br>
> Number of IDs in the range: 200000 <br>
> Domain SID of the trusted domain:
S-1-5-21-4123312533-990676102-3576722756 <br>
> Range type: Active Directory trust range with POSIX
attributes <br>
> <br>
> <br>
> I have set attributes in AD for <a class="moz-txt-link-abbreviated" href="mailto:user@EXAMPLE.TT">user@EXAMPLE.TT</a> <br>
> - uidNumber -10000 <br>
> - homeDirectory -/home/user <br>
> - loginShell - /bin/bash <br>
> <br>
> Trust itself works fine. I can do kinit with
<a class="moz-txt-link-abbreviated" href="mailto:user@EXAMPLE.TT">user@EXAMPLE.TT</a> , I can run id and getent passwd
<a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a> and I can use <a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a> for ssh. <br>
> <br>
> Problem is, that I am not getting uid from AD but from
idrange: <br>
> <br>
> uid=1392001107(<a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a>) <br>
> <br>
> Also I have tried to switch off id mapping in sssd.conf
with ldap_id_mapping = true in sssd.conf but no luck. <br>
<br>
This has no effect, in IPA-AD trust scenario, the id mapping
properties<br>
are managed on the server.<br>
<br>
> <br>
> I know, that it is probably better to use ID views for
this, but in our case we need to set centrally managed
environment, where all users information are externally
inserted to AD from HR system - included POSIX attributes and
we need IPA to read them from AD. <br>
<br>
I think idviews are better for overriding POSIX attributes for
a<br>
specific set of hosts, but in your environment, it sounds like
you want<br>
to use the POSIX attributes across the board.<br>
<br>
> <br>
> So my questions are: <br>
> <br>
> Is it possible to read user's POSIX attributes directly
from AD - namely uid ? <br>
<br>
Yes<br>
<br>
> Which atributes can be stored in AD ? <br>
<br>
Homedir is a bit special, for backwards compatibility the<br>
subdomains_homedir takes precedence. The others should be read
from AD.<br>
<br>
I don't have the environment set at the moment, though, so I'm
operating<br>
purely from memory.<br>
<br>
> Am I doing something wrong ? <br>
> <br>
> my sssd.conf: <br>
> [domain/a.example.tt] <br>
> debug_level = 5 <br>
> cache_credentials = True <br>
> krb5_store_password_if_offline = True <br>
> ipa_domain = a.example.tt <br>
> id_provider = ipa <br>
> auth_provider = ipa <br>
> access_provider = ipa <br>
> ipa_hostname = ipa1.a.example.tt <br>
> chpass_provider = ipa <br>
> ipa_server = ipa1.a.example.tt <br>
> ipa_server_mode = True <br>
> ldap_tls_cacert = /etc/ipa/ca.crt <br>
> #ldap_id_mapping = true <br>
> #subdomain_inherit = ldap_user_principal <br>
> #ldap_user_principal = nosuchattribute <br>
> <br>
> [sssd] <br>
> services = nss, sudo, pam, ssh <br>
> config_file_version = 2 <br>
> <br>
> domains = a.example.tt <br>
> [nss] <br>
> debug_level = 5 <br>
> homedir_substring = /home <br>
> enum_cache_timeout = 2 <br>
> entry_negative_timeout = 2 <br>
> <br>
> <br>
> [pam] <br>
> debug_level = 5 <br>
> [sudo] <br>
> <br>
> [autofs] <br>
> <br>
> [ssh] <br>
> debug_level = 4 <br>
> [pac] <br>
> <br>
> debug_level = 4 <br>
> [ifp] <br>
> <br>
> Thanks, <br>
> Jan <br>
<br>
<br>
<br>
<br>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>