<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello,</p>
<p>You should remove the following from sssd.conf:</p>
<blockquote>
<p><i>[domain/example.tt]</i><i><br>
</i><i>debug_level = 7</i><i><br>
</i><i>ldap_id_mapping = False</i><i><br>
</i><i>id_provider = ad</i></p>
</blockquote>
With the AD trust configuration, you do not need to specify any
additional domain because IPA will contact AD across the trust using
the external and POSIX groups you created during the trust setup.<br>
<br>
Once done try restarting sssd and removing the /var/lib/sss/db/*
cache<br>
<br>
Kind regards,<br>
Justin Stephenson<br>
<br>
<div class="moz-cite-prefix">On 07/21/2016 07:56 AM, Jan Karásek
wrote:<br>
</div>
<blockquote
cite="mid:912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz"
type="cite">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Thank you. </div>
<div><br data-mce-bogus="1">
</div>
<div>Now I have IDMU installed and when creating trust, IPA is
correctly autodetecting the range type: <br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Range name: EXAMPLE.TT_id_range<br>
First Posix ID of the range: 10000<br>
Number of IDs in the range: 200000<br>
Domain SID of the trusted domain:
S-1-5-21-4123312533-990676102-3576722756<br>
Range type: Active Directory trust range with POSIX
attributes<br>
</div>
<div><br>
</div>
<div>When asking for uid of the AD user:<br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>[root@ipa1 sssd]# id <a class="moz-txt-link-abbreviated" href="mailto:user1@example.tt">user1@example.tt</a><br>
uid=1392001119(<a class="moz-txt-link-abbreviated" href="mailto:user1@example.tt">user1@example.tt</a>)
gid=1392001119(<a class="moz-txt-link-abbreviated" href="mailto:user1@example.tt">user1@example.tt</a>)
groups=1392001119(<a class="moz-txt-link-abbreviated" href="mailto:user1@example.tt">user1@example.tt</a>),1392000513(domain
<a class="moz-txt-link-abbreviated" href="mailto:users@example.tt">users@example.tt</a>),979000007(external_users)<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>... so ID-mapping is still in action.<br data-mce-bogus="1">
</div>
<div>
<div class="para"><br data-mce-bogus="1">
</div>
<div class="para">According to doc:<br data-mce-bogus="1">
</div>
<div class="para"><br data-mce-bogus="1">
</div>
<div class="para">To use existing POSIX attributes, two things
must be configured:</div>
<div xmlns:d="http://docbook.org/ns/docbook"
class="itemizedlist">
<ul>
<li class="listitem">
<div class="para">The POSIX attributes must be published
to Active Directory's global catalog. - done with
uidNumber, gidNumber<br>
</div>
</li>
<li class="listitem">
<div class="para">ID mapping (<code class="command">ldap_id_mapping</code>
in the Active Directory domain entry) must be disabled
in SSSD. - done<br>
<br>
</div>
</li>
</ul>
</div>
</div>
<div>Here is my sssd.conf from IPA server. Is there anything
else I should do to switch off ID-mapping ?<br
data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>[domain/a.example.tt]<br>
debug_level = 7<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = a.example.tt<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = ipa1.a.example.tt<br>
chpass_provider = ipa<br>
ipa_server = ipa1.a.example.tt<br>
ipa_server_mode = True<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
#subdomain_inherit = ldap_user_principal<br>
#ldap_user_principal = nosuchattribute<br>
<br>
[domain/example.tt]<br>
debug_level = 7<br>
ldap_id_mapping = False<br>
id_provider = ad<br>
<br>
[sssd]<br>
services = nss, sudo, pam, ssh<br>
config_file_version = 2<br>
domains = a.example.tt, example.tt<br>
<br>
[nss]<br>
#debug_level = 5<br>
#homedir_substring = /home<br>
enum_cache_timeout = 2<br>
entry_negative_timeout = 2<br>
<br>
<br>
[pam]<br>
#debug_level = 5<br>
[sudo]<br>
<br>
[autofs]<br>
<br>
[ssh]<br>
#debug_level = 4<br>
[pac]<br>
<br>
#debug_level = 4<br>
[ifp]</div>
<div><br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>Regards,<br>
</div>
<div>Jan<br data-mce-bogus="1">
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><b>From: </b>"Alexander Bokovoy"
<a class="moz-txt-link-rfc2396E" href="mailto:abokovoy@redhat.com"><abokovoy@redhat.com></a><br>
<b>To: </b>"Jan Karásek" <a class="moz-txt-link-rfc2396E" href="mailto:jan.karasek@elostech.cz"><jan.karasek@elostech.cz></a><br>
<b>Cc: </b>"Justin Stephenson" <a class="moz-txt-link-rfc2396E" href="mailto:jstephen@redhat.com"><jstephen@redhat.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Sent: </b>Wednesday, July 20, 2016 6:06:29 PM<br>
<b>Subject: </b>Re: [Freeipa-users] AD trust with POSIX
attributes<br>
</div>
<div><br>
</div>
<div data-marker="__QUOTED_TEXT__">On Wed, 20 Jul 2016, Jan
Karásek wrote:<br>
>Hi,<br>
><br>
>thank you.<br>
><br>
>ldapsearch reply:<br>
><br>
>search: 2<br>
>result: 32 No such object<br>
>matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt<br>
>text: 0000208D: NameErr: DSID-03100238, problem 2001
(NO_OBJECT), data 0, best<br>
>match of:<br>
>'CN=RpcServices,CN=System,DC=rwe,DC=tt'<br>
><br>
>actually when I look under the
CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.<br>
><br>
>Do I missed to set something on the AD site ?<br>
Yes. You need to setup IDMU. However, in Windows Server 2016
Microsoft<br>
removed IDMU tools. The LDAP schema will stay but there will<br>
be no means to visually edit POSIX attributes.<br>
<br>
<a class="moz-txt-link-freetext" href="https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/">https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/</a><br>
<br>
<br>
<br>
><br>
>Thanks,<br>
>Jan<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
>From: "Justin Stephenson" <a class="moz-txt-link-rfc2396E" href="mailto:jstephen@redhat.com"><jstephen@redhat.com></a><br>
>To: "Jan Karásek" <a class="moz-txt-link-rfc2396E" href="mailto:jan.karasek@elostech.cz"><jan.karasek@elostech.cz></a><br>
>Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
>Sent: Wednesday, July 20, 2016 4:09:02 PM<br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
><br>
><br>
><br>
>These attributes should be available from port 389 and not
the global catalog, please try a command such as:<br>
><br>
>ldapsearch -H <a class="moz-txt-link-freetext" href="ldap://">ldap://</a> <ip-address> -D
"DOMAIN\Administrator" -W -b
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com"
msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber<br>
><br>
>Replacing the root suffix in the search base, the
ip-address and bind credentials.<br>
><br>
>Kind regards,<br>
>Justin Stephenson<br>
><br>
>On 07/20/2016 08:15 AM, Jan Karásek wrote:<br>
><br>
><br>
><br>
>Hi,<br>
><br>
>thank you for the hint.<br>
><br>
>In the
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:<br>
><br>
>It's working with msSFU30MaxUidNumber and
msSFU30OrderNumber.<br>
><br>
>If I understand it right, it is base uid number and the
number of uids in range.<br>
><br>
>If not discovered nor given via CLI, then it generate
random base and add some default_range_size.<br>
><br>
>So these two attributes must be set to use
ipa-ad-trust-posix range ?<br>
><br>
>Could anybody help me how and where to check these
attributes ? I have looked in the ldapsearch dump from my
AD(Global calaog) and I can see these attributes only in
schema - so no values assigned.<br>
>I'm using W2012 R2.<br>
><br>
>Thank you,<br>
>Jan<br>
><br>
><br>
><br>
>From: "Justin Stephenson" <a class="moz-txt-link-rfc2396E" href="mailto:jstephen@redhat.com"><jstephen@redhat.com></a><br>
>To: "Jan Karásek" <a class="moz-txt-link-rfc2396E" href="mailto:jan.karasek@elostech.cz"><jan.karasek@elostech.cz></a> ,
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
>Sent: Tuesday, July 19, 2016 8:36:00 PM<br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
><br>
>Hello,<br>
><br>
>When adding the AD trust using 'ipa-ad-trust-posix' range
type then IPA will search AD for the ID space of existing
POSIX attributes to automatically create a suitable ID range
inside IPA.<br>
><br>
>You can check the exact steps and attributes searched by
looking at the add_range function definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py<br>
><br>
>I would suggest reviewing the output of 'ipa idrange-find'
to confirm that the range matches up with the uid and
gidNumbers of your AD environment.<br>
><br>
>Kind regards,<br>
>Justin Stephenson<br>
><br>
>On 07/19/2016 09:44 AM, Jan Karásek wrote:<br>
><br>
>BQ_BEGIN<br>
><br>
>Hi,<br>
><br>
>I am still fighting with storing user's POSIX attributes
in AD. Please can anybody provide some simple reference
settings of IPA-AD trust where users are able to get uid from
AD - not from IPA ID pool ?<br>
><br>
>I have tried to set values of attributes before and after
creating trust, I have tried different sssd setting but I'm
still getting uid from IPA idrange pool instead of from AD
user's attribute.<br>
><br>
>What exactly is IPA checking when it tries to decide what
type of trust will be set - ['ipa-ad-trust-posix',
'ipa-ad-trust'] ?<br>
><br>
>Do I have to mandatory fill some AD user's attributes to
get it work ? Currently I'am testing just with uidNumber and
gidNumber.<br>
><br>
>There is almost no documentation about this topic so I
don't know what else I can try ...<br>
><br>
>Thanks for help,<br>
><br>
>Jan<br>
><br>
><br>
><br>
>Date: Tue, 21 Jun 2016 21:38:15 +0200<br>
>From: Jakub Hrozek <a class="moz-txt-link-rfc2396E" href="mailto:jhrozek@redhat.com"><jhrozek@redhat.com></a><br>
>To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
>Message-ID: <20160621193815.GS29512@hendrix><br>
>Content-Type: text/plain; charset=iso-8859-1<br>
><br>
>On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek
wrote:<br>
>> Hi all,<br>
>><br>
>> I have a questions about IPA with AD forest trust.
What I am trying to do is setup environment, where all
informations about users are stored in one place - AD. I would
like to read at least uid, home, shell and sshkey from AD.<br>
>><br>
>> I have set up trust with this parameters:<br>
>><br>
>> ipa trust-add EXAMPLE.TT --type=ad
--range-type=ipa-ad-trust-posix --admin=administrator<br>
><br>
>Did you add the POSIX attributes to AD after creating the
trust maybe?<br>
><br>
>><br>
>> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range<br>
>> Range name: EXAMPLE.TT_id_range<br>
>> First Posix ID of the range: 1392000000<br>
>> Number of IDs in the range: 200000<br>
>> Domain SID of the trusted domain:
S-1-5-21-4123312533-990676102-3576722756<br>
>> Range type: Active Directory trust range with POSIX
attributes<br>
>><br>
>><br>
>> I have set attributes in AD for <a class="moz-txt-link-abbreviated" href="mailto:user@EXAMPLE.TT">user@EXAMPLE.TT</a><br>
>> - uidNumber -10000<br>
>> - homeDirectory -/home/user<br>
>> - loginShell - /bin/bash<br>
>><br>
>> Trust itself works fine. I can do kinit with
<a class="moz-txt-link-abbreviated" href="mailto:user@EXAMPLE.TT">user@EXAMPLE.TT</a> , I can run id and getent passwd
<a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a> and I can use <a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a> for ssh.<br>
>><br>
>> Problem is, that I am not getting uid from AD but
from idrange:<br>
>><br>
>> uid=1392001107( <a class="moz-txt-link-abbreviated" href="mailto:user@example.tt">user@example.tt</a> )<br>
>><br>
>> Also I have tried to switch off id mapping in
sssd.conf with ldap_id_mapping = true in sssd.conf but no
luck.<br>
><br>
>This has no effect, in IPA-AD trust scenario, the id
mapping properties<br>
>are managed on the server.<br>
><br>
>><br>
>> I know, that it is probably better to use ID views
for this, but in our case we need to set centrally managed
environment, where all users information are externally
inserted to AD from HR system - included POSIX attributes and
we need IPA to read them from AD.<br>
><br>
>I think idviews are better for overriding POSIX attributes
for a<br>
>specific set of hosts, but in your environment, it sounds
like you want<br>
>to use the POSIX attributes across the board.<br>
><br>
>><br>
>> So my questions are:<br>
>><br>
>> Is it possible to read user's POSIX attributes
directly from AD - namely uid ?<br>
><br>
>Yes<br>
><br>
>> Which atributes can be stored in AD ?<br>
><br>
>Homedir is a bit special, for backwards compatibility the<br>
>subdomains_homedir takes precedence. The others should be
read from AD.<br>
><br>
>I don't have the environment set at the moment, though, so
I'm operating<br>
>purely from memory.<br>
><br>
>> Am I doing something wrong ?<br>
>><br>
>> my sssd.conf:<br>
>> [domain/a.example.tt]<br>
>> debug_level = 5<br>
>> cache_credentials = True<br>
>> krb5_store_password_if_offline = True<br>
>> ipa_domain = a.example.tt<br>
>> id_provider = ipa<br>
>> auth_provider = ipa<br>
>> access_provider = ipa<br>
>> ipa_hostname = ipa1.a.example.tt<br>
>> chpass_provider = ipa<br>
>> ipa_server = ipa1.a.example.tt<br>
>> ipa_server_mode = True<br>
>> ldap_tls_cacert = /etc/ipa/ca.crt<br>
>> #ldap_id_mapping = true<br>
>> #subdomain_inherit = ldap_user_principal<br>
>> #ldap_user_principal = nosuchattribute<br>
>><br>
>> [sssd]<br>
>> services = nss, sudo, pam, ssh<br>
>> config_file_version = 2<br>
>><br>
>> domains = a.example.tt<br>
>> [nss]<br>
>> debug_level = 5<br>
>> homedir_substring = /home<br>
>> enum_cache_timeout = 2<br>
>> entry_negative_timeout = 2<br>
>><br>
>><br>
>> [pam]<br>
>> debug_level = 5<br>
>> [sudo]<br>
>><br>
>> [autofs]<br>
>><br>
>> [ssh]<br>
>> debug_level = 4<br>
>> [pac]<br>
>><br>
>> debug_level = 4<br>
>> [ifp]<br>
>><br>
>> Thanks,<br>
>> Jan<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
>BQ_END<br>
><br>
><br>
<br>
>-- <br>
>Manage your subscription for the Freeipa-users mailing
list:<br>
><a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>Go to <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project<br>
<br>
<br>
-- <br>
/ Alexander Bokovoy<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>