<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>As Alexander mentioned, the LDAP schema still exists to add POSIX
attributes to users and groups in AD, but IDMU simply provides a
convenient graphical interface to manage this. You should still be
able to use PowerShell or other Windows tools to modify POSIX
attributes going forward, but in general a lot of users are moving
towards sssd automatic ID mapping, which means there is no
administrative management of uid/gid values.</p>
<p>There may be some other purpose for IDMU that I am not aware
of...<br>
</p>
<p>Kind regards,</p>
<p>Justin Stephenson<br>
</p>
<div class="moz-cite-prefix">On 07/25/2016 10:54 AM, Jan Karásek
wrote:<br>
</div>
<blockquote
cite="mid:1648113236.2160185.1469458459691.JavaMail.zimbra@elostech.cz"
type="cite">
<div style="font-family: arial, helvetica, sans-serif; font-size:
12pt; color: #000000">
<div>Hi,<br>
</div>
<div><br>
</div>
<div>just for clarification:<br>
</div>
<div><br>
</div>
<div>Do I really need IDMU installed on the AD side for an IPA-AD trust
with --range-type=ipa-ad-trust-posix? In W2012 all POSIX
attributes are already in the schema and the idrange type can be
forced. I just tried to remove IDMU from my AD and it's still
working. What is the role of IDMU other than allowing
autodetection of the POSIX idrange type via the msSFU30OrderNumber and
msSFU30MaxUidNumber attributes?<br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div> Jan<br>
</div>
<div><br>
</div>
<hr id="zwchr" data-marker="__DIVIDER__">
<div data-marker="__HEADERS__"><b>From: </b>"Jan Karásek"
<a class="moz-txt-link-rfc2396E" href="mailto:jan.karasek@elostech.cz"><jan.karasek@elostech.cz></a><br>
<b>To: </b>"Justin Stephenson" <a class="moz-txt-link-rfc2396E" href="mailto:jstephen@redhat.com"><jstephen@redhat.com></a><br>
<b>Cc: </b>"Alexander Bokovoy" <a class="moz-txt-link-rfc2396E" href="mailto:abokovoy@redhat.com"><abokovoy@redhat.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Sent: </b>Friday, July 22, 2016 3:19:51 PM<br>
<b>Subject: </b>Re: [Freeipa-users] AD trust with POSIX
attributes<br>
</div>
<div><br>
</div>
<div data-marker="__QUOTED_TEXT__">
<div style="font-family: arial, helvetica, sans-serif;
font-size: 12pt; color: #000000">
<div>Hi,<br>
</div>
<br>
<div>thanks a lot for the help, guys. It's working now. I can
successfully read POSIX attributes from AD.<br>
</div>
<br>
<div>Right now I'm storing uidNumber, gidNumber, gecos,
loginShell and unixHomeDirectory in AD.<br>
</div>
<br>
<div>I have trouble with the homedir. It's using
subdomain_homedir from sssd.conf and not reflecting the
value of the unixHomeDirectory attribute.<br>
</div>
<br>
<div>Is there any way to use the value from AD rather than the
subdomain_homedir template for this parameter?<br>
</div>
<br>
<div>Regards, </div>
<div>Jan <br>
</div>
<hr id="zwchr">
<div><b>From: </b>"Justin Stephenson"
<a class="moz-txt-link-rfc2396E" href="mailto:jstephen@redhat.com"><jstephen@redhat.com></a><br>
<b>To: </b>"Jan Karásek" <a class="moz-txt-link-rfc2396E" href="mailto:jan.karasek@elostech.cz"><jan.karasek@elostech.cz></a>,
"Alexander Bokovoy" <a class="moz-txt-link-rfc2396E" href="mailto:abokovoy@redhat.com"><abokovoy@redhat.com></a><br>
<b>Cc: </b><a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Sent: </b>Thursday, July 21, 2016 3:54:25 PM<br>
<b>Subject: </b>Re: [Freeipa-users] AD trust with POSIX
attributes<br>
</div>
<br>
<div>
<p>Hello,</p>
<p>You should remove the following from sssd.conf:</p>
<blockquote>
<p><i>[domain/example.tt]<br>
debug_level = 7<br>
ldap_id_mapping = False<br>
id_provider = ad</i></p>
</blockquote>
With the AD trust configuration, you do not need to
specify any additional domain, because IPA will contact AD
across the trust using the external and POSIX groups you
created during the trust setup.<br>
<br>
Once done, try restarting sssd and removing the
/var/lib/sss/db/* cache.<br>
<br>
Kind regards,<br>
Justin Stephenson<br>
<br>
<div class="moz-cite-prefix">On 07/21/2016 07:56 AM, Jan
Karásek wrote:<br>
</div>
<blockquote
cite="mid:912094339.2008550.1469102193474.JavaMail.zimbra@elostech.cz">
<div style="font-family: arial, helvetica, sans-serif;
font-size: 12pt; color: #000000">
<div>Thank you. </div>
<div><br>
</div>
<div>Now I have IDMU installed and when creating the
trust, IPA is correctly autodetecting the range
type: <br>
</div>
<div><br>
</div>
<div>Range name: EXAMPLE.TT_id_range<br>
First Posix ID of the range: 10000<br>
Number of IDs in the range: 200000<br>
Domain SID of the trusted domain:
S-1-5-21-4123312533-990676102-3576722756<br>
Range type: Active Directory trust range with
POSIX attributes<br>
</div>
<div><br>
</div>
<div>When asking for the uid of the AD user:<br>
</div>
<div><br>
</div>
<div>[root@ipa1 sssd]# id user1@example.tt<br>
uid=1392001119(user1@example.tt)
gid=1392001119(user1@example.tt)
groups=1392001119(user1@example.tt),1392000513(domain
users@example.tt),979000007(external_users)<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>... so ID-mapping is still in action.<br>
</div>
<div>
<div class="para"><br>
</div>
<div class="para">According to the docs:<br>
</div>
<div class="para"><br>
</div>
<div class="para">To use existing POSIX attributes,
two things must be configured:</div>
<div class="itemizedlist">
<ul>
<li class="listitem">
<div class="para">The POSIX attributes must be
published to Active Directory's global
catalog. - done with uidNumber, gidNumber<br>
</div>
</li>
<li class="listitem">
<div class="para">ID mapping (<code
class="command">ldap_id_mapping</code> in
the Active Directory domain entry) must be
disabled in SSSD. - done<br>
<br>
</div>
</li>
</ul>
</div>
</div>
<div>Here is my sssd.conf from the IPA server. Is there
anything else I should do to switch off ID mapping?<br>
</div>
<div><br>
</div>
<div>[domain/a.example.tt]<br>
debug_level = 7<br>
cache_credentials = True<br>
krb5_store_password_if_offline = True<br>
ipa_domain = a.example.tt<br>
id_provider = ipa<br>
auth_provider = ipa<br>
access_provider = ipa<br>
ipa_hostname = ipa1.a.example.tt<br>
chpass_provider = ipa<br>
ipa_server = ipa1.a.example.tt<br>
ipa_server_mode = True<br>
ldap_tls_cacert = /etc/ipa/ca.crt<br>
#subdomain_inherit = ldap_user_principal<br>
#ldap_user_principal = nosuchattribute<br>
<br>
[domain/example.tt]<br>
debug_level = 7<br>
ldap_id_mapping = False<br>
id_provider = ad<br>
<br>
[sssd]<br>
services = nss, sudo, pam, ssh<br>
config_file_version = 2<br>
domains = a.example.tt, example.tt<br>
<br>
[nss]<br>
#debug_level = 5<br>
#homedir_substring = /home<br>
enum_cache_timeout = 2<br>
entry_negative_timeout = 2<br>
<br>
<br>
[pam]<br>
#debug_level = 5<br>
[sudo]<br>
<br>
[autofs]<br>
<br>
[ssh]<br>
#debug_level = 4<br>
[pac]<br>
<br>
#debug_level = 4<br>
[ifp]</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards,<br>
</div>
<div>Jan<br>
</div>
<hr id="zwchr">
<div><b>From: </b>"Alexander Bokovoy" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:abokovoy@redhat.com" target="_blank"><abokovoy@redhat.com></a><br>
<b>To: </b>"Jan Karásek" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jan.karasek@elostech.cz"
target="_blank"><jan.karasek@elostech.cz></a><br>
<b>Cc: </b>"Justin Stephenson" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jstephen@redhat.com" target="_blank"><jstephen@redhat.com></a>,
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">freeipa-users@redhat.com</a><br>
<b>Sent: </b>Wednesday, July 20, 2016 6:06:29 PM<br>
<b>Subject: </b>Re: [Freeipa-users] AD trust with
POSIX attributes<br>
</div>
<div><br>
</div>
<div>On Wed, 20 Jul 2016, Jan Karásek wrote:<br>
>Hi,<br>
><br>
>thank you.<br>
><br>
>ldapsearch reply:<br>
><br>
>search: 2<br>
>result: 32 No such object<br>
>matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt<br>
>text: 0000208D: NameErr: DSID-03100238, problem
2001 (NO_OBJECT), data 0, best<br>
>match of:<br>
>'CN=RpcServices,CN=System,DC=rwe,DC=tt'<br>
><br>
>Actually, when I look under
CN=RpcServices,CN=System,DC=rwe,DC=tt, it is empty.<br>
><br>
>Did I miss setting something on the AD side?<br>
Yes. You need to set up IDMU. However, in Windows
Server 2016 Microsoft<br>
removed the IDMU tools. The LDAP schema will stay but
there will<br>
be no means to visually edit POSIX attributes.<br>
<br>
<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/"
target="_blank">https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/</a><br>
<br>
<br>
<br>
><br>
>Thanks,<br>
>Jan<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
>From: "Justin Stephenson" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jstephen@redhat.com" target="_blank"><jstephen@redhat.com></a><br>
>To: "Jan Karásek" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jan.karasek@elostech.cz"
target="_blank"><jan.karasek@elostech.cz></a><br>
>Cc: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">freeipa-users@redhat.com</a><br>
>Sent: Wednesday, July 20, 2016 4:09:02 PM<br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
><br>
><br>
><br>
>These attributes should be available from port
389 and not the global catalog; please try a command
such as:<br>
><br>
>ldapsearch -H ldap://&lt;ip-address&gt; -D
"DOMAIN\Administrator" -W -b
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com"
msSFU30OrderNumber msSFU30MaxUidNumber
msSFU30MaxGidNumber<br>
><br>
>Replacing the root suffix in the search base,
the ip-address and bind credentials.<br>
><br>
>Kind regards,<br>
>Justin Stephenson<br>
><br>
>On 07/20/2016 08:15 AM, Jan Karásek wrote:<br>
><br>
><br>
><br>
>Hi,<br>
><br>
>thank you for the hint.<br>
><br>
>In the
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:<br>
><br>
>It's working with msSFU30MaxUidNumber and
msSFU30OrderNumber.<br>
><br>
>If I understand it right, it is the base uid number
and the number of uids in the range.<br>
><br>
>If not discovered nor given via the CLI, then it
generates a random base and adds some
default_range_size.<br>
><br>
>So these two attributes must be set to use the
ipa-ad-trust-posix range?<br>
><br>
>Could anybody tell me how and where to check
these attributes? I have looked in the ldapsearch
dump from my AD (global catalog) and I can see these
attributes only in the schema, so no values are assigned.<br>
>I'm using W2012 R2.<br>
><br>
>Thank you,<br>
>Jan<br>
><br>
><br>
><br>
>From: "Justin Stephenson" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jstephen@redhat.com" target="_blank"><jstephen@redhat.com></a><br>
>To: "Jan Karásek" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jan.karasek@elostech.cz"
target="_blank"><jan.karasek@elostech.cz></a>
, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">freeipa-users@redhat.com</a><br>
>Sent: Tuesday, July 19, 2016 8:36:00 PM<br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
><br>
>Hello,<br>
><br>
>When adding the AD trust using the
'ipa-ad-trust-posix' range type, IPA will search
AD for the ID space of existing POSIX attributes to
automatically create a suitable ID range inside IPA.<br>
><br>
>You can check the exact steps and attributes
searched by looking at the add_range function
definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py<br>
><br>
>I would suggest reviewing the output of 'ipa
idrange-find' to confirm that the range matches up
with the uidNumbers and gidNumbers of your AD environment.<br>
><br>
>Kind regards,<br>
>Justin Stephenson<br>
><br>
>On 07/19/2016 09:44 AM, Jan Karásek wrote:<br>
><br>
><br>
>Hi,<br>
><br>
>I am still fighting with storing users' POSIX
attributes in AD. Can anybody please provide some
simple reference settings for an IPA-AD trust where
users get their uid from AD, not from the IPA ID
pool?<br>
><br>
>I have tried setting the attribute values before
and after creating the trust, and I have tried different
sssd settings, but I'm still getting the uid from the IPA
idrange pool instead of from the AD user's attribute.<br>
><br>
>What exactly is IPA checking when it tries to
decide what type of trust will be set:
['ipa-ad-trust-posix', 'ipa-ad-trust']?<br>
><br>
>Are there any AD user attributes I must fill in to
get it to work? Currently I'm testing
just with uidNumber and gidNumber.<br>
><br>
>There is almost no documentation about this
topic, so I don't know what else I can try ...<br>
><br>
>Thanks for help,<br>
><br>
>Jan<br>
><br>
><br>
><br>
>Date: Tue, 21 Jun 2016 21:38:15 +0200<br>
>From: Jakub Hrozek <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:jhrozek@redhat.com" target="_blank"><jhrozek@redhat.com></a><br>
>To: <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">freeipa-users@redhat.com</a><br>
>Subject: Re: [Freeipa-users] AD trust with POSIX
attributes<br>
>Message-ID:
<20160621193815.GS29512@hendrix><br>
>Content-Type: text/plain; charset=iso-8859-1<br>
><br>
>On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan
Karásek wrote:<br>
>> Hi all,<br>
>><br>
>> I have a question about IPA with an AD forest
trust. What I am trying to do is set up an environment
where all information about users is stored in one
place: AD. I would like to read at least uid, home,
shell and sshkey from AD.<br>
>><br>
>> I have set up trust with this parameters:<br>
>><br>
>> ipa trust-add EXAMPLE.TT --type=ad
--range-type=ipa-ad-trust-posix
--admin=administrator<br>
><br>
>Did you add the POSIX attributes to AD after
creating the trust maybe?<br>
><br>
>><br>
>> [root@ipa1 ~]# ipa idrange-show
EXAMPLE.TT_id_range<br>
>> Range name: EXAMPLE.TT_id_range<br>
>> First Posix ID of the range: 1392000000<br>
>> Number of IDs in the range: 200000<br>
>> Domain SID of the trusted domain:
S-1-5-21-4123312533-990676102-3576722756<br>
>> Range type: Active Directory trust range
with POSIX attributes<br>
>><br>
>><br>
>> I have set attributes in AD for user@EXAMPLE.TT<br>
>> - uidNumber - 10000<br>
>> - homeDirectory - /home/user<br>
>> - loginShell - /bin/bash<br>
>><br>
>> Trust itself works fine. I can do kinit
with user@EXAMPLE.TT, I can run id and getent passwd user@example.tt
and I can use user@example.tt for ssh.<br>
>><br>
>> The problem is that I am not getting the uid from
AD but from the idrange:<br>
>><br>
>> uid=1392001107(user@example.tt)<br>
>><br>
>> Also I have tried to switch off id mapping
with ldap_id_mapping = true in
sssd.conf but no luck.<br>
><br>
>This has no effect, in IPA-AD trust scenario,
the id mapping properties<br>
>are managed on the server.<br>
><br>
>><br>
>> I know, that it is probably better to use
ID views for this, but in our case we need to set
centrally managed environment, where all users
information are externally inserted to AD from HR
system - included POSIX attributes and we need IPA
to read them from AD.<br>
><br>
>I think idviews are better for overriding POSIX
attributes for a<br>
>specific set of hosts, but in your environment,
it sounds like you want<br>
>to use the POSIX attributes across the board.<br>
><br>
>><br>
>> So my questions are:<br>
>><br>
>> Is it possible to read user's POSIX
attributes directly from AD - namely uid ?<br>
><br>
>Yes<br>
><br>
>> Which atributes can be stored in AD ?<br>
><br>
>Homedir is a bit special: for backwards
compatibility, the<br>
>subdomain_homedir takes precedence. The others
should be read from AD.<br>
><br>
>I don't have the environment set at the moment,
though, so I'm operating<br>
>purely from memory.<br>
><br>
>> Am I doing something wrong ?<br>
>><br>
>> my sssd.conf:<br>
>> [domain/a.example.tt]<br>
>> debug_level = 5<br>
>> cache_credentials = True<br>
>> krb5_store_password_if_offline = True<br>
>> ipa_domain = a.example.tt<br>
>> id_provider = ipa<br>
>> auth_provider = ipa<br>
>> access_provider = ipa<br>
>> ipa_hostname = ipa1.a.example.tt<br>
>> chpass_provider = ipa<br>
>> ipa_server = ipa1.a.example.tt<br>
>> ipa_server_mode = True<br>
>> ldap_tls_cacert = /etc/ipa/ca.crt<br>
>> #ldap_id_mapping = true<br>
>> #subdomain_inherit = ldap_user_principal<br>
>> #ldap_user_principal = nosuchattribute<br>
>><br>
>> [sssd]<br>
>> services = nss, sudo, pam, ssh<br>
>> config_file_version = 2<br>
>><br>
>> domains = a.example.tt<br>
>> [nss]<br>
>> debug_level = 5<br>
>> homedir_substring = /home<br>
>> enum_cache_timeout = 2<br>
>> entry_negative_timeout = 2<br>
>><br>
>><br>
>> [pam]<br>
>> debug_level = 5<br>
>> [sudo]<br>
>><br>
>> [autofs]<br>
>><br>
>> [ssh]<br>
>> debug_level = 4<br>
>> [pac]<br>
>><br>
>> debug_level = 4<br>
>> [ifp]<br>
>><br>
>> Thanks,<br>
>> Jan<br>
><br>
><br>
><br>
<br>
<br>
<br>
-- <br>
/ Alexander Bokovoy<br>
</div>
</div>
</blockquote>
</div>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
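<p>As an added example, not code from this thread and not FreeIPA or SSSD code, the Python script below performs the two checks the thread arrives at: Justin's advice to confirm with <code>ipa idrange-find</code>/<code>idrange-show</code> that the trust's range matches the uidNumber and gidNumber values held in AD, and his removal of the extra <code>[domain/example.tt]</code> section with <code>id_provider = ad</code> from the IPA server's sssd.conf. The idrange text, the LDIF and the sssd.conf fragment are constructed sample inputs in the shape the CLI tools print; the account names are made up. It assumes the range check is strict: with a POSIX-type range, an AD ID outside [base, base + size) does not resolve at all.</p>

```python
"""Sanity checks for an IPA-AD trust meant to serve POSIX IDs from AD.

Added example, not FreeIPA or SSSD code.  It checks that the uidNumber and
gidNumber values stored in AD fall inside the ipa-ad-trust-posix range, and
that the IPA server's sssd.conf has no hand-written id_provider = ad domain.
All sample input below is constructed."""
from configparser import ConfigParser

POSIX_RANGE_TYPE = "Active Directory trust range with POSIX attributes"

# Constructed: what `ipa idrange-show EXAMPLE.TT_id_range` printed in the thread.
IDRANGE_SHOW = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed LDIF as `ldapsearch -LLL` prints it; svc-backup's uidNumber is
# deliberately outside the range.
AD_LDIF = """\
dn: CN=user1,CN=Users,DC=example,DC=tt
sAMAccountName: user1
uidNumber: 10001
gidNumber: 10000

dn: CN=svc-backup,CN=Users,DC=example,DC=tt
sAMAccountName: svc-backup
uidNumber: 1392000513
gidNumber: 10000
"""

# Constructed: the IPA server's sssd.conf from the thread, cut down to the
# options the check reads, with the stray AD domain still in place.
SSSD_CONF = """\
[domain/a.example.tt]
id_provider = ipa
ipa_server_mode = True

[domain/example.tt]
ldap_id_mapping = False
id_provider = ad

[sssd]
domains = a.example.tt, example.tt
"""

def parse_idrange(text):
    """Read the 'Label: value' lines of `ipa idrange-show` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"name": fields["Range name"], "type": fields["Range type"],
            "base": int(fields["First Posix ID of the range"]),
            "size": int(fields["Number of IDs in the range"])}

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, single-valued attributes only."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        else:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def ids_outside_range(entries, rng):
    """(account, attribute, value) for each AD POSIX ID the range cannot serve.
    Only IDs inside [base, base + size) resolve; entries without POSIX attributes
    are skipped, they simply get no POSIX identity."""
    lo, hi = rng["base"], rng["base"] + rng["size"]
    bad = []
    for entry in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr in entry and not lo <= int(entry[attr]) < hi:
                bad.append((entry.get("sAMAccountName", entry["dn"]), attr, int(entry[attr])))
    return bad

def stray_ad_domains(conf_text):
    """[domain/...] sections with id_provider = ad beside an IPA domain in server
    mode; that IPA domain already resolves the trusted forest's users itself."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    ipa_server = any(cp.get(s, "id_provider", fallback="") == "ipa" and
                     cp.get(s, "ipa_server_mode", fallback="").lower() == "true"
                     for s in domains)
    return [s for s in domains if ipa_server and cp.get(s, "id_provider", fallback="") == "ad"]

def report(idrange_text=IDRANGE_SHOW, ldif_text=AD_LDIF, conf_text=SSSD_CONF):
    """Human-readable findings; an empty list means nothing to fix."""
    rng, findings = parse_idrange(idrange_text), []
    hi = rng["base"] + rng["size"]
    if rng["type"] != POSIX_RANGE_TYPE:
        findings.append("%s is not a POSIX range, so AD uidNumber/gidNumber are ignored" % rng["name"])
    for account, attr, value in ids_outside_range(parse_ldif(ldif_text), rng):
        findings.append("%s: %s=%d lies outside %s [%d, %d)" % (account, attr, value, rng["name"], rng["base"], hi))
    for section in stray_ad_domains(conf_text):
        findings.append("sssd.conf: remove [%s], id_provider = ad beside the IPA server-mode domain" % section)
    return findings

if __name__ == "__main__":
    print("\n".join(report()) or "no findings")
```

<p>To run it against a real deployment, feed <code>report()</code> the output of <code>ipa idrange-show &lt;range&gt;</code>, an <code>ldapsearch -LLL</code> dump of the AD users and the server's /etc/sssd/sssd.conf. A non-POSIX range type is reported as well, since that is the case in which AD's POSIX attributes are ignored and the IDs are derived from the SID.</p>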
</body>
</html>