[Freeipa-users] FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
Fredy Sanchez
fredy.sanchez at modmed.com
Wed Apr 23 21:58:37 UTC 2014
And here is the attachment.
On Wed, Apr 23, 2014 at 5:57 PM, Fredy Sanchez <fredy.sanchez at modmed.com> wrote:
> Hi all,
>
> Sorry for the delay.
>
> I am sharing with you a couple of scripts and files we use to enroll our
> Macs (ML and Mavericks) into our FreeIPA domain. Using Luggage (
> https://github.com/unixorn/luggage), we package all of these into a one
> click installer that can be deployed via ARD, Munki, etc. Now, our
> environment has very specific requirements, so feel free to ask if there's
> something you don't understand or that seems incomplete.
>
> These assume you already know what FreeIPA is, and have it up and running.
> These also assume that all the server pre-staging (for example, that all
> applicable DNS records are already created) for the "enrollee" is done. In
> sum, these are ideal if all you are missing is to start enrolling Macs into
> the FreeIPA domain. And you'll have to modify the files to match your
> FreeIPA domain; we are using example.com for this.
>
> The preflight script (freeipa-client-preinstall.sh) will "clean" the
> environment of the enrollee, and backup existing files that will be
> modified during the enrollment process. It
> * Sets the DNS search domain
> * Adds a "local" search domain to the enrollee to speed up the login
> process if no FreeIPA server is available during login
> * Backs up edu.mit.Kerberos if it exists
> * Backs up krb5.conf if it exists
> * Backs up any existing LDAP info
> * Backs up /Library/Preferences/com.apple.loginwindow.plist
>
> The postflight script (freeipa-client-postinstall.sh) performs the
> enrollment. It
> * Sets email notifications to know if the enrollment failed or succeeded.
> These notifications will include the who and the why, and a hardware
> profile from the enrollee that we find useful
> * Sets and tests many variables needed for a successful enrollment like
> NTP syncing, a valid hostname, and whether or not all applicable hosts
> resolve thru your DNS servers
> * Adjusts /Library/Preferences/com.apple.loginwindow to work properly w/
> FreeIPA accounts
> * Gets opendirectoryd ready for FreeIPA
> * Enrolls the host to FreeIPA thru multiple keytab manipulations
> * Gets around problems with anonymous binds in LDAP by using a "hidden"
> user for enrollments
> * Configures the SSH client for GSSAPI authentication
> * Creates host keys and adds them to FreeIPA
> * Deletes the local user account and leaves the home directory intact. This
> will allow the owner of the machine to log back in using his/her FreeIPA
> credentials w/out noticing any changes. Of course, for this to happen
> transparently the home directory has to be massaged. Please let me know if
> you'd like to know how we do this. I am omitting the details for now as
> this is outside the scope, methinks.
>
> The files inside the Payload folder are:
>
> The authorization and screensaver files are FreeIPA ready ones. The
> postflight script above puts them where they need to go
> (/private/etc/pam.d).
>
> The postflight will add a /private/etc/ipa folder to the enrollee. This
> folder must contain the following files: ca-crt, ca-crt-selfsigned,
> example.enroll.keytab. These will make more sense as you go thru the code.
> These are private, so I am not sharing them.
>
> The postflight script will also put FreeIPA ready versions of
> edu.mit.Kerberos and multiple LDAP config files where they need to go
> (follow the folder structure in the .zip file attached). These we are
> sharing; you will have to modify them to match your FreeIPA domain.
>
> And this is it. Apologies for the long read. We welcome your feedback; if
> you have any please send it my way :-)
>
>
>
> On Thu, Apr 17, 2014 at 4:29 PM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>> I was able to take that script and with some customizing get it to work
>> with Mavericks.... This should work, I tried to do a find and replace to
>> make it work like the github one.
>>
>>
>> On Wed, Apr 16, 2014 at 5:40 PM, Fredy Sanchez <fredy.sanchez at modmed.com> wrote:
>>
>>> Sure Rob, we'll put something together and send it to you for
>>> publishing. Give us a few days. We'll also sanitize our enrollment package
>>> and share it w/ you too. This is what we use to enroll our Macs, a one time
>>> install that does what ipa-client-install does for Linux, including these
>>> LDAP mappings. We love FreeIPA and will be really happy if this helps any
>>> other users with Mac fleets.
>>>
>>>
>>> On Wed, Apr 16, 2014 at 6:12 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>> Fredy Sanchez wrote:
>>>>
>>>>> Hi Simo,
>>>>>
>>>>> Thanks for your reply. Good old Google pointed me to
>>>>> https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh,
>>>>> which gave me the idea of updating the RealName mapping to displayName.
>>>>> This solved the problem; I'll have to recreate the permissions for every
>>>>> share, but the user names now show up, and stick. No more UIDs.
>>>>>
>>>>
>>>> Great. Any chance you can write something and post a howto on our wiki?
>>>> Or send the details to me and I'll write something up?
>>>>
>>>> thanks
>>>>
>>>> rob
>>>>
>>>>
>>>>>
>>>>> On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce <simo at redhat.com> wrote:
>>>>>
>>>>> On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
>>>>> > Hi all,
>>>>> >
>>>>> > We asked this same question at discussions.apple.com, but figured we'd
>>>>> > have better luck here. I apologize in advance if this is the wrong forum.
>>>>> >
>>>>> > We are switching from Synology (DSM 5) to Mavericks server (v3.1.1 running
>>>>> > in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64
>>>>> > 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly bound
>>>>> > to it. Unfortunately, although we can add usernames to the shares for the
>>>>> > initial config, the usernames transform to UIDs after (only for SSO
>>>>> > accounts; local accounts are not affected). That is, when we go to edit
>>>>> > the permissions for a share, all we see are UIDs. We can always figure out
>>>>> > the username from the UID, but this is an extra step we don't want to
>>>>> > have. We've tried reinstalling the Mac server app from scratch, re-binding
>>>>> > to the FreeIPA backend, changing mappings in Directory Utility (for
>>>>> > example, mapping GeneratedUID to uid, which is the username), recreating
>>>>> > the shares and permissions, etc. Here are more details about the binding:
>>>>> >
>>>>> > * The binding happens thru a custom package we created based primarily on
>>>>> >   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
>>>>> > * Sys Prefs, Users & Groups, Login Options show the server bound to the
>>>>> >   FreeIPA backend with the green dot
>>>>> > * The following mappings are in place in Directory Utility, Services,
>>>>> >   LDAPv3, FreeIPA backend
>>>>> >
>>>>> > Users: inetOrgPerson
>>>>> >   AuthenticationAuthority: uid
>>>>> >   GeneratedUID: random number in uppercase
>>>>> >   HomeDirectory: #/Users/$uid$
>>>>> >   NFSHomeDirectory: #/Users/$uid$
>>>>> >   OriginalHomeDirectory: #/Users/$uid$
>>>>> >   PrimaryGroupID: gidNumber
>>>>> >   RealName: cn
>>>>> >   RecordName: uid
>>>>> >   UniqueID: uidNumber
>>>>> >   UserShell: loginShell
>>>>> > Groups: posixgroup
>>>>> >   PrimaryGroupID: gidNumber
>>>>> >   RecordName: cn
>>>>> >
>>>>> > The search bases are correct
>>>>> >
>>>>> > * Directory Utility, Directory Editor shows the right info for the users.
>>>>> > * $ id $USERNAME shows the right information for the user
>>>>> >
>>>>> > FreeIPA is working beautifully for our Mac / Linux environment. We provide
>>>>> > directory services to about 300 hosts, and 200 employees using it; and
>>>>> > haven't had any problems LDAP wise until now. So we think we are missing
>>>>> > a mapping here. Any ideas?
>>>>>
>>>>> Fredy,
>>>>> I quickly tried to check for some documentation on how to configure this
>>>>> stuff, but found only useless superficial guides on how to find the
>>>>> pointy/clicky buttons to push to enable the service.
>>>>>
>>>>> I am not a Mac expert by a long shot so I cannot help you much here.
>>>>>
>>>>> Is there any guide available on how to use this service with other LDAP
>>>>> servers, like openLDAP or Active Directory? We can probably draw some
>>>>> conclusions from there.
>>>>>
>>>>> Simo.
>>>>>
>>>>> --
>>>>> Simo Sorce * Red Hat, Inc * New York
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Cheers,
>>>>>
>>>>> Fredy Sanchez
>>>>> IT Manager @ Modernizing Medicine
>>>>> (561) 880-2998 x237
>>>>> fredy.sanchez at modmed.com
>>>>>
>>>>> *Need IT support?* Visit https://mmit.zendesk.com
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
Cheers,
Fredy Sanchez
IT Manager @ Modernizing Medicine
(561) 880-2998 x237
fredy.sanchez at modmed.com
*Need IT support?* Visit https://mmit.zendesk.com
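Added example, not code from the thread or from the FreeIPA-client.zip package: after the RealName mapping was moved from cn to displayName, the check a practitioner wants is that every FreeIPA user entry actually carries each LDAP attribute the Directory Utility map reads, since a record whose mapped attribute is absent is exactly the kind that ends up shown by UID. This Python script parses `ldapsearch -LLL` output (folded lines and base64 `::` values included) and reports the missing attributes per user; the mapping is a subset of the one posted in the thread, it also resolves literal `#...$attr$` mappings such as NFSHomeDirectory, and the sample LDIF is constructed.

```python
import base64
import re

# Open Directory -> LDAP attribute map for Users, as posted in the thread but with
# RealName on displayName (the fix); '#' values are literals with $attr$ placeholders.
USER_ATTRIBUTE_MAP = {
    "RecordName": "uid",
    "RealName": "displayName",  # was "cn" before the fix
    "UniqueID": "uidNumber",
    "NFSHomeDirectory": "#/Users/$uid$",
}

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into dicts of lowercased attr -> [values]."""
    text = re.sub(r"\n ", "", text)  # unfold RFC 2849 continuation lines
    entries = []
    for block in re.split(r"\n\n+", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # '::' marks a base64 value (non-ASCII names)
                value = base64.b64decode(value[1:]).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_users(ldif_text, od_map=USER_ATTRIBUTE_MAP):
    """uid -> sorted LDAP attributes the mapping reads but the entry does not carry."""
    needed = {a.lower() for t in od_map.values()
              for a in (re.findall(r"\$(\w+)\$", t) if t.startswith("#") else [t])}
    users = [e for e in parse_ldif(ldif_text)
             if "inetorgperson" in {c.lower() for c in e.get("objectclass", [])}]
    return {e.get("uid", ["?"])[0]: sorted(needed - set(e)) for e in users}

# Constructed sample: alice is complete; bob has a folded dn, a base64 cn, no displayName.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
displayName: Alice Example
uidNumber: 1001

dn: uid=bob,cn=users,cn=accounts,
 dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIE3DvGxsZXI=
uidNumber: 1002
"""
```

Running `audit_users(SAMPLE_LDIF)` flags bob for the missing displayName, while passing `{"RealName": "cn"}` as the map shows the pre-fix mapping would flag alice instead.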
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FreeIPA-client.zip
Type: application/zip
Size: 24451 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140423/8ccf3320/attachment.zip>