[Freeipa-users] FreeIPA ActiveDirectory Integration: Managing AD Users in IPA

Dmitri Pal dpal at redhat.com
Tue Sep 16 14:25:53 UTC 2014


On 09/14/2014 03:42 AM, Gregor Bregenzer wrote:
> 2014-09-14 1:14 GMT+02:00 Dmitri Pal <dpal at redhat.com>:
>> On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
>>> Hi!
>>>
>>> There are two ways that you can use to integrate FreeIPA with AD: a.)
>>> trust b.) synchronization. Here are the pros/cons for both of them:
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
>>>
>>> If you want to manage POSIX attributes for each user you can do that with
>>> either Identity Management for Unix at AD using the trust, or with the
>>> synchronization at FreeIPA. With synchronization you see the users in
>>> FreeIPA, but still have two users to manage - in FreeIPA and AD.
>>> With the AD trust the sssd daemon running on FreeIPA is proxying all
>>> requests from the client sssd directly to AD
>> This is not exactly true. SSSD understands that IPA and AD are in a trust
>> relationship. If you use user name and password to log in, SSSD will turn to AD
>> directly without sending the password over the wire. If you SSO into the Linux
>> box the Kerberos library (on your Windows client) will do all the ticket
>> acquisition and redirects.
>>
>> The proxy is already done for older clients that do not understand that
>> IPA is in a trust relationship with AD.
>> http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf
>>
> Sorry, there are two things I did not mention: a.) no SSO, b.) Linux
> client SSSD requesting UID/GID.
>
> a.) if you ssh login from a Windows client that is _not_ joined in AD
> or a standalone Linux box - so no SSO. Because there the destination
> Linux clients with sssd (1.9.2 with AD trust compatibility with the ipa
> provider, or 1.11+ with full AD trust capability) still need SSSD on
> the FreeIPA server that will forward the authentication requests to
> AD. In slide 30 of
> http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf it states:
>
> "SSSD is used behind the scenes on the FreeIPA server
> to look up users in trusted AD domains
> SSSD on FreeIPA clients will forward resolution requests
> to FreeIPA servers through FreeIPA LDAP server plugin"
>
> b.) If you have a client that is authenticating using Kerberos and
> therefore SSO, the destination Linux sssd client still needs the sssd
> client on the FreeIPA server to look up the UID/GID. So there's the
> authentication process either with SSO or without SSO, and there's the
> lookup process for the attributes - am I correct?

If the client is new, i.e. 1.9+, it will know how to use trusts and will 
support UID/GID coming from AD.
These clients should be joined to IPA.
Other older clients need to be handled following the guidelines for 
legacy clients.
See below.

>
>>> , so you see no users in
>>> FreeIPA, but you have to extend the AD schema using Identity
>>> Management for Unix.
>>
>> You really have two options: let SSSD map users dynamically, in which case
>> you do not need AD schema extensions, or you can extend the schema as suggested.
>> The third option that is under development is described in my other reply.
> What happens if you have already defined the UID/GID with the schema
> extension on AD and have legacy Linux clients using them, but you
> still want to use the exact UID/GID _and_ make use of all the great
> features offered in FreeIPA such as HBAC, sudorules, etc.? Then only
> the AD Trust with SSSD 1.11+ with full AD trust feature set is working
> - correct (because 1.9.2 with ipa provider cannot get the GID from
> AD)?

SSSD 1.9 should work ok with IPA in trust relations.
Earlier versions or other clients should be pointed to the IPA compat tree.
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

Then you get exactly what you are looking for.


>>> Also the password policy from the group policy in
>>> AD is used when you use the AD trust, but on clients with sssd you can
>>> change the password using kpasswd from Kerberos. If you want to use a
>>> trust with AD and want to receive the correct GID set in AD then you
>>> have to use sssd >1.9.x, otherwise you get a different GID (see
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
>>>
>>> All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
>>> no matter if you use a trust or synchronization.
>>>
>>> Gregor
>>>
>>> 2014-09-13 22:03 GMT+02:00 Traiano Welcome <traiano at gmail.com>:
>>>> Hi List
>>>>
>>>> Currently I have a stable trust relationship going between IPA and
>>>> Windows
>>>> AD. I create users and manage passwords in AD, but want to manage the
>>>> rest
>>>> in IPA, "the rest" being default shell, default home directory settings,
>>>> RBAC, HBAC, Selinux  etc ..
>>>>
>>>> What I'm expecting is to be able to log into the FreeIPA web interface,
>>>> and
>>>> see a synched list of users created in AD appear in the interface, after
>>>> which I can modify the settings on a per user basis.
>>>>
>>>> If that level of granularity is not possible, I would then expect to be
>>>> able
>>>> to at least apply an IPA-imposed set of account defaults on an AD user
>>>> group:
>>>>
>>>> - default shell
>>>> - HBAC rules
>>>> - Sudo rules
>>>> - SELinux rules
>>>> - RBAC
>>>>
>>>> Is this possible with FreeIPA? I can't find anything coherent in the
>>>> documentation that describes an effective way of managing the POSIX
>>>> attributes of AD users in FreeIPA.
>>>>
>>>> Thanks in advance!
>>>> Traiano
>>>>
>>>>
>>>>
>>>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
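An added example, not part of this thread and not FreeIPA or SSSD project code. The thread contrasts two sources for an AD user's POSIX IDs: the uidNumber/gidNumber stored in AD by the Identity Management for Unix schema extension, and the IDs SSSD generates algorithmically from the user's SID when no schema extension is used. The Python below models that algorithmic scheme (a hash of the domain SID selects a slice of a fixed ID range, and the account's RID is the offset within the slice; the range constants match the documented ldap_idmap_range_min/max/size defaults in sssd-ldap(5), but check your own version) and then flags AD accounts whose stored uidNumber would not match the generated value, which is the mixed legacy-client/trust-client situation Gregor describes. The hash seed, the domain SID and the account records are constructed assumptions; real SSSD also persists slice assignments and resolves slice collisions, which this model does not, so the numbers are illustrative rather than a prediction for any real deployment.

```python
"""SID -> POSIX ID algorithmic mapping, modelled on SSSD's ID-mapping scheme.
Added example; constants and sample data are constructed, not from a real
deployment. The domain-SID hash seed is an assumption."""

# Documented sssd-ldap(5) defaults for ldap_idmap_range_min/max/size.
RANGE_MIN = 200000
RANGE_MAX = 2000200000
RANGE_SIZE = 200000
NUM_SLICES = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE  # 10000 slices

DOMAIN_HASH_SEED = 0xDEADBEEF  # assumption: seed for hashing the domain SID


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash3 (x86 variant); picks a slice per domain SID."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]
    k = 0
    if len(tail) == 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a user/group SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def domain_slice(domain_sid: str) -> int:
    """Slice index chosen for a domain; same domain always maps to same slice."""
    return murmurhash3_32(domain_sid.encode("ascii"), DOMAIN_HASH_SEED) % NUM_SLICES


def algorithmic_id(sid: str) -> int:
    """POSIX ID the algorithmic scheme yields when AD has no POSIX attributes."""
    domain_sid, rid = parse_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} does not fit in a slice of {RANGE_SIZE}")
    return RANGE_MIN + domain_slice(domain_sid) * RANGE_SIZE + rid


def id_mismatches(records):
    """Accounts whose AD-stored uidNumber differs from the algorithmic ID.

    These accounts get one UID on legacy clients that read the AD attributes
    and another on trust-aware clients that map algorithmically."""
    out = []
    for rec in records:
        stored = rec.get("uidNumber")
        if stored is None:
            continue  # no schema-extension attribute; only one source of truth
        generated = algorithmic_id(rec["objectSid"])
        if stored != generated:
            out.append((rec["sAMAccountName"], stored, generated))
    return out


# Constructed sample: two AD users carrying IdMU-style uidNumber attributes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "objectSid": f"{DOMAIN_SID}-1105", "uidNumber": 10001},
    {"sAMAccountName": "bob", "objectSid": f"{DOMAIN_SID}-1106", "uidNumber": 10002},
    {"sAMAccountName": "svc-backup", "objectSid": f"{DOMAIN_SID}-1200"},
]

if __name__ == "__main__":
    for name, stored, generated in id_mismatches(SAMPLE_RECORDS):
        print(f"{name}: AD uidNumber={stored} algorithmic uid={generated}")
```

The practical point the check makes is that a stored uidNumber below ldap_idmap_range_min can never coincide with an algorithmically generated ID, so any site that already assigned IDs through the schema extension must either keep those IDs authoritative on every client (ldap_id_mapping = False, or the compat tree for clients that cannot follow the trust) or accept that file ownership will differ between the two client populations.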