[Freeipa-users] Freeipa4 - AD SSH logins

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 15 18:58:23 UTC 2015


On Wed, 15 Apr 2015, Aric Wilisch wrote:
>So I would have to setup an ID View Override for every user in AD that
>needs to log in to a FreeIPA host?
>
>I guess I’m having trouble understanding why it wouldn’t just use the
>defaults set into FreeIPA? The Default home directory is set to /home
>and the default shell is set to /bin/bash.
Because you have options on how you would set identity mapping for AD
users, there is no single way to apply these defaults.

- You can have POSIX attributes defined in Active Directory.
  - this means you can use any existing tool on Windows to set POSIX
    attributes for each user manually or with automation tools

  - FreeIPA will notice the attributes and configure ID ranges of the
    trusted domains to pick up POSIX attributes from Active Directory

  - SSSD will use ID range type to pull POSIX attributes from Active
    Directory

- You can have POSIX attributes generated automatically for AD users by
  FreeIPA
  - this means some safe defaults will be applied by SSSD running on IPA
    master, these are based on sssd.conf options for subdomain_*

  - these defaults will affect AD users' only UID/GID information for
    client-side SSSD <1.12 because old SSSD doesn't know how to pick up
    the rest of the attributes

  - for SSSD >= 1.12 the defaults from IPA master will be honored by IPA
    clients automatically

- in both cases ID View 'Default Trust View' can be used to configure
  POSIX attributes for AD users explicitly. There are no templates
  though.

If templating is needed in ID Views, a ticket could be filed. Perhaps it
is a good idea but it will take time to implement in FreeIPA
(management), SSSD and slapi-nis (application of defaults).


>This is a lot of work to go to unless there’s a way to set it globally
>for the entire domain. Also noticing sudo doesn’t work for those users
>even though I have the ad_admins group added to the sudo group I
>created.
Open a separate thread and provide SSSD logs, our debugging capabilities
are distinguishable from magic and thus require help from you. ;)


-- 
/ Alexander Bokovoy
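As an added illustration of the second option in the reply (defaults generated by SSSD on the IPA master, not a configuration from the thread or the FreeIPA project), this is what the relevant subdomain_* settings look like in the IPA master's sssd.conf. The domain and host names are assumed; the option names subdomain_homedir and default_shell are real SSSD options for the IPA provider. With SSSD >= 1.12 on the clients these values are picked up automatically, as the reply states; for an explicit per-user setting the reply's alternative is an override in the 'Default Trust View', shown in a comment.

```ini
# /etc/sssd/sssd.conf on the IPA master (added example; names are assumed)
[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.ipa.example.com

# Home directory template for users from trusted AD domains.
# %d expands to the user's domain and %u to the user name, so the AD user
# jdoe@ad.example.com is given /home/ad.example.com/jdoe.
# The default is /home/%d/%u; set it to /home/%u if all AD users should
# live directly under /home.
subdomain_homedir = /home/%d/%u

# Shell used for AD users that carry no loginShell attribute in AD.
default_shell = /bin/bash

# Explicit alternative for a single user, run on the IPA master
# (assumed user name):
#   ipa idoverrideuser-add 'Default Trust View' jdoe@ad.example.com \
#       --homedir=/home/jdoe --shell=/bin/bash
```

After changing the file, restart SSSD on the master and clear the cache on a client before testing the login; an override in the ID view takes precedence over the sssd.conf defaults for that user.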