[Freeipa-users] question on Active Directory and FreeIPA

Alexander Frolushkin Alexander.Frolushkin at megafon.ru
Mon Jun 22 09:36:49 UTC 2015 

Hello, Jakub!
Could you please tell, what about sssd package in RHEL 6, when we can expect the fixes in official updates? Especially with our sensitive fixes (parentheses in AD groups names)?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
Sent: Monday, June 22, 2015 2:27 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA

On Fri, Jun 19, 2015 at 08:15:37PM +0000, David Fitzgerald wrote:
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek
> Sent: Friday, June 19, 2015 3:15 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] question on Active Directory and FreeIPA
>
> On Fri, Jun 19, 2015 at 06:23:46PM +0000, David Fitzgerald wrote:
> > Hello,
> >
> > Forgive me if this is a very basic question, but I have read the documentation and am still confused as to what to do.
> > Right now I am using FreeIPA 3.3.3 on a Centos 7 server, and using
> > it to manage about 200 users and 90 Scientific Linux workstations,
> > and everything works great.  Unfortunately I have been told that I
> > must now use the University's Active Directory to authenticate all of my users.
> > I have read the documentation on FreeIPA / AD integration and am not
> > sure if that will meet my requirements.  All my Linux users' home
> > directories are auto mounted on login from a CentOS 7 NFS server with their bash profiles
> > etc. run off that mount.    From what I have read it seems to me that
> > FreeIPA / AD integration is more focused on getting Windows users to
> > be able to log into a Linux machine with access to their Windows
> > folders and profiles (oddjob creating a local home directory on the
> > Linux box, etc.) I don't want this.  All I need is to simply
> > authenticate the user using AD (BTW their IPA usernames and AD
> > usernames are the same other than the
> > domain) then use the info from FreeIPA as I do now. I don't need any
> > folders mounted from the Windows  servers.
> > Have I completely mis-read the documentation and I can do this by integrating FreeIPA and AD?  Is there an easy way to do this? I am not a Windows AD expert by any means.
>
> I'm not sure I completely answer your question, but..in case of IPA-AD trust, the AD users always authenticate against AD, even in case of password authentication on an IPA box. The passwords are not synchronized in any way.
>
> So I guess having the user accounts in AD, but keeping the automount info, sudo rules etc would satisfy your requirements?
>
>
> With the recent 'views' feature, you can set POSIX attributes for IPA users without touching the AD LDAP schema, even per-host.
>
>
> This is exactly what I need.

If you are going to experiment with the views, then please note that unfortunately some bugs slipped into the 7.1 release. If you encounter problems, please either try installing latest packages for SSSD and IPA, make sure SSSD is updated also on the server side.

Some SSSD bugs are not planned for patching until 7.2, in that case you might need to install upstream packages such as:
    https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

Some of the bugs are:
    - https://bugzilla.redhat.com/show_bug.cgi?id=1217127
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214719
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214718
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214716
    - https://bugzilla.redhat.com/show_bug.cgi?id=1214337


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

________________________________

Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения.

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

(c)20mf50

More information about the Freeipa-users mailing list