[Freeipa-users] Password entry through Trust not correct

McEvoy, James james.mcevoy at hp.com
Sun Mar 22 16:44:42 UTC 2015


From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Saturday, March 21, 2015 10:42 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Password entry through Trust not correct

On 03/20/2015 08:56 PM, McEvoy, James wrote:
When I look at the password entries for my rfc2307 account in Active Directory I get three different answers.
The only correct one is on a server where I used sssd to join AD directly (the last one). Do I need to configure
rfc2307? When I configured the server to join AD directly I used the option --enablerfc2307bis when I ran authconfig.

from a freeipa client:
$ getent passwd jemcevoy@ENAS.NET
jemcevoy@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root at ipa ~]# getent passwd jemcevoy@ENAS.NET
jemcevoy@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemcevoy@ENAS.NET
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash


Hi,

Let us step back.
What versions of the server and of the client and on what platforms?

When you set trust, how did you set it?
It might be that the IPA server did not detect that you have POSIX extensions in AD.
There are some heuristics involved, so you should probably use explicit parameters to tell IPA whether you have POSIX attributes in AD or not.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Hi Dmitri,

My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64

The freeipa server has a trust with a Windows 2008R2 Active Directory
domain named ENAS.Net.

The client is in an LXC container with both the hosting server and the
LXC guest running Fedora 20.
The client is running freeipa-client-3.3.5-1.fc20.x86_64.

This is at the top of the file /var/log/ipaclient-install.log in the client:

2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin at LNX.LAB', 'keytab': None, 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}


The client is getting the correct POSIX uid/gid from Active Directory, it is the
home directory which looks samba style to me and the shell is completely missing.

Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
results when it joins freeipa and uses the trust.  I will try both directly and
from an LXC guest to see if the correct POSIX attributes get passed through from
the Active Directory Identity Management for Unix plugin.

  -- jim
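The comparison Jim is doing by eye across the three hosts, as an added POSIX sh example (not code from the thread or from FreeIPA): it splits getent passwd lines into their passwd(5) fields, reports which fields differ between a reference entry and a second host's entry, and lists the POSIX attributes (gecos, home, shell) that came back empty. The three entries are copied from the outputs quoted above; the direct-AD entry is used as the reference because Jim says that is the correct one. Function names and the choice of reference are the example's own.

```shell
#!/bin/sh
# Added example: field-by-field comparison of getent passwd output from
# several hosts for one AD user resolved through an IPA trust.

# Entries as quoted in the thread (constructed sample input, one per host).
IPA_CLIENT='jemcevoy@enas.net:*:10001:10004::/home/enas.net/jemcevoy:'
IPA_SERVER='jemcevoy@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash'
DIRECT_AD='jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash'

# passwd_field ENTRY N : print field N (1-7) of a passwd(5) line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# passwd_diff REF ENTRY : print "field=ref|entry;" for every field that
# differs. Field names follow passwd(5): name passwd uid gid gecos home shell.
passwd_diff() {
    ref=$1; ent=$2; i=1; out=''
    for name in name passwd uid gid gecos home shell; do
        a=$(passwd_field "$ref" "$i")
        b=$(passwd_field "$ent" "$i")
        [ "$a" = "$b" ] || out="$out$name=$a|$b;"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# posix_ids_match REF ENTRY : succeed only if uid (field 3) and gid (field 4)
# agree. These must be identical on every host or file ownership breaks;
# differing gecos/home/shell is a configuration problem, differing IDs is worse.
posix_ids_match() {
    [ "$(passwd_field "$1" 3)" = "$(passwd_field "$2" 3)" ] &&
    [ "$(passwd_field "$1" 4)" = "$(passwd_field "$2" 4)" ]
}

# missing_posix_attrs ENTRY : print the names of the gecos/home/shell fields
# that are empty, space separated (empty output means all three are set).
missing_posix_attrs() {
    out=''; i=5
    for name in gecos home shell; do
        [ -n "$(passwd_field "$1" "$i")" ] || out="$out$name "
        i=$((i + 1))
    done
    printf '%s\n' "${out% }"
}

# Usage: how the IPA client's view differs from the direct-AD view, and
# which POSIX attributes the IPA client failed to get at all.
passwd_diff "$DIRECT_AD" "$IPA_CLIENT"
missing_posix_attrs "$IPA_CLIENT"
```

Run against the thread's entries, the uid/gid check passes on all three hosts while the IPA client reports gecos and shell empty, which is the symptom Jim describes. Dmitri's "explicit parameters" are the trust's ID range type: on the IPA server, `ipa idrange-find` shows whether the range for the AD domain was created as a plain Active Directory trust range or as one with POSIX attributes, and `ipa trust-add --range-type=ipa-ad-trust-posix` creates it as the latter instead of relying on the detection heuristics.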