[Freeipa-users] Password entry through Trust not correct

Jakub Hrozek jhrozek at redhat.com
Sun Mar 22 19:56:52 UTC 2015


On Sun, Mar 22, 2015 at 04:44:42PM +0000, McEvoy, James wrote:
> 
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Saturday, March 21, 2015 10:42 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Password entry through Trust not correct
> 
> On 03/20/2015 08:56 PM, McEvoy, James wrote:
> When I look at the password entries for my rfc2307 account in Active directory I get three different answers.
> The only correct one is on a server where I used sssd to join AD directly (the last one).  Do I need to configure
> rfc2307?  When I configured the server to join AD directly I use the option --enablerfc2307bis when I run authconfig.
> 
> from a freeipa client:
> $ getent passwd jemcevoy@ENAS.NET
> jemcevoy@enas.net:*:10001:10004::/home/enas.net/jemcevoy:
> 
> from the ipa server:
> [root at ipa ~]# getent passwd jemcevoy@ENAS.NET
> jemcevoy@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash
> 
> from a server that joined AD directly using sssd:
> $ getent passwd jemcevoy@ENAS.NET
> jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
> 
> 
> Hi,
> 
> Let us step back.
> What versions of the server and of the client and on what platforms?
> 
> When you set trust, how did you set it?
> It might be that the IPA server did not detect that you have POSIX extensions in AD.
> There are some heuristics involved, so you should probably use explicit parameters to tell IPA whether you have POSIX in AD or not.
> 
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
> 
> Hi Dmitri,
> 
> My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
> The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64
> 
> The freeipa server has a trust with a Windows 2008R2 Active Directory
> domain named ENAS.Net.
> 
> The client is in an LXC container with both the hosting server and the
> LXC guest running Fedora 20.
> The client is running freeipa-client-3.3.5-1.fc20.x86_64.
> 
> This is at the top of the file /var/log/ipaclient-install.log in the client:
> 
> 2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin@LNX.LAB', 'keytab': None, 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
> 
> 
> The client is getting the correct POSIX uid/gid from Active Directory; it is the
> home directory that looks Samba-style to me, and the shell is completely missing.
> 
> Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
> results when it joins freeipa and uses the trust.  I will try both directly and
> from an LXC guest to see if the correct POSIX attributes get passed through from
> the Active Directory Identity Management for Unix plugin.

With FreeIPA server 3.x what you are seeing is actually expected. The
ability to transfer additional POSIX attributes from the server to the
client was only added in 4.x, sorry.

In the meantime, I wonder if the various
subdomain_homedir/override_homedir/override_shell etc.
attributes would be helpful on the clients?

Finally, please note that the most important parts are the UID and GID
attributes, so that you can access your files.
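
As an added illustration (not part of the thread, and not FreeIPA or SSSD project code), the sssd.conf fragment below shows how the options Jakub names would be applied on the 3.x client. The domain name lnx.lab and server ipa.lnx.lab are taken from the install log quoted above; the AD domain enas.net is the one in the getent output. On the server side, Dmitri's "explicit parameters" correspond to the ID range type chosen when the trust is created: `ipa trust-add --range-type=ipa-ad-trust-posix` tells IPA that AD carries POSIX uid/gid attributes, and `ipa idrange-find` shows which range type an existing trust was given.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example, not from the thread).
# Section name and server come from the ipa-client-install log above.

[sssd]
services = nss, pam, ssh
domains = lnx.lab

[domain/lnx.lab]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = lnx.lab
ipa_server = ipa.lnx.lab

# Home directory template for users from trusted AD subdomains. The sssd
# default is /home/%d/%u, which is exactly the "/home/enas.net/jemcevoy"
# seen in the client's getent output; "/home/%u" reproduces the
# "/home/jemcevoy" layout the directly-joined host shows.
subdomain_homedir = /home/%u

# Shell used when the provider returns none (the empty last field in the
# client's getent line). default_shell only fills a missing value;
# override_shell would replace every shell, including ones AD does set.
default_shell = /bin/bash

# Optional: force these values for every user served by this domain,
# regardless of what the directory returns. Leave commented unless wanted.
#override_homedir = /home/%u
#override_shell = /bin/bash
```

After editing, restart sssd and clear its cache (`sss_cache -E`) before re-running `getent passwd jemcevoy@ENAS.NET`, otherwise the previously cached entry with the empty shell is returned. Note that none of this changes the UID/GID fields, which Jakub points out are the ones that matter for file access; the override options only affect how the client presents home directory and shell.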



