[Freeipa-users] Active Directory Integration and limitations

Simo Sorce simo@redhat.com
Mon Nov 23 15:36:39 UTC 2015


On Wed, 2015-11-18 at 11:46 +0100, Domineaux Philippe wrote:
> Here is my environment :
> 
> 1 Windows Domain
> Windows workstations
> Windows servers
> Multiple linux domains
> Linux workstations
> Linux servers
> 
> Here is my goal :
> 
> All users are centralized in the Active Directory.
> Users will authenticate on Linux workstations with their AD accounts
> (using POSIX attributes).
> Linux workstations must have access to NFS shares on Linux servers.

Hi Domineaux,
you should look into setting up FreeIPA with a trust relationship to the
Windows Domain.

> What are the limitations ?

It is hard to say what kind of limitations you are interested in. When we
trust AD, AD users can access Linux machines. One limitation (if you
think it is a limitation) is that AD users will have fully qualified
names on the host (example: user@ad.example.com) and not just flat names,
to avoid name clashes between IPA users, local users and AD users.

> Windows users equals ipa users in term of services ?

Yes.

> Do I have to configure Kerberos to also join the Windows Kerberos realm
> directly, or will IPA do the job of asking the Windows server?

If you set up a trust between the servers, all is taken care of for you
with respect to clients.

> in /etc/krb5.conf:
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = IPA.ORG
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>   udp_preference_limit = 0
>   default_ccache_name = KEYRING:persistent:%{uid}
>   canonicalize = yes
>   allow_weak_crypto = true
> 
> [realms]
>   IPA.ORG = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>     auth_to_local = RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/
>     auth_to_local = DEFAULT
> 
>   }
> 
> ### IS THIS NECESSARY
>   WINDOMAIN.LOCAL = {
>     kdc = srvadipa.windomain.local
>     admin_server = srvadipa.windomain.local
>   }
> 
> 
> [domain_realm]
>   .cosmo.org = COSMO.ORG
>   cosmo.org = COSMO.ORG
> 
> ### IS THIS NECESSARY
> 
>   .windomain.local = WINDOMAIN.LOCAL
>   windomain.local = WINDOMAIN.LOCAL

It depends on what client you are using. Older RHEL may need this; newer
ones have an include directory in krb5.conf, and SSSD generates the
appropriate configuration automatically based on the server configuration.

> Is the bug in libnfsidmap still active, and does it prevent Windows users
> from accessing NFS4 krb5-secured shared folders?

I am not sure what bug you refer to. You may need to configure the NFS
client's idmap, but I am not aware of bugs that would prevent it from
working right if properly configured.

Specifically, you may want to *not* try to consult LDAP from idmap, but
use a regex to transform the Windows realm from upper case to lower case
and then just use the getpwnam interface.

Simo.

> I currently have a bug here:
> https://www.redhat.com/archives/freeipa-users/2014-June/msg00163.html
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


-- 
Simo Sorce * Red Hat, Inc * New York
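The two name-mapping steps this thread touches, as an added example that is not FreeIPA, MIT krb5 or libnfsidmap code: an emulation of how the auth_to_local RULE and DEFAULT lines in the quoted krb5.conf map a Kerberos principal to a local account name, and the idmap approach Simo suggests (regex the realm to lower case, then hand the result to getpwnam instead of consulting LDAP). The passwd entries, the uid values and fake_getpwnam are constructed stand-ins for the NSS passwd map SSSD would serve on a trust-enabled IPA client; the realm names are the ones from the quoted configuration, and the RULE parser covers only the s/pat/repl/[g] form the quoted rule uses.

```python
"""Emulate auth_to_local RULE/DEFAULT evaluation and the regex+getpwnam
idmap step from the thread.  Added example, not project code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_REALM = "IPA.ORG"
RULES = [  # the two auth_to_local lines from the quoted krb5.conf
    "RULE:[1:$1@$0](^.*@WINDOMAIN.LOCAL$)s/@WINDOMAIN.LOCAL/@windomain.local/",
    "DEFAULT",
]

# Constructed passwd map: IPA users have flat names, trusted-AD users have
# fully qualified names with a lower-case realm (as SSSD exposes them).
FAKE_PASSWD: Dict[str, int] = {"alice": 1200, "jdoe@windomain.local": 1808801104}


def fake_getpwnam(name: str) -> Optional[int]:
    """Stand-in for pwd.getpwnam(name).pw_uid; None means 'no such user'."""
    return FAKE_PASSWD.get(name)


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/nfs.ipa.org@IPA.ORG' -> (['host', 'nfs.ipa.org'], 'IPA.ORG')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {principal!r}")
    return name.split("/"), realm


@dataclass
class Rule:
    ncomp: int                      # applies only to principals with this many components
    fmt: str                        # $0 = realm, $1..$n = components
    selector: Optional[re.Pattern]  # formatted string must match this, if present
    subs: List[Tuple[re.Pattern, str, bool]]  # sed-style s/pat/repl/[g]


_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(s/.*)?$")
_SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_rule(text: str) -> Rule:
    """Parse RULE:[n:string](regexp)s/pat/repl/[g] (plain replacement text only)."""
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported auth_to_local value: {text!r}")
    ncomp, fmt, sel, rest = m.groups()
    subs = [(re.compile(p), r, g == "g") for p, r, g in _SUB_RE.findall(rest or "")]
    return Rule(int(ncomp), fmt, re.compile(sel) if sel else None, subs)


def apply_rule(rule: Rule, principal: str) -> Optional[str]:
    """Return the mapped local name, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if len(comps) != rule.ncomp:
        return None

    def expand(m):
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError(f"${i} exceeds component count in {rule.fmt!r}")
        return realm if i == 0 else comps[i - 1]

    s = re.sub(r"\$(\d+)", expand, rule.fmt)
    if rule.selector and not rule.selector.search(s):
        return None
    for pat, repl, glob in rule.subs:
        s = pat.sub(repl, s, count=0 if glob else 1)
    return s


def auth_to_local(principal: str, rules: List[str] = RULES,
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """First matching rule wins; None means no local name (login refused)."""
    for r in rules:
        if r == "DEFAULT":  # one-component principal in the local realm -> bare name
            comps, realm = split_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        mapped = apply_rule(parse_rule(r), principal)
        if mapped is not None:
            return mapped
    return None


_PRINC_RE = re.compile(r"^(?P<user>[^@/]+)@(?P<realm>[^@]+)$")


def nfs_principal_to_uid(principal: str, default_realm: str = DEFAULT_REALM,
                         getpwnam=fake_getpwnam) -> Optional[int]:
    """Simo's idmap approach: regex the realm to lower case, then getpwnam.
    Local-realm principals become flat names; trusted-realm ones keep the
    lower-cased realm, matching the qualified names SSSD serves."""
    m = _PRINC_RE.match(principal)
    if not m:
        return None
    user, realm = m["user"], m["realm"]
    name = user if realm.upper() == default_realm else f"{user}@{realm.lower()}"
    return getpwnam(name)


if __name__ == "__main__":
    for p in ("jdoe@WINDOMAIN.LOCAL", "alice@IPA.ORG", "host/nfs.ipa.org@IPA.ORG"):
        print(f"{p:28} auth_to_local={auth_to_local(p)!s:22} uid={nfs_principal_to_uid(p)}")
```

The point the last function makes is the one in Simo's reply: the principal arrives from the NFS server as `jdoe@WINDOMAIN.LOCAL`, but the NSS name SSSD serves is `jdoe@windomain.local`, so a plain getpwnam on the raw principal finds nothing, while lower-casing the realm first finds the uid without any LDAP lookup from idmap.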
