[Freeipa-users] User mapping between domains

Simpson Lachlan Lachlan.Simpson at petermac.org
Wed Feb 3 03:59:55 UTC 2016


IPA is successfully installed, a one way trust created, and we have been able to
login using AD credentials.

For future googlers, there is some bare-bones documentation on how to allow AD
users to log in to your system, under the heading "Allow access for users from AD
domain to protected resources":

http://www.freeipa.org/page/Active_Directory_trust_setup#Configure_IPA_server_for_cross-realm_trusts

I can confirm this works for a one directional trust (IPA trusts AD), since that
is what we have.

Question/Issue:

Currently I have two logins, one in the AD domain and one on each server in 
the IPA domain. The desire is to close that gap. 

We were under the impression that, utilising idoverrideuser, we could map
AD's

"Smith Jane"@example.org (or EXAMPLE\Jane Smith; yes I know our AD logins 
have spaces in them, it's a technical debt that has no solution roadmap within 
the org) to

jsmith@unix.example.org (which we would set up in IPA),

and be able to override certain aspects, like:

 - instead of using the clumsy

ssh "Smith Jane"@example.org@host1.unix.example.org

to log in to a system, we could use:

ssh jsmith@host1.unix.example.org

and that via the ID Views Default Trust View the IPA server would:
 - see that jsmith is "Smith Jane" in AD
 - authenticate against "Smith Jane"'s AD password
 - see that jsmith's uid now needs to be 1500 instead of 17890983
 - see that jsmith's home should be /home/jsmith, creating this dir if it 
    doesn't exist
 - see that jsmith's shell is /bin/bash

Am I merely imagining that this is possible?

My information came from various blog posts on the RH blog that suggested such a
thing was possible, and this post on the FreeIPA site:

http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views

Given the above use case, can I please get advice on:

 - is there a preferred order in which the IPA user (jsmith@unix.example.org) is
    created and the AD user (EXAMPLE\Smith Jane) has their ID Views Default Trust
    View entry created?
 - for the creation of the home directory on login, does this need to be done per host, via
    ipa-client-install's --mkhomedir option, rather than per user?


Have I missed something?

Cheers
L.
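An added example (not from the original post or the FreeIPA project): the ipa(1) commands that put a user ID override for the AD account into the Default Trust View with the login, uid, home and shell values described above, followed by the checks a client admin would run. It assumes the override is attached to the AD user itself (no separate native IPA user named jsmith is created), that the anchor is written as "smith jane@example.org", and that the ipa CLI in use accepts the --login/--uid/--homedir/--shell options; the commands are printed unless APPLY=1 is set, so the script can be reviewed before it touches the directory.

```shell
#!/bin/sh
# Added example, not the post's own commands. Values come from the post; the
# anchor format and option names are assumptions about the ipa CLI in use.
VIEW="Default Trust View"
AD_USER="smith jane@example.org"   # AD account used as the override anchor (assumed format)
LOGIN=jsmith                       # name clients should resolve instead of the AD login
UID_OVERRIDE=1500                  # replaces the SID-derived uid (e.g. 17890983)
HOMEDIR=/home/jsmith
SHELL_OVERRIDE=/bin/bash

# Print the command unless APPLY=1, so the change can be reviewed first.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create the override in the trust view. --login is what makes
# "ssh jsmith@host" map onto the AD account; authentication still uses AD.
add_override() {
    run ipa idoverrideuser-add "$VIEW" "$AD_USER" \
        --login="$LOGIN" --uid="$UID_OVERRIDE" \
        --homedir="$HOMEDIR" --shell="$SHELL_OVERRIDE"
}

# Verify on an enrolled client: show the override, drop sssd's cached
# identity data, then confirm the overridden passwd entry is what resolves.
# Home directory creation is a per-client PAM setting (mkhomedir), not an
# attribute of the override, so it is not checked here.
verify_override() {
    run ipa idoverrideuser-show "$VIEW" "$AD_USER"
    run sss_cache -E
    run getent passwd "$LOGIN"
}

add_override
verify_override
```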






