[Freeipa-users] User mapping between domains

Jakub Hrozek jhrozek at redhat.com
Wed Feb 3 07:37:02 UTC 2016


On Wed, Feb 03, 2016 at 03:59:55AM +0000, Simpson Lachlan wrote:
> IPA is successfully installed, a one way trust created, and we have been able to
> login using AD credentials.
> 
> For future googlers, there is some bare bones documentation on how to allow AD 
> users to log in to your system, under the heading "Allow access for users from AD
> domain to protected resources"
> 
> http://www.freeipa.org/page/Active_Directory_trust_setup#Configure_IPA_server_for_cross-realm_trusts
> 
> I can confirm this works for a one directional trust (IPA trusts AD), since that
> is what we have.
> 
> Question/Issue:
> 
> Currently I have two logins, one in the AD domain and one on each server in 
> the IPA domain. The desire is to close that gap. 
> 
> We were under the impression that, utilising idoverrideuser, we could map 
> AD's 
> 
> "Smith Jane"@example.org (or EXAMPLE\Jane Smith; yes I know our AD logins 
> have spaces in them, it's a technical debt that has no solution roadmap within 
> the org) to
> 
> jsmith@unix.example.org (which we would set up in IPA), 
> 
> and be able to override certain aspects, like:
> 
>  - instead of using the clumsy 
> 
> ssh "Smith Jane"@example.org@host1.unix.example.org 

btw normally you can log in with samAccountName or UPN. I find it a bit
odd that samAccountName would contain "Smith Jane"; I would expect that
to be in the gecos attribute. Maybe in this case using UPN would be at
least a bit easier, because you wouldn't have to quote it?

> 
> to log in to a system, we could use:
> 
> ssh jsmith@host1.unix.example.org

No, this cannot be done, at least not this way. While you can "remap"
the AD usernames to a different one with the id overrides functionality (so
that "Smith Jane" might have a different name), you would still need to
use the fully qualified name, not a shortname.

This is because the trusted AD domain is a subdomain in SSSD lingo and
all subdomains are implicitly fully qualified.

If you want to use shortnames for your AD logins, you can use the
default_domain_suffix option. But then only the domain that you put into
this option's value can use short names and all other domains (including
the IPA domain) must be fully qualified.

> 
> and that via the ID Views Default Trust View the IPA server would:
>  - see that jsmith is "Smith Jane" in AD
>  - authenticate against "Smith Jane"'s AD password
>  - see that jsmith's uid now needs to be 1500 instead of 17890983
>  - see that jsmith's home should be /home/jsmith, creating this dir if it 
>     doesn't exist
>  - see that jsmith's shell is /bin/bash
> 
> Am I merely imagining that this is possible?
> 
> My information came from various blog posts on the RH blog that suggested such a
> thing was possible, and this post on the FreeIPA site:
> 
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views
> 
> Given the above use case, can I please get advice on:
> 
>  - is there a preferred order in which IPA user (jsmith@unix.example.org) is 
>     created and AD user (EXAMPLE\Smith Jane) has their ID Views Default Trust 
>     View entry created? 
>  - for the creation of homedir on login, does this need to be done per host, via
>     ipa-client-install's --mkhomedir option rather than per user?
> 
> 
> Have I missed something?
> 
> Cheers
> L.
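An added sssd.conf sketch (not from the thread, and not Jakub's or the FreeIPA project's own file) showing the two configurations described above and the login form each requires. The domain names are the thread's (IPA realm unix.example.org, trusted AD domain example.org); the hostname and the remaining option values are assumed.

```ini
# Added illustration: which login form works with and without
# default_domain_suffix. Domain names follow the thread; host1 and
# the other option values are assumed, not taken from the thread.

[sssd]
domains = unix.example.org
services = nss, pam, ssh, sudo

# Variant A: no default_domain_suffix (what ipa-client-install writes).
# The trusted AD domain is an SSSD subdomain, so its users are always
# fully qualified; the IPA domain owns the short names.
#   IPA user:  ssh -l jsmith host1.unix.example.org
#   AD user:   ssh -l "Smith Jane@example.org" host1.unix.example.org
#
# Variant B: uncomment the line below. Now only example.org may use
# short names, and every other domain (the IPA domain included) must
# be fully qualified.
#   AD user:   ssh -l "Smith Jane" host1.unix.example.org
#   IPA user:  ssh -l jsmith@unix.example.org host1.unix.example.org
#default_domain_suffix = example.org

[domain/unix.example.org]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = unix.example.org
ipa_hostname = host1.unix.example.org
cache_credentials = True

[nss]
# Home directory template used when an entry has no homeDirectory;
# an ID view override for the user takes precedence over this.
fallback_homedir = /home/%u
```

Either way the AD login is the same user; the id override changes the name, uid, shell or home that this host sees, but not whether the name must be qualified.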