[Freeipa-users] User mapping between domains
Jakub Hrozek
jhrozek at redhat.com
Wed Feb 3 07:37:02 UTC 2016
On Wed, Feb 03, 2016 at 03:59:55AM +0000, Simpson Lachlan wrote:
> IPA is successfully installed, a one way trust created, and we have been able to
> login using AD credentials.
>
> For future googlers, there is some bare bones documentation on how to allow AD
> users to login to your system, under the heading "Allow access for users from AD
> domain to protected resources"
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Configure_IPA_server_for_cross-realm_trusts
>
> I can confirm this works for a one directional trust (IPA trusts AD), since that
> is what we have.
>
> Question/Issue:
>
> Currently I have two logins, one in the AD domain and one on each server in
> the IPA domain. The desire is to close that gap.
>
> We were under the impression that, utilising idoverrideuser, that we could map
> AD's
>
> "Smith Jane"@example.org (or EXAMPLE\Jane Smith; yes I know our AD logins
> have spaces in them, it's a technical debt that has no solution roadmap within
> the org) to
>
> jsmith@unix.example.org (which we would set up in IPA),
>
> and be able to override certain aspects, like:
>
> - instead of using the clumsy
>
> ssh "Smith Jane"@example.org@host1.unix.example.org
Btw, normally you can log in with samAccountName or UPN. I find it a bit
odd that samAccountName would contain "Smith Jane"; I would expect that
to be in the gecos attribute. Maybe in this case using UPN would be at
least a bit easier, because you wouldn't have to quote it?
>
> to login to a system, we could use:
>
> ssh jsmith@host1.unix.example.org
No, this cannot be done, at least not this way. While you can "remap"
the AD usernames to a different one with id overrides functionality (so
that "Smith Jane" might have a different name), you would still need to
use the fully qualified name, not a shortname.
This is because the trusted AD domain is a subdomain in SSSD lingo and
all subdomains are implicitly fully qualified.
If you want to use shortnames for your AD logins, you can use the
default_domain_suffix option. But then only the domain that you put into
this option's value can use short names and all other domains (including
the IPA domain) must be fully qualified.
>
> and that via the ID Views Default Trust View the IPA server would:
> - see that jsmith is "Smith Jane" in AD
> - authenticate against "Smith Jane"'s AD password
> - see that jsmith's uid now needs to be 1500 instead of 17890983
> - see that jsmith's home should be /home/jsmith, creating this dir if it
> doesn't exist
> - see that jsmith's shell is /bin/bash
>
> Am I merely imagining that this is possible?
>
> My information came from various blog posts on the RH blog that suggested such a
> thing was possible, and this post on the FreeIPA site:
>
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views
>
> Given the above use case, can I please get advice on:
>
> - is there a preferred order in which IPA user (jsmith@unix.example.org) is
> created and AD user (EXAMPLE\Smith Jane) has their ID Views Default Trust
> View entry created?
> - for the creation of homedir on login, does this need to be done per host, via
> ipa-client-install's --mkhomedir option rather than per user?
>
>
> Have I missed something?
>
> Cheers
> L.
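As an added illustration, not part of the thread, here is what the default_domain_suffix change Jakub describes looks like in an IPA client's sssd.conf; it assumes the IPA domain is unix.example.org and the trusted AD domain is example.org, as in the question.

```ini
; /etc/sssd/sssd.conf on an IPA-enrolled host (constructed example)
[sssd]
services = nss, pam, ssh
; The only SSSD domain on an IPA client is the IPA domain; the trusted AD
; domain example.org is discovered as a subdomain and is always qualified.
domains = unix.example.org

; Unqualified logins are now treated as "<name>@example.org", so
;   ssh "Smith Jane"@host1.unix.example.org
; resolves to the AD user. The trade-off: every other domain, including
; the IPA domain itself, must now be written fully qualified, e.g.
;   ssh admin@unix.example.org@host1.unix.example.org
default_domain_suffix = example.org

[domain/unix.example.org]
id_provider = ipa
auth_provider = ipa
; Applied by ipa-client-install on this host; the override of the
; home directory path itself comes from the ID view, not from here.
fallback_homedir = /home/%u
```

The setting must be applied on each host where short AD names are wanted; it is a per-client SSSD option, not something the ID view or the IPA server pushes out.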