[Freeipa-users] AD trust with POSIX attributes

Justin Stephenson jstephen at redhat.com
Tue Jul 19 18:36:00 UTC 2016


Hello,

When adding the AD trust using the 'ipa-ad-trust-posix' range type, IPA 
will search AD for the ID space of the existing POSIX attributes to 
automatically create a suitable ID range inside IPA.

You can check the exact steps and attributes searched by looking at the 
add_range function definition in 
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py

I would suggest reviewing the output of 'ipa idrange-find' to confirm 
that the range matches up with the uid and gidNumbers of your AD 
environment.

Kind regards,
Justin Stephenson
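As an added check (not from this thread or from the FreeIPA project) for the step suggested above: it parses the `ipa idrange-show` / `ipa idrange-find` text output quoted further down in Jan's mail and reports AD users whose uidNumber/gidNumber fall outside the range. The AD user values are constructed samples; for a non-POSIX ('ipa-ad-trust') range the check is skipped, since there the IDs are derived from the SID rather than read from AD.

```python
import re

# Constructed sample: the `ipa idrange-show EXAMPLE.TT_id_range` output quoted in the thread.
IDRANGE_OUTPUT = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed sample: POSIX attributes as set on AD user objects
# (the first entry mirrors the uidNumber 10000 from the thread).
AD_USERS = [
    {"name": "user", "uidNumber": 10000, "gidNumber": 10000},
    {"name": "svc_example", "uidNumber": 1392001107, "gidNumber": 1392000513},
]


def parse_idrange(text):
    """Return (first_id, size, range_type) from `ipa idrange-show` text output."""
    first = int(re.search(r"First Posix ID of the range:\s*(\d+)", text).group(1))
    size = int(re.search(r"Number of IDs in the range:\s*(\d+)", text).group(1))
    rtype = re.search(r"Range type:\s*(.+)", text).group(1).strip()
    return first, size, rtype


def covers(first, size, posix_id):
    """True if posix_id lies inside the half-open range [first, first + size)."""
    return first <= posix_id < first + size


def check_ad_posix_ids(range_text, users):
    """Return (name, attribute, value) for every AD POSIX ID the IPA range does not cover.

    Returns None when the range is not a POSIX-attribute range, because then
    AD uidNumber/gidNumber values are not used and the comparison is meaningless.
    """
    first, size, rtype = parse_idrange(range_text)
    if "POSIX attributes" not in rtype:
        return None
    problems = []
    for user in users:
        for attr in ("uidNumber", "gidNumber"):
            if not covers(first, size, user[attr]):
                problems.append((user["name"], attr, user[attr]))
    return problems


if __name__ == "__main__":
    for name, attr, value in check_ad_posix_ids(IDRANGE_OUTPUT, AD_USERS):
        print(f"{name}: {attr}={value} is outside the IPA range")
```

Run it against the real output of `ipa idrange-find` and the uidNumber/gidNumber values exported from AD; any line it prints is an AD user whose POSIX ID the trust range cannot serve.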

On 07/19/2016 09:44 AM, Jan Karásek wrote:
> Hi,
>
> I am still fighting with storing users' POSIX attributes in AD. Can 
> anybody please provide some simple reference settings for an IPA-AD 
> trust where users get their uid from AD, not from the IPA ID pool?
>
> I have tried to set the attribute values before and after creating the 
> trust, and I have tried different sssd settings, but I'm still getting 
> the uid from the IPA idrange pool instead of from the AD user's attribute.
>
> What exactly is IPA checking when it tries to decide what type of 
> trust will be set: ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
> Is it mandatory to fill some of the AD user's attributes to get it to work? 
> Currently I'm testing with just uidNumber and gidNumber.
>
> There is almost no documentation about this topic, so I don't know what 
> else I can try ...
>
> Thanks for help,
>
> Jan
>
> ------------------------------------------------------------------------
>
> Date: Tue, 21 Jun 2016 21:38:15 +0200
> From: Jakub Hrozek <jhrozek at redhat.com>
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> Message-ID: <20160621193815.GS29512 at hendrix>
> Content-Type: text/plain; charset=iso-8859-1
>
> On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> > Hi all,
> >
> > I have a question about IPA with an AD forest trust. What I am trying 
> to do is set up an environment where all information about users is 
> stored in one place - AD. I would like to read at least uid, home, 
> shell and sshkey from AD.
> >
> > I have set up the trust with these parameters:
> >
> > ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix 
> --admin=administrator
>
> Did you add the POSIX attributes to AD after creating the trust maybe?
>
> >
> > [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> > Range name: EXAMPLE.TT_id_range
> > First Posix ID of the range: 1392000000
> > Number of IDs in the range: 200000
> > Domain SID of the trusted domain: 
> S-1-5-21-4123312533-990676102-3576722756
> > Range type: Active Directory trust range with POSIX attributes
> >
> >
> > I have set attributes in AD for user@EXAMPLE.TT
> > - uidNumber - 10000
> > - homeDirectory - /home/user
> > - loginShell - /bin/bash
> >
> > Trust itself works fine. I can do kinit with user@EXAMPLE.TT, I can 
> run id and getent passwd user@example.tt and I can use user@example.tt 
> for ssh.
> >
> > The problem is that I am not getting the uid from AD but from the idrange:
> >
> > uid=1392001107(user@example.tt)
> >
> > Also I have tried to switch off ID mapping with 
> ldap_id_mapping = true in sssd.conf, but no luck.
>
> This has no effect; in the IPA-AD trust scenario the ID mapping properties
> are managed on the server.
>
> >
> > I know that it is probably better to use ID views for this, but in 
> our case we need a centrally managed environment where all user 
> information is inserted into AD externally from the HR system, POSIX 
> attributes included, and we need IPA to read them from AD.
>
> I think idviews are better for overriding POSIX attributes for a
> specific set of hosts, but in your environment, it sounds like you want
> to use the POSIX attributes across the board.
>
> >
> > So my questions are:
> >
> > Is it possible to read the user's POSIX attributes directly from AD, 
> namely uid?
>
> Yes
>
> > Which attributes can be stored in AD?
>
> Homedir is a bit special: for backwards compatibility,
> subdomains_homedir takes precedence. The others should be read from AD.
>
> I don't have the environment set at the moment, though, so I'm operating
> purely from memory.
>
> > Am I doing something wrong?
> >
> > my sssd.conf:
> > [domain/a.example.tt]
> > debug_level = 5
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = a.example.tt
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = ipa1.a.example.tt
> > chpass_provider = ipa
> > ipa_server = ipa1.a.example.tt
> > ipa_server_mode = True
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > #ldap_id_mapping = true
> > #subdomain_inherit = ldap_user_principal
> > #ldap_user_principal = nosuchattribute
> >
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = a.example.tt
> > [nss]
> > debug_level = 5
> > homedir_substring = /home
> > enum_cache_timeout = 2
> > entry_negative_timeout = 2
> >
> >
> > [pam]
> > debug_level = 5
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> > debug_level = 4
> > [pac]
> >
> > debug_level = 4
> > [ifp]
> >
> > Thanks,
> > Jan
>
