[Freeipa-users] AD trust with POSIX attributes

Justin Stephenson jstephen at redhat.com
Wed Jul 20 14:09:02 UTC 2016


These attributes should be available from port 389 and not the global 
catalog, please try a command such as:

  ldapsearch -H ldap://<ip-address> -D "DOMAIN\Administrator" -W -b 
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" 
msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber


Replace the root suffix in the search base, the ip-address and the bind 
credentials accordingly.

Kind regards,
Justin Stephenson

On 07/20/2016 08:15 AM, Jan Karásek wrote:
> Hi,
>
> thank you for the hint.
>
> In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
>
> It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
>
> If I understand it right, it is the base uid number and the number of uids 
> in the range.
>
> If not discovered nor given via CLI, then it generates a random base and 
> adds some default_range_size.
>
> So these two attributes must be set to use the ipa-ad-trust-posix range?
>
> Could anybody help me with how and where to check these attributes? I have 
> looked in the ldapsearch dump from my AD (Global catalog) and I can see 
> these attributes only in the schema - so no values assigned.
> I'm using W2012 R2.
>
> Thank you,
> Jan
>
>
> ------------------------------------------------------------------------
> *From: *"Justin Stephenson" <jstephen at redhat.com>
> *To: *"Jan Karásek" <jan.karasek at elostech.cz>, freeipa-users at redhat.com
> *Sent: *Tuesday, July 19, 2016 8:36:00 PM
> *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hello,
>
> When adding the AD trust using 'ipa-ad-trust-posix' range type then 
> IPA will search AD for the ID space of existing POSIX attributes to 
> automatically create a suitable ID range inside IPA.
>
> You can check the exact steps and attributes searched by looking at 
> the add_range function definition in 
> /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
>
> I would suggest reviewing the output of 'ipa idrange-find' to confirm 
> that the range matches up with the uid and gidNumbers of your AD 
> environment.
>
> Kind regards,
> Justin Stephenson
>
> On 07/19/2016 09:44 AM, Jan Karásek wrote:
>
>     Hi,
>
>     I am still fighting with storing users' POSIX attributes in AD.
>     Please can anybody provide some simple reference settings of an
>     IPA-AD trust where users are able to get their uid from AD - not from
>     the IPA ID pool?
>
>     I have tried to set values of attributes before and after creating
>     the trust, I have tried different sssd settings, but I'm still getting
>     the uid from the IPA idrange pool instead of from the AD user's attribute.
>
>     What exactly is IPA checking when it tries to decide what type of
>     trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust']?
>
>     Do I mandatorily have to fill some AD user attributes to get it to
>     work? Currently I'm testing just with uidNumber and gidNumber.
>
>     There is almost no documentation about this topic, so I don't know
>     what else I can try ...
>
>     Thanks for help,
>
>     Jan
>
>     ------------------------------------------------------------------------
>
>     Date: Tue, 21 Jun 2016 21:38:15 +0200
>     From: Jakub Hrozek <jhrozek at redhat.com>
>     To: freeipa-users at redhat.com
>     Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>     Message-ID: <20160621193815.GS29512 at hendrix>
>     Content-Type: text/plain; charset=iso-8859-1
>
>     On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
>     > Hi all,
>     >
>     > I have a question about IPA with AD forest trust. What I am
>     trying to do is set up an environment where all information about
>     users is stored in one place - AD. I would like to read at least
>     uid, home, shell and sshkey from AD.
>     >
>     > I have set up the trust with these parameters:
>     >
>     > ipa trust-add EXAMPLE.TT --type=ad
>     --range-type=ipa-ad-trust-posix --admin=administrator
>
>     Did you add the POSIX attributes to AD after creating the trust maybe?
>
>     >
>     > [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>     > Range name: EXAMPLE.TT_id_range
>     > First Posix ID of the range: 1392000000
>     > Number of IDs in the range: 200000
>     > Domain SID of the trusted domain:
>     S-1-5-21-4123312533-990676102-3576722756
>     > Range type: Active Directory trust range with POSIX attributes
>     >
>     >
>     > I have set attributes in AD for user at EXAMPLE.TT
>     > - uidNumber -10000
>     > - homeDirectory -/home/user
>     > - loginShell - /bin/bash
>     >
>     > Trust itself works fine. I can do kinit with user at EXAMPLE.TT , I
>     can run id and getent passwd user at example.tt and I can use
>     user at example.tt for ssh.
>     >
>     > The problem is that I am not getting the uid from AD but from the idrange:
>     >
>     > uid=1392001107(user at example.tt)
>     >
>     > Also I have tried to switch off id mapping in sssd.conf with
>     ldap_id_mapping = true in sssd.conf but no luck.
>
>     This has no effect; in the IPA-AD trust scenario, the id mapping
>     properties are managed on the server.
>
>     >
>     > I know that it is probably better to use ID views for this, but
>     in our case we need to set up a centrally managed environment, where
>     all user information is externally inserted into AD from the HR system
>     - including POSIX attributes - and we need IPA to read them from AD.
>
>     I think idviews are better for overriding POSIX attributes for a
>     specific set of hosts, but in your environment, it sounds like you
>     want to use the POSIX attributes across the board.
>
>     >
>     > So my questions are:
>     >
>     > Is it possible to read users' POSIX attributes directly from AD
>     - namely the uid?
>
>     Yes
>
>     > Which attributes can be stored in AD?
>
>     Homedir is a bit special: for backwards compatibility the
>     subdomains_homedir takes precedence. The others should be read
>     from AD.
>
>     I don't have the environment set up at the moment, though, so I'm
>     operating purely from memory.
>
>     > Am I doing something wrong?
>     >
>     > my sssd.conf:
>     > [domain/a.example.tt]
>     > debug_level = 5
>     > cache_credentials = True
>     > krb5_store_password_if_offline = True
>     > ipa_domain = a.example.tt
>     > id_provider = ipa
>     > auth_provider = ipa
>     > access_provider = ipa
>     > ipa_hostname = ipa1.a.example.tt
>     > chpass_provider = ipa
>     > ipa_server = ipa1.a.example.tt
>     > ipa_server_mode = True
>     > ldap_tls_cacert = /etc/ipa/ca.crt
>     > #ldap_id_mapping = true
>     > #subdomain_inherit = ldap_user_principal
>     > #ldap_user_principal = nosuchattribute
>     >
>     > [sssd]
>     > services = nss, sudo, pam, ssh
>     > config_file_version = 2
>     >
>     > domains = a.example.tt
>     > [nss]
>     > debug_level = 5
>     > homedir_substring = /home
>     > enum_cache_timeout = 2
>     > entry_negative_timeout = 2
>     >
>     >
>     > [pam]
>     > debug_level = 5
>     > [sudo]
>     >
>     > [autofs]
>     >
>     > [ssh]
>     > debug_level = 4
>     > [pac]
>     >
>     > debug_level = 4
>     > [ifp]
>     >
>     > Thanks,
>     > Jan
>
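A small Python check added here (not FreeIPA's own code and not from this thread) that parses the LDIF the ldapsearch command above prints and compares the AD uidNumber values against the range reported by 'ipa idrange-show'; the sample LDIF and its msSFU30 values are constructed, and the range numbers are the ones quoted in the thread.

```python
# Constructed sample output: the ypservers entry plus one AD user entry.
# The msSFU30 values are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com
msSFU30OrderNumber: 10000
msSFU30MaxUidNumber: 10002

dn: cn=user,cn=Users,dc=example,dc=com
uidNumber: 10000
gidNumber: 10000
"""


def parse_ldif(text):
    """Split plain (unwrapped, non-base64) LDIF into a list of {attr: [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sfu_attributes(entries):
    """Return the msSFU30 values (as ints) that trust.py searches for, where present."""
    wanted = ("msSFU30OrderNumber", "msSFU30MaxUidNumber", "msSFU30MaxGidNumber")
    return {a: int(e[a][0]) for e in entries for a in wanted if a in e}


def ids_outside_range(entries, base_id, range_size, attr="uidNumber"):
    """Return the `attr` values not covered by [base_id, base_id + range_size)."""
    outside = []
    for entry in entries:
        for value in entry.get(attr, []):
            posix_id = int(value)
            if not base_id <= posix_id < base_id + range_size:
                outside.append(posix_id)
    return outside


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("SFU attributes:", sfu_attributes(entries))
    # Range values are the ones from the 'ipa idrange-show' output quoted above.
    print("uidNumbers outside the IPA range:", ids_outside_range(entries, 1392000000, 200000))
```

Any ID listed as outside the range is one that IPA's ipa-ad-trust-posix range, as created, will not serve from the AD attribute.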
