[Freeipa-users] AD trust with POSIX attributes
Justin Stephenson
jstephen at redhat.com
Tue Jul 26 19:37:43 UTC 2016
As Alexander mentioned, the LDAP schema still exists to add POSIX
attributes to users and groups in AD, but IDMU simply provides a
convenient graphical interface to manage this. You should still be able
to use PowerShell or other Windows tools to modify POSIX attributes
going forward, but in general a lot of users are moving towards sssd
automatic ID mapping, which means there is no administrative management
of uid/gid values.
There may be some other purpose for IDMU that I am not aware of...
Kind regards,
Justin Stephenson
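Two of the checks this thread performs by hand, as an added Python example that is not code from FreeIPA, SSSD or any of the posters: whether the uid printed by `id` lies inside the IPA idrange reported by `ipa idrange-show` (if it does, it was allocated by IPA rather than read from AD's uidNumber), and whether sssd.conf on the IPA server still carries a stray `id_provider = ad` domain of the kind Justin advised removing. The sample `idrange-show`, `id` and sssd.conf snippets are constructed from the values quoted in the thread.

```python
"""Sanity checks for the AD-trust POSIX setup in this thread (constructed example,
not FreeIPA/SSSD code): is a uid from `id` inside the IPA idrange (then it was
allocated by IPA, not read from AD's uidNumber), and does sssd.conf on the IPA
server still carry a stray `id_provider = ad` domain, which Justin said to remove."""
import configparser
import re

def parse_idrange_show(text):
    """Extract (base, size) from `ipa idrange-show` output."""
    base = int(re.search(r"First Posix ID of the range:\s*(\d+)", text).group(1))
    size = int(re.search(r"Number of IDs in the range:\s*(\d+)", text).group(1))
    return base, size

def parse_id_output(text):
    """Return the numeric uid from `id user` output such as 'uid=1392001119(...)'."""
    return int(re.search(r"uid=(\d+)", text).group(1))

def uid_from_idrange(uid, base, size):
    """True if uid lies in [base, base + size), i.e. it was allocated from the IPA range."""
    return base <= uid < base + size

def stray_ad_domains(sssd_conf_text):
    """Domain sections using id_provider=ad while another domain runs in ipa_server_mode."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not any(cp[s].get("ipa_server_mode", "").lower() == "true" for s in domains):
        return []  # not an IPA server in trust mode; an ad domain may be legitimate
    return [s for s in domains if cp[s].get("id_provider", "").lower() == "ad"]

# Constructed sample input, mirroring values quoted in the thread.
IDRANGE_SHOW = """First Posix ID of the range: 1392000000
Number of IDs in the range: 200000
"""
ID_OUTPUT = "uid=1392001119(user1@example.tt) gid=1392001119(user1@example.tt)"
SSSD_CONF = """[domain/a.example.tt]
id_provider = ipa
ipa_server_mode = True
[domain/example.tt]
ldap_id_mapping = False
id_provider = ad
"""

if __name__ == "__main__":
    base, size = parse_idrange_show(IDRANGE_SHOW)
    uid = parse_id_output(ID_OUTPUT)
    print("uid allocated from IPA idrange:", uid_from_idrange(uid, base, size))
    print("stray AD domains in sssd.conf:", stray_ad_domains(SSSD_CONF))
```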
On 07/25/2016 10:54 AM, Jan Karásek wrote:
> Hi,
>
> just for the clarification:
>
> Do I really need IDMU installed on the AD side for an IPA-AD trust with
> --range-type=ipa-ad-trust-posix? In W2012 all POSIX attributes are
> already in the schema and the idrange type can be forced. I just tried to
> remove IDMU from my AD and it's still working. What is the role of
> IDMU other than allowing autodetection of the POSIX idrange type via
> the msSFU30OrderNumber and msSFU30MaxUidNumber attributes?
>
> Regards,
> Jan
>
> ------------------------------------------------------------------------
> From: "Jan Karásek" <jan.karasek at elostech.cz>
> To: "Justin Stephenson" <jstephen at redhat.com>
> Cc: "Alexander Bokovoy" <abokovoy at redhat.com>, freeipa-users at redhat.com
> Sent: Friday, July 22, 2016 3:19:51 PM
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hi,
>
> thanks a lot for help guys. It's working now. I can successfully read
> POSIX attributes from AD.
>
> Right now I'm storing uidNumber, gidNumber, gecos, loginShell and
> unixHomeDirectory in AD.
>
> I have trouble with homedir. It's using subdomain_homedir from
> sssd.conf and not reflecting the value of unixHomeDirectory attribute.
>
> Is there any way to use the value from AD rather than the subdomain_homedir
> template for this parameter?
>
> Regards,
> Jan
> ------------------------------------------------------------------------
> From: "Justin Stephenson" <jstephen at redhat.com>
> To: "Jan Karásek" <jan.karasek at elostech.cz>, "Alexander Bokovoy"
> <abokovoy at redhat.com>
> Cc: freeipa-users at redhat.com
> Sent: Thursday, July 21, 2016 3:54:25 PM
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
> Hello,
>
> You should remove the following from sssd.conf:
>
> [domain/example.tt]
> debug_level = 7
> ldap_id_mapping = False
> id_provider = ad
>
> With the AD trust configuration, you do not need to specify any
> additional domain because IPA will contact AD across the trust using
> the external and POSIX groups you created during the trust setup.
>
> Once done, try restarting sssd and removing the /var/lib/sss/db/* cache.
>
> Kind regards,
> Justin Stephenson
>
> On 07/21/2016 07:56 AM, Jan Karásek wrote:
>
> Thank you.
>
> Now I have IDMU installed and when creating trust, IPA is
> correctly autodetecting the range type:
>
> Range name: EXAMPLE.TT_id_range
> First Posix ID of the range: 10000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain:
> S-1-5-21-4123312533-990676102-3576722756
> Range type: Active Directory trust range with POSIX attributes
>
> When asking for uid of the AD user:
>
> [root at ipa1 sssd]# id user1 at example.tt
> uid=1392001119(user1 at example.tt) gid=1392001119(user1 at example.tt)
> groups=1392001119(user1 at example.tt),1392000513(domain
> users at example.tt),979000007(external_users)
>
>
> ... so ID-mapping is still in action.
>
> According to doc:
>
> To use existing POSIX attributes, two things must be configured:
>
> * The POSIX attributes must be published to Active Directory's
> global catalog. - done with uidNumber, gidNumber
> * ID mapping (ldap_id_mapping in the Active Directory domain
> entry) must be disabled in SSSD. - done
>
> Here is my sssd.conf from the IPA server. Is there anything else I
> should do to switch off ID-mapping?
>
> [domain/a.example.tt]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [domain/example.tt]
> debug_level = 7
> ldap_id_mapping = False
> id_provider = ad
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = a.example.tt, example.tt
>
> [nss]
> #debug_level = 5
> #homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
>
> [pam]
> #debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> #debug_level = 4
> [pac]
>
> #debug_level = 4
> [ifp]
>
>
> Regards,
> Jan
> ------------------------------------------------------------------------
> From: "Alexander Bokovoy" <abokovoy at redhat.com>
> To: "Jan Karásek" <jan.karasek at elostech.cz>
> Cc: "Justin Stephenson" <jstephen at redhat.com>,
> freeipa-users at redhat.com
> Sent: Wednesday, July 20, 2016 6:06:29 PM
> Subject: Re: [Freeipa-users] AD trust with POSIX attributes
>
> On Wed, 20 Jul 2016, Jan Karásek wrote:
> >Hi,
> >
> >thank you.
> >
> >ldapsearch reply:
> >
> >search: 2
> >result: 32 No such object
> >matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
> >text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT),
> data 0, best
> >match of:
> >'CN=RpcServices,CN=System,DC=rwe,DC=tt'
> >
> >actually when I look under the
> CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
> >
> >Did I miss setting something on the AD side?
> Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft
> removed the IDMU tools. The LDAP schema will stay, but there will
> be no means to visually edit POSIX attributes.
>
> https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
>
>
>
> >
> >Thanks,
> >Jan
> >
> >From: "Justin Stephenson" <jstephen at redhat.com>
> >To: "Jan Karásek" <jan.karasek at elostech.cz>
> >Cc: freeipa-users at redhat.com
> >Sent: Wednesday, July 20, 2016 4:09:02 PM
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >
> >These attributes should be available from port 389 and not the
> global catalog; please try a command such as:
> >
> >ldapsearch -H ldap://<ip-address> -D "DOMAIN\Administrator" -W \
> >  -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" \
> >  msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
> >
> >Replacing the root suffix in the search base, the ip-address and
> bind credentials.
> >
> >Kind regards,
> >Justin Stephenson
> >
> >On 07/20/2016 08:15 AM, Jan Karásek wrote:
> >
> >Hi,
> >
> >thank you for the hint.
> >
> >In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
> >
> >It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
> >
> >If I understand it right, it is the base uid number and the number of
> uids in the range.
> >
> >If not discovered nor given via the CLI, it generates a random base
> and adds some default_range_size.
> >
> >So these two attributes must be set to use the ipa-ad-trust-posix range?
> >
> >Could anybody help me with how and where to check these attributes? I
> have looked in the ldapsearch dump from my AD (Global catalog) and I
> can see these attributes only in the schema - so no values assigned.
> >I'm using W2012 R2.
> >
> >Thank you,
> >Jan
> >
> >From: "Justin Stephenson" <jstephen at redhat.com>
> >To: "Jan Karásek" <jan.karasek at elostech.cz> ,
> freeipa-users at redhat.com
> >Sent: Tuesday, July 19, 2016 8:36:00 PM
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >
> >Hello,
> >
> >When adding the AD trust using 'ipa-ad-trust-posix' range type
> then IPA will search AD for the ID space of existing POSIX
> attributes to automatically create a suitable ID range inside IPA.
> >
> >You can check the exact steps and attributes searched by looking
> at the add_range function definition in
> /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
> >
> >I would suggest reviewing the output of 'ipa idrange-find' to
> confirm that the range matches up with the uid and gidNumbers of
> your AD environment.
> >
> >Kind regards,
> >Justin Stephenson
> >
> >On 07/19/2016 09:44 AM, Jan Karásek wrote:
> >
> >Hi,
> >
> >I am still fighting with storing user's POSIX attributes in AD.
> Please can anybody provide some simple reference settings of
> IPA-AD trust where users are able to get uid from AD - not from
> IPA ID pool ?
> >
> >I have tried to set values of attributes before and after
> creating trust, I have tried different sssd setting but I'm still
> getting uid from IPA idrange pool instead of from AD user's attribute.
> >
> >What exactly is IPA checking when it tries to decide what type of
> trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?
> >
> >Is it mandatory to fill in some of the AD user's attributes to get it to
> work? Currently I'm testing just with uidNumber and gidNumber.
> >
> >There is almost no documentation about this topic so I don't know
> what else I can try ...
> >
> >Thanks for help,
> >
> >Jan
> >
> >Date: Tue, 21 Jun 2016 21:38:15 +0200
> >From: Jakub Hrozek <jhrozek at redhat.com>
> >To: freeipa-users at redhat.com
> >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
> >Message-ID: <20160621193815.GS29512 at hendrix>
> >Content-Type: text/plain; charset=iso-8859-1
> >
> >On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
> >> Hi all,
> >>
> >> I have a question about IPA with an AD forest trust. What I am
> trying to do is set up an environment where all information about
> users is stored in one place - AD. I would like to read at least
> uid, home, shell and sshkey from AD.
> >>
> >> I have set up the trust with these parameters:
> >>
> >> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
> >
> >Did you add the POSIX attributes to AD after creating the trust
> maybe?
> >
> >>
> >> [root at ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
> >> Range name: EXAMPLE.TT_id_range
> >> First Posix ID of the range: 1392000000
> >> Number of IDs in the range: 200000
> >> Domain SID of the trusted domain:
> S-1-5-21-4123312533-990676102-3576722756
> >> Range type: Active Directory trust range with POSIX attributes
> >>
> >>
> >> I have set attributes in AD for user at EXAMPLE.TT:
> >> - uidNumber - 10000
> >> - homeDirectory - /home/user
> >> - loginShell - /bin/bash
> >>
> >> Trust itself works fine. I can do kinit with user at EXAMPLE.TT,
> I can run id and getent passwd user at example.tt and I can use
> user at example.tt for ssh.
> >>
> >> Problem is, that I am not getting the uid from AD but from the idrange:
> >>
> >> uid=1392001107(user at example.tt)
> >>
> >> Also I have tried to switch off id mapping with
> ldap_id_mapping = true in sssd.conf but no luck.
> >
> >This has no effect; in the IPA-AD trust scenario, the id mapping
> >properties are managed on the server.
> >
> >>
> >> I know that it is probably better to use ID views for this,
> but in our case we need to set up a centrally managed environment
> where all user information is externally inserted into AD from the HR
> system - POSIX attributes included - and we need IPA to read them
> from AD.
> >
> >I think idviews are better for overriding POSIX attributes for a
> >specific set of hosts, but in your environment, it sounds like
> >you want to use the POSIX attributes across the board.
> >
> >>
> >> So my questions are:
> >>
> >> Is it possible to read user's POSIX attributes directly from AD
> - namely uid ?
> >
> >Yes
> >
> >> Which attributes can be stored in AD?
> >
> >Homedir is a bit special; for backwards compatibility the
> >subdomains_homedir takes precedence. The others should be read
> >from AD.
> >
> >I don't have the environment set up at the moment, though, so I'm
> >operating purely from memory.
> >
> >> Am I doing something wrong ?
> >>
> >> my sssd.conf:
> >> [domain/a.example.tt]
> >> debug_level = 5
> >> cache_credentials = True
> >> krb5_store_password_if_offline = True
> >> ipa_domain = a.example.tt
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = ipa1.a.example.tt
> >> chpass_provider = ipa
> >> ipa_server = ipa1.a.example.tt
> >> ipa_server_mode = True
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> #ldap_id_mapping = true
> >> #subdomain_inherit = ldap_user_principal
> >> #ldap_user_principal = nosuchattribute
> >>
> >> [sssd]
> >> services = nss, sudo, pam, ssh
> >> config_file_version = 2
> >>
> >> domains = a.example.tt
> >> [nss]
> >> debug_level = 5
> >> homedir_substring = /home
> >> enum_cache_timeout = 2
> >> entry_negative_timeout = 2
> >>
> >>
> >> [pam]
> >> debug_level = 5
> >> [sudo]
> >>
> >> [autofs]
> >>
> >> [ssh]
> >> debug_level = 4
> >> [pac]
> >>
> >> debug_level = 4
> >> [ifp]
> >>
> >> Thanks,
> >> Jan
> >
>
> --
> / Alexander Bokovoy