[Freeipa-users] FreeIPA as domain controller?

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 17 14:52:26 UTC 2016


On ma, 17 loka 2016, Brian Candler wrote:
>On 17/10/2016 15:06, Alexander Bokovoy wrote:
>>>Would there be any benefit the other way round - creating 
>>>identities in S4 and using them to login to FreeIPA-joined *nix 
>>>boxes? I guess the problem then is where posix attributes like uid 
>>>and gid come from.
>>This works for Samba AD > 4.4. The code in Samba that supports forest
>>trust is a bit new (and was written by Red Hat's request) so depending
>>on what version you are using your experience will vary.
>>
>>IPA supports different methods for mapping IDs, including algorithmic
>>ones. We default to algorithmic ID range if existing POSIX IDs aren't
>>found.
>>
>>See ID MAPPING section in sssd-ad man page for details. You don't need
>>to configure anything in SSSD, though, because it is done automatically
>>based on the ID ranges in IPA.
>
>OK, but let me just see if I can clarify. Given the following scenario:
>
>SAMBA . . . . . . FREEIPA
>  |                  |
>USER               SERVER
>
>The server isn't joined directly to the Samba domain, but the manpage 
>for sssd-ad says "This provider requires that the machine be joined to 
>the AD domain".
>
>So is it true that:
>
>1. The server is not configured to use sssd-ad? Does it automatically 
>use this module if, because of trust relationships, a user from the 
>Samba domain logs into it? Would it need configuration, or does it 
>pick up everything it needs from the DNS?
In the case of an IPA client, SSSD is configured to use SSSD's 'ipa' provider.
The provider is more complex than sssd-ldap or sssd-ad; it derives a lot
of its own configuration from the content of the IPA LDAP server. In the case
of a trust to AD, it dynamically derives configurations of 'subdomains' for
the IPA domain. These subdomains are driven by an 'sssd-ad'-like provider.

To cut it short, the same ID MAPPING mechanism is in use if the ID range in
IPA corresponding to the AD domain discovered via forest trust is set to
'Active Directory domain range'. See 'ipa help idrange' for more
details.

When you establish a trust between AD and IPA, the ranges for AD domains
are created automatically. There is code that attempts to look up in
AD and understand whether POSIX attributes are stored there. In that
case the ID range for the AD domains would be set to 'Active Directory
domain range with POSIX attributes'.

>
>2. If I create the posix uids/gids as extra attributes in the Samba 
>domain, the algorithmic ID mapping isn't required?
If you set the ID range for the corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to log on to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.
-- 
/ Alexander Bokovoy
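As an added illustration of the two range types discussed above (not code from sssd or FreeIPA), the following model shows how an IPA client would turn an AD user's SID into a uid: an 'ipa-ad-trust' range maps the RID algorithmically into the range, while an 'ipa-ad-trust-posix' range requires a uidNumber stored in AD. The mapping formula (base_id + rid) and the range bounds check are simplifying assumptions of this model; the range names, SIDs and IDs are constructed sample data.

```python
"""Model of trust ID-range resolution on an IPA client (added example, not sssd/IPA code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdRange:
    name: str          # e.g. "AD.EXAMPLE.TEST_id_range"
    base_id: int       # ipaBaseID: first uid/gid of the range
    range_size: int    # ipaIDRangeSize: number of IDs in the range
    dom_sid: str       # ipaNTTrustedDomainSID of the trusted AD domain
    range_type: str    # "ipa-ad-trust" (algorithmic) or "ipa-ad-trust-posix"


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    if not sid.startswith("S-1-") or sid.count("-") < 4:
        raise ValueError(f"not a domain user SID: {sid}")
    dom_sid, _, rid = sid.rpartition("-")
    return dom_sid, int(rid)


def resolve_uid(sid: str, ranges: list[IdRange], ad_uid_number: Optional[int] = None) -> int:
    """Return the uid an IPA client would use for `sid` under the matching range.

    ad_uid_number is the uidNumber found in AD, or None if the user has no POSIX
    attributes there. Assumption: algorithmic mapping is base_id + RID.
    """
    dom_sid, rid = split_sid(sid)
    for r in ranges:
        if r.dom_sid != dom_sid:
            continue
        if r.range_type == "ipa-ad-trust":
            if rid >= r.range_size:  # RID does not fit: user cannot be mapped
                raise LookupError(f"RID {rid} outside {r.name} (size {r.range_size})")
            return r.base_id + rid
        if r.range_type == "ipa-ad-trust-posix":
            if ad_uid_number is None:  # POSIX range but no uidNumber in AD: logon fails
                raise LookupError(f"{sid}: {r.name} expects POSIX attributes in AD")
            if not (r.base_id <= ad_uid_number < r.base_id + r.range_size):
                raise LookupError(f"uidNumber {ad_uid_number} outside {r.name}")
            return ad_uid_number
        raise ValueError(f"unsupported range type {r.range_type!r} in {r.name}")
    raise LookupError(f"no ID range for domain {dom_sid}")


# Constructed sample ranges, as 'ipa idrange-find' might list them.
RANGES = [
    IdRange("AD.EXAMPLE.TEST_id_range", 1_200_000_000, 200_000, "S-1-5-21-1-2-3", "ipa-ad-trust"),
    IdRange("POSIX.EXAMPLE.TEST_id_range", 10_000, 50_000, "S-1-5-21-4-5-6", "ipa-ad-trust-posix"),
]
```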