Whoa... thanks for this. Now I think I am on the right path.

Thanks for the help.

R

> On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>> 
>> 
>>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users 
>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>> 
>>> On ke, 12 syys 2018, Ryan via FreeIPA-users wrote:
>>>> Hi, All
>>>> 
>>>> Off the bat I would like to say being new to freeIPA and rolling out
>>>> successful deployment to manage our servers has been amazing, very few
>>>> hiccups.
>>>> 
>>>> Which brings me to my next question: I have been asked if FreeIPA can
>>>> be used with Samba4 as a Domain Controller in our environment. After
>>>> much reading it's not as simple as it might sound.
>>>> 
>>>> In saying that, my question is simple.
>>>> 
>>>> How or what would be the best way to keep the AD users and FreeIPA
>>>> users in sync? All I am really looking for is to auth users on the new
>>>> Samba4 AD server. Can this be done or not?
>>> It currently cannot be done. Requires functionality not available in
>>> FreeIPA.
>>> 
>> 
>> Yeah, that's what I thought, just need to confirm.
>> 
>> What would you suggest as the best way to dump users from LDAP and then
>> populate Samba with users and random passwords? I understand this is
>> out of scope for FreeIPA.
> You can use Python bindings to IPA to generate a list of user entries in Python and
> then feed some properties of that to samba-tool.
> 
> Something like this, using ipa console to simplify use of the API:
> 
> # ipa console
> (Custom IPA interactive Python console)
>   api: IPA API object
>   pp: pretty printer
> >>> result = api.Command.user_find(all=True, raw=True)['result']
> >>> len(result)
> 7
> >>> pp(result)
> ({'cn': ('Alexander Bokovoy',),
> 'displayName': ('Alexander Bokovoy',),
> 'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
> 'gecos': ('Alexander Bokovoy',),
> 'gidnumber': ('1536000001',),
> 'givenname': ('Alexander',),
> 'homedirectory': ('/home/ab',),
> 'initials': ('AB',),
> 'ipaNTHash': (b'some-value',),
> 'ipaNTSecurityIdentifier': ('<DOMAIN-SID>-1001',),
> 'ipaUniqueID': ('<UNIQUE-ID>',),
> 'ipaUserAuthType': ('otp',),
> 'krbLastPwdChange': ('20180531111544Z',),
> 'krbPasswordExpiration': ('20180829111544Z',),
> 'krbcanonicalname': ('a...@example.com',),
> 'krbprincipalname': ('a...@example.com',),
> 'loginshell': ('/bin/sh',),
> 'mail': ('a...@example.com',),
> 'memberOf': (<list of DNs>),
> 'nsaccountlock': ('FALSE',),
> 'objectClass': ('ipaobject',
>                 'person',
>                 'top',
>                 'ipasshuser',
>                 'inetorgperson',
>                 'organizationalperson',
>                 'krbticketpolicyaux',
>                 'krbprincipalaux',
>                 'inetuser',
>                 'posixaccount',
>                 'ipaSshGroupOfPubKeys',
>                 'mepOriginEntry',
>                 'ipantuserattrs',
>                 'ipauserauthtypeclass'),
> 'sn': ('Bokovoy',),
> 'uid': ('ab',),
> 'uidnumber': ('1536000001',)
> <more data>
> },
> <more entries>
> )
> 
> >>> for x in filter(lambda x: 'givenname' in x, result):
> ...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D 
> --given-name={givenname[0]} --surname={sn[0]} 
> --must-change-at-next-login".format(**x))
> ... samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander 
> --surname=Bokovoy --must-change-at-next-login
> samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar 
> --must-change-at-next-login
> samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New 
> --surname=User --must-change-at-next-login
> samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A 
> --surname=User --must-change-at-next-login
> samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some 
> --surname=User --must-change-at-next-login
> samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User 
> --surname=Mode --must-change-at-next-login
> 
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
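A defender-side variant of the loop in Alexander's message, written as an added example (not his code or FreeIPA's): it takes entries in the shape of `user_find(all=True, raw=True)['result']`, but builds argv lists instead of shell strings, so attribute values containing quotes or spaces cannot change the command, skips accounts locked in IPA, and relies on samba-tool's `--random-password` rather than one shared temporary password. The sample entries are constructed, and `--random-password` is assumed to be available in the reader's Samba version.

```python
import shlex
import subprocess
from typing import Dict, List, Optional, Sequence

# Constructed sample entries in the shape of
# api.Command.user_find(all=True, raw=True)['result']: each attribute value
# is a tuple of strings. In real use, replace this with the live result.
SAMPLE_RESULT: Sequence[Dict[str, tuple]] = (
    {'uid': ('ab',), 'givenname': ('Alexander',), 'sn': ('Bokovoy',),
     'nsaccountlock': ('FALSE',)},
    {'uid': ('obrien',), 'givenname': ('Conor',), 'sn': ("O'Brien",),
     'nsaccountlock': ('FALSE',)},                      # quote in surname
    {'uid': ('svc-backup',), 'sn': ('Backup',),
     'nsaccountlock': ('FALSE',)},                      # no givenname
    {'uid': ('old',), 'givenname': ('Gone',), 'sn': ('User',),
     'nsaccountlock': ('TRUE',)},                       # disabled in IPA
)

def first(entry: Dict[str, tuple], attr: str) -> Optional[str]:
    """First value of a multi-valued IPA attribute, or None if it is absent."""
    values = entry.get(attr)
    return values[0] if values else None

def samba_create_argv(entry: Dict[str, tuple]) -> Optional[List[str]]:
    """argv for 'samba-tool user create' for one IPA entry, or None to skip it.
    Skips entries without a given name (as the original filter did) and
    accounts locked in IPA, so a disabled account is not re-enabled in AD.
    --random-password avoids a shared temporary password in scripts/logs.
    """
    uid, given, sn = (first(entry, a) for a in ('uid', 'givenname', 'sn'))
    if not (uid and given and sn) or first(entry, 'nsaccountlock') == 'TRUE':
        return None
    return ['samba-tool', 'user', 'create', uid, '--random-password',
            '--given-name=' + given, '--surname=' + sn,
            '--must-change-at-next-login']

def render_commands(result: Sequence[Dict[str, tuple]]) -> List[str]:
    """Shell-safe command lines for review; shlex.join quotes values like O'Brien."""
    return [shlex.join(argv) for argv in map(samba_create_argv, result) if argv]

def run_commands(result: Sequence[Dict[str, tuple]], dry_run: bool = True) -> int:
    """Run each command as an argv list (no shell involved); returns the count."""
    argvs = [a for a in map(samba_create_argv, result) if a]
    for argv in argvs:
        if not dry_run:
            subprocess.run(argv, check=True)
    return len(argvs)
```

Run it with `dry_run=False` on the Samba DC itself; the `print`-and-paste approach from the thread is what `render_commands` replaces.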
