Hi Stefan,

On Thu, Dec 7, 2023 at 8:00 AM Stefan Palm via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello everyone.
>
> It looks like I have a problem understanding the way AD trusts work.
> Maybe someone here can enlighten me.
>
> In our AD we have "normal" users and groups and we have users/groups
> with POSIX attributes. For the latter we want to use FreeIPA to
> implement HBAC and Sudo rules.
>
> Last week I installed a FreeIPA server (v4.10.1) and created a one-way
> trust to our AD. This has worked so far, I can log on to my (test)
> FreeIPA client with my AD user.
>
> My comprehension problem: I can only see AD users and AD groups on the
> FreeIPA server and on my test client that have POSIX attributes (uid,
> uidNumber, gidNumber) set. To clarify: "getent passwd" and "getent
> groups" do not find users and groups that do not have POSIX attributes
> and the same applies to "ipa group-add-member".

Your trust was probably created as a POSIX trust (with ipa trust-add --range-type=ipa-ad-trust-posix). This means that only users and groups with POSIX IDs defined on AD can be used on the IPA side. For more details you can refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#con_posix-and-id-mapping-id-range-types-for-ad-users_planning-a-cross-forest-trust-between-idm-and-ad and

> While this does not matter for the users so far, it is a problem for me
> with the groups because I can now only select AD groups with POSIX
> attributes when mapping, i.e. "ipa group-add-member <local group>
> --external '<AD\Group>'" only works with POSIX groups from the AD.
> Why is this a problem? Because I now suddenly see the groups "twice", so
> if I make an "id <user>", then I see the original AD group (e.g.
> "webserver admins" with the gidNumber from the AD) and additionally the
> mapped group from FreeIPA (with its own gid).

The AD groups can be used on the IPA side only through the use of external groups, as explained in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-managing#trust-groups

> The question I have is, does it have to be like this?
> Is there no way to select either the already existing AD group directly
> in HBAC and/or Sudo rules? Or if the mapping has to be to local groups,
> to select non-POSIX groups from the AD?

If you want to use non-POSIX groups from AD, then you need to establish the trust with a range type ipa-ad-trust instead of ipa-ad-trust-posix, or define a group override on IPA that assigns a GID to the group (see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_using-id-views-for-active-directory-users_managing-users-groups-hosts ). But the behavior will be exactly the same, i.e. on the IPA side the user is seen as a member of the AD group + of the POSIX group defined on the IPA side.

HTH,
flo

> Best regards
> Stefan
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
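The two points in the reply, that the trust's range type decides which AD objects are visible, and that the "group seen twice" effect is the AD group's own gidNumber next to the GID of the IPA POSIX group reached through the external group, can be checked from an IPA client. The following POSIX shell script is an added example, not code from this thread or from the FreeIPA project. It works on constructed data: a stand-in for the fields of "ipa idrange-find --raw" (range name, ipabaseid, ipaidrangesize, iparangetype) and a constructed "id" line; the domain ad.example, the ranges, the user and the group names webadmins and webadmins_external are hypothetical. The mapping function prints the ipa commands the reply describes (external group, POSIX group, HBAC rule) and runs them only when IPA_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeIPA itself.
# Constructed stand-in for the output of `ipa idrange-find --raw`, reduced to the
# fields that matter here: name, ipabaseid, ipaidrangesize, iparangetype.
ID_RANGES='IPA.EXAMPLE_id_range 1750000000 200000 ipa-local
AD.EXAMPLE_id_range 10000 200000 ipa-ad-trust-posix'

# Constructed `id` output for a trusted AD user (hypothetical names): the user is
# in the AD group "webserver admins" (AD gidNumber 10105) and, through the external
# group mapping, also in the IPA POSIX group "webadmins" (GID from the local range).
SAMPLE_ID='uid=10042(stefan@ad.example) gid=10001(domain users@ad.example) groups=10001(domain users@ad.example),10105(webserver admins@ad.example),1750000021(webadmins)'

# ad_range_type: print the type of the AD trust range. "ipa-ad-trust-posix" means
# only AD objects carrying uidNumber/gidNumber are resolvable on the IPA side;
# "ipa-ad-trust" means IDs are derived from the SID and non-POSIX objects show up too.
ad_range_type() {
    printf '%s\n' "$ID_RANGES" | awk '$4 ~ /^ipa-ad-trust/ { print $4; exit }'
}

# classify_groups ID_LINE: for every entry in the groups= field print
# "gid<TAB>name<TAB>range<TAB>type", so the two copies of a group are visibly
# attributed to the AD range and to the local IPA range respectively.
classify_groups() {
    printf '%s\n' "$1" | awk -v ranges="$ID_RANGES" '
    BEGIN {
        n = split(ranges, line, "\n")
        for (i = 1; i <= n; i++) {
            split(line[i], f, " ")
            rname[i] = f[1]; lo[i] = f[2] + 0; hi[i] = f[2] + f[3] - 1; rtype[i] = f[4]
        }
    }
    {
        # take everything after "groups="; AD group names may contain spaces,
        # so do not rely on whitespace field splitting
        g = substr($0, index($0, "groups=") + 7)
        m = split(g, item, ",")
        for (j = 1; j <= m; j++) {
            gid = item[j]; sub(/\(.*/, "", gid)
            name = item[j]; sub(/^[0-9]+\(/, "", name); sub(/\)$/, "", name)
            range = "unknown"; type = "unknown"
            for (i = 1; i <= n; i++)
                if (gid + 0 >= lo[i] && gid + 0 <= hi[i]) { range = rname[i]; type = rtype[i] }
            printf "%s\t%s\t%s\t%s\n", gid, name, range, type
        }
    }'
}

# map_ad_group 'AD\group' posix_group external_group
# The mapping sequence from the reply: external group -> POSIX group -> HBAC rule.
# Commands are printed (arguments quoted for copy-paste); they execute only when
# IPA_APPLY=1 is set and the caller holds an admin Kerberos ticket.
map_ad_group() {
    ad_group=$1; posix_group=$2; ext_group=$3
    run() {
        if [ "${IPA_APPLY:-0}" = 1 ]; then "$@"; return; fi
        printf '%s' "$1"; shift
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    }
    run ipa group-add "$ext_group" --external --desc="external members of $ad_group"
    run ipa group-add-member "$ext_group" --external "$ad_group"
    run ipa group-add "$posix_group"
    run ipa group-add-member "$posix_group" --groups "$ext_group"
    run ipa hbacrule-add "allow_$posix_group"
    run ipa hbacrule-add-user "allow_$posix_group" --groups "$posix_group"
}

# Demo run on the constructed data (no IPA server needed).
echo "AD trust range type: $(ad_range_type)"
classify_groups "$SAMPLE_ID"
map_ad_group 'AD\webserver admins' webadmins webadmins_external
```

On a real client, replace ID_RANGES with the output of "ipa idrange-find --raw" and SAMPLE_ID with "id <user>@<ad-domain>"; a group that shows up twice will be classified once under the trust range and once under the local IPA range, which is the duplication the reply says is expected.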