On 09/14/2014 03:42 AM, Gregor Bregenzer wrote:
2014-09-14 1:14 GMT+02:00 Dmitri Pal <d...@redhat.com>:
On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
Hi!
There are two ways that you can use to integrate FreeIPA with AD: a.)
trust b.) synchronization Here are the pros/cons for both of them:
http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
If you want to manage POSIX attributes for each user can do that with
either identity management for Unix at AD using the trust, or with the
synchronzation at FreeIPA. With synchronization you see the users to
in FreeIPA, but still have to two users to manage - in FreeIPA and AD.
With the AD trust the sssd daemon running on FreeIPA is proxying all
request from the client sssd directly to AD
This is not exactly true. SSSD understands that IPA and AD are in trust
relations. If you use user name and password to login SSSD will turn to AD
directly without sending password over the wire. If you SSO into the linux
box the kerberos library (on you windows client) will do all the ticket
acquisition and redirects.
The proxy is already done for older clients that does not understand that
IPA is in trust relations with AD.
http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf
Sorry, there are two things i did not mention a.) no SSO, b.) Linux
Client SSSD requesting UID/GID.
a.) if you ssh login from a Windows client that is _not_ joined in AD
or a standalone Linux box - so no SSO. Because there the destination
Linux clients with sssd (1.9.2 with AD trust compatibilty with ipa
provider, or 1.11+ with full AD trust capability) still need SSSD on
the FreeIPA Server that will forward the authentication requests to
AD. In slide 30 of
http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf it states:
"SSSD is used behind the scenes on the FreeIPA server
to lookup up users in trusted AD domains
SSSD on FreeIPA clients will forward resolution requests
to FreeIPA servers through FreeIPA LDAP server plugin"
b.) If you have a client that is authenticating using Kerberos and
therefore SSO, the destination Linux sssd client still needs the sssd
client on the FreeIPA server to lookup the UID/GID. So there's the
authentication process either with SSO or without SSO, and there's the
lookup process for the attributes - am i correct?
If the client is new i.e. 1.9+ it will know ho to use trusts and will
support UID/GID coming from AD.
These clients should be joined to IPA.
Other older clients need to be handled following the guidelines re
legacy clients.
See below.
, so you see no users in
FreeIPA, but you have to extend the AD schema using Identity
Management for unix.
You really have two options: let SSSD to map users dynamically, in this case
you do not need AD schema extensions or you can extend schema as suggested.
The third option that is under development is described in my other reply.
What happens if you have already defined the UID/GID with the schema
extension on AD and have legacy Linux clients using them, but you
still want to use the exact UID/GID _and_ make use of all the great
features offered in FreeIPA such as HBAC, sudorules, etc.? Then only
the AD Trust with SSSD 1.11+ with full AD trust feature set is working
- correct (because 1.9.2 with ipa provider cannot get the GID from
AD)?
SSSD 1.9 should work ok with IPA in trust relations.
Earlier versions or other clients should be pointed to the IPA compat tree.
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
Then you get exactly what you are looking for.
Also the password policy from the group policy in
AD is used when you use the AD trust, but on clients with sssd you can
change the password using kpasswd from Kerberos. If you want to use a
trust with AD and want to receive the correct GID set in AD then you
have to use sssd >1.9.x, otherwise you get a different GID (see
https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
no matter if you use a trust or synchronzation.
Gregor
2014-09-13 22:03 GMT+02:00 Traiano Welcome <trai...@gmail.com>:
Hi List
Currently I have a stable trust relationship going between IPA and
Windows
AD. I create users and manage passwords in AD, but want to manage the
rest
in IPA, "the rest" being default shell, default home directory settings,
RBAC, HBAC, Selinux etc ..
What I'm expecting it to be able to log into the FreeIPA web interface,
and
see a synched list of users created in AD appear in the interface, after
which I can modify the settings on a per user basis.
If that level of granularity is not possible, I would then expect to be
able
to at least apply an IPA-imposed set of account defaults on and AD user
group:
- default shell
- HBAC rules
- Sudo rules
- SELinux rules
- RBAC
Is this possible with FreeIPA? I can't find anything coherent in the
documentation that describes an effective way of managing the POSIX
attributes of AD users in FreeIPA.
Thanks in advance!
Traiano
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
