Maybe the difference was that I used a fresh demo installation from Windows 2012 R2 server. I only added the AD controller, DNS and NTP functionality for testing. (And all the patches... which literally takes a day to complete on a system with 4 cores and 4G RAM.)

I also found out that DNSSEC is not default, so I disabled DNSSEC validation on the IPA server in the named.conf, because this already cost me a day's work debugging, not to mention my lack of knowledge on how to do this in AD.

Minor side note, according to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

In the DNS verification checks it tells you to verify the Kerberos UDP record:

dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.

This yields no response. There is no UDP record in the AD, but there is a TCP record:

dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.

This gives a response.

I also validated the trust on the AD side; I'm not sure this is needed.

After doing this I can issue the command 'id AD.DOMAIN\\ADUSER' and I get a response telling me the uid/gid/AD id/AD group etc.

Rob Verduijn

2016-01-25 9:24 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
>> Hi,
>>
>> Hmmmm, Microsoft removes the UI, but leaves the schema extension.
>> Does not really make sense, but after some googling this does seem to
>> be the case.
>>
>> Your comment made me check Google with some different keywords and I
>> found that there was this irritation that was solved by somebody (at
>> Microsoft).
>>
>> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
>>
>> That explains why modifying the loginShell attribute did not work.
>>
>> I put the 'ldap_user_shell=msSFU30LoginShell' in the
>> [domain/ipadomain] section from sssd.conf.
>> This is required I guess on all ipa-clients that AD accounts get access to.
>
> Hmm, is this really required? The thing is that the IPA clients get
> their information through an extended operation and it's the SSSD on the
> IPA server that does the heavy lifting and just passes the info to the
> clients.
>
> I'll try to find some time later to test this..
>
>> And now all users seem to get the /bin/bash that can be set in the
>> AD user attribute loginShell
>>
>> (glad to see they keep their camel case in sync everywhere in the AD)
>>
>> Thanks for thinking along on this one.
>> Rob Verduijn
>>
>> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
>> >
>> >> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verdu...@gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to get an IPA server to trust a Microsoft AD domain.
>> >>
>> >> So far I've managed to get the trust to work and I can log in with an
>> >> Active Directory user on the IPA clients.
>> >>
>> >> Now I see the default shell is set to /bin/sh.
>> >> Since the preferred shell is bash for me I wish to change this.
>> >> It doesn't help to set this in the IPA server config since these
>> >> accounts are external MS accounts.
>> >>
>> >> In the good old days we used to have POSIX attribute schemas in the
>> >> AD, one of them being the shell.
>> >>
>> >> Sadly this is a thing of the past.
>> > ~~~~~~~~~~~~
>> >
>> > Are you referring to IMU being deprecated? IIRC the attributes should
>> > work..even though MS is deprecating the UI..
>> >
>> > Alternatively, since the clients read the ID info via the server,
>> > overriding the shell in IPA server's sssd.conf should work as well.
>> >
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>> >>
>> >> How do I define a new default shell for all MS AD accounts in IPA?
>> >>
>> >> Cheers
>> >> Rob Verduijn
>> >>
>> >> --
>> >> Manage your subscription for the Freeipa-users mailing list:
>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> Go to http://freeipa.org for more info on the project