Hi, thank you for the answers. Maybe I am doing something wrong.

1. AD attributes - I am using the standard set of user attributes in AD - I did not extend the AD schema (2012 R2). I am using the set of attributes defined in RFC 2307: uidNumber, gidNumber, gecos, homeDirectory, loginShell. I am having trouble finding in the documentation the names of the attributes which IPA is able to read from AD. Could you please clarify if this is OK? Could you please point me to some doc...? I have read the Windows integration guide, but there were not enough details...

2. Do I need to fill in the user's attribute values before the trust is set up?

3. If using ID views in this case I would have to somehow copy information stored in AD into ID views and keep them updated, which is a huge overhead when you have hundreds or thousands of users. That is why I need to read them directly from AD.

4. Is it possible to change the already established trust - without --range-type=ipa-ad-trust-posix - to a trust with a POSIX range? I mean without breaking the trust and re-establishing a new one?

Thanks a lot,
Jan

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Kar?sek wrote:
> Hi all,
>
> I have a question about IPA with AD forest trust. What I am trying to do is
> set up an environment where all information about users is stored in one place
> - AD. I would like to read at least uid, home, shell and sshkey from AD.
>
> I have set up the trust with these parameters:
>
> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix
> --admin=administrator

Did you add the POSIX attributes to AD after creating the trust maybe?

> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
>   Range name: EXAMPLE.TT_id_range
>   First Posix ID of the range: 1392000000
>   Number of IDs in the range: 200000
>   Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
>   Range type: Active Directory trust range with POSIX attributes
>
> I have set attributes in AD for u...@example.tt
> - uidNumber - 10000
> - homeDirectory - /home/user
> - loginShell - /bin/bash
>
> Trust itself works fine. I can do kinit with u...@example.tt, I can run id
> and getent passwd u...@example.tt and I can use u...@example.tt for ssh.
>
> Problem is that I am not getting the uid from AD but from the idrange:
>
> uid=1392001107(u...@example.tt)
>
> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping
> = true in sssd.conf but no luck.

This has no effect; in the IPA-AD trust scenario the id mapping properties are managed on the server.

> I know that it is probably better to use ID views for this, but in our case
> we need to set up a centrally managed environment, where all user information is
> externally inserted into AD from the HR system - including POSIX attributes - and we
> need IPA to read them from AD.

I think idviews are better for overriding POSIX attributes for a specific set of hosts, but in your environment it sounds like you want to use the POSIX attributes across the board.

> So my questions are:
>
> Is it possible to read the user's POSIX attributes directly from AD - namely uid?

Yes

> Which attributes can be stored in AD?

Homedir is a bit special; for backwards compatibility the subdomains_homedir takes precedence. The others should be read from AD. I don't have the environment set up at the moment, though, so I'm operating purely from memory.

> Am I doing something wrong?
>
> my sssd.conf:
> [domain/a.example.tt]
> debug_level = 5
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = a.example.tt
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.a.example.tt
> chpass_provider = ipa
> ipa_server = ipa1.a.example.tt
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> #ldap_id_mapping = true
> #subdomain_inherit = ldap_user_principal
> #ldap_user_principal = nosuchattribute
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = a.example.tt
> [nss]
> debug_level = 5
> homedir_substring = /home
> enum_cache_timeout = 2
> entry_negative_timeout = 2
>
>
> [pam]
> debug_level = 5
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level = 4
> [pac]
>
> debug_level = 4
> [ifp]
>
> Thanks,
> Jan
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
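The symptom discussed in the thread (the user's uid coming from the IPA ID range instead of the uidNumber set in AD) can be checked mechanically. The script below is an added example, not code from the thread, from FreeIPA or from SSSD: it parses the `ipa idrange-show` and `id` output exactly as posted, decides whether the observed uid was algorithmically assigned from the trust range or taken from AD, and scans a client-side sssd.conf for an `ldap_id_mapping` setting in an `id_provider = ipa` domain, which the reply says has no effect because ID mapping is managed on the server. The sssd.conf sample is a constructed, trimmed variant of the one posted, with `ldap_id_mapping` uncommented to reproduce the poster's experiment; the AD uidNumber value 10000 is the one given in the thread.

```python
"""Diagnose whether a trusted AD user's uid comes from AD or from the IPA ID range.

Added example for the freeipa-users thread above; all sample data is either copied
from the thread or constructed to match it.
"""
import configparser
import re

# Output of `ipa idrange-show EXAMPLE.TT_id_range` as posted in the thread.
IDRANGE_OUTPUT = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# First field of `id u...@example.tt` as posted; gid/groups fields are constructed padding.
ID_OUTPUT = "uid=1392001107(u...@example.tt) gid=1392001107(u...@example.tt) groups=1392001107(u...@example.tt)"

# uidNumber set on the AD user object, as stated in the thread.
AD_UIDNUMBER = 10000

# Constructed sssd.conf: trimmed from the posted one, ldap_id_mapping left uncommented.
SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = a.example.tt

[domain/a.example.tt]
debug_level = 5
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = a.example.tt
ipa_hostname = ipa1.a.example.tt
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_id_mapping = true

[nss]
homedir_substring = /home
"""


def parse_idrange(text):
    """Turn the 'key: value' lines of `ipa idrange-show` into a dict with numeric bounds."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    base = int(fields["First Posix ID of the range"])
    size = int(fields["Number of IDs in the range"])
    return {"name": fields["Range name"], "base": base, "size": size,
            "type": fields["Range type"]}


def parse_uid(id_output):
    """Extract the numeric uid from the first field of `id` output."""
    match = re.match(r"uid=(\d+)\(", id_output)
    if not match:
        raise ValueError("not `id` output: %r" % id_output)
    return int(match.group(1))


def classify_uid(uid, idrange, ad_uidnumber):
    """Return 'ad-posix' if the uid equals the AD uidNumber, 'id-mapped' if it lies
    inside the trust's ID range (algorithmic SID-to-ID mapping), else 'unknown'."""
    if uid == ad_uidnumber:
        return "ad-posix"
    if idrange["base"] <= uid < idrange["base"] + idrange["size"]:
        return "id-mapped"
    return "unknown"


def check_sssd_conf(text):
    """Flag ldap_id_mapping in any id_provider=ipa domain section: per the reply in the
    thread, ID mapping for an IPA-AD trust is managed on the server, so this client-side
    setting has no effect. Returns a list of (section, option, reason) tuples."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "id_provider", fallback="") != "ipa":
            continue
        if parser.has_option(section, "ldap_id_mapping"):
            findings.append((section, "ldap_id_mapping",
                             "no effect with id_provider=ipa and an AD trust; "
                             "ID mapping properties are managed on the IPA server"))
    return findings


if __name__ == "__main__":
    rng = parse_idrange(IDRANGE_OUTPUT)
    uid = parse_uid(ID_OUTPUT)
    print("range %s: %d..%d (%s)" % (rng["name"], rng["base"],
                                     rng["base"] + rng["size"] - 1, rng["type"]))
    print("observed uid %d -> %s" % (uid, classify_uid(uid, rng, AD_UIDNUMBER)))
    for section, option, reason in check_sssd_conf(SSSD_CONF):
        print("%s: %s: %s" % (section, option, reason))
```

Run against the thread's values it reports the observed uid 1392001107 as `id-mapped` (it sits inside 1392000000..1392199999 and does not equal the AD uidNumber 10000), which is the concrete evidence that the POSIX attributes in AD are not being consumed; the config check is a reminder to look at the server-side ID range rather than at client-side `ldap_id_mapping`.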