As Alexander mentioned, the LDAP schema still exists to add POSIX attributes to users and groups in AD but IDMU simply provides a convenient Graphical interface to manage this. You should still be able to use powershell or other windows tools to modify POSIX attributes going forward, but in general a lot of users are moving towards sssd automatic ID mapping which means there is no administrative management of uid/gid values.

There may be some other purpose for IDMU that I am not aware of...

Kind regards,

Justin Stephenson

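Added example (not from the thread or from the FreeIPA/SSSD projects): two checks a practitioner can run on pasted command output to tell the cases discussed above apart. It parses `ipa idrange-show` and `id` output to see whether the returned uid lies inside the POSIX trust range, and flags the extra `[domain/...]` section with `id_provider = ad` that Justin asked to be removed. Sample inputs are constructed from values quoted in the thread; the user name is a placeholder.

```python
import configparser
import re

# Constructed from the `ipa idrange-show` output quoted in the thread.
IDRANGE_SHOW = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed from the `id` output quoted in the thread (user name is a placeholder).
ID_OUTPUT = "uid=1392001119(user@example.tt) gid=1392001119(user@example.tt)"

# Constructed from the sssd.conf quoted in the thread; the second [domain/...]
# section is the one Justin said to remove.
SSSD_CONF = """\
[domain/a.example.tt]
id_provider = ipa
ipa_server_mode = True

[domain/example.tt]
ldap_id_mapping = False
id_provider = ad

[sssd]
domains = a.example.tt, example.tt
"""


def parse_idrange(text):
    """Return (first_id, size, is_posix) parsed from `ipa idrange-show` output."""
    fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.*)$", text, re.M))
    return (int(fields["First Posix ID of the range"]),
            int(fields["Number of IDs in the range"]),
            "POSIX attributes" in fields["Range type"])


def uid_from_posix_range(id_output, idrange_text):
    """True only if the uid that `id` reports falls inside the POSIX trust range;
    a uid outside it means the algorithmic ID mapping is still being applied."""
    uid = int(re.match(r"uid=(\d+)", id_output).group(1))
    first, size, is_posix = parse_idrange(idrange_text)
    return is_posix and first <= uid < first + size


def extra_ad_domains(conf_text):
    """[domain/...] sections using id_provider = ad next to the IPA domain.
    In a trust setup IPA already reaches AD across the trust, so these
    sections are unnecessary and were the misconfiguration in the thread."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return [s for s in cp.sections()
            if s.startswith("domain/") and cp.get(s, "id_provider", fallback="") == "ad"]
```
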
On 07/25/2016 10:54 AM, Jan Karásek wrote:
Hi,

just for the clarification:

Do I really need IDMU on AD side installed for IPA-AD trust with -range-type=ipa-ad-trust-posix ? In W2012 all POSIX attributes are already in schema and idrange type can be forced. I just tried to remove IDMU from my AD and it's still working. What is the role of IDMU other than allowing to autodetect POSIX idrange type via the msSFU30OrderNumber msSFU30MaxUidNumber attributes ?

Regards,
Jan

------------------------------------------------------------------------
*From: *"Jan Karásek" <jan.kara...@elostech.cz>
*To: *"Justin Stephenson" <jstep...@redhat.com>
*Cc: *"Alexander Bokovoy" <aboko...@redhat.com>, freeipa-users@redhat.com
*Sent: *Friday, July 22, 2016 3:19:51 PM
*Subject: *Re: [Freeipa-users] AD trust with POSIX attributes

Hi,

thanks a lot for help guys. It's working now. I can successfully read POSIX attributes from AD.

Just now I am storing uidNumber, gidNumber, gecos, loginShell and unixHomeDirectory in AD.

I have trouble with homedir. It's using subdomain_homedir from sssd.conf and not reflecting the value of unixHomeDirectory attribute.

Is there any way to use value from AD not from subdomain_homedir template for this parameter ?

Regards,
Jan
------------------------------------------------------------------------
*From: *"Justin Stephenson" <jstep...@redhat.com>
*To: *"Jan Karásek" <jan.kara...@elostech.cz>, "Alexander Bokovoy" <aboko...@redhat.com>
*Cc: *freeipa-users@redhat.com
*Sent: *Thursday, July 21, 2016 3:54:25 PM
*Subject: *Re: [Freeipa-users] AD trust with POSIX attributes

Hello,

You should remove the following from sssd.conf:

    [domain/example.tt]
    debug_level = 7
    ldap_id_mapping = False
    id_provider = ad

With the AD trust configuration, you do not need to specify any additional domain because IPA will contact AD across the trust using the external and POSIX groups you created during the trust setup.

Once done try restarting sssd and removing the /var/lib/sss/db/* cache

Kind regards,
Justin Stephenson

On 07/21/2016 07:56 AM, Jan Karásek wrote:

    Thank you.

    Now I have IDMU installed and when creating trust, IPA is
    correctly autodetecting the range type:

    Range name: EXAMPLE.TT_id_range
      First Posix ID of the range: 10000
      Number of IDs in the range: 200000
      Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
      Range type: Active Directory trust range with POSIX attributes

    When asking for uid of the AD user:

    [root@ipa1 sssd]# id us...@example.tt
    uid=1392001119(us...@example.tt) gid=1392001119(us...@example.tt) groups=1392001119(us...@example.tt),1392000513(domain us...@example.tt),979000007(external_users)


    ... so ID-mapping is still in action.

    According to doc:

    To use existing POSIX attributes, two things must be configured:

     * The POSIX attributes must be published to Active Directory's global catalog. - done with uidNumber, gidNumber
     * ID mapping (ldap_id_mapping in the Active Directory domain entry) must be disabled in SSSD. - done

    Here is my sssd.conf from IPA server. Is there anything else I
    should do to switch off ID-mapping ?

    [domain/a.example.tt]
    debug_level = 7
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = a.example.tt
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = ipa1.a.example.tt
    chpass_provider = ipa
    ipa_server = ipa1.a.example.tt
    ipa_server_mode = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    #subdomain_inherit = ldap_user_principal
    #ldap_user_principal = nosuchattribute

    [domain/example.tt]
    debug_level = 7
    ldap_id_mapping = False
    id_provider = ad

    [sssd]
    services = nss, sudo, pam, ssh
    config_file_version = 2
    domains = a.example.tt, example.tt

    [nss]
    #debug_level = 5
    #homedir_substring = /home
    enum_cache_timeout = 2
    entry_negative_timeout = 2


    [pam]
    #debug_level = 5
    [sudo]

    [autofs]

    [ssh]
    #debug_level = 4
    [pac]

    #debug_level = 4
    [ifp]


    Regards,
    Jan
    ------------------------------------------------------------------------
    *From: *"Alexander Bokovoy" <aboko...@redhat.com>
    *To: *"Jan Karásek" <jan.kara...@elostech.cz>
    *Cc: *"Justin Stephenson" <jstep...@redhat.com>,
    freeipa-users@redhat.com
    *Sent: *Wednesday, July 20, 2016 6:06:29 PM
    *Subject: *Re: [Freeipa-users] AD trust with POSIX attributes

    On Wed, 20 Jul 2016, Jan Karásek wrote:
    >Hi,
    >
    >thank you.
    >
    >ldapsearch reply:
    >
    >search: 2
    >result: 32 No such object
    >matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
    >text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
    >'CN=RpcServices,CN=System,DC=rwe,DC=tt'
    >
    >actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is empty.
    >
    >Did I miss setting something on the AD side?
    Yes. You need to setup IDMU. However, in Windows Server 2016 Microsoft
    removed IDMU tools. The LDAP schema will stay but there will
    be no means to visually edit POSIX attributes.

    https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/

    >
    >From: "Justin Stephenson" <jstep...@redhat.com>
    >To: "Jan Karásek" <jan.kara...@elostech.cz>
    >Cc: freeipa-users@redhat.com
    >Sent: Wednesday, July 20, 2016 4:09:02 PM
    >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
    >
    >These attributes should be available from port 389 and not the global catalog, please try a command such as:
    >
    >ldapsearch -H ldap://<ip-address> -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber
    >
    >Replacing the root suffix in the search base, the ip-address and bind credentials.
    >
    >Kind regards,
    >Justin Stephenson
    >
    >On 07/20/2016 08:15 AM, Jan Karásek wrote:
    >
    >Hi,
    >
    >thank you for the hint.
    >
    >In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
    >
    >It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.
    >
    >If I understand it right, it is the base uid number and the number of uids in the range.
    >
    >If not discovered nor given via CLI, then it generates a random base and adds some default_range_size.
    >
    >So these two attributes must be set to use ipa-ad-trust-posix range ?
    >
    >Could anybody help me how and where to check these attributes ? I have looked in the ldapsearch dump from my AD (Global catalog) and I can see these attributes only in schema - so no values assigned.
    >I'm using W2012 R2.
    >
    >Thank you,
    >Jan
    >
    >From: "Justin Stephenson" <jstep...@redhat.com>
    >To: "Jan Karásek" <jan.kara...@elostech.cz>, freeipa-users@redhat.com
    >Sent: Tuesday, July 19, 2016 8:36:00 PM
    >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
    >
    >Hello,
    >
    >When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will search AD for the ID space of existing POSIX attributes to automatically create a suitable ID range inside IPA.
    >
    >You can check the exact steps and attributes searched by looking at the add_range function definition in /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
    >
    >I would suggest reviewing the output of 'ipa idrange-find' to confirm that the range matches up with the uid and gidNumbers of your AD environment.
    >
    >Kind regards,
    >Justin Stephenson
    >
    >On 07/19/2016 09:44 AM, Jan Karásek wrote:
    >
    >Hi,
    >
    >I am still fighting with storing user's POSIX attributes in AD. Please can anybody provide some simple reference settings of IPA-AD trust where users are able to get uid from AD - not from IPA ID pool ?
    >
    >I have tried to set values of attributes before and after creating trust, I have tried different sssd setting but I'm still getting uid from IPA idrange pool instead of from AD user's attribute.
    >
    >What exactly is IPA checking when it tries to decide what type of trust will be set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?
    >
    >Do I have to fill in some AD user's attributes to get it to work ? Currently I am testing just with uidNumber and gidNumber.
    >
    >There is almost no documentation about this topic so I don't know what else I can try ...
    >
    >Thanks for help,
    >
    >Jan
    >
    >Date: Tue, 21 Jun 2016 21:38:15 +0200
    >From: Jakub Hrozek <jhro...@redhat.com>
    >To: freeipa-users@redhat.com
    >Subject: Re: [Freeipa-users] AD trust with POSIX attributes
    >Message-ID: <20160621193815.GS29512@hendrix>
    >Content-Type: text/plain; charset=iso-8859-1
    >
    >On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
    >> Hi all,
    >>
    >> I have a question about IPA with AD forest trust. What I am trying to do is setup environment, where all information about users is stored in one place - AD. I would like to read at least uid, home, shell and sshkey from AD.
    >>
    >> I have set up trust with this parameters:
    >>
    >> ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix --admin=administrator
    >
    >Did you add the POSIX attributes to AD after creating the trust maybe?
    >
    >>
    >> [root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
    >> Range name: EXAMPLE.TT_id_range
    >> First Posix ID of the range: 1392000000
    >> Number of IDs in the range: 200000
    >> Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
    >> Range type: Active Directory trust range with POSIX attributes
    >>
    >>
    >> I have set attributes in AD for u...@example.tt
    >> - uidNumber -10000
    >> - homeDirectory -/home/user
    >> - loginShell - /bin/bash
    >>
    >> Trust itself works fine. I can do kinit with u...@example.tt , I can run id and getent passwd u...@example.tt and I can use u...@example.tt for ssh.
    >>
    >> Problem is, that I am not getting uid from AD but from idrange:
    >>
    >> uid=1392001107( u...@example.tt )
    >>
    >> Also I have tried to switch off id mapping in sssd.conf with ldap_id_mapping = true in sssd.conf but no luck.
    >
    >This has no effect, in IPA-AD trust scenario, the id mapping properties
    >are managed on the server.
    >
    >>
    >> I know, that it is probably better to use ID views for this, but in our case we need to set centrally managed environment, where all user information is externally inserted to AD from HR system - included POSIX attributes and we need IPA to read them from AD.
    >
    >I think idviews are better for overriding POSIX attributes for a
    >specific set of hosts, but in your environment, it sounds like you want
    >to use the POSIX attributes across the board.
    >
    >>
    >> So my questions are:
    >>
    >> Is it possible to read user's POSIX attributes directly from AD - namely uid ?
    >
    >Yes
    >
    >> Which attributes can be stored in AD ?
    >
    >Homedir is a bit special, for backwards compatibility the
    >subdomains_homedir takes precedence. The others should be read from AD.
    >
    >I don't have the environment set at the moment, though, so I'm operating
    >purely from memory.
    >
    >> Am I doing something wrong ?
    >>
    >> my sssd.conf:
    >> [domain/a.example.tt]
    >> debug_level = 5
    >> cache_credentials = True
    >> krb5_store_password_if_offline = True
    >> ipa_domain = a.example.tt
    >> id_provider = ipa
    >> auth_provider = ipa
    >> access_provider = ipa
    >> ipa_hostname = ipa1.a.example.tt
    >> chpass_provider = ipa
    >> ipa_server = ipa1.a.example.tt
    >> ipa_server_mode = True
    >> ldap_tls_cacert = /etc/ipa/ca.crt
    >> #ldap_id_mapping = true
    >> #subdomain_inherit = ldap_user_principal
    >> #ldap_user_principal = nosuchattribute
    >>
    >> [sssd]
    >> services = nss, sudo, pam, ssh
    >> config_file_version = 2
    >>
    >> domains = a.example.tt
    >> [nss]
    >> debug_level = 5
    >> homedir_substring = /home
    >> enum_cache_timeout = 2
    >> entry_negative_timeout = 2
    >>
    >>
    >> [pam]
    >> debug_level = 5
    >> [sudo]
    >>
    >> [autofs]
    >>
    >> [ssh]
    >> debug_level = 4
    >> [pac]
    >>
    >> debug_level = 4
    >> [ifp]
    >>
    >> Thanks,
    >> Jan
    >

    >--
    >Manage your subscription for the Freeipa-users mailing list:
    >https://www.redhat.com/mailman/listinfo/freeipa-users
    >Go to http://freeipa.org for more info on the project


-- 
/ Alexander Bokovoy
