Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
On Fri, 2014-06-27 at 00:10 +, Nordgren, Bryce L -FS wrote:

Also: http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04

Never became an RFC, but cites Simo's I-D on a Kerberos PAC.

I like the CITI approach better (also approach 2 of section 6 in the above I-D). I have no use for the groups defined in my Active Directory. Also, for the external collaboration case, my AD may not be accessible to an NFS server outside the firewall.

However, if (?) support for an NFSRemoteUser schema is lacking in FreeIPA, and if AD is accessible to both client and server, it seems that approach 3 of section 6 above would be the answer? Somehow configure idmap.conf (on NFS clients and servers) to directly query AD? Does that seem correct?

I honestly think (and gave this feedback to the authors in the past) that trying to standardize on LDAP in an NFS document is wrong; it should be implementation specific. I think NFS should define roughly how a mapping service should behave, but should not try to dictate how directory services can/should be used; the variation and modes of use are just too big in the real world, and keep changing.

Moreover, it is already incorrect to believe all identities can be resolved by contacting a single LDAP server (AD trusted forests as an example), and that the LDAP server can actually fully resolve group memberships (again AD, and even FreeIPA when trusting AD forests) without using custom operations that are only fully correct when run by the KDC (or other RPC service, again see AD).

In the FreeIPA case, for example, we do not (normally) convey AD groups to the service and instead map (some of) them into FreeIPA external groups. A client that tries to query the AD service directly (assuming you have direct access, which is often not true) would not get cross-realm group memberships as defined in the IPA server and would therefore cause issues.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.
Hi Fredy,

We have integrated our Mac workstations (Mountain Lion and Mavericks) with FreeIPA with good success, except for password change. Does your method allow users to change their password through the OSX interface, for example when a new user is created and logs in for the first time? For now we need to have our users go through the web interface of a different workstation to change their newly created account password. At this point that is the only thing that still doesn't work for us.

Davis

Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4

From: Simo Sorce s...@redhat.com
Reply: Simo Sorce s...@redhat.com
Date: April 16, 2014 at 18:06:27
To: Fredy Sanchez fredy.sanc...@modmed.com
Cc: Guillermo Fuentes guillermo.fuen...@modernizingmedicine.com, freeipa-users@redhat.com
Subject: [Freeipa-users] [SOLVED] Re: FreeIPA backend. Mavericks server shows UIDs instead of usernames in File Sharing.

Good! And thanks for letting us know, it may help other users too.

Simo.

On Wed, 2014-04-16 at 17:58 -0400, Fredy Sanchez wrote:

Hi Simo,

Thanks for your reply. Good old Google pointed me to https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/open-ldap_bind_script/Mac_OpenLDAP_bind_script.sh, which gave me the idea of updating the RealName mapping to displayName. This solved the problem. I'll have to recreate the permissions for every share, but the user names now show up, and stick. No more UIDs.

On Tue, Apr 15, 2014 at 9:30 AM, Simo Sorce s...@redhat.com wrote:

On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:

Hi all,

We asked this same question at discussions.apple.com, but figured we'd have better luck here. I apologize in advance if this is the wrong forum.

We are switching from Synology (DSM 5) to Mavericks server (v3.1.1, running in Mavericks 10.9.2) for File Sharing.
We use a FreeIPA (ipa-server.x86_64 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly bound to it. Unfortunately, although we can add usernames to the shares for the initial config, the usernames transform to UIDs afterwards (only for SSO accounts; local accounts are not affected). That is, when we go to edit the permissions for a share, all we see are UIDs. We can always figure out the username from the UID, but this is an extra step we don't want to have.

We've tried reinstalling the Mac server app from scratch, re-binding to the FreeIPA backend, changing mappings in Directory Utility (for example, mapping GeneratedUID to uid, which is the username), recreating the shares and permissions, etc.

Here are more details about the binding:

* The binding happens through a custom package we created based primarily on http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
* Sys Prefs, Users & Groups, Login Options show the server bound to the FreeIPA backend with the green dot
* The following mappings are in place in Directory Utility, Services, LDAPv3, FreeIPA backend:

  Users: inetOrgPerson
    AuthenticationAuthority: uid
    GeneratedUID: random number in uppercase
    HomeDirectory: #/Users/$uid$
    NFSHomeDirectory: #/Users/$uid$
    OriginalHomeDirectory: #/Users/$uid$
    PrimaryGroupID: gidNumber
    RealName: cn
    RecordName: uid
    UniqueID: uidNumber
    UserShell: loginShell

  Groups: posixgroup
    PrimaryGroupID: gidNumber
    RecordName: cn

  The search bases are correct.
* Directory Utility, Directory Editor shows the right info for the users.
* $ id $USERNAME shows the right information for the user.

FreeIPA is working beautifully for our Mac / Linux environment. We provide directory services to about 300 hosts and 200 employees using it, and haven't had any problems LDAP-wise until now. So we think we are missing a mapping here. Any ideas?
Fredy,

I quickly tried to check for some documentation on how to configure this stuff, but found only useless superficial guides on how to find the pointy/clicky buttons to push to enable the service. I am not a Mac expert by a long shot, so I cannot help you much here.

Is there any guide available on how to use this service with other LDAP servers, like OpenLDAP or Active Directory? We can probably draw some conclusions from there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
Was trying to add an external AD group to IPA; it kept failing with "unable to connect to server". Figured I'd reboot to clear things up. Oops.

Now wbinfo --online-status shows our AD as offline.

wbinfo -u shows blank.

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding

client min protocol = CORE
client max protocol = SMB2_02

to the samba config; restarted winbind and still getting errors.

FreeIPA 3.0, Windows 2008 R2.
Re: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline
Hi,

Probably there are better ways to solve this issue, but the way that works for me is to validate the trust from the AD side after a reboot of the IPA server; it always shows as offline for me too.

On 2012 Server you can do this through Active Directory Domains and Trusts: properties on your domain, go to the Trusts tab, properties again. Next you press Validate on the General tab. AD will ask for authentication, but that can be skipped. The AD trust will be back online right away, and you can check it through wbinfo --online-status.

Probably the procedure is similar on Server 2008.

Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Mark Gardner [malek...@gmail.com]
Sent: Friday, June 27, 2014 20:23
To: freeipa-users
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

Was trying to add an external AD group to IPA; it kept failing with "unable to connect to server". Figured I'd reboot to clear things up. Oops.

Now wbinfo --online-status shows our AD as offline.

wbinfo -u shows blank.

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding

client min protocol = CORE
client max protocol = SMB2_02

to the samba config; restarted winbind and still getting errors.

FreeIPA 3.0, Windows 2008 R2.
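A small post-reboot health check in the spirit of Johan's advice, added here as an example (it is not from the thread or from FreeIPA/Samba): it parses the `wbinfo --online-status` output and lists any trust domain winbind reports as offline, so the state can be caught by monitoring instead of by a failed group lookup. The sample output below is constructed.

```shell
#!/bin/sh
# Constructed sample of `wbinfo --online-status` output (not taken from the thread);
# the real command prints one "DOMAIN : online|offline" line per known domain.
SAMPLE_STATUS='BUILTIN : online
IPA : online
ADDOMAIN : offline'

# offline_domains STATUS_TEXT
# Prints the name of every domain reported as offline, one per line.
# Returns 0 when all domains are online, 1 when at least one is offline.
offline_domains() {
  printf '%s\n' "$1" | awk -F' : ' '
    NF == 2 && $2 == "offline" { print $1; found = 1 }
    END { exit found ? 1 : 0 }'
}

# check_trust_online: run the same check against the live winbind on this host.
# Returns 2 when wbinfo is not installed, otherwise as offline_domains.
check_trust_online() {
  command -v wbinfo >/dev/null 2>&1 || return 2
  offline_domains "$(wbinfo --online-status)"
}

# Demonstration on the constructed sample.
if offline_domains "$SAMPLE_STATUS" >/dev/null; then
  echo "all trust domains online"
else
  echo "offline trust domains:"
  offline_domains "$SAMPLE_STATUS"
fi
```

Run check_trust_online from a cron job or monitoring agent on the IPA server; a non-zero exit after a reboot is the cue to validate the trust from the AD side as described above.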