Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote:
> Morning Jakub,
>
> >> However, I would like to tune this configuration to drop the domain
> >> component of the user and group names. I tried to do this by adding
> >> these settings to the [sssd] section in sssd.conf on the client:
> >>
> >> default_domain_suffix = example.au
> >> full_name_format = %1$s
> >>
> >> With this configuration, I can login as a staff domain user (example.au)
> >> successfully and I then see the short-name form of the groups:
> >>
> >> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> >> [rnst@ipa-client-rh7 ~]$ groups
> >> rnst
> >>
> >> Is this expected behaviour? Is there a possible client configuration that
> >> will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
>
> Does one need sssd-1.14 on the IPA server only or is this required on
> all the IPA clients too?

I haven't tested since I was working in this area, but I believe the
clients as well.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Morning Jakub,

>> However, I would like to tune this configuration to drop the domain
>> component of the user and group names. I tried to do this by adding
>> these settings to the [sssd] section in sssd.conf on the client:
>>
>> default_domain_suffix = example.au
>> full_name_format = %1$s
>>
>> With this configuration, I can login as a staff domain user (example.au)
>> successfully and I then see the short-name form of the groups:
>>
>> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
>> [rnst@ipa-client-rh7 ~]$ groups
>> rnst
>>
>> Is this expected behaviour? Is there a possible client configuration that
>> will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

Does one need sssd-1.14 on the IPA server only or is this required on
all the IPA clients too?

Regards,
William
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > >
> > > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > > [rnst@ipa-client-rh7 ~]$ groups
> > > rnst
> > >
> > > Is this expected behaviour? Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
>
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it
> didn't work for the student domain either:
>
> $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
>
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same. Can you take a look at the logs and create
a dump of the ldb cache, please? See:
https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> […]
> > However, when I try logging in as a student domain user
> > (student.example.au),
> > I don't see any of the groups (there should be 8):
> >
> > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > [rnst@ipa-client-rh7 ~]$ groups
> > rnst
> >
> > Is this expected behaviour? Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it
didn't work for the student domain either:

$ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,
Robert.
Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD. The AD forest contains *two*
> domains:
>
> EXAMPLE.AU (staff users)
> STUDENT.EXAMPLE.AU (student users)
>
> The IPA domain that trusts these is called:
>
> IPA.EXAMPLE.AU
>
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
>
> However, I would like to tune this configuration to drop the domain
> component of the user and group names. I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
>
> default_domain_suffix = example.au
> full_name_format = %1$s
>
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
>
> $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
> [rns@ipa-client-rh7 ~]$ groups
> rns domain users d-750g 511all [..etc..]
>
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
>
> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> [rnst@ipa-client-rh7 ~]$ groups
> rnst
>
> Is this expected behaviour? Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD. The AD forest contains *two*
domains:

EXAMPLE.AU (staff users)
STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

IPA.EXAMPLE.AU

The basic configuration as described above works ok - we can login to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.

However, I would like to tune this configuration to drop the domain
component of the user and group names. I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:

default_domain_suffix = example.au
full_name_format = %1$s

With this configuration, I can login as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:

$ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
[rns@ipa-client-rh7 ~]$ groups
rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):

$ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
[rnst@ipa-client-rh7 ~]$ groups
rnst

Is this expected behaviour? Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?

Regards,
Robert.

Complete client sssd.conf:
-
[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
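As an added audit helper (not code from the thread or from SSSD): it parses a client sssd.conf like the one posted above, flags the short-name settings under [sssd], applies the sssd-1.14 minimum stated in the thread, and adds one caveat the thread does not state, namely that a format without %2$s makes identical account names from the two trusted AD domains indistinguishable on the client. The sample config and domain list are constructed for the example.

```python
"""Added audit helper, not code from the thread: parse a client sssd.conf,
flag the short-name settings discussed above and the caveats around them."""
import configparser

# Per the thread: full_name_format = %1$s needs sssd-1.14 or newer.
MIN_SSSD_FOR_SHORT_NAMES = (1, 14)

# Constructed sample, trimmed from the client sssd.conf posted in the thread.
SAMPLE_CONF = """
[domain/ipa.example.au]
id_provider = ipa
ipa_domain = ipa.example.au
ipa_server = _srv_, matilda3.ipa.example.au

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
"""


def parse_version(text):
    """'1.14.1-3' -> (1, 14, 1); the RPM release after '-' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def audit_short_names(conf_text, sssd_version, trusted_domains):
    """Return a list of findings (an empty list means nothing to flag)."""
    # interpolation=None: '%1$s' is an sssd printf-style format, not a
    # configparser interpolation, and must be read literally.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section; the short-name options belong there"]
    sssd = cp["sssd"]
    fmt = sssd.get("full_name_format", "%1$s@%2$s")  # sssd default keeps the domain
    suffix = sssd.get("default_domain_suffix")
    short = "%2$s" not in fmt  # without %2$s the domain is dropped from names
    findings = []
    if short and parse_version(sssd_version) < MIN_SSSD_FOR_SHORT_NAMES:
        findings.append("sssd %s is older than 1.14; short names will not work" % sssd_version)
    if short and len(trusted_domains) > 1:
        # Same account name in two trusted domains renders identically on the client.
        findings.append("%s drops the domain; identical names across %s become indistinguishable"
                        % (fmt, ", ".join(trusted_domains)))
    if suffix and suffix not in trusted_domains:
        findings.append("default_domain_suffix %s is not one of the trusted domains" % suffix)
    return findings
```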