Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-18 Thread Alexander Bokovoy

On ti, 18 loka 2016, Brian Candler wrote:

On 17/10/2016 15:52, Alexander Bokovoy wrote:

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.


Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad 
pointing to Samba4 (or even real Windows AD). Is that likely to be a 
satisfactory solution for managing the *nix boxes, or would I be 
better off with two separate domains?

No, it is wrong to use this mode. If you made a Linux machine a client
to IPA, it will be set up to use 'ipa' provider in SSSD and that should
support all needed functionality. You don't need to change anything in
the configuration.

Remember, I pointed you to sssd-ad manual page only to make sure you
would read about ID mapping because this is the place in SSSD
documentation which explains what happens there. I did not ask you to
change IPA client setup to use 'ad' provider in SSSD.



For example, would I lose the features that FreeIPA gives me like 
host-based access controls, sudo controls, central storage of ssh 
public keys?

Yes, you will lose all these features.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-18 Thread Brian Candler

On 17/10/2016 15:52, Alexander Bokovoy wrote:

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.


Thank you.

Final question. Suppose I use just the ipa-client package with sssd-ad 
pointing to Samba4 (or even real Windows AD). Is that likely to be a 
satisfactory solution for managing the *nix boxes, or would I be better 
off with two separate domains?


For example, would I lose the features that FreeIPA gives me like 
host-based access controls, sudo controls, central storage of ssh public 
keys?


Thanks,

Brian.



Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Brian Candler wrote:

On 17/10/2016 15:06, Alexander Bokovoy wrote:
Would there be any benefit the other way round - creating 
identities in S4 and using them to login to FreeIPA-joined *nix 
boxes? I guess the problem then is where posix attributes like uid 
and gid come from.

This works for Samba AD > 4.4. The code in Samba that supports forest
trust is a bit new (and was written at Red Hat's request) so depending
on what version you are using your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic
ones. We default to algorithmic ID range if existing POSIX IDs aren't
found.

See ID MAPPING section in sssd-ad man page for details. You don't need
to configure anything in SSSD, though, because it is done automatically
based on the ID ranges in IPA.


OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
 |  |
USER   SERVER

The server isn't joined directly to the Samba domain, but the manpage 
for sssd-ad says "This provider requires that the machine be joined to 
the AD domain".


So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically 
use this module if, because of trust relationships, a user from the 
Samba domain logs into it? Would it need configuration, or does it 
pick up everything it needs from the DNS?

In case of IPA client, SSSD is configured to use SSSD's 'ipa' provider.
The provider is more complex than sssd-ldap or sssd-ad; it derives a lot
of its own configuration based on the content of IPA LDAP server. In case of
trust to AD, it derives dynamically configurations of 'subdomains' for
IPA domain. These subdomains are driven by 'sssd-ad'-like provider.

To cut it short, the same ID MAPPING mechanism is in use if ID range in
IPA corresponding to the AD domain discovered via forest trust is set to
'Active Directory domain range'. See 'ipa help idrange' for more
details.

When you establish trust between AD and IPA, the ranges for AD domains
are created automatically. There is code that attempts to look up in
AD and understand whether POSIX attributes are stored there. In that
case ID range for the AD domains would be set to 'Active Directory
domain range with POSIX attributes'.



2. If I create the posix uids/gids as extra attributes in the Samba 
domain, the algorithmic ID mapping isn't required?

If you set ID range for corresponding AD domain in IPA to be
'ipa-ad-trust-posix' and make sure all users that need to logon to IPA
have POSIX attributes, then it should work.

I think most of this is described in the Windows Integration Guide for
RHEL7.
--
/ Alexander Bokovoy

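As an added example, not from the thread and not SSSD's or FreeIPA's own code: a Python model of the algorithmic "ID MAPPING" that the sssd-ad-style subdomain provider applies to a trusted domain whose IPA range is 'Active Directory domain range' (no POSIX attributes), so you can see how a uid is derived from a SID and why two domains can land on the same slice. Assumptions, labelled as such: the sssd-ad default range settings, that SSSD hashes the domain SID string with MurmurHash3-32 under seed 0xdeadbeef and takes the result modulo the number of slices; the real library's slice-collision handling and secondary slices for large RIDs are left out.

```python
# Assumed sssd-ad defaults: ldap_idmap_range_min/max/size.
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_MAX = 2000200000
IDMAP_RANGE_SIZE = 200000
MAX_SLICES = (IDMAP_RANGE_MAX - IDMAP_RANGE_MIN) // IDMAP_RANGE_SIZE  # 10000
M32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3, x86 32-bit variant (the hash libsss_idmap is assumed to use)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
        h = ((h << 13) | (h >> 19)) & M32
        h = (h * 5 + 0xE6546B64) & M32
    tail, k = data[4 * nblocks:], 0               # 1-3 trailing bytes
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        h ^= (k * c2) & M32
    h ^= len(data)                                # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    return h ^ (h >> 16)


def domain_base_id(domain_sid: str) -> int:
    """First POSIX ID of the slice a domain SID hashes to (assumed: hash % MAX_SLICES)."""
    slice_no = murmurhash3_32(domain_sid.encode("ascii"), 0xDEADBEEF) % MAX_SLICES
    return IDMAP_RANGE_MIN + slice_no * IDMAP_RANGE_SIZE


def map_sid_to_id(object_sid: str) -> int:
    """Map a user/group SID (domain SID + RID) to a uid/gid: slice base plus RID."""
    domain_sid, rid = object_sid.rsplit("-", 1)
    if int(rid) >= IDMAP_RANGE_SIZE:  # SSSD would open a secondary slice; not modelled here
        raise ValueError("RID does not fit in one slice")
    return domain_base_id(domain_sid) + int(rid)
```

Because the slice depends only on the domain SID hash, an ID produced this way is stable across clients, but it is not the ID stored in AD; if the ID range is switched to the POSIX variant later, every existing file ownership changes.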


Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler

On 17/10/2016 15:06, Alexander Bokovoy wrote:
Would there be any benefit the other way round - creating identities 
in S4 and using them to login to FreeIPA-joined *nix boxes? I guess 
the problem then is where posix attributes like uid and gid come from.

This works for Samba AD > 4.4. The code in Samba that supports forest
trust is a bit new (and was written at Red Hat's request) so depending
on what version you are using your experience will vary.

IPA supports different methods for mapping IDs, including algorithmic
ones. We default to algorithmic ID range if existing POSIX IDs aren't
found.

See ID MAPPING section in sssd-ad man page for details. You don't need
to configure anything in SSSD, though, because it is done automatically
based on the ID ranges in IPA. 


OK, but let me just see if I can clarify. Given the following scenario:

SAMBA . . . . . . FREEIPA
  |  |
USER   SERVER

The server isn't joined directly to the Samba domain, but the manpage 
for sssd-ad says "This provider requires that the machine be joined to 
the AD domain".


So is it true that:

1. The server is not configured to use sssd-ad? Does it automatically 
use this module if, because of trust relationships, a user from the 
Samba domain logs into it? Would it need configuration, or does it pick 
up everything it needs from the DNS?


2. If I create the posix uids/gids as extra attributes in the Samba 
domain, the algorithmic ID mapping isn't required?


Thanks,

Brian.


Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Brian Candler

On 17/10/2016 11:14, Alexander Bokovoy wrote:

We are not yet at the point you could use IPA-hosted identities to login
to Windows machines joined to AD, though, regardless of which AD
implementation it is.

That's very helpful, thank you. So basically it means that for the time 
being, our admins will need two identities (one in each realm) and there 
is not much benefit in setting up cross-realm trust.


Would there be any benefit the other way round - creating identities in 
S4 and using them to login to FreeIPA-joined *nix boxes? I guess the 
problem then is where posix attributes like uid and gid come from.


Regards,

Brian.



Re: [Freeipa-users] FreeIPA as domain controller?

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Brian Candler wrote:
Sorry if this is a frequently asked question, but it's not easy to 
find a simple answer.


* Can I use FreeIPA (v4) as a domain controller for Windows machines 
to join?

No.

* If not, what's the recommended free/open solution? Would it be to 
set up a Samba4 domain controller, and then set up cross-realm trust 
between FreeIPA and Samba4?

Yes.

We are not yet at the point you could use IPA-hosted identities to login
to Windows machines joined to AD, though, regardless of which AD
implementation it is.

(That is: assuming I want central AAA for both Linux boxes and Windows 
boxes)


Things I found:

* http://www.freeipa.org/page/About

... but it only mentions FreeIPA v2 and v3

* https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf

... report on work-in-progress. It does say:

" FreeIPA Domain Controller is unlike Samba AD → Windows cannot be 
joined to FreeIPA".  But it's not clear if this is an eventual goal, 
or whether it's likely to remain this way.

The eventual goal is to allow IPA-hosted identities to be used to login to
Windows machines joined to Samba AD.

--
/ Alexander Bokovoy
