Hi, All
Off the bat I would like to say being new to FreeIPA and rolling out a successful deployment to manage our servers has been amazing, very few hiccups.
Which brings me to my next question: I have been asked if FreeIPA can be used with Samba4 as a Domain Controller in our environment. After much reading it's not as simple as it might sound.
In saying that, my question is simple.
How or what would be the best way to keep the AD users and FreeIPA users in sync? All I am really looking for is to auth users on the new Samba4 AD server. Can this be done or not?
Am I going to have to accept the fact that I may need to manage users in Samba and FreeIPA?
Thanks in advance on any advice.
R
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> Hi, All
> Off the bat I would like to say being new to FreeIPA and rolling out a successful deployment to manage our servers has been amazing, very few hiccups.
> Which brings me to my next question: I have been asked if FreeIPA can be used with Samba4 as a Domain Controller in our environment. After much reading it's not as simple as it might sound.
> In saying that, my question is simple.
> How or what would be the best way to keep the AD users and FreeIPA users in sync? All I am really looking for is to auth users on the new Samba4 AD server. Can this be done or not?
It currently cannot be done. Requires functionality not available in FreeIPA.
On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> > Hi, All
> > Off the bat I would like to say being new to FreeIPA and rolling out a successful deployment to manage our servers has been amazing, very few hiccups.
> > Which brings me to my next question: I have been asked if FreeIPA can be used with Samba4 as a Domain Controller in our environment. After much reading it's not as simple as it might sound.
> > In saying that, my question is simple.
> > How or what would be the best way to keep the AD users and FreeIPA users in sync? All I am really looking for is to auth users on the new Samba4 AD server. Can this be done or not?
> It currently cannot be done. Requires functionality not available in FreeIPA.
Yeah, that's what I thought, just needed to confirm.
What would you suggest as the best way to dump users from LDAP and then populate Samba with users and random passwords? I understand this is out of scope for FreeIPA.
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> > On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> > > Hi, All
> > > Off the bat I would like to say being new to FreeIPA and rolling out a successful deployment to manage our servers has been amazing, very few hiccups.
> > > Which brings me to my next question: I have been asked if FreeIPA can be used with Samba4 as a Domain Controller in our environment. After much reading it's not as simple as it might sound.
> > > In saying that, my question is simple.
> > > How or what would be the best way to keep the AD users and FreeIPA users in sync? All I am really looking for is to auth users on the new Samba4 AD server. Can this be done or not?
> > It currently cannot be done. Requires functionality not available in FreeIPA.
> Yeah, that's what I thought, just needed to confirm.
> What would you suggest as the best way to dump users from LDAP and then populate Samba with users and random passwords? I understand this is out of scope for FreeIPA.
You can use the Python bindings to IPA to generate a list of user entries in Python and then feed some properties of that to samba-tool.
Something like this, using ipa console to simplify use of the API:
# ipa console
(Custom IPA interactive Python console)
  api: IPA API object
  pp: pretty printer
>>> result = api.Command.user_find(all=True, raw=True)['result']
>>> len(result)
7
>>> pp(result)
({'cn': ('Alexander Bokovoy',),
  'displayName': ('Alexander Bokovoy',),
  'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
  'gecos': ('Alexander Bokovoy',),
  'gidnumber': ('1536000001',),
  'givenname': ('Alexander',),
  'homedirectory': ('/home/ab',),
  'initials': ('AB',),
  'ipaNTHash': (b'some-value',),
  'ipaNTSecurityIdentifier': ('<DOMAIN-SID>-1001',),
  'ipaUniqueID': ('<UNIQUE-ID>',),
  'ipaUserAuthType': ('otp',),
  'krbLastPwdChange': ('20180531111544Z',),
  'krbPasswordExpiration': ('20180829111544Z',),
  'krbcanonicalname': ('ab@EXAMPLE.COM',),
  'krbprincipalname': ('ab@EXAMPLE.COM',),
  'loginshell': ('/bin/sh',),
  'mail': ('ab@example.com',),
  'memberOf': (<list of DNs>),
  'nsaccountlock': ('FALSE',),
  'objectClass': ('ipaobject', 'person', 'top', 'ipasshuser', 'inetorgperson', 'organizationalperson', 'krbticketpolicyaux', 'krbprincipalaux', 'inetuser', 'posixaccount', 'ipaSshGroupOfPubKeys', 'mepOriginEntry', 'ipantuserattrs', 'ipauserauthtypeclass'),
  'sn': ('Bokovoy',),
  'uid': ('ab',),
  'uidnumber': ('1536000001',),
  <more data>},
 <more entries>)
>>> for x in filter(lambda x: 'givenname' in x, result):
...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
...
samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login
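Building on the console one-liner above, here is an added example (my code, not Alexander's and not part of the FreeIPA project) that consumes the same raw user_find() entry layout but gives each account its own random temporary password, skips entries IPA has disabled (nsaccountlock), and shell-quotes every attribute value so a name with spaces or quotes cannot alter the generated command. The entries in SAMPLE_RESULT are constructed for the example; inside ipa console you would pass the real result instead.

```python
import secrets
import shlex
import string

# Constructed sample in the shape of api.Command.user_find(all=True, raw=True)['result']:
# one dict per user, every attribute a tuple of values (only the attributes used here).
SAMPLE_RESULT = (
    {'uid': ('ab',), 'givenname': ('Alexander',), 'sn': ('Bokovoy',),
     'nsaccountlock': ('FALSE',)},
    {'uid': ('mobrien',), 'givenname': ('Mary Ann',), 'sn': ("O'Brien",),
     'nsaccountlock': ('FALSE',)},                 # name needs shell quoting
    {'uid': ('olduser',), 'givenname': ('Old',), 'sn': ('Account',),
     'nsaccountlock': ('TRUE',)},                  # disabled in IPA: not migrated
    {'uid': ('svc-backup',), 'sn': ('Service',)},  # no givenname: skipped, as in the thread
)

def temp_password(length=24):
    """Per-user random temporary password containing upper, lower and digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = ''.join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def samba_tool_argv(entry, password):
    """argv for one 'samba-tool user create', or None if the entry is skipped."""
    if entry.get('nsaccountlock', ('FALSE',))[0].upper() == 'TRUE':
        return None
    if not all(attr in entry for attr in ('uid', 'givenname', 'sn')):
        return None
    return ['samba-tool', 'user', 'create', entry['uid'][0], password,
            '--given-name=' + entry['givenname'][0],
            '--surname=' + entry['sn'][0],
            '--must-change-at-next-login']

def migration_plan(result):
    """Map uid -> (argv, password) for every IPA entry that will be created."""
    plan = {}
    for entry in result:
        argv = samba_tool_argv(entry, temp_password())
        if argv is not None:
            plan[entry['uid'][0]] = (argv, argv[4])
    return plan

def render_script(plan):
    """One shell-quoted command per line; attribute values cannot break the line."""
    return '\n'.join(' '.join(shlex.quote(a) for a in argv) for argv, _ in plan.values())

if __name__ == '__main__':
    print(render_script(migration_plan(SAMPLE_RESULT)))
```

The rendered script carries plaintext temporary passwords, so keep it off shared storage and delete it once run; --must-change-at-next-login limits each value's life to the user's first logon.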
Whoa... thanks for this. I think I am on the right path now.
Thanks for the help.
R
On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> > On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> > > On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
> > > > Hi, All
> > > > Off the bat I would like to say being new to FreeIPA and rolling out a successful deployment to manage our servers has been amazing, very few hiccups.
> > > > Which brings me to my next question: I have been asked if FreeIPA can be used with Samba4 as a Domain Controller in our environment. After much reading it's not as simple as it might sound.
> > > > In saying that, my question is simple.
> > > > How or what would be the best way to keep the AD users and FreeIPA users in sync? All I am really looking for is to auth users on the new Samba4 AD server. Can this be done or not?
> > > It currently cannot be done. Requires functionality not available in FreeIPA.
> > Yeah, that's what I thought, just needed to confirm.
> > What would you suggest as the best way to dump users from LDAP and then populate Samba with users and random passwords? I understand this is out of scope for FreeIPA.
> You can use the Python bindings to IPA to generate a list of user entries in Python and then feed some properties of that to samba-tool.
> Something like this, using ipa console to simplify use of the API:
> # ipa console
> (Custom IPA interactive Python console)
>   api: IPA API object
>   pp: pretty printer
> >>> result = api.Command.user_find(all=True, raw=True)['result']
> >>> len(result)
> 7
> >>> pp(result)
> ({'cn': ('Alexander Bokovoy',),
>   'displayName': ('Alexander Bokovoy',),
>   'dn': 'uid=ab,cn=users,cn=accounts,dc=example,dc=com',
>   'gecos': ('Alexander Bokovoy',),
>   'gidnumber': ('1536000001',),
>   'givenname': ('Alexander',),
>   'homedirectory': ('/home/ab',),
>   'initials': ('AB',),
>   'ipaNTHash': (b'some-value',),
>   'ipaNTSecurityIdentifier': ('<DOMAIN-SID>-1001',),
>   'ipaUniqueID': ('<UNIQUE-ID>',),
>   'ipaUserAuthType': ('otp',),
>   'krbLastPwdChange': ('20180531111544Z',),
>   'krbPasswordExpiration': ('20180829111544Z',),
>   'krbcanonicalname': ('ab@EXAMPLE.COM',),
>   'krbprincipalname': ('ab@EXAMPLE.COM',),
>   'loginshell': ('/bin/sh',),
>   'mail': ('ab@example.com',),
>   'memberOf': (<list of DNs>),
>   'nsaccountlock': ('FALSE',),
>   'objectClass': ('ipaobject', 'person', 'top', 'ipasshuser', 'inetorgperson', 'organizationalperson', 'krbticketpolicyaux', 'krbprincipalaux', 'inetuser', 'posixaccount', 'ipaSshGroupOfPubKeys', 'mepOriginEntry', 'ipantuserattrs', 'ipauserauthtypeclass'),
>   'sn': ('Bokovoy',),
>   'uid': ('ab',),
>   'uidnumber': ('1536000001',),
>   <more data>},
>  <more entries>)
> >>> for x in filter(lambda x: 'givenname' in x, result):
> ...     print("samba-tool user create {uid[0]} t4mp-P-A-S-S-W-O-R-D --given-name={givenname[0]} --surname={sn[0]} --must-change-at-next-login".format(**x))
> ...
> samba-tool user create ab t4mp-P-A-S-S-W-O-R-D --given-name=Alexander --surname=Bokovoy --must-change-at-next-login
> samba-tool user create mbar t4mp-P-A-S-S-W-O-R-D --given-name=M --surname=Bar --must-change-at-next-login
> samba-tool user create new-user t4mp-P-A-S-S-W-O-R-D --given-name=New --surname=User --must-change-at-next-login
> samba-tool user create a-user t4mp-P-A-S-S-W-O-R-D --given-name=A --surname=User --must-change-at-next-login
> samba-tool user create some-user t4mp-P-A-S-S-W-O-R-D --given-name=Some --surname=User --must-change-at-next-login
> samba-tool user create user-mode t4mp-P-A-S-S-W-O-R-D --given-name=User --surname=Mode --must-change-at-next-login