hi guys
After a longer break from Windowze, I had a Win2012 trust okay in the past; now I'm fiddling with Win2016 and have this question:
After a trust (one-way, coming from AD) is established okay, should AD's users be immediately available to/in IPA?
Usual things such as id, ipa user-show do find the users. I cannot remember how it was with my Win2012.
many thanks, L.
There is no enumeration support, but if you want to figure out if your connection works, try getent on a group or user (or using id on a group or user). If those don’t work the AD Trust might not be working correctly. I start the trusts on the IPA side and use Domain Admin creds (and not a secret or token), that always works for me.
If the trust works but something else is wrong, you can check if the trusts are listed and domains can be fetched from the trust. If you don’t even have those, the trust doesn’t work at all. If you do have those, it’s a different problem.
Does the trust show on the DC in the trust settings?
Regards, John
On 16 Jan 2019, at 19:19, lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 16/01/2019 19:26, John Keates wrote:
There is no enumeration support, but if you want to figure out if your connection works, try getent on a group or user (or using id on a group or user). If those don’t work the AD Trust might not be working correctly. I start the trusts on the IPA side and use Domain Admin creds (and not a secret or token), that always works for me.
If the trust works but something else is wrong, you can check if the trusts are listed and domains can be fetched from the trust. If you don’t even have those, the trust doesn’t work at all. If you do have those, it’s a different problem.
Does the trust show on the DC in the trust settings?
Trust does show in the 2016 DC, but because it was started there, that trust was set up with a shared secret on 2016 and then finished off on the IPAs.
The thing is - I do not have (and cannot have) admin access/credentials on the 2016 AD, and in such cases, I understand, only a shared key is the option available. Or not?
On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:
On 16/01/2019 19:26, John Keates wrote:
Does the trust show on the DC in the trust settings?
Trust does show in the 2016 DC, but because it was started there, that trust was set up with a shared secret on 2016 and then finished off on the IPAs.
Ah. One-way trust with a shared secret is not supported yet. I need to merge my patches, hopefully, somewhere after devconf/FOSDEM. It requires changes to Samba (released in 4.7.11+, 4.8.6+), to SSSD (released in 1.16.3+), and to FreeIPA (not merged yet).
The thing is - I do not have (and cannot have) admin access/credentials on the 2016 AD, and in such cases, I understand, only a shared key is the option available. Or not?
I have a Windows Server 2016 deployment and I have access to admin creds there without any problems. Unless you are trying to say that your administrators don't like to give you temporary membership in the 'Domain Admins' group in the forest root domain or in the 'Enterprise Admins' group to allow creating a forest trust, you should definitely be able to use admin credentials to establish a trust. Windows Server 2016 is no different from 2012 in this sense.
On 17/01/2019 11:43, Alexander Bokovoy wrote:
I have a Windows Server 2016 deployment and I have access to admin creds there without any problems. Unless you are trying to say that your administrators don't like to give you temporary membership in the 'Domain Admins' group in the forest root domain or in the 'Enterprise Admins' group to allow creating a forest trust, you should definitely be able to use admin credentials to establish a trust. Windows Server 2016 is no different from 2012 in this sense.
I'm not trying, I'm saying that indeed.
I remember now that I asked around about the same "issue" when I first came across it some time ago, when I fiddled with 2012.
If I did not say it then, or if I did, then I'll repeat - in big organizations like the one I work for, where a formal organizational separation often exists to some extent, that "shared secret" - I could not stress it enough - the sooner it gets into IPA (fully working), the more lives and problems are saved :)
I'll keep my fingers crossed hard :)
Many thanks! L.
On 17/01/2019 11:43, Alexander Bokovoy wrote:
I have a Windows Server 2016 deployment and I have access to admin creds there without any problems. Unless you are trying to say that your administrators don't like to give you temporary membership in the 'Domain
How temporary would that have to be?
Is it just for the time when IPA adds a trust, and such admin access can be removed right after that?
What about when one needs to add a controller at a later time, and related stuff?
Admins' group in the forest root domain or in 'Enterprise Admins' group to allow creating a forest trust, you should definitely be able to use admin credentials to establish trust. Windows Server 2016 is no different from 2012 in this sense.
On ke, 23 tammi 2019, lejeczek via FreeIPA-users wrote:
I have a Windows Server 2016 deployment and I have access to admin creds there without any problems. Unless you are trying to say that your administrators don't like to give you temporary membership in the 'Domain
How temporary would that have to be?
Is it just for the time when IPA adds a trust, and such admin access can be removed right after that?
Yes, just at that time.
What about when one needs to add a controller at a later time, and related stuff?
Adding a trust controller is unrelated to adding a trust itself.
On ke, 16 tammi 2019, lejeczek via FreeIPA-users wrote:
After a longer break from Windowze, I had a Win2012 trust okay in the past; now I'm fiddling with Win2016 and have this question:
After a trust (one-way, coming from AD) is established okay, should AD's users be immediately available to/in IPA?
Usual things such as id, ipa user-show do find the users. I cannot remember how it was with my Win2012.
There should be no difference in functional behavior.
Perhaps, you were lucky in terms of establishing trust at a time when SSSD on IPA master decided to refresh its domain information and discovering it has new trusted domains to look at.
On 16/01/2019 21:17, Alexander Bokovoy wrote:
There should be no difference in functional behavior.
Perhaps, you were lucky in terms of establishing trust at a time when SSSD on IPA master decided to refresh its domain information and discovering it has new trusted domains to look at.
Ugh... I was not being careful with my typing; it is:
Usual things such as id, ipa user-show do NOT find the users. I cannot remember how it was with my Win2012.
On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:
Ugh... I was not being careful with my typing; it is:
Usual things such as id, ipa user-show do NOT find the users. I cannot remember how it was with my Win2012.
ipa user-show should not find any AD users at all, that's as intended.
If `id user@ad.domain` doesn't work, follow the SSSD troubleshooting guide: https://docs.pagure.org/sssd.sssd/users/troubleshooting.html
On 16/01/2019 21:17, Alexander Bokovoy wrote:
There should be no difference in functional behavior.
Perhaps, you were lucky in terms of establishing trust at a time when SSSD on IPA master decided to refresh its domain information and discovering it has new trusted domains to look at.
Do we users/admins have any control over those bits, over how SSSD refreshes & caches these bits?
I've decided to briefly try with a 2016 "lab" type, my own 2016 that I control. I get users immediately with a one-way (full credentials and no shared secret) trust, but only on the master which established the trust; the remaining masters, though they can validate the trust with kvno/kinit, at the moment see no AD users with id/getent/ipa user.
Reading the docs I could not get this clarified, but I suppose having this crystal clear would be best - ipa-adtrust-install is only needed on that one master which will establish the trust, or does it need to be on each IPA master?
On to, 17 tammi 2019, lejeczek via FreeIPA-users wrote:
Do we users/admins have any control over those bits, over how SSSD refreshes & caches these bits?
I've decided to briefly try with a 2016 "lab" type, my own 2016 that I control. I get users immediately with a one-way (full credentials and no shared secret) trust, but only on the master which established the trust; the remaining masters, though they can validate the trust with kvno/kinit, at the moment see no AD users with id/getent/ipa user.
Reading the docs I could not get this clarified, but I suppose having this crystal clear would be best - ipa-adtrust-install is only needed on that one master which will establish the trust, or does it need to be on each IPA master?
Correct, ipa-adtrust-install needs to be run on one master to configure that one with the trust controller role. Other masters can be designated as trust agents via a re-run of 'ipa-adtrust-install --add-agents' on the original master. If you want to have more trust controllers, you can initialize them by running ipa-adtrust-install on those masters, but this is not required. All of this is described in the documentation.
Unless you designated IPA masters as trust agents or trust controllers, they will not be able to resolve AD users/groups. It is a security feature, as having access to the inter-forest trust credentials allows impersonating the whole trust link. Thus, by default the access to these credentials is limited and has to be granted via 'ipa-adtrust-install --add-agents' from a master with the trust controller role.
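The "are the trusts listed" check from John's reply and the trust agent/controller rule from Alexander's reply above, as an added example that is not code from the thread, from FreeIPA or from SSSD: it parses the human-readable output of `ipa trust-find` and `ipa server-role-find` and says whether this master is even allowed to resolve AD users before you start on SSSD troubleshooting. The '  Key: value' entry layout and the role status value 'enabled' are assumptions about the CLI output; the sample output and the ipa1/ipa2 hostnames are constructed.

```python
import re
import socket
import subprocess
# Matches one '  Key: value' line of `ipa *-find` output (format assumed).
ENTRY_LINE = re.compile(r"^ {2}([^:]+?):\s*(.*)$")

def parse_ipa_entries(text):
    """Split `ipa *-find` output into one {key: value} dict per entry;
    rulers and 'N ... matched' / 'Number of entries returned' lines are skipped."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ENTRY_LINE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:  # blank line or ruler closes the entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries

def trust_capable_masters(role_output):
    """Masters with an enabled 'AD trust agent' or 'AD trust controller' role:
    per the thread, only these resolve AD users through the trust."""
    return {e["Server name"] for e in parse_ipa_entries(role_output)
            if e.get("Role name") in ("AD trust agent", "AD trust controller")
            and e.get("Role status") == "enabled"}

def diagnose(trust_output, role_output, this_master):
    """'no-trust': ipa trust-add never succeeded; 'not-agent': run
    'ipa-adtrust-install --add-agents' on a trust controller; 'ok': look at SSSD."""
    if not parse_ipa_entries(trust_output):
        return "no-trust"
    if this_master not in trust_capable_masters(role_output):
        return "not-agent"
    return "ok"

# Constructed sample output (hypothetical hosts, not captured from a deployment).
SAMPLE_TRUSTS = """---------------
1 trust matched
---------------
  Realm name: ad.example.test
  Trust direction: Trusting forest
"""
SAMPLE_ROLES = """  Server name: ipa1.example.test
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa2.example.test
  Role name: AD trust agent
  Role status: absent
"""
if __name__ == "__main__":  # live run on an IPA master with a valid admin ticket
    ipa = lambda *a: subprocess.run(["ipa", *a], capture_output=True, text=True, check=True).stdout
    print(diagnose(ipa("trust-find"), ipa("server-role-find"), socket.getfqdn()))
```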