I'm working with the ipa web services to provision users across a one way trust with IPA. I have looked at the id_view_* services and am trying to wrap my head around a few details:
1. When I ssh into a linux box that's a member of the IPA domain with my AD user, IPA creates an object in LDAP and assigns a gid and uid to it, but when I create the user in the ID View under the Default Trust View the information from the object isn't there, BUT when I set the shell it gets written to the directory object when I update the shell attribute. Shouldn't the user's gid/uid be visible there as part of the view?
2. When I add a user from AD to an external group should I specify the userPrincipalName as the external member?
3. Is there a way to get IPA to trigger the creation of the ldap object that represents the AD user via a web service instead of logging in or sudoing over to that user?
Thanks
On Fri, 18 May 2018, Marc Boorshtein via FreeIPA-users wrote:
I'm working with the ipa web services to provision users across a one way trust with IPA. I have looked at the id_view_* services and am trying to wrap my head around a few details:
- When I ssh into a linux box thats a member of the IPA domain with
my AD user, IPA creates an object in LDAP and assigns a gid and uid to it, but when I create the user in the ID View under the Default Trust View the information from the object isn't there, BUT when I set the shell it gets written to the directory object when I update the shell attribute. Shouldn't the user's gid/uid be visible there as part of the view?
IPA does not create any specific object in LDAP when you are ssh-ing into a Linux box. That simply does not happen and never did.
Can you demonstrate what you are talking about with a concrete example using 'ipa idoverrideuser-*' commands?
- When I add a user from AD to an external group should I specify
the userPrincipalName as the external member?
You should specify something that SSSD will be able to resolve to an AD user. It could be username@domain or NetBIOS\username or anything else that SSSD could resolve.
- Is there a way to get IPA to trigger the creation of the ldap
object that represents the AD user via a web service instead of logging in or sudoing over to that user?
No. And neither sudoing nor logging in to the host creates the LDAP object either. You as administrator should create those entries.
I'm working with the ipa web services to provision users across a one way trust with IPA. I have looked at the id_view_* services and am trying to wrap my head around a few details:
- When I ssh into a linux box thats a member of the IPA domain with
my AD user, IPA creates an object in LDAP and assigns a gid and uid to it, but when I create the user in the ID View under the Default Trust View the information from the object isn't there, BUT when I set the shell it gets written to the directory object when I update the shell attribute. Shouldn't the user's gid/uid be visible there as part of the view?
IPA does not create any specific object in LDAP when you are ssh-ing into a Linux box. That simply does not happen and never did.
Can you demonstrate what you are talking about with a concrete example using 'ipa idoverrideuser-*' commands?
IPA Domain - rhelent.lan
AD Domain - ent2k12.domain.com
One way trust with rhelent.lan trusting ent2k12.domain.com
1. Create a user in AD - thor@ent2k12.domain.com
2. Search IPA's 389 for (uid=thor@ent2k12.domain.com), no results
3. Login to server in rhelent.lan
4. sudo su - thor@ent2k12.domain.com
5. id - uid=160812321(thor@ent2k12.domain.com) gid=160812321(thor@ent2k12.domain.com) groups=160812321(thor@ent2k12.domain.com),160800513(domain users@ent2k12.domain.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
6. Search IPA's 389 for (uid=thor@ent2k12.domain.com), found at uid=thor@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
7. Login to the IPA web interface - create a user override for uid=thor@ent2k12.domain.com and a shell of /bin/bash
8. Search IPA's 389 for (uid=thor@ent2k12.domain.com), found at uid=thor@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
9. sudo su - thor@ent2k12.domain.com - now my default shell is bash

I thought I would see a shell attribute after #8 but that's not the case. Where is the override stored?
- When I add a user from AD to an external group should I specify
the userPrincipalName as the external member?
You should specify something that SSSD will be able to resolve to an AD user. It could be username@domain or NetBIOS\username or anything else that SSSD could resolve.
OK, that makes sense
- Is there a way to get IPA to trigger the creation of the ldap
object that represents the AD user via a web service instead of logging in or sudoing over to that user?
No. And neither sudoing nor logging in to the host creates the LDAP object either. You as administrator should create those entries.
This doesn't seem to line up with the steps produced above, what am I missing?
Thanks
On Fri, 18 May 2018, Marc Boorshtein wrote:
I'm working with the ipa web services to provision users across a one way trust with IPA. I have looked at the id_view_* services and am trying to wrap my head around a few details:
- When I ssh into a linux box thats a member of the IPA domain with
my AD user, IPA creates an object in LDAP and assigns a gid and uid to it, but when I create the user in the ID View under the Default Trust View the information from the object isn't there, BUT when I set the shell it gets written to the directory object when I update the shell attribute. Shouldn't the user's gid/uid be visible there as part of the view?
IPA does not create any specific object in LDAP when you are ssh-ing into a Linux box. That simply does not happen and never did.
Can you demonstrate what you are talking about with a concrete example using 'ipa idoverrideuser-*' commands?
IPA Domain - rhelent.lan
AD Domain - ent2k12.domain.com
One way trust with rhelent.lan trusting ent2k12.domain.com
1. Create a user in AD - thor@ent2k12.domain.com
2. Search IPA's 389 for (uid=thor@ent2k12.domain.com), no results
3. Login to server in rhelent.lan
4. sudo su - thor@ent2k12.domain.com
5. id - uid=160812321(thor@ent2k12.domain.com) gid=160812321(thor@ent2k12.domain.com) groups=160812321(thor@ent2k12.domain.com),160800513(domain users@ent2k12.domain.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
6. Search IPA's 389 for (uid=thor@ent2k12.domain.com), found at uid=thor@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
7. Login to the IPA web interface - create a user override for uid=thor@ent2k12.domain.com and a shell of /bin/bash
8. Search IPA's 389 for (uid=thor@ent2k12.domain.com), found at uid=thor@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
9. sudo su - thor@ent2k12.domain.com - now my default shell is bash

I thought I would see a shell attribute after #8 but that's not the case. Where is the override stored?
What you see above is a compat entry, not an ID override. A compat entry is provided on demand -- in fact, you searched for it and it was created by looking it up in SSSD. This information in the compat tree is not normally used at all by any client using SSSD with 'id_provider=ipa'. It is for clients that don't use SSSD or use an SSSD old enough that it doesn't support trust to AD directly.
- When I add a user from AD to an external group should I specify
the userPrincipalName as the external member?
You should specify something that SSSD will be able to resolve to an AD user. It could be username@domain or NetBIOS\username or anything else that SSSD could resolve.
OK, that makes sense
- Is there a way to get IPA to trigger the creation of the ldap
object that represents the AD user via a web service instead of logging in or sudoing over to that user?
No. And neither sudoing nor logging in to the host creates the LDAP object either. You as administrator should create those entries.
This doesn't seem to line up with the steps produced above, what am I missing?
You are looking at the wrong objects in the wrong place and drawing wrong conclusions based on that. ;)
See Windows Integration Guide, "Chapter 8. Using ID Views in Active Directory Environments" https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... for details on ID overrides.
See Windows Integration Guide, section "5.6. Active Directory Trust for Legacy Linux Clients" for details about the compat tree. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
You can also read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt but compat tree is not something you should be looking at if your IPA clients are using SSSD newer than 1.9.
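To make the distinction above concrete, here is an added example (not code from the thread, and not FreeIPA's own scripts) that does with the `ipa` CLI and `ldapsearch` what the web UI did in step 7, shows where the resulting override actually lives (the views container under cn=accounts, keyed by the user's AD SID), contrasts it with the on-demand entry under cn=compat, and adds the AD user to an external group nested into a POSIX group. The IPA suffix dc=rhelent,dc=lan, the view name and the AD user come from the thread; the group names ad_users_external and ad_users, an admin Kerberos ticket (kinit admin) and an enrolled host with both CLIs installed are assumptions. Setting IPA=echo LDAPSEARCH=echo makes every function print the command it would run instead of executing it.

```shell
#!/bin/bash
# Added example, not from the thread or from FreeIPA itself. Shows where an
# ID override for a trusted AD user is stored (cn=views,cn=accounts), how to
# add an AD user to an external group, and where the compat entry the thread
# was looking at comes from (cn=compat).
#
# Assumptions: IPA suffix dc=rhelent,dc=lan, AD user thor@ent2k12.domain.com
# and view "Default Trust View" (from the thread); group names
# ad_users_external / ad_users, an admin Kerberos ticket (kinit admin) and
# the ipa / ldapsearch CLIs on an enrolled host (made up here).
# IPA=echo LDAPSEARCH=echo turns every function into a dry run.
set -eu

IPA="${IPA:-ipa}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
BASE="${BASE:-dc=rhelent,dc=lan}"
VIEW="${VIEW:-Default Trust View}"
AD_USER="${AD_USER:-thor@ent2k12.domain.com}"
EXT_GROUP="${EXT_GROUP:-ad_users_external}"   # assumed name
POSIX_GROUP="${POSIX_GROUP:-ad_users}"        # assumed name

# The override is the object the web UI created in step 7 of the thread.
# It lives inside the view, keyed by the user's AD SID (ipaAnchorUUID), and
# only carries the attributes you set. The uid/gid shown by id(1) for an AD
# user are computed by SSSD from the SID and the trust's ID range; they are
# not stored per user anywhere in IPA's LDAP.
add_shell_override() {
    "$IPA" idoverrideuser-add "$VIEW" "$AD_USER" --shell=/bin/bash
}

# Use idoverrideuser-mod instead of -add to change an existing override.
show_override() {
    "$IPA" idoverrideuser-show "$VIEW" "$AD_USER"
}

# Where to look with plain LDAP: the views container, not cn=compat.
search_override_entry() {
    "$LDAPSEARCH" -Y GSSAPI -b "cn=$VIEW,cn=views,cn=accounts,$BASE" \
        "(objectClass=ipaUserOverride)"
}

# The entry the thread found. The compat plugin synthesizes it on demand by
# resolving the user through SSSD; clients running SSSD with id_provider=ipa
# never read it, which is why the override does not show up there.
search_compat_entry() {
    "$LDAPSEARCH" -Y GSSAPI -b "cn=users,cn=compat,$BASE" "(uid=$AD_USER)"
}

# One-time setup: an external (non-POSIX) group for AD members and a POSIX
# group that IPA clients see. group-add fails if a group already exists.
create_groups() {
    "$IPA" group-add "$EXT_GROUP" --external
    "$IPA" group-add "$POSIX_GROUP"
}

# External membership: the member is any name SSSD can resolve to the AD
# user (user@domain or NetBIOS\user). Nesting the external group into the
# POSIX group is what makes the membership visible on IPA clients.
add_external_member() {
    "$IPA" group-add-member "$EXT_GROUP" --external "$AD_USER"
    "$IPA" group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
}

main() {
    add_shell_override
    show_override
    search_override_entry
    search_compat_entry
    create_groups
    add_external_member
}

# Only talk to the server when explicitly asked, so the file can be sourced
# or dry-run without side effects.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    main
fi
```

Run it with `RUN_LIVE=1 ./idview-example.sh` on a host with an admin ticket; with `IPA=echo LDAPSEARCH=echo ./idview-example.sh` it prints the commands and nothing else. The point to take from the two ldapsearch functions is that step 8 of the thread searched the wrong base: the override written in step 7 is under `cn=Default Trust View,cn=views,cn=accounts,...`, while `cn=users,cn=compat,...` only ever shows what the compat plugin reconstructs through SSSD.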
Thanks for pointing me in the right direction

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity
On Fri, May 18, 2018 at 4:06 PM, Alexander Bokovoy abokovoy@redhat.com wrote:
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org