Hello!
I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory (ad.angelsofclockwork.net) and put them into a two-way trust with posix. I used these commands:
ipa-adtrust-install --enable-compat --add-agents
ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix
The users in AD have posix attributes assigned and those attributes are in the global catalog. My linux clients can see the AD users when I do a getent passwd user@ad.angelsofclockwork.net. So this is working as intended.
http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I used this guide to add our first Mac to FreeIPA rather than AD. This guide worked for the most part, but I cannot get it to see the users across the trust boundary. I'm sure I'm either missing something or the Mac's Open Directory utility doesn't support trusts like we would think it should.
[root@sani ~]# dscacheutil -q user -a name admin
name: admin
password: ********
uid: 931600000
gid: 931600000
dir: /Users/admin
shell: /bin/bash
gecos: Administrator

[root@sani ~]# dscacheutil -q user -a name louis.abel
[root@sani ~]# dscacheutil -q user -a name louis.abel@ad.angelsofclockwork.net
Anyone have any suggestions? Or will I have to just connect my Mac to AD and work with it that way? I was trying to avoid having to add to AD, but it seems like I'm going to have to go that route. Unless anyone has experience with getting it to work across trusts. From my research it seems others have tried to solve the 'trust' problem when there are two AD domains involved, not an IPA and AD domain. So it seems like a Mac-specific problem perhaps.
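A small diagnostic, added here as an example and not part of the thread, that parses the two kinds of output shown above (`getent passwd` on an IPA-enrolled Linux client and `dscacheutil -q user` on the Mac) and reports which users resolve on the Linux side but not on the Mac, grouped by trusted realm, plus any uid/gid disagreement between the two clients. The sample captures, the AD user's POSIX IDs and the home directory paths are constructed for illustration; only the `admin` record values come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    realm: Optional[str]  # trusted-domain suffix, e.g. "ad.angelsofclockwork.net"; None for IPA-local users


def realm_of(name: str) -> Optional[str]:
    # Trusted-domain users resolve as user@domain; IPA-local users carry no '@'.
    return name.partition("@")[2].lower() or None


def parse_getent_passwd(text: str) -> Dict[str, UserRecord]:
    # `getent passwd` prints one user per line with 7 colon-separated fields.
    records: Dict[str, UserRecord] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        records[name] = UserRecord(name, int(uid), int(gid), home, shell, realm_of(name))
    return records


def parse_dscacheutil_users(text: str) -> Dict[str, UserRecord]:
    # `dscacheutil -q user` prints 'key: value' lines per record, blank line between records.
    # A user that does not resolve produces no record at all (as with the louis.abel queries above).
    records: Dict[str, UserRecord] = {}
    block: Dict[str, str] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if block:
                name = block["name"]
                records[name] = UserRecord(name, int(block["uid"]), int(block["gid"]),
                                           block.get("dir", ""), block.get("shell", ""), realm_of(name))
                block = {}
            continue
        key, _, value = line.partition(":")
        block[key.strip()] = value.strip()
    return records


def missing_on_mac(linux: Dict[str, UserRecord], mac: Dict[str, UserRecord]) -> Dict[str, List[str]]:
    # Users the Linux client resolves but the OpenDirectory-bound Mac does not, grouped by realm.
    missing: Dict[str, List[str]] = {}
    for name in sorted(linux):
        if name not in mac:
            missing.setdefault(linux[name].realm or "ipa-local", []).append(name)
    return missing


def id_mismatches(linux: Dict[str, UserRecord], mac: Dict[str, UserRecord]) -> List[str]:
    # Users both clients resolve but with different uid/gid: this breaks ownership on shared storage.
    return [n for n in sorted(linux)
            if n in mac and (linux[n].uid, linux[n].gid) != (mac[n].uid, mac[n].gid)]


# Constructed sample captures; the AD user's IDs and home path are assumptions, not data from the thread.
LINUX_GETENT = """\
admin:*:931600000:931600000:Administrator:/home/admin:/bin/bash
louis.abel@ad.angelsofclockwork.net:*:10001:10001:Louis Abel:/home/ad.angelsofclockwork.net/louis.abel:/bin/bash
"""

MAC_DSCACHEUTIL = """\
name: admin
password: ********
uid: 931600000
gid: 931600000
dir: /Users/admin
shell: /bin/bash
gecos: Administrator
"""

if __name__ == "__main__":
    linux = parse_getent_passwd(LINUX_GETENT)
    mac = parse_dscacheutil_users(MAC_DSCACHEUTIL)
    for realm, names in missing_on_mac(linux, mac).items():
        print(f"not resolvable on the Mac ({realm}): {', '.join(names)}")
    for name in id_mismatches(linux, mac):
        print(f"uid/gid differs between clients: {name}")
```

Feed it the real captures from both machines (for example, `getent passwd` piped to a file on the Linux client and the concatenated `dscacheutil -q user -a name ...` output from the Mac) and every user that only shows up under a trusted realm in the report is one the Mac's directory binding cannot see.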
On Sun, 09 Jul 2017, Louis Abel via FreeIPA-users wrote:
> Hello!
> I created a FreeIPA (ipa.angelsofclockwork.net) and Active Directory (ad.angelsofclockwork.net) and put them into a two-way trust with posix. I used these commands:
> ipa-adtrust-install --enable-compat --add-agents
> ipa trust-add --type=ad ad.angelsofclockwork.net --admin lmabel --password --two-way=true --range-type=ipa-ad-trust-posix
> The users in AD have posix attributes assigned and those attributes are in the global catalog. My linux clients can see the AD users when I do a getent passwd user@ad.angelsofclockwork.net. So this is working as intended.
> http://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12 - I used this guide to add our first Mac to FreeIPA rather than AD.
> This guide worked for the most part, but I cannot get it to see the users across the trust boundary. I'm sure I'm either missing something or the Mac's Open Directory utility doesn't support trusts like we would think it should.
OpenDirectory only looks into a single LDAP server. The FreeIPA LDAP server does not provide AD users in its own LDAP tree, thus OpenDirectory cannot see them.
It is working as designed in the sense that OpenDirectory is not supported for trusted users and never was supported.
> Anyone have any suggestions? Or will I have to just connect my Mac to AD and work with it that way? I was trying to avoid having to add to AD, but it seems like I'm going to have to go that route. Unless anyone has experience with getting it to work across trusts. From my research it seems others have tried to solve the 'trust' problem when there are two AD domains involved, not an IPA and AD domain. So it seems like a Mac-specific problem perhaps.
Yes, just connect to AD. We don't have much support for macOS in the trust to AD space.
freeipa-users@lists.fedorahosted.org