Thanks for pointing me in the right direction

Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902
Twitter - @mlbiam / @tremolosecurity

On Fri, May 18, 2018 at 4:06 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 18 May 2018, Marc Boorshtein wrote:
>>>> I'm working with the ipa web services to provision users across a one
>>>> way trust with IPA. I have looked at the id_view_* services and am
>>>> trying to wrap my head around a few details:
>>>>
>>>> 1. When I ssh into a linux box that's a member of the IPA domain with
>>>> my AD user IPA creates an object in LDAP and assigns a gid and uid to
>>>> it, but when I create the user in the ID View under the Default Trust
>>>> View the information from the object isn't there, BUT when I set the
>>>> shell it gets written to the directory object when I update the shell
>>>> attribute. Shouldn't the user's gid/uid be visible there as part of
>>>> the view?
>>>
>>> IPA does not create any specific object in LDAP when you are ssh-ing
>>> into a Linux box. That simply does not happen and never was.
>>>
>>> Can you demonstrate what you are talking about with a concrete example
>>> using 'ipa idoverrideuser-*' commands?
>>
>> IPA Domain - rhelent.lan
>> AD Domain - ent2k12.domain.com
>>
>> One way trust with rhelent.lan trusting ent2k12.domain.com
>>
>> 1. Create a user in AD - t...@ent2k12.domain.com
>> 2. Search IPA's 389 for (uid=t...@ent2k12.domain.com), no results
>> 3. Login to server in rhelent.lan
>> 4. sudo su - t...@ent2k12.domain.com
>> 5. id - uid=160812321(t...@ent2k12.domain.com)
>>    gid=160812321(t...@ent2k12.domain.com)
>>    groups=160812321(t...@ent2k12.domain.com),160800513(domain us...@ent2k12.domain.com)
>>    context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> 6. Search IPA's 389 for (uid=t...@ent2k12.domain.com), found at
>>    uid=t...@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no
>>    shell attribute
>> 7. Login to the ipa web interface - Create a user override for
>>    uid=t...@ent2k12.domain.com and a shell of /bin/bash
>> 8. Search IPA's 389 for (uid=t...@ent2k12.domain.com), found at
>>    uid=t...@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no
>>    shell attribute
>> 9. sudo su - t...@ent2k12.domain.com - now my default shell is bash
>>
>> I thought I would see a shell attribute after #8 but that's not the
>> case. Where is the override stored?
>
> What you see above is a compat entry, not an ID override. A compat entry
> is provided on demand -- in fact, you searched for it and it was created by
> looking it up in SSSD. This information in the compat tree is not used normally
> by any client using SSSD with 'id_provider=ipa' at all. It is for
> clients that don't use SSSD or use an SSSD old enough that it doesn't
> support trust to AD directly.
>
>>>> 2. When I add a user from AD to an external group should I specify
>>>> the userPrincipalName as the external member?
>>>
>>> You should specify something that SSSD will be able to resolve to an AD
>>> user. It could be username@domain or NetBIOS\username or anything else
>>> that SSSD could resolve.
>>
>> OK, that makes sense
>>
>>>> 3. Is there a way to get IPA to trigger the creation of the ldap
>>>> object that represents the AD user via a web service instead of
>>>> logging in or sudoing over to that user?
>>>
>>> No. And neither sudoing nor logging in to the host creates the
>>> LDAP object either. You as administrator should create those entries.
>>
>> This doesn't seem to line up with the steps produced above, what am I
>> missing?
>
> You are looking at the wrong objects in the wrong place and drawing wrong
> conclusions based on that. ;)
>
> See Windows Integration Guide, "Chapter 8. Using ID Views in Active
> Directory Environments"
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#id-views
> for details on ID overrides.
>
> See Windows Integration Guide, section "5.6. Active Directory Trust for
> Legacy Linux Clients" for details about the compat tree.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-legacy
>
> You can also read
> https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt but the compat
> tree is not something you should be looking at if your IPA clients are
> using SSSD newer than 1.9.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WAFBSUFQQIGELWAAOQSJ7KM2QM4ZRCWK/
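The thread's confusion is between the on-demand compat entry under cn=compat and the ID override, which lives in the ID views container. As an added example (not from the thread or the FreeIPA project), the script below creates the same override with the 'ipa idoverrideuser-*' commands Alexander asks for and then looks it up where it is actually stored; it assumes an admin Kerberos ticket, the container DN cn=views,cn=accounts,<suffix> and the objectClass ipaUserOverride from FreeIPA's schema, and uses a placeholder user name for the thread's elided t...@ address.

```shell
#!/bin/sh
# Added example: create an ID override for a trusted-AD user and locate it
# in the views subtree rather than in cn=compat. The views container DN and
# the ipaUserOverride objectClass are assumed from FreeIPA's schema.

SUFFIX="dc=rhelent,dc=lan"            # IPA domain from the thread
VIEW="Default Trust View"
AD_USER="tuser@ent2k12.domain.com"    # placeholder for the elided t...@ user

# DN of the container holding every ID view and its overrides.
views_base() {
    printf 'cn=views,cn=accounts,%s\n' "$1"
}

# 0 when a DN is a slapi-nis compat entry (what step 6/8 in the thread
# found); these are not used by SSSD 1.9+ clients with id_provider=ipa.
is_compat_dn() {
    case ",$1," in
        *,cn=compat,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when a DN sits under the views container of the given suffix, i.e. it
# is a real ID override entry.
is_override_dn() {
    base=$(views_base "$2")
    case ",$1," in
        *",$base,") return 0 ;;
        *) return 1 ;;
    esac
}

# Same change as step 7 in the thread, done with the CLI instead of the UI.
create_shell_override() {
    ipa idoverrideuser-add "$VIEW" "$AD_USER" --shell=/bin/bash
}

# Read the override back through the API, then through LDAP under the
# views container (not cn=compat) to show where it is stored.
find_override() {
    ipa idoverrideuser-show "$VIEW" "$AD_USER"
    ldapsearch -Y GSSAPI -Q -b "$(views_base "$SUFFIX")" \
        "(&(objectClass=ipaUserOverride)(ipaOriginalUid=$AD_USER))" \
        dn ipaAnchorUUID ipaOriginalUid loginShell
}

if command -v ipa >/dev/null 2>&1; then
    create_shell_override && find_override
fi
```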