Hi!

The attached patch allows enabling serving of trusted domain users and groups
through the Schema Compatibility plugin.

The patch only does the FreeIPA master configuration settings; the real work
is done by the changes to the slapi-nis plugin (in a separate email).

Since ipa-adtrust-install can safely be run multiple times, one can
re-run it on the IPA master to enable serving old clients by specifying

ipa-adtrust-install --enable-compat

or answering 'yes' to the interactive question.

I have expanded the man page for ipa-adtrust-install to cover this option.

Once enabled, the following is possible:
---------------------------------------------------------------------------
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(&(cn=domain adm...@ad.lan)(objectclass=posixgroup))'
SASL/GSSAPI authentication started
SASL username: ad...@vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=vda,dc=li> with scope subtree
# filter: (&(cn=domain adm...@ad.lan)(objectclass=posixgroup))
# requesting: ALL
#

# domain adm...@ad.lan, groups, compat, vda.li
dn: cn=domain adm...@ad.lan,cn=groups,cn=compat,dc=vda,dc=li
objectClass: posixGroup
objectClass: extensibleObject
objectClass: top
gidNumber: 1442800512
memberUid: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
cn: domain adm...@ad.lan

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
---------------------------------------------------------------------------

and for users:
---------------------------------------------------------------------------
# ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(uid=administra...@ad.lan)'
SASL/GSSAPI authentication started
SASL username: ad...@vda.li
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=vda,dc=li> with scope subtree
# filter: (uid=administra...@ad.lan)
# requesting: ALL
#

# administra...@ad.lan, users, compat, vda.li
dn: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
objectClass: posixAccount
objectClass: extensibleObject
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1442800500
gidNumber: 1442800500
homeDirectory: /
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
uid: administra...@ad.lan

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
----------------------------------------------------------------------------

Currently PAM authentication is a bit broken due to a yet-to-be-hunted bug in
SSSD or my environment (Jakub was unable to reproduce it) where SSSD
thinks that the AD DC is offline during the authentication step.

However, if you don't hit the bug, you can check authentication by doing the
following bind and entering the password for your AD administrator:
# ldapsearch -D uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li \
 -W -x -C -a always  -b dc=vda,dc=li '(uid=admin)'

The bind operation needs to be performed _after_ user lookup.

All these commands are only examples; I'm currently working on seeing
how to configure pam_ldap/nss_ldap to use the compat plugin this way.
--
/ Alexander Bokovoy
From bd7addcc2a25555b37cd128dcbea0bc6e9b2929e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 15 Jul 2013 19:13:50 +0300
Subject: [PATCH] ipa-adtrust-install: configure compatibility tree to serve
 trusted domain users

Enables support for trusted domain users for old clients through the Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9. For platforms that lack SSSD or run an older SSSD version one
needs to use this option. When enabled, the slapi-nis package needs to be
installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on the IPA server. These users
and groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.

In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with a
DN under the compat tree, i.e. using bind DN
uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication is related to the PAM stack using the 'system-auth' PAM
service. If you have disabled the HBAC rule 'allow_all', then make sure there
is a special service called 'system-auth' created and an HBAC rule allowing
anyone access to this service on IPA masters is added. Please note that the
system-auth PAM service is not used directly by any other application,
therefore it is safe to create one specifically to support trusted domain
users via the compatibility path.

https://fedorahosted.org/freeipa/ticket/3567
---
 install/tools/ipa-adtrust-install       | 18 +++++++++++++++++-
 install/tools/man/ipa-adtrust-install.1 | 18 ++++++++++++++++++
 ipaserver/install/adtrustinstance.py    | 22 +++++++++++++++++++++-
 3 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-adtrust-install 
b/install/tools/ipa-adtrust-install
index 5744c6f..838f722 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -62,6 +62,9 @@ def parse_options():
     parser.add_option("--add-sids", dest="add_sids", action="store_true",
                       default=False, help="Add SIDs for existing users and" \
                                           " groups as the final step")
+    parser.add_option("--enable-compat",
+                      dest="enable_compat", default=False, action="store_true",
+                      help="Enable support for trusted domains for old 
clients")
 
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
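Review bot: the help string for `--enable-compat` ("Enable support for trusted domains for old clients") is the only description a user sees in unattended mode, and it says neither what the option requires nor where the result shows up; state that the slapi-nis package must be installed on this master and that trusted users and groups are then served under cn=compat,$SUFFIX, as the man page text in this patch does, e.g. "Serve trusted domain users and groups in the Schema Compatibility tree (requires slapi-nis)".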
@@ -194,6 +197,15 @@ def ensure_admin_kinit(admin_name, admin_password):
         return False
     return True
 
+def enable_compat_tree():
+    print "Do you want to enable support for trusted domains in Schema 
Compatibility plugin?"
+    print "This will allow clients older than SSSD 1.9 and non-Linux clients 
to work with trusted users."
+    print ""
+    enable_compat = ipautil.user_input("Enable trusted domains support in 
slapi-nis?", default = False, allow_empty = False)
+    print ""
+    return enable_compat
+
+
 def main():
     safe_options, options = parse_options()
 
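Review bot: `enable_compat_tree()` only asks a question and returns the answer, but its name reads as if it performs the configuration that `ADTRUSTInstance.__enable_compat_tree` does later; rename it to something like `ask_enable_compat()`. Style in the same hunk: `default = False, allow_empty = False` uses spaces around keyword `=`, unlike the rest of the file; write `default=False, allow_empty=False`.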
@@ -244,6 +256,9 @@ def main():
                     sys.exit("Aborting installation.")
                 break
 
+    if not options.unattended and not options.enable_compat:
+        options.enable_compat = enable_compat_tree()
+
     # Check we have a public IP that is associated with the hostname
     ip = None
     try:
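Review bot: the prompt at `if not options.unattended and not options.enable_compat:` defaults to "no" on every interactive re-run, and the patch adds no way to disable the feature (`--enable-compat` is a store_true and `__enable_compat_tree` only ever adds values), so an admin re-running ipa-adtrust-install on a master where compat support is already on is asked again, answers "no", and nothing tells them the tree stays enabled. Read the current `schema-compat-lookup-sssd` setting first and skip the question (or report the state) when it is already configured; a matching `--disable-compat` would make the "safe to re-run" story complete.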
@@ -363,7 +378,8 @@ def main():
     smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
               netbios_name, reset_netbios_name,
               options.rid_base, options.secondary_rid_base,
-              options.no_msdcs, options.add_sids)
+              options.no_msdcs, options.add_sids,
+              enable_compat = options.enable_compat)
     smb.find_local_id_range()
     smb.create_instance()
 
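Review bot: `enable_compat = options.enable_compat` puts spaces around the keyword `=`, unlike the positional arguments on the lines above; write `enable_compat=options.enable_compat`.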
diff --git a/install/tools/man/ipa-adtrust-install.1 
b/install/tools/man/ipa-adtrust-install.1
index 38957f3..7931178 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -106,6 +106,24 @@ The password of the user with administrative privileges 
for this IPA server. Wil
 .TP
 The credentials of the admin user will be used to obtain Kerberos ticket 
before configuring cross-realm trusts support and afterwards, to ensure that 
the ticket contains MS-PAC information required to actually add a trust with 
Active Directory domain via 'ipa trust-add --type=ad' command.
 .TP
+\fB\-\-enable\-compat\fR
+Enables support for trusted domains users for old clients through Schema 
Compatibility plugin.
+SSSD supports trusted domains natively starting with version 1.9 platform. For 
platforms that
+lack SSSD or run older SSSD version one needs to use this option. When 
enabled, slapi\-nis package
+needs to be installed and schema\-compat\-plugin will be configured to provide 
lookup of
+users and groups from trusted domains via SSSD on IPA server. These users and 
groups will be
+available under \fBcn=users,cn=compat,$SUFFIX\fR and 
\fBcn=groups,cn=compat,$SUFFIX\fR trees.
+SSSD will normalize names of users and groups to lower case.
+.IP
+In addition to providing these users and groups through the compat tree, this 
option enables
+authentication over LDAP for trusted domain users with DN under compat tree, 
i.e. using bind DN
+\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR. This 
authentication is related
+to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled HBAC 
rule 'allow_all', then
+make sure there is special service called '\fBsystem\-auth\fR' created and 
HBAC rule to allow
+access to anyone to this rule on IPA masters is added. Please note that 
system-auth PAM service
+is not used directly by any other application, therefore it is safe to create 
one specifically
+to support trusted domain users via compatibility path.
+.TP
 .SH "EXIT STATUS"
 0 if the installation was successful
 
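Review bot: the added block ends with a bare `+.TP` immediately before `.SH "EXIT STATUS"`; a `.TP` with no tag line after it renders as a dangling indent, so drop it (the existing `.TP` above `\fB\-\-enable\-compat\fR` already opens the paragraph). The sentence "This authentication is related to PAM stack using 'system-auth' PAM service" is too vague for the admin who has to decide on the HBAC rule the next sentence asks for: say plainly that a simple bind with a DN under the compat tree is checked through PAM on the IPA master with the system-auth service, so an HBAC rule for that service on the masters gates every such bind. Minor wording: "trusted domains users" should be "trusted domain users", and "starting with version 1.9 platform" should be "starting with version 1.9".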
diff --git a/ipaserver/install/adtrustinstance.py 
b/ipaserver/install/adtrustinstance.py
index 4eb20d9..9ecc7e9 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
         except Exception, e:
             root_logger.critical("Checking replicas for cifs principals failed 
with error '%s'" % e)
 
+    def __enable_compat_tree(self):
+        try:
+            compat_plugin_dn = DN("cn=Schema 
Compatibility,cn=plugins,cn=config")
+            lookup_sssd_name = "schema-compat-lookup-sssd"
+            for config in (("cn=users", "user"), ("cn=groups", "group")):
+                entry_dn = DN(config[0], compat_plugin_dn)
+                current = self.admin_conn.get_entry(entry_dn)
+                lookup_sssd = current.get(lookup_sssd_name, [])
+                if not(config[1] in lookup_sssd):
+                    current[lookup_sssd_name] = [config[1]]
+                    self.admin_conn.update_entry(entry_dn, current)
+        except Exception, e:
+            root_logger.critical("Enabling SSSD support in slapi-nis failed 
with error '%s'" % e)
+
     def __start(self):
         try:
             self.start()
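Review bot: `except Exception, e: root_logger.critical(...)` in `__enable_compat_tree` swallows every failure, so when the `cn=Schema Compatibility,cn=plugins,cn=config` entry is missing (slapi-nis not installed, which the man page text says is a prerequisite) or the update is rejected, the installer logs one line, the step reports success and the restart that follows does nothing for the compat tree; check for the plugin entry up front and abort with a clear message, or re-raise after logging so the step fails visibly. Also, `current[lookup_sssd_name] = [config[1]]` replaces whatever `schema-compat-lookup-sssd` already held instead of adding to it; since `lookup_sssd` is already the existing value list, use `current[lookup_sssd_name] = lookup_sssd + [config[1]]`.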
@@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
 
     def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
               reset_netbios_name, rid_base, secondary_rid_base,
-              no_msdcs=False, add_sids=False, smbd_user="samba"):
+              no_msdcs=False, add_sids=False, smbd_user="samba", 
enable_compat=False):
         self.fqdn = fqdn
         self.ip_address = ip_address
         self.realm = realm_name
@@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
         self.secondary_rid_base = secondary_rid_base
         self.no_msdcs = no_msdcs
         self.add_sids = add_sids
+        self.enable_compat = enable_compat
         self.smbd_user = smbd_user
         self.suffix = ipautil.realm_to_suffix(self.realm)
         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
@@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
         self.step("configuring smbd to start on boot", self.__enable)
         self.step("adding special DNS service records", \
                   self.__add_dns_service_records)
+
+        if self.enable_compat:
+            self.step("Enabling trusted domains support for older clients via 
Schema Compatibility plugin",
+                      self.__enable_compat_tree)
+
         self.step("restarting Directory Server to take MS PAC and LDAP plugins 
changes into account", \
                   self.__restart_dirsrv)
         self.step("adding fallback group", self.__add_fallback_group)
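Review bot: the step description "Enabling trusted domains support for older clients via Schema Compatibility plugin" breaks the convention of the neighbouring steps, which are short lower-case phrases ("configuring smbd to start on boot", "adding fallback group"); use something like "enabling compatibility tree for trusted domains". The placement is right: the step runs before the Directory Server restart whose description says it is there to pick up LDAP plugin changes, which the schema-compat configuration change needs.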
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
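As an added example (not code from the mail, FreeIPA or slapi-nis), the Python below works the two things the mail shows by hand: it parses compat-tree entries as ldapsearch prints them and checks that every entry's POSIX id and SID RID agree on one id-range base (in the mail, gidNumber 1442800512 pairs with RID 512 and uidNumber 1442800500 with RID 500, i.e. one base of 1442800000), and it performs the lookup-then-bind sequence the mail says is required for compat-tree authentication, building the bind DN with SSSD's lower-casing and RFC 4514 escaping. The suffix dc=example,dc=test, the trusted domain ad.example, the sample entries and the `conn` object (anything with python-ldap's `search_s()`/`simple_bind_s()` methods) are assumptions; the domain SID and id values are the ones shown above.

```python
"""Added example (not code from the mail, FreeIPA or slapi-nis): parse compat-tree
entries as ldapsearch prints them, check the SID <-> POSIX id mapping and run the
lookup-then-bind sequence the mail describes. Assumed, not from the mail: suffix
dc=example,dc=test and domain ad.example in the sample; SSSD's algorithmic id mapping
(POSIX id = base + RID), which the mail's ids fit; python-ldap-style `conn`."""
import re
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Constructed sample shaped like the mail's output; hypothetical names/suffix.
SAMPLE_LDIF = """\
dn: cn=domain admins@ad.example,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
gidNumber: 1442800512
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
cn: domain admins@ad.example

dn: uid=administrator@ad.example,cn=users,cn=compat,dc=example,dc=test
objectClass: posixAccount
uidNumber: 1442800500
gidNumber: 1442800500
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
uid: administrator@ad.example

result: 0 Success
"""


def parse_ldif(text):
    """RFC 2849 subset for ldapsearch output: folds continuation lines, skips
    comments and the search/result trailer, returns dicts attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, sep, value = line.partition(":")
            if sep and attr not in ("search", "result", "version"):
                current.setdefault(attr, []).append(value.strip())
    return entries


def check_compat_entry(entry):
    """Validate one compat entry; return (kind, domain_sid, rid, posix_id)."""
    if entry.get("schema-compat-origin") != ["sssd"]:
        raise ValueError("entry is not served from SSSD")
    classes = {c.lower() for c in entry.get("objectClass", [])}
    kind = ("user" if "posixaccount" in classes else
            "group" if "posixgroup" in classes else None)
    if kind is None:
        raise ValueError("neither posixAccount nor posixGroup")
    id_attr = "uidNumber" if kind == "user" else "gidNumber"
    sids, ids = entry.get("ipaNTSecurityIdentifier", []), entry.get(id_attr, [])
    if len(sids) != 1 or len(ids) != 1:
        raise ValueError("expected exactly one SID and one %s" % id_attr)
    m = SID_RE.match(sids[0])
    if not m:
        raise ValueError("not a domain SID: %r" % sids[0])
    return kind, m.group(1), int(m.group(2)), int(ids[0])


def id_mapping_consistent(entries):
    """True when each trusted domain maps RID -> POSIX id with one range base."""
    bases = {(dom, pid - rid) for _, dom, rid, pid in map(check_compat_entry, entries)}
    return len(bases) == len({dom for dom, _ in bases})


def dn_escape(value):
    """Escape an RDN attribute value per RFC 4514."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    out = re.sub(r"^([# ])", r"\\\1", out)
    return re.sub(r" $", r"\\ ", out)


def filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def compat_bind_dn(name, suffix):
    """Bind DN under the compat tree; SSSD lower-cases names, so do the same."""
    return "uid=%s,cn=users,cn=compat,%s" % (dn_escape(name.lower()), suffix)


def authenticate_compat_user(conn, suffix, name, password):
    """Lookup, then bind, in that order: the search makes slapi-nis fetch the
    user from SSSD so the entry exists by the time the simple bind runs."""
    hits = conn.search_s("cn=users,cn=compat,%s" % suffix, 2,  # ldap.SCOPE_SUBTREE
                         "(uid=%s)" % filter_escape(name.lower()), ["uid"])
    dn = compat_bind_dn(name, suffix)
    if not any(d.lower() == dn.lower() for d, _ in hits):
        return False                      # unknown to SSSD: do not try the bind
    try:
        conn.simple_bind_s(dn, password)  # python-ldap raises INVALID_CREDENTIALS
    except Exception:
        return False
    return True
```

Against a real master, `conn` is `ldap.initialize("ldaps://<master>")` from python-ldap, and the first `search_s` plays the role of the GSSAPI `ldapsearch` in the mail. Keep in mind the caveat from the man page text: the simple bind is checked through PAM's `system-auth` service on the master, so if `allow_all` is disabled and no HBAC rule covers that service on the masters, `authenticate_compat_user` returns False even for a correct password.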
