On Mon, Jul 15, 2013 at 08:14:52PM +0300, Alexander Bokovoy wrote:
> Hi!
>
> The attached patch allows enabling serving trusted domain users and groups
> through the Schema Compatibility plugin.
>
> The patch only does FreeIPA master configuration settings; the real work
> is done by the changes to the slapi-nis plugin (in a separate email).
>
> Since ipa-adtrust-install can safely be run multiple times, one can
> re-run it on the IPA master to enable serving old clients, by specifying
>
> ipa-adtrust-install --enable-compat
>
> or answering 'yes' to the interactive question.
>
> I have expanded the man page for ipa-adtrust-install to cover this option.
>
> Once enabled, the following is possible:
> ---------------------------------------------------------------------------
> # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(&(cn=domain
> adm...@ad.lan)(objectclass=posixgroup))'
> SASL/GSSAPI authentication started
> SASL username: ad...@vda.li
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=vda,dc=li> with scope subtree
> # filter: (&(cn=domain adm...@ad.lan)(objectclass=posixgroup))
> # requesting: ALL
> #
>
> # domain adm...@ad.lan, groups, compat, vda.li
> dn: cn=domain adm...@ad.lan,cn=groups,cn=compat,dc=vda,dc=li
> objectClass: posixGroup
> objectClass: extensibleObject
> objectClass: top
> gidNumber: 1442800512
> memberUid: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
> schema-compat-origin: sssd
> ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
> cn: domain adm...@ad.lan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ---------------------------------------------------------------------------
>
> and for users:
> ---------------------------------------------------------------------------
> # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li
> # '(uid=administra...@ad.lan)'
> SASL/GSSAPI authentication started
> SASL username: ad...@vda.li
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=vda,dc=li> with scope subtree
> # filter: (uid=administra...@ad.lan)
> # requesting: ALL
> #
>
> # administra...@ad.lan, users, compat, vda.li
> dn: uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li
> objectClass: posixAccount
> objectClass: extensibleObject
> objectClass: top
> gecos: Administrator
> cn: Administrator
> uidNumber: 1442800500
> gidNumber: 1442800500
> homeDirectory: /
> schema-compat-origin: sssd
> ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
> uid: administra...@ad.lan
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ----------------------------------------------------------------------------
>
> Currently PAM authentication is a bit broken due to a yet-to-hunt bug in
> SSSD or my environment (Jakub was unable to reproduce it) where SSSD
> thinks that the AD DC is offline during the authentication step.
>
> However, if you don't hit the bug, you can check authentication by doing
> the following bind and entering a password for your AD administrator:
> # ldapsearch -D uid=administra...@ad.lan,cn=users,cn=compat,dc=vda,dc=li \
> -W -x -C -a always -b dc=vda,dc=li '(uid=admin)'
>
> The bind operation needs to be performed _after_ the user lookup.
>
> All these commands are only examples; I'm currently working on seeing
> how to configure pam_ldap/nss_ldap to use the compat plugin this way.
> --
> / Alexander Bokovoy
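As an added example (not part of this thread or of FreeIPA's own code), a small Python check over the kind of compat-tree output quoted above: it parses the LDIF entries, confirms each one came through the SSSD lookup path (schema-compat-origin: sssd), and confirms that the POSIX IDs follow the base + RID pattern the quoted numbers exhibit (1442800512 - 512 and 1442800500 - 500 give the same base), which is how SSSD's ID mapping allocates IDs. The sample entries are constructed (names under ad.example are placeholders; the SIDs and ID numbers are the ones quoted above).

```python
SAMPLE_LDIF = """\
# constructed sample: the two compat entries quoted above, trimmed to the attributes checked
dn: cn=domain admins@ad.example,cn=groups,cn=compat,dc=vda,dc=li
objectClass: posixGroup
gidNumber: 1442800512
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512

dn: uid=administrator@ad.example,cn=users,cn=compat,dc=vda,dc=li
objectClass: posixAccount
uidNumber: 1442800500
schema-compat-origin: sssd
ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64/folding): '#' lines skipped, entries split on blank lines."""
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def rid_from_sid(sid):
    """Relative ID = last sub-authority of a domain SID (512 = Domain Admins, 500 = Administrator)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain SID: %r" % sid)
    return int(parts[-1])

def id_base(entry):
    """POSIX ID minus RID; SSSD ID mapping hands out base + RID, so entries of one domain slice agree."""
    attr = "gidNumber" if "posixGroup" in entry.get("objectClass", []) else "uidNumber"
    return int(entry[attr][0]) - rid_from_sid(entry["ipaNTSecurityIdentifier"][0])

def check_compat_entries(entries, expected_base=None):
    """{dn: [findings]}; flags a non-SSSD origin or a POSIX ID off the shared base + RID."""
    base = id_base(entries[0]) if expected_base is None else expected_base
    findings = {}
    for e in entries:
        findings[e["dn"][0]] = [msg for ok, msg in (
            (e.get("schema-compat-origin") == ["sssd"], "not served through the slapi-nis SSSD lookup path"),
            (id_base(e) == base, "POSIX ID is not base %d + RID" % base)) if not ok]
    return findings
```

Feed it the output of an ldapsearch against cn=compat,$SUFFIX on a master where --enable-compat has been run; an entry with findings is either a locally created object under the compat tree or an ID-mapping mismatch worth investigating.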
Hi, the patch looks mostly good to me. I only have some small nitpicks: > +++ b/install/tools/man/ipa-adtrust-install.1 
> @@ -106,6 +106,24 @@ The password of the user with administrative privileges > for this IPA server. Wil > .TP > The credentials of the admin user will be used to obtain Kerberos ticket > before configuring cross-realm trusts support and afterwards, to ensure that > the ticket contains MS-PAC information required to actually add a trust with > Active Directory domain via 'ipa trust-add --type=ad' command. > .TP > +\fB\-\-enable\-compat\fR > +Enables support for trusted domains users for old clients through Schema > Compatibility plugin. > +SSSD supports trusted domains natively starting with version 1.9 platform. > For platforms that ^^^^^^^^ The word "platform" looks a little extra here to me. > +lack SSSD or run older SSSD version one needs to use this option. When > enabled, slapi\-nis package > +needs to be installed and schema\-compat\-plugin will be configured to > provide lookup of > +users and groups from trusted domains via SSSD on IPA server. These users > and groups will be > +available under \fBcn=users,cn=compat,$SUFFIX\fR and > \fBcn=groups,cn=compat,$SUFFIX\fR trees. > +SSSD will normalize names of users and groups to lower case. > +.IP > +In addition to providing these users and groups through the compat tree, > this option enables > +authentication over LDAP for trusted domain users with DN under compat tree, > i.e. using bind DN > +\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR. This > authentication is related > +to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled > HBAC rule 'allow_all', then > +make sure there is special service called '\fBsystem\-auth\fR' created and > HBAC rule to allow > +access to anyone to this rule on IPA masters is added. Please note that > system-auth PAM service > +is not used directly by any other application, therefore it is safe to > create one specifically > +to support trusted domain users via compatibility path. 
The last sentence wasn't really clear to me, were you suggesting to create a special PAM service? > +.TP > .SH "EXIT STATUS" > 0 if the installation was successful > > diff --git a/ipaserver/install/adtrustinstance.py > b/ipaserver/install/adtrustinstance.py > index 4eb20d9..9ecc7e9 100644 > --- a/ipaserver/install/adtrustinstance.py > +++ b/ipaserver/install/adtrustinstance.py > @@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service): > except Exception, e: > root_logger.critical("Checking replicas for cifs principals > failed with error '%s'" % e) > > + def __enable_compat_tree(self): > + try: > + compat_plugin_dn = DN("cn=Schema > Compatibility,cn=plugins,cn=config") > + lookup_sssd_name = "schema-compat-lookup-sssd" > + for config in (("cn=users", "user"), ("cn=groups", "group")): > + entry_dn = DN(config[0], compat_plugin_dn) > + current = self.admin_conn.get_entry(entry_dn) > + lookup_sssd = current.get(lookup_sssd_name, []) > + if not(config[1] in lookup_sssd): > + current[lookup_sssd_name] = [config[1]] > + self.admin_conn.update_entry(entry_dn, current) > + except Exception, e: > + root_logger.critical("Enabling SSSD support in slapi-nis failed > with error '%s'" % e) > + > def __start(self): > try: > self.start() > @@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service): > > def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name, > reset_netbios_name, rid_base, secondary_rid_base, > - no_msdcs=False, add_sids=False, smbd_user="samba"): > + no_msdcs=False, add_sids=False, smbd_user="samba", > enable_compat=False): > self.fqdn = fqdn > self.ip_address = ip_address > self.realm = realm_name > @@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service): > self.secondary_rid_base = secondary_rid_base > self.no_msdcs = no_msdcs > self.add_sids = add_sids > + self.enable_compat = enable_compat > self.smbd_user = smbd_user > self.suffix = ipautil.realm_to_suffix(self.realm) > self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ 
> @@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service): > self.step("configuring smbd to start on boot", self.__enable) > self.step("adding special DNS service records", \ > self.__add_dns_service_records) > + > + if self.enable_compat: > + self.step("Enabling trusted domains support for older clients > via Schema Compatibility plugin", ^^^^ Nitpick: all the other steps begin with a lowercased letter. Only this one is uppercased, which makes the tool output look inconsistent: [15/21]: adding special DNS service records [16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin [17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account > + self.__enable_compat_tree) > + > self.step("restarting Directory Server to take MS PAC and LDAP > plugins changes into account", \ > self.__restart_dirsrv) > self.step("adding fallback group", self.__add_fallback_group) > -- > 1.8.3.1 >
Otherwise looks good to me and seems to be working fine.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
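Review bot: in the ipa-adtrust-install.1 hunk, the sentence "make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added" is the part the reviewer above could not follow, and it needs two fixes: "to this rule" should read "to this service", and the text should state plainly that the admin has to create an HBAC service named system-auth and what the rule must grant. Since this only matters once the allow_all rule has been disabled, i.e. exactly when the admin is restricting access, suggest documenting the minimal rule (service system-auth, hosts limited to the IPA masters, only the trusted-domain users or groups that need the compat bind path) instead of "access to anyone", and adding that the bind shown in the original mail is a password (simple) bind and should therefore only be offered over TLS.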
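Review bot: in the __enable_compat_tree hunk, `current[lookup_sssd_name] = [config[1]]` replaces the whole schema-compat-lookup-sssd attribute instead of adding to it, so any value already present that is not config[1] is silently dropped; if the attribute is multi-valued this should be `current[lookup_sssd_name] = lookup_sssd + [config[1]]`, and if it is meant to hold exactly one value the `if not(config[1] in lookup_sssd)` test is redundant. Separately, the `except Exception, e:` only logs at critical level and returns, so the installer step is reported as done and ipa-adtrust-install --enable-compat can exit successfully with the compat tree never enabled; the preceding method follows the same log-and-continue pattern, but for a feature that old clients will depend on for authentication it would be safer to re-raise so the failure is visible at the end of the run.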