>> I'm working with the IPA web services to provision users across a one-way
>> trust with IPA. I have looked at the id_view_* services and am trying to
>> wrap my head around a few details:
>>
>> 1. When I ssh into a Linux box that's a member of the IPA domain with my
>> AD user, IPA creates an object in LDAP and assigns a gid and uid to it,
>> but when I create the user in the ID View under the Default Trust View
>> the information from the object isn't there, BUT when I set the shell it
>> gets written to the directory object when I update the shell attribute.
>> Shouldn't the user's gid/uid be visible there as part of the view?
>
> IPA does not create any specific object in LDAP when you are ssh-ing
> into a Linux box. That simply does not happen and never was.
>
> Can you demonstrate what you are talking about with a concrete example
> using 'ipa idoverrideuser-*' commands?
>
IPA Domain - rhelent.lan
AD Domain - ent2k12.domain.com
One-way trust, with rhelent.lan trusting ent2k12.domain.com

1. Create a user in AD - t...@ent2k12.domain.com
2. Search IPA's 389 for (uid=t...@ent2k12.domain.com): no results
3. Log in to a server in rhelent.lan
4. sudo su - t...@ent2k12.domain.com
5. id:
   uid=160812321(t...@ent2k12.domain.com) gid=160812321(t...@ent2k12.domain.com) groups=160812321(t...@ent2k12.domain.com),160800513(domain us...@ent2k12.domain.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
6. Search IPA's 389 for (uid=t...@ent2k12.domain.com): found at uid=t...@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
7. Log in to the IPA web interface - create a user override for uid=t...@ent2k12.domain.com with a shell of /bin/bash
8. Search IPA's 389 for (uid=t...@ent2k12.domain.com): found at uid=t...@ent2k12.domain.com,cn=users,cn=compat,dc=rhelent,dc=lan, no shell attribute
9. sudo su - t...@ent2k12.domain.com - now my default shell is bash

I thought I would see a shell attribute after #8, but that's not the case. Where is the override stored?

>> 2. When I add a user from AD to an external group, should I specify
>> the userPrincipalName as the external member?
>
> You should specify something that SSSD will be able to resolve to an AD
> user. It could be username@domain or NetBIOS\username or anything else
> that SSSD could resolve.
>

OK, that makes sense.

>> 3. Is there a way to get IPA to trigger the creation of the LDAP
>> object that represents the AD user via a web service instead of
>> logging in or sudoing over to that user?
>
> No. And both sudoing or logging in into the host does not create the
> LDAP object as well. You as administrator should create those entries.
>

This doesn't seem to line up with the steps produced above. What am I missing?
Thanks

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7TBJWVWPGE55WXCSTLGHYJLSAJO5LRHR/
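An added example, not part of the thread, that illustrates the numbers in step 5: the uid/gid of a trusted-domain user are not stored as attributes of an LDAP object but derived by SSSD from the user's SID (its RID) plus the base of the trust's ID range, which is why the compat entry carries no uid/gid and the override only records what you set. The `id` output is taken from the post; the ID range base (160800000), its size, and the SID are assumptions (the real values come from `ipa idrange-find` and the user's AD object).

```python
import re
from dataclasses import dataclass

# Constructed from step 5 of the thread (SELinux context dropped for brevity).
ID_OUTPUT = (
    "uid=160812321(t...@ent2k12.domain.com) gid=160812321(t...@ent2k12.domain.com) "
    "groups=160812321(t...@ent2k12.domain.com),160800513(domain us...@ent2k12.domain.com)"
)
# ASSUMED trust ID range; check with `ipa idrange-find` on a real deployment.
BASE_ID = 160800000
RANGE_SIZE = 200000
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users" in any AD domain
# Placeholder SID for the AD user; the domain part is invented, the RID fits the uid above.
USER_SID = "S-1-5-21-111111111-222222222-333333333-12321"


@dataclass(frozen=True)
class IdRange:
    base_id: int
    size: int

    def rid_to_posix(self, rid: int) -> int:
        """Map an AD RID to a POSIX id the way an ipa-ad-trust range does."""
        if not 0 <= rid < self.size:
            raise ValueError(f"RID {rid} outside range of size {self.size}")
        return self.base_id + rid

    def posix_to_rid(self, posix_id: int) -> int:
        """Inverse mapping: recover the RID from a uid/gid in this range."""
        if not self.base_id <= posix_id < self.base_id + self.size:
            raise ValueError(f"id {posix_id} not in this range")
        return posix_id - self.base_id


def sid_rid(sid: str) -> int:
    """The RID is the last sub-authority of the SID."""
    m = re.fullmatch(r"S-1-\d+(?:-\d+)+", sid)
    if not m:
        raise ValueError(f"malformed SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


def parse_id_output(text: str) -> dict:
    """Parse `id` output into uid, gid and [(gid, name), ...] groups."""
    uid = int(re.search(r"\buid=(\d+)", text).group(1))
    gid = int(re.search(r"\bgid=(\d+)", text).group(1))
    groups = [(int(g), n) for g, n in re.findall(r"(\d+)\(([^)]*)\)", text.split("groups=", 1)[1])]
    return {"uid": uid, "gid": gid, "groups": groups}
```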