2014-09-14 1:14 GMT+02:00 Dmitri Pal <d...@redhat.com>:
> On 09/13/2014 05:27 PM, Gregor Bregenzer wrote:
>>
>> Hi!
>>
>> There are two ways that you can use to integrate FreeIPA with AD: a.)
>> trust b.) synchronization  Here are the pros/cons for both of them:
>> http://www.freeipa.org/docs/master/html-desktop/index.html#trust-sync
>>
>> If you want to manage POSIX attributes for each user can do that with
>> either identity management for Unix at AD using the trust, or with the
>> synchronzation at FreeIPA. With synchronization you see the users to
>> in FreeIPA, but still have to two users to manage - in FreeIPA and AD.
>> With the AD trust the sssd daemon running on FreeIPA is proxying all
>> request from the client sssd directly to AD
>
> This is not exactly true. SSSD understands that IPA and AD are in trust
> relations. If you use user name and password to login SSSD will turn to AD
> directly without sending password over the wire. If you SSO into the linux
> box the kerberos library (on you windows client) will do all the ticket
> acquisition and redirects.
>
> The proxy is already done for older clients that does not understand that
> IPA is in trust relations with AD.
> http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf
>

Sorry, there are two things i did not mention a.) no SSO, b.) Linux
Client SSSD requesting UID/GID.

a.) if you ssh login from a Windows client that is _not_ joined in AD
or a standalone Linux box - so no SSO. Because there the destination
Linux clients with sssd (1.9.2 with AD trust compatibilty with ipa
provider, or 1.11+ with full AD trust capability) still need SSSD on
the FreeIPA Server that will forward the authentication requests to
AD. In slide 30 of
http://www.freeipa.org/images/2/2e/FreeIPA33-trust.pdf it states:

"SSSD is used behind the scenes on the FreeIPA server
to lookup up users in trusted AD domains
SSSD on FreeIPA clients will forward resolution requests
to FreeIPA servers through FreeIPA LDAP server plugin"

b.) If you have a client that is authenticating using Kerberos and
therefore SSO, the destination Linux sssd client still needs the sssd
client on the FreeIPA server to lookup the UID/GID. So there's the
authentication process either with SSO or without SSO, and there's the
lookup process for the attributes - am i correct?

>> , so you see no users in
>> FreeIPA, but you have to extend the AD schema using Identity
>> Management for unix.
>
>
> You really have two options: let SSSD to map users dynamically, in this case
> you do not need AD schema extensions or you can extend schema as suggested.
> The third option that is under development is described in my other reply.

What happens if you have already defined the UID/GID with the schema
extension on AD and have legacy Linux clients using them, but you
still want to use the exact UID/GID _and_ make use of all the great
features offered in FreeIPA such as HBAC, sudorules, etc.? Then only
the AD Trust with SSSD 1.11+ with full AD trust feature set is working
- correct (because 1.9.2 with ipa provider cannot get the GID from
AD)?

>> Also the password policy from the group policy in
>> AD is used when you use the AD trust, but on clients with sssd you can
>> change the password using kpasswd from Kerberos. If you want to use a
>> trust with AD and want to receive the correct GID set in AD then you
>> have to use sssd >1.9.x, otherwise you get a different GID (see
>>
>> https://www.redhat.com/archives/freeipa-users/2014-September/msg00192.html)
>>
>> All other stuff such as HBAC etc. can be centrally managed on FreeIPA,
>> no matter if you use a trust or synchronzation.
>>
>> Gregor
>>
>> 2014-09-13 22:03 GMT+02:00 Traiano Welcome <trai...@gmail.com>:
>>>
>>> Hi List
>>>
>>> Currently I have a stable trust relationship going between IPA and
>>> Windows
>>> AD. I create users and manage passwords in AD, but want to manage the
>>> rest
>>> in IPA, "the rest" being default shell, default home directory settings,
>>> RBAC, HBAC, Selinux  etc ..
>>>
>>> What I'm expecting it to be able to log into the FreeIPA web interface,
>>> and
>>> see a synched list of users created in AD appear in the interface, after
>>> which I can modify the settings on a per user basis.
>>>
>>> If that level of granularity is not possible, I would then expect to be
>>> able
>>> to at least apply an IPA-imposed set of account defaults on and AD user
>>> group:
>>>
>>> - default shell
>>> - HBAC rules
>>> - Sudo rules
>>> - SELinux rules
>>> - RBAC
>>>
>>> Is this possible with FreeIPA? I can't find anything coherent in the
>>> documentation that describes an effective way of managing the POSIX
>>> attributes of AD users in FreeIPA.
>>>
>>> Thanks in advance!
>>> Traiano
>>>
>>>
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to