From: [] on behalf of Dmitri Pal []
Sent: Saturday, March 21, 2015 10:42 AM
Subject: Re: [Freeipa-users] Password entry through Trust not correct

On 03/20/2015 08:56 PM, McEvoy, James wrote:
When I look at the password entries for my rfc2307 account in Active Directory I get three different answers. The only correct one is on a server where I used sssd to join AD directly (the last one). Do I need to configure rfc2307? When I configured the server to join AD directly I used the option --enablerfc2307bis when I ran authconfig.

from a freeipa client:
$ getent passwd<>*:10001:10004::/home/<UrlBlockedError.aspx>:

from the ipa server:
[root@ipa ~]# getent passwd<>*:10001:10004:James<UrlBlockedError.aspx> 

from a server that joined AD directly using sssd:
$ getent passwd<>
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash


Let us step back.
What versions of the server and of the client and on what platforms?

When you set up the trust, how did you set it up?
It might be that the IPA server did not detect that you have POSIX extensions in AD.
There are some heuristics involved, so you should probably use explicit parameters to tell IPA whether you have POSIX in AD or not.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
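An added check, not from this thread and not part of FreeIPA or SSSD, that parses getent passwd output like the three results quoted above and reports which POSIX attributes did not come through. The sample lines are constructed from the jemcevoy entry in the thread; the user@domain form of the second line is an assumption about what the trust-side entry looked like. If only uid/gid survive while GECOS and shell are empty, the trust's ID range type on the IPA server is the thing to verify (ipa idrange-find lists it).

```python
from typing import Dict, List

# Constructed sample lines modelled on the thread: one entry from a host that
# joined AD directly (all POSIX fields filled), one from an IPA client where
# only uid/gid came through the trust (empty GECOS, templated home, no shell).
# The user@domain name and the domain itself are placeholders, not thread values.
SAMPLE_GETENT = """\
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
jemcevoy@example.test:*:10001:10004::/home/jemcevoy@example.test:
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split getent passwd output into one dict per 7-field entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        entries.append(dict(zip(PASSWD_FIELDS, parts)))
    return entries


def audit_entry(entry: Dict[str, str]) -> List[str]:
    """Return the POSIX attributes that did not come through for this entry.

    uid/gid must be numeric; gecos and shell must be non-empty; a home
    directory that just embeds the qualified user name is the fallback
    template, not a value read from the AD POSIX attributes.
    """
    problems = []
    for field in ("uid", "gid"):
        if not entry[field].isdigit():
            problems.append(f"{field} not numeric")
    if not entry["gecos"]:
        problems.append("gecos empty")
    if not entry["shell"]:
        problems.append("shell empty")
    if "@" in entry["home"]:  # e.g. /home/user@domain, the templated fallback
        problems.append("home templated from user@domain")
    return problems


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Map each entry name to its list of missing or defaulted POSIX attributes."""
    return {e["name"]: audit_entry(e) for e in parse_passwd(text)}


if __name__ == "__main__":
    for name, problems in audit_passwd(SAMPLE_GETENT).items():
        print(name, "->", "ok" if not problems else ", ".join(problems))
```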

Hi Dmitri,

My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64

The freeipa server has a trust with a Windows 2008R2 Active Directory
domain named ENAS.Net.

The client is in an LXC container with both the hosting server and the
LXC guest running Fedora 20.
The client is running freeipa-client-3.3.5-1.fc20.x86_64.

This is at the top of the file /var/log/ipaclient-install.log in the client:

2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None, 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}

The client is getting the correct POSIX uid/gid from Active Directory, it is the
home directory which looks samba style to me and the shell is completely 

Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
results when it joins freeipa and uses the trust.  I will try both directly and
from an LXC guest to see if the correct POSIX attributes get passed through from
the Active Directory Identity Management for Unix plugin.

  -- jim
