On Sun, Mar 22, 2015 at 04:44:42PM +0000, McEvoy, James wrote:
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Saturday, March 21, 2015 10:42 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password entry through Trust not correct
> On 03/20/2015 08:56 PM, McEvoy, James wrote:
> When I look at the password entries for my rfc2307 account in Active
> Directory I get three different answers.
> The only correct one is on a server where I used sssd to join AD directly
> (the last one).  Do I need to configure rfc2307?  When I configured the
> server to join AD directly I use the option --enablerfc2307bis when I run
> authconfig.
> from a freeipa client:
> $ getent passwd jemce...@enas.net
> jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:
> from the ipa server:
> [root@ipa ~]# getent passwd jemce...@enas.net
> jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash
> from a server that joined AD directly using sssd:
> $ getent passwd jemce...@enas.net
> jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
> Hi,
> Let us step back.
> What versions of the server and of the client and on what platforms?
> When you set trust, how did you set it?
> It might be that IPA server did not detect that you have POSIX extensions
> in AD.
> There are some heuristics involved so probably you should use explicit
> parameters to tell IPA whether you have POSIX in AD or not.
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> Hi Dmitri,
> My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
> The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64
> The freeipa server has a trust with a Windows 2008R2 Active Directory
> domain named ENAS.Net.
> The client is in an LXC container with both the hosting server and the
> LXC guest running Fedora 20.
> The client is running freeipa-client-3.3.5-1.fc20.x86_64.
> This is at the top of the file /var/log/ipaclient-install.log in the client:
> 2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None, 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
> The client is getting the correct POSIX uid/gid from Active Directory, it
> is the home directory which looks samba style to me and the shell is
> completely missing.
> Monday morning (PDT) I will kickstart another server with Fedora 21 to see
> the results when it joins freeipa and uses the trust.  I will try both
> directly and from an LXC guest to see if the correct POSIX attributes get
> passed through from the Active Directory Identity Management for Unix
> plugin.

With FreeIPA server 3.x what you are seeing is actually expected. The
ability to transfer additional POSIX attributes from the server to the
client was only added in 4.x, sorry.

In the meantime, I wonder if the various
subdomain_homedir/override_homedir/override_shell etc.
attributes would be helpful on the clients?

Finally, please note that the most important parts are the UID and GID
attributes so that you can access your files.
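
As an added example (not part of the original thread), the following Python code compares `getent passwd` output for one account across hosts: it checks the UID/GID agreement that the reply singles out and lists which of the remaining fields are empty or differ. The host labels and the account `jdoe@ad.example` are constructed sample values modelled on the three outputs quoted above.

```python
from typing import Dict, NamedTuple

# Fields that may legitimately differ between hosts but are worth reporting.
SOFT_FIELDS = ("gecos", "home", "shell")


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(line: str) -> PasswdEntry:
    """Parse one passwd(5) line as printed by `getent passwd <user>`."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
    name, pw, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def compare_hosts(lines: Dict[str, str]) -> dict:
    """Compare one account's passwd entry as seen from several hosts."""
    entries = {host: parse_passwd(line) for host, line in lines.items()}
    # UID and GID decide file ownership, so they must match everywhere.
    ids = {(e.uid, e.gid) for e in entries.values()}
    # Empty fields, e.g. a shell that was not transferred to the client.
    empty = {host: [f for f in SOFT_FIELDS if not getattr(e, f)]
             for host, e in entries.items()}
    # Fields whose value is not the same on every host.
    differing = [f for f in SOFT_FIELDS
                 if len({getattr(e, f) for e in entries.values()}) > 1]
    return {"ids_consistent": len(ids) == 1,
            "empty": {h: f for h, f in empty.items() if f},
            "differing": differing}


# Constructed sample input, one line per host (not real output).
SAMPLE = {
    "ipa-client": "jdoe@ad.example:*:10001:10004::/home/ad.example/jdoe:",
    "ipa-server": "jdoe@ad.example:*:10001:10004:J Doe:/home/ad.example/jdoe:/bin/bash",
    "ad-direct": "jdoe:*:10001:10004:J Doe:/home/jdoe:/bin/bash",
}

if __name__ == "__main__":
    print(compare_hosts(SAMPLE))
```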
