On Wed, 15 Apr 2015, Aric Wilisch wrote:
So I would have to set up an ID View Override for every user in AD that
needs to log in to a FreeIPA host?

I guess I’m having trouble understanding why it wouldn’t just use the
defaults set into FreeIPA? The Default home directory is set to /home
and the default shell is set to /bin/bash.

Because you have options on how you would set identity mapping for AD
users, there is no single way to apply these defaults.

- You can have POSIX attributes defined in Active Directory.
 - this means you can use any existing tool on Windows to set POSIX
   attributes for each user manually or with automation tools

 - FreeIPA will notice the attributes and configure ID ranges of the
   trusted domains to pick up POSIX attributes from Active Directory

 - SSSD will use ID range type to pull POSIX attributes from Active

- You can have POSIX attributes generated automatically for AD users by
 - this means some safe defaults will be applied by SSSD running on IPA
   master, these are based on sssd.conf options for subdomain_*

 - these defaults will affect only the UID/GID information of AD users
   for client-side SSSD <1.12 because old SSSD doesn't know how to pick
   up the rest of the attributes

 - for SSSD >= 1.12 the defaults from IPA master will be honored by IPA
   clients automatically

- in both cases ID View 'Default Trust View' can be used to configure
 POSIX attributes for AD users explicitly. There are no templates

If templating is needed in ID Views, a ticket could be filed. Perhaps it
is a good idea but it will take time to implement in FreeIPA
(management), SSSD and slapi-nis (application of defaults).

This is a lot of work to go to unless there’s a way to set it globally
for the entire domain. Also noticing sudo doesn’t work for those users
even though I have the ad_admins group added to the sudo group I

Open a separate thread and provide SSSD logs, our debugging capabilities
are distinguishable from magic and thus require help from you. ;)

/ Alexander Bokovoy
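
Since ID Views have no templates, the same defaults can be applied from the outside by generating one explicit override per AD user in the 'Default Trust View'. The script below is an added example, not part of the thread or of FreeIPA; the user names, the ad.example.test domain and the /home/<login> layout are constructed assumptions, and it only prints commands for review rather than running them.

```shell
#!/bin/sh
# Assumed defaults, taken from the values asked about in the thread.
HOME_BASE="/home"
LOGIN_SHELL="/bin/bash"
ID_VIEW="Default Trust View"

# Accept only plain user@domain names, so a crafted entry cannot smuggle
# options or shell metacharacters into a generated command line.
valid_name() {
    case "$1" in
        *[!A-Za-z0-9._@-]*)        return 1 ;;  # character outside allowed set
        *@*@*)                     return 1 ;;  # more than one '@'
        [A-Za-z0-9]*@[A-Za-z0-9]*) return 0 ;;  # neither part starts with - or .
        *)                         return 1 ;;
    esac
}

# Read AD user names (one per line) on stdin and print one
# `ipa idoverrideuser-add` command per valid name. Nothing is executed.
render_overrides() {
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # blank lines, comments
        if ! valid_name "$name"; then
            printf 'skipped invalid name: %s\n' "$name" >&2
            continue
        fi
        login="${name%%@*}"
        printf "ipa idoverrideuser-add '%s' %s --homedir=%s/%s --shell=%s\n" \
            "$ID_VIEW" "$name" "$HOME_BASE" "$login" "$LOGIN_SHELL"
    done
    return 0
}

# Constructed sample input; the last entry is deliberately malformed.
sample_users() {
    printf '%s\n' 'alice@ad.example.test' '# contractors' \
        'bob.smith@ad.example.test' 'eve@ad.example.test; id'
}

sample_users | render_overrides
```

After reviewing the printed commands, they can be run on an enrolled host by an administrator holding a valid Kerberos ticket.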
