On Wed, 15 Apr 2015, Aric Wilisch wrote:
> So I would have to set up an ID View Override for every user in AD that
> needs to log in to a FreeIPA host?
>
> I guess I’m having trouble understanding why it wouldn’t just use the
> defaults set into FreeIPA? The Default home directory is set to /home
> and the default shell is set to /bin/bash.

Because you have options on how you would set identity mapping for AD
users, there is no single way to apply these defaults.
- You can have POSIX attributes defined in Active Directory.
  - this means you can use any existing tool on Windows to set POSIX
    attributes for each user manually or with automation tools
  - FreeIPA will notice the attributes and configure ID ranges of the
    trusted domains to pick up POSIX attributes from Active Directory
  - SSSD will use ID range type to pull POSIX attributes from Active
- You can have POSIX attributes generated automatically for AD users by
  - this means some safe defaults will be applied by SSSD running on IPA
    master, these are based on sssd.conf options for subdomain_*
  - these defaults will affect AD users' only UID/GID information for
    client-side SSSD <1.12 because old SSSD doesn't know how to pick up
    the rest of attributes
  - for SSSD >= 1.12 the defaults from IPA master will be honored by IPA
- in both cases ID View 'Default Trust View' can be used to configure
  POSIX attributes for AD users explicitly. There are no templates

If templating is needed in ID Views, a ticket could be filed. Perhaps it
is a good idea but it will take time to implement in FreeIPA
(management), SSSD and slapi-nis (application of defaults).

> This is a lot of work to go to unless there’s a way to set it globally
> for the entire domain. Also noticing sudo doesn’t work for those users
> even though I have the ad_admins group added to the sudo group I

Open a separate thread and provide SSSD logs, our debugging capabilities
are distinguishable from magic and thus require help from you. ;)
/ Alexander Bokovoy
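
The per-user 'Default Trust View' override discussed in this message can be scripted. The following is an added example, not part of the original message or of FreeIPA itself. The domain ad.example.test, the user list and the function names are constructed, and /home/<login> assumes a single trusted domain.

```shell
#!/bin/sh
# Added example, not from the thread: create 'Default Trust View' overrides
# for a list of AD users. Dry-run by default; APPLY=1 runs ipa for real and
# assumes an enrolled host plus a valid admin Kerberos ticket.
LC_ALL=C; export LC_ALL
VIEW='Default Trust View'
HOME_BASE=/home          # home base and shell as quoted in the thread
LOGIN_SHELL=/bin/bash

# Accept only lowercase user@domain names built from safe characters, so a
# list entry cannot inject options or path components into the command.
valid_ad_user() {
    case $1 in
        *[!a-z0-9._@-]*|[-.@]*|*..*|*@*@*|*@) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

add_override() {
    user=$1
    valid_ad_user "$user" || { echo "skip: invalid name: $user" >&2; return 1; }
    login=${user%@*}
    if [ "${APPLY:-0}" = 1 ]; then
        # </dev/null keeps ipa from consuming the user list on stdin
        ipa idoverrideuser-add "$VIEW" "$user" \
            --homedir="$HOME_BASE/$login" --shell="$LOGIN_SHELL" </dev/null
    else
        echo "ipa idoverrideuser-add '$VIEW' $user" \
             "--homedir=$HOME_BASE/$login --shell=$LOGIN_SHELL"
    fi
}

# Read one user per line from stdin; blank lines and '#' comments are ignored.
apply_overrides() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        add_override "$line" || rc=1
    done
    return "$rc"
}

# Constructed sample input; the last two entries must be rejected.
apply_overrides <<'EOF' || echo "some entries were rejected" >&2
alice@ad.example.test
bob.smith@ad.example.test
--uid=0@ad.example.test
../root@ad.example.test
EOF
```

Review the dry-run output before setting APPLY=1, since each override changes the home directory and shell the user gets on every client that applies the Default Trust View.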