On Wed, Feb 03, 2016 at 03:59:55AM +0000, Simpson Lachlan wrote:
> IPA is successfully installed, a one way trust created, and we have been able to
> login using AD credentials.
>
> For future googlers, there is some bare bones documentation on how to allow AD
> users to login to your system, under the heading "Allow access for users from AD
> domain to protected resources"
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Configure_IPA_server_for_cross-realm_trusts
>
> I can confirm this works for a one directional trust (IPA trusts AD), since that
> is what we have.
>
> Question/Issue:
>
> Currently I have two logins, one in the AD domain and one on each server in
> the IPA domain. The desire is to close that gap.
>
> We were under the impression that, utilising idoverrideuser, we could map
> AD's
>
> "Smith Jane"@example.org (or EXAMPLE\Jane Smith; yes I know our AD logins
> have spaces in them, it's a technical debt that has no solution roadmap within
> the org) to
>
> jsm...@unix.example.org (which we would set up in IPA),
>
> and be able to override certain aspects, like:
>
> - instead of using the clumsy
>
> ssh "Smith Jane"@example....@host1.unix.example.org

btw normally you can login with samAccountName or UPN. I find it a bit odd
that samAccountName would contain "Smith Jane", I would expect that to be in
the gecos attribute. Maybe in this case using UPN would be at least a bit
easier, because you wouldn't have to quote it?

> to login to a system, we could use:
>
> ssh jsm...@host1.unix.example.org

No, this cannot be done, at least not this way. While you can "remap" the AD
usernames to a different one with the id overrides functionality (so that
"Smith Jane" might have a different name), you would still need to use the
fully qualified name, not a shortname. This is because the trusted AD domain
is a subdomain in SSSD lingo and all subdomains are implicitly fully
qualified.

If you want to use shortnames for your AD logins, you can use the
default_domain_suffix option. But then only the domain that you put into this
option's value can use short names and all other domains (including the IPA
domain) must be fully qualified.

> and that via the ID Views Default Trust View the IPA server would:
> - see that jsmith is "Smith Jane" in AD
> - authenticate against "Smith Jane"'s AD password
> - see that jsmith's uid now needs to be 1500 instead of 17890983
> - see that jsmith's home should be /home/jsmith, creating this dir if it
>   doesn't exist
> - see that jsmith's shell is /bin/bash
>
> Am I merely imagining that this is possible?
>
> My information came from various blog posts on the RH blog that suggested such a
> thing was possible, and this post on the FreeIPA site:
>
> http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust#ID_Views
>
> Given the above use case, can I please get advice on:
>
> - is there a preferred order in which IPA user (jsm...@unix.example.org) is
>   created and AD user (EXAMPLE\Smith Jane) has their ID Views Default Trust
>   View entry created?
> - for the creation of homedir on login, does this need to be done per host, via
>   ipa-client-install's --mkhomedir option rather than per user?
>
> Have I missed something?
>
> Cheers
> L.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
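The trade-off the reply describes (an ID override changes the user's attributes but not the need to qualify the name; default_domain_suffix buys short names for exactly one domain and makes every other domain, the IPA domain included, fully qualified) as an added example that is not part of the original thread and is not SSSD or FreeIPA code. It models SSSD's name-qualification rule against a constructed user list for the unix.example.org IPA domain and the example.org AD domain from the question; the AD login 'smith jane', the override login 'jsmith' and the IPA users 'admin' and 'backup' are assumptions taken from or added to the question.

```shell
#!/bin/sh
# Added example, not code from the original thread, SSSD or FreeIPA.
# Models the login-name qualification rule from the reply for an IPA domain
# unix.example.org with a trusted AD domain example.org.

# Constructed directory contents ("domain|login" lines, assumptions).
# 'jsmith' is the login an override in the Default Trust View would give
# the AD user 'smith jane'; it is still an example.org (AD) user, so it
# only changes what the name is, not which domain it belongs to.
USERS='unix.example.org|admin
unix.example.org|backup
example.org|smith jane
example.org|jsmith'

# The override itself would be created with the real FreeIPA CLI, roughly:
#   ipa idoverrideuser-add 'Default Trust View' 'smith jane@example.org' \
#       --login=jsmith --uid=1500 --homedir=/home/jsmith --shell=/bin/bash
# (anchor spelling is an assumption; SSSD lower-cases AD names).

# sssd.conf fragment for the clients that should accept bare AD logins.
# With this set, a bare name is looked up in example.org only, so IPA users
# must then be typed as user@unix.example.org.
sssd_conf_fragment() {
    cat <<'EOF'
[sssd]
domains = unix.example.org
default_domain_suffix = example.org
EOF
}

# resolve LOGIN [DEFAULT_DOMAIN_SUFFIX]
# Prints the fully qualified name the lookup would succeed with, or NOTFOUND.
#  - a login containing '@' is taken as fully qualified and looked up as-is;
#  - a bare login is looked up in default_domain_suffix when that is set,
#    otherwise only in the IPA domain (trusted domains are always qualified).
resolve() {
    login="$1"
    suffix="${2:-}"
    case "$login" in
        *@*)
            name="${login%@*}"
            domain="${login##*@}"
            ;;
        *)
            name="$login"
            if [ -n "$suffix" ]; then
                domain="$suffix"
            else
                domain="unix.example.org"
            fi
            ;;
    esac
    if printf '%s\n' "$USERS" | grep -qxF "$domain|$name"; then
        printf '%s@%s\n' "$name" "$domain"
    else
        printf 'NOTFOUND\n'
    fi
}

# Walk through both configurations so the trade-off is visible.
demo() {
    echo "# without default_domain_suffix"
    for l in jsmith admin jsmith@example.org 'smith jane@example.org'; do
        printf '%-28s -> %s\n' "$l" "$(resolve "$l")"
    done
    echo "# with default_domain_suffix = example.org"
    for l in jsmith admin admin@unix.example.org; do
        printf '%-28s -> %s\n' "$l" "$(resolve "$l" example.org)"
    done
}

demo
```

Without the option the override login 'jsmith' is only reachable as jsmith@example.org; with it, 'jsmith' works bare but 'admin' has to become admin@unix.example.org on those clients, which is the cost the reply warns about.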