Hi all,

I have a question about IPA with an AD forest trust. What I am trying to do is
set up an environment where all information about users is stored in one place -
AD. I would like to read at least uid, home, shell and sshkey from AD.

I have set up the trust with these parameters:

ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix 

[root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range 
Range name: EXAMPLE.TT_id_range 
First Posix ID of the range: 1392000000 
Number of IDs in the range: 200000 
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756 
Range type: Active Directory trust range with POSIX attributes 

I have set these attributes in AD for u...@example.tt:
- uidNumber - 10000
- homeDirectory - /home/user
- loginShell - /bin/bash

The trust itself works fine. I can kinit as u...@example.tt, I can run id and
getent passwd u...@example.tt, and I can use u...@example.tt for ssh.

The problem is that I am not getting the uid from AD but from the idrange:


Also, I have tried to switch off ID mapping in sssd.conf with ldap_id_mapping =
true in sssd.conf, but no luck.

I know that it is probably better to use ID views for this, but in our case we
need a centrally managed environment where all user information is inserted
into AD externally from the HR system - including POSIX attributes - and we
need IPA to read them from AD.

So my questions are:

Is it possible to read users' POSIX attributes directly from AD - namely uid?
Which attributes can be stored in AD?
Am I doing something wrong?

My sssd.conf:

[domain/a.example.tt]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_id_mapping = true
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = a.example.tt
debug_level = 5

[nss]
homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

debug_level = 5


debug_level = 4

debug_level = 4

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
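A quick way to tell whether a trusted user's uid was generated from the trust ID range or read from the AD uidNumber attribute is to compare the uid that getent returns against the range shown by ipa idrange-show. The script below is an added example, not code from the original post or from FreeIPA/SSSD. It takes the range base and size from the idrange output above; the passwd lines it classifies are constructed samples, and check_user is a hypothetical wrapper that resolves a real user with getent on a host joined to the trust.

```shell
#!/bin/sh
# Added diagnostic: classify where a trusted AD user's uid came from.
# RANGE_BASE/RANGE_SIZE are the values from `ipa idrange-show EXAMPLE.TT_id_range`
# in the post; any uid inside [base, base+size) was allocated from the IPA
# range (RID-based mapping), anything else came from a uidNumber stored in AD.
RANGE_BASE=1392000000
RANGE_SIZE=200000

# uid_source PASSWD_LINE BASE SIZE
# Prints "idrange" when the uid field falls inside the trust range,
# "posix-attr" when it does not, "invalid" when the uid is not numeric.
uid_source() {
    line=$1; base=$2; size=$3
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    case $uid in
        ''|*[!0-9]*) printf 'invalid\n'; return 2 ;;
    esac
    if [ "$uid" -ge "$base" ] && [ "$uid" -lt $((base + size)) ]; then
        printf 'idrange\n'
    else
        printf 'posix-attr\n'
    fi
}

# check_user USER BASE SIZE (hypothetical live variant; needs SSSD + the trust)
# Resolves USER through NSS and classifies the uid it is actually being given.
check_user() {
    line=$(getent passwd "$1") || { printf 'unknown user: %s\n' "$1" >&2; return 1; }
    uid_source "$line" "$2" "$3"
}

# Constructed sample lines (not output captured from the poster's system).
# The first looks like a range-mapped user, the second like one whose
# uidNumber=10000 from AD was honoured.
SAMPLE_MAPPED='user@example.tt:*:1392001106:1392001106:user:/home/example.tt/user:/bin/sh'
SAMPLE_POSIX='user@example.tt:*:10000:10000:user:/home/user:/bin/bash'

uid_source "$SAMPLE_MAPPED" "$RANGE_BASE" "$RANGE_SIZE"   # idrange
uid_source "$SAMPLE_POSIX"  "$RANGE_BASE" "$RANGE_SIZE"   # posix-attr
```

On a joined host, run check_user u...@example.tt 1392000000 200000 instead of the sample calls; a result of idrange means SSSD is still allocating the uid from the trust range rather than using the uidNumber set in AD, which is exactly the symptom described above.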