On Wed, 20 Jul 2016, Jan Karásek wrote:

thank you.

ldapsearch reply:

search: 2
result: 32 No such object
matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
match of:

actually when I look under the CN=RpcServices,CN=System,DC=rwe,DC=tt - it is 

Did I miss setting something on the AD side?
Yes. You need to set up IDMU. However, in Windows Server 2016 Microsoft
removed the IDMU tools. The LDAP schema will stay but there will
be no means to visually edit POSIX attributes.



From: "Justin Stephenson" <jstep...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz>
Cc: freeipa-users@redhat.com
Sent: Wednesday, July 20, 2016 4:09:02 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes

These attributes should be available from port 389 and not the global catalog, 
please try a command such as:

ldapsearch -H ldap://<ip-address> -D "DOMAIN\Administrator" -W -b 
"cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber 
msSFU30MaxUidNumber msSFU30MaxGidNumber

Replacing the root suffix in the search base, the ip-address and bind 

Kind regards,
Justin Stephenson
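The check below is an added example, not code from this thread or from FreeIPA itself. It reads the LDIF that ldapsearch prints for the IDMU lookup suggested above (the ypservers container under cn=rpcservices,CN=System, queried on port 389 rather than the global catalog) and either derives an ID range from msSFU30OrderNumber and the msSFU30Max*Number values the way the thread describes IPA doing it, or explains a "result: 32 No such object" reply by naming the first RDN below matchedDN that does not exist, which is what an AD domain without the IDMU / NIS server role answers. Both LDIF replies are constructed (the second is modelled on the one quoted at the top of the thread); rounding the range size up to a multiple of 200000 is an assumption taken from the 200000-ID default range seen later in the thread, not a quote of add_range in ipalib/plugins/trust.py, so compare with the installed version before relying on the numbers.

```python
import re

DEFAULT_RANGE_SIZE = 200000  # assumption: IPA's default trust-range size

# Constructed reply for a domain where the IDMU / NIS server role exists.
IDMU_BASE = "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com"
IDMU_REPLY = """\
# base <cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com> with scope subtree
# requesting: msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber

# ypservers, ypserv30, RpcServices, System, example.com
dn: CN=ypservers,CN=ypserv30,CN=RpcServices,CN=System,DC=example,DC=com

# example, ypservers, ypserv30, RpcServices, System, example.com
dn: CN=example,CN=ypservers,CN=ypserv30,CN=RpcServices,CN=System,DC=example,DC=com
msSFU30OrderNumber: 10000
msSFU30MaxUidNumber: 10042
msSFU30MaxGidNumber: 10007

# search result
search: 2
result: 0 Success
"""

# Constructed reply modelled on the one quoted at the top of this thread:
# AD found CN=RpcServices,CN=System but nothing below it.
MISSING_BASE = "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=rwe,dc=tt"
MISSING_REPLY = """\
# search result
search: 2
result: 32 No such object
matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt
text: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best
  match of:
"""


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: returns (result_code,
    summary, entries).  summary holds the search-summary lines (matchedDN,
    text), each entry is {"dn": str, attr: [values]}.  Continuation lines
    (leading space) are folded; base64 ('::') values are not handled."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    result, summary, entries, current = None, {}, [], {}
    for line in logical:
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
        if not m:
            continue
        attr, value = m.groups()
        if attr == "result":
            result = int(value.split()[0])
        elif attr in ("search", "matchedDN", "text", "ref"):
            summary[attr] = value
        elif attr == "dn":
            if current:
                entries.append(current)
            current = {"dn": value}
        else:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return result, summary, entries


def first_missing_rdn(base_dn, matched_dn):
    """matchedDN is the longest existing suffix of the search base, so the
    RDN of base_dn directly above it is the first one AD could not find.
    A plain comma split is enough here (no escaped commas in these DNs)."""
    base = [r.strip() for r in base_dn.split(",")]
    matched = [r.strip() for r in matched_dn.split(",")] if matched_dn else []
    missing = base[:len(base) - len(matched)]
    return missing[-1] if missing else None


def check_idmu(ldif_text, base_dn):
    """Derive (base_id, range_size) from the IDMU attributes, or say why not."""
    result, summary, entries = parse_ldif(ldif_text)
    if result == 32:  # noSuchObject: part of the search base is absent
        matched = summary.get("matchedDN", "")
        return {"status": "idmu-missing", "matched_dn": matched,
                "missing_rdn": first_missing_rdn(base_dn, matched)}
    if result != 0:
        return {"status": "ldap-error", "result": result}
    info = [e for e in entries if "msSFU30OrderNumber" in e]
    if not info:
        return {"status": "no-order-number"}
    entry = info[0]
    base_id = int(entry["msSFU30OrderNumber"][0])
    max_uid = int(entry.get("msSFU30MaxUidNumber", ["0"])[0])
    max_gid = int(entry.get("msSFU30MaxGidNumber", ["0"])[0])
    max_id = max(max_uid, max_gid)
    if max_id < base_id:
        return {"status": "inconsistent", "base_id": base_id, "max_id": max_id}
    # Assumption: the span is rounded up to the next multiple of the default size.
    range_size = ((max_id - base_id) // DEFAULT_RANGE_SIZE + 1) * DEFAULT_RANGE_SIZE
    return {"status": "ok", "base_id": base_id, "range_size": range_size,
            "last_id": base_id + range_size - 1}


if __name__ == "__main__":
    print(check_idmu(IDMU_REPLY, IDMU_BASE))
    print(check_idmu(MISSING_REPLY, MISSING_BASE))
```

Feed it the real ldapsearch output (for example, `check_idmu(open("reply.ldif").read(), base_dn)`) with the same base DN you passed to `-b`; a status of idmu-missing with missing_rdn cn=ypserv30 is the situation in this thread, and is why IPA fell back to generating a range base instead of reading one from AD.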

On 07/20/2016 08:15 AM, Jan Karásek wrote:


thank you for the hint.

In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:

It's working with msSFU30MaxUidNumber and msSFU30OrderNumber.

If I understand it right, it is the base uid number and the number of uids in the range.

If not discovered nor given via CLI, then it generate random base and add some 

So these two attributes must be set to use the ipa-ad-trust-posix range?

Could anybody help me with how and where to check these attributes? I have looked 
in the ldapsearch dump from my AD (Global catalog) and I can see these attributes 
only in the schema, so no values are assigned.
I'm using W2012 R2.

Thank you,

From: "Justin Stephenson" <jstep...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz> , freeipa-users@redhat.com
Sent: Tuesday, July 19, 2016 8:36:00 PM
Subject: Re: [Freeipa-users] AD trust with POSIX attributes


When adding the AD trust using 'ipa-ad-trust-posix' range type then IPA will 
search AD for the ID space of existing POSIX attributes to automatically create 
a suitable ID range inside IPA.

You can check the exact steps and attributes searched by looking at the 
add_range function definition in 

I would suggest reviewing the output of 'ipa idrange-find' to confirm that the 
range matches up with the uid and gidNumbers of your AD environment.

Kind regards,
Justin Stephenson
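The script below is an added example, not code from this thread or from FreeIPA. It does the "confirm that the range matches up" step suggested above offline: it parses the `ipa idrange-show` text quoted further down in this thread and checks the uidNumber/gidNumber stored on AD users against that range. It also compares the uid a client actually reported with the AD uidNumber; where the two differ and the reported uid lies inside the range, it prints the offset from the range base, because under the algorithmic ipa-ad-trust mapping a user's uid is base_id plus the RID of the user's SID, so a uid of base + 1107 next to an AD uidNumber of 10000 is a value IPA generated rather than one read from AD. The user records are constructed (the first mirrors the numbers in the thread), and the SID shown for such a user is only what the uid would correspond to if it came from RID mapping.

```python
import re

# The 'ipa idrange-show' output quoted further down this thread.
IDRANGE_SHOW = """\
  Range name: EXAMPLE.TT_id_range
  First Posix ID of the range: 1392000000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
  Range type: Active Directory trust range with POSIX attributes
"""

# Constructed records: the POSIX attributes as stored on the AD user, and the
# uid that 'id' printed for that user on the IPA side.  The first mirrors the
# thread (uidNumber 10000 in AD, uid 1392001107 observed); the second is what
# a user whose AD IDs lie inside the range should look like.
AD_USERS = [
    {"name": "user@example.tt", "uidNumber": 10000, "gidNumber": 10000,
     "observed_uid": 1392001107},
    {"name": "svc@example.tt", "uidNumber": 1392000500, "gidNumber": 1392000500,
     "observed_uid": 1392000500},
]

POSIX_RANGE_TYPE = "Active Directory trust range with POSIX attributes"


def parse_idrange(text):
    """Read the 'Label: value' lines of ipa idrange-show into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    base = int(fields["First Posix ID of the range"])
    size = int(fields["Number of IDs in the range"])
    return {"name": fields["Range name"], "base_id": base, "size": size,
            "last_id": base + size - 1,
            "domain_sid": fields["Domain SID of the trusted domain"],
            "posix": fields["Range type"] == POSIX_RANGE_TYPE}


def in_range(rng, posix_id):
    return rng["base_id"] <= posix_id <= rng["last_id"]


def audit_user(rng, user):
    """Do the AD-stored uidNumber/gidNumber fit the range, and did the uid the
    client reported actually come from AD?  If the reported uid sits inside the
    range but differs from uidNumber, its offset from base_id is reported; under
    the algorithmic ipa-ad-trust mapping that offset is the RID, so the SID the
    uid would correspond to in that case is shown as well (hypothetical)."""
    offset, sid = None, None
    if in_range(rng, user["observed_uid"]) and user["observed_uid"] != user["uidNumber"]:
        offset = user["observed_uid"] - rng["base_id"]
        sid = "%s-%d" % (rng["domain_sid"], offset)
    return {"name": user["name"],
            "uidNumber_in_range": in_range(rng, user["uidNumber"]),
            "gidNumber_in_range": in_range(rng, user["gidNumber"]),
            "observed_from_ad": user["observed_uid"] == user["uidNumber"],
            "rid_offset": offset, "sid_if_rid_mapped": sid}


def audit(idrange_text, users):
    """Parse the range once and classify every user against it."""
    rng = parse_idrange(idrange_text)
    return rng, [audit_user(rng, u) for u in users]


if __name__ == "__main__":
    rng, verdicts = audit(IDRANGE_SHOW, AD_USERS)
    print(rng)
    for v in verdicts:
        print(v)
```

To run it against a live environment, paste the `ipa idrange-show <name>` output into IDRANGE_SHOW and build the user list from `ldapsearch ... uidNumber gidNumber` against AD plus `id user@domain` on a client; any user whose uidNumber_in_range is False cannot be served from the POSIX range as created, regardless of what is stored on the AD object.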

On 07/19/2016 09:44 AM, Jan Karásek wrote:



I am still fighting with storing users' POSIX attributes in AD. Can anybody 
please provide some simple reference settings for an IPA-AD trust where users 
get their uid from AD, not from the IPA ID pool?

I have tried to set values of attributes before and after creating trust, I 
have tried different sssd setting but I'm still getting uid from IPA idrange 
pool instead of from AD user's attribute.

What exactly is IPA checking when it tries to decide what type of trust will be 
set - ['ipa-ad-trust-posix', 'ipa-ad-trust'] ?

Do I have to fill in some AD user attributes to get it to work? 
Currently I am testing just with uidNumber and gidNumber.

There is almost no documentation about this topic so I don't know what else I 
can try ...

Thanks for help,


Date: Tue, 21 Jun 2016 21:38:15 +0200
From: Jakub Hrozek <jhro...@redhat.com>
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD trust with POSIX attributes
Message-ID: <20160621193815.GS29512@hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Tue, Jun 21, 2016 at 01:55:54PM +0200, Jan Karásek wrote:
Hi all,

I have a question about IPA with an AD forest trust. What I am trying to do is 
set up an environment where all information about users is stored in one place, 
AD. I would like to read at least uid, home, shell and sshkey from AD.

I have set up trust with this parameters:

ipa trust-add EXAMPLE.TT --type=ad --range-type=ipa-ad-trust-posix 

Did you add the POSIX attributes to AD after creating the trust maybe?

[root@ipa1 ~]# ipa idrange-show EXAMPLE.TT_id_range
Range name: EXAMPLE.TT_id_range
First Posix ID of the range: 1392000000
Number of IDs in the range: 200000
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
Range type: Active Directory trust range with POSIX attributes

I have set attributes in AD for u...@example.tt
- uidNumber - 10000
- homeDirectory - /home/user
- loginShell - /bin/bash

Trust itself works fine. I can do kinit with u...@example.tt, I can run id and 
getent passwd u...@example.tt and I can use u...@example.tt for ssh.

Problem is, that I am not getting uid from AD but from idrange:

uid=1392001107( u...@example.tt )

Also I have tried to switch off id mapping with ldap_id_mapping = true in 
sssd.conf but no luck.

This has no effect, in IPA-AD trust scenario, the id mapping properties
are managed on the server.

I know that it is probably better to use ID views for this, but in our case we 
need a centrally managed environment where all user information is inserted 
into AD externally from the HR system, POSIX attributes included, and we need 
IPA to read it from AD.

I think idviews are better for overriding POSIX attributes for a
specific set of hosts, but in your environment, it sounds like you want
to use the POSIX attributes across the board.

So my questions are:

Is it possible to read user's POSIX attributes directly from AD - namely uid ?


Which attributes can be stored in AD?

Homedir is a bit special, for backwards compatibility the
subdomains_homedir takes precedence. The others should be read from AD.

I don't have the environment set at the moment, though, so I'm operating
purely from memory.

Am I doing something wrong ?

my sssd.conf:
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = a.example.tt
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.a.example.tt
chpass_provider = ipa
ipa_server = ipa1.a.example.tt
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#ldap_id_mapping = true
#subdomain_inherit = ldap_user_principal
#ldap_user_principal = nosuchattribute

services = nss, sudo, pam, ssh
config_file_version = 2

domains = a.example.tt
debug_level = 5
homedir_substring = /home
enum_cache_timeout = 2
entry_negative_timeout = 2

debug_level = 5


debug_level = 4

debug_level = 4



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

/ Alexander Bokovoy
