Re: [Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user

2013-09-12 Thread KevinTang
Dear Martin,

Thank you very much

Kevin



From:   Martin Kosek 
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date:   09/12/2013 03:29 PM
Subject:Re: [Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user



On 09/12/2013 09:16 AM, kevint...@umac.mo wrote:
> Dear all,
> 
> I have two domains, one is a Windows AD domain, the other is an IPA domain. Both
> domains already have a two-way trust, and Windows AD users can log on
> to an IPA client PC successfully.
> 
> Since user accounts in Windows AD can log on to an IPA client PC, may I set UID,
> GID, HomeDir for the users from Windows AD? If so, how should I do it? Any
> tutorial on the web?
> 
> Thanks
> Kevin Tang
> 

With a plain Active Directory and users signing in from AD to a FreeIPA Linux
client, AD users will automatically get a UID and GID assigned based on their
Windows identifier (SID). This should work fine.

However, I think you cannot set a custom home dir centrally unless you configure
the "Services for Identity Management for UNIX" AD extension and FreeIPA to
use it:

Design page of the feature:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
Test day page (a.k.a. tutorials):
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients

... and particularly this part:
https://fedoraproject.org/wiki/QA:Testcase_freeipa_using_posix_attributes_in_ad


If you do not want to use the extension, you could for example override the
default home dir on FreeIPA clients, e.g. with the subdomain_homedir option of
sssd.conf (man sssd.conf).

HTH,
Martin
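For the sssd.conf route mentioned above, here is an added illustration that is not part of the original thread and not FreeIPA project code. The realm names, server and client hostnames and the home directory prefix are constructed placeholders; `subdomain_homedir` is the real SSSD option. Because users from trusted AD domains are served as subdomains of the IPA provider, the option goes into the IPA domain section of the client's /etc/sssd/sssd.conf, not into a section of its own.

```ini
# Constructed example /etc/sssd/sssd.conf on a FreeIPA-enrolled client.
# Domain and host names below are placeholders, not values from the thread.
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
cache_credentials = True

# Home directory template for users coming from trusted AD domains (the
# "subdomains" of this IPA provider). %d expands to the AD domain name and
# %u to the short user name, so a user from win-ad.example.test is reported
# with /export/home/win-ad.example.test/<user>. The default template is
# /home/%d/%u; only the prefix is changed here.
subdomain_homedir = /export/home/%d/%u
```

After editing, restart SSSD (`service sssd restart` on the CentOS 6 clients used in the thread) and check the home directory field that the client now reports with `getent passwd 'userA@win_ad.com'`. This override is purely client-side: nothing is written back to AD, and the directory itself still has to exist or be created at login by pam_mkhomedir or pam_oddjob_mkhomedir.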



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] [How to] Set UID, GID, HomeDir in Trust AD user

2013-09-12 Thread KevinTang
Dear all,

I have two domains, one is a Windows AD domain, the other is an IPA domain. Both
domains already have a two-way trust, and Windows AD users can log on
to an IPA client PC successfully.

Since user accounts in Windows AD can log on to an IPA client PC, may I set UID,
GID, HomeDir for the users from Windows AD? If so, how should I do it? Any
tutorial on the web?

Thanks
Kevin Tang


Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread KevinTang
Dear Alexander,

Understand, thank you very much.

Kevin.



From:   Alexander Bokovoy 
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date:   09/11/2013 02:52 PM
Subject:Re: [Freeipa-users] IPA AD Trust issue



On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
>Dear Alexander,
>
>If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
>all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client
>log on with the Windows AD username only? (only use 'userA' to log in directly,
>not 'userA@win_ad.com').
If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync which is copying user entries from AD to IPA. In this
case AD users become IPA users. It is not a trust per se, only a
synchronization. In particular, users will not be able to use their AD
Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a
user name.

>Or after replication, can I use an IPA account to log on to a Windows client PC
>only with the IPA username? (only use 'userB' to log on, rather than
>'userB@ipa_ad.com').
No, synchronization is from AD to IPA, not the other way around. A
change in IPA for the account which was synchronized from AD will be
propagated back to AD but IPA users will not be copied to AD.

-- 
/ Alexander Bokovoy




Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread KevinTang
Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client
log on with the Windows AD username only? (only use 'userA' to log in directly,
not 'userA@win_ad.com').

Or after replication, can I use an IPA account to log on to a Windows client PC
only with the IPA username? (only use 'userB' to log on, rather than
'userB@ipa_ad.com').

Thank you very much
Kevin Tang




From:   Alexander Bokovoy 
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date:   09/11/2013 12:52 PM
Subject:Re: [Freeipa-users] IPA AD Trust issue



On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
>Dear all,
>
>I am new to IPA and have some questions about the setup.
>I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
>64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
>Windows AD already have a two-way trust. Windows AD users can log on to the
>IPA client PC.
>
>I have 3 questions about further setup.
>
>1) IPA client login issue.
>On the IPA client, if a Windows AD user wants to log in, they need to type the full
>name such as 'userA@win_ad.com'. How do I let Windows AD users log on only with
>their username? That means only using 'userA' to log on to the IPA client PC rather
>than 'userA@win_ad.com'?
Not supported. There could be some obscure SSSD setting to allow one
SSSD domain (as in /etc/sssd/sssd.conf) to be the default, but since trusted AD
domains are represented as subdomains of a single IPA provider, the full UPN is
used to distinguish and discover which subdomain they belong to, for
performance reasons.

>2) Windows login issue.
>I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
>Since this Windows PC has already joined the win_ad domain, it allows Windows AD
>domain users to log on. But when I try to log on as an IPA user, for example,
>as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
>currently no logon servers available to service the logon request.' and
>does not allow the IPA user to log on. What do I do now? Do I need to modify
>the Windows AD settings, or the Windows client PC settings?
We do not support this mode yet, it requires implementation of Global
Catalog service on IPA side which is not done yet. Plans for doing that
are in Fedora 20-21 time frame.

>3) Windows login issue.
>Can I log in on a Windows AD client PC with the IPA username only (not including
>the IPA domain)? That is, only using 'userB' as the username to log in?
No. Only users from the domain the Windows PC is joined to can be logged in
without an explicit domain name. Since the IPA domain belongs to a separate
forest, you cannot log in without an explicit domain prefix. Please note, even
that will only be possible when we implement the Global Catalog service on the
IPA side.

-- 
/ Alexander Bokovoy




[Freeipa-users] IPA AD Trust issue

2013-09-10 Thread KevinTang
Dear all,

I am new to IPA and have some questions about the setup.
I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
Windows AD already have a two-way trust. Windows AD users can log on to the
IPA client PC.

I have 3 questions about further setup.

1) IPA client login issue.
On the IPA client, if a Windows AD user wants to log in, they need to type the full
name such as 'userA@win_ad.com'. How do I let Windows AD users log on only with
their username? That means only using 'userA' to log on to the IPA client PC rather
than 'userA@win_ad.com'?

2) Windows login issue.
I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
Since this Windows PC has already joined the win_ad domain, it allows Windows AD
domain users to log on. But when I try to log on as an IPA user, for example,
as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
currently no logon servers available to service the logon request.' and
does not allow the IPA user to log on. What do I do now? Do I need to modify
the Windows AD settings, or the Windows client PC settings?

3) Windows login issue.
Can I log in on a Windows AD client PC with the IPA username only (not including
the IPA domain)? That is, only using 'userB' as the username to log in?

Thanks all
Kevin Tang
