Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-24 Thread Jakub Hrozek
On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote:
> Morning Jakub,
> 
> >>  However, I would like to tune this configuration to drop the domain
> >>  component of the user and group names.  I tried to do this by adding
> >>  these settings to the [sssd] section in sssd.conf on the client:
> >>
> >>default_domain_suffix = example.au
> >> full_name_format = %1$s
> >>
> >>  With this configuration, I can login as a staff domain user (example.au)
> >> successfully and I then see the short-name form of the groups:
> >>
> >> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> >> [rnst@ipa-client-rh7 ~]$ groups
> >> rnst
> >>
> >> Is this expected behaviour?  Is there a possible client configuration that
> >> will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
> 
> Does one need sssd-1.14 on the IPA server only or is this required on
> all the IPA clients too?

I haven't tested this since I was working in this area, but I believe the clients
as well.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-24 Thread William Muriithi
Morning Jakub,

>>  However, I would like to tune this configuration to drop the domain
>>  component of the user and group names.  I tried to do this by adding
>>  these settings to the [sssd] section in sssd.conf on the client:
>>
>>default_domain_suffix = example.au
>> full_name_format = %1$s
>>
>>  With this configuration, I can login as a staff domain user (example.au)
>> successfully and I then see the short-name form of the groups:
>>
>> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
>> [rnst@ipa-client-rh7 ~]$ groups
>> rnst
>>
>> Is this expected behaviour?  Is there a possible client configuration that
>> will support our AD forest setup or is this simply not possible?
>
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

Does one need sssd-1.14 on the IPA server only or is this required on
all the IPA clients too?

Regards,
William



Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-21 Thread Jakub Hrozek
On Fri, Oct 21, 2016 at 04:07:16PM +1100, Robert Sturrock wrote:
> > On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> > […]
> > > However, when I try logging in as a student domain user 
> > > (student.example.au),
> > > I don't see any of the groups (there should be 8):
> > > 
> > > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > > [rnst@ipa-client-rh7 ~]$ groups
> > > rnst
> > > 
> > > Is this expected behaviour?  Is there a possible client configuration that
> > > will support our AD forest setup or is this simply not possible?
> > 
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
> 
> I tried the same configuration on FC24, which has sssd-1.14.1-3, but it 
> didn’t work for the student domain either:
> 
> $ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
> -sh-4.3$ groups
> rnst
> 
> Is the version shipping with RHEL7.3 likely to be different?

No, it's pretty much the same. Can you take a look at the logs and
create a dump of the ldb cache, please?

See:
https://fedorahosted.org/sssd/wiki/Troubleshooting


Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Robert Sturrock
> On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> […]
> > However, when I try logging in as a student domain user 
> > (student.example.au),
> > I don't see any of the groups (there should be 8):
> > 
> > $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
> > [rnst@ipa-client-rh7 ~]$ groups
> > rnst
> > 
> > Is this expected behaviour?  Is there a possible client configuration that
> > will support our AD forest setup or is this simply not possible?
> 
> What you did is quite correct, but unfortunately works only with
> RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.

I tried the same configuration on FC24, which has sssd-1.14.1-3, but it didn’t 
work for the student domain either:

$ ssh -l r...@student.example.au ipa-client-fc24.ipa.example.au
-sh-4.3$ groups
rnst

Is the version shipping with RHEL7.3 likely to be different?

Regards,

Robert.


Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy :

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the dnssec validation on IPA and it works as expected, I will
>> set up dnssec on the windows side and enable dns validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hi Alexander,
> I do believe it is a DNS problem, the commands failing are
>
> host -t srv _ldap._tcp.ad_domain
> or
> dig SRV _ldap._tcp.ad_domain
> after checking the logs I see this error
> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
> so I disabled the dnssec validation on IPA and it works as expected, I will
> set up dnssec on the windows side and enable dns validation once more on IPA
> to see if I can get the same outcome.

When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

--
/ Alexander Bokovoy



Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hi Alexander,
I do believe it is a DNS problem, the commands failing are

host -t srv _ldap._tcp.ad_domain
or
dig SRV _ldap._tcp.ad_domain
after checking the logs I see this error
"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"

so I disabled the dnssec validation on IPA and it works as expected, I will
set up dnssec on the windows side and enable dns validation once more on IPA
to see if I can get the same outcome.

Thanks for your answer


2016-10-20 10:10 GMT-04:00 Alexander Bokovoy :

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hello everyone,
>>
>> Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2,
>> as the documentation explains in
>> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>>
>> However the server is unable to resolve any record from my child domain. I
>> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure
>> if this version of IPA is affected by it.
>>
>> Is the procedure in the documentation still valid?
>>
> Given that you have literally provided no logs that would help us to help
> you, let's start from there.
>
> Show what your problem is through the logs. What exact commands are
> failing? If you suspect DNS issues, show your named-pkcs11's logs.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Alexander Bokovoy

On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:

> Hello everyone,
>
> Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2,
> as the documentation explains in
> http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA
>
> However the server is unable to resolve any record from my child domain. I
> found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure
> if this version of IPA is affected by it.
>
> Is the procedure in the documentation still valid?

Given that you have literally provided no logs that would help us to help
you, let's start from there.

Show what your problem is through the logs. What exact commands are
failing? If you suspect DNS issues, show your named-pkcs11's logs.

--
/ Alexander Bokovoy



[Freeipa-users] IPA-AD Trust unable to resolve child domain

2016-10-20 Thread Carlos Raúl Laguna
Hello everyone,

Both servers are fresh installs, 2008r2 and Fedora 24 server with FreeIPA 4.3.2,
as the documentation explains in
http://www.freeipa.org/page/Active_Directory_trust_setup#If_AD_is_subdomain_of_IPA

However the server is unable to resolve any record from my child domain. I
found this bug https://fedorahosted.org/freeipa/ticket/6062, but I am not sure
if this version of IPA is affected by it.

Is the procedure in the documentation still valid?

Thanks in advance.

Re: [Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-20 Thread Jakub Hrozek
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
> 
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD.  The AD forest contains *two*
> domains:
> 
>   EXAMPLE.AU (staff users)
>   STUDENT.EXAMPLE.AU (student users)
> 
> The IPA domain that trusts these is called:
> 
>   IPA.EXAMPLE.AU
> 
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
> 
> However, I would like to tune this configuration to drop the domain
> component of the user and group names.  I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
> 
> default_domain_suffix = example.au
> full_name_format = %1$s
> 
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
> 
> $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
> [rns@ipa-client-rh7 ~]$ groups
> rns domain users d-750g 511all [..etc..]
> 
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
> 
> $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
> [rnst@ipa-client-rh7 ~]$ groups
> rnst
> 
> Is this expected behaviour?  Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.



[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-19 Thread Robert Sturrock
Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD.  The AD forest contains *two*
domains:

  EXAMPLE.AU (staff users)
  STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

  IPA.EXAMPLE.AU

The basic configuration as described above works ok - we can login to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.

However, I would like to tune this configuration to drop the domain
component of the user and group names.  I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:

default_domain_suffix = example.au
full_name_format = %1$s

With this configuration, I can login as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:

$ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
[rns@ipa-client-rh7 ~]$ groups
rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):

$ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
[rnst@ipa-client-rh7 ~]$ groups
rnst

Is this expected behaviour?  Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?

Regards,

Robert.

Complete client sssd.conf:
-

[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

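Added example, not code from this thread or from sssd: a small C expander for the full_name_format string used in the sssd.conf above, run over constructed staff and student accounts to show what dropping the domain part costs. sssd defines %1$s as the user name, %2$s as the configured domain name and %3$s as the domain's flat (NetBIOS) name; the flat names EXAMPLE/STUDENT and the duplicate short name rns are assumptions made for the sample.

```c
#include <stdio.h>
#include <string.h>

/* Hand-rolled substitute for printf's positional arguments: only the three
 * specifiers sssd documents for full_name_format (%1$s, %2$s, %3$s) and a
 * literal "%%" are understood. */
struct principal {
    const char *name;   /* short name as stored in the AD domain */
    const char *domain; /* DNS name of the sssd/AD domain */
    const char *flat;   /* flat (NetBIOS) name, constructed for this example */
};

/* Expand fmt for p into out. Returns 0 on success, -1 on a specifier this
 * expander does not model or when out is too small. */
int expand_full_name(const char *fmt, const struct principal *p,
                     char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *f = fmt; *f != '\0'; f++) {
        char single[2] = { *f, '\0' };
        const char *piece = single;
        if (*f == '%') {
            if (f[1] >= '1' && f[1] <= '3' && f[2] == '$' && f[3] == 's') {
                piece = (f[1] == '1') ? p->name
                      : (f[1] == '2') ? p->domain
                      : p->flat;
                f += 3;             /* skip "1$s"; the loop skips the '%' */
            } else if (f[1] == '%') {
                piece = "%";
                f += 1;
            } else {
                return -1;
            }
        }
        size_t len = strlen(piece);
        if (n + len + 1 > outlen)
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}

/* Number of pairs among ps that display identically under fmt. Anything
 * above zero means two distinct AD accounts are indistinguishable in
 * "groups", "ls -l", audit logs and anything else that shows names. */
int count_name_collisions(const char *fmt, const struct principal *ps, size_t count)
{
    char names[8][128];
    int collisions = 0;
    if (count > 8)
        return -1;
    for (size_t i = 0; i < count; i++)
        if (expand_full_name(fmt, &ps[i], names[i], sizeof names[i]) != 0)
            return -1;
    for (size_t i = 0; i < count; i++)
        for (size_t j = i + 1; j < count; j++)
            if (strcmp(names[i], names[j]) == 0)
                collisions++;
    return collisions;
}

/* Constructed sample: the thread's two AD domains, with a staff and a
 * student account that happen to share the short name "rns". */
const struct principal sample_users[3] = {
    { "rns",  "example.au",         "EXAMPLE" },
    { "rns",  "student.example.au", "STUDENT" },
    { "rnst", "student.example.au", "STUDENT" },
};

int sample_collisions(const char *fmt)
{
    return count_name_collisions(fmt, sample_users, 3);
}

int main(void)
{
    /* sssd's default, an AD-style DOMAIN\user form, and the thread's %1$s */
    const char *formats[] = { "%1$s@%2$s", "%3$s\\%1$s", "%1$s" };
    char buf[128];
    for (size_t f = 0; f < 3; f++) {
        printf("full_name_format = %s\n", formats[f]);
        for (size_t i = 0; i < 3; i++)
            if (expand_full_name(formats[f], &sample_users[i], buf, sizeof buf) == 0)
                printf("  %s\n", buf);
        printf("  colliding pairs: %d\n", sample_collisions(formats[f]));
    }
    return 0;
}
```

With %1$s the staff rns and the student rns print as the same name, which is the trade-off behind short names in a two-domain forest; either of the other two formats keeps them apart.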


[Freeipa-users] IPA - AD trust - LDAP signing

2016-10-07 Thread Jan Karásek
Hi all,

I am having trouble with IPA-AD trust. We have a scenario where on the AD
side the LDAP signing policy is on - this is the company standard and cannot be
changed.
Is there any chance to let IPA use LDAP signing on the IPA side? I guess IPA
uses SASL LDAP bind but without signing.

What I am not understanding now is that IPA is still able to obtain info from
AD LDAP although the DC servers keep complaining about unsigned LDAP connections -
event 2889.

https://support.microsoft.com/en-us/kb/935834
https://technet.microsoft.com/en-us/library/dd941849(v=ws.10).aspx


Thanks for help.
Jan Karásek


Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh

Hi,

OK, clear. Thanks for the information!

Winny

Sumit Bose wrote on 06-01-2016 9:19:

> On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
>
> > Hi all,
> >
> > Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
> > we're just not able to see AD "Domain Local Groups".
> >
> > Is that just not possible (a limitation of the current version that is), is
> > some extra configuration needed or is just something wrong?
> >
> > Hope one can give an answer!
>
> This is by design. As the name says the groups are 'Domain Local' i.e.
> only valid in their own AD domain (not even in the whole AD forest). Since
> the IPA domain is a completely different forest from the AD perspective
> the Domain Local Groups do not apply here. IPA just does the same here
> as AD does.
>
> HTH
>
> bye,
> Sumit
>
> > Winny



Re: [Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread Sumit Bose
On Wed, Jan 06, 2016 at 08:56:27AM +0100, w...@dds.nl wrote:
> Hi all,
> 
> Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
> we're just not able to see AD "Domain Local Groups".
> 
> Is that just not possible (a limitation of the current version that is), is
> some extra configuration needed or is just something wrong?
> 
> Hope one can give an answer!

This is by design. As the name says the groups are 'Domain Local' i.e.
only valid in their own AD domain (not even in the whole AD forest). Since
the IPA domain is a completely different forest from the AD perspective
the Domain Local Groups do not apply here. IPA just does the same here
as AD does.

HTH

bye,
Sumit

> 
> Winny
> 


[Freeipa-users] IPA, AD Trust and Domain Local Groups

2016-01-06 Thread wdh

Hi all,

Using an AD trust with IPA 4.2 all works well, but on the IPA/Linux side
we're just not able to see AD "Domain Local Groups".


Is that just not possible (a limitation of the current version that is),
is some extra configuration needed or is just something wrong?


Hope one can give an answer!

Winny



Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Jakub Hrozek

On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

 I ran into this issue last fall and have been running with a patched 
 libnfsidmap since November while our support case with Red Hat waits on a 
 resolution (pretty much have given up hope at this point).  It's a trivial 
 patch and removes the assumption that only one @ can be present in a username.
 
 With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 
 and EL7 in multiple environments all using NFSv4 mounts with ID mapping 
 enabled.  We have experienced zero issues with this patch applied.  Without 
 it, the AD trust setup is a no-go in any sort of real environment since NFSv4 
 is broken.
 
 If you'd like to reference our support case, it's #00983906.  Patch is 
 included below.
 
 /aron
 

Hi Aron,

the support case you referenced is linked to bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for
RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the patch
will be released in 6.6.


 
 From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
 From: Aron Parsons parso...@bit-sys.com
 Date: Fri, 15 Nov 2013 14:43:10 -0500
 Subject: [PATCH] account for usernames with @ in them
 
 ---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
 
 diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
 index 04aff19..f9ad4be 100644
 --- a/libnfsidmap/nss.c
 +++ b/libnfsidmap/nss.c
 @@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char 
 *domain)
   char *l = NULL;
   int len;
 
 - c = strchr(name, '@');
 + c = strrchr(name, '@');
   if (c == NULL  domain != NULL)
goto out;
   if (c == NULL  domain == NULL) {
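Review bot: the change from `- c = strchr(name, '@');` to `+ c = strrchr(name, '@');` makes strip_domain() treat the last '@' as the user/domain separator for every caller, which is only safe if the configured domain part can never itself contain '@'; that assumption, and the reason for it (trust users arrive as user@ad-domain@local-domain), deserve a comment on the changed line and a sentence in the commit message, which currently only says "account for usernames with @ in them". Also, the context lines `if (c == NULL  domain != NULL)` and `if (c == NULL  domain == NULL) {` show no operator between the two conditions, which looks like the `&&` was lost in the archive rendering; anyone applying this patch from the mail should check it against the committed file rather than this copy.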
 -- 
 1.7.1
 
 -
 Hi,
 
 First I wish to thank everybody that helped me out trying to solve this issue
 and I also wish to inform that NFS 4 does not work with AD users through an
 AD and IPA trust at the moment for RHEL 6 and 7.
 
 The reason is that rpcidmapd` does not parse fully-qualified usernames 
 soadtest AD EXAMPLE o...@ipa.example.org does not work.
 The client-side code is stripping the domain off based on the location of the 
 first @ character in the value returned by the server.  This results in 
 UID/GID mappings failing and resulting in ownership on the clients of 
 nobody.
 
 Regards,
 Johan
 
 From: Dmitri Pal [dpal redhat com]
 Sent: Thursday, June 05, 2014 21:03
 To: Johan Petersson; Alexander Bokovoy
 Cc: Sumit Bose; freeipa-users redhat com
 Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue
 
 On 06/04/2014 09:57 AM, Johan Petersson wrote:
 Yes the message is exactly like that with commas, I double checked.
 
 To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to
 Local-Realms in idmap.conf might help?
 
 I did on all machines and got rid of that specific message but I still get 
 user nobody unfortunately.
 
 Here are logs from when I did a su - adtest AD h...@linux.home with both 
 AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.
 
 Client:
 Jun  4 15:30:13 client su: (to adtest ad home) linux on pts/0
 Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: 
 adtest ad h...@linux.home timeout 600
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned 0
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is 0
 
 Do we have a corresponding SSSD trace that shows the actual process of
 the resolution?
 
 
 
 NFS Server:
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=user
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling 
 nsswitch-uid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: 
 nsswitch-uid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value 
 is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - 
 name adtest ad h...@linux.home
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=group
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling 
 nsswitch-gid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: 
 nsswitch-gid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value 
 is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 - 
 name ad_users linux home
 
 The group ad_users is a IPA group with external maps from AD Domain users.
 
 -Original Message-
 From: Alexander Bokovoy [mailto:abokovoy redhat com]
 Sent

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS
> Hi Aron,
>
> the support case you referenced is linked to bugzilla
> https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked
> for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the
> patch will be released in 6.6.

username@domain is coded in the NFS spec as an NFS id which goes over the wire. 
It's unclear what allowing two @ signs means (which @ separates username
from domain, and which is part of one of these components?) While I'm sure this
patch is trivial and I'm certain the patch works, it breaks interoperability 
with everything not running the patch (all non-linux and any non RHEL/Centos 
6.6 linux). This is probably acceptable in certain closed environments, but I 
can never use it here.

However, patching the idmapper so that if the username already contains an @, 
it doesn't add another one should also be trivial and should also work. It has 
the added benefit of not trashing interoperability. Conceptually, it allows 
sssd to convey both username and domain with no extra overhead and upgrades the 
linux nfs idmapper to handle living on a system which understands more than a 
flat namespace. To do it right, sssd always needs to supply the nfs idmapper 
usernames of the form username@domain regardless of the regex used to parse 
out those components at the login prompt.

I'd have put that on the bugzilla, but I can't get at it.

Bryce




This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
immediately.



Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Alexander Bokovoy

On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:

> > Hi Aron,
> >
> > the support case you referenced is linked to bugzilla
> > https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked
> > for RHEL-6.6, the state of the bugzilla is ON_QA, so currently it looks like the
> > patch will be released in 6.6.
>
> username@domain is coded in the NFS spec as an NFS id which goes over
> the wire. It's unclear what allowing two @ signs means (which @
> separates username from domain, and which is part of one of these
> components?) While I'm sure this patch is trivial and I'm certain the
> patch works, it breaks interoperability with everything not running the
> patch (all non-linux and any non RHEL/Centos 6.6 linux). This is
> probably acceptable in certain closed environments, but I can never use
> it here.

The patch went upstream already. What it does is change the lookup to the
last '@' instead of the first one. For traditional NFS cases it changes
nothing as there is one '@' anyway, the one added by nfsidmap code.

> However, patching the idmapper so that if the username already contains
> an @, it doesn't add another one should also be trivial and should
> also work. It has the added benefit of not trashing interoperability.
> Conceptually, it allows sssd to convey both username and domain with no
> extra overhead and upgrades the linux nfs idmapper to handle living on
> a system which understands more than a flat namespace. To do it right,
> sssd always needs to supply the nfs idmapper usernames of the form
> username@domain regardless of the regex used to parse out those
> components at the login prompt.

Thing is, nfsidmap always adds and then subtracts '@' plus domain,
assuming that the part prior to '@' is what is going to be mapped by the
domain-specific idmap mapper. What you get here by not adding the '@' to
the name which contains '@' already is that the wrong domain will be
classified and then the wrong name is passed to the system to ask for.

Current implementation (with the patch) survives both cases better than
what you propose.

--
/ Alexander Bokovoy

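Added example, not libnfsidmap's code: a minimal C model of the two sides the exchange above describes. The server's idmapper appends "@" plus its local domain to whatever name NSS returned, and the client's strip_domain() removes it again; the client step is written once splitting at the first '@' (the strchr behaviour) and once at the last '@' (the strrchr patch), so both Alexander's point (trust users carry an '@' of their own) and Bryce's (an unpatched peer fails on such names) are visible. The names adtest@ad.home, johan and the domain linux.home are constructed for the sample.

```c
#include <stdio.h>
#include <string.h>

/* Wrappers so the two variants can be passed as plain function pointers. */
static char *first_at(const char *s) { return strchr(s, '@'); }
static char *last_at(const char *s)  { return strrchr(s, '@'); }

/* Server side: build the on-the-wire owner string "name@domain". */
int make_wire_name(const char *local_name, const char *domain,
                   char *out, size_t outlen)
{
    if (strlen(local_name) + 1 + strlen(domain) + 1 > outlen)
        return -1;
    strcpy(out, local_name);
    strcat(out, "@");
    strcat(out, domain);
    return 0;
}

/* Client side: split the wire name at the '@' chosen by find, check that the
 * trailing part is our configured domain, and copy the leading part to out.
 * Returns 0 on success and -1 where the mapping is refused (the EINVAL /
 * "returned -22" seen in the thread's client log), after which the kernel
 * shows the owner as nobody. */
static int strip_domain_with(const char *wire, const char *domain,
                             char *(*find)(const char *),
                             char *out, size_t outlen)
{
    const char *c = find(wire);
    if (c == NULL)
        return -1;                      /* no '@' at all */
    if (strcmp(c + 1, domain) != 0)
        return -1;                      /* wrong domain: mapping refused */
    size_t len = (size_t)(c - wire);
    if (len + 1 > outlen)
        return -1;
    memcpy(out, wire, len);
    out[len] = '\0';
    return 0;
}

/* Unpatched behaviour: the first '@' is the separator. */
int strip_domain_first_at(const char *wire, const char *domain,
                          char *out, size_t outlen)
{
    return strip_domain_with(wire, domain, first_at, out, outlen);
}

/* Patched behaviour: the last '@' is the separator. */
int strip_domain_last_at(const char *wire, const char *domain,
                         char *out, size_t outlen)
{
    return strip_domain_with(wire, domain, last_at, out, outlen);
}

int main(void)
{
    const char *domain = "linux.home";                     /* idmapd local domain */
    const char *locals[] = { "johan", "adtest@ad.home" };  /* IPA user, AD trust user */
    char wire[128], user[128];

    for (size_t i = 0; i < 2; i++) {
        if (make_wire_name(locals[i], domain, wire, sizeof wire) != 0)
            continue;
        printf("wire name: %s\n", wire);
        if (strip_domain_first_at(wire, domain, user, sizeof user) == 0)
            printf("  first '@' (unpatched): %s\n", user);
        else
            printf("  first '@' (unpatched): EINVAL, owner shown as nobody\n");
        if (strip_domain_last_at(wire, domain, user, sizeof user) == 0)
            printf("  last '@'  (patched):   %s\n", user);
        else
            printf("  last '@'  (patched):   EINVAL, owner shown as nobody\n");
    }
    return 0;
}
```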


Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Nordgren, Bryce L -FS


> Thing is, nfsidmap always adds and then subtracts '@' plus domain,
> assuming that the part prior to '@' is what is going to be mapped by the
> domain-specific idmap mapper.

That's the crux of the problem right there.  Sssd is not a domain-specific 
idmap mapper.  Sssd is a domain-aware, multidomain idmap mapper. Hence the 
first @.

> What you get here by not adding the '@' to
> the name which contains '@' already is that the wrong domain will be classified
> and then the wrong name is passed to the system to ask for.

The corollary of not adding the '@' is not subtracting it either.

If sssd is the system service that deals with multidomain issues, then let it. 
The NFS idmapper doesn't need to add or subtract the @ and should pass it on 
to sssd, if it's interacting with sssd. One flag to the mapper 
(domain-aware-system=true), the internal linux only problems are solved 
internally, and the over the wire traffic is not broken in ways that break 
other clients (e.g., your patched system emits traffic which looks _exactly_ 
like the traditional-read-conforming NFS case to unpatched systems and 
other ground-up implementations). Breaking the protocol in a self-consistent 
way which excludes other platforms is a very Microsoft-like approach and makes 
me feel all dirty. Sometimes (not now) it's necessary as a band-aid/workaround, 
but this time the band-aid doesn't have to break things. :)

I'd say the real solution, long term, is to point both sssd and the nfs 
idmapper at something like a umich_ldap server managed by freeipa. This has 
additional benefits like centralizing the idmapping in a way that's exportable 
to foreign organizations so they can be clients to my servers, being able to 
resolve uidNumber collisions when I'm not in control of the AD I'm trying to 
use, supporting bare Kerberos trusts, allowing multiple GSSAuthNames (e.g., my 
AD account, Kerberos credentials from my home network KDC, my SAML account) to 
be recognized as the same user, etc. Room for growth.








Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Parsons, Aron
Hi Jakub,
Good to know about the patch.  It's unfortunate I can get a faster and more 
detailed answer via the mailing list than GSS.  Since I can't access the 
bugzilla, any idea if it's targeted at RHEL7 as well?

/aron

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, July 16, 2014 2:19 AM
To: Parsons, Aron
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 16 Jul 2014, at 03:29, Parsons, Aron parso...@bit-sys.com wrote:

 I ran into this issue last fall and have been running with a patched 
 libnfsidmap since November while our support case with Red Hat waits on a 
 resolution (pretty much have given up hope at this point).  It's a trivial 
 patch and removes the assumption that only one @ can be present in a username.

 With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 
 and EL7 in multiple environments all using NFSv4 mounts with ID mapping 
 enabled.  We have experienced zero issues with this patch applied.  Without 
 it, the AD trust setup is a no-go in any sort of real environment since NFSv4 
 is broken.

 If you'd like to reference our support case, it's #00983906.  Patch is 
 included below.

 /aron


Hi Aron,

the support case you referenced is linked to bugzilla 
https://bugzilla.redhat.com/show_bug.cgi?id=1066153 which is fully acked for 
RHEL-6.6; the state of the bugzilla is ON_QA, so currently it looks like the patch 
will be released in 6.6.



 From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
 From: Aron Parsons parso...@bit-sys.com
 Date: Fri, 15 Nov 2013 14:43:10 -0500
 Subject: [PATCH] account for usernames with @ in them

 ---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

 diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
 index 04aff19..f9ad4be 100644
 --- a/libnfsidmap/nss.c
 +++ b/libnfsidmap/nss.c
 @@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char 
 *domain)
   char *l = NULL;
   int len;

 - c = strchr(name, '@');
 + c = strrchr(name, '@');
   if (c == NULL  domain != NULL)
goto out;
   if (c == NULL  domain == NULL) {
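Review bot: as rendered in this archive, the two context lines `if (c == NULL  domain != NULL)` and `if (c == NULL  domain == NULL) {` have lost the operator that joins their two conditions, so this quoted copy of the hunk should not be applied by hand; take it from the original message below or from the upstream libnfsidmap source. The one-line change itself, `strchr` to `strrchr` on the `-`/`+` lines, is unaffected by the rendering.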
 --
 1.7.1

 -
 Hi,

 First I wish to thank everybody that helped me out trying to solve this issue 
 and I also wish to inform that NFS 4 does not work with AD users through an 
 AD and IPA trust at the moment for RHEL 6 and 7.

 The reason is that rpcidmapd does not parse fully-qualified usernames, 
 so adtest AD EXAMPLE o...@ipa.example.org does not work.
 The client-side code is stripping the domain off based on the location of the 
 first @ character in the value returned by the server.  This results in 
 UID/GID mappings failing and resulting in ownership on the clients of 
 nobody.

 Regards,
 Johan

 From: Dmitri Pal [dpal redhat com]
 Sent: Thursday, June 05, 2014 21:03
 To: Johan Petersson; Alexander Bokovoy
 Cc: Sumit Bose; freeipa-users redhat com
 Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

 On 06/04/2014 09:57 AM, Johan Petersson wrote:
 Yes the message is exactly like that with commas, I double checked.

 To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to  
 Local-Realms in idmap.conf might help?

 I did on all machines and got rid of that specific message but I still get 
 user nobody unfortunately.

 Here are logs from when I did a su - adtest AD h...@linux.home with both 
 AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

 Client:
 Jun  4 15:30:13 client su: (to adtest ad home) linux on pts/0
 Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: 
 adtest ad h...@linux.home timeout 600
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned 0
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is 0

 Do we have a corresponding SSSD trace that shows the actual process of
 the resolution?



 NFS Server:
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=user
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling 
 nsswitch-uid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: 
 nsswitch-uid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value 
 is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - 
 name adtest ad h...@linux.home
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=group
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling 
 nsswitch-gid_to_name
 Jun  4 15:33:48

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-16 Thread Alexander Bokovoy

On Wed, 16 Jul 2014, Nordgren, Bryce L -FS wrote:




Thing is, nfsidmap always adds and then subtracts '@' plus domain,
assuming that the part prior to '@' is what is going to be mapped by the
domain-specific idmap mapper.


That's the crux of the problem right there.  Sssd is not a
domain-specific idmap mapper.  Sssd is a domain-aware, multidomain
idmap mapper. Hence the first @.

You are mixing different mappers and different layers.

SSSD uses a separator (set to '@' by default and enforced as '@' in IPA
trusts mode) to automatically qualify users from non-primary domains. In
case of IPA trusts this is enforced for trusted domains of the IPA domain,
which are discovered automatically by IPA-specific means. SSSD thus
exposes these names as normal system-wide user and group names,
available to anyone performing NSS calls of the libc.

The NFS idmap layer does its own optimization by internally presenting any
NFS-provided name as name@domain and passing it to internal NFS idmap
providers. idmap plugins then take this name@domain and perform their own
mapping. This has nothing to do with system-wide user names and it has
nothing to do with the on-wire NFS protocol; it is a particular NFS idmap
library implementation detail. Note that libnfsidmap actually has two
stacks of idmap modules, applied separately to NFSv4 domain names and to
GSSAPI-authenticated names. While the same plugins are used in both
cases, the use of the 'nsswitch' plugin for GSSAPI-authenticated names is
debatable without applying krb5_aname_to_localname() first, which
nfs-utils doesn't even do.

In other words, we have two different layers, dealing with different
conceptual idmap approaches, and one of them is being used by the other.
The latter (NFS idmap 'nsswitch' plugin) didn't expect that system-level
names might include the same symbol '@'. Given that the NFS
idmap-internal '@' is always appended to NFS-protocol provided name,
splitting the resulting string on last '@' is the right thing to do to
avoid clashes.




What you get here by not adding the '@' to
the name which contains '@' already is that the wrong domain will be classified
and then the wrong name is passed to the system to ask for.


The corollary of not adding the '@' is not subtracting it either.

This would be a major change to the NFS libnfsidmap library and while it
could technically be superior, it serves little value in this context.


If sssd is the system service that deals with multidomain issues, then
let it. The NFS idmapper doesn't need to add or subtract the @ and
should pass it on to sssd, if it's interacting with sssd. One flag to
the mapper (domain-aware-system=true), the internal linux only
problems are solved internally, and the over the wire traffic is not
broken in ways that break other clients (e.g., your patched system
emits traffic which looks _exactly_ like the
traditional-read-conforming NFS case to unpatched systems and other
ground-up implementations). Breaking the protocol in a self-consistent
way which excludes other platforms is a very Microsoft-like approach
and makes me feel all dirty. Sometimes (not now) it's necessary as a
band-aid/workaround, but this time the band-aid doesn't have to break
things. :)

As I said, there is no protocol, on wire or between libnfsidmap and
lower OS levels, that requires special '@' handling. It is a purely
internal thing to libnfsidmap. The way it was treated was wrong from the
beginning, so I would argue the strrchr() fix is actually the proper fix
rather than a band-aid.


I'd say the real solution, long term, is to point both sssd and the nfs
idmapper at something like a umich_ldap server managed by freeipa. This
has additional benefits like centralizing the idmapping in a way that's
exportable to foreign organizations so they can be clients to my
servers, being able to resolve uidNumber collisions when I'm not in
control of the AD I'm trying to use, supporting bare Kerberos trusts,
allowing multiple GSSAuthNames (e.g., my AD account, Kerberos
credentials from my home network KDC, my SAML account) to be recognized
as the same user, etc. Room for growth.

We want to have a specialized NFS idmap plugin to the existing libnfsidmap
that uses a specialized SSSD API internally (the patch is on review on the
SSSD list, at least it was when I went on my vacation, which I'm enjoying
now :). Alternatively, we want to write a complete replacement of
libnfsidmap given the knowledge we have on the SSSD side.

What is lacking here is the fact that with krb5 1.13 we also have a way to
dynamically plug into krb5_aname_to_localname() processing and get rid
of static auth_to_local rules in krb5.conf for the whole IPA domain and its
trusted domains. In this scheme, for GSSAPI-authenticated NFS names all
that needs to be done is a krb5_aname_to_localname() call prior to use
of the 'nsswitch' plugin. The rest will be done by SSSD automatically and
for all applications, not only the NFS idmapper.
--
/ Alexander Bokovoy


Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-15 Thread Parsons, Aron
I ran into this issue last fall and have been running with a patched 
libnfsidmap since November while our support case with Red Hat waits on a 
resolution (pretty much have given up hope at this point).  It's a trivial 
patch and removes the assumption that only one @ can be present in a username.

With this patch applied, we have hundreds of sssd 1.11 clients on EL5, EL6 and 
EL7 in multiple environments all using NFSv4 mounts with ID mapping enabled.  
We have experienced zero issues with this patch applied.  Without it, the AD 
trust setup is a no-go in any sort of real environment since NFSv4 is broken.

If you'd like to reference our support case, it's #00983906.  Patch is included 
below.

/aron


From 305930bded0d377ebda858e8772ebf6527ba3f03 Mon Sep 17 00:00:00 2001
From: Aron Parsons parso...@bit-sys.com
Date: Fri, 15 Nov 2013 14:43:10 -0500
Subject: [PATCH] account for usernames with @ in them

---
 libnfsidmap/nss.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libnfsidmap/nss.c b/libnfsidmap/nss.c
index 04aff19..f9ad4be 100644
--- a/libnfsidmap/nss.c
+++ b/libnfsidmap/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char 
*domain)
char *l = NULL;
int len;
 
-   c = strchr(name, '@');
+   c = strrchr(name, '@');
if (c == NULL  domain != NULL)
 goto out;
if (c == NULL  domain == NULL) {
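Review bot: the commit message "account for usernames with @ in them" should state why the last '@' is the right delimiter, not only that names may contain one: the `strrchr()` on the `+` line is correct only because `strip_domain()` runs after libnfsidmap has appended its own `@<domain>` suffix, so the last '@' is always the one the library added and every earlier '@' belongs to the system-level name (for example an SSSD-qualified trusted-domain user). A one-line comment above `c = strrchr(name, '@');` recording that invariant would keep a later cleanup from reverting to `strchr()`. Note also that the context lines as rendered here, `if (c == NULL  domain != NULL)`, have lost the operator between the two conditions; that is an artifact of the archive, not of the patch, but anyone applying the hunk by hand should take it from the upstream source.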
-- 
1.7.1

-
Hi,

First I wish to thank everybody that helped me out trying to solve this issue 
and I also wish to inform that NFS 4 does not work with AD users through an AD 
and IPA trust at the moment for RHEL 6 and 7.  

The reason is that rpcidmapd does not parse fully-qualified usernames, 
so adtest AD EXAMPLE o...@ipa.example.org does not work.
 The client-side code is stripping the domain off based on the location of the 
first @ character in the value returned by the server.  This results in 
UID/GID mappings failing and resulting in ownership on the clients of nobody.

Regards,
Johan

From: Dmitri Pal [dpal redhat com]
Sent: Thursday, June 05, 2014 21:03
To: Johan Petersson; Alexander Bokovoy
Cc: Sumit Bose; freeipa-users redhat com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/04/2014 09:57 AM, Johan Petersson wrote:
 Yes the message is exactly like that with commas, I double checked.

 To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to  
 Local-Realms in idmap.conf might help?

 I did on all machines and got rid of that specific message but I still get 
 user nobody unfortunately.

 Here are logs from when I did a su - adtest AD h...@linux.home with both 
 AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

 Client:
 Jun  4 15:30:13 client su: (to adtest ad home) linux on pts/0
 Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: 
 adtest ad h...@linux.home timeout 600
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is -22
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
 nsswitch-name_to_gid
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: 
 nsswitch-name_to_gid returned 0
 Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value 
 is 0

Do we have a corresponding SSSD trace that shows the actual process of
the resolution?



 NFS Server:
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=user
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling 
 nsswitch-uid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: 
 nsswitch-uid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value 
 is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - 
 name adtest ad h...@linux.home
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p 
 authtype=group
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling 
 nsswitch-gid_to_name
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: 
 nsswitch-gid_to_name returned 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value 
 is 0
 Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 - 
 name ad_users linux home

 The group ad_users is an IPA group with external maps from AD Domain users.

 -Original Message-
 From: Alexander Bokovoy [mailto:abokovoy redhat com]
 Sent: Wednesday, June 04, 2014 3:14 PM
 To: Johan Petersson
 Cc: dpal redhat com; freeipa-users redhat com
 Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

 On Wed, 04 Jun 2014, Johan Petersson wrote:
 Mail got posted before I was finished sorry.

 I found one clue to the issue after increasing autofs logging to debug and 
 as I thought it has to do with id-mapping
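The append-then-strip round trip that Alexander Bokovoy describes above, and that this patch changes from a first-'@' to a last-'@' split, as an added example in C. This is not code from libnfsidmap, nfs-utils or SSSD: the user names `ipauser` and `adtest@ad.home`, the NFSv4 domain `linux.home`, and the helper names `qualify_for_wire`, `strip_domain_demo` and `round_trips` are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libnfsidmap/nfs-utils/SSSD code. It models the two halves
 * of the problem discussed in this thread: the NFS idmap layer appends
 * "@<nfsv4-domain>" to the system user name, and the client-side 'nsswitch'
 * plugin later strips it again, splitting either on the first '@' (strchr,
 * the original behaviour) or on the last '@' (strrchr, the patched behaviour).
 * All names and domains used here are constructed samples. */

enum split_mode { SPLIT_FIRST_AT, SPLIT_LAST_AT };

/* Build the on-the-wire form "<sysname>@<nfs4_domain>", as the server-side
 * idmapper does for a name returned by getpwuid(). Returns 0 on overflow. */
int qualify_for_wire(const char *sysname, const char *nfs4_domain,
                     char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s@%s", sysname, nfs4_domain);
    return n > 0 && (size_t)n < out_len;
}

/* Split 'name' at the first or last '@', copying the local part into 'local'
 * and the domain part into 'dom'. Returns 1 if the domain part equals
 * 'expected_domain' (the Domain setting from idmapd.conf), 0 otherwise.
 * A 0 result mirrors strip_domain() in nss.c returning NULL, which is what
 * produces the "does not map into domain" log line and nobody ownership. */
int strip_domain_demo(const char *name, const char *expected_domain,
                      enum split_mode mode,
                      char *local, size_t local_len,
                      char *dom, size_t dom_len)
{
    const char *c = (mode == SPLIT_FIRST_AT) ? strchr(name, '@')
                                             : strrchr(name, '@');
    if (c == NULL)
        return 0;

    size_t llen = (size_t)(c - name);
    size_t dlen = strlen(c + 1);
    if (llen + 1 > local_len || dlen + 1 > dom_len)
        return 0;

    memcpy(local, name, llen);
    local[llen] = '\0';
    memcpy(dom, c + 1, dlen + 1);

    return strcmp(dom, expected_domain) == 0;
}

/* End-to-end check: does a system name (e.g. the SSSD-qualified trusted-domain
 * user "adtest@ad.home") survive the append-then-strip round trip? Returns 1
 * if the client recovers exactly the original system name, 0 otherwise. */
int round_trips(const char *sysname, const char *nfs4_domain,
                enum split_mode mode)
{
    char wire[256], local[256], dom[256];

    if (!qualify_for_wire(sysname, nfs4_domain, wire, sizeof wire))
        return 0;
    if (!strip_domain_demo(wire, nfs4_domain, mode,
                           local, sizeof local, dom, sizeof dom))
        return 0;
    return strcmp(local, sysname) == 0;
}

int main(void)
{
    const char *domain = "linux.home";                     /* constructed */
    const char *names[] = { "ipauser", "adtest@ad.home" }; /* constructed */

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-16s first '@': %-7s last '@': %s\n", names[i],
               round_trips(names[i], domain, SPLIT_FIRST_AT) ? "ok" : "nobody",
               round_trips(names[i], domain, SPLIT_LAST_AT) ? "ok" : "nobody");
    }
    return 0;
}
```

A plain IPA user maps either way; the trusted-domain user only survives the last-'@' split, because the first-'@' split hands back `ad.home@linux.home` as the domain, which does not match the configured NFSv4 domain.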

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Simo Sorce
On Fri, 2014-06-27 at 00:10 +, Nordgren, Bryce L -FS wrote:
 Also:
 http://tools.ietf.org/html/draft-adamson-nfsv4-multi-domain-access-04
 
 Never became an RFC, but cites Simo's I-D on a Kerberos PAC.
 
 I like the CITI approach better (also approach 2 of section 6 in the
 above I-D). I have no use for the groups defined in my active
 directory. Also, for the external collaboration case, my AD may not be
 accessible to an NFS server outside the firewall.
 
 However, if (?) support for an NFSRemoteUser schema is lacking in
 FreeIPA, and if AD is accessible to both client and server, it seems
 that approach 3 of section 6 above would be the answer? Somehow
 configure idmap.conf (on NFS clients and servers) to directly query
 AD? Does that seem correct?

I honestly think (and gave this feedback to the authors in the past)
that trying to standardize on LDAP in an NFS document is wrong, it
should be implementation specific.

I think NFS should define roughly how a mapping service should behave,
but should not try to dictate how Directory services can/should be used;
the variation in modes of use is just too big in the real world, and
keeps changing. Moreover it is already incorrect to believe all
identities can be resolved by contacting a single LDAP server (AD
trusted forests as an example), and that the LDAP server can actually
fully resolve group memberships (again AD, and even FreeIPA when
trusting AD forests) without using custom operations that are only fully
correct when run by the KDC (or other RPC service, again see AD).

In the FreeIPA case for example we do not (normally) convey AD groups to
the service and instead map (some of) them into FreeIPA external groups;
a client that tries to query the AD service directly (assuming you have
direct access, which is often not true) would not get cross-realm group
memberships as defined in the IPA server and would therefore cause
issues.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-26 Thread Nordgren, Bryce L -FS

 The second @ is not provided by kerberos, it is rpcimapd making false
 assumptions, it does a getpwuid and gets back adt...@ad.example.org as
 the username, to which it decides to slap on the local REALM name with an @
 sign in between.

 I think this is something that may be handled with imapd.conf configuration.

Many thanks. This makes sense.

Found an old presentation on the topic [1]. Slide 15 is particularly relevant. 
Slide 4, however, taught me something I didn't know: NFS wants to deal with 
NFSv4 domain names (slide 3), which can be different than GSS principal names 
(Kerberos principals). There is only one NFS domain, but there can be multiple 
security realms and multiple DNS domains (slide 2).

The crux of this is on slide 14: Need to add posixAccount with GSSAuthName for 
UID/GID mapping of remote user.  Is this another use case for views?

What I'm not quite clear on is the interaction between idmapd and ldap (slides 
15,16,18). Does idmapd want to see this NFSv4RemoteUser schema on the LDAP 
server? Is this schema something that FreeIPA would have to support for NFS to 
work with cross-realm trusts? Or has the landscape changed since this 2005 
presentation?

Bryce

[1] 
http://www.citi.umich.edu/projects/nfsv4/crossrealm/ASC_NFSv4_WKSHP_X_DOMAIN_N2ID.pdf






Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-05 Thread Dmitri Pal

On 06/04/2014 09:57 AM, Johan Petersson wrote:

Yes the message is exactly like that with commas, I double checked.

To answer Sumit's question: Maybe adding 'linux.home' and 'ad.home' to  
Local-Realms in idmap.conf might help?

I did on all machines and got rid of that specific message but I still get user 
nobody unfortunately.

Here are logs from when I did a su - adt...@ad.home@linux.home with both 
AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:
Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: 
adt...@ad.home@linux.home timeout 600
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
nsswitch-name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid 
returned -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 
-22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling 
nsswitch-name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch-name_to_gid 
returned 0
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0


Do we have a corresponding SSSD trace that shows the actual process of 
the resolution?





NFS Server:
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling 
nsswitch-uid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch-uid_to_name 
returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 - name 
adt...@ad.home@linux.home
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling 
nsswitch-gid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch-gid_to_name 
returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 - name 
ad_us...@linux.home

The group ad_users is an IPA group with external maps from AD Domain users.

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, June 04, 2014 3:14 PM
To: Johan Petersson
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On Wed, 04 Jun 2014, Johan Petersson wrote:

Mail got posted before I was finished sorry.

I found one clue to the issue after increasing autofs logging to debug and as I 
thought it has to do with id-mapping.

From /var/log/messages:

Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map 
into domain 'linux.home,'

Are you sure the message is exactly like this, with a comma after linux.home?

The reason I'm asking is because the code that prints the message looks like 
this:

 localname = strip_domain(name, domain);
 IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
   "resulting localname '%s'\n", name, domain, localname));
 if (localname == NULL) {
 IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
 "into domain '%s'\n", name,
 domain ? domain : "not-provided"));
 goto err_free_buf;
 }

note that it doesn't have comma anywhere in the string printed.

Can you please increase the log level to 4 so that we can see the first string 
(nss_getpwnam: name '' domain '...': resulting localname ...)? it would be

[general]
   Verbosity = 4

in /etc/idmapd.conf





From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home)
gid=497801107(adt...@ad.home)
groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  
krbtgt/ad.h
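A triage helper for the `nss_getpwnam: name '...' does not map into domain '...'` line that Johan posted and Alexander traced to strip_domain(), as an added example in C. This is not nfs-utils code; the sample syslog lines are constructed on the pattern quoted in this thread, and the helper names `take_quoted`, `count_at` and `classify_idmap_line` are invented for the example. It separates the multi-'@' failure discussed here from an ordinary single-'@' mapping failure, which points at the Domain setting or NSS rather than at the split.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not nfs-utils code): classify the "does not map into domain"
 * lines that rpc.idmapd/nfsidmap write to syslog. For each such line it
 * extracts the quoted name and domain and reports whether the name carries
 * more than one '@', i.e. a domain-qualified (SSSD trusted-domain) user that
 * the first-'@' split in strip_domain() cannot handle. The log lines in main()
 * are constructed samples modelled on the ones quoted in this thread. */

#define MAX_FIELD 128

/* Copy the text between the first pair of single quotes at or after 'start'
 * into out. Returns a pointer just past the closing quote, or NULL. */
static const char *take_quoted(const char *start, char *out, size_t out_len)
{
    const char *q1 = strchr(start, '\'');
    if (q1 == NULL)
        return NULL;
    const char *q2 = strchr(q1 + 1, '\'');
    if (q2 == NULL)
        return NULL;
    size_t n = (size_t)(q2 - q1 - 1);
    if (n >= out_len)
        return NULL;
    memcpy(out, q1 + 1, n);
    out[n] = '\0';
    return q2 + 1;
}

/* Number of '@' characters in s. */
int count_at(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '@')
            n++;
    return n;
}

/* Classify one syslog line.
 *   0 : not an idmap "does not map" failure
 *   1 : failure for a name with a single '@' (plain Domain/NSS problem)
 *   2 : failure for a name with two or more '@' (multi-'@' split problem)
 * name/domain receive the extracted fields when the result is non-zero. */
int classify_idmap_line(const char *line, char *name, size_t name_len,
                        char *domain, size_t domain_len)
{
    static const char marker[] = "does not map into domain";
    const char *hit = strstr(line, "nss_getpwnam: name ");
    if (hit == NULL || strstr(line, marker) == NULL)
        return 0;
    const char *rest = take_quoted(hit, name, name_len);
    if (rest == NULL)
        return 0;
    rest = strstr(rest, marker);
    if (rest == NULL || take_quoted(rest, domain, domain_len) == NULL)
        return 0;
    return count_at(name) >= 2 ? 2 : 1;
}

int main(void)
{
    /* constructed sample lines, modelled on the thread */
    static const char *lines[] = {
        "Jun  4 15:30:13 client nfsidmap[1696]: nss_getpwnam: name "
        "'adtest@ad.home@linux.home' does not map into domain 'linux.home'",
        "Jun  4 15:30:14 client nfsidmap[1696]: nss_getpwnam: name "
        "'bob@other.example' does not map into domain 'linux.home'",
        "Jun  4 15:30:15 client nfsidmap[1696]: nfs4_name_to_gid: "
        "final return value is 0",
    };
    static const char *verdict[] = {
        "not an idmap failure",
        "single-'@' name: check Domain in idmapd.conf and NSS",
        "multi-'@' name: first-'@' split in strip_domain()",
    };
    char name[MAX_FIELD], domain[MAX_FIELD];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int kind = classify_idmap_line(lines[i], name, sizeof name,
                                       domain, sizeof domain);
        if (kind)
            printf("%s (domain %s): %s\n", name, domain, verdict[kind]);
        else
            printf("- %s\n", verdict[0]);
    }
    return 0;
}
```

The extraction keeps whatever is inside the quotes, so the trailing comma Johan saw in `'adt...@ad.home@linux.home,'` would be preserved in the reported name and is itself worth noticing, since the logging code Alexander quotes does not print one.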

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) 
groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
 renew until 06/05/14 11:28:30, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:35:16  06/04/14 21:35:16 nfs/share.linux.h...@linux.home
 renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
 renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
 renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both 
nobody.

The Client's sssd.conf:

[domain/linux.home]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = linux.home
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/03/2014 09:07 AM, Johan Petersson wrote:
Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for AD users 
logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can login fine through SSH and Shell with 
adt...@adexample.org
The problem is that I can add the AD user as owner of his Home Directory and if 
I log in to the NFS Server locally or through ssh permissions are correct, but 
when logging in to any other computer I get nobody as owner.
Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?


Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home 
Directory?

Thanks for any help.


This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying or
disseminating it or any information in it. Please notify the above if any 
misdirection.








--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
I found one clue to the issue and as I thought it has to do with m

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

Yes, Client is default RHEL 7 and both IPA and NFS Server are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home) 
gid=497801107(adt...@ad.home) 
groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  
krbtgt/ad.h...@ad.home
 renew until 06/05/14 11:28:30, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh 
adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:35:16  06/04/14 21:35:16 
nfs/share.linux.h...@linux.home
 renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  
krbtgt/linux.h...@ad.home
 renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  
krbtgt/ad.h...@ad.home
 renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both 
nobody.

The Client's sssd.conf:

[domain/linux.home]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = linux.home
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Tuesday, June 03, 2014 6:48 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

On 06/03/2014 09:07 AM, Johan Petersson wrote:
Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for AD users 
logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can login fine through SSH and Shell with 
adt...@adexample.org
The problem is that I can add the AD user as owner of his Home Directory and if 
I log in to the NFS Server locally or through ssh permissions are correct, but 
when logging in to any other computer I get nobody as owner.
Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?

Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home 
Directory?

Thanks for any help.








--

Thank you,

Dmitri Pal



Sr. Engineering Manager IdM portfolio

Red Hat, Inc.

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
Mail got posted before I was finished, sorry.

I found one clue to the issue after increasing autofs logging to debug, and as I 
thought it has to do with id-mapping.

From /var/log/messages:

Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map 
into domain 'linux.home,'


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Johan Petersson
Sent: Wednesday, June 04, 2014 12:02 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

Yes, the Client is default RHEL 7 and both the IPA and NFS Server are as well.


server.ad.home = AD Server
share.linux.home = NFS Server
ipa.linux.home = IPA Server
client.linux.home = Client

NFS with automounted krb5p Home Directories work for IPA users.

sssd-1.11.2-65.el7.x86_64

id adt...@ad.home
uid=497801107(adt...@ad.home) gid=497801107(adt...@ad.home) groups=497801107(adt...@ad.home),497800513(domain us...@ad.home)

getent passwd adt...@ad.home
adt...@ad.home:*:497801107:497801107::/home/ad.home/adtest:

klist after kinit adt...@ad.home

[root@client ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:28:35  06/04/14 21:28:35  krbtgt/ad.h...@ad.home
	renew until 06/05/14 11:28:30, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

klist after ssh adt...@ad.home@ipa.linux.home

klist
Ticket cache: KEYRING:persistent:497801107:krb_ccache_y5TW1kB
Default principal: adt...@ad.home

Valid starting     Expires            Service principal
06/04/14 11:35:16  06/04/14 21:35:16  nfs/share.linux.h...@linux.home
	renew until 06/05/14 11:28:30
06/04/14 11:35:16  06/04/14 21:35:16  krbtgt/linux.h...@ad.home
	renew until 06/05/14 11:28:30
06/04/14 11:28:35  06/04/14 21:35:16  krbtgt/ad.h...@ad.home
	renew until 06/05/14 11:28:30

Home Directory gets mounted by autofs through sssd but user:group is both 
nobody.

The Client's sssd.conf:

[domain/linux.home]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.home
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.linux.home
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa.linux.home
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
subdomains_provider = ipa
[sssd]
services = nss, pam, autofs, ssh
config_file_version = 2

domains = linux.home
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]



Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Sumit Bose
On Wed, Jun 04, 2014 at 12:24:11PM +, Johan Petersson wrote:
 Mail got posted before I was finished sorry.
 
 I found one clue to the issue after increasing autofs logging to debug and as 
 i thought it has to do with id-mapping.
 
 From /var/log/messages:
 
 Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map 
 into domain 'linux.home,'

Maybe adding 'linux.home' and 'ad.home' to Local-Realms in idmap.conf
might help?

I'll check the nfsidmap code to see how/if it can handle trusted
domains.

bye,
Sumit

 
 

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Alexander Bokovoy

On Wed, 04 Jun 2014, Johan Petersson wrote:

Mail got posted before I was finished sorry.

I found one clue to the issue after increasing autofs logging to debug and as i 
thought it has to do with id-mapping.


From /var/log/messages:


Nfsidmap[1696]: nss_getpwnam: name 'adt...@ad.home@linux.home,' does not map 
into domain 'linux.home,'

Are you sure the message is exactly like this, with a comma after linux.home?

The reason I'm asking is because the code that prints the message looks
like this:

	localname = strip_domain(name, domain);
	IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "
		  "resulting localname '%s'\n", name, domain, localname));
	if (localname == NULL) {
		IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "
			  "into domain '%s'\n", name,
			  domain ? domain : "<not-provided>"));
		goto err_free_buf;
	}

Note that it doesn't have a comma anywhere in the printed string.

Can you please increase the log level to 4 so that we can see the first
string ("nss_getpwnam: name '...' domain '...': resulting localname
'...'")? It would be

[general]
 Verbosity = 4

in /etc/idmapd.conf







Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-04 Thread Johan Petersson
Yes, the message is exactly like that, with commas; I double-checked.

To answer Sumit's question ("Maybe adding 'linux.home' and 'ad.home' to 
Local-Realms in idmap.conf might help?"):

I did that on all machines and got rid of that specific message, but I still get 
user nobody unfortunately.

Here are logs from when I did a su - adt...@ad.home@linux.home with both 
AD.HOME and LINUX.HOME added to Local_realms in idmap.conf.

Client:
Jun  4 15:30:13 client su: (to adt...@ad.home) linux on pts/0
Jun  4 15:30:13 client nfsidmap[3602]: key: 0x35965a5f type: gid value: adt...@ad.home@linux.home timeout 600
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is -22
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: calling nsswitch->name_to_gid
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
Jun  4 15:30:13 client nfsidmap[3602]: nfs4_name_to_gid: final return value is 0

NFS Server:
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=user
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_uid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (user) id 497801107 -> name adt...@ad.home@linux.home
Jun  4 15:33:48 share rpc.idmapd[1908]: nfsdcb: authbuf=gss/krb5p authtype=group
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Jun  4 15:33:48 share rpc.idmapd[1908]: nfs4_gid_to_name: final return value is 0
Jun  4 15:33:48 share rpc.idmapd[1908]: Server : (group) id 112005 -> name ad_us...@linux.home

The group ad_users is an IPA group with external members mapped from the AD Domain Users group.

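Alexander's nss_getpwnam() snippet above and Johan's follow-up logs (the 'does not map into domain' line, and the server-side gss/krb5p lookups after Local-Realms was added) both turn on how a name with two '@' signs is stripped before the passwd lookup. The following is an added example and is not nfs-utils code, nor anything posted in this thread: a small Python model of that lookup, fed a constructed idmapd.conf and a constructed passwd map shaped like the getent output quoted earlier. strip_domain() and the Local-Realms principal path are my reading of nfs-utils and should be treated as assumptions; the config with a trailing comma after Domain is a constructed case that merely produces a message of the quoted shape, not a claim about the poster's setup.

```python
"""Offline model of two nfs-utils idmapping paths (added example; not
nfs-utils source and not from the thread).  The nss_getpwnam() control
flow quoted above is mirrored; strip_domain() and the Local-Realms
principal path are re-implemented from my reading of nfs-utils and are
an approximation of the real library.
"""
import re

# Constructed idmapd.conf fragments (not from the thread).  The trailing
# comma after Domain in the second one is deliberate: it reproduces the
# shape of the quoted 'does not map into domain' log line.
IDMAPD_CONF_OK = """
[General]
Domain = linux.home
Local-Realms = LINUX.HOME,AD.HOME
"""
IDMAPD_CONF_BAD_DOMAIN = """
[General]
Domain = linux.home,
"""

# Constructed passwd view shaped like the 'getent passwd' output above:
# SSSD exposes the trusted-domain user under its fully qualified name only.
PASSWD_DB = {"adtest@ad.home": 497801107}


def parse_idmapd_conf(text):
    """Minimal ini parser: {section: {key: value}}, values kept verbatim,
    so a stray ',' in Domain= survives into the lookup exactly as typed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf[section] = {}
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def strip_domain(name, domain):
    """Local part of 'user@DOMAIN' when DOMAIN matches case-insensitively,
    else None (assumed strip_domain() semantics).  Only the LAST '@' counts,
    so 'adtest@ad.home@linux.home' with domain 'linux.home' -> 'adtest@ad.home'."""
    idx = name.rfind("@")
    if idx < 0:
        return name if domain is None else None
    if domain is not None and name[idx + 1:].lower() != domain.lower():
        return None
    return name[:idx]


def nss_getpwnam(name, domain, passwd_db=PASSWD_DB):
    """Control flow of the quoted snippet: returns (uid or None, log line)."""
    localname = strip_domain(name, domain)
    if localname is None:
        return None, "nss_getpwnam: name '%s' does not map into domain '%s'" % (
            name, domain if domain is not None else "<not-provided>")
    return passwd_db.get(localname), (
        "nss_getpwnam: name '%s' domain '%s': resulting localname '%s'"
        % (name, domain, localname))


def owner_name_to_uid(conf_text, name="adtest@ad.home@linux.home"):
    """NFSv4 owner string -> uid, driven by the Domain= setting."""
    domain = parse_idmapd_conf(conf_text).get("General", {}).get("Domain")
    return nss_getpwnam(name, domain)


def gss_princ_to_uid(conf_text, princ="adtest@AD.HOME"):
    """Kerberos principal -> uid on a krb5p export (assumed behaviour: the
    realm must be listed in Local-Realms, then it is stripped and the bare
    name is looked up).  Returns (uid or None, log line)."""
    general = parse_idmapd_conf(conf_text).get("General", {})
    realms = [r.strip().upper() for r in general.get("Local-Realms", "").split(",") if r.strip()]
    realm = princ.rpartition("@")[2]
    if realm.upper() not in realms:
        return None, "realm '%s' not in Local-Realms %s" % (realm, realms)
    return nss_getpwnam(princ, realm)


if __name__ == "__main__":
    print(owner_name_to_uid(IDMAPD_CONF_OK))
    print(owner_name_to_uid(IDMAPD_CONF_BAD_DOMAIN))
    print(gss_princ_to_uid(IDMAPD_CONF_OK))
```

Under these assumptions the owner-attribute path maps 'adtest@ad.home@linux.home' correctly once Domain is exactly 'linux.home', while the principal path strips the realm down to the bare 'adtest', which the passwd map built from the quoted getent output does not contain. That is the check worth running by hand on the NFS server: whether `getent passwd` answers for the name that is left after the realm or domain suffix is removed.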

[Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-03 Thread Johan Petersson
Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for AD users 
logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can log in fine through SSH and Shell with adt...@adexample.org
The problem is that I can add the AD user as owner of his Home Directory, and if 
I log in to the NFS Server locally or through ssh permissions are correct, but 
when logging in to any other computer I get nobody as owner.
Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his Home 
Directory?

Thanks for any help.


This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying 
or disseminating it or any information in it. Please notify the above if any 
misdirection.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-03 Thread Dmitri Pal

On 06/03/2014 09:07 AM, Johan Petersson wrote:


Hi,

Environment:

RHEL 7 IPA Server 3.3 with a trust to a Windows 2012 Server AD
RHEL 7 NFS Server
RHEL 7 Client

I have found one problem when using an NFS 4 shared Home Directory for 
AD users logging in to IPA.
I have created an NFS share /home/adexample.org and use an autofs map in IPA.
All wbinfo tests work, as well as id.
I can log in fine through SSH and Shell with adt...@adexample.org
The problem is that I can add the AD user as owner of his Home 
Directory, and if I log in to the NFS Server locally or through ssh 
permissions are correct, but when logging in to any other computer I 
get nobody as owner.

Are those computers RHEL7 NFS clients with SSSD?
Can you describe them in more details please?

Groups are no problem since AD groups can be mapped to Posix groups.

Idmap.conf domain is set to the IPA Domain.

Is there some way to get NFS working with the AD user as owner of his 
Home Directory?

Thanks for any help.

This e-mail is private and confidential between the sender and the addressee.
In the event of misdirection, the recipient is prohibited from using, copying or
disseminating it or any information in it. Please notify the above if any misdirection.




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] IPA / AD Trust

2014-03-14 Thread Todd Maugh
Does IPA support a trust with AD yet?

I've seen that this is coming in a future release but I haven't found anything 
that says it has been released.

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA / AD Trust

2014-03-14 Thread Dmitri Pal

On 03/14/2014 03:20 PM, Todd Maugh wrote:

Does IPA support a trust with AD yet?

I've seen that this is coming in a future release but I haven't found 
anything that says it has been released.


-Todd


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

IPA 3.3.x + SSSD 1.11.x

It is released upstream and in Fedora. It will be a part of the RHEL7 release.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa AD trust issue

2014-02-05 Thread Dmitri Pal
On 02/04/2014 03:28 PM, Steve Dainard wrote:



 has anyone worked it out. Secondly cifs-utils has dependency on
 samba3 packages and ipa-ad-trust needs samba4 but samba3 and
 samba4 don't like each other , so this is the story of my
 experience with ipa. Any suggestions ?

 Why do you need cifs-utils on the same server?
 cifs-utils to make a system a client to MSFT file server, AFAIU
 you cant make IPA server to be a cifs client.


 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

 Step 3 mentions that cifs-utils is required, but:

 yum install cifs-utils
 Loaded plugins: product-id, security, subscription-manager
 This system is receiving updates from Red Hat Subscription Management.
 rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
 rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
 rhel-6-server-rpms            | 3.7 kB 00:00
 Setting up Install Process
 Resolving Dependencies
 --> Running transaction check
 ---> Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
 --> Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
 --> Running transaction check
 ---> Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
 --> Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
 --> Running transaction check
 ---> Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
 --> Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
 --> Running transaction check
 ---> Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
 --> Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common < 3.9.9
 --> Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind < 3.9.9
 --> Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients < 3.9.9
 --> Finished Dependency Resolution
 Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
 Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
 Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest


 Is this no longer a requirement? Can this documentation be updated?

 Steve
  


Can you please file a BZ?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa AD trust issue

2014-02-05 Thread Steve Dainard
https://bugzilla.redhat.com/show_bug.cgi?id=1061897

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic
519-513-2407 ex.250
877-646-8476 (toll-free)

Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision
--
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa AD trust issue

2014-02-04 Thread Steve Dainard



  has anyone worked it out. Secondly cifs-utils has dependency on samba3
 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like
 each other , so this is the story of my experience with ipa. Any
 suggestions ?


 Why do you need cifs-utils on the same server?
 cifs-utils to make a system a client to MSFT file server, AFAIU you cant
 make IPA server to be a cifs client.


https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

Step 3 mentions that cifs-utils is required, but:

yum install cifs-utils
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
rhel-6-server-rpms            | 3.7 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
--> Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
--> Running transaction check
---> Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
--> Running transaction check
---> Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
--> Running transaction check
---> Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common < 3.9.9
--> Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind < 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients < 3.9.9
--> Finished Dependency Resolution
Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest


Is this no longer a requirement? Can this documentation be updated?

Steve

[Freeipa-users] Ipa AD trust

2014-01-24 Thread Zulkifal Ahmad
Hi List , I want an update on this bug .

https://bugzilla.samba.org/show_bug.cgi?id=9618

Thanks


 Best Regards

Sahibzada .Z. Ahmad
System Administrator

Re: [Freeipa-users] Ipa AD trust

2014-01-24 Thread Sumit Bose
On Fri, Jan 24, 2014 at 04:32:33PM +, Zulkifal Ahmad wrote:
 Hi List , I want an update on this bug .
 
 https://bugzilla.samba.org/show_bug.cgi?id=9618

I just re-tested with the python script from the ticket and Samba-4.1.3
and it seems to be fixed.

HTH

bye,
Sumit

 
 Thanks
 
 
  Best Regards
 
 Sahibzada .Z. Ahmad
 System Administrator


Re: [Freeipa-users] ipa AD trust issue

2014-01-23 Thread Zulkifal Ahmad
Hi, in reference to the following thread, I already have an entry for the AD server
in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS
servers are resolving the records from the opposite side. Any other
suggestions to remove this error?

root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password


ipa: ERROR: CIFS server communication error: code -1073741801,
message Memory allocation error (both may be None)

 

Thanks

Zulkifal Ahmad


 

On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
 Hi List, just wanted to find out if anyone has set up an ipa-AD trust
 successfully. According to the instructions in the following link
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
 everything went well until I hit the point where I had to check the
 samba configuration by typing the command
 root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
 smbclient: command not found
 and similar for
 root@ipaserver# wbinfo --online-status
 wbinfo: command not found
 
 I am pretty sure that the ipa-trust-install command did
 install samba4 packages as dependencies; anyway, I thought these
 packages were not necessary and went forward until I got really stuck
 when I typed the command
 root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
 This gave me a very cruel message
 ipa: ERROR: CIFS server communication error: code -1073741801,
 message Memory allocation error (both may be None)
 If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
 
Yes. The solution is:
 
If configured, the Active Directory (AD) DNS server returns IPv4 and
IPv6 addresses of an AD server. If the FreeIPA server cannot connect to
the AD server with an IPv6 address, running the ipa trust-add command
will fail even if it would be possible to use IPv4. To work around this
problem, add the IPv4 address of the AD server to the /etc/hosts file.
In this case, the FreeIPA server will use only the IPv4 address and
executing ipa trust-add will be successful.
 
 has anyone worked it out? Secondly, cifs-utils has a dependency on samba3
 packages and ipa-ad-trust needs samba4, but samba3 and samba4 don't
 like each other, so this is the story of my experience with ipa. Any
 suggestions?
 
Why do you need cifs-utils on the same server?
cifs-utils is to make a system a client of an MSFT file server; AFAIU you can't
make the IPA server a cifs client.
 
SSSD 1.12 (in the works) is going to be capable of working with cifs-utils
instead of samba winbind, thus the limitation will be lifted.
 
 
 My ipa server OS: CentOS 6.5
 ipa server version: 3
 Active directory: server 2008 R2 Standard
 
 Thank you
 Best Regards
 
 Sahibzada .Z. Ahmad
 System Administrator


 Best Regards

Sahibzada .Z. Ahmad
System Administrator
cell: 1(678)267-0265 (US)
cell: 1(647)339-5434  (Canada)

Re: [Freeipa-users] ipa AD trust issue

2014-01-23 Thread Alexander Bokovoy

On Thu, 23 Jan 2014, Zulkifal Ahmad wrote:

Hi, in reference to the following thread, I already have an entry for the AD server
in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS
servers are resolving the records from the opposite side. Any other
suggestions to remove this error?

root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password


ipa: ERROR: CIFS server communication error: code -1073741801,
message Memory allocation error (both may be None)

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty in [global]
section and try again.

You'll get SMB traffic debugging in /var/log/httpd/error_log.

Adding and removing 'log level = 100' to /usr/share/ipa/smb.conf.empty
does not require restarting httpd.

Thanks

Zulkifal Ahmad




On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:

Hi List, just wanted to find out if anyone has set up an ipa-AD trust
successfully. According to the instructions in the following link
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
everything went well until I hit the point where I had to check the
samba configuration by typing the command
root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
smbclient: command not found
and similar for
root@ipaserver# wbinfo --online-status
wbinfo: command not found

I am pretty sure that the ipa-trust-install command did
install samba4 packages as dependencies; anyway, I thought these
packages were not necessary and went forward until I got really stuck
when I typed the command
root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
This gave me a very cruel message
ipa: ERROR: CIFS server communication error: code -1073741801,
message Memory allocation error (both may be None)
If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168


Yes. The solution is:

If configured, the Active Directory (AD) DNS server returns IPv4 and
IPv6 addresses of an AD server. If the FreeIPA server cannot connect to
the AD server with an IPv6 address, running the ipa trust-add command
will fail even if it would be possible to use IPv4. To work around this
problem, add the IPv4 address of the AD server to the /etc/hosts file.
In this case, the FreeIPA server will use only the IPv4 address and
executing ipa trust-add will be successful.


has anyone worked it out? Secondly, cifs-utils has a dependency on samba3
packages and ipa-ad-trust needs samba4, but samba3 and samba4 don't
like each other, so this is the story of my experience with ipa. Any
suggestions?


Why do you need cifs-utils on the same server?
cifs-utils is to make a system a client of an MSFT file server; AFAIU you can't
make the IPA server a cifs client.

SSSD 1.12 (in the works) is going to be capable of working with cifs-utils
instead of samba winbind, thus the limitation will be lifted.



My ipa server OS: CentOS 6.5
ipa server version: 3
Active directory: server 2008 R2 Standard

Thank you
Best Regards

Sahibzada .Z. Ahmad
System Administrator



Best Regards

Sahibzada .Z. Ahmad
System Administrator
cell: 1(678)267-0265 (US)
cell: 1(647)339-5434  (Canada)



--
/ Alexander Bokovoy
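Alexander's tip above is a hand edit of /usr/share/ipa/smb.conf.empty. Here is an added example (not FreeIPA or Samba code) of making that edit programmatically, so the debug setting can be switched on for one reproduction and reliably removed afterwards without disturbing the rest of the file. The smb.conf contents in the sample are constructed and do not reflect the real file; only the `[global]` section and the `log level` key come from the thread.

```python
"""Toggle 'log level = 100' in the [global] section of an smb.conf-style
file, leaving everything else byte-for-byte intact.
Added example, not FreeIPA code; SAMPLE_SMB_CONF is constructed and is not
the real /usr/share/ipa/smb.conf.empty."""
import re
from typing import List, Optional

# Constructed sample in smb.conf syntax: [section] headers, key = value,
# and ';' / '#' comment lines.
SAMPLE_SMB_CONF = """\
[global]
workgroup = IPAEXAMPLE
security = user
; local comment, must survive the edit

[ipa]
path = /var/lib/samba
"""

_HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def _key_of(line: str) -> Optional[str]:
    """Normalised key of a 'key = value' line; None for blanks, comments, headers."""
    stripped = line.strip()
    if not stripped or stripped[0] in ";#" or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip().lower()


def _rewrite_global(text: str, new_line: Optional[str]) -> str:
    """Drop any 'log level' line from [global]; if new_line is given, put it
    where the old one was, or at the end of [global] if there was none."""
    out: List[str] = []
    in_global = False
    placed = new_line is None  # nothing to place when clearing

    def place() -> None:
        nonlocal placed
        if placed:
            return
        # insert before trailing blank lines so the section stays tidy
        idx = len(out)
        while idx > 0 and not out[idx - 1].strip():
            idx -= 1
        out.insert(idx, new_line)
        placed = True

    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            if in_global:
                place()  # leaving [global] without having seen the key
            in_global = m.group(1).strip().lower() == "global"
            out.append(line)
            continue
        if in_global and _key_of(line) == "log level":
            place()  # replace the old line in position
            continue
        out.append(line)
    if in_global:
        place()  # [global] was the last section
    if not placed:
        out = ["[global]", new_line, ""] + out  # no [global] section at all
    return "\n".join(out) + "\n"


def set_smb_log_level(text: str, level: int = 100) -> str:
    """Return text with 'log level = <level>' set in [global]."""
    return _rewrite_global(text, f"log level = {level}")


def clear_smb_log_level(text: str) -> str:
    """Return text with any 'log level' line removed from [global]."""
    return _rewrite_global(text, None)


def smb_log_level(text: str) -> Optional[int]:
    """Current 'log level' in [global], or None when it is not set."""
    in_global = False
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            in_global = m.group(1).strip().lower() == "global"
            continue
        if in_global and _key_of(line) == "log level":
            return int(line.split("=", 1)[1].strip())
    return None


if __name__ == "__main__":
    debug = set_smb_log_level(SAMPLE_SMB_CONF)
    print(debug)
    print("restored:", clear_smb_log_level(debug) == SAMPLE_SMB_CONF)
```

As the thread notes, httpd picks the change up without a restart. Level 100 is very verbose, and the SMB trace lands in /var/log/httpd/error_log, so clear the setting again once the failing trust-add has been captured and treat that log as sensitive while it is on.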


Re: [Freeipa-users] ipa AD trust issue

2014-01-17 Thread Zulkifal Ahmad
Hi List, just wanted to find out if anyone has set up an ipa-AD trust
successfully. According to the instructions in the following link
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
everything went well until I hit the point where I had to check the samba
configuration by typing the command
root@ipaserver#  smbclient -L ipaserver.ipaexample.com -k
smbclient: command not found
and similar for
root@ipaserver#  wbinfo --online-status
wbinfo: command not found

I am pretty sure that the ipa-trust-install command did install
samba4 packages as dependencies; anyway, I thought these packages were not
necessary and went forward until I got really stuck when I typed the command
root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
This gave me a very cruel message
ipa: ERROR: CIFS server communication error: code -1073741801,
  message Memory allocation error (both may be None)
If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168
has anyone worked it out? Secondly, cifs-utils has a dependency on samba3 packages
and ipa-ad-trust needs samba4, but samba3 and samba4 don't like each other, so
this is the story of my experience with ipa. Any suggestions?
My ipa server OS: CentOS 6.5
ipa server version: 3
Active directory: server 2008 R2 Standard
 
Thank you
 Best Regards

Sahibzada .Z. Ahmad

System Administrator

Re: [Freeipa-users] ipa AD trust issue

2014-01-17 Thread Dmitri Pal
On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:
 Hi List, just wanted to find out if anyone has set up an ipa-AD trust
 successfully. According to the instructions in the following link
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html
 everything went well until I hit the point where I had to check the
 samba configuration by typing the command
 root@ipaserver#  smbclient -L ipaserver.ipaexample.com -k
 smbclient: command not found
 and similar for
 root@ipaserver#  wbinfo --online-status
 wbinfo: command not found
  
 I am pretty sure that the ipa-trust-install command did
 install samba4 packages as dependencies; anyway, I thought these
 packages were not necessary and went forward until I got really stuck
 when I typed the command
 root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
 This gave me a very cruel message
 ipa: ERROR: CIFS server communication error: code -1073741801,
   message Memory allocation error (both may be None)
 If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168

Yes. The solution is:

If configured, the Active Directory (AD) DNS server returns IPv4 and
IPv6 addresses of an AD server. If the FreeIPA server cannot connect to
the AD server with an IPv6 address, running the ipa trust-add command
will fail even if it would be possible to use IPv4. To work around this
problem, add the IPv4 address of the AD server to the /etc/hosts file.
In this case, the FreeIPA server will use only the IPv4 address and
executing ipa trust-add will be successful.

 has anyone worked it out? Secondly, cifs-utils has a dependency on samba3
 packages and ipa-ad-trust needs samba4, but samba3 and samba4 don't
 like each other, so this is the story of my experience with ipa. Any
 suggestions?

Why do you need cifs-utils on the same server?
cifs-utils is to make a system a client of an MSFT file server; AFAIU you can't
make the IPA server a cifs client.

SSSD 1.12 (in the works) is going to be capable of working with cifs-utils
instead of samba winbind, thus the limitation will be lifted.


 My ipa server OS: CentOS 6.5
 ipa server version: 3
 Active directory: server 2008 R2 Standard
  
 Thank you
 Best Regards
 
 Sahibzada .Z. Ahmad
 System Administrator


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
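Dmitri's workaround above (pin the AD server's IPv4 address in /etc/hosts when DNS also returns IPv6) is easy to get subtly wrong: a stale or aliased entry, or a pin for the wrong name, leaves the trust-add failure in place. The following added example (not FreeIPA code) parses /etc/hosts syntax properly and classifies a domain controller as needing, having, or not needing such a pin. The host name dc1.adexample.com and the addresses are constructed for the example (documentation ranges 192.0.2.0/24 and 2001:db8::/32); only adexample.com comes from the thread.

```python
"""Check the /etc/hosts IPv4 pin for an AD domain controller.
Added example, not FreeIPA code; SAMPLE_HOSTS, dc1.adexample.com and the
addresses are constructed for illustration."""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed /etc/hosts contents: comments, an alias column and one pin.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost6
# constructed: pin the AD domain controller to its IPv4 address
192.0.2.10  dc1.adexample.com dc1
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse /etc/hosts syntax into {lower-case name: [addresses]}.
    Comments ('#' to end of line), blank lines and lines whose first field
    is not an IP address are skipped; every alias on a line maps to that
    line's address, so a name may collect several addresses."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def ipv4_pin_for(hosts_text: str, fqdn: str) -> Optional[str]:
    """The IPv4 address pinned for fqdn in /etc/hosts, or None."""
    for addr in parse_hosts(hosts_text).get(fqdn.lower(), []):
        if ipaddress.ip_address(addr).version == 4:
            return addr
    return None


def resolve(fqdn: str) -> List[str]:
    """Addresses the resolver returns for fqdn (both families); needs network."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def check_dc(hosts_text: str, fqdn: str, resolved: List[str]) -> Tuple[str, str]:
    """Classify the DC given what DNS returned for it:
       'ok'           no IPv6 address returned, nothing to do
       'pinned'       IPv6 returned, but an IPv4 pin exists in /etc/hosts
       'pin-missing'  IPv6 returned and no pin: the trust-add failure
                      described in the thread can occur"""
    v6 = [a for a in resolved if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in resolved if ipaddress.ip_address(a).version == 4]
    if not v6:
        return "ok", f"{fqdn} resolves to IPv4 only: {', '.join(v4) or 'none'}"
    pin = ipv4_pin_for(hosts_text, fqdn)
    if pin is None:
        hint = v4[0] if v4 else "<ipv4-address>"
        return "pin-missing", (f"add '{hint} {fqdn}' to /etc/hosts "
                               f"(DNS also returns {', '.join(v6)})")
    return "pinned", f"{fqdn} pinned to {pin}; IPv6 {', '.join(v6)} will not be used"


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.adexample.com"
    with open("/etc/hosts") as fh:
        hosts_text = fh.read()
    try:
        addrs = resolve(dc)
    except socket.gaierror as exc:
        sys.exit(f"cannot resolve {dc}: {exc}")
    print(*check_dc(hosts_text, dc, addrs), sep=": ")
```

The pin only takes effect when /etc/nsswitch.conf consults `files` before `dns` for the `hosts` database (the RHEL default), and it should be removed again once the AD server is reachable over IPv6 or the underlying connectivity problem is fixed, since a stale pin will silently break resolution when the DC's address changes.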

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread KevinTang
Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD be 'copied' to IPA AD, and will my IPA client be able to
log on with the Windows AD username only? (only using 'userA' to log in directly,
not 'userA@win_ad.com').

Or after replication, can I use an IPA account to log on to a Windows client PC with only
the ipa username? (only using 'userB' to log on, rather than 'userB@ipa_ad.com').

Thank you very much
Kevin Tang




From:   Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date:   09/11/2013 12:52 PM
Subject:Re: [Freeipa-users] IPA AD Trust issue



On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
Dear all,

I am new to IPA and have some questions about the setup.
I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
Windows AD already have a 2-way trust. Windows AD users can log on to the
IPA client PC.

I have 3 questions about further setup.

1) IPA client login issue.
On the IPA client, if a Windows AD user wants to log in, they need to type the full name
such as 'userA@win_ad.com'. How do I let Windows AD users log on only with
their username? That is, only use 'userA' to log on to the IPA client PC rather
than 'userA@win_ad.com'?
Not supported. There could be some obscure SSSD setting to allow one
SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD
domains are represented as subdomains of a single IPA provider, full UPN is
used to distinguish and discover which subdomain they belong to for
performance reasons.

2) Windows login issue.
I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
Since this Windows PC has already joined the win_ad domain, it allows Windows AD
domain users to log on. But when I try to log on as an IPA user, for example
as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
currently no logon servers available to service the logon request.' and
does not allow the IPA user to log on. What do I do now? Do I need to modify
the Windows AD settings, or the Windows client PC settings?
We do not support this mode yet, it requires implementation of Global
Catalog service on IPA side which is not done yet. Plans for doing that
are in Fedora 20-21 time frame.

3) Windows login issue.
Can I log in to a Windows AD client PC with the IPA username only (not including the
IPA domain)? That is, only use 'userB' as the username to log in?
No. Only users from the domain Windows PC is joined to could be logged
without explicit domain name. Since IPA domain belongs to a separate
forest, you cannot log in without explicit domain prefix. Please note, even
that will only be possible when we implement Global Catalog service on
IPA side.

-- 
/ Alexander Bokovoy

Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread Alexander Bokovoy

On Wed, 11 Sep 2013, kevint...@umac.mo wrote:

Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD be 'copied' to IPA AD, and will my IPA client be able to
log on with the Windows AD username only? (only using 'userA' to log in directly,
not 'userA@win_ad.com').

If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync which is copying user entries from AD to IPA. In this
case AD users become IPA users. It is not a trust per se, only a
synchronization. In particular, users will not be able to use their AD
Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a
user name.


Or after replication, can I use an IPA account to log on to a Windows client PC with only
the ipa username? (only using 'userB' to log on, rather than 'userB@ipa_ad.com').

No, synchronization is from AD to IPA, not the other way around. A
change in IPA for the account which was synchronized from AD will be
propagated back to AD but IPA users will not be copied to AD.

--
/ Alexander Bokovoy


Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread Jakub Hrozek
 1)  IPA Client Login issue.
 In IPA client, if Windows AD user want to login, It need to type full name
 such as 'userA@win_ad.com'. How do I let Windows AD user logon only with
 their username? That means only use 'userA' to logon IPA Client PC rather
 than 'userA@win_ad.com' ?
 Not supported. There could be some obscure SSSD setting to allow one
 SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD
 domains are represented as subdomains of a single IPA provider, full UPN is
 used to distinguish and discover which subdomain they belong to for
 performance reasons.

Actually you can use default_domain_suffix in the [sssd] section. But
then you need to fully-qualify the users from the IPA domain.

 default_domain_suffix (string)
  This string will be used as a default domain name for all names without a
  domain name component. The main use case is environments where the primary
  domain is intended for managing host policies and all users are located in a
  trusted domain. The option allows those users to log in just with their user
  name without giving a domain name as well.

  Please note that if this option is set all users from the primary domain have
  to use their fully qualified name, e.g. u...@domain.name, to log in.

  Default: not set
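The man page excerpt Jakub quotes carries a caveat that is easy to miss in a trust setup: once `default_domain_suffix` points at the AD domain, a bare name such as `userB` no longer means the IPA user but the AD user of that name, so IPA-domain users must qualify their logins. The following added example (not SSSD code) reads the `[sssd]` section of an sssd.conf fragment with Python's configparser and models that qualification rule so an admin can see, before rolling the option out, which short logins keep working and which users are affected. The sssd.conf fragment is constructed; the domain names ipa_ad.com and win_ad.com are the ones used in this thread.

```python
"""Model SSSD's name qualification under default_domain_suffix.
Added example, not SSSD code; SAMPLE_SSSD_CONF is constructed and the
domain names ipa_ad.com / win_ad.com are the thread's examples."""
import configparser
from typing import List, Optional, Tuple

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa_ad.com
default_domain_suffix = win_ad.com

[domain/ipa_ad.com]
id_provider = ipa
ipa_server = ipaserver.ipa_ad.com
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    # interpolation=None: sssd.conf values may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def default_domain_suffix(conf_text: str) -> Optional[str]:
    """Value of [sssd] default_domain_suffix, or None when unset."""
    return _parse(conf_text).get("sssd", "default_domain_suffix", fallback=None)


def primary_domain(conf_text: str) -> str:
    """First entry of [sssd] domains = ..., i.e. the primary SSSD domain."""
    return _parse(conf_text).get("sssd", "domains").split(",")[0].strip()


def qualify(login: str, primary: str, suffix: Optional[str]) -> Tuple[str, str]:
    """(user, domain) as SSSD interprets a login name: a name containing '@'
    is fully qualified; a bare name gets default_domain_suffix when set,
    otherwise the primary domain."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain.lower()
    return login, (suffix or primary).lower()


def shortest_login(user: str, domain: str, primary: str,
                   suffix: Optional[str]) -> str:
    """Shortest login string that SSSD resolves to user in domain."""
    bare_target = (suffix or primary).lower()
    return user if domain.lower() == bare_target else f"{user}@{domain}"


def audit(conf_text: str, users: List[Tuple[str, str]]) -> List[str]:
    """For each (user, domain) report the login form that works under conf."""
    primary = primary_domain(conf_text)
    suffix = default_domain_suffix(conf_text)
    return [f"{u} in {d} -> log in as '{shortest_login(u, d, primary, suffix)}'"
            for u, d in users]


if __name__ == "__main__":
    # userA is the AD user and userB the IPA user from the thread
    for line in audit(SAMPLE_SSSD_CONF, [("userA", "win_ad.com"),
                                         ("userB", "ipa_ad.com")]):
        print(line)
```

Run against the sample, the audit shows `userA` logging in unqualified while `userB` must use `userB@ipa_ad.com`; drop the `default_domain_suffix` line and the two swap. That is the trade-off Jakub describes: the option moves the short-name convenience from the IPA domain to the trusted AD domain rather than granting it to both.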


Re: [Freeipa-users] IPA AD Trust issue

2013-09-11 Thread KevinTang
Dear Alexander,

Understand, thank you very much.

Kevin.



From:   Alexander Bokovoy aboko...@redhat.com
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date:   09/11/2013 02:52 PM
Subject:Re: [Freeipa-users] IPA AD Trust issue



On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will
all user accounts in Windows AD be 'copied' to IPA AD, and will my IPA client be able to
log on with the Windows AD username only? (only using 'userA' to log in directly,
not 'userA@win_ad.com').
If you are using ipa-replica-prepare against Windows AD, you are using
winsync/passsync which is copying user entries from AD to IPA. In this
case AD users become IPA users. It is not a trust per se, only a
synchronization. In particular, users will not be able to use their AD
Kerberos credentials at all.

But yes, in winsync case these users will be able to login with just a
user name.

Or after replication, can I use an IPA account to log on to a Windows client PC with only
the ipa username? (only using 'userB' to log on, rather than 'userB@ipa_ad.com').
No, synchronization is from AD to IPA, not the other way around. A
change in IPA for the account which was synchronized from AD will be
propagated back to AD but IPA users will not be copied to AD.

-- 
/ Alexander Bokovoy

[Freeipa-users] IPA AD Trust issue

2013-09-10 Thread KevinTang
Dear all,

I am new to IPA and have some questions about the setup.
I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
Windows AD already have a 2-way trust. Windows AD users can log on to the
IPA client PC.

I have 3 questions about further setup.

1) IPA client login issue.
On the IPA client, if a Windows AD user wants to log in, they need to type the full name
such as 'userA@win_ad.com'. How do I let Windows AD users log on only with
their username? That is, only use 'userA' to log on to the IPA client PC rather
than 'userA@win_ad.com'?

2) Windows login issue.
I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
Since this Windows PC has already joined the win_ad domain, it allows Windows AD
domain users to log on. But when I try to log on as an IPA user, for example
as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
currently no logon servers available to service the logon request.' and
does not allow the IPA user to log on. What do I do now? Do I need to modify
the Windows AD settings, or the Windows client PC settings?

3) Windows login issue.
Can I log in to a Windows AD client PC with the IPA username only (not including the
IPA domain)? That is, only use 'userB' as the username to log in?

Thanks all
Kevin Tang

Re: [Freeipa-users] IPA AD Trust issue

2013-09-10 Thread Alexander Bokovoy

On Wed, 11 Sep 2013, kevint...@umac.mo wrote:

Dear all,

I am new to IPA and have some questions about the setup.
I have already set up an IPA server (CentOS 6.4 64bit), an IPA client (CentOS 6.4
64bit), and Windows AD (Windows 2008 R2 Standard 64bit). The IPA server and
Windows AD already have a 2-way trust. Windows AD users can log on to the
IPA client PC.

I have 3 questions about further setup.

1) IPA client login issue.
On the IPA client, if a Windows AD user wants to log in, they need to type the full name
such as 'userA@win_ad.com'. How do I let Windows AD users log on only with
their username? That is, only use 'userA' to log on to the IPA client PC rather
than 'userA@win_ad.com'?

Not supported. There could be some obscure SSSD setting to allow one
SSSD domain (as in /etc/sss/sssd.conf) be default but since trusted AD
domains are represented as subdomains of a single IPA provider, full UPN is
used to distinguish and discover which subdomain they belong to for
performance reasons.


2) Windows login issue.
I want to log on to a Windows AD client PC (the client PC's OS is Windows 7).
Since this Windows PC has already joined the win_ad domain, it allows Windows AD
domain users to log on. But when I try to log on as an IPA user, for example
as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are
currently no logon servers available to service the logon request.' and
does not allow the IPA user to log on. What do I do now? Do I need to modify
the Windows AD settings, or the Windows client PC settings?

We do not support this mode yet, it requires implementation of Global
Catalog service on IPA side which is not done yet. Plans for doing that
are in Fedora 20-21 time frame.


3) Windows login issue.
Can I log in to a Windows AD client PC with the IPA username only (not including the
IPA domain)? That is, only use 'userB' as the username to log in?

No. Only users from the domain Windows PC is joined to could be logged
without explicit domain name. Since IPA domain belongs to a separate
forest, you cannot log in without explicit domain prefix. Please note, even
that will only be possible when we implement Global Catalog service on
IPA side.

--
/ Alexander Bokovoy


Re: [Freeipa-users] IPA AD trust question

2013-05-31 Thread Martin Kosek
On 05/31/2013 09:37 AM, Sumit Bose wrote:
 On Fri, May 31, 2013 at 06:52:27AM +, Ondrej Valousek wrote:
 Hi List,

 I have a question - is it possible to use AD trust the way that:
 1. All users are stored in AD
 2. All Unix specific information (automount maps, sudo rules, HBAC rules) 
 are stored in IPA?
 
 Yes, sudo and HBAC for sure, I haven't tested automount maps but so far
 I can see no issues.
 

 If yes then:
 1. Will this scenario honour the RFC2307 user attributes in AD?
 
 We are trying to support RFC2307 attributes in AD with the next releases
 for SSSD and FreeIPA. Currently only algorithmic ID mapping based on the
 AD user's RID is available.

Ondreji, this is by the way the upstream ticket under which this feature is
being implemented (in case you want to follow it):

https://fedorahosted.org/freeipa/ticket/2904

There are other tickets targeted on AD cooperation in FreeIPA 3.3 release
(https://fedorahosted.org/freeipa/report/3), you may also want to check that
they address your needs (and provide comments if they don't). We are still in a
design phase, so some amendments are possible.

Thanks,
Martin