[Freeipa-users] Fwd: FreeIPA installation on centos 7

2017-02-02 Thread amit bhatt
-- Forwarded message --
From: amit bhatt 
Date: Thu, Feb 2, 2017 at 10:56 PM
Subject: FreeIPA installation on centos 7
To: freeipa-users@redhat.com


My QA development setup is running with IPA VERSION: 4.2.0 on CentOS 7 and I
want to install the same version in my production environment as well.
However, when I am running yum install ipa-server I am getting VERSION:
4.4.0 (package ipa-server-4.4.0-14.el7.centos.4.x86_64) installed.

How can I force the IPA server install to use 4.2.0 and not 4.4.0?

Thanks for your help in advance
~Amit
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Fraser Tweedale
On Thu, Feb 02, 2017 at 11:56:55AM +0100, Gorazd wrote:
> Hi Fraser,
> 
> thank you for your comment.
> 
> Still doing some decision making, could anyone know if for example KeyCloak
> (as identity and access management solution)+DogTag could have the same or
> better experience (since dogtag has more features than IPA's bundled
> dogtag) than using Freeipa, what are really the benefits of FreeIPA to use
> it as a system for IdM and PKI solution, is that really just that it has
> integrations with RADIUS also supported, so to be also ready for the deploy
> within typical enterprise environments?
> 
One of the big advantages: if you are issuing certificates for
subject principals defined in the FreeIPA directory, you get a lot
of validation and authorisation for those certificate requests based
on what FreeIPA knows.  It can be quite complicated to set up such a
regime with Dogtag.  OTOH if you need to issue certs for entities
about which FreeIPA knows nothing, then FreeIPA doesn't bring a lot
to the table right now.

If you clearly know what you want but there isn't support in
FreeIPA, file an RFE.  Like Alexander mentioned there's no guarantee
if or when we can implement it, but at least we will know about it
and be able to assess it alongside other priorities.

Cheers,
Fraser

> Thank you in advance,
> Gorazd
> 
> 
> 
> On Thu, Feb 2, 2017 at 1:11 AM, Fraser Tweedale  wrote:
> 
> > On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote:
> > > Hello,
> > >
> > > i am interested if there is any feature matrix available for FreeIpa
> > > version of dogtag packaging. So which features of DogTag are not included
> > > or come with limitations when installed with FreeIPA (such as OCSP is
> > > already part of CA and could not be installed separately), in contrast to
> > > when one uses Dogtag as a standalone software installation?
> > >
> > FreeIPA does not use the standalone OCSP responder, or the token
> > processing subsystems (TKS/TPS).  There is nothing preventing you
> > from installing them, but FreeIPA won't help you to do that, and
> > there is no integration.
> >
> > Cheers,
> > Fraser
> >
> > > Thank you in advance.
> > >
> > > Regards,
> > > Gorazd
> >



[Freeipa-users] ipactl services running, but auth not working

2017-02-02 Thread pgb205
We have multiple IPA servers but only one is continuously affected by the
strange problem described in the subject line. Users report not being able to
log in to servers that are using a specific ipa_server. Looking at this server,
ipactl shows everything as RUNNING. ipactl restart fixes the issue until the
next time.

My questions are:
1. What could be causing this, and what can I check?
2. What logging should I enable on the server?
3. We are currently monitoring for processes 'Running' but clearly that is not
a fool-proof way to check if the service is actually up. What would be a
definitive method to check if FreeIPA is up and functional in all respects? I
was thinking of setting up a cron job that attempts to do kinit on a client
machine. The problem that I foresee with this method is caching that might
give false negatives.

thanks
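A monitoring probe for the third question above, added here as an example and not taken from the thread or from FreeIPA's own tooling: it checks one specific server's KDC, directory server and JSON-RPC API using a fresh credential cache and a private krb5.conf that pins the KDC, so neither a ticket cached from an earlier run nor DNS SRV failover to a healthy replica can hide an outage on the server under test. The realm, base DN, monitoring principal and keytab path are assumptions; run it from cron as `probe_ipa.py ipa1.example.com` and alert on a non-zero exit.

```python
import os
import subprocess
import sys
import tempfile

REALM = "EXAMPLE.COM"                     # assumed Kerberos realm
BASE_DN = "dc=example,dc=com"             # assumed directory suffix
PRINCIPAL = "ipa-monitor@EXAMPLE.COM"    # assumed dedicated monitoring principal
KEYTAB = "/etc/ipa-monitor.keytab"        # assumed keytab for that principal
TIMEOUT = 15                              # seconds allowed per probe


def pinned_krb5_conf(realm: str, server: str) -> str:
    """krb5.conf text that sends all Kerberos traffic for `realm` to `server`.
    SRV lookups are off so DNS cannot quietly redirect the probe to a healthy
    replica and mask the broken one (the 'only one server affected' case)."""
    return (
        "[libdefaults]\n"
        f" default_realm = {realm}\n"
        " dns_lookup_kdc = false\n"
        "[realms]\n"
        f" {realm} = {{\n"
        f"  kdc = {server}\n"
        f"  admin_server = {server}\n"
        " }\n"
    )


def fresh_env(realm: str, server: str, workdir: str) -> dict:
    """Probe environment: private krb5.conf plus an empty, run-specific
    credential cache, so nothing cached on the client can satisfy the check."""
    conf = os.path.join(workdir, "krb5.conf")
    with open(conf, "w") as fh:
        fh.write(pinned_krb5_conf(realm, server))
    env = dict(os.environ)
    env["KRB5_CONFIG"] = conf
    env["KRB5CCNAME"] = "FILE:" + os.path.join(workdir, "ccache")
    return env


def run(cmd: list, env: dict) -> tuple:
    """Run one probe under a hard timeout; a hang counts as a failure."""
    try:
        p = subprocess.run(cmd, env=env, capture_output=True, text=True,
                           timeout=TIMEOUT)
        return p.returncode, (p.stdout + p.stderr).strip()
    except subprocess.TimeoutExpired:
        return 124, f"timeout after {TIMEOUT}s"


def probe_server(server: str) -> dict:
    """KDC, LDAP (GSSAPI bind) and JSON-RPC checks against one server.
    Returns {probe: (rc, output)}; the server is healthy only if every rc is 0."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        env = fresh_env(REALM, server, workdir)
        # 1. KDC: a brand-new TGT from the keytab, via the pinned KDC only.
        results["kinit"] = run(["kinit", "-k", "-t", KEYTAB, PRINCIPAL], env)
        if results["kinit"][0] == 0:
            # 2. Directory server: authenticated base search on this host only.
            results["ldap"] = run(["ldapsearch", "-Y", "GSSAPI", "-Q", "-LLL",
                                   "-H", f"ldap://{server}", "-s", "base",
                                   "-b", f"cn=users,cn=accounts,{BASE_DN}", "dn"], env)
            # 3. Web API: Kerberos-authenticated 'ping' (what `ipa ping` calls).
            results["api"] = run(["curl", "-sS", "--fail", "--negotiate", "-u", ":",
                                  "-H", f"Referer: https://{server}/ipa",
                                  "-H", "Content-Type: application/json",
                                  "-d", '{"method":"ping","params":[[],{}]}',
                                  f"https://{server}/ipa/json"], env)
    return results


def healthy(results: dict) -> bool:
    return bool(results) and all(rc == 0 for rc, _ in results.values())


if __name__ == "__main__":
    res = probe_server(sys.argv[1])
    print("\n".join(f"{k}: rc={rc} {out}" for k, (rc, out) in res.items()))
    sys.exit(0 if healthy(res) else 1)
```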

[Freeipa-users] Smart Card login into an Active Directory User

2017-02-02 Thread spammewoods
I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a
Windows Active Directory server. I am trying to configure the IPA server to
allow the Active Directory users to log into Gnome with a CAC smart card. I’m
having a hard time finding any instructions on how to do this. The problem I’m
having is that the Common Name from the smart card is not getting associated with
the Active Directory account. I added the certificate from the smart card to
the IPA server by creating a User ID override for the AD user account. I made
sure to not use authconfig to configure smart cards and I added ifp to the
services line in the sssd.conf file.

I have the following packages installed:
ipa-admintools.noarch   4.4.0-14.el7_3.4
ipa-client.x86_64   4.4.0-14.el7_3.4
ipa-client-common.noarch   4.4.0-14.el7_3.4
ipa-common.noarch   4.4.0-14.el7_3.4
ipa-python-compat.noarch   4.4.0-14.el7_3.4
ipa-server.x86_64   4.4.0-14.el7_3.4
ipa-server-common.noarch   4.4.0-14.el7_3.4
ipa-server-dns.noarch  4.4.0-14.el7_3.4
ipa-server-trust-ad.x86_64  4.4.0-14.el7_3.4

I can log in with AD user accounts that are configured with username and
password, so I know that the integration is working. When I try to log into
GDM with my smart card, I don’t get prompted for a PIN number. It only asks
for the password from the AD account.



Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Sumit Bose
On Thu, Feb 02, 2017 at 04:57:05PM +0100, Jan Karásek wrote:
> Hi,
> 
> I just looked into the RHEL 6.9 beta repos and I can see there is a
> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with RHEL
> 6.9 will come support for using a different UPN than the domain name. I am talking
> about the AD trust scenario where a user in the AD domain sits in
> u...@subdomain.example.com but has a UPN set to u...@example.com. It has been
> solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9 able to
> handle this situation or is there any known workaround?

This is basically a server side feature. You need an IPA server version
which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
detect if the server supports this or not. This autodetection was not
backported to 6.9 but if your servers support it you can set
'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
on the IPA clients with older SSSD versions. 

HTH

bye,
Sumit

> 
> Thanks,
> Jan 
> 



Re: [Freeipa-users] How to enable krb5_child log

2017-02-02 Thread Jakub Hrozek
On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote:
> Hi
> 
> Sorry, I did search wherever I could but I couldn't find it.
> How do I enable krb5_child debug log? I'm on an Ubuntu
> system which by default writes an empty /var/log/krb5_child.log
> 
> Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
> do I have to add where to get logging in krb5_child.log?

add debug_level= to the [domain] section.

> 
> BTW. I'm trying to debug a problem that results in
>   "Invalid UID in persistent keyring"
> The weird thing is, if I become root (via another ssh login) and
> then do a "su - user" (the same user with the error), the problem
> does not show up. Meanwhile that user keeps getting the above
> error (for klist kdestroy, klist).

su as root gets automatically authenticated by the pam_rootok.so
module.



[Freeipa-users] How to enable krb5_child log

2017-02-02 Thread Kees Bakker
Hi

Sorry, I did search wherever I could but I couldn't find it.
How do I enable krb5_child debug log? I'm on an Ubuntu
system which by default writes an empty /var/log/krb5_child.log

Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What
do I have to add where to get logging in krb5_child.log?

BTW. I'm trying to debug a problem that results in
  "Invalid UID in persistent keyring"
The weird thing is, if I become root (via another ssh login) and
then do a "su - user" (the same user with the error), the problem
does not show up. Meanwhile that user keeps getting the above
error (for klist kdestroy, klist).
-- 
Kees




[Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Jan Karásek
Hi,

I just looked into the RHEL 6.9 beta repos and I can see there is a
sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with RHEL 6.9
will come support for using a different UPN than the domain name. I am talking about
the AD trust scenario where a user in the AD domain sits in u...@subdomain.example.com
but has a UPN set to u...@example.com. It has been solved in RHEL 7.3 I guess
with sssd 1.14. Is ipa-client in RHEL 6.9 able to handle this situation or is
there any known workaround?

Thanks,
Jan 



Re: [Freeipa-users] Gateway_timeout Error

2017-02-02 Thread deepak dimri
Hi All,

I am stuck with this gateway error on my replicas. I recreated the replicas
but that did not help either. I realised that if I just keep my primary IPA
up then I do not get the error on the secondary/replica server. The error
logs on the replica show hits are getting successfully executed but I am
certain that it's trying to bind to the primary IPA server when I am trying to
open the hosts/users entries. It seems it's failing to make an LDAP bind to the
primary server and then eventually timing out.

Any idea why in my case the replica is trying to connect to the IPA master?

Thanks,
Deepak



On Thu, Feb 2, 2017 at 10:12 AM, deepak dimri 
wrote:

> Hey Martin,
>
>
> Does the gateway error have anything to do with the --no-wait-for-dns flag that I
> used when I created the replica image? I have another test IPA setup
> working fine in the same env and the only difference I see is that in that env
> I did not use --no-wait-for-dns for replicas
>
> Thanks,
> Deepak
>
> On Wed, Feb 1, 2017 at 10:52 PM, deepak dimri 
> wrote:
>
>> sorry for not replying to all!
>>
>> I have an apache reverse proxy front ending the ipa servers. As I mentioned,
>> if I try hitting the ipa replica WebUI directly then I do get the objects
>> loaded on the browser after waiting for over a minute or so. The replica server
>> (/var/log/dirsrv/slapd-$YOUR_REALM/{access,errors}) shows hits coming
>> through fine but for some reason the web browser ends up with the gateway
>> error.
>>
>> both the ipa masters are running VERSION: 4.4.0, API_VERSION: 2.213
>>
>> Kind Regards,
>> Deepak
>>
>>
>> On Wed, Feb 1, 2017 at 9:21 PM, Martin Babinsky 
>> wrote:
>>
>>> On 02/01/2017 04:26 PM, deepak dimri wrote:
>>>
>>>> Yes, Martin - I do see requests hitting the replica.. /var/log/httpd/error_log shows:
>>>>
>>>> [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO:
>>>> ad...@xxx.xyz.com : batch:
>>>> host_show(u'xxx.abx.xyz ', rights=True, all=True):
>>>> SUCCESS
>>>>
>>>> I used an ansible playbook to build the replica server. Ran
>>>> ipa-replica-prepare on the primary:
>>>> ipa-replica-prepare {{ replica_dns }} --password={{ipa_password}}
>>>> --no-wait-for-dns
>>>>
>>>> copied the replica file over to the replica server:
>>>> scp -oStrictHostKeyChecking=no -i ~/.ssh/{{ssh_keyname}}.pem
>>>> /var/lib/ipa/replica-info-{{ replica_dns }}.gpg root@{{ replica_dns }}:/var/lib/ipa/
>>>>
>>>> ran the replica install on the replica server:
>>>> ipa-replica-install /var/lib/ipa/replica-info-{{ replica_dns }}.gpg
>>>> --password={{ipa_password}} --admin-password={{ipa_password}}
>>>>
>>>> I have noticed that if I directly use the replica (bypassing proxy) URL
>>>> then the objects show after waiting for over a minute or so. When I use
>>>> proxy pass then it just times out after a few seconds.
>>>>
>>>> No clue why it's behaving like this
>>>>
>>>> Many Thanks,
>>>> Deepak
>>>>
>>>> On Wed, Feb 1, 2017 at 6:45 PM, Martin Babinsky wrote:
>>>>
>>>>> On 02/01/2017 11:17 AM, deepak dimri wrote:
>>>>>
>>>>>> Hello Martin, Thank you so much for your reply.
>>>>>>
>>>>>> I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary server and
>>>>>> it's pointing to its own hostname and not to the primary server hostname :(
>>>>>>
>>>>>> any other clue, Martin?
>>>>>>
>>>>>> I have tried without proxy and again no luck; either way it's throwing the
>>>>>> same gateway_error
>>>>>>
>>>>>> Regards,
>>>>>> Deepak
>>>>>>
>>>>>> On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky wrote:
>>>>>>
>>>>>>> On 02/01/2017 10:22 AM, deepak dimri wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I have two IPA servers - primary and secondary running. The secondary
>>>>>>>> IPA server is installed using the IPA replica image of the primary.
>>>>>>>> While doing the testing I realised that when I manually shut down my
>>>>>>>> primary IPA server, making my secondary server serve the UI, and now
>>>>>>>> when I try to access user or host details using my secondary server,
>>>>>>>> then I am getting the below error in the UI. I am able to login fine
>>>>>>>> though; it is just that when I double click on host objects then I get
>>>>>>>> the error.
>>>>>>>>
>>>>>>>>   An error has occurred (GATEWAY_TIMEOUT)
>>>>>>>>
>>>>>>>> I am still trying to troubleshoot as to why I am getting the timeout
>>>>>>>> error but thought of asking the

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Alexander Bokovoy

Hi,

On to, 02 helmi 2017, Gorazd wrote:
> Hi Fraser,
>
> thank you for your comment.
>
> Still doing some decision making, could anyone know if for example KeyCloak
> (as identity and access management solution)+DogTag could have the same or
> better experience (since dogtag has more features than IPA's bundled
> dogtag) than using Freeipa, what are really the benefits of FreeIPA to use
> it as a system for IdM and PKI solution, is that really just that it has
> integrations with RADIUS also supported, so to be also ready for the deploy
> within typical enterprise environments?


FreeIPA attempts to make deployment of the common use cases we've seen so
far easier. There are two limiting factors: 1) available people who can
do the work (contributions are welcome!), and 2) priorities that come
from paying customers for those teams that could contribute development
resources. In short, software needs to be written and maintained, and that
does not happen by itself.

If someone wants to use more advanced Dogtag features, they are free to
work with Dogtag and FreeIPA to contribute the integration pieces. Most
of such integration requires changes on the Dogtag side as well -- we
discovered multiple times that in order to automate/simplify/etc we have
to change things on both sides, so a deeper development cooperation between
those projects was always needed (and was/is happening). Finally,
talking to Dogtag developers directly to get advice on what is possible
on their side is an option too.

Obviously, doing joint development takes time and has to be planned
out. In some cases you might not be able to contribute that time
or your goals are to deploy within a shorter time frame. This means your
other option could be to either use Dogtag directly or look for
alternatives.

From my perspective it is just perfectly fine to make an informed
decision to not use FreeIPA. It is also perfectly fine to consider
installing additional Dogtag components and take responsibility for
supporting the resulting deployment setup. Each situation has its own
constraints and limitations which only you are aware of, not other
members of the extended community. And only you can decide what amount of
effort could be put in to achieve your goals.



> Thank you in advance,
> Gorazd
>
> On Thu, Feb 2, 2017 at 1:11 AM, Fraser Tweedale wrote:
>
> > On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote:
> > > Hello,
> > >
> > > i am interested if there is any feature matrix available for FreeIpa
> > > version of dogtag packaging. So which features of DogTag are not included
> > > or come with limitations when installed with FreeIPA (such as OCSP is
> > > already part of CA and could not be installed separately), in contrast to
> > > when one uses Dogtag as a standalone software installation?
> > >
> > FreeIPA does not use the standalone OCSP responder, or the token
> > processing subsystems (TKS/TPS).  There is nothing preventing you
> > from installing them, but FreeIPA won't help you to do that, and
> > there is no integration.
> >
> > Cheers,
> > Fraser
> >
> > > Thank you in advance.
> > >
> > > Regards,
> > > Gorazd



--
/ Alexander Bokovoy



Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Gorazd
Hi Fraser,

thank you for your comment.

Still doing some decision making, could anyone know if for example KeyCloak
(as identity and access management solution)+DogTag could have the same or
better experience (since dogtag has more features than IPA's bundled
dogtag) than using Freeipa, what are really the benefits of FreeIPA to use
it as a system for IdM and PKI solution, is that really just that it has
integrations with RADIUS also supported, so to be also ready for the deploy
within typical enterprise environments?

Thank you in advance,
Gorazd



On Thu, Feb 2, 2017 at 1:11 AM, Fraser Tweedale  wrote:

> On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote:
> > Hello,
> >
> > i am interested if there is any feature matrix available for FreeIpa
> > version of dogtag packaging. So which features of DogTag are not included
> > or come with limitations when installed with FreeIPA (such as OCSP is
> > already part of CA and could not be installed separately), in contrast to
> > when one uses Dogtag as a standalone software installation?
> >
> FreeIPA does not use the standalone OCSP responder, or the token
> processing subsystems (TKS/TPS).  There is nothing preventing you
> from installing them, but FreeIPA won't help you to do that, and
> there is no integration.
>
> Cheers,
> Fraser
>
> > Thank you in advance.
> >
> > Regards,
> > Gorazd
>

Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-02 Thread lejeczek



On 01/02/17 19:16, Martin Basti wrote:
> Hello,
>
> you have to use ldapdelete command and remove it manually
>
> Martin




and the user's group?
I'm using a gui and it protests:
..
Deleting a managed entry is not allowed. It needs to be
manually unlinked first.]
..
I already have the user removed.

Would be great if coming new versions accounted for this
situation and provided users/admins with tool(s) that can take
care of it.

many thanks,
L.


> On 01.02.2017 19:30, lejeczek wrote:
> > hi all,
> > take a look:
> >
> > $ ipa user-find --uid 3501
> > --
> > 1 user matched
> > --
> >   User login: appmgr
> >   First name: app
> >   Last name: developer
> >   Home directory: /home.sysops/appmgr
> >   Login shell: /bin/bash
> >   Principal alias: appmgr@PRIVATE
> >   Email address: appmgr@private
> >   UID: 3501
> >   GID: 3501
> >   Account disabled: False
> >
> > $ ipa user-find --uid 1104
> > --
> > 1 user matched
> > --
> >   User login: appmgr
> >   First name: app
> >   Last name: devel 1
> >   Home directory: /home.sysops/appmgr
> >   Login shell: /bin/bash
> >   Principal alias: appmgr@PRIVATE
> >   Email address: appmgr@private
> >   UID: 1104
> >   GID: 1104
> >   Account disabled: False
> >
> > Number of entries returned 1
> >
> > I think it had something to do with an initial(long time
> > ago) migration.
> >
> > How to safely delete such a user? Or one of them?
> >
> > $ ipa user-del appmgr --no-preserve
> > ipa: ERROR: The search criteria was not specific enough.
> > Expected 1 and found 2.
> >
> > many thanks,
> > L.







Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-02 Thread lejeczek



On 01/02/17 19:12, Jochen Hein wrote:
> Hi
>
> lejeczek writes:
>
> > I think it had something to do with an initial(long time ago)
> > migration.
> > How to safely delete such a user? Or one of them?
> >
> > $ ipa user-del appmgr --no-preserve
> > ipa: ERROR: The search criteria was not specific enough. Expected 1
> > and found 2.
>
> Did you try "--continue"?

nope, --continue won't help, at least with 4.4

> You can check both users with "ipa user-find ... --all" and look for the
> ipauniqueid. I think you can remove the user with ldapremove.
>
> Jochen



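An added example for the cleanup both replies in this thread point at (delete the extra entry directly in LDAP, telling the two apart by ipaUniqueID); it is not code from the thread or from FreeIPA. It selects the duplicate by uidNumber, refuses to act unless exactly one entry matches so a typo cannot remove both accounts, and defaults to a dry run. The suffix, server name and ipaUniqueID values are constructed for the example, and the sample assumes the migrated entry carries a different RDN (two entries cannot share one DN). The managed private group the GUI complains about is not handled here.

```python
import base64
import subprocess

BASE_DN = "dc=private"                  # assumed suffix
SERVER = "ipa.private"                  # assumed IPA server hostname

# Constructed sample of what ldapsearch returns for (uid=appmgr): the two
# entries from the thread's user-find output. The second has a cn= RDN, which
# is one way a migrated duplicate ends up next to the proper uid= entry.
SAMPLE_LDIF = """\
dn: uid=appmgr,cn=users,cn=accounts,dc=private
ipaUniqueID: 1c3a0b9a-0000-0000-0000-000000000001
uidNumber: 3501
gidNumber: 3501

dn: cn=appmgr,cn=users,cn=accounts,dc=private
ipaUniqueID: 1c3a0b9a-0000-0000-0000-000000000002
uidNumber: 1104
gidNumber: 1104
"""


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: handles folded lines (leading space) and
    base64 values ('attr:: ...'); returns one {attr: [values]} per entry."""
    entries, cur, lines = [], {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):            # continuation of the previous line
            lines[-1] += raw[1:]
            continue
        if raw == "":                      # a blank line closes the entry
            for line in lines:
                if line.startswith("#"):
                    continue
                attr, _, val = line.partition(":")
                if val.startswith(":"):
                    val = base64.b64decode(val[1:].strip()).decode()
                cur.setdefault(attr.lower(), []).append(val.strip())
            if cur:
                entries.append(cur)
            cur, lines = {}, []
        else:
            lines.append(raw)
    return entries


def select_by_uidnumber(entries: list, uid_number: str) -> dict:
    """Return the single entry whose uidNumber matches; refuse otherwise."""
    hits = [e for e in entries if uid_number in e.get("uidnumber", [])]
    if len(hits) != 1:
        raise ValueError("expected exactly 1 entry with uidNumber=%s, found %d"
                         % (uid_number, len(hits)))
    return hits[0]


def fetch_ldif(uid: str) -> str:
    """Authenticated (GSSAPI) search for every entry carrying this uid."""
    return subprocess.run(
        ["ldapsearch", "-Y", "GSSAPI", "-Q", "-LLL", "-H", f"ldap://{SERVER}",
         "-b", f"cn=users,cn=accounts,{BASE_DN}", f"(uid={uid})",
         "dn", "ipaUniqueID", "uidNumber", "gidNumber"],
        check=True, capture_output=True, text=True).stdout


def remove_duplicate(uid: str, uid_number: str, dry_run: bool = True) -> str:
    """Resolve the entry to delete by uidNumber and remove it by dn."""
    entry = select_by_uidnumber(parse_ldif(fetch_ldif(uid)), uid_number)
    dn = entry["dn"][0]
    print(f"would delete {dn} (ipaUniqueID {entry['ipauniqueid'][0]})")
    if not dry_run:
        subprocess.run(["ldapdelete", "-Y", "GSSAPI", "-Q",
                        "-H", f"ldap://{SERVER}", dn], check=True)
    return dn


if __name__ == "__main__":
    remove_duplicate("appmgr", "1104")   # dry run; pass dry_run=False to delete
```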


Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 04:19:39PM -0600, Jason B. Nance wrote:
> >> - Users can't login to a Linux box using just "username" (user@ad.domain is
> >> used)
> > 
> > In the current version you can use the 'default_domain_suffix' option in
> > sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> > limitation go away.
> 
> Thank you very much, Jakub.  That is helpful information!  Are you saying 
> that there will basically be a domain search order or something for users 
> that login without specifying a domain?

For the IPA-AD case, probably:
https://fedorahosted.org/sssd/ticket/3210
For the direct AD integration case (which will share the underlying code
with the IPA-AD integration case), the admin would opt-in with a
sssd.conf option, essentially saying 'let me always use shortnames for
all domains, there are no name conflicts' and then sssd would not
require shortnames for trusted domains.

The ticket that tracks the shortname-for-trusted-domains case in general
is:
https://fedorahosted.org/sssd/ticket/3001

Please note the tickets are in the "Future releases" milestone at the
moment, but we do plan them for the next RHEL release; the upstream
milestones just need a bit more grooming.



Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Alexander Bokovoy

On ke, 01 helmi 2017, Jason B. Nance wrote:
> > > - User/group management in general becomes largely a command-line operation
> > > (such as mapping groups so they can be used in HBAC and sudo rules)
> > >
> > > While this is a nice-to-have, it isn't a deal breaker.
> >
> > This definitely exists in WebUI? Unless you mean something I don't understand.
> >
> > Define groups:
> > Identity->User Groups (second tab)
>
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users
> (users that are known via the trust with AD) under the "Users" tab.
> There is limited visibility / management of external groups and
> membership, but nothing that displays a list of available users/groups
> in AD when attempting to create/modify a user/group.

Not seeing AD users is the correct thing, you don't miss anything.

This topic comes up regularly on the list. It is described in the Windows
integration guide, we discuss it here, you can look into the archives, for
example:

https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html

IPA is not designed to give you the ability to manage your AD users as if
they were in IPA -- you cannot create them there, you cannot list them
there. They are not and there is no need to pretend they are.

POSIX attributes for them can be managed in the ID overrides (in Default
Trust View). We are working on making it possible to do self-service in the web
UI for AD users themselves in upcoming releases. You can do 'self-service'
as an AD user in CLI already with

 ipa idoverrideuser-mod "default trust view" your.account@ad.domain  [options]

but you currently cannot login as an AD user to the web UI. Also the ID Override
needs to be pre-created by the IPA admin right now -- just do

 ipa idoverrideuser-add "default trust view" your.account@ad.domain

> > Define user mappings:
> > IPA Server -> ID Views -> Default Trust View
>
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be used
> for HBAC/sudo) so that AD membership is known by IPA when applying the HBAC/sudo rules.
> For example:
>
> ipa group-add \
> --desc="lab.gen.zone 'Domain Admins' external map" \
> lgz_map_domain_admins \
> --external
> ipa group-add \
> --desc="lab.gen.zone 'Domain Admins' POSIX" \
> lgz_domain_admins
> ipa group-add-member \
> lgz_map_domain_admins \
> --external 'LAB\Domain Admins'
> ipa group-add-member \
> lgz_domain_admins \
> --groups lgz_map_domain_admins






--
/ Alexander Bokovoy
