Re: [Freeipa-users] ID Mapping

2017-02-27 Thread Hanoz Elavia
Thanks Jakub!!


Hanoz Elavia | IT Manager
O: 604-734-2866 | www.atomiccartoons.com
112 West 6th Ave, Vancouver, BC, Canada, V5Y1K6

On Mon, Feb 27, 2017 at 7:26 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Sun, Feb 26, 2017 at 12:12:23PM -0800, Hanoz Elavia wrote:
> > Hey guys,
> >
> > Is it possible to disable ID mapping for AD users in a FreeIPA AD trust
> > setup?
> >
> > The version report is as follows:
> >
> > AD: Windows 2008 R2
> > FreeIPA Server: 4.4.0-14
> > FreeIPA Client: 4.4.0-14
> > SSSD: 1.14.0-43
> > Linux version: CentOS 7.3 x86_64
> >
> > I've tried setting ldap_id_mapping = False in sssd.conf in the IPA domain
> > section with no success.
> >
> > Regards,
> >
> > Hanoz
>
> In an IPA-AD trust environment the mapping is managed on the server. So
> you'd need to remove the algorithmic range and add a POSIX range
> instead (see ipa help idrange-add, --type=['ipa-ad-trust-posix',
> 'ipa-ad-trust', 'ipa-local'])
>
> Note that clients cannot modify the range type at the moment, so you
> also need to remove the cache from all clients in the domain.
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ID Mapping

2017-02-26 Thread Hanoz Elavia
Hey guys,

Is it possible to disable ID mapping for AD users in a FreeIPA AD trust
setup?

The version report is as follows:

AD: Windows 2008 R2
FreeIPA Server: 4.4.0-14
FreeIPA Client: 4.4.0-14
SSSD: 1.14.0-43
Linux version: CentOS 7.3 x86_64

I've tried setting ldap_id_mapping = False in sssd.conf in the IPA domain
section with no success.

Regards,

Hanoz

Re: [Freeipa-users] Default domain for AD groups

2017-02-24 Thread Hanoz Elavia
Thanks Alexander!!


On Fri, Feb 24, 2017 at 6:04 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On to, 23 helmi 2017, Hanoz Elavia wrote:
>
>> Hello,
>>
>> My FreeIPA clients and server are set up to use the AD domain as the
>> default. This is done using the default_domain_suffix parameter in the
>> sssd
>> section of the sssd.conf file.
>>
>> This works fine for users when we use ldapsearch but not so much for
>> groups. For example:
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>>   -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>>   -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>>   '(cn=domaingr...@server.com)'
>>
>> works fine but
>>
>> ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
>>   -b 'cn=compat,dc=ipa,dc=server,dc=com' \
>>   -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
>>   '(cn=domaingroup)'
>>
>> won't work. However, the above will work fine for users. I'm using the
>>
> No, compat tree is designed to be used with fully-qualified groups and
> users. There is no way around it.
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] Default domain for AD groups

2017-02-23 Thread Hanoz Elavia
Hello,

My FreeIPA clients and server are set up to use the AD domain as the
default. This is done using the default_domain_suffix parameter in the sssd
section of the sssd.conf file.

This works fine for users when we use ldapsearch but not so much for
groups. For example:

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  '(cn=domaingr...@server.com)'

works fine but

ldapsearch -x -W -s sub -H 'ldap://ipa.server.com' \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  '(cn=domaingroup)'

won't work. However, the above will work fine for users. I'm using the
following:

AD: Windows 2008 R2
FreeIPA Server: 4.4.0-14
FreeIPA Client: 4.4.0-14
SSSD: 1.14.0-43
Linux version: CentOS 7.3 x86_64

The AD trust is set up with --enable-compat.

Regards,

Hanoz

Re: [Freeipa-users] ldapsearch for AD users

2017-02-23 Thread Hanoz Elavia
Thanks Alexander,

I have rebuilt the server with compatibility and I can now query AD users.
I'll just have to confirm with Dell / EMC whether the Isilon can now handle
this.

Regards,

Hanoz


On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy 
wrote:

> On ke, 22 helmi 2017, Jason B. Nance wrote:
>
>>> For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>>> where %s is ad_u...@server.com according to your example.
>>>
>>> This is what would be intercepted and queried through SSSD.
>>>
>>> For example:
>>>
>>> $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>>> '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@xs.ipa.cool
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base 

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

I am not sure about that. I just rebuilt my IPA server since its only
purpose is to authenticate users with the AD. As for the clients, I removed
them from the FreeIPA server using ipa-client-install --uninstall and
rebooted. Once they rebooted my saltstack state added them back to the
server. Sorry, I can't help you much there.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 2:19 PM, Jason B. Nance <ja...@tresgeek.net> wrote:

>
> I realized I had made one more change. I set up the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Is it safe to re-run ipa-adtrust-install?  I have existing trusts in place.
>
> Thanks,
>
> j
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

Also, my bind DN is a native FreeIPA user and doesn't exist on the Active
Directory.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 2:07 PM, Hanoz Elavia <h.ela...@atomiccartoons.com>
wrote:

> Hey Jason,
>
> I realized I had made one more change. I set up the FreeIPA server again
> and this time I added the --enable-compat with my
> /usr/sbin/ipa-adtrust-install command.
>
> Yes, I cannot use GSSAPI as well. I use simple bind to run an LDAP query.
> On IPA clients I don't need to authenticate as IPA takes care of that. Hope
> this helps.
>
> Regards,
>
> Hanoz
>
>
>
> On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <ja...@tresgeek.net>
> wrote:
>
>> > For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
>> > where %s is ad_u...@server.com according to your example.
>> >
>> > This is what would be intercepted and queried through SSSD.
>> >
>> > For example:
>> >
>> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
>> > '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
>> > SASL/GSSAPI authentication started
>> > SASL username: ad...@xs.ipa.cool
>> > SASL SSF: 56
>> > SASL data security layer installed.
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base 

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Jason,

I realized I had made one more change. I set up the FreeIPA server again and
this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install
command.

Yes, I cannot use GSSAPI as well. I use simple bind to run an LDAP query. On
IPA clients I don't need to authenticate as IPA takes care of that. Hope
this helps.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <ja...@tresgeek.net> wrote:

> > For example, for user that would be (&(objectClass=posixAccount)(uid=%s))
> > where %s is ad_u...@server.com according to your example.
> >
> > This is what would be intercepted and queried through SSSD.
> >
> > For example:
> >
> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool
> > '(&(objectClass=posixAccount)(uid=u...@ad.ipa.cool))'
> > SASL/GSSAPI authentication started
> > SASL username: ad...@xs.ipa.cool
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base 

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alexander,

So based on the RFC 2307 documentation, I built a test server and ran the
following command:

ldapsearch -x -W -H 'ldap://ipa.server.com' \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=admin,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  -s sub 'uid=ad_u...@server.com'

It worked as expected. Then once I rebooted the test server it stopped
working. Any idea which service might be failing?

Regards,

Hanoz



On Wed, Feb 22, 2017 at 8:40 AM, Hanoz Elavia <h.ela...@atomiccartoons.com>
wrote:

> Hey Alex,
>
> Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
> have a look at the link and see if we can change the query to obtain the
> info required.
>
> Regards,
>
> Hanoz
>
>
>
> On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>
>>> Thanks Alex,
>>>
>>> Does it also mean that I'll have to install the FreeIPA server with
>>> --enable-compat? I didn't do that.
>>>
>>
>> check ipa-compat-manage tool.
>>
>>
>>> Regards,
>>>
>>> Hanoz
>>>
>>>
>>>
>>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <aboko...@redhat.com>
>>> wrote:
>>>
>>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>>
>>>>> Hey Alex,
>>>>>
>>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I
>>>>> haven't
>>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>>>
>>>> I think you are confused by the names. What Compat tree provides is an
>>>> interface on IPA side to look up identities of AD users and groups over
>>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>>> we don't depend on how Windows side provides or does not provide
>>>> attributes.
>>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>>> generated by SSSD, or stored in ID overrides in IPA.
>>>>
>>>> But the query format is the one described in RFC 2307 because this is
>>>> what all nss implementations like nss_ldap or similar ones use in
>>>> UNIX-like environments. Windows Server is merely implementing the same
>>>> LDAP schema to allow interoperability with the same clients. Think of
>>>> Compat Tree in IPA as doing the same, just dynamically.
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex,

Thanks, I ran ipa-compat-manage status and it shows Plugin enabled. I'll
have a look at the link and see if we can change the query to obtain the
info required.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 8:34 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>
>> Thanks Alex,
>>
>> Does it also mean that I'll have to install the FreeIPA server with
>> --enable-compat? I didn't do that.
>>
>
> check ipa-compat-manage tool.
>
>
>> Regards,
>>
>> Hanoz
>>
>>
>>
>> On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>>>
>>>> Hey Alex,
>>>>
>>>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>>>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>>>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>>>> version of the Windows Server, SFU seems to have been discontinued.
>>>>
>>> I think you are confused by the names. What Compat tree provides is an
>>> interface on IPA side to look up identities of AD users and groups over
>>> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
>>> we don't depend on how Windows side provides or does not provide
>>> attributes.
>>> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
>>> generated by SSSD, or stored in ID overrides in IPA.
>>>
>>> But the query format is the one described in RFC 2307 because this is
>>> what all nss implementations like nss_ldap or similar ones use in
>>> UNIX-like environments. Windows Server is merely implementing the same
>>> LDAP schema to allow interoperability with the same clients. Think of
>>> Compat Tree in IPA as doing the same, just dynamically.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks Alex,

Does it also mean that I'll have to install the FreeIPA server with
--enable-compat? I didn't do that.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 7:22 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ke, 22 helmi 2017, Hanoz Elavia wrote:
>
>> Hey Alex,
>>
>> Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
>> Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
>> enabled that mainly because SSSD now maps the IDs. Also, in the newer
>> version of the Windows Server, SFU seems to have been discontinued.
>>
> I think you are confused by the names. What Compat tree provides is an
> interface on IPA side to look up identities of AD users and groups over
> LDAP. Compat tree will do lookup through SSSD on your behalf. This means
> we don't depend on how Windows side provides or does not provide
> attributes.
> Everything SSSD can resolve, can be returned, be it stored in AD LDAP,
> generated by SSSD, or stored in ID overrides in IPA.
>
> But the query format is the one described in RFC 2307 because this is
> what all nss implementations like nss_ldap or similar ones use in
> UNIX-like environments. Windows Server is merely implementing the same
> LDAP schema to allow interoperability with the same clients. Think of
> Compat Tree in IPA as doing the same, just dynamically.
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Hey Alex,

Thanks for the link, isn't RFC 2307 implemented as Services for Unix in
Windows 2008 R2? Apologies for not mentioning this earlier but I haven't
enabled that mainly because SSSD now maps the IDs. Also, in the newer
version of the Windows Server, SFU seems to have been discontinued.

Since there is a possibility of us having to upgrade in the future, I tried
to keep SFU out of the picture. Please let me know your thoughts. Here's
some additional info regarding the environment:

Windows ADs: Windows Server 2008 R2
FreeIPA Server: CentOS 7.2 x86_64
FreeIPA Server Version: 4.4.0.14
FreeIPA Client Version: 4.4.0.14
SSSD Version: 1.14.0-43

Thanks,

Hanoz



On Wed, Feb 22, 2017 at 7:05 AM, Hanoz Elavia <h.ela...@atomiccartoons.com>
wrote:

> Thanks guys,
>
> I think there might be a way to modify the LDAP query. I'm speaking to the
> EMC / Dell support personnel today to see what can be done.
>
> Regards,
>
> Hanoz
>
>
>
> On Wed, Feb 22, 2017 at 6:50 AM, Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On ke, 22 helmi 2017, Jason B. Nance wrote:
>>
>>>> There is none. Compat tree is built with RFC2307 queries in mind.
>>>> RFC2307 clients issue a request with a specific user or group name and
>>>> that triggers lookup of AD user/group through SSSD and insertion into
>>>> the compat tree. A part of the trigger is how LDAP filter is built (see
>>>> RFC for those). If your software does not use the same filter, you
>>>> wouldn't get a response.
>>>>
>>>
>>> Are you saying that there is an LDAP query you can use to retrieve the
>>> UID/GID of a user/group that is known via an AD trust as long as the
>>> filter is correct?  I ran into this same situation (with a storage
>>> appliance) and thought that the problem was that the UIDs/GIDs were
>>> calculated but never stored, but I hadn't stopped to think about how
>>> whether sssd (on the local machine) retrieves them from FreeIPA or does
>>> the calculation.
>>>
>> Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
>

Re: [Freeipa-users] ldapsearch for AD users

2017-02-22 Thread Hanoz Elavia
Thanks guys,

I think there might be a way to modify the LDAP query. I'm speaking to the
EMC / Dell support personnel today to see what can be done.

Regards,

Hanoz



On Wed, Feb 22, 2017 at 6:50 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On ke, 22 helmi 2017, Jason B. Nance wrote:
>
>>> There is none. Compat tree is built with RFC2307 queries in mind.
>>> RFC2307 clients issue a request with a specific user or group name and
>>> that triggers lookup of AD user/group through SSSD and insertion into
>>> the compat tree. A part of the trigger is how LDAP filter is built (see
>>> RFC for those). If your software does not use the same filter, you
>>> wouldn't get a response.
>>>
>>
>> Are you saying that there is an LDAP query you can use to retrieve the
>> UID/GID of a user/group that is known via an AD trust as long as the
>> filter is correct?  I ran into this same situation (with a storage
>> appliance) and thought that the problem was that the UIDs/GIDs were
>> calculated but never stored, but I hadn't stopped to think about how
>> whether sssd (on the local machine) retrieves them from FreeIPA or does
>> the calculation.
>>
> Read https://pagure.io/slapi-nis/blob/master/f/doc/ipa/sch-ipa.txt
>
>
>
> --
> / Alexander Bokovoy
>

[Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Hanoz Elavia
Hello,

I've got the FreeIPA server with AD trust (Server 2008 R2) set up and
running. I can login successfully on linux clients using AD credentials.
I'm now trying to set up my Isilon storage appliance with mixed mode file
sharing.

The filer has joined the AD so it provides Windows users access to the
files. However, being a legacy client, it uses simple bind to query ldap
for uid and gid. I was able to setup FreeIPA as the ldap server but it
doesn't seem to return the uid and gid for AD objects.

The query my storage is using is as follows:

ldapsearch -x -W -z 10 -H ldap://ipa.server.com \
  -b 'cn=compat,dc=ipa,dc=server,dc=com' \
  -D 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=server,dc=com' \
  '(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=person))'

The above command obtains all the IDs for the native FreeIPA users
/ groups but doesn't return any results for AD users. Is there a way to get
this done? I can't install any clients on the Isilon as it uses a BSD based
proprietary software. I can manually map FreeIPA assigned uids / gids but
that's tedious and error prone. Any help would be appreciated.

Regards,

H.
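An added example, not code from this thread or from FreeIPA/slapi-nis: a small RFC 4515 filter parser plus a checker that applies the two rules the replies above give for cn=compat (the filter must be a single-entry RFC 2307 lookup that names a specific user or group, and for trusted AD identities that name must be fully qualified as name@AD.DOMAIN), so an appliance's query can be vetted before its results are blamed on ID mapping. The enumeration filter and `(cn=domaingroup)` are the ones quoted in the thread; `jdoe@ad.example.com` and `domaingroup@ad.example.com` are constructed, and treating uidNumber/gidNumber as lookup keys is an assumption taken from RFC 2307 rather than from the thread (the authoritative rules are in the sch-ipa.txt link above).

```python
import re

# RFC 2307 single-entry lookup keys (getpwnam/getgrnam by name, getpwuid/getgrgid
# by number).  Assumption: the compat tree reacts to these; see sch-ipa.txt.
NAME_KEYS = {"uid", "cn", "memberuid"}
NUMBER_KEYS = {"uidnumber", "gidnumber"}
_ITEM = re.compile(r"([A-Za-z0-9][\w.;-]*)(>=|<=|~=|=)(.*)")


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [subtrees]) / ('item', attr, op, value)."""
    def parse(i):
        if text[i:i + 1] != "(" or i + 1 >= len(text):
            raise ValueError(f"expected '(' at offset {i}")
        op, i = text[i + 1], i + 1
        if op in "&|!":
            subs, i = [], i + 1
            while i < len(text) and text[i] == "(":
                sub, i = parse(i)
                subs.append(sub)
            if i >= len(text) or text[i] != ")" or (op == "!" and len(subs) != 1):
                raise ValueError(f"malformed {op!r} filter at offset {i}")
            return (op, subs), i + 1
        end = text.find(")", i)  # a ')' inside a value must be escaped as \29
        m = _ITEM.fullmatch(text[i:end]) if end != -1 else None
        if not m:
            raise ValueError(f"malformed assertion at offset {i}")
        return ("item", m[1].lower(), m[2], m[3]), end + 1

    tree, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree


def lookup_keys(tree, negated=False):
    """Yield (attr, value) for equality assertions that are not under a NOT."""
    if tree[0] == "item":
        _, attr, cmp, value = tree
        if cmp == "=" and value and value != "*" and not negated:
            yield attr, value
    else:
        for sub in tree[1]:
            yield from lookup_keys(sub, negated != (tree[0] == "!"))


def classify(filter_text):
    """Predict what cn=compat does with this filter for trusted-AD identities."""
    keys = list(lookup_keys(parse_filter(filter_text)))
    names = [(a, v) for a, v in keys if a in NAME_KEYS]
    numbers = [v for a, v in keys if a in NUMBER_KEYS]
    if not names and not numbers:
        return "no-key", ("no uid/cn/uidNumber/gidNumber assertion: an objectClass-only "
                          "enumeration never asks SSSD to resolve anything")
    for attr, value in names:
        if "*" in value:
            return "wildcard", f"{attr}={value}: substring match is not a single-entry lookup"
        if not value.partition("@")[2]:
            return "unqualified", (f"{attr}={value}: answers IPA-native entries only; "
                                   "trusted AD users and groups need name@AD.DOMAIN")
    if names:
        return "qualified", "single-entry lookup of a fully-qualified name; resolved through SSSD"
    if not all(v.isdigit() for v in numbers):
        return "no-key", "uidNumber/gidNumber lookup with a non-numeric value"
    return "numeric", "uidNumber/gidNumber lookup; resolved through SSSD by ID"


if __name__ == "__main__":  # the appliance's enumeration filter quoted in the thread
    print(classify("(|(objectClass=posixAccount)(objectClass=posixGroup)"
                   "(objectClass=nisNetgroup)(objectClass=person))"))
```

Running it on the appliance's filter yields `no-key`, which is the thread's diagnosis: nothing in that query names an entry for SSSD to resolve, so only IPA-native entries come back.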