Re: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-05 Thread Jakub Hrozek
On Thu, Feb 04, 2016 at 01:57:20PM -0600, Jon wrote:
> Hi Josh,
> 
> I think that's exactly the problem though, how does one set POSIX
> attributes in AD from Linux guests?
> 
> The Red Hat documentation has a big warning that the Microsoft IDMU has been
> deprecated.

IIRC the UI is, the schema is not.

> 
> >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
> 
> Surely you're not suggesting manually editing the AD Schema...?
> 
> Also, another use case is ssh keys.  I'm not even sure that IDMU has an
> option for "authorized_keys"  (and FreeIPA doesn't seem to honor what's in
> .ssh/authorized keys...  when that file exists I always get prompted for a
> password then access denied).

For per-AD-user ssh pubkeys, you can use the idviews feature:
ipa idoverrideuser-add --sshpubkey=STR
see:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
Same for shells, although as Josh said, shells can be set globally for
all users in sssd.conf.

> 
> I'm sure there are other per-user level attributes that are required, home
> directory perhaps?, but the two big ones are shell and ssh keys.  I can't
> be the only one who has a use case for managing these attributes for Active
> Directory users.
> 
> Thanks,
> Jon A
> 
> On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jba...@follett.com> wrote:
> 
> > For AD users, I believe you have two options.
> >
> > 1) Set the POSIX value on the user in AD for the shell
> > 2) Set the following in your client's sssd.conf:
> >
> > [nss]
> > override_shell = /bin/bash
> >
> > This would obviously be global per IPA client.
> >
> > Josh
> >
> > *From:* freeipa-users-boun...@redhat.com [mailto:
> > freeipa-users-boun...@redhat.com] *On Behalf Of *Jon
> > *Sent:* Thursday, February 04, 2016 2:25 PM
> > *To:* freeipa-users@redhat.com
> > *Subject:* [Freeipa-users] [freeipa-users] How to manage Linux attributes
> > for AD users (e.g. how do I set a shell for an AD User)
> >
> > Hello,
> >
> > How does one manage Linux attributes for AD users?  Primarily in my case,
> > I'm looking to change the default shell to either Bash or KSH depending on
> > the user.
> >
> > I can create a .profile that either sources bash or ksh rcs... e.g.:
> >
> > >> $ cat ~/.profile
> > >> bash ./.bashrc
> >
> > This is really less than ideal and just seems like the wrong way to do it,
> > especially considering we have a tool like FreeIPA.
> >
> > According to Microsoft
> > <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> > they are no longer supporting Identity Management for Unix.  Does FreeIPA
> > honor the attributes set by IDMU?  Even if it's deprecated, I suppose we
> > could continue to use it...
> >
> > This previous FreeIPA thread
> > <https://www.redhat.com/archives/freeipa-users/2013-April/msg7.html> seems
> > to indicate you can force the shell for anyone in the domain logging into
> > that machine, but we have some users who prefer one shell over the other.
> >
> > I did what I believe to be standard: I created a security group in AD,
> > added that group to an external group in FreeIPA, then made an
> > internal group and added the external group as a member to the internal
> > group.  Unfortunately, this doesn't seem to expose any of the AD attributes
> > for management.  Or maybe I'm just misunderstanding...
> >
> > Any thoughts?  How are you managing individual AD user settings?
> >
> > Thanks,
> > Jon A
> >


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
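The ID views workflow Jakub points at, written out as an added example (not code from this thread or from the FreeIPA project): it creates a view, sets shell and SSH key overrides for an AD user, and applies the view to a host group. The view name linux_attrs, the host group linux-clients, the user jon@ad.example.com and the key material are assumptions; the ipa subcommands and their flags are the real ones from the FreeIPA CLI. A named view like this one only takes effect on hosts it has been applied to and whose SSSD supports views; overrides placed in the built-in "Default Trust View" instead reach every IPA client without idview-apply.

```shell
#!/bin/sh
# Added example: manage Linux attributes of AD users through FreeIPA ID views.
# Run on an IPA server or enrolled client that has the ipa CLI and a valid
# admin ticket (kinit admin). View, host group, user and key are assumptions.

# DRY_RUN=1 prints each ipa command instead of executing it, so the workflow
# can be reviewed (and tested) without an IPA server.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Minimal sanity check on an OpenSSH public key line before it goes into LDAP:
# a known key type, a base64 blob, and an optional comment. Anything else
# (a private key, a PEM header, copy-paste residue) is rejected.
validate_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .+)?$'
}

# SSSD on the client only hands out a shell that is listed in /etc/shells
# (or in allowed_shells), so check the client's file before overriding.
# The optional second argument lets the check run against a constructed
# file instead of the real /etc/shells.
shell_is_listed() {
    grep -qx -- "$1" "${2:-/etc/shells}"
}

# Create the view; fails harmlessly if it already exists.
ensure_view() {
    run ipa idview-add "$1" --desc="Linux attributes for AD users"
}

# Override login shell and SSH key for one AD user. The anchor for an AD
# user is user@AD.DOMAIN, exactly as getent shows it.
override_ad_user() {
    view=$1; user=$2; shell=$3; pubkey=$4
    if ! validate_pubkey "$pubkey"; then
        echo "refusing malformed public key for $user" >&2
        return 1
    fi
    run ipa idoverrideuser-add "$view" "$user" --shell="$shell" --sshpubkey="$pubkey"
}

# Apply the view to the hosts that should see the overrides.
apply_view() {
    run ipa idview-apply "$1" --hostgroups="$2"
}

# Demo run, only with --demo so the functions can also be sourced on their own.
if [ "${1:-}" = "--demo" ]; then
    VIEW=linux_attrs
    # Constructed placeholder key (all-zero ed25519 blob); use the user's real key.
    JON_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA jon@laptop'
    ensure_view "$VIEW"
    override_ad_user "$VIEW" jon@ad.example.com /bin/ksh "$JON_KEY"
    apply_view "$VIEW" linux-clients
    # Then, on a client in that host group:
    #   sss_cache -E && getent passwd jon@ad.example.com
    # should show /bin/ksh, and
    #   sss_ssh_authorizedkeys jon@ad.example.com
    # should print the key.
fi
```

For the key override to matter at login, the client's sshd must ask SSSD for keys (AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys with AuthorizedKeysCommandUser nobody in sshd_config, which ipa-client-install normally configures), and /bin/ksh has to be present in the client's /etc/shells, which SSSD reads only at startup.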


[Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-04 Thread Jon
Hello,

How does one manage Linux attributes for AD users?  Primarily in my case,
I'm looking to change the default shell to either Bash or KSH depending on
the user.

I can create a .profile that either sources bash or ksh rcs... e.g.:

>> $ cat ~/.profile
>> bash ./.bashrc

This is really less than ideal and just seems like the wrong way to do it,
especially considering we have a tool like FreeIPA.

According to Microsoft
<http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
they are no longer supporting Identity Management for Unix.  Does FreeIPA
honor the attributes set by IDMU?  Even if it's deprecated, I suppose we
could continue to use it...

This previous FreeIPA thread
<https://www.redhat.com/archives/freeipa-users/2013-April/msg7.html> seems
to indicate you can force the shell for anyone in the domain logging into
that machine, but we have some users who prefer one shell over the other.

I did what I believe to be standard: I created a security group in AD,
added that group to an external group in FreeIPA, then made an
internal group and added the external group as a member to the internal
group.  Unfortunately, this doesn't seem to expose any of the AD attributes
for management.  Or maybe I'm just misunderstanding...

Any thoughts?  How are you managing individual AD user settings?

Thanks,
Jon A

Re: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-04 Thread Baird, Josh
For AD users, I believe you have two options.

1) Set the POSIX value on the user in AD for the shell
2) Set the following in your client's sssd.conf:

[nss]
override_shell = /bin/bash

This would obviously be global per IPA client.

Josh

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jon
Sent: Thursday, February 04, 2016 2:25 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD 
users (e.g. how do I set a shell for an AD User)

Hello,

How does one manage Linux attributes for AD users?  Primarily in my case, I'm 
looking to change the default shell to either Bash or KSH depending on the user.

I can create a .profile that either sources bash or ksh rcs... e.g.:

>> $ cat ~/.profile
>> bash ./.bashrc

This is really less than ideal and just seems like the wrong way to do it, 
especially considering we have a tool like FreeIPA.

According to Microsoft
<http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
they are no longer supporting Identity Management for Unix.  Does FreeIPA 
honor the attributes set by IDMU?  Even if it's deprecated, I suppose we could 
continue to use it...

This previous FreeIPA thread
<https://www.redhat.com/archives/freeipa-users/2013-April/msg7.html> 
seems to indicate you can force the shell for anyone in the domain logging into 
that machine, but we have some users who prefer one shell over the other.

I did what I believe to be standard: I created a security group in AD, added 
that group to an external group in FreeIPA, then made an internal group 
and added the external group as a member to the internal group.  Unfortunately, 
this doesn't seem to expose any of the AD attributes for management.  Or maybe 
I'm just misunderstanding...

Any thoughts?  How are you managing individual AD user settings?

Thanks,
Jon A

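A fuller sssd.conf [nss] fragment, added here as an example (it is not taken from Josh's message or from the SSSD project) to contrast the global override Josh describes with the options that only fill in a missing shell or sanitize one the directory returns. The option names are the ones documented in sssd.conf(5); the shell paths and the ksh entry are assumptions for illustration.

```ini
# /etc/sssd/sssd.conf on the IPA client (added example). Pick ONE of the two
# approaches below; they appear together only for contrast, and when both are
# set override_shell wins.
[nss]
# Approach A (Josh's suggestion): force one shell on every user this client
# resolves, AD users included. Per-user preferences from AD or ID views are lost.
override_shell = /bin/bash

# Approach B: keep per-user shells and only fill gaps or sanitize.
# default_shell is used only when the directory returns no shell at all.
default_shell = /bin/bash
# When allowed_shells is unset the directory's shell is passed through as-is.
# When it is set: a shell present in this client's /etc/shells is used; one in
# allowed_shells but missing from /etc/shells becomes shell_fallback; one in
# neither becomes a nologin shell. /etc/shells is read only at SSSD startup,
# so install ksh, list it in /etc/shells and restart sssd before relying on it.
allowed_shells = /bin/ksh, /bin/bash
shell_fallback = /bin/bash
# Shells listed here are always replaced by shell_fallback.
vetoed_shells = /bin/csh
```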

Re: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

2016-02-04 Thread Jon
Hi Josh,

I think that's exactly the problem though, how does one set POSIX
attributes in AD from Linux guests?

The Red Hat documentation has a big warning that the Microsoft IDMU has been
deprecated.

>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

Surely you're not suggesting manually editing the AD Schema...?

Also, another use case is ssh keys.  I'm not even sure that IDMU has an
option for "authorized_keys"  (and FreeIPA doesn't seem to honor what's in
.ssh/authorized keys...  when that file exists I always get prompted for a
password then access denied).

I'm sure there are other per-user level attributes that are required, home
directory perhaps?, but the two big ones are shell and ssh keys.  I can't
be the only one who has a use case for managing these attributes for Active
Directory users.

Thanks,
Jon A

On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jba...@follett.com> wrote:

> For AD users, I believe you have two options.
>
> 1) Set the POSIX value on the user in AD for the shell
> 2) Set the following in your client's sssd.conf:
>
> [nss]
> override_shell = /bin/bash
>
> This would obviously be global per IPA client.
>
> Josh
>
> *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Jon
> *Sent:* Thursday, February 04, 2016 2:25 PM
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] [freeipa-users] How to manage Linux attributes
> for AD users (e.g. how do I set a shell for an AD User)
>
> Hello,
>
> How does one manage Linux attributes for AD users?  Primarily in my case,
> I'm looking to change the default shell to either Bash or KSH depending on
> the user.
>
> I can create a .profile that either sources bash or ksh rcs... e.g.:
>
> >> $ cat ~/.profile
> >> bash ./.bashrc
>
> This is really less than ideal and just seems like the wrong way to do it,
> especially considering we have a tool like FreeIPA.
>
> According to Microsoft
> <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> they are no longer supporting Identity Management for Unix.  Does FreeIPA
> honor the attributes set by IDMU?  Even if it's deprecated, I suppose we
> could continue to use it...
>
> This previous FreeIPA thread
> <https://www.redhat.com/archives/freeipa-users/2013-April/msg7.html> seems
> to indicate you can force the shell for anyone in the domain logging into
> that machine, but we have some users who prefer one shell over the other.
>
> I did what I believe to be standard: I created a security group in AD,
> added that group to an external group in FreeIPA, then made an
> internal group and added the external group as a member to the internal
> group.  Unfortunately, this doesn't seem to expose any of the AD attributes
> for management.  Or maybe I'm just misunderstanding...
>
> Any thoughts?  How are you managing individual AD user settings?
>
> Thanks,
> Jon A
>