Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 04:19:39PM -0600, Jason B. Nance wrote:
> >> - Users can't login to a Linux box using just "username" 
> >> (user@ad.domain is
> >> used)
> > 
> > In the current version you can use the 'default_domain_suffix' option in
> > sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> > limitation go away.
> 
> Thank you very much, Jakub.  That is helpful information!  Are you saying 
> that there will basically be a domain search order or something for users 
> that login without specifying a domain?

For the IPA-AD case, probably:
https://fedorahosted.org/sssd/ticket/3210
For the direct AD integration case (which will share the underlying code
with the IPA-AD integration case), the admin would opt-in with a
sssd.conf option, essentially saying 'let me always use shortnames for
all domains, there are no name conflicts' and then sssd would not
require shortnames for trusted domains.

The ticket that tracks the shortname-for-trusted-domains case in general
is:
https://fedorahosted.org/sssd/ticket/3001

Please note the tickets are in the "Future releases" milestone at the
moment, but we do plan them for the next RHEL release; the upstream
milestones just need a bit more grooming.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Alexander Bokovoy

On Wed, 01 Feb 2017, Jason B. Nance wrote:
>>>> - User/group management in general becomes largely a command-line operation
>>>> (such as mapping groups so they can be used in HBAC and sudo rules)
>>>
>>> While this is a nice-to-have, it isn't a deal breaker.
>>
>> This definitely exists in WebUI? Unless you mean something I don't understand.
>>
>> Define groups:
>> Identity->User Groups (second tab)
>
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users
> (users that are known via the trust with AD) under the "Users" tab.
> There is limited visibility / management of external groups and
> membership, but nothing that displays a list of available users/groups
> in AD when attempting to create/modify a user/group.

Not seeing AD users is the correct thing, you don't miss anything.

This topic comes up regularly on the list. It is described in the Windows
integration guide, we discuss it here, you can look into the archives, for
example:

https://www.redhat.com/archives/freeipa-users/2016-October/msg00083.html

IPA is not designed to give you the ability to manage your AD users as if
they were in IPA -- you cannot create them there, you cannot list them
there. They are not and there is no need to pretend they are.

POSIX attributes for them can be managed in the ID overrides (in Default
Trust View). We are working on making it possible to do self-service in the
web UI for AD users themselves in upcoming releases. You can do 'self-service'
as an AD user in the CLI already with

 ipa idoverrideuser-mod "default trust view" your.account@ad.domain  [options]

but you currently cannot log in as an AD user to the web UI. Also the ID
Override needs to be pre-created by the IPA admin right now -- just do

 ipa idoverrideuser-add "default trust view" your.account@ad.domain




>> Define user mappings:
>> IPA Server -> ID Views -> Default Trust View
>
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be used
> for HBAC/sudo) so that AD membership is known by IPA when applying the HBAC/sudo rules.
> For example:
>
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' external map" \
>   lgz_map_domain_admins \
>   --external
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' POSIX" \
>   lgz_domain_admins
> ipa group-add-member \
>   lgz_map_domain_admins \
>   --external 'LAB\Domain Admins'
> ipa group-add-member \
>   lgz_domain_admins \
>   --groups lgz_map_domain_admins






--
/ Alexander Bokovoy



Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 10:06, Jason B. Nance  wrote:

>
> >- User/group management in general becomes largely a command-line
>> operation (such as mapping groups so they can be used in HBAC and sudo
>> rules)
>>
>> While this is a nice-to-have, it isn't a deal breaker.
>>
>
> This definitely exists in WebUI? Unless you mean something I don't
> understand.
>
> Define groups:
> Identity->User Groups (second tab)
>
> In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users
> that are known via the trust with AD) under the "Users" tab.  There is
> limited visibility / management of external groups and membership, but
> nothing that displays a list of available users/groups in AD when
> attempting to create/modify a user/group.
>



Ah! Yes, I can't see all the AD users either. But adding a user to the ID
Views does fail on bad user names, which is not the same thing - I know -
but I only have a one way trust (from FreeIPA to AD) and the AD is managed
by the IT Overlords on Floor 6.

Bi-directional trust may have different usage?


> Define user mappings:
> IPA Server -> ID Views -> Default Trust View
>
> By "mapping" I meant adding an AD group to a FreeIPA group (which can be
> used for HBAC/sudo) so that AD membership is known by IPA when applying the
> HBAC/sudo rules.  For example:
>
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' external map" \
>   lgz_map_domain_admins \
>   --external
> ipa group-add \
>   --desc="lab.gen.zone 'Domain Admins' POSIX" \
>   lgz_domain_admins
> ipa group-add-member \
>   lgz_map_domain_admins \
>   --external 'LAB\Domain Admins'
> ipa group-add-member \
>   lgz_domain_admins \
>   --groups lgz_map_domain_admins
>
>


Through the groups UI, you can add an external group (we use the naming
system "ad_my_group"), then add the AD group as an external member to that
group (add AD-DOMAIN\my_group). Then we add the local POSIX group
("my_group")  and make "ad_my_group" a member of that.


When you add a group in the groups, you will see the option for the group
to be POSIX, external or normal.

cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Martin Basti



On 02.02.2017 00:05, Lachlan Musicman wrote:
> On 2 February 2017 at 09:51, Martin Basti wrote:
>> On 01.02.2017 23:44, Lachlan Musicman wrote:
>>> (aside: does FreeIPA have plans to move toward PatternFly?
>>> http://www.patternfly.org/ )
>>
>> Unless I missed something, FreeIPA 4.x already uses patternfly
>>
>> https://ipa.demo1.freeipa.org/ipa/ui/
>>
>> admin/Secret123
>
> Ah! The thing I am missing is IPA 4.4! (still on 4.2. Upgrade in the
> planning)
>
> cheers
> L.

Actually patternfly is there since 4.0.0

http://www.freeipa.org/page/Releases/4.0.0

"""
Web UI adopted Patternfly open interface project to promote design 
commonality and improved user experience. Web UI is now responsive and 
adapts to different screen sizes like mobile or tablets.

"""

So you should see it on 4.2, if not you have something broken :)

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>>> - User/group management in general becomes largely a command-line operation
>>> (such as mapping groups so they can be used in HBAC and sudo rules)
>>
>> While this is a nice-to-have, it isn't a deal breaker.
>
> This definitely exists in WebUI? Unless you mean something I don't understand.
>
> Define groups:
> Identity->User Groups (second tab)

In my setup (FreeIPA 4.4.0 on CentOS 7) I don't see external users (users that 
are known via the trust with AD) under the "Users" tab. There is limited 
visibility / management of external groups and membership, but nothing that 
displays a list of available users/groups in AD when attempting to 
create/modify a user/group.

> Define user mappings:
> IPA Server -> ID Views -> Default Trust View

By "mapping" I meant adding an AD group to a FreeIPA group (which can be used 
for HBAC/sudo) so that AD membership is known by IPA when applying the 
HBAC/sudo rules. For example: 

ipa group-add \ 
--desc="lab.gen.zone 'Domain Admins' external map" \ 
lgz_map_domain_admins \ 
--external 
ipa group-add \ 
--desc="lab.gen.zone 'Domain Admins' POSIX" \ 
lgz_domain_admins 
ipa group-add-member \ 
lgz_map_domain_admins \ 
--external 'LAB\Domain Admins' 
ipa group-add-member \ 
lgz_domain_admins \ 
--groups lgz_map_domain_admins 
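The group-mapping commands above, and the ID override commands Alexander Bokovoy gives further up the thread (ipa idoverrideuser-add / idoverrideuser-mod in the Default Trust View), are one-shot CLI runs; what a practitioner keeps around is an idempotent wrapper that also binds the POSIX group to the HBAC and sudo rules it was created for, and that lets an AD user store an SSH key through their override. The script below is an added example written for this page, not code from the thread or from FreeIPA. The rule names (allow_lgz_admins, sudo_lgz_admins), the IPA_DRY_RUN switch, the your.account@lab.gen.zone login and the placeholder key are assumptions of the example; only standard ipa subcommands are used.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from FreeIPA: the
# AD group -> external group -> POSIX group mapping posted above, plus the
# per-user ID override Alexander describes for AD users' POSIX attributes
# (used here to store an SSH public key), wrapped as idempotent helpers.
# Assumptions of this example: the HBAC/sudo rule names, the IPA_DRY_RUN
# switch and the placeholder key are invented; only standard ipa subcommands
# are used. Default is dry-run: commands are printed, shell-quoted, instead of
# run. Apply them for real with IPA_DRY_RUN=0 after `kinit admin`.
set -eu
: "${IPA_DRY_RUN:=1}"

# Quote one argument for display if it contains shell-special characters.
shq() {
    case $1 in
        *[!A-Za-z0-9_.,:=/@-]*|'')
            printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *)  printf '%s' "$1" ;;
    esac
}

# Run an ipa command, or print it when IPA_DRY_RUN=1.
run() {
    if [ "$IPA_DRY_RUN" = 1 ]; then
        _line=
        for _arg in "$@"; do _line="$_line$(shq "$_arg") "; done
        printf '%s\n' "${_line% }"
    else
        "$@"
    fi
}

# ipa_exists TYPE NAME...: true if `ipa TYPE-show NAME...` succeeds. In dry-run
# mode everything counts as missing so that the full sequence is shown.
ipa_exists() {
    [ "$IPA_DRY_RUN" = 1 ] && return 1
    _type=$1; shift
    ipa "${_type}-show" "$@" >/dev/null 2>&1
}

# map_ad_group NETBIOS 'AD Group' ext_group posix_group
# The external group carries the AD SID; the POSIX group is what HBAC and
# sudo rules reference.
map_ad_group() {
    ipa_exists group "$3" || run ipa group-add "$3" --external --desc="external members: $1\\$2"
    ipa_exists group "$4" || run ipa group-add "$4" --desc="POSIX group for $1\\$2"
    # ipa exits non-zero when the member is already present; ignore that.
    run ipa group-add-member "$3" --external="$1\\$2" || true
    run ipa group-add-member "$4" --groups="$3" || true
}

# grant_access posix_group hbac_rule sudo_rule
# Create the rules if missing and bind the POSIX group to them. The rules are
# created empty on purpose: add hosts/services with ipa hbacrule-add-host and
# hbacrule-add-service, and commands with ipa sudorule-add-allow-command, so
# the grant stays least-privilege.
grant_access() {
    ipa_exists hbacrule "$2" || run ipa hbacrule-add "$2" --desc="HBAC for $1"
    run ipa hbacrule-add-user "$2" --groups="$1" || true
    ipa_exists sudorule "$3" || run ipa sudorule-add "$3" --desc="sudo for $1"
    run ipa sudorule-add-user "$3" --groups="$1" || true
}

# set_ad_user_sshkey user@ad.domain 'ssh-ed25519 AAAA... comment'
# The -add step is the admin's pre-creation of the override; an AD user can
# run the -mod step for their own entry. Reject anything that is not an
# OpenSSH public key line before it reaches the directory.
set_ad_user_sshkey() {
    case $2 in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) printf 'refusing key with unknown type: %s\n' "$2" >&2; return 1 ;;
    esac
    ipa_exists idoverrideuser "default trust view" "$1" \
        || run ipa idoverrideuser-add "default trust view" "$1"
    run ipa idoverrideuser-mod "default trust view" "$1" --sshpubkey="$2"
}

# Dry-run demonstration with the thread's names (NetBIOS domain LAB); the key
# is a constructed placeholder, not a real key.
map_ad_group LAB 'Domain Admins' lgz_map_domain_admins lgz_domain_admins
grant_access lgz_domain_admins allow_lgz_admins sudo_lgz_admins
set_ad_user_sshkey your.account@lab.gen.zone \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY your.account@lab'
```

Run as-is it prints the commands it would issue; with IPA_DRY_RUN=0 (after kinit admin on a machine with the ipa client tools) it executes them. The HBAC and sudo rules are created without hosts, services or commands, so binding the group grants nothing until those are added explicitly; the "already a member" failures from group-add-member are ignored on purpose so the script can be re-run.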

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 09:51, Martin Basti  wrote:

>
> On 01.02.2017 23:44, Lachlan Musicman wrote:
>
>
>
> (aside: does FreeIPA have plans to move toward PatternFly?
> http://www.patternfly.org/ )
>
>
> Unless I missed something, FreeIPA 4.x already uses patternfly
>
> https://ipa.demo1.freeipa.org/ipa/ui/
> admin/Secret123
>
>
Ah! The thing I am missing is IPA 4.4! (still on 4.2. Upgrade in the
planning)

cheers
L.

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Martin Basti



On 01.02.2017 23:44, Lachlan Musicman wrote:
> On 2 February 2017 at 09:19, Jason B. Nance wrote:
>>> - User/group management in general becomes largely a command-line
>>> operation (such as mapping groups so they can be used in HBAC and
>>> sudo rules)
>>
>> While this is a nice-to-have, it isn't a deal breaker.
>
> This definitely exists in WebUI? Unless you mean something I don't
> understand.
>
> Define groups:
> Identity->User Groups (second tab)
>
> Define user mappings:
> IPA Server -> ID Views -> Default Trust View
>
> Is that what you mean?
>
> (aside: does FreeIPA have plans to move toward PatternFly?
> http://www.patternfly.org/ )

Unless I missed something, FreeIPA 4.x already uses patternfly

https://ipa.demo1.freeipa.org/ipa/ui/
admin/Secret123

Martin

> cheers
> L.


Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 09:19, Jason B. Nance  wrote:

> >- User/group management in general becomes largely a command-line
> operation (such as mapping groups so they can be used in HBAC and sudo
> rules)
>
> While this is a nice-to-have, it isn't a deal breaker.
>

This definitely exists in WebUI? Unless you mean something I don't
understand.

Define groups:
Identity->User Groups (second tab)

Define user mappings:
IPA Server -> ID Views -> Default Trust View

Is that what you mean?

(aside: does FreeIPA have plans to move toward PatternFly?
http://www.patternfly.org/ )

cheers
L.

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>> - Users can't login to a Linux box using just "username" (user@ad.domain 
>> is
>> used)
> 
> In the current version you can use the 'default_domain_suffix' option in
> sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> limitation go away.

Thank you very much, Jakub.  That is helpful information!  Are you saying that 
there will basically be a domain search order or something for users that login 
without specifying a domain?

Back to the community as a whole, regarding these other items:

>- Since AD trust users don't show up in FreeIPA web UI users can't login 
> to manage their own SSH keys

After doing some additional thinking/researching I realized that SSH keys 
become largely irrelevant because of GSSAPI (Dmitri Pal posed this question in 
this thread: 
https://www.redhat.com/archives/freeipa-users/2013-September/msg00290.html).

>- User/group management in general becomes largely a command-line 
> operation (such as mapping groups so they can be used in HBAC and sudo rules)

While this is a nice-to-have, it isn't a deal breaker.

I have another question.  Can additional authentication requirements (such as 
2FA) be imposed on users from a trust via IPA?

Thanks,

j



Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 03:00:55PM -0600, Jason B. Nance wrote:
> Hello everyone,
> 
> I'm about to deploy a fresh IPA domain that needs to integrate with Active 
> Directory.  In my lab environment I've setup a trust with AD and the 
> following items are driving me away from using the trust:
> 
> - Users can't login to a Linux box using just "username" (user@ad.domain 
> is used)

In the current version you can use the 'default_domain_suffix' option in
sssd.conf on the clients. In RHEL-7.4 we are looking into making this
limitation go away.

(I won't reply to the other two questions because they are outside my
knowledge domain, sorry)

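Jakub's pointer to default_domain_suffix is the usual workaround, and its one caveat matters on an IPA client: the suffix is applied to every bare login name, admin included, so once it is set the IPA-native accounts have to log in fully qualified (admin@ipa.example.com) while the trusted-domain users get the short names. The script below is an added example written for this page, not code from the thread or from SSSD. It writes a constructed IPA-client sssd.conf (ad.example.com, ipa.example.com and ipa1.ipa.example.com are placeholders) and applies the rule documented in sssd.conf(5) for the option, so you can see which name SSSD will look up for a given login before and after setting it.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: what default_domain_suffix
# does to a login name, per sssd.conf(5): a name without a domain component
# gets the suffix appended; a name that already has one is left unchanged.
# The config written here is constructed for the example and the domain
# names in it are placeholders.
set -eu

# write_sssd_conf PATH [SUFFIX]: minimal IPA-client sssd.conf; when SUFFIX is
# given it is written as default_domain_suffix in the [sssd] section.
write_sssd_conf() {
    {
        printf '[sssd]\n'
        printf 'domains = ipa.example.com\n'
        printf 'services = nss, pam, ssh, sudo\n'
        if [ $# -ge 2 ]; then printf 'default_domain_suffix = %s\n' "$2"; fi
        printf '\n[domain/ipa.example.com]\n'
        printf 'id_provider = ipa\n'
        printf 'ipa_server = ipa1.ipa.example.com\n'
    } > "$1"
}

# sssd_default_suffix CONF: print default_domain_suffix from [sssd], if set.
# Only the [sssd] section is consulted; a same-named key elsewhere is ignored.
sssd_default_suffix() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*default_domain_suffix[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# sssd_login_name LOGIN CONF: the name SSSD will look up for LOGIN.
sssd_login_name() {
    case $1 in
        *@*) printf '%s\n' "$1" ;;
        *)   _sfx=$(sssd_default_suffix "$2")
             if [ -n "$_sfx" ]; then printf '%s@%s\n' "$1" "$_sfx"
             else printf '%s\n' "$1"; fi ;;
    esac
}

# Demonstration: with the suffix set, bare names become AD names, so the IPA
# admin must now log in fully qualified.
conf=$(mktemp)
write_sssd_conf "$conf" ad.example.com
sssd_login_name jdoe "$conf"                   # jdoe@ad.example.com
sssd_login_name admin "$conf"                  # admin@ad.example.com, not the IPA admin
sssd_login_name admin@ipa.example.com "$conf"  # admin@ipa.example.com
write_sssd_conf "$conf"                        # same file without the option
sssd_login_name jdoe "$conf"                   # jdoe (looked up in the IPA domain)
rm -f "$conf"
```

The point to check after enabling the option is the second line of output: any automation, cron job or break-glass procedure that logs in as a bare admin on that client now targets the AD domain and must be changed to the qualified name.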


[Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
Hello everyone,

I'm about to deploy a fresh IPA domain that needs to integrate with Active 
Directory.  In my lab environment I've setup a trust with AD and the following 
items are driving me away from using the trust:

- Users can't login to a Linux box using just "username" (user@ad.domain is 
used)
- Since AD trust users don't show up in FreeIPA web UI users can't login to 
manage their own SSH keys
- User/group management in general becomes largely a command-line operation 
(such as mapping groups so they can be used in HBAC and sudo rules)

First, if any of the above is incorrect or there are workarounds I am very much 
open to discussion.

I'm considering using WinSync+PassSync so that users and groups appear as 
"real" IPA objects to be managed normally.  Given that an entire tool has been 
written to migrate away from WinSync to AD trusts and language in the RH 
documentation suggesting to only use WinSync if you have to I'm wondering what 
issues I'm not considering and if I could be leading toward a world of hurt.

Guidance in this area is appreciated.

Thanks,

j
