Re: [Freeipa-users] Password entry through Trust not correct

2015-03-22 Thread Jakub Hrozek
On Sun, Mar 22, 2015 at 04:44:42PM +, McEvoy, James wrote:
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Saturday, March 21, 2015 10:42 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password entry through Trust not correct
> 
> On 03/20/2015 08:56 PM, McEvoy, James wrote:
> When I look at the password entries for my rfc2307 account in Active Directory
> I get three different answers.
> The only correct one is on a server where I used sssd to join AD directly (the
> last one). Do I need to configure rfc2307? When I configured the server to
> join AD directly I used the option --enablerfc2307bis when running authconfig.
> 
> from a freeipa client:
> $ getent passwd jemce...@enas.net
> jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:
> 
> from the ipa server:
> [root@ipa ~]# getent passwd jemce...@enas.net
> jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash
> 
> from a server that joined AD directly using sssd:
> $ getent passwd jemce...@enas.net
> jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
> 
> 
> Hi,
> 
> Let us step back.
> What versions of the server and of the client and on what platforms?
> 
> When you set trust, how did you set it?
> It might be that the IPA server did not detect that you have Posix extensions in AD.
> There are some heuristics involved, so probably you should use explicit
> parameters to tell IPA whether you have posix in AD or not.
> 
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
> 
> Hi Dmitri,
> 
> My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
> The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64
> 
> The freeipa server has a trust with a Windows 2008R2 Active Directory
> domain named ENAS.Net.
> 
> The client is in an LXC container with both the hosting server and the
> LXC guest running Fedora 20.
> The client is running freeipa-client-3.3.5-1.fc20.x86_64.
> 
> This is at the top of the file /var/log/ipaclient-install.log in the client:
> 
> 2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options:
> {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True,
> 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True,
> 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None,
> 'ca_cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None,
> 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True,
> 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True,
> 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False,
> 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
> 
> 
> The client is getting the correct POSIX uid/gid from Active Directory; it is
> the home directory which looks samba style to me, and the shell is completely
> missing.
> 
> Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
> results when it joins freeipa and uses the trust. I will try both directly and
> from an LXC guest to see if the correct POSIX attributes get passed through
> from the Active Directory Identity Management for Unix plugin.

With FreeIPA server 3.x what you are seeing is actually expected. The
ability to transfer additional POSIX attributes from the server to the
client was only added in 4.x, sorry.

In the meantime, I wonder if the various
subdomain_homedir/override_homedir/override_shell etc
attributes would be helpful on the clients?

Finally, please note that the most important part are the UID and GID
attributes so that you can access your files.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
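The client-side overrides Jakub points to, written out as an added sssd.conf fragment for the client in this thread. This is not configuration posted by anyone in the thread. The section name `[domain/lnx.lab]`, the server `ipa.lnx.lab` and the hostname `ctn017-135.lnx.lab` come from the ipa-client-install log quoted above; the chosen home directory layout and shell are assumptions.

```ini
# /etc/sssd/sssd.conf on the FreeIPA 3.3 client (Fedora 20 LXC guest).
# Added example for this thread, not configuration from the original posts.
[sssd]
services = nss, pam, ssh
domains = lnx.lab

[domain/lnx.lab]
id_provider = ipa
ipa_domain = lnx.lab
ipa_server = ipa.lnx.lab
ipa_hostname = ctn017-135.lnx.lab

# Home directory template for users from trusted AD subdomains (ENAS.Net here).
# sssd's default is /home/%d/%u, which is exactly the /home/enas.net/jemcevoy
# the client prints above; %u alone matches the directly-joined AD box.
subdomain_homedir = /home/%u

# A 3.x client receives no loginShell from the server, hence the empty last
# field in the client's passwd entry.  default_shell only fills in a shell the
# provider did not return; override_shell would replace the shell for every
# user of this domain, including AD accounts deliberately given a
# non-interactive shell, so prefer default_shell here.
default_shell = /bin/bash

# Alternative to subdomain_homedir: one layout for every user of this domain
# regardless of what the provider returns.  Use one or the other, not both.
# override_homedir = /home/%u
```

After editing, restart sssd and clear its cache (`sss_cache -E`) before re-running `getent passwd` so the old entry is not served from cache. These settings only change how the client presents the entry; the UID and GID that govern file access still come from the AD POSIX attributes, which is why Jakub calls those the important part. Once the client runs a 4.x release the home directory and shell come through from the server and the overrides can be removed.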


Re: [Freeipa-users] Password entry through Trust not correct

2015-03-22 Thread McEvoy, James

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, March 21, 2015 10:42 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password entry through Trust not correct

On 03/20/2015 08:56 PM, McEvoy, James wrote:
When I look at the password entries for my rfc2307 account in Active Directory
I get three different answers.
The only correct one is on a server where I used sssd to join AD directly (the
last one). Do I need to configure rfc2307? When I configured the server to
join AD directly I used the option --enablerfc2307bis when running authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash


Hi,

Let us step back.
What versions of the server and of the client and on what platforms?

When you set trust, how did you set it?
It might be that the IPA server did not detect that you have Posix extensions in AD.
There are some heuristics involved, so probably you should use explicit
parameters to tell IPA whether you have posix in AD or not.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Hi Dmitri,

My IPA Server is running Fedora 21 directly on an HP DL360-G7 server.
The Version of the freeipa is: freeipa-server-4.1.3-2.fc21.x86_64

The freeipa server has a trust with a Windows 2008R2 Active Directory
domain named ENAS.Net.

The client is in an LXC container with both the hosting server and the
LXC guest running Fedora 20.
The client is running freeipa-client-3.3.5-1.fc20.x86_64.

This is at the top of the file /var/log/ipaclient-install.log in the client:

2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options:
{'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True,
'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None,
'ca_cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None,
'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True,
'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True,
'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False,
'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}


The client is getting the correct POSIX uid/gid from Active Directory; it is
the home directory which looks samba style to me, and the shell is completely
missing.

Monday morning (PDT) I will kickstart another server with Fedora 21 to see the
results when it joins freeipa and uses the trust. I will try both directly and
from an LXC guest to see if the correct POSIX attributes get passed through
from the Active Directory Identity Management for Unix plugin.

  -- jim





Re: [Freeipa-users] Password entry through Trust not correct

2015-03-21 Thread Dmitri Pal

On 03/20/2015 08:56 PM, McEvoy, James wrote:

When I look at the password entries for my rfc2307 account in Active Directory
I get three different answers.
The only correct one is on a server where I used sssd to join AD directly (the
last one). Do I need to configure rfc2307? When I configured the server to
join AD directly I used the option --enablerfc2307bis when running authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash




Hi,

Let us step back.
What versions of the server and of the client and on what platforms?

When you set trust, how did you set it?
It might be that the IPA server did not detect that you have Posix extensions in AD.
There are some heuristics involved, so probably you should use explicit
parameters to tell IPA whether you have posix in AD or not.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
